On 1/5/21 8:12 PM, Matthew Miller wrote:
> On Tue, Jan 05, 2021 at 01:05:01PM -0500, Ben Cotton wrote:
> > We want to add signatures to individual files that are part of shipped RPMs.
> This is for _every file_ in every RPM? Or some files in some RPMs?
Every file in every RPM is the idea.
This comes at a very significant size increase for everything.
Taking the rather small and trivial popt package with 39 files as an
example, pre and post file-signing [1]:
58254 Jan 7 11:19 /tmp/popt-1.18-1.fc33.x86_64.rpm
130222 Jan 7 11:21 popt-1.18-1.fc33.x86_64.rpm
It more than doubles the size. The signatures are indeed hex-encoded
which is a terrible waste, it should have used base64 encoding instead.
And at least with the reproducer script that I have, the per-file
overhead is 1745 bytes, most of which is zeroes (I don't know if that's
a bug somewhere or what). And all of that will end up in everybody's
downloads and also databases.
At the same time people are pushing to find ways to reduce the rpmdb size...
If Fedora wants to use IMA, I would kindly suggest somebody fix it to
use base64 encoding for the signatures and look at the excessive zeroes
first.
Also, I'd suggest people interested in this do a detailed comparison
between the IMA and fs-verity which Matthew Almond already mentioned.
fs-verity is not yet in any released rpm version (only a matter of
months), and while IMA has been in rpm longer it hasn't seen any
wide-spread use yet either.
[1] This can be modified to reproduce/test:
https://gist.githubusercontent.com/dashea/ffe49cb5703d3e44870d71006bfeedd0/raw/89546690755c13e57988cda2858bb192487462c1/verify_signfiles.sh
- Panu -
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
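To put numbers on the encoding argument in Panu's message, here is an added Python example (mine, not code from rpm or from the thread) that builds a sample IMA v2 signature xattr around a 256-byte RSA signature, compares the cost of carrying it hex-encoded versus base64-encoded in the header, and flags a blob that is mostly zero padding; the key id and the signature bytes are constructed, and only the field layout follows the kernel's signature_v2_hdr.

```python
import base64
import struct

# IMA xattr header layout (struct signature_v2_hdr in the Linux integrity
# subsystem): type, version, hash_algo, keyid (big-endian u32),
# sig_size (big-endian u16), followed by the raw signature bytes.
IMA_HDR = struct.Struct(">BBBIH")
EVM_IMA_XATTR_DIGSIG = 3   # xattr type: digital signature
HASH_ALGO_SHA256 = 4       # enum hash_algo value for SHA-256


def build_ima_sig(sig_bytes: bytes, keyid: int = 0x0C0FFEE0) -> bytes:
    """Wrap a raw signature in the IMA v2 header (keyid is a constructed value)."""
    return IMA_HDR.pack(EVM_IMA_XATTR_DIGSIG, 2, HASH_ALGO_SHA256,
                        keyid, len(sig_bytes)) + sig_bytes


def encoded_sizes(blob: bytes) -> dict:
    """Bytes needed to store the blob as a NUL-terminated header string:
    hex (what rpm's IMA signing currently emits) versus base64."""
    return {
        "raw": len(blob),
        "hex": len(blob.hex()) + 1,
        "base64": len(base64.b64encode(blob)) + 1,
    }


def zero_fraction(blob: bytes) -> float:
    """Share of zero bytes. A real RSA signature looks random, so a high
    value points at padding or a bug rather than signature data."""
    return blob.count(0) / len(blob) if blob else 0.0


def package_overhead(nfiles: int, blob: bytes) -> dict:
    """Total bytes the per-file signatures add to a package with nfiles."""
    return {k: v * nfiles for k, v in encoded_sizes(blob).items()}


if __name__ == "__main__":
    # Constructed stand-in for a 2048-bit RSA signature (256 bytes).
    blob = build_ima_sig(bytes(range(256)))
    print("sizes per file:", encoded_sizes(blob))
    print("popt-like package, 39 files:", package_overhead(39, blob))
    # Constructed blob padded with zeros to mimic the mostly-zero overhead.
    padded = blob + bytes(1745 - len(blob))
    print("zero fraction, sane blob:  %.3f" % zero_fraction(blob))
    print("zero fraction, padded blob: %.3f" % zero_fraction(padded))
```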