On Tue, Jan 05, 2021 at 01:05:01PM -0500, Ben Cotton wrote: > https://fedoraproject.org/wiki/Changes/Signed_RPM_Contents > > Note that this change was submitted after the deadline, but since it can be > shipped in an complete state, I am still processing it for Fedora 34. > > > == Summary == > We want to add signatures to individual files that are part of shipped RPMs. > These signatures will use the Linux IMA (Integrity Measurement > Architecture) scheme, which means they can be used to enforce runtime > policies to ensure execution of only trusted files. Who is going to use this feature? My guess is a very limited set of users, so it seems unfair to dramatically increase the size of their downloads and install footprint to support something they don't use. Can't they be shipped on the side? An rpm of signatures that's optionally installed would be more user friendly. Also, I (being unfamiliar with IMA), don't see how this is any better than trusting the file hash signed by the fedora keys that we currently have. Brian -- Brian C. Lane (PST8PDT) - weldr.io - lorax - parted - pykickstart _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
