Re: Fedora 34 Change: Signed RPM Contents (late System-Wide Change)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



> >> > During signing builds, the files in it will be signed with IMA
> >> > signatures..  These signatures will be made with a key that’s kept by
> >> > the Fedora Infrastructure team, and installed on the sign vaults.
> >>
> >> What is the impact on RPM database size?
> >
> > They're stored in xattr so it shouldn't have any noticeable impact,
> > although Patrick can confirm the details of that.
>
> If the signatures end up in RPM headers, they will land in the RPM
> database, too.
>
> “rpm -qla | wc -l” shows around 28,589 files for me, in the Fedora 33
> container image.  / seems to need 183 MiB right now.  If the signatures
> land in the RPM database and the file system, I expect at least 96 bytes
> per file signature (digests in the header are traditionally hex-encoded,
> I think).  That translates to 2.6 MiB, or ~1.4% size increase.
>
> But quite likely there is some per-block overhead, so the numbers should
> be worse.
>
> >> Will GPLv3 packages be excluded, or will the signing keys be provided
> >> upon request?
> >
> > The public key?
>
> The private key.  IMA is typically used for some form of remote

There's no requirement of the GPLv3 to redistribute the private key
for this usecase, we're not denying access or restricting use of the
OS:
https://www.gnu.org/licenses/gpl-faq.html#GiveUpKeys

> attestation, I think.  I'm not sure if it is possible to distribute
> hardware with IMA enforcement.  And as long as enforcement can be turned
> of trivially (as required by the GPLv3, as far as I can tell), IMA seems
> to be pretty useless.

Like most things end users if they're not onselling/distributing to
third parties can use technologies such as IMA to reduce the attack
surface or increase their ability to audit their own systems as they
like.

Like most security tooling it's about layers of security and functionality.
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux