On Tue, Jan 12, 2021 at 8:21 PM Brian C. Lane <bcl@xxxxxxxxxx> wrote:
>
> On Tue, Jan 05, 2021 at 01:05:01PM -0500, Ben Cotton wrote:
> > https://fedoraproject.org/wiki/Changes/Signed_RPM_Contents
> >
> > Note that this change was submitted after the deadline, but since it can be
> > shipped in a complete state, I am still processing it for Fedora 34.
> >
> >
> > == Summary ==
> > We want to add signatures to individual files that are part of shipped RPMs.
> > These signatures will use the Linux IMA (Integrity Measurement
> > Architecture) scheme, which means they can be used to enforce runtime
> > policies to ensure execution of only trusted files.
>
> Who is going to use this feature? My guess is a very limited set of
> users, so it seems unfair to dramatically increase the size of their
> downloads and install footprint to support something they don't use.
> Can't they be shipped on the side? An rpm of signatures that's
> optionally installed would be more user friendly.
>
> Also, I (being unfamiliar with IMA), don't see how this is any better
> than trusting the file hash signed by the fedora keys that we currently
> have.

I wasn't aware the current rpm has functionality integrated with
kernel/tpm and other functionality to do it at runtime access of the
files; I thought it was more an audit style use case such as rpm -V to
see if something had changed. IMA is more about being able to check at
runtime and setting policies of what to do if something has changed.
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx