On Tue, Jan 12, 2021 at 8:22 PM Brian C. Lane <bcl@xxxxxxxxxx> wrote:
On Tue, Jan 05, 2021 at 01:05:01PM -0500, Ben Cotton wrote:
> https://fedoraproject.org/wiki/Changes/Signed_RPM_Contents
>
> Note that this change was submitted after the deadline, but since it can be
> shipped in an complete state, I am still processing it for Fedora 34.
>
>
> == Summary ==
> We want to add signatures to individual files that are part of shipped RPMs.
> These signatures will use the Linux IMA (Integrity Measurement
> Architecture) scheme, which means they can be used to enforce runtime
> policies to ensure execution of only trusted files.
Who is going to use this feature? My guess is a very limited set of
users, so it seems unfair to dramatically increase the size of their
downloads and install footprint to support something they don't use.
Can't they be shipped on the side? An rpm of signatures that's
optionally installed would be more user friendly.
Also, I (being unfamiliar with IMA), don't see how this is any better
than trusting the file hash signed by the fedora keys that we currently
have.
Brian
I work on an upstream security project (https://keylime.dev), we are packaged in Fedora that would hugely benefit from this.
In turn our users will be able to more easily manage the remote attestation of a Fedora system (as Fedora is our target environment).
--
Brian C. Lane (PST8PDT) - weldr.io - lorax - parted - pykickstart
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
_______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx