On Thu, Jan 21, 2021 at 9:51 AM Kevin Kofler via devel <devel@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
>
> Patrick マルタインアンドレアス Uiterwijk wrote:
> > I'd like to point out that after many requests, I have updated the change
> > page for this significantly, with more details as to the goals (and
> > non-goals) of this feature, and answers to many other questions asked.
>
> Sorry, but these clarifications only make it even clearer to me that I do
> not want this.
>
> The size measurements show that the RPMDB increases by 20%, which is a lot.
> Also, the unit "bytes" in that sentence seems to be wrong, because the next
> sentence speaks of a 5 MB increase.
>
> And this "feature":
>
> | Having all files signed with Fedora keys would enable integration with for
> | example [https://keylime.dev/], which is a CNCF project that implements
> | remote system attestation, based on which a system may or may not get
> | access to secrets and other consequences.
>
> claims that those signatures can be used by a remote system to enforce an
> unmodified Fedora, which is a blatant violation of GPLv3 requirements.

It can if you:

1) have an IMA policy signed by the Fedora signing keys (the state at this point in time at least)
2) modify the kernel command line to enable IMA
3) have a TPM module
4) install rpm-plugin-ima
5) install the keylime agent
6) configure the keylime server in the agent
7) probably extra steps that I've missed

None of that is being done by default, nor is it intended to be for any of the general Fedora pieces. There are numerous ways of disabling this; the easiest is not to have rpm-plugin-ima installed, and that is the default on Fedora.

There are other advantages: you can know if a binary has been modified at runtime (as opposed to at a manual, individual time with rpm -V) from what was on the build system, so you can tell if the system has been compromised and, with a policy, make a decision on how to handle that.
For a single-user system such as a laptop or desktop that might not make sense, but there are a lot of cases where it does, and by doing so it improves the security of those systems. I think making Fedora more secure for those who wish to use the functionality is a good thing as a whole.

It's not a violation of the GPLv3 if a user wishes to do that on systems they own and control and they aren't selling them without the ability to unlock it. In Fedora we're not doing that, and this is not part of the proposal. This is all about being able to verify the user is running the binaries that came from the build system.

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
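The following script is an added example and is not code from the Fedora change proposal, from Keylime, or from anyone in this thread. It checks for the pieces the reply enumerates (IMA switched on via the kernel command line, a TPM, rpm-plugin-ima, the per-file security.ima xattr) and then shows the kind of comparison a remote verifier performs: measured file hashes from the IMA measurement list checked against an allowlist of hashes that came from the build system, which is what lets an operator tell a modified binary from the original at runtime rather than only at `rpm -V` time. The sample allowlist and measurement lines are constructed; `/dev/tpm0`, the sysfs path `/sys/kernel/security/ima/ascii_runtime_measurements`, and the package name `rpm-plugin-ima` are assumptions about a typical Fedora host, and the kernel parameters `ima_appraise=` and `ima_policy=` are the standard IMA boot options.

```shell
#!/bin/sh
# Added example, not code from the Fedora change proposal or from anyone in
# this thread. Checks for the pieces the reply lists and demonstrates the
# allowlist comparison a verifier makes over the IMA measurement list.
# Sample data below is constructed; /dev/tpm0, the sysfs measurement-list
# path and the package name rpm-plugin-ima are assumptions about a Fedora host.

# Value of ima_appraise= on a kernel command line, or "absent" if not set.
# $1: command-line text (live: the contents of /proc/cmdline). Appraisal also
# needs a policy, so "enforce" alone does not mean files are being checked.
ima_appraise_mode() {
    mode=absent
    for tok in $1; do
        case "$tok" in
            ima_appraise=*) mode="${tok#ima_appraise=}" ;;
        esac
    done
    printf '%s\n' "$mode"
}

# Value of ima_policy= (e.g. tcb, appraise_tcb) on a command line, or "absent".
ima_policy_name() {
    name=absent
    for tok in $1; do
        case "$tok" in
            ima_policy=*) name="${tok#ima_policy=}" ;;
        esac
    done
    printf '%s\n' "$name"
}

# Compare ima-ng measurement entries against an allowlist the way a verifier
# such as Keylime does: the allowlist says which file hash is expected for
# each path; anything measured that differs, or is not listed, is reported.
# $1: allowlist file, one "sha256hex path" per line
# $2: measurement-list file in ima-ng format, i.e. lines of
#     "<pcr> <template-hash> ima-ng sha256:<file-hash> <path>"
# Prints "MODIFIED <path>" or "UNKNOWN <path>" per finding; exit 1 if any.
# Paths containing spaces are not handled by this simple field split.
check_measurements() {
    awk '
        FILENAME == ARGV[1] { allow[$2] = $1; next }
        NF < 5 || $3 != "ima-ng" { next }
        {
            hash = $4
            sub(/^sha256:/, "", hash)
            if (!($5 in allow))         { print "UNKNOWN " $5;  bad = 1 }
            else if (allow[$5] != hash) { print "MODIFIED " $5; bad = 1 }
        }
        END { exit bad }
    ' "$1" "$2"
}

# Constructed sample data (not from a real system): bash matches the
# allowlist, ls was measured with a hash the allowlist does not expect, and
# the third path is not in the allowlist at all.
SAMPLE_ALLOWLIST='a1b2c3 /usr/bin/bash
d4e5f6 /usr/bin/ls'
SAMPLE_MEASUREMENTS='10 1111 ima-ng sha256:a1b2c3 /usr/bin/bash
10 2222 ima-ng sha256:ffffff /usr/bin/ls
10 3333 ima-ng sha256:9999 /usr/local/bin/dropper'

# Run check_measurements over the sample data; prints the two findings and
# returns its non-zero status.
demo_check() {
    allow=$(mktemp) && ml=$(mktemp) || return 2
    printf '%s\n' "$SAMPLE_ALLOWLIST" > "$allow"
    printf '%s\n' "$SAMPLE_MEASUREMENTS" > "$ml"
    rc=0
    check_measurements "$allow" "$ml" || rc=$?
    rm -f "$allow" "$ml"
    return $rc
}

# Live use on a host: sh ima_check.sh --live [allowlist-file]
# Nothing below runs when the script is sourced or executed without --live.
if [ "${1:-}" = "--live" ]; then
    cmdline=$(cat /proc/cmdline)
    echo "ima_appraise: $(ima_appraise_mode "$cmdline")"
    echo "ima_policy:   $(ima_policy_name "$cmdline")"
    if [ -e /dev/tpm0 ]; then echo "tpm: /dev/tpm0 present"; else echo "tpm: none"; fi
    rpm -q rpm-plugin-ima 2>/dev/null || echo "rpm-plugin-ima: not installed"
    # Per-file signature written by rpm-plugin-ima at install time, if any:
    getfattr -m security.ima -d /usr/bin/bash 2>/dev/null || echo "no security.ima on /usr/bin/bash"
    if [ -n "${2:-}" ]; then
        check_measurements "$2" /sys/kernel/security/ima/ascii_runtime_measurements
    fi
fi
```

On the constructed data `demo_check` prints `MODIFIED /usr/bin/ls` and `UNKNOWN /usr/local/bin/dropper` and returns 1; a host where every measured file matches the allowlist returns 0. The allowlist in a real deployment is what the signed Fedora files give you: hashes that came from the build system rather than from the machine being checked.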