On 1/22/21 1:33 AM, Matthew Miller wrote:
> On Thu, Jan 21, 2021 at 03:16:47PM -0800, Kevin Fenzi wrote:
>> I defer to Patrick, but I think what he was trying to say is that if you
>> do not have the rpm-plugin-ima installed, nothing changes in the files
>> you are installing from rpm. They are exactly the same as they would be
>> if they were not ima signed. It's only after you install the
>> rpm-plugin-ima and install an rpm that it puts the signatures down in the
>> files' extended attributes.
>
> Oh! I hadn't caught that in the original description (and it's much more
> clear now in the revised change proposal). That very much lessens the impact
> of this change!

It does, but the hex-encoded signatures in headers bloat everybody's
rpmdb and add up in download sizes, whether used or not. That matters at
least to the container folks who are desperate about the rpmdb size as
it is. So at the very least a more efficient encoding should be used to
minimize the penalty to *everybody* whether they use this feature or not.

- Panu -