On 1/26/21 8:44 PM, Kevin Fenzi wrote:
> So, the thread here kind of fell quiet with everything else going on.
> It seems clear there's issues to address here before this change might
> get approved. Here's my list:
>
> * Try and change the storage format of the signatures to not take up
> tons of room. I guess this would be in ima tools and sigul?

That'd be rpm upstream work.

On my F33 laptop, there are 331284 rpm-installed files. The IMA
signature as proposed is apparently 162 bytes per file in the
hex-encoded format, this makes for approximately 51 megabytes of data.
My rpmdb is about 115 megabytes. That'd be an almost 45% increase in size!
And this would be on EVERYBODY's database whether you use the feature or
not, also slowing down every single rpm query somewhat as a whole lot
more data has to be pulled from disk, and there's no way to get rid of
the weight once it's there. The height of the insult is that the data is
essentially useless in the rpmdb, it's only relevant during
installation, for the (presumably few) people who actually enable the
feature. And of course that extra weight in every single package is
carried around in mirrors and each and every package download too, again
whether you use the feature or not.

What the IMA feature really needs is a redesign to avoid inflicting this
cost on everybody whether you use the feature or not, but the
low-hanging fruit is the encoding: the hex encoding is just about the
most stupid format there is for such a purpose, when base64 encoded the
same data is ~38% of the size of the hex encoding, which brings down the
IMA data size in the above figures to ~19 megabytes and ~17% increase in
rpmdb size, which is a lot of data still but a lot less anyhow.

The existing hex encoded format needs to continue to be supported both
on the install and signing side as it has been in several releases now,
but there's no reason both can't be supported.

Patches welcome.
- Panu -
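
On the point above about supporting both encodings, an added example (not rpm's code and not part of this thread): hex digits are also valid base64 characters, so a reader that accepts both formats cannot decide by alphabet alone, and this one decides by checking the decoded bytes against the kernel's IMA `signature_v2_hdr` layout and fails closed otherwise. The base64 form, the function names and the sample signature are assumptions made for illustration.

```python
import base64
import binascii
import struct

EVM_IMA_XATTR_DIGSIG = 0x03    # xattr type byte for an IMA digital signature
SIG_VERSION = 2                # signature_v2_hdr version
HDR = struct.Struct(">BBBIH")  # type, version, hash_algo, keyid, sig_size (big-endian)


def _well_formed(blob: bytes) -> bool:
    """True if blob is a complete v2 header followed by exactly sig_size bytes."""
    if len(blob) < HDR.size:
        return False
    kind, version, _algo, _keyid, sig_size = HDR.unpack_from(blob)
    return (kind == EVM_IMA_XATTR_DIGSIG and version == SIG_VERSION
            and sig_size == len(blob) - HDR.size)


def decode_file_signature(text: str) -> tuple[str, bytes]:
    """Return (encoding, raw_bytes) for a hex- or base64-encoded IMA signature.

    Both decodings are attempted; the header check picks the one that is a
    structurally valid signature blob. Zero or two valid results are rejected.
    """
    candidates = []
    try:
        candidates.append(("hex", bytes.fromhex(text)))
    except ValueError:
        pass
    try:
        candidates.append(("base64", base64.b64decode(text, validate=True)))
    except (binascii.Error, ValueError):
        pass
    valid = [(enc, raw) for enc, raw in candidates if _well_formed(raw)]
    if len(valid) != 1:
        raise ValueError("not exactly one valid decoding; rejecting")
    return valid[0]


def sample_signature(sig_len: int = 72) -> bytes:
    """Constructed sample: valid header plus dummy bytes, not a real signature."""
    header = HDR.pack(EVM_IMA_XATTR_DIGSIG, SIG_VERSION, 4, 0x1234ABCD, sig_len)
    return header + bytes(range(sig_len))
```
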