Re: Fedora 34 Change: Signed RPM Contents (late System-Wide Change)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Panu Matilainen wrote:
> On my F33 laptop, there are 331284 rpm-installed files. The IMA
> signature as proposed is apparently 162 bytes per file in the
> hex-encoded format, this makes for approximately 51 megabytes of data.
> My rpmdb is about 115 megabytes. That'd be almost 45% increase in size!
> And this would be on EVERYBODY's database whether you use the feature or
> not, also slowing down every single rpm query somewhat as a whole lot
> more data has to be pulled from disk, and there's no way to get rid of
> the weight once its there. The height of the insult is that the data is
> essentially useless in the rpmdb, it's only relevant during
> installation, for the (presumably few) people who actually enable the
> feature. And of course that extra weight in every single package is
> carried around in mirrors and each and every package download too, again
> whether you use the feature or not.
> 
> What the IMA feature really needs is a redesign to avoid inflicting this
> cost on everybody whether you use the feature or not, but the
> low-hanging fruit is the encoding: the hex encoding is just about the
> most stupid format there is for such a purpose, when base64 encoded the
> same data is ~38% of the size of the hex encoding, which brings down the
> IMA data size in the above figures to ~19 megabytes and ~17% increase in
> rpmdb size, which is a lot of data still but a lot less anyhow.

IMHO, this overhead is entirely unacceptable. Even using base64 would still 
be too expensive. This Change should just be permanently rejected (not just 
for F34 as it already was).

I disagree that centrally signed individual files are a desirable feature at 
all. It is already clear that the vast majority of users will have no use 
for this feature and will not have it enabled. Hence, I do not see why we 
should be paying for it with any kind of overhead. Not even if it were only 
the overhead of infrastructure having to sign all those files and mirrors 
having to carry an external database.

        Kevin Kofler
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux