Re: F36 Change: DIGLIM (System-Wide Change proposal)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, Dec 29, 2021 at 1:35 PM Neal Gompa <ngompa13@xxxxxxxxx> wrote:
>
> On Wed, Dec 29, 2021 at 11:03 AM Stephen Snow <s40w5s@xxxxxxxxx> wrote:
> >
> > On Wed, 2021-12-29 at 06:38 -0500, Neal Gompa wrote:
> > > With Windows 11, they're *mandatory*. Corporate policies now
> > > effectively *require* TPM-based mechanisms *in addition* to classical
> > > password or token-based multi-factor authentication.
> > This certainly is not any reason to adopt this for Fedora. So far in my
> > life with TPM, it has been an annoyance that I find refreshing not to
> > have to even contemplate with my Fedora Linux installation.
> > I see no benefit for the Fedora Community and the Fedora Project it
> > supports to follow the lead of the proprietary driven objectives. The
> > only obvious one that comes to mind is the recent announcements of it's
> > inclusion on traditionally proprietary OS vendor supplied hardware.
> > This wreaks of "for profit" motivation.
> >
> > Just my opinion on what I am reading here in the comments.
>
> To be fully transparent, the reason I mentioned that stuff is that
> having the capability to do these things in Fedora Linux is key for
> growth and adoption in more circles. At no point do I want to have
> these features implemented in such a way that the user doesn't have
> the capability to control and self-authenticate their whole system. If
> we ever want Fedora Linux to displace Windows or macOS, we *need* to
> be able to satisfy people's security requirements, including so-called
> "zero trust" architectures.
>
> But none of that has much to do with this Change, since this is about
> making it possible for a user to configure their system to enforce the
> integrity of the system based on RPM database information. As users of
> Fedora Linux systems, we *already* control the RPM database and the
> RPM signature trust directly, so *if* you turn it on, all it does is
> decrease the risk of external tampering.

I'm staring at the introduction letter at:
https://lore.kernel.org/linux-integrity/20210914163401.864635-1-roberto.sassu@xxxxxxxxxx/
RPM headers are a *possible* use. I'd expect this to be used, very
quickly, for other signed metadata for less benign uses.
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux