RE: F36 Change: DIGLIM (System-Wide Change proposal)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



> From: Neal Gompa [mailto:ngompa13@xxxxxxxxx]
> Sent: Saturday, January 1, 2022 3:47 PM
> On Sat, Jan 1, 2022 at 5:51 AM Vitaly Zaitsev via devel
> <devel@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
> >
> > On 31/12/2021 20:03, Nico Kadel-Garcia wrote:
> > > Sounds like, if this is enabled, they'll need a GPG key associated
> > > with their personal repository.
> >
> > Locally built packages are always unsigned.
> >
> 
> They don't have to be, but yes, by default they are.
> 
> And note, you can already configure DNF to require GPG validation of
> local packages by setting localpkg_gpgcheck=1 in dnf.conf.

Hi everyone

first, Happy New Year!

I agree that if you are a developer, often installing
new software for testing, this feature makes things
harder.

If you are installing software in the main system and
running it as root, yes, you would have to install your GPG
key (or the certificate of your RSA key) in the kernel keyring.
And also, you should use rpmsign to sign your RPMs before
you install them (assuming that you want IMA appraisal
and not just measurement).

If you are testing software as a regular user, then
enforcing a policy only on root processes will not affect
your work (you can test unsigned RPMs).

This feature will not block VMs, so also there you can
test things without restriction. Currently, IMA does not
support per container policy (it is under development),
but in the future you would be able to test things in
a container without restriction, and by having full
enforcement on the root container.

Roberto

HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Li Peng, Zhong Ronghua
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux