> (3) We should have a "security path", like "critical path". > > sshd is linked to a lot of libraries: > > /lib64/libaudit.so.1 audit-libs > /lib64/libc.so.6 glibc > /lib64/libcap-ng.so.0 libcap-ng > /lib64/libcap.so.2 libcap > /lib64/libcom_err.so.2 libcom_err > /lib64/libcrypt.so.2 libxcrypt > /lib64/libcrypto.so.3 openssl-libs > /lib64/libeconf.so.0 libeconf > /lib64/libgcc_s.so.1 libgcc > /lib64/libgssapi_krb5.so.2 krb5-libs > /lib64/libk5crypto.so.3 krb5-libs > /lib64/libkeyutils.so.1 keyutils-libs > /lib64/libkrb5.so.3 krb5-libs > /lib64/libkrb5support.so.0 krb5-libs > /lib64/liblz4.so.1 lz4-libs > /lib64/liblzma.so.5 xz-libs > /lib64/libm.so.6 glibc > /lib64/libpam.so.0 pam-libs > /lib64/libpcre2-8.so.0 pcre2 > /lib64/libresolv.so.2 glibc > /lib64/libselinux.so.1 libselinux > /lib64/libsystemd.so.0 systemd-libs > /lib64/libz.so.1 zlib / zlib-ng > /lib64/libzstd.so.1 zstd > > Should we have a higher level of attention to these packages? We > already have "critical path", but that's a broad category now. These > seem like they are "security path" packages, an intentionally small > subset associated with very secure services which are enabled by > default. I agree, but that brings us to the question of what to do about them that's special. Unrelated to the idea that some packages are special in this way, it's probably worth writing some static analysis tools we could put into rpm-inspect to detect when (a) a binary grows new public keys it didn't have before, and (b) a shared object grows a new ifunc. The latter is dramatically easier, of course, but both of those should be pretty rare events, so they're worth further inspection. Even if it's just RSA keys that we search for, that would add some benefit, and that's pretty easy if nobody has tried to cover their tracks: scan a binary for a big power of two sized odd number followed by a small prime number, and then filtering that with a more rigorous prime test on the first number will detect RSA keys and probably very little else. Might be worth grepping for "----- BEGIN" as well. Just some thoughts, I'm sure we'll all have many more where these come from. -- Peter -- _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue