On Mon, Oct 9, 2017 at 11:15 AM, Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote:
> On Mon, 2017-10-09 at 10:59 -0700, Matthew Garrett wrote:
>> Ok, that makes sense. But for cases where we do have security.ima, the
>> inode doesn't seem to provide additional security but does make
>> deployment more difficult. Does supporting this use case seem
>> reasonable?
>
> Yes!

Excellent. This means defining a new signature type - the two options
seem to be Mikhail's portable format, or the approach I took of having
the signature define which metadata is included. Do you have a
preference?