On Wed, Jan 06, 2021 at 01:27:40AM +0100, Kevin Kofler via devel wrote:
> Ben Cotton wrote:
>> == Summary ==
>> We want to add signatures to individual files that are part of shipped
>> RPMs. These signatures will use the Linux IMA (Integrity Measurement
>> Architecture) scheme, which means they can be used to enforce runtime
>> policies to ensure execution of only trusted files.
In more mundane words: a signature will be shipped in the rpm for each file
separately? And what will be done with this signature on the destination
machine: will it be kept in the rpms database or something more?
What is the overhead on packed rpm size, rpm database, on-disk installation?
Can the description be made clearer in what is changed in rpms and how IMA
is consuming those changes on the installation machine?
>> == Owner ==
>> * Name: [[User:Puiterwijk| Patrick Uiterwijk]]
>> * Email: puiterwijk(a)redhat.com
>> * Name: [[User:Pbrobinson| Peter Robinson]]
>> * Email: pbrobinson(a)gmail.com
> I am opposed to this Change, because it increases the file size of all RPMs
> and the size of the RPM database (and hence, of all installed systems,
> including, but not limited to, the live images) to implement what basically
> amounts to "Treacherous Computing"
> [https://www.gnu.org/philosophy/can-you-trust.en.html].
> Neither do I consider it acceptable to ban execution of non-centrally-signed
> binaries,
I don't think we should forbid opt-in verification, no matter if
centrally managed or not. It's not 1995 and people have fleets of machines
that are centrally managed...
> nor do I consider it acceptable to bloat all our packages with
> per-file signatures that are ultimately redundant with the package
> signatures that already guarantee the integrity of all files in the package.
...
but that is a good question. The "Benefit to Fedora" doesn't
actually explain why those signatures are better than the ones we already have.
Zbyszek