On Thu, Jan 21, 2021 at 03:16:47PM -0800, Kevin Fenzi wrote:
I defer to Patrick, but I think what he was trying to say is that if
you
do not have the rpm-plugin-ima installed, nothing changes in the files
you are installing from rpm. They are exactly the same as they would be
if they were not ima signed. It's only after you install the
rpm-plugin-ima and install a rpm that it puts the signatures down in the
files extended attributes.
Oh! I hadn't caught that in the original description (and it's much more
clear now in the revised change proposal). That very much lessens the impact
of this change!
--
Matthew Miller
<mattdm(a)fedoraproject.org>
Fedora Project Leader