On 1/22/21 1:33 AM, Matthew Miller wrote:
On Thu, Jan 21, 2021 at 03:16:47PM -0800, Kevin Fenzi wrote:
> I defer to Patrick, but I think what he was trying to say is that if you
> do not have the rpm-plugin-ima installed, nothing changes in the files
> you are installing from rpm. They are exactly the same as they would be
> if they were not IMA signed. It's only after you install the
> rpm-plugin-ima and install an rpm that it puts the signatures down in the
> files' extended attributes.
Oh! I hadn't caught that in the original description (and it's much more
clear now in the revised change proposal). That very much lessens the impact
of this change!
It does, but the hex-encoded signatures in headers bloat everybody's
rpmdb and add up in download sizes, whether used or not. That matters at
least to the container folks, who are desperate about the rpmdb size as
it is. So at the very least a more efficient encoding should be used to
minimize the penalty to *everybody*, whether they use this feature or not.
- Panu -
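To make the size argument in Panu's reply concrete, here is an added example (not code from the thread, from rpm, or from the change proposal). It builds a constructed IMA file signature in the kernel's signature_v2_hdr layout (1-byte xattr type 0x03 = EVM_IMA_XATTR_DIGSIG, 1-byte version 2, 1-byte hash-algorithm id, 4-byte key id, 2-byte signature length, then the signature bytes), parses it back, and compares how much header space the same blob costs per file when stored raw, hex-encoded, or base64-encoded. The 256-byte signature body and the key id are filler, and that rpm stores exactly this blob hex-encoded per file is an assumption made for the illustration.

```python
import base64
import struct

# Kernel IMA constants (assumed from the signature_v2_hdr layout).
EVM_IMA_XATTR_DIGSIG = 0x03
SIG_V2 = 2
HASH_ALGO_SHA256 = 4  # value of HASH_ALGO_SHA256 in the kernel hash_algo enum
HDR_FMT = ">BBB4sH"   # type, version, hash_algo, keyid, sig_size (big endian, no padding)
HDR_LEN = struct.calcsize(HDR_FMT)  # 9 bytes


def build_ima_sig(keyid: bytes, sig: bytes, hash_algo: int = HASH_ALGO_SHA256) -> bytes:
    """Assemble a v2 IMA digsig xattr value: 9-byte header followed by the signature."""
    if len(keyid) != 4:
        raise ValueError("keyid must be 4 bytes")
    return struct.pack(HDR_FMT, EVM_IMA_XATTR_DIGSIG, SIG_V2, hash_algo, keyid, len(sig)) + sig


def parse_ima_sig(blob: bytes) -> dict:
    """Decode a v2 IMA digsig blob, rejecting truncated or non-v2 data."""
    if len(blob) < HDR_LEN:
        raise ValueError("too short for signature_v2_hdr")
    xtype, ver, algo, keyid, sig_size = struct.unpack(HDR_FMT, blob[:HDR_LEN])
    if xtype != EVM_IMA_XATTR_DIGSIG or ver != SIG_V2:
        raise ValueError("not an EVM_IMA_XATTR_DIGSIG v2 blob")
    sig = blob[HDR_LEN:HDR_LEN + sig_size]
    if len(sig) != sig_size:
        raise ValueError("signature truncated")
    return {"hash_algo": algo, "keyid": keyid.hex(), "sig": sig}


def encoding_cost(blob: bytes, nfiles: int) -> dict:
    """Bytes needed to carry one such signature for every one of nfiles files."""
    return {
        "raw": len(blob) * nfiles,
        "hex": len(blob.hex()) * nfiles,            # 2 chars per byte
        "base64": len(base64.b64encode(blob)) * nfiles,  # 4 chars per 3 bytes
    }


# Constructed sample: 4-byte filler key id and a 256-byte filler "signature"
# (the size of an RSA-2048 signature); not a real signature.
SAMPLE_KEYID = b"\xde\xad\xbe\xef"
SAMPLE_SIG = bytes(range(256))
SAMPLE_BLOB = build_ima_sig(SAMPLE_KEYID, SAMPLE_SIG)


if __name__ == "__main__":
    parsed = parse_ima_sig(SAMPLE_BLOB)
    print("keyid", parsed["keyid"], "hash_algo", parsed["hash_algo"], "sig bytes", len(parsed["sig"]))
    # Per-file cost and the total for a package set of 50,000 files.
    for n in (1, 50_000):
        print(n, "file(s):", encoding_cost(SAMPLE_BLOB, n))
```

With a 265-byte blob, hex costs 530 bytes per file and base64 356, so across a large package set the encoding choice alone is the difference between tens of megabytes of header data and half that, before any file on the system has actually had an xattr written.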