
Re: [PATCH v2] Support for PAX extended header and Linux extended attributes

On 05/23/2016 02:27 PM, Stefan Berger wrote:
On 05/23/2016 05:50 AM, Guillem Jover wrote:

On Thu, 2016-05-19 at 11:33:27 -0400, Stefan Berger wrote:
The following patch adds support for the tar pax extended header to the tar parser so that tar files with pax extended headers containing Linux extended attributes can be processed by dpkg. Essentially the pax extended header contains key value pairs that describe file attributes. More information about the format can be found here:


We are particularly interested in the security.ima extended attribute, which, if available, contains a signature for the following file in the tar and which we then write as a Linux extended attribute into the filesystem.

First of all, thanks for the patch! I've been looking into this the
past several days, and unfortunately I see some problems with the
proposed implementation and probably with this approach in general.

You're welcome.

mtree(5) support, which I hope to get ready soon, but I'm still uncertain
if that would be ideal as that manifest.

I guess this all depends a bit on how this all is intended to be used.

In the future, ideally distros would provide repositories with packages where the contents are signed. Whether the installed system is actually using them would be up to the user, though having them in the packages enables one to set up a rather locked-down secure system.

How can we move this forward?
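
Added example, not part of this thread or of the dpkg patch: a bounds-checked parser for the pax extended header key/value records described in the quoted patch summary, locating the security.ima value. The key name `SCHILY.xattr.security.ima` (the prefix GNU tar uses for xattrs in pax headers), the function names and the sample header are assumptions made for this illustration.

```c
#include <stddef.h>
#include <string.h>

struct pax_rec { const char *key, *val; size_t key_len, val_len; };

/* Parse one "LEN KEY=VALUE\n" record from buf[0..avail). LEN counts the
 * whole record, its own digits included. Pointers in *out refer into buf.
 * Returns the bytes consumed, or 0 if the record is malformed. */
size_t pax_next(const char *buf, size_t avail, struct pax_rec *out)
{
    size_t len = 0, i = 0;
    while (i < avail && buf[i] >= '0' && buf[i] <= '9') {
        if (len > avail / 10) return 0;   /* LEN would exceed the buffer */
        len = len * 10 + (size_t)(buf[i++] - '0');
    }
    if (i == 0 || i >= avail || buf[i++] != ' ') return 0;
    if (len > avail || len < i + 2 || buf[len - 1] != '\n') return 0;
    const char *eq = memchr(buf + i, '=', len - 1 - i);
    if (eq == NULL || eq == buf + i) return 0;  /* no '=' or empty keyword */
    out->key = buf + i;
    out->key_len = (size_t)(eq - out->key);
    out->val = eq + 1;                    /* may be binary: rely on val_len */
    out->val_len = (size_t)(buf + len - 1 - out->val);
    return len;
}

/* Look up the security.ima xattr in a pax extended header body. The whole
 * header is validated: returns 1 if found, 0 if absent, -1 if malformed. */
int pax_find_ima(const char *hdr, size_t size, struct pax_rec *out)
{
    static const char want[] = "SCHILY.xattr.security.ima"; /* assumed key */
    size_t off = 0;
    int found = 0;
    while (off < size) {
        struct pax_rec r;
        size_t n = pax_next(hdr + off, size - off, &r);
        if (n == 0) return -1;
        if (r.key_len == sizeof(want) - 1 && !memcmp(r.key, want, r.key_len)) {
            *out = r;
            found = 1;
        }
        off += n;
    }
    return found;
}

/* Constructed sample: a path record, then a 5-byte value with a newline. */
const char pax_sample[] = "20 path=usr/bin/foo\n"
                          "35 SCHILY.xattr.security.ima=\x03\x02\nAB\n";
```

The value is returned as a pointer and length because an xattr such as a signature is binary and can contain NUL or newline bytes, so it must not be treated as a C string.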

