Re: [PATCH v2] Support for PAX extended header and Linux extended attributes

[Stefan Berger <stefanb@linux.vnet.ibm.com>]

On 05/23/2016 02:27 PM, Stefan Berger wrote:
> On 05/23/2016 05:50 AM, Guillem Jover wrote:
> > Hi!
> >
> > On Thu, 2016-05-19 at 11:33:27 -0400, Stefan Berger wrote:
> > > The following patch adds support for the tar pax extended header to 
> > > the tar
> > > parser so that tar files with pax extended headers containing Linux 
> > > extended
> > > attributes can be processed by dpkg. Essentially the pax extended 
> > > header
> > > contains key value pairs that describe file attributes. More 
> > > information
> > > about the format can be found here:
> > >
> > > http://pubs.opengroup.org/onlinepubs/009695299/utilities/pax.html#tag_04_100_13_03 
> > >
> > >
> > > We are particularly interested in the security.ima extended attribute,
> > > which, if available, contains a signature for the following file in 
> > > the tar
> > > and which we then write as a Linux extended attribute into the 
> > > filesystem.
> > First of all, thanks for the patch! I've been looking into this the
> > past several days, and unfortunately I see some problems with the
> > proposed implementation and probably with this approach in general.
>
> You're welcome.

> > mtree(5) support, which I hope to get ready soon, but I'm still 
> > uncertain
> > if that would be ideal as that manifest.
> >
> >
> > I guess this all depends a bit on how this all is intended to be used.
>
> In the future, ideally distros would provide repositories with 
> packages where the contents are signed. Whether the installed system 
> is actually using them would be up to the user, though having them in 
> the packages enables one to setup a rather locked-down secure system.

How can we move this forward?

Regards,
   Stefan