Re: [PATCH v2] Support for PAX extended header and Linux extended attributes
On 07/01/2016 02:35 PM, Stefan Berger wrote:
On 05/23/2016 02:27 PM, Stefan Berger wrote:
On 05/23/2016 05:50 AM, Guillem Jover wrote:
On Thu, 2016-05-19 at 11:33:27 -0400, Stefan Berger wrote:
The following patch adds support for the tar pax extended header to
parser so that tar files with pax extended headers containing Linux
attributes can be processed by dpkg. Essentially the pax extended
contains key value pairs that describe file attributes. More
about the format can be found here:
We are particularly interested in the security.ima extended attribute,
which, if available, contains a signature for the following file in
and which we then write as a Linux extended attribute into the
First of all, thanks for the patch! I've been looking into this the
past several days, and unfortunately I see some problems with the
proposed implementation and probably with this approach in general.
mtree(5) support, which I hope to get ready soon, but I'm still
if that would be ideal as that manifest.
I guess this all depends a bit on how this all is intended to be used.
In the future, ideally distros would provide repositories with
packages where the contents are signed. Whether the installed system
is actually using them would be up to the user, though having them in
the packages enables one to set up a rather locked-down secure system.
How can we move this forward?
We also recently presented our work on file signatures at Linux Plumbers
I have been using the patches for PAX header support in dpkg & apt-get
for a while now and installing and updating a system that uses file
signatures embedded in the PAX header works quite well.
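
The key/value records discussed in this thread can be read as in the following added example, which is not taken from the thread or from the proposed dpkg patch. It assumes the xattr is stored under the `SCHILY.xattr.` key prefix that GNU tar uses; `pax_find` is a hypothetical helper and the sample header body is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed pax extended header body: two "<len> <key>=<value>\n" records.
 * The SCHILY.xattr.* key is how GNU tar stores xattrs; the 6-byte value is made up. */
static const char SAMPLE[] =
    "30 mtime=1463671407.000000000\n"
    "36 SCHILY.xattr.security.ima=" "\x03\x02" "sig!\n";

/* Look up `key` in a pax header body. Returns the value length and points *val
 * (if non-NULL) at the value; -1 if the key is absent, -2 if a record is malformed. */
long pax_find(const unsigned char *buf, size_t len, const char *key,
              const unsigned char **val)
{
    size_t klen = strlen(key), pos = 0;

    while (pos < len) {
        size_t rec = 0, i = pos;
        /* <len> is decimal and counts the whole record, digits and '\n' included. */
        for (; i < len && buf[i] >= '0' && buf[i] <= '9'; i++) {
            if (rec > (len - pos) / 10)
                return -2;              /* larger than the data left; also stops overflow */
            rec = rec * 10 + (size_t)(buf[i] - '0');
        }
        if (i == pos || i == len || buf[i] != ' ')
            return -2;
        if (rec > len - pos || rec < (i - pos) + 3)
            return -2;                  /* must fit and hold at least " =\n" */
        const unsigned char *k = buf + i + 1;
        const unsigned char *end = buf + pos + rec - 1;
        /* Values are binary (xattrs), so trust the length, never scan for '\n'. */
        const unsigned char *eq = memchr(k, '=', (size_t)(end - k));
        if (*end != '\n' || eq == NULL)
            return -2;
        if ((size_t)(eq - k) == klen && memcmp(k, key, klen) == 0) {
            if (val != NULL)
                *val = eq + 1;
            return (long)(end - eq - 1);
        }
        pos += rec;
    }
    return -1;
}

int main(void)
{
    long n = pax_find((const unsigned char *)SAMPLE, sizeof SAMPLE - 1,
                      "SCHILY.xattr.security.ima", NULL);
    printf("security.ima value: %ld bytes\n", n);
    return n < 0;
}
```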