[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: RFC: Unified package metadata format

On Thu, Mar 30, 2017 at 3:02 PM, Florian Weimer <fw@deneb.enyo.de> wrote:
> * Matthew Garrett:
>
>> I'm looking at implementing support for IMA file signatures inside
>> dpkg. The previous patches posted for this
>> (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=850340) did so
>> using extended PAX metadata, but people didn't seem terribly
>> enthusiastic about that.
>
> Do really want to have such a software singing infrastructure in
> Debian?  What's the benefit to *our* users?  (As opposed to commercial
> downstream distributions.)

There's several reasons:

* Users auditing their systems can have full kernel-enforced
cryptographic assurance that the files they have on disk match the
files that Debian shipped. Doing that otherwise would involve you
having to take the machine offline.

* Debian could sign each archive with a different key, allowing users
to configure their systems to only trust executables signed with the
key from main and ensure that they don't accidentally end up running
any non-free code

* Even Debian users may (for security or other policy reasons) want to
configure systems so that they only run binaries that are provided
through some trusted distribution mechanism.
Reply to: