[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: RFC: Unified package metadata format

Matthew Garrett <matthewgarrett@google.com> writes:

> * Users auditing their systems can have full kernel-enforced
> cryptographic assurance that the files they have on disk match the
> files that Debian shipped. Doing that otherwise would involve you
> having to take the machine offline.

I would very much like to have this as well.  This sort of thing makes it
much easier to build out a maintainable FIM system that doesn't require
people constantly whitelist new binaries manually.

> * Even Debian users may (for security or other policy reasons) want to
> configure systems so that they only run binaries that are provided
> through some trusted distribution mechanism.

Yes.  Consider, for example, a Kerberos KDC or other security-critical
system, where you may want to have some automated system for explicitly
blessing a subset of the archive and specific versions of packages and not
allow anything else.

Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Reply to: