Matthew Garrett <matthewgarrett@google.com> writes:

> * Users auditing their systems can have full kernel-enforced
> cryptographic assurance that the files they have on disk match the
> files that Debian shipped. Doing that otherwise would involve you
> having to take the machine offline.

I would very much like to have this as well.  This sort of thing makes it
much easier to build out a maintainable FIM system that doesn't require
people to constantly whitelist new binaries manually.

> * Even Debian users may (for security or other policy reasons) want to
> configure systems so that they only run binaries that are provided
> through some trusted distribution mechanism.

Yes.  Consider, for example, a Kerberos KDC or other security-critical
system, where you may want to have some automated system for explicitly
blessing a subset of the archive and specific versions of packages and not
allow anything else.

