[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Add support for shipping extended attributes in debs

Matthew Garrett writes ("Add support for shipping extended attributes in debs"):
> This is currently something of a scratch proposal, but let's see where
> it goes. This patchset adds support for shipping an mtree file within
> debs, which (right now) is only used for writeout of extended
> attributes. The idea is that additional metadata can be incorporated
> into the mtree file, providing a unified format for metadata storage and
> making it easy to compare the installed system state to the default
> package state (and restore it if necessary).
> I'm primarily interested in using this to ship security metadata in the
> form of security.ima and security.evm, but this also provides a way to
> ship file capabilities without requiring postinst to mess about with
> setcap.

Why do you want to ship security metadata and have dpkg apply it ?

Security mechanisms serve the interests of some people over others,
and we should understand who we are helping and who we are hurting, so
we can decide whether that's a good thing.

FAOD I generally trust your personal judgement about these kinds of
things but I think this is a question that you ought to have addressed
in your mail.

(In the unlikely event that the answer now is that we shouldn't
include this feature because the users would be contrary to our
values, of course we might need to revisit that if other use cases
turn up.)


Ian Jackson <ijackson@chiark.greenend.org.uk>   These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.

Reply to: