Re: Add support for shipping extended attributes in debs

To: Matthew Garrett <mjg59@google.com>
Cc: debian-dpkg@lists.debian.org
Subject: Re: Add support for shipping extended attributes in debs
From: Ian Jackson <ijackson@chiark.greenend.org.uk>
Date: Fri, 4 May 2018 12:12:30 +0100
Message-id: <[🔎] 23276.16414.638756.10821@chiark.greenend.org.uk>
In-reply-to: <[🔎] CACdnJutDYR+Hd055eG3PQq-bbWnxtjy=sa1XMQUnLF65Oynisw@mail.gmail.com>
References: <[🔎] 20180501203731.62577-1-mjg59@google.com> <[🔎] 23273.45450.6153.161524@chiark.greenend.org.uk> <[🔎] CACdnJuu7L=YXhODhbKN=0KUNjb1xnPXkAdWM_+dHAoGe+Ry=wA@mail.gmail.com> <[🔎] 23275.11509.567477.126805@chiark.greenend.org.uk> <[🔎] CACdnJutDYR+Hd055eG3PQq-bbWnxtjy=sa1XMQUnLF65Oynisw@mail.gmail.com>

Matthew Garrett writes ("Re: Add support for shipping extended attributes in debs"):
> On Thu, May 3, 2018 at 8:39 AM Ian Jackson <ijackson@chiark.greenend.org.uk>
> wrote:
> > I see.  That's a nice explanation of the next layer up.  But I was
> > hoping for a layer 9 anser.
> 
> I'm not sure I understand. In order to achieve this we need to ship the
> signatures. The signatures are directly associated with the files. If dpkg
> is installing the files then it also ought to be writing out the
> signatures, otherwise things can end up out of sync - if a binary is
> executed before the signature is written out then either it'll end up in
> the untrusted tier or the kernel will block execution because the IMA or
> EVM validation will fail.

Who wants the unapproved binaries to run, and who wants to prevent
them from running, and (in each case) why ?

My reference to `layer 9' is to the usage seen here:
  http://www.flora.ca/osw2004/osw2004.pdf

Ian.

-- 
Ian Jackson <ijackson@chiark.greenend.org.uk>   These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.

Reply to:

Follow-Ups:
- Re: Add support for shipping extended attributes in debs
  - From: Matthew Garrett <mjg59@google.com>

References:
- Add support for shipping extended attributes in debs
  - From: Matthew Garrett <mjg59@google.com>
- Re: Add support for shipping extended attributes in debs
  - From: Ian Jackson <ijackson@chiark.greenend.org.uk>
- Re: Add support for shipping extended attributes in debs
  - From: Matthew Garrett <mjg59@google.com>
- Re: Add support for shipping extended attributes in debs
  - From: Ian Jackson <ijackson@chiark.greenend.org.uk>
- Re: Add support for shipping extended attributes in debs
  - From: Matthew Garrett <mjg59@google.com>

Prev by Date: Re: [dpkg] 06/24: debian: Add libncurses-dev as the first Build-Depends alternative
Next by Date: Re: RFC: Support for zstd in .deb packages?
Previous by thread: Re: Add support for shipping extended attributes in debs
Next by thread: Re: Add support for shipping extended attributes in debs
Index(es):
- Date
- Thread