Re: Add support for shipping extended attributes in debs
Matthew Garrett writes ("Re: Add support for shipping extended attributes in debs"):
> On Thu, May 3, 2018 at 8:39 AM Ian Jackson <email@example.com>
> > I see. That's a nice explanation of the next layer up. But I was
> > hoping for a layer 9 anser.
> I'm not sure I understand. In order to achieve this we need to ship the
> signatures. The signatures are directly associated with the files. If dpkg
> is installing the files then it also ought to be writing out the
> signatures, otherwise things can end up out of sync - if a binary is
> executed before the signature is written out then either it'll end up in
> the untrusted tier or the kernel will block execution because the IMA or
> EVM validation will fail.
Who wants the unapproved binaries to run, and who wants to prevent
them from running, and (in each case) why ?
My reference to `layer 9' is to the usage seen here:
Ian Jackson <firstname.lastname@example.org> These opinions are my own.
If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.