Re: Add support for shipping extended attributes in debs
Matthew Garrett writes ("Re: Add support for shipping extended attributes in debs"):
> On Thu, May 3, 2018 at 8:39 AM Ian Jackson <ijackson@chiark.greenend.org.uk>
> wrote:
> > I see. That's a nice explanation of the next layer up. But I was
> > hoping for a layer 9 answer.
>
> I'm not sure I understand. In order to achieve this we need to ship the
> signatures. The signatures are directly associated with the files. If dpkg
> is installing the files then it also ought to be writing out the
> signatures, otherwise things can end up out of sync - if a binary is
> executed before the signature is written out then either it'll end up in
> the untrusted tier or the kernel will block execution because the IMA or
> EVM validation will fail.
Who wants the unapproved binaries to run, and who wants to prevent
them from running, and (in each case) why?
My reference to `layer 9' is to the usage seen here:
http://www.flora.ca/osw2004/osw2004.pdf
Ian.
--
Ian Jackson <ijackson@chiark.greenend.org.uk> These opinions are my own.
If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.