[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Add support for shipping extended attributes in debs

Matthew Garrett writes ("Re: Add support for shipping extended attributes in debs"):
> On Thu, May 3, 2018 at 8:39 AM Ian Jackson <ijackson@chiark.greenend.org.uk>
> wrote:
> > I see.  That's a nice explanation of the next layer up.  But I was
> > hoping for a layer 9 anser.
> I'm not sure I understand. In order to achieve this we need to ship the
> signatures. The signatures are directly associated with the files. If dpkg
> is installing the files then it also ought to be writing out the
> signatures, otherwise things can end up out of sync - if a binary is
> executed before the signature is written out then either it'll end up in
> the untrusted tier or the kernel will block execution because the IMA or
> EVM validation will fail.

Who wants the unapproved binaries to run, and who wants to prevent
them from running, and (in each case) why ?

My reference to `layer 9' is to the usage seen here:


Ian Jackson <ijackson@chiark.greenend.org.uk>   These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.

Reply to: