On Sun, Dec 26, 2021 at 1:10 AM Dan Čermák
<dan.cer...@cgc-instruments.com> wrote:
>
> Ben Cotton <bcot...@redhat.com> writes:
>
> *snip*
>
> >
> > It will also make Fedora able to detect tampering of its components at
> > a more privileged level, the kernel, without the interference of user
> > space programs. Once tampering has been detected, the actions of the
> > altered component are prevented before that component gets the chance
> > to perform any action. Fedora could be configured to also allow the
> > usage of components provided by the user, if he wishes to do so
> > (DIGLIM has a tool to build custom digest lists).
>
> How would that look in practice? Will a user just get a message in the
> journal?
>
> > == Upgrade/compatibility impact ==
> > The user should ensure that software (not updated) from the old
> > distribution is packaged and the package header is signed, or he
> > should create and sign a custom digest list for the software he wishes
> > to use after the upgrade.
>
> Uhm, so locally/manually installed software (i.e. not signed by Fedora's
> signkeys) will silently break when switching to F36? How about 3rd party
> repositories?

It wouldn't be the first time software has been deliberately broken by
well-intended kernel security changes. Remember when systemd decided
to cancel all backgrounded processes belong to a user when they logged
out, breaking "screen" and "tux", with no record of killing the jobs
whatsover? Fortunately, people screamed pretty hard about that one.

Nico Kadel-Garcia

> Cheers,
>
> Dan
> _______________________________________________
> devel mailing list -- devel@lists.fedoraproject.org
> To unsubscribe send an email to devel-le...@lists.fedoraproject.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
> Do not reply to spam on the list, report it: 
> https://pagure.io/fedora-infrastructure
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

Reply via email to