On Mon, 5 Jun 2023 at 14:10, Steve Grubb <sgr...@redhat.com> wrote: > On Monday, June 5, 2023 1:37:24 PM EDT Stephen Smoogen wrote: > > On Mon, 5 Jun 2023 at 13:32, Michael Catanzaro <mcatanz...@redhat.com> > > > > wrote: > > > On Mon, Jun 5 2023 at 01:13:50 PM -0400, Demi Marie Obenour > > > > > > <demioben...@gmail.com> wrote: > > > > zlib should be added to the standard freedesktop.org runtime if it > is > > > > not > > > > already included. > > > > > > zlib is included in both freedesktop-sdk and also GNOME runtimes, so > > > nobody should need to bundle it. > > > > > > Michael > > > > The problem I see in these conversations are: > > > > 1. What is a flatpak and what does it mean to have an application in it? > Is > > it everything bundled in it or does it use layers? > > 2. So there are these 'SDKs' that people mention? What is in them? How > are > > they built? How are they updated? Who maintains them and how can we > > 'verify' in the 'trust and verify' method (aka source code, build flags, > > build system). > > > > I think a FAQ around these and others would probably cut down a lot of > the > > uncertainty and doubt people feel. > > Yes. And how does it's security model work? > > What is the root of trust? Are they signed by a Fedora key that I already > have? How can we verify it's integrity? Once installed, how do I verify > it's > integrity? How do I check if anything has been modified? Does it integrate > well with SE Linux, IMA, fapolicyd, or openscap? On a locked down system, > are > there sysctls that I have undo such as user namespaces? If an app > coredumps, > does a problem report get generated? Who gets it? > > How can I tell what the security policy that the upstream chose to implement for me.
> -Steve > > > -- Stephen Smoogen, Red Hat Automotive Let us be kind to one another, for most of us are fighting a hard battle. -- Ian MacClaren
_______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
