Hi -

Having upgraded debuginfod.elfutils.org's server to a more modern
distro, this machine now can handle the IMA crypto extensions we added
to debuginfod not too long ago.  It federates to the same debuginfod
servers as before, but for those that show "yes" in the "IMA" column,
it now applies "ima:enforcing" mode.

In theory, this means that users can rely on it taking greater care to
validate its upstream downloads.  In practice, users probably should
*not* use ima:enforcing mode against debuginfod.elfutils.org itself,
because some of its upstreams do not have IMA stuff at all (.deb and
other formats), and it cannot yet consistently relay IMA signatures
to clients (for cached objects PR31862).  Baby steps!

Clients are welcome to experiment with ima:enforcing mode connections
directly to upstream servers marked "yes" in the IMA column of the
public debuginfod servers list, e.g.:

  % export DEBUGINFOD_URLS="ima:enforcing https://debuginfod.fedoraproject.org/";
  % gdb /bin/ls
    [...]

See also:

https://sourceware.org/elfutils/Debuginfod.html
https://sourceware.org/bugzilla/show_bug.cgi?id=30978
https://sourceware.org/bugzilla/show_bug.cgi?id=31842
https://sourceware.org/bugzilla/show_bug.cgi?id=31862
https://sourceware.org/bugzilla/show_bug.cgi?id=32318

- FChE
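
An added example, not part of the original message or of elfutils: a shell helper that reports which IMA policy each URL in a `DEBUGINFOD_URLS` value ends up with, so a federated list can be checked before use. It assumes an `ima:enforcing` or `ima:ignore` tag applies to every URL after it up to the next tag, and that URLs ahead of any tag get `ignore` unless another default is passed in; the function names and the `.example` hosts are constructed for illustration.

```shell
#!/bin/sh
# Added example: map each URL in a DEBUGINFOD_URLS value to its IMA policy.
# Assumption: an "ima:<policy>" tag applies to the URLs that follow it, up to
# the next tag. The policy for URLs ahead of any tag is the second argument
# (assumed "ignore" when omitted).

# ima_policy_map URLS [DEFAULT_POLICY]
# Prints one "policy<TAB>url" line per URL; fails on an unknown ima: tag.
ima_policy_map() (
    set -f                      # no globbing while splitting the list
    policy=${2:-ignore}
    for tok in $1; do           # unquoted on purpose: space-separated list
        case $tok in
            ima:enforcing|ima:ignore) policy=${tok#ima:} ;;
            ima:*) echo "unknown tag: $tok" >&2; exit 1 ;;
            *) printf '%s\t%s\n' "$policy" "$tok" ;;
        esac
    done
)

# ima_unenforced URLS [DEFAULT_POLICY]
# Prints only the URLs that would be fetched without signature enforcement.
ima_unenforced() {
    map=$(ima_policy_map "$1" "${2:-ignore}") || return 1
    printf '%s\n' "$map" | awk -F '\t' 'NF == 2 && $1 != "enforcing" { print $2 }'
}

# Constructed sample: one real server from the message, two placeholder hosts.
SAMPLE_URLS='https://mirror.example/ ima:enforcing https://debuginfod.fedoraproject.org/ ima:ignore https://debs.example/'

ima_policy_map "$SAMPLE_URLS"
echo "--- not enforced:"
ima_unenforced "$SAMPLE_URLS"
```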
