Panu Matilainen wrote:
> On my F33 laptop, there are 331284 rpm-installed files. The IMA
> signature as proposed is apparently 162 bytes per file in the
> hex-encoded format, this makes for approximately 51 megabytes of data.
> My rpmdb is about 115 megabytes. That'd be almost 45% increase in size!
On 1/28/21 12:05 PM, Panu Matilainen wrote:
On 1/28/21 12:21 PM, Roberto Ragusa wrote:
On 1/28/21 9:34 AM, Panu Matilainen wrote:
On 1/27/21 8:30 PM, Kevin Fenzi wrote:
SO, I don't really understand... Patrick says in the Change:
"The size of the rpmdb increases from 22952 to 28416 bytes, a
On 1/28/21 12:21 PM, Roberto Ragusa wrote:
On 1/28/21 9:34 AM, Panu Matilainen wrote:
On 1/27/21 8:30 PM, Kevin Fenzi wrote:
SO, I don't really understand... Patrick says in the Change:
"The size of the rpmdb increases from 22952 to 28416 bytes, a 20%
increase. This is on an install size of
On 1/28/21 9:34 AM, Panu Matilainen wrote:
On 1/27/21 8:30 PM, Kevin Fenzi wrote:
SO, I don't really understand... Patrick says in the Change:
"The size of the rpmdb increases from 22952 to 28416 bytes, a 20%
increase. This is on an install size of 1.7GB in total, so this 5MB
increase is a 0.
On 1/27/21 8:30 PM, Kevin Fenzi wrote:
On Wed, Jan 27, 2021 at 10:48:46AM +0200, Panu Matilainen wrote:
On 1/26/21 8:44 PM, Kevin Fenzi wrote:
So, the thread here kind of fell quiet with everything else going on.
It seems clear there's issues to address here before this change might
get approv
On 27. 01. 21 19:30, Kevin Fenzi wrote:
On Wed, Jan 27, 2021 at 10:48:46AM +0200, Panu Matilainen wrote:
On 1/26/21 8:44 PM, Kevin Fenzi wrote:
So, the thread here kind of fell quiet with everything else going on.
It seems clear there's issues to address here before this change might
get appro
On Wed, Jan 27, 2021 at 10:48:46AM +0200, Panu Matilainen wrote:
> On 1/26/21 8:44 PM, Kevin Fenzi wrote:
> > So, the thread here kind of fell quiet with everything else going on.
> >
> > It seems clear there's issues to address here before this change might
> > get approved. Here's my list:
> >
On Wed, Jan 27, 2021 at 2:14 AM Pavel Raiskup wrote:
>
> On Tuesday, January 26, 2021 9:46:49 PM CET Neal Gompa wrote:
> > Yes. This is breaking *everything*. Regardless of whether the plugin
> > is installed, RPM now thinks the generated packages are invalid and
> > cannot do anything with them.
On Wed, Jan 27, 2021 at 10:48:46AM +0200, Panu Matilainen wrote:
> And this would be on EVERYBODY's database whether you use the
> feature or not, also slowing down every single rpm query somewhat as
> a whole lot more data has to be pulled from disk, and there's no way
> to get rid of the weight o
On 1/26/21 8:44 PM, Kevin Fenzi wrote:
So, the thread here kind of fell quiet with everything else going on.
It seems clear there's issues to address here before this change might
get approved. Here's my list:
* Try and change the storage format of the signatures to not take up
tons of room. I
On Tuesday, January 26, 2021 9:46:49 PM CET Neal Gompa wrote:
> Yes. This is breaking *everything*. Regardless of whether the plugin
> is installed, RPM now thinks the generated packages are invalid and
> cannot do anything with them. This has also broken package builds on
> COPR and the openSUSE B
On Tuesday, January 26, 2021 7:44:05 PM CET Kevin Fenzi wrote:
> * Get rpm updated at least in all Fedora's / active RHEL's to be able to
> handle rpms with the signatures. I don't know how likely this is for
> rhel7, but 8 and fedora 32 should hopefully not be hard.
Yes, no need to fix RHEL 7 --
On Tue, Jan 26, 2021, 3:47 PM Neal Gompa wrote:
> On Tue, Jan 26, 2021 at 3:44 PM Matthew Miller
> wrote:
> >
> > On Tue, Jan 26, 2021 at 10:44:05AM -0800, Kevin Fenzi wrote:
> > > * Try and change the storage format of the signatures to not take up
> > > tons of room. I guess this would be in i
On Tue, Jan 26, 2021 at 4:16 PM Matthew Miller wrote:
>
> On Tue, Jan 26, 2021 at 03:46:49PM -0500, Neal Gompa wrote:
> > > On Tue, Jan 26, 2021 at 10:44:05AM -0800, Kevin Fenzi wrote:
> > > > * Try and change the storage format of the signatures to not take up
> > > > tons of room. I guess this w
On Tue, Jan 26, 2021 at 03:46:49PM -0500, Neal Gompa wrote:
> > On Tue, Jan 26, 2021 at 10:44:05AM -0800, Kevin Fenzi wrote:
> > > * Try and change the storage format of the signatures to not take up
> > > tons of room. I guess this would be in ima tools and sigul?
> >
> > Is this an immediate issu
On Tue, Jan 26, 2021 at 3:44 PM Matthew Miller wrote:
>
> On Tue, Jan 26, 2021 at 10:44:05AM -0800, Kevin Fenzi wrote:
> > * Try and change the storage format of the signatures to not take up
> > tons of room. I guess this would be in ima tools and sigul?
>
> Is this an immediate issue given that
On Tue, Jan 26, 2021 at 10:44:05AM -0800, Kevin Fenzi wrote:
> * Try and change the storage format of the signatures to not take up
> tons of room. I guess this would be in ima tools and sigul?
Is this an immediate issue given that it only affects systems where the
plugin is enabled?
> * Get rpm
On Tue, Jan 26, 2021 at 10:44:05AM -0800, Kevin Fenzi wrote:
> So, the thread here kind of fell quiet with everything else going on.
>
> It seems clear there's issues to address here before this change might
> get approved. Here's my list:
>
> * Try and change the storage format of the signatur
On Tue, Jan 26, 2021 at 1:45 PM Kevin Fenzi wrote:
>
> It seems clear there's issues to address here before this change might
> get approved. Here's my list:
>
Given the schedule, it seems like this should be retargeted for F35.
I'm not sure if your list has that assumption in mind.
> * Get rpm u
So, the thread here kind of fell quiet with everything else going on.
It seems clear there's issues to address here before this change might
get approved. Here's my list:
* Try and change the storage format of the signatures to not take up
tons of room. I guess this would be in ima tools and si
On Thu, Jan 21, 2021 at 9:52 AM Kevin Kofler via devel <
devel@lists.fedoraproject.org> wrote:
> Patrick マルタインアンドレアス Uiterwijk wrote:
> > I'd like to point out that after many requests, I have updated the change
> > page for this significantly, with more details as to the goals (and
> > non-goal
On Di, 12.01.21 12:20, Brian C. Lane (b...@redhat.com) wrote:
> On Tue, Jan 05, 2021 at 01:05:01PM -0500, Ben Cotton wrote:
> > https://fedoraproject.org/wiki/Changes/Signed_RPM_Contents
> >
> > Note that this change was submitted after the deadline, but since it can be
> > shipped in an complete
On 1/22/21 1:33 AM, Matthew Miller wrote:
On Thu, Jan 21, 2021 at 03:16:47PM -0800, Kevin Fenzi wrote:
I defer to Patrick, but I think what he was trying to say is that if you
do not have the rpm-plugin-ima installed, nothing changes in the files
you are installing from rpm. They are exactly the
On Thu, Jan 21, 2021 at 03:16:47PM -0800, Kevin Fenzi wrote:
> I defer to Patrick, but I think what he was trying to say is that if you
> do not have the rpm-plugin-ima installed, nothing changes in the files
> you are installing from rpm. They are exactly the same as they would be
> if they were n
On Thu, Jan 21, 2021 at 11:25:30AM +0100, Roberto Ragusa wrote:
> On 1/21/21 12:29 AM, Patrick マルタインアンドレアス Uiterwijk wrote:
> > > https://fedoraproject.org/wiki/Changes/Signed_RPM_Contents
> > >
> >
> > I'd like to point out that after many requests, I have updated the change
> > page for this s
On Thu, Jan 21, 2021 at 12:50 PM Zbigniew Jędrzejewski-Szmek
wrote:
>
> On Wed, Jan 20, 2021 at 11:29:55PM -, Patrick マルタインアンドレアス Uiterwijk
> wrote:
> > > https://fedoraproject.org/wiki/Changes/Signed_RPM_Contents
> > >
> >
> > I'd like to point out that after many requests, I have updated
On Wed, Jan 20, 2021 at 11:29:55PM -, Patrick マルタインアンドレアス Uiterwijk wrote:
> > https://fedoraproject.org/wiki/Changes/Signed_RPM_Contents
> >
>
> I'd like to point out that after many requests, I have updated the change
> page for this significantly, with more details as to the goals (and
On Thu, Jan 21, 2021 at 9:51 AM Kevin Kofler via devel
wrote:
>
> Patrick マルタインアンドレアス Uiterwijk wrote:
> > I'd like to point out that after many requests, I have updated the change
> > page for this significantly, with more details as to the goals (and
> > non-goals) of this feature, and answers
On Wed, Jan 20, 2021 at 11:29:55PM -, Patrick マルタインアンドレアス Uiterwijk wrote:
> > https://fedoraproject.org/wiki/Changes/Signed_RPM_Contents
> >
>
> I'd like to point out that after many requests, I have updated the change
> page for this significantly, with more details as to the goals (and
On Thu, Jan 21, 2021 at 11:25:30AM +0100, Roberto Ragusa wrote:
> On 1/21/21 12:29 AM, Patrick マルタインアンドレアス Uiterwijk wrote:
> > On installation of two different VMs, one with the resigned RPMs, and one
> > with the resigned+ima RPMs, the /usr directory size does not change at all
> > (both are exac
* Patrick マルタインアンドレアス Uiterwijk:
>> https://fedoraproject.org/wiki/Changes/Signed_RPM_Contents
>>
>
> I'd like to point out that after many requests, I have updated the
> change page for this significantly, with more details as to the goals
> (and non-goals) of this feature, and answers to many
On Thu, Jan 21, 2021 at 10:50:52AM +0100, Kevin Kofler via devel wrote:
> Patrick マルタインアンドレアス Uiterwijk wrote:
> > I'd like to point out that after many requests, I have updated the change
> > page for this significantly, with more details as to the goals (and
> > non-goals) of this feature, and
On 1/21/21 12:29 AM, Patrick マルタインアンドレアス Uiterwijk wrote:
https://fedoraproject.org/wiki/Changes/Signed_RPM_Contents
I'd like to point out that after many requests, I have updated the change page
for this significantly, with more details as to the goals (and non-goals) of
this feature, and a
Patrick マルタインアンドレアス Uiterwijk wrote:
> I'd like to point out that after many requests, I have updated the change
> page for this significantly, with more details as to the goals (and
> non-goals) of this feature, and answers to many other questions asked.
Sorry, but these clarifications only mak
On Wed, Jan 20, 2021 at 11:29:55PM -, Patrick マルタインアンドレアス Uiterwijk wrote:
> > https://fedoraproject.org/wiki/Changes/Signed_RPM_Contents
> I'd like to point out that after many requests, I have updated the change
> page for this significantly, with more details as to the goals (and
> non-goa
On Wed, Jan 20, 2021 at 7:10 PM Miro Hrončok wrote:
>
> On 21. 01. 21 0:29, Patrick マルタインアンドレアス Uiterwijk wrote:
> >> https://fedoraproject.org/wiki/Changes/Signed_RPM_Contents
> >>
> >
> > I'd like to point out that after many requests, I have updated the change
> > page for this significantly,
On 21. 01. 21 0:29, Patrick マルタインアンドレアス Uiterwijk wrote:
https://fedoraproject.org/wiki/Changes/Signed_RPM_Contents
I'd like to point out that after many requests, I have updated the change page
for this significantly, with more details as to the goals (and non-goals) of
this feature, and an
> https://fedoraproject.org/wiki/Changes/Signed_RPM_Contents
>
I'd like to point out that after many requests, I have updated the change page
for this significantly, with more details as to the goals (and non-goals) of
this feature, and answers to many other questions asked.
Please have anothe
On Tue, Jan 12, 2021 at 8:22 PM Brian C. Lane wrote:
> On Tue, Jan 05, 2021 at 01:05:01PM -0500, Ben Cotton wrote:
> > https://fedoraproject.org/wiki/Changes/Signed_RPM_Contents
> >
> > Note that this change was submitted after the deadline, but since it can
> be
> > shipped in an complete state,
On Tue, Jan 12, 2021 at 8:21 PM Brian C. Lane wrote:
>
> On Tue, Jan 05, 2021 at 01:05:01PM -0500, Ben Cotton wrote:
> > https://fedoraproject.org/wiki/Changes/Signed_RPM_Contents
> >
> > Note that this change was submitted after the deadline, but since it can be
> > shipped in an complete state,
> >> > During signing builds, the files in it will be signed with IMA
> >> > signatures.. These signatures will be made with a key that’s kept by
> >> > the Fedora Infrastructure team, and installed on the sign vaults.
> >>
> >> What is the impact on RPM database size?
> >
> > They're stored in xa
On 12.01.2021 21:20, Brian C. Lane wrote:
Who is going to use this feature? My guess is a very limited set of
users, so it seems unfair to dramatically increase the size of their
downloads and install footprint to support something they don't use.
Can't they be shipped on the side? An rpm of sign
On Tue, Jan 05, 2021 at 01:05:01PM -0500, Ben Cotton wrote:
> https://fedoraproject.org/wiki/Changes/Signed_RPM_Contents
>
> Note that this change was submitted after the deadline, but since it can be
> shipped in an complete state, I am still processing it for Fedora 34.
>
>
> == Summary ==
> W
> * Peter Robinson:
>
>
> If the signatures end up in RPM headers, they will land in the RPM
> database, too.
>
> “rpm -qla | wc -l” shows around 28,589 files for me, in the Fedora 33
> container image. / seems to need 183 MiB right now. If the signatures
> land in the RPM database and the fil
* Colin Walters:
> I think the Change authors here trying to make it easier to enable IMA
> without the really awful hack of "boot up your installed system and
> run these shell scripts to sign", which is a laudable goal. Having
> pre-signed OS binaries would definitely help, but...in any kind of
Zbigniew Jędrzejewski-Szmek wrote:
> In more mundane words: a signature will be shipped in the rpm for each
> file separately? And what will be done with this signature on the
> destination machine: will it be kept in the rpms database or something
> more?
As I understand it, yes.
> What is the o
On 1/7/21 10:41 AM, Panu Matilainen wrote:
On 1/5/21 8:12 PM, Matthew Miller wrote:
On Tue, Jan 05, 2021 at 01:05:01PM -0500, Ben Cotton wrote:
We want to add signatures to individual files that are part of shipped RPMs.
This is for _every file_ in every RPM? Or some files in some RPMs?
Ev
On 1/5/21 8:12 PM, Matthew Miller wrote:
On Tue, Jan 05, 2021 at 01:05:01PM -0500, Ben Cotton wrote:
We want to add signatures to individual files that are part of shipped RPMs.
This is for _every file_ in every RPM? Or some files in some RPMs?
Every file in every RPM is the idea.
This come
On Tue, 2021-01-05 at 13:05 -0500, Ben Cotton wrote:
> == Benefit to Fedora ==
>
> Having all files signed with a verifiable key means that system
> owners can use the kernel Integrity and Measurement Architecture
> (IMA) to enforce only verified files can be executed, or define other
> policies.
Dne 05. 01. 21 v 20:01 Michel Alexandre Salim napsal(a):
> Is there any relation between this and fapolicyd, that seems to be
> developed mostly by Red Hat employees?
>
> https://github.com/linux-application-whitelisting/fapolicyd
And Swid?
https://copr.fedorainfracloud.org/coprs/adelton/swid/
-
On Wed, Jan 06, 2021 at 01:27:40AM +0100, Kevin Kofler via devel wrote:
> Ben Cotton wrote:
> > == Summary ==
> > We want to add signatures to individual files that are part of shipped
> > RPMs. These signatures will use the Linux IMA (Integrity Measurement
> > Architecture) scheme, which means the
Ben Cotton wrote:
> == Summary ==
> We want to add signatures to individual files that are part of shipped
> RPMs. These signatures will use the Linux IMA (Integrity Measurement
> Architecture) scheme, which means they can be used to enforce runtime
> policies to ensure execution of only trusted fi
On Tue, Jan 5, 2021, at 3:19 PM, Florian Weimer wrote:
> ... IMA seems to be pretty useless.
This is a complex and highly nuanced topic because IMA is both a mechanism and
a set of potential *policies* that one can use, and a whole lot depends on the
exact policy in use.
Like SELinux in that i
* Peter Robinson:
> On Tue, Jan 5, 2021 at 6:41 PM Florian Weimer wrote:
>>
>> * Ben Cotton:
>>
>> > During signing builds, the files in it will be signed with IMA
>> > signatures.. These signatures will be made with a key that’s kept by
>> > the Fedora Infrastructure team, and installed on the
On Tue, Jan 5, 2021 at 6:59 PM Neal Gompa wrote:
>
> On Tue, Jan 5, 2021 at 1:51 PM Kevin Fenzi wrote:
> >
> > On Tue, Jan 05, 2021 at 01:38:48PM -0500, Neal Gompa wrote:
> > >
> > > While having IMA is nice, can we *please* have repodata signing too?
> >
> > Why? It gets us nothing really... add
On Tue, Jan 5, 2021 at 6:41 PM Florian Weimer wrote:
>
> * Ben Cotton:
>
> > During signing builds, the files in it will be signed with IMA
> > signatures.. These signatures will be made with a key that’s kept by
> > the Fedora Infrastructure team, and installed on the sign vaults.
>
> What is th
On Tue, Jan 5, 2021 at 6:39 PM Neal Gompa wrote:
>
> On Tue, Jan 5, 2021 at 1:05 PM Ben Cotton wrote:
> >
> > https://fedoraproject.org/wiki/Changes/Signed_RPM_Contents
> >
> > Note that this change was submitted after the deadline, but since it can be
> > shipped in an complete state, I am stil
On Tue, Jan 5, 2021 at 1:39 PM Neal Gompa wrote:
>
> On Tue, Jan 5, 2021 at 1:05 PM Ben Cotton wrote:
> >
> > https://fedoraproject.org/wiki/Changes/Signed_RPM_Contents
> >
> > Note that this change was submitted after the deadline, but since it can be
> > shipped in an complete state, I am stil
On Tue, 2021-01-05 at 13:05 -0500, Ben Cotton wrote:
> https://fedoraproject.org/wiki/Changes/Signed_RPM_Contents
>
> Note that this change was submitted after the deadline, but since it
> can be shipped in an complete state, I am still processing it for
> Fedora 34.
>
>
> == Summary ==
> We wan
On Tue, Jan 5, 2021 at 1:51 PM Kevin Fenzi wrote:
>
> On Tue, Jan 05, 2021 at 01:38:48PM -0500, Neal Gompa wrote:
> >
> > While having IMA is nice, can we *please* have repodata signing too?
>
> Why? It gets us nothing really... adds complexity and issues.
>
And IMA has the same problem. IMA is w
On Tue, Jan 05, 2021 at 01:38:48PM -0500, Neal Gompa wrote:
>
> While having IMA is nice, can we *please* have repodata signing too?
Why? It gets us nothing really... adds complexity and issues.
We would definiltey need to improve dnf's handling of signed repos
before we did at least.
kevin
On Tue, Jan 05, 2021 at 07:41:05PM +0100, Florian Weimer wrote:
> Will GPLv3 packages be excluded, or will the signing keys be provided
> upon request?
https://www.gnu.org/licenses/gpl-faq.en.html#GiveUpKeys
Q: I use public key cryptography to sign my code to assure its
authenticity. I
* Ben Cotton:
> During signing builds, the files in it will be signed with IMA
> signatures.. These signatures will be made with a key that’s kept by
> the Fedora Infrastructure team, and installed on the sign vaults.
What is the impact on RPM database size?
Will GPLv3 packages be excluded, or
On Tue, Jan 5, 2021, at 1:05 PM, Ben Cotton wrote:
>
> https://fedoraproject.org/wiki/Changes/Signed_RPM_Contents
There's a bunch of related discussion in
https://github.com/coreos/rpm-ostree/issues/1883
I think probably rather than having RPMs *also* include IMA signatures by
default it'd b
On Tue, Jan 5, 2021 at 1:05 PM Ben Cotton wrote:
>
> https://fedoraproject.org/wiki/Changes/Signed_RPM_Contents
>
> Note that this change was submitted after the deadline, but since it can be
> shipped in an complete state, I am still processing it for Fedora 34.
>
>
> == Summary ==
> We want to
On Tue, Jan 05, 2021 at 01:05:01PM -0500, Ben Cotton wrote:
> We want to add signatures to individual files that are part of shipped RPMs.
This is for _every file_ in every RPM? Or some files in some RPMs?
--
Matthew Miller
Fedora Project Leader
___
https://fedoraproject.org/wiki/Changes/Signed_RPM_Contents
Note that this change was submitted after the deadline, but since it can be
shipped in an complete state, I am still processing it for Fedora 34.
== Summary ==
We want to add signatures to individual files that are part of shipped RPMs.
67 matches
Mail list logo
