From: Mark Wielaard <mark@klomp.org>
To: "Frank Ch. Eigler" <fche@redhat.com>
Cc: elfutils-devel@sourceware.org, amerey@redhat.com
Subject: Re: patch 2/2 debuginfod server etc.
Date: Wed, 20 Nov 2019 11:53:00 -0000 [thread overview]
Message-ID: <7f1273e6dbfd52b95e9f8e86f6096fe46e800745.camel@klomp.org> (raw)
In-Reply-To: <20191119211503.GF4911@redhat.com>
On Tue, 2019-11-19 at 16:15 -0500, Frank Ch. Eigler wrote:
> Hi -
>
>
> > [...] What I want is simply make it easy for the user to say where
> > they expect the sources are. So there is no surprises.
>
> If this were a mandate, it would be a hassle, for any build that's
> more than one directory wide.
It wouldn't be mandatory. It just wouldn't be the default.
> > > The compiled-in default for the binary is off. The systemd service
> > > default, it happens to be on, but it's configured to serve only
> > > privileged directories that people with bad compilers cannot sneak
> > > binaries into. People running personal servers can/should use -F as
> > > they see fit. In the context of a normal workgroup - it's fine.
> >
> > So -F seems fine for the later, just not for the former.
>
> IMHO, even the former seems okay and even desirable:
>
> debuginfod -F /usr/lib/debug
>
> is a safe & easy way to relay the contents of all the debuginfo rpms
> that were installed, to nearby clients. All those binaries come from
> packages/distros, so are at least as high quality & trustworthiness as
> the user's own. Again I offer to do an audit of some distro debuginfo
> that all their source refs are milquetoast like /usr/include or
> /usr/src/debug.
Sure, you could use that if you wanted to share your whole build/source
trees and don't mind serving any other files on some local network. I
just think it shouldn't be the default. If you go look for odd paths in
.debug files you probably will find them. We already know some builds
generate and/or build files in /tmp or outside the src/builddir.
I'll look to see what is necessary to make sure none of those leak out
by default.
> > > System certs do not serve to authenticate clients. Client
> > > certificates are per-user things that come with their own management
> > > headaches. Will think about authentication matters in the future.
> >
> > I thought ca-certificates.crt were normally used to authenticate
> > remote servers.
>
> ca-certificates.crt types of files (or /usr/share/pki/ files) are the
> trust roots for validating the *servers'* certificates. They are
> generally provided by the distro, so can't possibly serve as unique
> *client* authentication.
I think we are talking past each other here. I am not really interested
in "client certificates". I am simply interested in knowing what is
done for outgoing https connections to be authenticated. What would it
take to use the trust roots for validating the server certificates?
Thanks,
Mark
next prev parent reply other threads:[~2019-11-20 11:53 UTC|newest]
Thread overview: 78+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-10-28 19:04 patch 0/2 debuginfod submission Frank Ch. Eigler
2019-10-28 19:06 ` patch 1/2 debuginfod client Frank Ch. Eigler
2019-10-28 19:09 ` patch 2/2 debuginfod server etc Frank Ch. Eigler
2019-11-04 21:48 ` patch 3/3 debuginfod client interruptability Frank Ch. Eigler
2019-11-07 9:07 ` patch 4 debuginfod: symlink following mode Frank Ch. Eigler
2019-11-07 9:08 ` patch 5 debuginfod: prometheus metrics Frank Ch. Eigler
2019-11-15 17:26 ` Mark Wielaard
2019-11-15 17:58 ` Frank Ch. Eigler
2019-11-18 16:20 ` Mark Wielaard
2019-11-18 16:48 ` Frank Ch. Eigler
2019-11-19 16:13 ` Mark Wielaard
2019-11-15 16:49 ` patch 4 debuginfod: symlink following mode Mark Wielaard
2019-11-15 18:31 ` Frank Ch. Eigler
2019-11-18 16:27 ` Mark Wielaard
2019-11-15 16:16 ` patch 3/3 debuginfod client interruptability Mark Wielaard
2019-11-15 17:03 ` Aaron Merey
2019-11-15 17:35 ` Mark Wielaard
2019-11-15 18:14 ` Pedro Alves
2019-11-17 23:44 ` Mark Wielaard
2019-11-18 2:50 ` Frank Ch. Eigler
2019-11-18 9:24 ` Pedro Alves
2019-11-19 12:58 ` Mark Wielaard
2019-11-13 17:22 ` patch 2/2 debuginfod server etc Mark Wielaard
2019-11-14 11:54 ` Frank Ch. Eigler
2019-11-16 1:31 ` Mark Wielaard
2019-11-13 23:19 ` Mark Wielaard
2019-11-14 12:30 ` Frank Ch. Eigler
2019-11-18 14:17 ` Mark Wielaard
2019-11-18 18:41 ` Frank Ch. Eigler
2019-11-19 15:41 ` Mark Wielaard
2019-11-19 16:13 ` Frank Ch. Eigler
2019-11-19 20:11 ` Mark Wielaard
2019-11-19 21:15 ` Frank Ch. Eigler
2019-11-20 11:53 ` Mark Wielaard [this message]
2019-11-20 12:29 ` Frank Ch. Eigler
2019-11-21 14:16 ` Mark Wielaard
2019-11-21 15:40 ` Mark Wielaard
2019-11-21 16:01 ` Frank Ch. Eigler
2019-11-21 15:58 ` Frank Ch. Eigler
2019-11-21 16:37 ` Mark Wielaard
2019-11-21 17:18 ` Frank Ch. Eigler
2019-11-21 20:42 ` Mark Wielaard
2019-11-22 12:08 ` Mark Wielaard
2019-11-14 20:45 ` Mark Wielaard
2019-11-15 11:03 ` Mark Wielaard
2019-11-15 21:00 ` Frank Ch. Eigler
2019-11-18 15:01 ` Mark Wielaard
2019-11-15 14:40 ` Mark Wielaard
2019-11-15 19:54 ` Frank Ch. Eigler
2019-11-18 15:31 ` Mark Wielaard
2019-11-18 15:49 ` Frank Ch. Eigler
2019-11-12 11:12 ` patch 1/2 debuginfod client Mark Wielaard
2019-11-12 15:14 ` Frank Ch. Eigler
2019-11-12 21:59 ` Mark Wielaard
2019-11-14 0:33 ` Frank Ch. Eigler
2019-11-15 21:33 ` Mark Wielaard
2019-11-12 21:25 ` Mark Wielaard
2019-11-13 23:25 ` Frank Ch. Eigler
2019-11-16 0:46 ` Mark Wielaard
2019-11-16 18:53 ` Frank Ch. Eigler
2019-11-18 17:17 ` Mark Wielaard
2019-11-18 20:33 ` Frank Ch. Eigler
2019-11-19 15:57 ` Mark Wielaard
2019-11-19 16:20 ` Frank Ch. Eigler
2019-11-19 20:16 ` Mark Wielaard
2019-11-19 21:22 ` Frank Ch. Eigler
2019-11-20 12:50 ` Mark Wielaard
2019-11-20 13:30 ` Frank Ch. Eigler
2019-11-21 14:02 ` Mark Wielaard
2019-11-13 13:57 ` Mark Wielaard
2019-11-14 11:24 ` Frank Ch. Eigler
2019-11-16 0:52 ` Mark Wielaard
2019-11-16 2:28 ` Frank Ch. Eigler
2019-10-30 11:04 ` patch 0/2 debuginfod submission Mark Wielaard
2019-10-30 13:40 ` Frank Ch. Eigler
2019-10-30 14:12 ` Mark Wielaard
2019-10-30 18:11 ` Frank Ch. Eigler
2019-10-31 11:18 ` Mark Wielaard
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=7f1273e6dbfd52b95e9f8e86f6096fe46e800745.camel@klomp.org \
--to=mark@klomp.org \
--cc=amerey@redhat.com \
--cc=elfutils-devel@sourceware.org \
--cc=fche@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).