From mboxrd@z Thu Jan 1 00:00:00 1970
Received: by sourceware.org (Postfix, from userid 48) id 6F7553858D33; Mon, 28 Aug 2023 14:40:04 +0000 (GMT)
From: "rgoldber at redhat dot com"
To: elfutils-devel@sourceware.org
Subject: [Bug debuginfod/28204] extend webapi / verification with forthcoming signed-contents archives
Date: Mon, 28 Aug 2023 14:40:04 +0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: elfutils
X-Bugzilla-Component: debuginfod
X-Bugzilla-Version: unspecified
X-Bugzilla-Severity: normal
X-Bugzilla-Who: rgoldber at redhat dot com
X-Bugzilla-Status: ASSIGNED
X-Bugzilla-Priority: P2
X-Bugzilla-Assigned-To: rgoldber at redhat dot com
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-URL: http://sourceware.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"

https://sourceware.org/bugzilla/show_bug.cgi?id=28204

--- Comment #27 from Ryan Goldberg ---
(In reply to Mark Wielaard from comment #24)
> BTW. How does this interact with the "section" queries?

Since these aren't IMA verifiable anyways wdyt of just skipping verification altogether (i.e. treat that query in the same way as the ignore policy)

Tweaking the above to something like:

2008   if(NULL != url_ima_policies && ignore != url_ima_policies[committed_to] && NULL == section)
         {
           ...
         }

(In reply to Mark Wielaard from comment #25)
> Includes an "undefined" policy?

Just used internally when parsing DEBUGINFOD_URLS

> Is the k += DATA_SIZE correct? Can't pread return an n < DATA_SIZE?

Fixed

> If the cert_paths = strdup (...) fails cert_paths gets assigned a static string?

Fixed

(In reply to Mark Wielaard from comment #26)
> If we have a permissive mode then I think it should work like the selinux
> permissive mode.
> That is, it should always check the signature, but instead of failing with
> EPERM, it should always produce a warning (whether or not we are in verbose
> mode or not).

I would be ok with this kind of permissive mode
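
Added example, not part of the message above and not the elfutils code: the short-read question from comment #25 (whether `k += DATA_SIZE` is right when pread returns n < DATA_SIZE), shown as a chunked read loop that advances by the byte count pread actually returned. The DATA_SIZE value, the helper names and the FNV-1a stand-in digest are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#define DATA_SIZE 4096  /* assumed chunk size; the thread does not state it */

/* Hypothetical helper: FNV-1a (a stand-in for the real digest) over a whole
   file read in DATA_SIZE chunks.  Returns bytes consumed, or -1 on error. */
static off_t digest_fd (int fd, uint64_t *digest)
{
  unsigned char buf[DATA_SIZE];
  uint64_t h = 0xcbf29ce484222325ULL;
  off_t k = 0;
  for (;;) {
    ssize_t n = pread (fd, buf, sizeof buf, k);
    if (n < 0 && errno == EINTR) continue;  /* interrupted: retry same offset */
    if (n < 0) return -1;                   /* real I/O error */
    if (n == 0) break;                      /* end of file */
    for (ssize_t i = 0; i < n; i++) h = (h ^ buf[i]) * 0x100000001b3ULL;
    k += n;  /* advance by what was read; k += DATA_SIZE overshoots a short read */
  }
  *digest = h;
  return k;
}

/* Constructed sample input: an unlinked temp file of len patterned bytes. */
static int make_sample (size_t len)
{
  char path[] = "/tmp/pread-demo-XXXXXX";
  int fd = mkstemp (path);
  if (fd < 0) return -1;
  unlink (path);
  for (size_t i = 0; i < len; i++) {
    unsigned char c = (unsigned char) (i * 31 + 7);
    if (write (fd, &c, 1) != 1) { close (fd); return -1; }
  }
  return fd;
}

int main (void)
{
  uint64_t d = 0;
  int fd = make_sample (2 * DATA_SIZE + 123);  /* last chunk is short */
  off_t n = fd < 0 ? -1 : digest_fd (fd, &d);
  printf ("%lld bytes, digest %016llx\n", (long long) n, (unsigned long long) d);
  return n < 0;
}
```

The sample file is deliberately not a multiple of DATA_SIZE, so the final pread returns 123 bytes and only those bytes enter the digest.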