From: "mark at klomp dot org" <sourceware-bugzilla@sourceware.org>
To: elfutils-devel@sourceware.org
Subject: [Bug debuginfod/28204] extend webapi / verification with forthcoming signed-contents archives
Date: Thu, 17 Aug 2023 15:39:25 +0000 [thread overview]
Message-ID: <bug-28204-10460-cS6IqmhTv4@http.sourceware.org/bugzilla/> (raw)
In-Reply-To: <bug-28204-10460@http.sourceware.org/bugzilla/>
https://sourceware.org/bugzilla/show_bug.cgi?id=28204
--- Comment #20 from Mark Wielaard <mark at klomp dot org> ---
(In reply to Frank Ch. Eigler from comment #18)
> > Doesn't that give a false sense of "security"?
> > It still rejects some stuff, but doesn't really protect against "falsifying"
> > files, all a server has to do is not provide an IMA
>
> Yes, but trusted servers won't just do that.
But isn't the idea of checking the IMA signatures that you don't have to trust
the server providing the debuginfo files as the distro intended them?
> > If it is just to see what would happen if enabling ima file checking, then
> > it probably shouldn't reject anything. In that case it should warn for both
> > missing and invalid signatures, but still accept them.
>
> The difference between missing and invalid is that the latter is KNOWN bad.
> An invalid signature is evidence that the file has a problem.
And a missing signature is UNKNOWN bad?
So both are bad in some way. Which imho means that if we support some kind of
permissive mode, then it should explicitly warn for both kind of baddness.
--
You are receiving this mail because:
You are on the CC list for the bug.
next prev parent reply other threads:[~2023-08-17 15:39 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-06 21:11 [Bug debuginfod/28204] New: " fche at redhat dot com
2021-08-12 18:13 ` [Bug debuginfod/28204] " fche at redhat dot com
2021-08-26 20:53 ` mark at klomp dot org
2021-09-08 11:26 ` fche at redhat dot com
2022-06-10 17:19 ` fche at redhat dot com
2022-07-13 19:44 ` rgoldber at redhat dot com
2022-07-14 16:32 ` fche at redhat dot com
2022-07-27 14:52 ` mark at klomp dot org
2022-08-04 19:45 ` rgoldber at redhat dot com
2022-10-20 21:10 ` mark at klomp dot org
2022-10-20 23:11 ` mark at klomp dot org
2023-07-06 19:49 ` rgoldber at redhat dot com
2023-07-23 21:05 ` mark at klomp dot org
2023-07-23 21:07 ` mark at klomp dot org
2023-07-23 21:08 ` mark at klomp dot org
2023-07-23 21:57 ` mark at klomp dot org
2023-07-23 22:23 ` mark at klomp dot org
2023-07-31 14:27 ` rgoldber at redhat dot com
2023-08-02 16:37 ` mark at klomp dot org
2023-08-07 17:04 ` fche at redhat dot com
2023-08-09 18:17 ` rgoldber at redhat dot com
2023-08-17 15:39 ` mark at klomp dot org [this message]
2023-08-17 16:25 ` rgoldber at redhat dot com
2023-08-25 15:00 ` mark at klomp dot org
2023-08-25 15:21 ` rgoldber at redhat dot com
2023-08-25 15:24 ` mark at klomp dot org
2023-08-25 16:43 ` mark at klomp dot org
2023-08-26 22:25 ` mark at klomp dot org
2023-08-28 14:40 ` rgoldber at redhat dot com
2023-08-29 13:09 ` mark at klomp dot org
2024-06-03 15:28 ` fche at redhat dot com
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=bug-28204-10460-cS6IqmhTv4@http.sourceware.org/bugzilla/ \
--to=sourceware-bugzilla@sourceware.org \
--cc=elfutils-devel@sourceware.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).