[Bug debuginfod/32314] Profile script in elfutils-debuginfod-client throws error on login

2024-10-28 Thread amerey at redhat dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=32314

Aaron Merey changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |amerey at redhat dot com

--- Comment #1 from Aaron Merey ---
Thanks for the bug reports. The directories referenced by
DEBUGINFOD_IMA_CERT_PATH are meant to hold DER or PEM formatted certificates /
public keys for IMA verification. Fedora's documentation on this feature is a
work in progress but some details can be found here:
https://fedoraproject.org/wiki/Changes/Signed_RPM_Contents

Someone else posted a simple fix for this issue, does this work for you:
https://sourceware.org/pipermail/elfutils-devel/2024q4/007580.html

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug debuginfod/32318] New: client should avoid url duplication for different ima:FOO modes

2024-10-28 Thread fche at redhat dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=32318

            Bug ID: 32318
           Summary: client should avoid url duplication for different
                    ima:FOO modes
           Product: elfutils
           Version: unspecified
            Status: NEW
          Severity: normal
          Priority: P2
         Component: debuginfod
          Assignee: unassigned at sourceware dot org
          Reporter: fche at redhat dot com
                CC: elfutils-devel at sourceware dot org
  Target Milestone: ---

Even with IMA stuff going into debuginfod/-client in 0.192ish, we can't in good
conscience enable ima:enforcing as a mode for fedora.  That's because it's
possibly risky: breaking some downloads if anything's wrong with the signature
data over at the server archive, which could happen due to build system
inconsistencies or other unknown factors.  (We don't have a census.)

So in the absence of that certainty, an ima:permissive mode like bug #31842
pleads for could do the job.  In the absence of that mode, this would be a way
of emulating it:

DEBUGINFOD_URLS="ima:enforcing https://debuginfod.fedoraproject.org ima:ignore https://debuginfod.fedoraproject.org";

but the debuginfod client code duplicate-eliminates the two occurrences of
the same URL, defeating the purpose.  So we need to get the client code to
consider ima mode when dupe eliminating.  Let's track this change here.

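Added example, not part of the original report and not elfutils code: a simplified C model of the duplicate elimination described in bug 32318. It shows that keying on the URL alone leaves only the ima:enforcing attempt, while keying on the (mode, URL) pair keeps the ima:ignore fallback. The function and type names, the default mode, and the first-occurrence-wins rule are assumptions of the model.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model, not elfutils code: an "ima:MODE" token sets the policy
   for the URLs that follow it; the default mode is assumed to be ignore. */
enum ima_mode { IMA_IGNORE, IMA_ENFORCING };
struct attempt { char url[128]; enum ima_mode mode; };

/* key_on_mode == 0: dedupe on URL alone (what the report describes).
   key_on_mode == 1: dedupe on the (mode, URL) pair (what it asks for).
   Returns the number of download attempts written to out[]. */
static int plan_attempts (const char *urls, int key_on_mode,
                          struct attempt *out, int max)
{
  char buf[512];
  enum ima_mode mode = IMA_IGNORE;
  int n = 0;

  snprintf (buf, sizeof buf, "%s", urls);
  for (char *tok = strtok (buf, " "); tok != NULL; tok = strtok (NULL, " "))
    {
      if (strcmp (tok, "ima:enforcing") == 0) { mode = IMA_ENFORCING; continue; }
      if (strcmp (tok, "ima:ignore") == 0) { mode = IMA_IGNORE; continue; }
      int dup = 0;
      for (int i = 0; i < n && !dup; i++)
        dup = strcmp (out[i].url, tok) == 0
              && (!key_on_mode || out[i].mode == mode);
      if (dup || n == max)
        continue;   /* already planned, or no room left in out[] */
      snprintf (out[n].url, sizeof out[n].url, "%s", tok);
      out[n++].mode = mode;
    }
  return n;
}

int main (void)
{
  /* The DEBUGINFOD_URLS value from the report above. */
  const char *urls = "ima:enforcing https://debuginfod.fedoraproject.org "
                     "ima:ignore https://debuginfod.fedoraproject.org";
  struct attempt a[8];
  for (int k = 0; k <= 1; k++)
    {
      int n = plan_attempts (urls, k, a, 8);
      printf ("key_on_mode=%d: %d attempt(s)\n", k, n);
      for (int i = 0; i < n; i++)
        printf ("  %-9s %s\n", a[i].mode ? "enforcing" : "ignore", a[i].url);
    }
  return 0;
}
```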