Hi Aaron,
On Thu, 2024-05-09 at 13:56 -0400, Aaron Merey wrote:
> I know there's already been a lot of discussion re. ima:permissive and
> I'm weighing in rather late, but FWIW I do support including it.
> Currently individual ELF sections cannot be downloaded when
> ima:enforcing is active. With
Hi Frank,
I've pointed out a couple nits below, but otherwise the patch LGTM.
I've also attached a diff for handling DEBUGINFOD_IMA_CERT_PATH in
profile.fish.in that should apply on top of this patch.
I know there's already been a lot of discussion re. ima:permissive and
I'm weighing in rather la
Hi -
On Tue, Apr 16, 2024 at 06:15:00PM -0400, Frank Ch. Eigler wrote:
> The following is the candidate patch for the basic functionality.
> It's been corrected for whitespace & error codes, given more complete
> docs and commit message. See also the users/fche/try-bz2824f branch.
> [...]
ping
Hi -
The following is the candidate patch for the basic functionality.
It's been corrected for whitespace & error codes, given more complete
docs and commit message. See also the users/fche/try-bz2824f branch.
debuginfod: PR28204 - RPM IMA per-file signature verification
Recent ver
Hi -
> > IOW, without a "permissive" mode being available at all, we could not
> > ask users to enable this new code at all for our own federated
> > servers, nor even for fedora. That's because no server can guarantee
> > the availability of signatures for all content they can serve.
>
> I don'
Hi Frank,
On Wed, Apr 10, 2024 at 05:01:36PM -0400, Frank Ch. Eigler wrote:
> > > - to drop "permissive" mode
> >
> > We discussed a bit on IRC about "wording". But I think it isn't really
> > how it is worded, but that there are just different features. What is
> > called "enforcing" is an authen
Hi, Mark -
> > - to drop "permissive" mode
>
> We discussed a bit on IRC about "wording". But I think it isn't really
> how it is worded, but that there are just different features. What is
> called "enforcing" is an authenticity scheme. While "permissive" is
> more like an (optional) error-detec
Hi Frank,
On Wed, 2024-04-03 at 17:04 -0400, Frank Ch. Eigler wrote:
> The following raw diff reworks this long-blocked patch to overcome
> these three objections last fall:
>
> - to drop "permissive" mode
We discussed a bit on IRC about "wording". But I think it isn't really
how it is worded, b
Hi -
The following raw diff reworks this long-blocked patch to overcome
these three objections last fall:
- to drop "permissive" mode
- to stop redistributing published distro ima certificates
- to not use libimaevm.so (due to concurrency / licensing concerns)
This is a raw diff only. I'll be p
Hi Frank,
On Tue, 2023-11-14 at 11:45 -0500, Frank Ch. Eigler wrote:
> > >\fIima:optimistic\fP Every downloaded file with a known-invalid
> > >signature is rejected, protecting against some types of corruption.
> >
> > I like this wording more. But maybe it would be helpful to split the
>
Hi -
> >\fIima:optimistic\fP Every downloaded file with a known-invalid
> >signature is rejected, protecting against some types of corruption.
>
> I like this wording more. But maybe it would be helpful to split the
> patch into one that implements ima:enforcing and another that adds the
Hi Frank,
On Tue, 2023-10-31 at 11:46 -0400, Frank Ch. Eigler wrote:
> > My point is really that posting with git format-patch or send-email
> > makes it possible for someone to simply use git am, b4 or git pw to try
> > out a patch. If the patch doesn't apply then that will be the first
> > revie
Hi, Mark -
> > Considering how easily the trybots can process the actual code - and
> > have done so before posting the patch for review - we can consider
> > some CI well done already. After approval but before merge, it would
> > undergo another round of trybotting. With such workflow, patchw
Hi Frank,
On Fri, 2023-10-27 at 15:15 -0400, Frank Ch. Eigler wrote:
> > > I would not expect the emailed patch to apply, esp. with all the other
> > > work done in the intermediate months, which is why the code is also in
> > > the git branch. The binary files do not seem effectively reviewable
Hi -
> > I would not expect the emailed patch to apply, esp. with all the other
> > work done in the intermediate months, which is why the code is also in
> > the git branch. The binary files do not seem effectively reviewable
> > anyway.
>
> It would be really convenient though. And modern git
Hi Frank,
On Tue, Oct 24, 2023 at 09:27:43AM -0400, Frank Ch. Eigler wrote:
> > BTW. The diff doesn't show the newly added binary files. So the patch
> > cannot be applied. Please use git send-email or git format-patch for
> > that.
>
> I would not expect the emailed patch to apply, esp. with all
Hi,
Continued review...
On Thu, 2023-09-07 at 08:55 -0400, Frank Ch. Eigler via Elfutils-devel
wrote:
> diff --git a/debuginfod/debuginfod.cxx b/debuginfod/debuginfod.cxx
> index d72d2ad16960..8c3298586672 100644
> --- a/debuginfod/debuginfod.cxx
> +++ b/debuginfod/debuginfod.cxx
> @@ -113,6 +113
Hi -
Thanks for the review.
> [...]
> BTW. The diff doesn't show the newly added binary files. So the patch
> cannot be applied. Please use git send-email or git format-patch for
> that.
I would not expect the emailed patch to apply, esp. with all the other
work done in the intermediate months,
Hi Frank,
On Thu, Sep 07, 2023 at 08:55:10AM -0400, Frank Ch. Eigler via Elfutils-devel
wrote:
> Here's a squashed/rebased version of the big IMA patch. I also
> tweaked a few documentation oriented bits, and removed the
> "ima:default" tag.
Thanks. Sorry the reviews take so long. But it is a b
Hi -
Here's a squashed/rebased version of the big IMA patch. I also
tweaked a few documentation oriented bits, and removed the
"ima:default" tag.
commit 4e45a08aee42958298a3fad6043cbf96243d13a5 (HEAD ->
users/fche/try-bz28204, origin/users/fche/try-bz28204)
Author: Ryan Goldberg
Date: Mon A
20 matches