Hi Aaron,
On Thu, 2024-05-09 at 13:56 -0400, Aaron Merey wrote:
> I know there's already been a lot of discussion re. ima:permissive and
> I'm weighing in rather late, but FWIW I do support including it.
> Currently individual ELF sections cannot be downloaded when
> ima:enforcing is active. With

Hi Frank,
I've pointed out a couple nits below, but otherwise the patch LGTM.
I've also attached a diff for handling DEBUGINFOD_IMA_CERT_PATH in
profile.fish.in that should apply on top of this patch.
I know there's already been a lot of discussion re. ima:permissive and
I'm weighing in rather la

Hi -
On Tue, Apr 16, 2024 at 06:15:00PM -0400, Frank Ch. Eigler wrote:
> The following is the candidate patch for the basic functionality.
> It's been corrected for whitespace & error codes, given more complete
> docs and commit message. See also the users/fche/try-bz2824f branch.
> [...]
ping

Hi -
The following is the candidate patch for the basic functionality.
It's been corrected for whitespace & error codes, given more complete
docs and commit message. See also the users/fche/try-bz2824f branch.
debuginfod: PR28204 - RPM IMA per-file signature verification
Recent ver

Hi -
> > IOW, without a "permissive" mode being available at all, we could not
> > ask users to enable this new code at all for our own federated
> > servers, nor even for fedora. That's because no server can guarantee
> > the availability of signatures for all content they can serve.
>
> I don'

Hi Frank,
On Wed, Apr 10, 2024 at 05:01:36PM -0400, Frank Ch. Eigler wrote:
> > > - to drop "permissive" mode
> >
> > We discussed a bit on irc about "wording". But I think it isn't really
> > how it is worded, but that there are just different features. What is
> > called "enforcing" is an authen

Hi, Mark -
> > - to drop "permissive" mode
>
> We discussed a bit on irc about "wording". But I think it isn't really
> how it is worded, but that there are just different features. What is
> called "enforcing" is an authenticity scheme. While "permissive" is
> more like an (optional) error-detec

Hi Frank,
On Wed, 2024-04-03 at 17:04 -0400, Frank Ch. Eigler wrote:
> The following raw diff reworks this long-blocked patch to overcome
> these three objections last fall:
>
> - to drop "permissive" mode
We discussed a bit on irc about "wording". But I think it isn't really
how it is worded, b

Hi -
The following raw diff reworks this long-blocked patch to overcome
these three objections last fall:
- to drop "permissive" mode
- to stop redistributing published distro ima certificates
- to not use libimaevm.so (due to concurrency / licensing concerns)
This is a raw diff only. I'll be p