On Sun, Dec 26, 2021 at 1:10 AM Dan Čermák
<dan.cermak(a)cgc-instruments.com> wrote:
> Ben Cotton <bcotton(a)redhat.com> writes:
>
> *snip*
>
> > It will also make Fedora able to detect tampering of its components at
> > a more privileged level, the kernel, without the interference of user
> > space programs. Once tampering has been detected, the actions of the
> > altered component are prevented before that component gets the chance
> > to perform any action. Fedora could be configured to also allow the
> > usage of components provided by the user, if he wishes to do so
> > (DIGLIM has a tool to build custom digest lists).
>
> How would that look in practice? Will a user just get a message in the
> journal?
>
> > == Upgrade/compatibility impact ==
> > The user should ensure that software (not updated) from the old
> > distribution is packaged and the package header is signed, or he
> > should create and sign a custom digest list for the software he wishes
> > to use after the upgrade.
>
> Uhm, so locally/manually installed software (i.e. not signed by Fedora's
> signkeys) will silently break when switching to F36? How about 3rd party
> repositories?

It wouldn't be the first time software has been deliberately broken by
well-intended kernel security changes. Remember when systemd decided
to cancel all backgrounded processes belonging to a user when they logged
out, breaking "screen" and "tux", with no record of killing the jobs
whatsoever? Fortunately, people screamed pretty hard about that one.

Nico Kadel-Garcia

> Cheers,
>
> Dan