Hi Ken,

On February 14, 2022 5:10:41 PM UTC, Ken Dreyer <ktdreyer(a)ktdreyer.com> wrote:
> Hi folks,
>
> I've been researching IMA signing with RPM. This is a new feature in
> CentOS 9 that has not been enabled in Fedora.
>
> I'm not an IMA expert, and I don't work on this for Red Hat, I'm just
> an interested user. (In particular, I'm interested in how our build
> systems track signatures, and how those get passed along the rest of
> the pipeline.)
>
> I'm finding there's no simple "guide to RPM and IMA" where I might
> contribute further documentation, so for now I've posted my notes and
> code to
> https://github.com/ktdreyer/ima
>
> It would be great to build some sort of documentation site that
> explains this stuff, but it's unclear to me what is the RPM team's
> responsibility vs other teams, etc. See
> https://github.com/rpm-software-management/rpm-web/issues/28 for
> example - RPM has a new "FILESIGNATURES" header, but no docs for that.
>
> What's a better place for this documentation to live?

I suppose that the RPM specifics should go into RPM's documentation. And everything
else that covers the Fedora bits and pieces, like copr, koji, pungi, etc., should go to
docs.fedoraproject.org.

Cheers,
Dan