Fedora 36 May Support FS-VERITY Integrity/Authenticity Verification For RPMs

  • Fedora 36 May Support FS-VERITY Integrity/Authenticity Verification For RPMs

    Phoronix: Fedora 36 May Support FS-VERITY Integrity/Authenticity Verification For RPMs

    Fedora 36 may support using the Linux kernel's fs-verity code for allowing some interesting integrity and authenticity use-cases around RPM packages...

    https://www.phoronix.com/scan.php?pa...FS-VERITY-RPMs

  • #2
    Am I missing something or can't you just use ZFS/BTRFS which basically store all file data as a tree that is also checksummed?



    • #3
      Originally posted by mdedetrich
      Am I missing something or can't you just use ZFS/BTRFS which basically store all file data as a tree that is also checksummed?
      The Fedora page links to this post, which discusses that very thing: https://developers.facebook.com/blog...port-in-btrfs/

      Apparently there are tradeoffs, and some potential for integration. F2FS also supports checksumming (though the details aren't really documented afaik), and it's also one of the filesystems supported by fs-verity (along with ext4 and btrfs).



      • #4
        How does this differ from the signify project in OpenBSD? For patches and ports?



        • #5
          I know the importance of this, but my experience with integrity checks and verification gives me flashbacks of being unable to install packages because of some arcane error, outdated certificates or mismatching md5. I have to admit that I end up totally deactivating checking on distros that fail constantly with those.



          • #6
            Originally posted by vladimir86
            I know the importance of this, but my experience with integrity checks and verification gives me flashbacks of being unable to install packages because of some arcane error, outdated certificates or mismatching md5. I have to admit that I end up totally deactivating checking on distros that fail constantly with those.
            All this gets you is an even more broken system on top of exposing a very easy attack surface.

            Fedora has had all package signatures verified by default for a *long* time; it does not break.
            If you have a system that's failing due to signature or certificate errors, your system being broken somehow is *much* more likely to be the culprit rather than the signature verification mechanism itself, and you should fix your broken system rather than disabling security-critical functionality.



            • #7
              rpm -qv



              • #8
                Originally posted by kylew77
                How does this differ from the signify project in OpenBSD? For patches and ports?
                Nothing in common; Fedora packages are signed already. Subj is for verifying the filesystem in use.
