radical suggestion for fc4 release

Jeff Johnson n3npq at nc.rr.com
Thu Feb 3 17:39:01 UTC 2005

Nils Philippsen wrote:

>On Thu, 2005-02-03 at 08:19 -0500, Jeff Johnson wrote:
>>Whether changelogs should be part of an immutable region or not is an open
>>question too. It is (and was) certainly possible to define a header
>>immutable region without including changelog content, which would permit
>>truncation or other forms of normalization, editing header content while
>>installing.
>>I chose to put *all* tags into a header immutable region so that I
>>would not have to have the discussion about which tags go where.
>>For example, the content in changelogs, if not hardened by digest and/or
>>might be part of a socially engineered exploit to disguise a malicious
>>package. It's very hard not to believe what you read.
>Well, I didn't propose anything of that sort (i.e. changelog outside of
>what is digested/signed) ;-). What I meant was that it is irrelevant
>whether you sign/digest an actually existing stream of bytes which
>contains the changelog or the result of a function which puts together
>this stream from changelog and the remainder of the header.
Yep, one can reassemble a header from components, and verify blobs.

That was the context of my previous comments: you cannot reassemble a blob
unless the components are actually present, and there almost certainly will be
some way for separate changelogs to go AWOL, preventing reassembly.

Splitting changelogs out, but not changing how digest/signature are performed
on headers, adds complexity and additional failure modes (where there are none
now) that are hard to "trust", for no perceivable gain in verifiability other
than compatibility with the existing mechanism.

Moving changelogs out of headers, or truncating them to an acceptable length,
is better imho.

Or RFE an explicit mechanism for moving changelogs out of headers and
normalizing content.

73 de Jeff
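As an added illustration of the two points argued above (reassembling a digested blob from separately stored components, versus normalizing the changelog before the digest is taken), the following is example code written for this page; it is not RPM's code, and its tag encoding is a deliberately simplified stand-in for RPM's real header format. The tag names, the encoding and the sample header are all constructed for the example.

```python
"""Toy model of a digested 'header immutable region'.

Constructed example, not RPM's header format: tags are serialized in a
canonical order so the same logical header always yields the same bytes,
and a digest over those bytes stands in for the digest/signature RPM
computes over the immutable region.
"""
import hashlib
import hmac
import struct

CHANGELOG_TAG = "changelog"  # hypothetical tag name for the example


def serialize_header(tags: dict) -> bytes:
    """Canonical encoding: tags sorted by name, each as a length-prefixed
    name followed by a length-prefixed value. List values (the changelog)
    are joined with newlines. Determinism is what makes reassembly possible:
    the digest of the reassembled header must equal the original digest."""
    out = bytearray()
    for name in sorted(tags):
        value = tags[name]
        if isinstance(value, list):
            value = "\n".join(value)
        name_b = name.encode("utf-8")
        value_b = value.encode("utf-8")
        out += struct.pack(">I", len(name_b)) + name_b
        out += struct.pack(">I", len(value_b)) + value_b
    return bytes(out)


def header_digest(tags: dict) -> str:
    """Digest over the whole immutable region (changelog included)."""
    return hashlib.sha256(serialize_header(tags)).hexdigest()


def split_changelog(tags: dict):
    """Store the changelog separately; return (remainder, changelog)."""
    rest = {k: v for k, v in tags.items() if k != CHANGELOG_TAG}
    return rest, tags.get(CHANGELOG_TAG)


def reassemble(rest: dict, changelog):
    """Rebuild the full header from its components. Fails closed: if the
    separated changelog went AWOL there is no blob to verify."""
    if changelog is None:
        raise ValueError("changelog component missing; cannot reassemble")
    full = dict(rest)
    full[CHANGELOG_TAG] = changelog
    return full


def verify(rest: dict, changelog, expected_digest: str) -> bool:
    """Verify a split header against the digest taken over the original
    (unsplit) immutable region. Any missing or altered component fails."""
    try:
        full = reassemble(rest, changelog)
    except ValueError:
        return False
    return hmac.compare_digest(header_digest(full), expected_digest)


def normalize_changelog(tags: dict, max_entries: int) -> dict:
    """The alternative: truncate the changelog *before* digesting, so the
    digest covers the normalized form and nothing has to be reassembled."""
    normalized = dict(tags)
    normalized[CHANGELOG_TAG] = list(tags.get(CHANGELOG_TAG, []))[:max_entries]
    return normalized


# Constructed sample header for the demonstration.
SAMPLE_HEADER = {
    "name": "example",
    "version": "1.0",
    "release": "1",
    CHANGELOG_TAG: [
        "* Thu Feb 03 2005 - 1.0-1: third entry",
        "* Wed Feb 02 2005 - 0.9-1: second entry",
        "* Tue Feb 01 2005 - 0.8-1: first entry",
    ],
}


def demo() -> dict:
    """Run the scenarios and return their outcomes by name."""
    digest = header_digest(SAMPLE_HEADER)
    rest, changelog = split_changelog(SAMPLE_HEADER)
    tampered = ["* Thu Feb 03 2005 - 1.0-1: fixes all CVEs, trust me"] + changelog[1:]
    trimmed = normalize_changelog(SAMPLE_HEADER, 1)
    return {
        "intact_split_verifies": verify(rest, changelog, digest),
        "missing_changelog_verifies": verify(rest, None, digest),
        "tampered_changelog_verifies": verify(rest, tampered, digest),
        "tampered_rest_verifies": verify(dict(rest, version="1.1"), changelog, digest),
        "normalized_digest_differs": header_digest(trimmed) != digest,
        "normalized_verifies_against_own_digest": verify(
            *split_changelog(trimmed), header_digest(trimmed)
        ),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

The split path only works because serialization is canonical and because the changelog component is still present at verification time; a lost component is indistinguishable from a tampered one and the check must fail. Truncating before digesting sidesteps reassembly entirely, at the cost of changing the digest, which is why it cannot be retrofitted without also changing how existing headers are digested.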
