#2711 F37 Change: Enable fs-verity in RPM
Closed: Rejected 2 years ago by churchyard. Opened 3 years ago by bcotton.

Enable the use of fsverity for validation of installed RPM files.


The discussion on the mailing list is still going on.

* leaving token -1 vote until the discussion quiets down to prevent auto-approval *

Metadata Update from @zbyszek:
- Issue tagged with: meeting

3 years ago

This issue will be discussed during today's meeting.

* leaving token -1 vote until the discussion quiets down to prevent auto-approval *

Please don't lift that before the end of the year.

I recommend against this change as it increases the attack surface of RPM. There was a recent bug in RPM where a malformed package could (if I recall correctly) cause a heap-based buffer overflow, which is a potentially exploitable security vulnerability. If fsverity signatures were moved from the signature header (which is not signed) to the main header (which is), and were ignored if they were in the signature header, I would be fine with this.
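The placement question raised above (signature header versus main header) can be checked directly on a package file. The following is an added example, not RPM's own code and not part of the proposal: it walks the RPM lead, signature header and main header and reports in which header a given tag appears, rejecting headers whose index entries point outside their data area. The header layout follows the RPM file format; the tag number 276 for RPMSIGTAG_VERITYSIGNATURES, the `build_header` helper and the constructed sample package are assumptions made here for the demonstration.

```python
import struct

# On-disk RPM layout: 96-byte lead, then the signature header (padded to an
# 8-byte boundary), then the main header. Each header is magic 8e ad e8 01,
# 4 reserved bytes, u32 index-entry count, u32 data size, then count x 16-byte
# index entries (tag, type, offset, count) followed by the data area.
LEAD_LEN, LEAD_MAGIC, HEADER_MAGIC = 96, b"\xed\xab\xee\xdb", b"\x8e\xad\xe8\x01"
SIGTAG_VERITYSIGNATURES = 276  # assumed value of rpm's RPMSIGTAG_VERITYSIGNATURES

def parse_header(blob, off):
    """Parse one header at `off`; return (set of tags, offset past the header)."""
    if blob[off:off + 4] != HEADER_MAGIC:
        raise ValueError("no header magic at offset %d" % off)
    nindex, hsize = struct.unpack(">II", blob[off + 8:off + 16])
    idx, end = off + 16, off + 16 + 16 * nindex + hsize
    if end > len(blob):
        raise ValueError("header claims more data than the file holds")
    tags = set()
    for i in range(nindex):
        tag, _typ, doff, _cnt = struct.unpack(">IIII", blob[idx + 16 * i:idx + 16 * (i + 1)])
        if doff >= hsize:  # index entry pointing outside its data area: malformed
            raise ValueError("entry %d offset %d outside data area" % (i, doff))
        tags.add(tag)
    return tags, end

def verity_tag_locations(blob, sigtag=SIGTAG_VERITYSIGNATURES):
    """Say whether `sigtag` sits in the unsigned signature header and list the
    main-header tags, so a reviewer can see which header carries the data."""
    if blob[:4] != LEAD_MAGIC:
        raise ValueError("not an RPM: bad lead magic")
    sig_tags, end = parse_header(blob, LEAD_LEN)
    main_tags, _ = parse_header(blob, (end + 7) & ~7)  # skip alignment padding
    return {"in_signature_header": sigtag in sig_tags, "main_header_tags": main_tags}

def build_header(entries):
    """Constructed helper: serialize {tag: (type, payload)} into one header."""
    index, data = b"", b""
    for tag, (typ, payload) in entries.items():
        index += struct.pack(">IIII", tag, typ, len(data), len(payload))
        data += payload
    return HEADER_MAGIC + b"\0" * 4 + struct.pack(">II", len(entries), len(data)) + index + data

def sample_rpm():
    """Constructed package: verity tag (type 7 = BIN) in the signature header,
    only NAME (tag 1000, type 6 = STRING) in the main header."""
    sig = build_header({SIGTAG_VERITYSIGNATURES: (7, b"\x01" * 12)})
    sig += b"\0" * (-len(sig) % 8)
    main = build_header({1000: (6, b"demo\0")})
    return LEAD_MAGIC + b"\0" * (LEAD_LEN - 4) + sig + main
```

Running `verity_tag_locations(sample_rpm())` on the constructed package reports the verity tag in the signature header and only tag 1000 in the main header; a header whose data-size field exceeds the file raises `ValueError` instead of being read.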

Metadata Update from @bcotton:
- Issue set to the milestone: Fedora Linux 37 (was: Fedora Linux 36)

2 years ago

I'm -1 for this change for now. This change impacts every package build in Fedora and every RPM that is produced, and in my opinion we should only make changes with such a wide-ranging impact for features that are going to be enabled by default or used by a majority of our users. I just don't see a lot of users turning this on, and so I'm not sure the extra build times and larger (even if just slightly) RPM files are worth it.

Some advice for improving the proposal:

  • Explain what the authors intend to use this feature for: I understand that the feature provides verification for RPM installed files, but is there some larger goal here (e.g. a highly secure Fedora derivative, a plan to deploy Fedora into a large organization with the feature enabled, etc.)?
  • Provide data about how this feature impacts the build times in koji and make sure to include some packages with 1+ GB debuginfo files.

Metadata Update from @churchyard:
- Issue untagged with: meeting
- Issue close_status updated to: Rejected
- Issue status updated to: Closed (was: Open)

2 years ago
