
Bug#850339: initramfs-tools: Support Linux Integrity



On Mon, 2017-01-23 at 09:06 -0500, Stefan Berger wrote:
> On 01/22/2017 10:39 PM, Ben Hutchings wrote:
> > Control: tag -1 moreinfo
> > 
> > On Thu,  5 Jan 2017 21:16:58 -0500 Stefan Berger <stefanb@linux.vnet.ibm.com> wrote:
> > > Package: initramfs-tools
> > > Version: 0.103ubuntu4.3
> > > Severity: wishlist
> > >   
> > > Linux implements the Integrity Measurement Architecture (IMA) and the Extended
> > > Verification Module (EVM).
> > >   
> > > IMA measures applications and libraries as they are started and, using a policy,
> > > it can also verify the signatures associated with the applications and
> > > libraries. For this to work the operating system has to load a policy and keys
> > > into the kernel. This should be done when the system is booted.
> > >   
> > > EVM protects file metadata against offline tampering. It does this by signing
> > > (HMAC, public key signature) file attributes. For this to work the operating
> > > system has to load the key used for verification and signing into the kernel.
> > > This should be done when the system is booted.
> > 
> > As your implementation only adds new hook and boot scripts, why not put
> > them in a separate package?
> 
> Separate package means separate git repository or produce a separate 
> Debian package or both? We actually do the 'both' case internally.

I meant a separate source package, which would be in a separate git
repository.

Ben.

-- 
Ben Hutchings
Hoare's Law of Large Problems:
        Inside every large problem is a small problem struggling to get out.
