Subject: Re: verified executable kernel modification committed
To: Brett Lymn <email@example.com>
From: Bill Studenmund <firstname.lastname@example.org>
Date: 10/31/2002 16:39:15
On Thu, 31 Oct 2002, Brett Lymn wrote:
> On Wed, Oct 30, 2002 at 09:26:34AM -0500, Perry E. Metzger wrote:
> > What prevents them from also altering the fingerprints?
> either chflags or ro media. To be honest, this is part that needs
> work. The loading of the fingerprints is something I consider that
> needs work to improve the security of the mechanism.
Or use public/private key signing, and code the public keys into the
One other thing we could do is come up with "Official" keys. So that you
could use a signed set of fingerprints that were generated on the build
machine which made the release.
So then all you have to do is trust the builders. :-)
> > So, again, why is this better/different from an immutable flag?
With the above, you can have a trail of verification. With the immutable
flag, you can't do any back-tracking to the build. Yes, you could download
a build and hash everything then, but that's an extra step. The immutable
flag itself won't help.