Subject: Re: Volunteers to test some kernel code...
To: Brett Lymn <blymn@baea.com.au>
From: Perry E. Metzger <perry@piermont.com>
List: tech-kern
Date: 06/21/1999 14:07:58
blymn@baea.com.au (Brett Lymn) writes:
> > If the answer is immutable files then what's the benefit of
> >the dynamic tripwire?
> >
> 
> Only that it stops the execution of any unsigned binary.  There is
> nothing to stop a person, given the correct permissions, running any
> binary they want - even one they have downloaded into, say, /tmp.  By
> using signing you can have a mechanism that can detect such a binary
> and not run it.

I've been thinking about this, and I'm far from sure this whole scheme 
is going to provide any real security. It may add a lot of complexity, 
but in the end, I'm far from sure it's a win.

Perry