Subject: Re: verified executable kernel modification committed
To: Brett Lymn <>
From: Bill Studenmund <>
List: tech-security
Date: 10/31/2002 16:39:15
On Thu, 31 Oct 2002, Brett Lymn wrote:

> On Wed, Oct 30, 2002 at 09:26:34AM -0500, Perry E. Metzger wrote:
> >
> > What prevents them from also altering the fingerprints?
> >
> either chflags or ro media.  To be honest, this is part that needs
> work.  The loading of the fingerprints is something I consider that
> needs work to improve the security of the mechanism.

Or use public/private key signing, and code the public keys into the

One other thing we could do is come up with "Official" keys. So that you
could use a signed set of fingerprints that were generated on the build
machine which made the release.

So then all you have to do is trust the builders. :-)

> > So, again, why is this better/different from an immutable flag?

With the above, you can have a trail of verification. With the immutable
flag, you can't do any back-tracking to the build. Yes, you could download
a build and hash everything then, but that's an extra step. The immutable
flag itself won't help.

Take care,