Subject: Re: verified executable kernel modification committed
To: Brett Lymn <blymn@baesystems.com.au>
From: Bill Studenmund <wrstuden@netbsd.org>
List: tech-security
Date: 10/31/2002 16:39:15
On Thu, 31 Oct 2002, Brett Lymn wrote:

> On Wed, Oct 30, 2002 at 09:26:34AM -0500, Perry E. Metzger wrote:
> >
> > What prevents them from also altering the fingerprints?
> >
>
> either chflags or ro media.  To be honest, this is the part that needs
> work.  The loading of the fingerprints is something I consider that
> needs work to improve the security of the mechanism.

Or use public/private key signing, and code the public keys into the
kernel.

One other thing we could do is come up with "Official" keys. So that you
could use a signed set of fingerprints that were generated on the build
machine which made the release.

So then all you have to do is trust the builders. :-)

> > So, again, why is this better/different from an immutable flag?

With the above, you can have a trail of verification. With the immutable
flag, you can't do any back-tracking to the build. Yes, you could download
a build and hash everything then, but that's an extra step. The immutable
flag itself won't help.

Take care,

Bill
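The scheme sketched above (sign the fingerprint list on the build machine, compile the release public key into the kernel, refuse any fingerprint list whose signature does not verify, then check each executable against the loaded fingerprints) as an added Go example. This is not code from the thread or from NetBSD's verified exec; it assumes its own manifest format of "path sha256-hex" lines, an Ed25519 key pair standing in for the release key, and a strict policy that refuses files with no fingerprint. The file contents are constructed inline.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// BuildManifest runs on the build machine: one "path sha256-hex" line per
// file, sorted by path so the same file set always yields the same bytes.
// (Assumed format; not the format any real veriexec tool uses.)
func BuildManifest(files map[string][]byte) []byte {
	paths := make([]string, 0, len(files))
	for p := range files {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var b bytes.Buffer
	for _, p := range paths {
		sum := sha256.Sum256(files[p])
		fmt.Fprintf(&b, "%s %s\n", p, hex.EncodeToString(sum[:]))
	}
	return b.Bytes()
}

// SignManifest is the build machine's step: the private key never leaves it.
func SignManifest(priv ed25519.PrivateKey, manifest []byte) []byte {
	return ed25519.Sign(priv, manifest)
}

// LoadManifest is the kernel-side step: `trusted` is the public key compiled
// into the kernel. A list that does not verify is rejected before parsing, so
// editing a fingerprint (or the whole list) is caught even on writable media.
func LoadManifest(trusted ed25519.PublicKey, manifest, sig []byte) (map[string]string, error) {
	if !ed25519.Verify(trusted, manifest, sig) {
		return nil, fmt.Errorf("fingerprint list signature does not verify against the embedded key")
	}
	fps := make(map[string]string)
	for _, line := range strings.Split(strings.TrimSpace(string(manifest)), "\n") {
		if line == "" {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) != 2 {
			return nil, fmt.Errorf("malformed fingerprint line %q", line)
		}
		fps[fields[0]] = fields[1]
	}
	return fps, nil
}

// CheckExec is the exec-time check: hash the file and compare with the loaded
// fingerprint. Strict policy (assumed here): no fingerprint means no exec.
func CheckExec(fps map[string]string, path string, content []byte) bool {
	want, ok := fps[path]
	if !ok {
		return false
	}
	sum := sha256.Sum256(content)
	return hex.EncodeToString(sum[:]) == want
}

func main() {
	// Release key pair, generated here for the demo; a real one would be
	// generated once on the build machine and only its public half shipped.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed "release" file contents.
	release := map[string][]byte{
		"/bin/ls": []byte("ls binary v1"),
		"/bin/sh": []byte("sh binary v1"),
	}
	manifest := BuildManifest(release)
	sig := SignManifest(priv, manifest)

	fps, err := LoadManifest(pub, manifest, sig)
	fmt.Println("signed list loads:", err == nil)
	fmt.Println("shipped /bin/ls runs:", CheckExec(fps, "/bin/ls", release["/bin/ls"]))
	fmt.Println("modified /bin/ls runs:", CheckExec(fps, "/bin/ls", []byte("ls binary, modified")))

	// Rewriting the fingerprint to match the modified file invalidates the
	// signature; this is the case chflags alone does not cover.
	modified := map[string][]byte{"/bin/ls": []byte("ls binary, modified"), "/bin/sh": release["/bin/sh"]}
	_, err = LoadManifest(pub, BuildManifest(modified), sig)
	fmt.Println("edited list loads:", err == nil)
}
```

The verification trail is the point: the loaded list is accepted only because it was signed by the key the kernel was built with, so a fingerprint list can be traced back to the release builder rather than merely being hard to overwrite on the local disk.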