On 01/22/2017 10:39 PM, Ben Hutchings wrote:
Control: tag -1 moreinfo

On Thu, 5 Jan 2017 21:16:58 -0500 Stefan Berger <stef...@linux.vnet.ibm.com> wrote:
Package: initramfs-tools
Version: 0.103ubuntu4.3
Severity: wishlist
Linux implements the Integrity Measurement Architecture (IMA) and the Extended
Verification Module (EVM).
IMA measures applications and libraries as they are started and, using a policy,
it can also verify the signatures associated with the applications and
libraries. For this to work the operating system has to load a policy and keys
into the kernel. This should be done when the system is booted.
EVM protects file metadata against offline tampering. It does this by signing
(HMAC, public key signature) file attributes. For this to work the operating
system has to load the key used for verification and signing into the kernel.
This should be done when the system is booted.
As your implementation only adds new hook and boot scripts, why not put
them in a separate package?

Does a separate package mean a separate git repository, producing a separate Debian package, or both? We actually do the 'both' case internally.

   Stefan
