Public bug reported:
[ Reason ]
Open source IPA (Image Processing Algorithms) modules are signed at build time
allowing them to be trusted. However, IPA binaries are modified by dh_strip
invalidating the signatures. Thus IPA modules provided in the package are not
trusted anymore and need to be re-signed after the dh_strip step. This fix is
applied in 0.0.4-3.
[ Impact ]
Not resigning IPA modules will make them untrusted, they will be isolated
inside a Sandbox environment with restricted access to the system (like any
closed-source module). Provided IPA modules won't work as expected.
[ Risks ]
The risk is low since we only regenerate signatures after dh_strip, i.e.
/usr/lib/*/libcamera/ipa_.so.sign files.
** Affects: libcamera (Ubuntu)
Importance: Undecided
Status: Confirmed
** Affects: libcamera (Debian)
Importance: Unknown
Status: Unknown
** Bug watch added: Debian Bug tracker #1033118
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033118
** Also affects: libcamera (Debian) via
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033118
Importance: Unknown
Status: Unknown
** Changed in: libcamera (Ubuntu)
Status: New => Confirmed
** Changed in: libcamera (Ubuntu)
Milestone: None => ubuntu-23.04
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to libcamera in Ubuntu.
https://bugs.launchpad.net/bugs/2012745
Title:
IPA modules are not resigned after dh_strip
Status in libcamera package in Ubuntu:
Confirmed
Status in libcamera package in Debian:
Unknown
Bug description:
[ Reason ]
Open source IPA (Image Processing Algorithms) modules are signed at build
time allowing them to be trusted. However, IPA binaries are modified by
dh_strip invalidating the signatures. Thus IPA modules provided in the package
are not trusted anymore and need to be re-signed after the dh_strip step. This
fix is applied in 0.0.4-3.
[ Impact ]
Not resigning IPA modules will make them untrusted, they will be isolated
inside a Sandbox environment with restricted access to the system (like any
closed-source module). Provided IPA modules won't work as expected.
[ Risks ]
The risk is low since we only regenerate signatures after dh_strip, i.e.
/usr/lib/*/libcamera/ipa_.so.sign files.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libcamera/+bug/2012745/+subscriptions
--
Mailing list: https://launchpad.net/~desktop-packages
Post to : [email protected]
Unsubscribe : https://launchpad.net/~desktop-packages
More help : https://help.launchpad.net/ListHelp
