Davide Cavalca via devel wrote:
> To clarify: RPM does support files validation, but fs-verity is more
> than just that. With RPM, the validation only happens on install time,
> and when one runs rpm -V manually. With fs-verity, the validation
> happens on-demand whenever a block of a file that originated from an
> RPM is accessed. This means, for example, that if an attacker replaces
> /bin/ls on disk with a compromised one, the next time it's read from
> disk (e.g. because you ran it) you will see a validation failure and
> the syscall will be blocked, preventing the compromised code from being
> executed.

This means that there is a performance cost in addition to the disk space 
cost (because something has to compute those checksums each time the file is 
accessed). It also means that it is harder for users to exercise their right 
to modify the Free Software (because replacing or patching RPM-installed 
binaries will lead to them failing to execute).

> About filesystem usage: unless you install rpm-plugin-fsverity (which
> is not and will not be installed by default), there is no disk space
> increase for verity-signed RPM packages. If you do install rpm-plugin-
> fsverity, some disk space will be used for the Merkle tree as described
> in the Change.

Since the change also adds to the metadata in the RPM, that means that it 
also increases the size of the RPMs. With keepcache=1, this also translates 
to increased disk space use. But even if the user does not keep cached RPMs, 
the download sizes will increase, which can cost time and for some users 
even money.

        Kevin Kofler
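
The per-block check and the storage cost discussed in this thread can be seen in a small model, added here as an example (not part of the original message, and not code from RPM or the kernel). It assumes SHA-256 and 4096-byte blocks and is a simplified Merkle tree, not the exact fs-verity on-disk format; all names in it are hypothetical.

```python
import hashlib

BLOCK = 4096             # assumed data/tree block size
DIGEST = 32              # SHA-256 digest length (assumed hash)
ARITY = BLOCK // DIGEST  # 128 child hashes fit in one tree block


def _blocks(buf):
    """Split buf into BLOCK-sized pieces, zero-padding the last one."""
    return [buf[i:i + BLOCK].ljust(BLOCK, b"\0") for i in range(0, len(buf), BLOCK)]


def build_tree(data):
    """Return (root_hash, levels); levels[0] holds the hashes of the data blocks."""
    if not data:
        raise ValueError("empty input is not modelled here")
    levels, current = [], data
    while True:
        hashes = b"".join(hashlib.sha256(b).digest() for b in _blocks(current))
        if len(hashes) == DIGEST:      # one block left: its hash is the root
            return hashes, levels
        levels.append(hashes)
        current = hashes


def tree_size(levels):
    """Bytes of extra storage the tree needs (whole blocks per level)."""
    return sum(len(_blocks(level)) * BLOCK for level in levels)


def verify_block(data, index, levels, trusted_root):
    """Check one data block bottom-up, as an on-demand read would."""
    digest = hashlib.sha256(_blocks(data)[index]).digest()
    for level in levels:
        if level[index * DIGEST:(index + 1) * DIGEST] != digest:
            return False               # stored hash does not match what was read
        index //= ARITY                # tree block that holds that stored hash
        digest = hashlib.sha256(_blocks(level)[index]).digest()
    return digest == trusted_root      # top of the chain must equal the trusted root


# Constructed sample: a 200-block "file", then one byte changed in block 150.
ORIGINAL = b"".join(i.to_bytes(4, "big") * 1024 for i in range(200))
ROOT, LEVELS = build_tree(ORIGINAL)
_changed = bytearray(ORIGINAL)
_changed[150 * BLOCK + 7] ^= 0xFF
TAMPERED = bytes(_changed)
```

In this model the 200-block file needs three extra tree blocks, and only a read of the changed block fails; rebuilding the tree over the changed data does not help, because the result no longer matches the trusted root.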
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org