Hi,

On Tue, May 10 2011, Sridhar Dhanapalan wrote:

> However, I was thinking along more simplistic lines. We could
> have it so that one can only install RPMs signed with a signature[0]
> that is present in the RPM database. This would allow users to add
> their own RPMs, but prevent 'unofficial' ones from being installed.
I think it's still more complicated than that. There could be a Fedora-signed RPM -- perhaps a sysadmin tool of some kind -- that opens up root access to users in some way or another. (And of course there are many Fedora-signed RPMs that develop known security vulnerabilities at some point in their lives.) I don't know if such a signed RPM exists, but my point is that we're moving the semantics of a customization key from "it's safe to secure-boot a customization key on a locked machine" to "this greatly increases the risk vector of secure-booting customization keys".

Anyway, I'm not saying that you shouldn't do it yourselves. But OLPC would have to be careful before signing a key with your patch included if there are any locked deployments that use OLPC's keychain, which means we should use the same care when deciding whether to merge the patch. Martin and dsd would be better at speaking to how big a worry this is for deployments in real-world terms.

Thanks,

- Chris.

--
Chris Ball <[email protected]> <http://printf.net/>
One Laptop Per Child

_______________________________________________
Devel mailing list
[email protected]
http://lists.laptop.org/listinfo/devel
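The rule Sridhar proposes, as an added Python example that is not from this thread, from OLPC or from rpm itself: it parses constructed samples laid out like `rpm -Kv` and `rpm -q gpg-pubkey` output (assumed rpm 4.x formats; package names and key IDs are made up) and allows an install only when a signature verifies under a key already imported into the RPM database. It enforces exactly the stated rule and nothing more, which is the gap Chris points at: a package can pass this check and still be unsafe.

```python
import re

# Assumed rpm 4.x layouts: `rpm -Kv` prints one "... Signature, key ID <id>: <STATUS>"
# line per signature; `rpm -q gpg-pubkey` prints one gpg-pubkey-<keyid>-<date> per key.
SIG_RE = re.compile(r"^\s*(?:Header )?V\d+ \S+ Signature, key ID ([0-9a-f]+): ([A-Z]+)$", re.M)
PUBKEY_RE = re.compile(r"^gpg-pubkey-([0-9a-f]+)-[0-9a-f]+$", re.M)

# Constructed sample outputs (not real packages, digests or keys).
INSTALLED_KEYS = "gpg-pubkey-97a1071f-4c3ab2a3\ngpg-pubkey-0a1b2c3d-4d4e4f50\n"

OFFICIAL = """official-tool-1.0-1.noarch.rpm:
    Header V3 RSA/SHA256 Signature, key ID 97a1071f: OK
    Header SHA1 digest: OK (0000000000000000000000000000000000000000)
    V3 RSA/SHA256 Signature, key ID 97a1071f: OK
    MD5 digest: OK (00000000000000000000000000000000)"""
UNKNOWN_KEY = """thirdparty-2.3-1.noarch.rpm:
    Header V3 RSA/SHA256 Signature, key ID deadbeef: NOKEY
    Header SHA1 digest: OK (...)
    V3 RSA/SHA256 Signature, key ID deadbeef: NOKEY
    MD5 digest: OK (...)"""
UNSIGNED = """local-build-0.1-1.noarch.rpm:
    Header SHA1 digest: OK (...)
    MD5 digest: OK (...)"""

def installed_key_ids(rpm_q_output):
    """Key IDs of public keys imported into the RPM database."""
    return set(PUBKEY_RE.findall(rpm_q_output))

def signature_status(rpm_kv_output):
    """Map key ID -> rpm's verdict (OK, NOKEY, BAD, ...) for each signature line."""
    return dict(SIG_RE.findall(rpm_kv_output))

def install_allowed(rpm_kv_output, rpm_q_output):
    """Apply the proposed rule: install only if the package carries a signature
    that verifies (OK) under a key already present in the RPM database."""
    sigs = signature_status(rpm_kv_output)
    if not sigs:
        return False, "unsigned package"
    keys = installed_key_ids(rpm_q_output)
    for key_id, status in sigs.items():
        if status == "OK" and key_id in keys:
            return True, "signed by installed key " + key_id
    detail = ", ".join(f"{k}: {s}" for k, s in sigs.items())
    return False, "no valid signature from an installed key (" + detail + ")"

if __name__ == "__main__":
    for pkg in (OFFICIAL, UNKNOWN_KEY, UNSIGNED):
        ok, why = install_allowed(pkg, INSTALLED_KEYS)
        print(pkg.splitlines()[0], "->", "ALLOW" if ok else "DENY", "-", why)
```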
