svn commit: r335402 - head/sbin/veriexecctl
Cy Schubert
Cy.Schubert at cschubert.com
Wed Jun 20 04:13:16 UTC 2018
In message <CAG6CVpV124ze+Y6xX2ZFqbM+3hJNEJWR2qpnChpey=PmiW6qXg at mail.gma
il.com>
, Conrad Meyer writes:
> On Tue, Jun 19, 2018 at 6:08 PM, Stephen J. Kiernan <stevek at freebsd.org> wrot
> e:
> > Author: stevek
> > Date: Wed Jun 20 01:08:54 2018
> > New Revision: 335402
> > URL: https://svnweb.freebsd.org/changeset/base/335402
> >
> > Log:
> > This application (veriexecctl) handles reading a fingerprints file
>
> Hi,
>
> This patchset needed design and code review prior to commit. It
> appears to have serious problems.
>
> First and foremost: nothing is actually signed, anywhere. The
> veriexecctl tool parses and tells the kernel to trust a file input.
> But if we don't trust other files on the filesystem, why do we trust
> that one? There is no embedded signature mechanism proving the hash
> list file is trustworthy.
>
> As a corollary to the above, the name "signature file" is used
> repeatedly in the code, which is misleading. The file contains hashes
> (digests), not signatures (MACs). The file itself is unsigned.
> Nothing about this has signatures.
>
> There's absolutely no reason to use sha1 or ripemd in new designs.
> These should be removed.
>
> The patchset is littered with style issues. One fairly obvious issue
> is mixed indentation styles — some files vary between space and tab
> indentation from line to line.
>
> Please revert this patchset. It's not ready.
>
> Some suggestions for a second attempt:
>
> - Maybe use HMACs instead of raw hashes
> - Maybe sign the source-of-trust file
> - Fix the style issues
> - Fix the compiler warnings at 6
- i386 format issues, build failures in multiple places
--
Cheers,
Cy Schubert <Cy.Schubert at cschubert.com>
FreeBSD UNIX: <cy at FreeBSD.org> Web: http://www.FreeBSD.org
The need of the many outweighs the greed of the few.
More information about the svn-src-all
mailing list