Re: Whitelisting only digitally signed binaries

> 
> > > Has any work taken place in the Linux community toward building a
> > > "trusted loader" into Linux? If so, what is the status? If not,
> > > why not?
> >
> > This would be against the very idea of Free Software, i.e. the right
> > to freely modify your software and use such modified versions.
> > See e.g.: http://www.gnu.org/philosophy/can-you-trust.html
> 
> That depends on who has the keys. If the system admins can use their 
> own keys, then it isn't a problem.
>

There are times I don't care about "philosophy" as much as being able to
deliver a stable somewhat-trusted box to a customer. I have customers
for whom configuration managed baselines are very important.  Once the
baseline is established, they want it locked down, and want to be able
to detect when the baseline changes...better yet, ensure the baseline
can't change without authorization. Once a server is in production,
"philosophy" takes a back seat.

Of course the ability for the end-user to modify open source or create
custom apps and be able to sign them has got to be part of the solution.

Dave McGuffey
Principal Information System Security Engineer // NSA-IEM, NSA-IAM SAIC,
IISBU, Columbia, MD


-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
