| Message ID | CAEwRq=pBWFuJw+FoKCQ3amdRdm1c2+s1wzMEzmGgu-exOS=Qrg@mail.gmail.com |
|---|---|
| Headers | show |
| Series | Libwaive for signify | expand |
Yes, it's missing a proper description & synopsis. I'll add those, but will accept feedback anyways. Thanks
On Sun, Dec 20, 2020 at 07:49:22PM +0100, Vincent Legoll wrote: > The following series adds libwaive, use it > for signify, and remove the TODO item. > > I don't know if the test I did is sufficient to > ensure that the libwaive was used but the > following worked OK: > > wget https://ftp.openbsd.org/pub/OpenBSD/6.8/openbsd-68-base.pub > wget https://cdn.openbsd.org/pub/OpenBSD/6.8/amd64/miniroot68.img > wget https://cdn.openbsd.org/pub/OpenBSD/6.8/amd64/SHA256 > sha256sum -c --ignore-missing SHA256 > wget https://cdn.openbsd.org/pub/OpenBSD/6.8/amd64/SHA256.sig > signify -Cp ./openbsd-68-base.pub -x SHA256.sig miniroot68.img Well, as long as signify keeps working, these extra security features are offered as "best effort" on Linux. From what I can see, the only OpenBSD software that is fully supported on Linux is OpenSSH. So, we are only missing the description and synopsis.
Hello, On Sat, Feb 20, 2021 at 7:46 PM Leo Famulari <leo@famulari.name> wrote: > Well, as long as signify keeps working, these extra security features > are offered as "best effort" on Linux. From what I can see, the only > OpenBSD software that is fully supported on Linux is OpenSSH. So, we are > only missing the description and synopsis. Yes, I'm not knowledgeable enough to check for sure that this is really enhancing security or anything else, but saw the light^Wcomment and tried to do it... It certainly is more interesting than bare boring package version updates (which I'll still continue to do anyways though). I'll update the patch with desc and synopsis. Thanks -- Vincent Legoll
This one is not ready anyways, signify still uses the bundled libwaive, I have to handle that properly as well...
On Sat, Feb 20, 2021 at 10:38:00PM +0100, Vincent Legoll wrote: > This one is not ready anyways, signify still uses the > bundled libwaive, I have to handle that properly as > well... Alright. I noticed that libwaive hasn't been active in a few years. I wonder if it's something we should pursue...
Hello, On Sun, Feb 21, 2021 at 12:09 AM Leo Famulari <leo@famulari.name> wrote: > I noticed that libwaive hasn't been active in a few years. I wonder if > it's something we should pursue... libwaive is a single-file C (~300 LOCs [1]) source code library, I glanced over it and it looks straightforward enough. I compared it to the seccomp manpage [2] code samples and saw nothing suspicious. I think it may not have been updated for newly added syscalls, but that should not make it unsecure, mainly because what is not explicitely allowed is prevented from use (default-locked policy [3]). So, I'll wait for a bit more feedback before working on this, but I think it may still be a worthwhile addition. WDYT ? [1] https://github.com/dimkr/libwaive/blob/master/waive.c [2] https://man7.org/linux/man-pages/man3/seccomp_rule_add.3.html [3] https://en.wikipedia.org/wiki/Seccomp
On Sun, Feb 21, 2021 at 10:55:16AM +0100, Vincent Legoll wrote: > Hello, > > On Sun, Feb 21, 2021 at 12:09 AM Leo Famulari <leo@famulari.name> wrote: > > I noticed that libwaive hasn't been active in a few years. I wonder if > > it's something we should pursue... > > libwaive is a single-file C (~300 LOCs [1]) source code library, I glanced over > it and it looks straightforward enough. I compared it to the seccomp manpage > [2] code samples and saw nothing suspicious. > > I think it may not have been updated for newly added syscalls, but that > should not make it unsecure, mainly because what is not explicitely allowed > is prevented from use (default-locked policy [3]). > > So, I'll wait for a bit more feedback before working on this, but I think > it may still be a worthwhile addition. > > WDYT ? I think you've done all the things a reviewer would ask for, so please proceed as you see fit :)