On Thu, 16 Apr 2020, Andrei Borzenkov wrote:
16.04.2020 00:59, Frank Krüger пишет:
FYI: https://bugzilla.opensuse.org/show_bug.cgi?id=1169588
Regards, Frank
I do not understand how
a) enforcing HMAC check of library at start of each program using libgcrypt b) shipping actual HMAC and library itself in two independent separate packages
is ever going to work. You will always have hash mismatch during update unless it is somehow possible to force both packages to be updated at the same time *and* make sure no binary that needs libgcrypt runs during this update.
And even if RPM can do it, I am not sure to which extent zypper complies with these requirements (does not it effectively use --nodeps --force and computes installation order itself)?
It's really sad this bogosity went in ... it doesn't buy us anything but
a checkmark on some certification - plus these kind of issues. There's
no chain of trust involved so ...
For Leap this asks for disabling the "feature" IMHO.
When we were discussing this "feature" I was suggesting to generate
the hmac at RPM install time from within rpm itself (which has done
cryptographic signature verification on the RPMs contents) when the
feature is enabled. The solution with a separate package
(only Suggested by the library(!?)) looks broken to me.
Richard.
--
Richard Biener