On Sat, Mar 22, 2008 at 03:16:31AM -0700, Nicholas Miell wrote:
quoted text
> 
> *sigh* this is probably true

Actually it is a relatively weak argument assuming the standard
4k xattrs, but still an issue.

The other stronger argument against it is that larger xattrs tend to be
outside the inode so you would have another seek again.

quoted text
> > and a mess to manage (a lot of tools don't know about them)
> 
> At this point in time, all tools that don't support xattrs are
> defective,

Good joke.

quoted text
> I just have an instinctive aversion towards the kernel mucking around in
> ELF objects -- for one thing, you're going to have to blacklist
> cryptographically signed binaries.

What signed binaries? 

Anyways there are two ways to deal with this:

- Run the executable through a little filter that zeroes the bitmap before
computing the checksum.  That is how rpm -V deals with prelinked binaries which 
have a similar issue. You can probably reuse the scripts from rpm.
- Disable the pbitmap header before you sign, either by never adding
one or disabling it by turning the phdr type into a nop (should be very simple) 

-Andi
--
unsubscribe notice
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/