Re: [ANNOUNCE] DigSig 0.2: kernel module for digital signature verification for binaries

[Pavel Machek <pavel@suse.cz>]

Hi!

> > <shrug> so in a month rootkits get updated and we are back to square 1,
> > with additional mess from patch...
> 
> Viro, I think you have an attitude problem here. "Don't be ridiculous",
> "Rubbish", "<shrug>" don't sound very constructive or at least
> encouraging.
> 
> Over the years it was proved that Linux kernel can be tailored for a very
> large number of unexpected and very strange needs. IBM put it into
> watches, NASA sent it to space, it is exists in oil wells and so on. I
> think that the possibilities offered by Linux kernel are limited only by
> the knowledge, imagination and will of every of us. Linux itself was once
> a very insignificant and unreliable kernel and many other serious Unix and
> Unix-like alternative were available. Still, it is prevailing today because
> some peoples believed in what they did.
> 
> Especially to your point, should I mention that there are patches that
> avoid buffer-overflows? Or that there are patches for gcc that add bound
> check to arrays in C?

I simply wanted to see valid usage of this. It certainly does not
prevent attacker to get control of your box. Al seems to be right. It
may temporarily redirect script-kiddies, through...

There may be some uses like "prevent tivo users from running their own
software", but I'm not sure I want to encourage some uses. Maybe "its
neccessary to get our phones approved by FCC" would be better.
								Pavel
-- 
When do you have a heart between your knees?
[Johanka's followup: and *two* hearts?]