Blockchain can establish that an rpmdb event happened. That isn't enough
because a rootkit can either fake an rpmdb event, or skip using blockchain to
register the event.
On a compromised system, any executable, including the tools used to track
installs, can be altered.
Creating a trusted third-party store of "orphaned" metadata (like you are
describing with EPEL) might use a blockchain to track its updates, and provide
metadata and file digests for "rpm -Vp" instead of RO media.
(aside)
There are security protocols in the TCG MTM spec to handle software
installations and forensics for managed mobile devices that could be used for an
rpmdb. However, adding rpm to the "trusted base" would take an effort comparable
to switching to "secure boot" on Linux.
--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/196#issuecomment-293000462
_______________________________________________
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
http://lists.rpm.org/mailman/listinfo/rpm-maint
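The verification flow the comment above sketches (file digests supplied by an external trusted store, compared against what is actually on disk, rather than trusting the host's own rpmdb), as an added example that is not part of the original thread or of rpm itself. It stands in for "rpm -Vp" with a small Python checker: the manifest format (a constructed JSON object of relative path to SHA-256), the toy package tree, and the tampered file are all assumptions for the demonstration. It shows the data flow only; as the comment notes, on a compromised host the checker binary itself is just as suspect as rpm.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_against_manifest(root, manifest):
    """Compare files under `root` with digests from an externally supplied
    manifest (the stand-in for a trusted third-party metadata store).
    Returns {relative_path: "ok" | "modified" | "missing"}; nothing here
    consults the local rpmdb, which is the point of the comparison."""
    results = {}
    for rel, expected in manifest["files"].items():
        p = Path(root) / rel
        if not p.is_file():
            results[rel] = "missing"
        elif sha256_of(p) != expected:
            results[rel] = "modified"
        else:
            results[rel] = "ok"
    return results


def build_demo(tmpdir):
    """Constructed fixture: a toy 'installed package' tree, the manifest that
    a trusted store would have published for it, then one file altered after
    the manifest was recorded to simulate a modified binary."""
    root = Path(tmpdir)
    (root / "bin").mkdir()
    (root / "etc").mkdir()
    (root / "bin" / "tool").write_bytes(b"#!/bin/sh\necho original\n")
    (root / "etc" / "tool.conf").write_bytes(b"level=1\n")
    manifest = {
        "package": "demo-1.0",  # constructed package name
        "files": {
            "bin/tool": sha256_of(root / "bin" / "tool"),
            "etc/tool.conf": sha256_of(root / "etc" / "tool.conf"),
            # listed by the store but never placed on disk -> "missing"
            "bin/helper": hashlib.sha256(b"never installed").hexdigest(),
        },
    }
    # Simulate post-install tampering: contents change, manifest does not.
    (root / "bin" / "tool").write_bytes(b"#!/bin/sh\necho tampered\n")
    return root, manifest


def run_demo():
    """Build the fixture in a temp dir and return the verification report."""
    with tempfile.TemporaryDirectory() as d:
        root, manifest = build_demo(d)
        return verify_against_manifest(root, manifest)


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The report flags bin/tool as modified and bin/helper as missing while etc/tool.conf verifies cleanly. The manifest is what has to be trustworthy: whether it comes from read-only media or from a store whose update history is tracked on a ledger, the checker can only be as reliable as the digests it is handed and the binary doing the hashing.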