[Bug debuginfod/27758] security idea: DEBUGINFOD_VERIFY mode
fche at redhat dot com
sourceware-bugzilla@sourceware.org
Wed Apr 21 14:09:30 GMT 2021
https://sourceware.org/bugzilla/show_bug.cgi?id=27758
--- Comment #5 from Frank Ch. Eigler <fche at redhat dot com> ---
(In reply to Vitaly Chikunov from comment #3)
> Instead of `X-Debuginfod-Hash` you can use `ETag` where you can put anything
> including sha256 (can be prescribed in webapi description), then GET request
> with `If-None-Match` + tag value (which is a hash) will return just 304 if
> the hash is not changed. So a HEAD request is not needed either.
That's a good idea, except in the case of an older [current] debuginfod that
doesn't understand If-None-Match, and would just resend the entire content
every time. But at least it's not a security problem, just a performance one.
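The exchange discussed in this comment, as an added sketch that is not part of the original message and not elfutils code: a client verifies a cached file with a conditional GET, against a server that honours `If-None-Match` and against an older one that ignores it. The ETag format (quoted sha256 hex digest), the function names, and the in-process "servers" are assumptions made for illustration.

```python
import hashlib

# Constructed sample data: the server's file and a locally altered cache copy.
GOOD = b"\x7fELF constructed debuginfo payload"
TAMPERED = b"\x7fELF constructed debuginfo payl0ad"

def etag_for(content: bytes) -> str:
    """Quoted ETag carrying the sha256 hex digest (assumed format)."""
    return '"' + hashlib.sha256(content).hexdigest() + '"'

def new_server(content: bytes, request_headers: dict):
    """Hypothetical server that honours If-None-Match."""
    tag = etag_for(content)
    if request_headers.get("If-None-Match") == tag:
        return 304, {"ETag": tag}, b""
    return 200, {"ETag": tag}, content

def old_server(content: bytes, request_headers: dict):
    """Hypothetical older server: ignores If-None-Match, always resends."""
    return 200, {}, content

def verify_cached(cached: bytes, server, content: bytes):
    """Return (verdict, body_bytes_transferred) for one cached file."""
    local_tag = etag_for(cached)
    status, _headers, body = server(content, {"If-None-Match": local_tag})
    if status == 304:
        # Server says its copy hashes to the tag we sent: nothing to download.
        return "match", 0
    if status == 200:
        # Do not rely on a response header here; hash the body actually received.
        verdict = "match" if etag_for(body) == local_tag else "mismatch"
        return verdict, len(body)
    return "error", len(body)

if __name__ == "__main__":
    for name, srv in (("new", new_server), ("old", old_server)):
        for label, cached in (("intact", GOOD), ("tampered", TAMPERED)):
            print(name, label, verify_cached(cached, srv, GOOD))
```

Against the older server the verdicts are the same as against the newer one; only the transferred byte count differs.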