[Bug debuginfod/27758] security idea: DEBUGINFOD_VERIFY mode

fche at redhat dot com sourceware-bugzilla@sourceware.org
Wed Apr 21 14:09:30 GMT 2021


--- Comment #5 from Frank Ch. Eigler <fche at redhat dot com> ---
(In reply to Vitaly Chikunov from comment #3)
> Instead of `X-Debuginfod-Hash` you can use `ETag` where you can put anything
> including sha256 (can be prescribed in webapi description), then GET request
> with `If-None-Match` + tag value (which is a hash) will return just 304 if
> the hash is not changed. So a HEAD request is not needed either.

That's a good idea, except in the case of an older [current] debuginfod that
doesn't understand If-None-Match, and would just resend the entire content
every time.  But at least it's not a security problem, just a performance one.
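
The exchange discussed in this comment, as an added example that is not part of the original mail or of debuginfod: a client revalidates a cached file with `If-None-Match` against an ETag-aware server and against one that ignores the header, and reaches the same verdict in both cases, differing only in bytes transferred. The local stand-in server, the quoted-sha256 ETag format, and the names `serve` and `verify_cached` are assumptions made for illustration.

```python
import hashlib, threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

BLOB = b"constructed stand-in for a debuginfo file\n"  # constructed sample data

def serve(body, etag_aware):
    """Start a local stand-in server; etag_aware=False models the older server."""
    tag = '"%s"' % hashlib.sha256(body).hexdigest()  # assumed ETag format
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if etag_aware and self.headers.get("If-None-Match") == tag:
                self.send_response(304)  # hash unchanged: no body sent
                self.end_headers()
                return
            self.send_response(200)
            if etag_aware:
                self.send_header("ETag", tag)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        def log_message(self, *args):  # keep output quiet
            pass
    srv = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d/blob" % srv.server_address[1]

def verify_cached(url, cached):
    """Return (verdict, bytes_downloaded) for a cached copy checked against url."""
    digest = hashlib.sha256(cached).hexdigest()
    req = urllib.request.Request(url, headers={"If-None-Match": '"%s"' % digest})
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(req, timeout=5) as resp:
            body = resp.read()
    except urllib.error.HTTPError as err:  # urllib reports 304 as HTTPError
        if err.code == 304:
            return ("match", 0)
        raise
    # 200: either the content differs or the server ignored If-None-Match.
    # Decide by hashing the body, never by the status code alone.
    ok = hashlib.sha256(body).hexdigest() == digest
    return ("match" if ok else "mismatch", len(body))

if __name__ == "__main__":
    for aware in (True, False):
        print(aware, verify_cached(serve(BLOB, aware), BLOB))
```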
