Update TODO

author: Luca Boccassi <bluca@debian.org> 2022-12-03 12:23:00 +0100
committer: Luca Boccassi <bluca@debian.org> 2022-12-03 12:23:00 +0100
commit: 8825e90a708a54ce202b327b93ed7e7955885dfe (patch)
tree: d9f94cbf31b862928e343933f154fb1e888116c1 /TODO
parent: dissect: add new helper verity_settings_data_covers() (diff)
download: systemd-8825e90a708a54ce202b327b93ed7e7955885dfe.tar.xz
systemd-8825e90a708a54ce202b327b93ed7e7955885dfe.zip
1 files changed, 4 insertions, 0 deletions
diff --git a/TODO b/TODO
index 4af0ffcc1f..1d4b484f7f 100644
--- a/TODO
+++ b/TODO
@@ -963,6 +963,10 @@ Features:
   records would be stripped of all meta info, except the basic UID/name
   info. Then use this in portabled environments that do not use PrivateUsers=1.
 
+* portabled: when extracting unit files and copying to system.attached, if a
+  .p7s is available in the image, use it to protect the system.attached copy
+  with fs-verity, so that it cannot be tampered with
+
 * logind introduce two types of sessions: "heavy" and "light". The former would
   be our current sessions. But the latter would be a new type of session that
   is mostly the same but does not pull in user@.service or wait for it. Then,
author	Luca Boccassi <bluca@debian.org>	2022-12-03 12:23:00 +0100
committer	Luca Boccassi <bluca@debian.org>	2022-12-03 12:23:00 +0100
commit	8825e90a708a54ce202b327b93ed7e7955885dfe (patch)
tree	d9f94cbf31b862928e343933f154fb1e888116c1 /TODO
parent	dissect: add new helper verity_settings_data_covers() (diff)
download	systemd-8825e90a708a54ce202b327b93ed7e7955885dfe.tar.xz systemd-8825e90a708a54ce202b327b93ed7e7955885dfe.zip