This portal is to open public enhancement requests against IBM Power Systems products, including IBM i. To view all of your ideas submitted to IBM, create and manage groups of Ideas, or create an idea explicitly set to be either visible by all (public) or visible only to you and IBM (private), use the IBM Unified Ideas Portal (https://ideas.ibm.com).
The process itself should be no more difficult than pulling down a fixpack. When installing the security fixes, LPP should be used, and we should not need to remove the fixes to install the next fixpack; LPP should know how to do this. We should not need to search for what is needed; the fixes should be released on a regular cadence and be an extension of the OS-level command rather than the hack that it is now.
This catch-22 way for downloading and verifying code is really awkward. It is already difficult to validate IBM downloads by checksum or signature for authenticity. Then we get a partial implementation of package signing requiring the installation of untrusted packages BEFORE installing trusted ones? That's as bad as the cksum.bff with VIO updates, advising us to RUN A DOWNLOADED SCRIPT AS ROOT to confirm our software.
To stand up and be a beacon of best practices and security, IBM should:
- Make every download come with SHA256/512 hashes and an attached text file of all the hashes, signed by a well known public IBM PGP key.
- Update LPP to integrate signing into the inventory of each package. The LPP archive should contain its own list of checksums and a signature against the certificates in /etc/security/cert for validation. If the certificate doesn't match when it should have come from IBM, it should HALT immediately instead of just logging a warning.
Ultimately I should be able to download an entire service pack from IBM and either verify it on my PC via sha256sum and GPG, or place the files into an LPP_SOURCE on NIM and hit "confirm all packages are valid" without installing or trusting anything from that download.
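The "confirm all packages are valid" check described above, written as an added example (this is not IBM's, NIM's or the portal's code): it verifies a downloaded LPP_SOURCE directory against a SHA256 manifest and its detached PGP signature and halts on any failure, without installing anything. The file names SHA256SUMS and SHA256SUMS.asc and the presence of IBM's public key in the local gpg keyring are assumptions.

```bash
#!/bin/bash
# Added example (not IBM's code). Verifies a downloaded fix pack directory
# against a signed SHA256 manifest without installing or trusting anything
# from the download. Assumed (hypothetical) layout inside the directory:
#   SHA256SUMS      one "hash  filename" line per package (sha256sum format)
#   SHA256SUMS.asc  detached PGP signature over SHA256SUMS
set -u

# Step 1: the manifest must carry a valid detached signature from a key
# already in the local keyring (the vendor's public key, imported beforehand).
verify_manifest_signature() {
    local dir="$1"
    gpg --batch --verify "$dir/SHA256SUMS.asc" "$dir/SHA256SUMS" >/dev/null 2>&1
}

# Step 2: every listed file must match its hash, and every file in the
# directory must be listed, so an unsigned extra package is rejected too.
verify_manifest_checksums() {
    local dir="$1" status=0 f base
    # --strict also fails on malformed manifest lines; a missing file fails.
    ( cd "$dir" && sha256sum --check --strict --quiet SHA256SUMS ) || status=1
    for f in "$dir"/*; do
        base=$(basename "$f")
        [ "$base" = SHA256SUMS ] || [ "$base" = SHA256SUMS.asc ] && continue
        # Strip the "*" that marks binary-mode entries, then look for the name.
        awk '{sub(/^\*/, "", $2); print $2}' "$dir/SHA256SUMS" | grep -qx -- "$base" \
            || { echo "not in manifest: $base" >&2; status=1; }
    done
    return "$status"
}

# "Confirm all packages are valid": halt at the first failed step rather
# than log a warning and carry on.
verify_download() {
    local dir="$1"
    verify_manifest_signature "$dir" \
        || { echo "HALT: manifest signature did not verify" >&2; return 1; }
    verify_manifest_checksums "$dir" \
        || { echo "HALT: checksum mismatch or unlisted file" >&2; return 1; }
    echo "all packages in $dir verified"
}

# Usage: verify_download /export/lpp_source/<service pack directory>
```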