Originally Posted by knc1
The support for the requirement that those files be signed was in the original Kpw firmware. I just didn't think to mention it.
In answer to that question:
It would (will?) require a 5.2.0.a hack to put our code into that location in a way which makes it still usable after the update to 5.3.
Prior to doing the update to 5.3.0.
Yes, but this will only help for people who actually still run 5.2.0, and are aware of the situation. It won't help folks who got their PW shipped with 5.3.0, or who already went through the auto-update without being aware that it's also an auto-lockdown. We need to find a proper solution for "vanilla" 5.3.0. I guess that it's time to get our hands dirty and try to find another exploit.
It would also be necessary to confirm that user additions to that part of the directory tree don't get scrubbed by the handling of the md5sum file manifest.
That's highly improbable. First, /var/local/ is a different partition, and second, it only contains user data. Wouldn't make sense to expect any particular state there.