Upcoming changes to Debian Linux kernel packages
Mattia Rizzolo
mattia at mapreri.org
Mon Sep 25 16:23:10 UTC 2023
On Mon, Sep 25, 2023 at 11:41:09AM -0400, David A. Wheeler wrote:
> > ## Kernel modules will be signed with an ephemeral key
> >
> > The modules will no longer be signed using the Secure Boot CA like the
> > EFI kernel image itself. Instead a key will be created during the build
> > and thrown away after.
> >
> > Yes, this will make the build unreproducible, but no better solution
> > currently exists. There are some plans, but no-one is working on them.
> > If a suitable replacement shows up, we can always switch to that
> > solution.
>
> Ugh. In the US, the usual retort is, "Other than that, Mrs. Lincoln, how did you enjoy the play?"
> [Context: Abraham Lincoln was murdered at a play. This retort is sometimes used
> when someone is trying to ignore an important issue.]
>
> What exactly are these "plans"?
There is a follow-up answer from Ben:
> Builds for the architectures involved are already unreproducible due to
> inconsistent generation of BTF in both the kernel and modules.
> Additionally, my "plan" would also get rid of signing modules with the
> Secure Boot CA, so I'm not going to object to this.
--
regards,
Mattia Rizzolo
GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540 .''`.
More about me: https://mapreri.org : :' :
Launchpad user: https://launchpad.net/~mapreri `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia `-
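
The reproducibility effect of a throwaway signing key can be separated from other differences by comparing modules with the appended signature removed. The following is an added example, not part of this message or of the Debian kernel packaging; it assumes the kernel's appended-signature layout (signature data, a 12-byte `struct module_signature`, then the magic string), and the payload and signature bytes are constructed stand-ins, not real PKCS#7 data. It does not address other sources of difference such as the BTF generation mentioned above.

```python
import hashlib
import struct

MAGIC = b"~Module signature appended~\n"
# struct module_signature: algo, hash, id_type, signer_len, key_id_len,
# 3 pad bytes, then sig_len as a big-endian 32-bit integer (12 bytes).
TRAILER = struct.Struct(">5B3xI")


def split_signed_module(blob):
    """Return (payload, signature); signature is None for an unsigned module."""
    if not blob.endswith(MAGIC):
        return blob, None
    trailer_at = len(blob) - len(MAGIC) - TRAILER.size
    if trailer_at < 0:
        raise ValueError("truncated signature trailer")
    *_, signer_len, key_id_len, sig_len = TRAILER.unpack_from(blob, trailer_at)
    start = trailer_at - (signer_len + key_id_len + sig_len)
    if start < 0:
        raise ValueError("signature length exceeds file size")
    return blob[:start], blob[start:trailer_at]


def append_signature(payload, sig):
    """Constructed helper: attach sig in the same layout (id_type 2 = PKCS#7)."""
    return payload + sig + TRAILER.pack(0, 0, 2, 0, 0, len(sig)) + MAGIC


def compare_builds(build_a, build_b):
    """Compare two module files with and without their appended signatures."""
    digest = lambda data: hashlib.sha256(data).hexdigest()
    return {
        "signed_equal": digest(build_a) == digest(build_b),
        "payload_equal": digest(split_signed_module(build_a)[0])
        == digest(split_signed_module(build_b)[0]),
    }


# Constructed sample: one payload, two stand-in signature blobs of different
# length, as two builds with different throwaway keys would produce.
PAYLOAD = b"\x7fELF" + bytes(range(64))
BUILD_A = append_signature(PAYLOAD, b"stand-in signature from build A key")
BUILD_B = append_signature(PAYLOAD, b"stand-in signature from build B key (longer)")

if __name__ == "__main__":
    print(compare_builds(BUILD_A, BUILD_B))
```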