Upcoming changes to Debian Linux kernel packages

Justin Cappos jcappos at nyu.edu
Tue Sep 26 00:51:05 UTC 2023


If they sign with something that is detached (like a SLSA / in-toto
attestation), then this would still be reproducible.  Of course, then you
have to ship that along with the artifact you are checking though...

Thanks,
Justin

On Mon, Sep 25, 2023 at 12:23 PM Mattia Rizzolo <mattia at mapreri.org> wrote:

> On Mon, Sep 25, 2023 at 11:41:09AM -0400, David A. Wheeler wrote:
> > > ## Kernel modules will be signed with an ephemeral key
> > >
> > > The modules will no longer be signed using the Secure Boot CA like the
> > > EFI kernel image itself.  Instead a key will be created during the
> > > build and thrown away after.
> > >
> > > Yes, this will make the build unreproducible, but no better solution
> > > currently exists.  There are some plans, but no-one is working on them.
> > > If a suitable replacement shows up, we can always switch to that
> > > solution.
> >
> > Ugh. In the US, the usual retort is, "Other than that, Mrs. Lincoln, how
> > did you enjoy the play?"
> > [Context: Abraham Lincoln was murdered at a play. This retort is
> > sometimes used when someone is trying to ignore an important issue.]
> >
> > What exactly are these "plans"?
>
> There is a follow-up answer from Ben:
>
> > Builds for the architectures involved are already unreproducible due to
> > inconsistent generation of BTF in both the kernel and modules.
> > Additionally, my "plan" would also get rid of signing modules with the
> > Secure Boot CA, so I'm not going to object to this.
>
> --
> regards,
>                         Mattia Rizzolo
>
> GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540      .''`.
> More about me:  https://mapreri.org                             : :'  :
> Launchpad user: https://launchpad.net/~mapreri                  `. `'`
> Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-
>
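The point Justin makes above, that a detached attestation keeps the artifact itself reproducible even when the signing key is ephemeral, can be shown with a small simulation. The following Go program is an added example and is not code from this thread, from Debian, or from the in-toto project. It assumes a stand-in `buildModule` function that returns deterministic bytes in place of a real `.ko`, an `Attestation` struct that is only a minimal sketch of an in-toto-style statement (subject digest plus a signature over that digest), and a fresh Ed25519 key per build to model the throw-away key. Two builds with inline signatures (signature appended to the module, which is how kernel module signing works) come out byte-different; two builds with detached attestations produce identical modules, and each attestation still verifies against them.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// buildModule stands in for a deterministic module build: the same source
// always yields the same bytes. Constructed placeholder, not a real .ko.
func buildModule(source string) []byte {
	return []byte("ELF-module:" + source)
}

// newEphemeralKey models the per-build key that is generated and discarded.
func newEphemeralKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// signInline appends the signature to the artifact. With a different key per
// build the shipped bytes differ per build, so the artifact is unreproducible.
func signInline(module []byte, priv ed25519.PrivateKey) []byte {
	sig := ed25519.Sign(priv, module)
	return append(append([]byte{}, module...), sig...)
}

// Attestation is a minimal detached statement (assumed shape, loosely in the
// spirit of in-toto): the subject is named by digest, signature kept separate.
type Attestation struct {
	SubjectSHA256 string `json:"subjectSha256"`
	PublicKey     string `json:"publicKey"`
	Signature     string `json:"signature"`
}

// signDetached leaves the module untouched and signs its digest.
func signDetached(module []byte, pub ed25519.PublicKey, priv ed25519.PrivateKey) Attestation {
	digest := sha256.Sum256(module)
	return Attestation{
		SubjectSHA256: hex.EncodeToString(digest[:]),
		PublicKey:     hex.EncodeToString(pub),
		Signature:     hex.EncodeToString(ed25519.Sign(priv, digest[:])),
	}
}

// verifyDetached checks that the module matches the attested digest and that
// the signature over that digest verifies under the embedded public key.
func verifyDetached(module []byte, att Attestation) bool {
	digest := sha256.Sum256(module)
	if hex.EncodeToString(digest[:]) != att.SubjectSHA256 {
		return false
	}
	pub, err1 := hex.DecodeString(att.PublicKey)
	sig, err2 := hex.DecodeString(att.Signature)
	if err1 != nil || err2 != nil || len(pub) != ed25519.PublicKeySize {
		return false
	}
	return ed25519.Verify(ed25519.PublicKey(pub), digest[:], sig)
}

// InlineBuildsReproducible runs two builds, each with its own ephemeral key,
// and reports whether the shipped (signed) artifacts are byte-identical.
func InlineBuildsReproducible(source string) bool {
	_, k1 := newEphemeralKey()
	_, k2 := newEphemeralKey()
	return bytes.Equal(signInline(buildModule(source), k1), signInline(buildModule(source), k2))
}

// DetachedBuildsReproducible does the same with detached attestations:
// the artifacts match, and each attestation still verifies against its module.
func DetachedBuildsReproducible(source string) (artifactsMatch bool, bothVerify bool) {
	p1, k1 := newEphemeralKey()
	p2, k2 := newEphemeralKey()
	m1, m2 := buildModule(source), buildModule(source)
	a1, a2 := signDetached(m1, p1, k1), signDetached(m2, p2, k2)
	return bytes.Equal(m1, m2), verifyDetached(m1, a1) && verifyDetached(m2, a2)
}

func main() {
	fmt.Println("inline-signed builds identical:", InlineBuildsReproducible("mod.c"))
	match, ok := DetachedBuildsReproducible("mod.c")
	fmt.Println("detached-signed builds identical:", match, "attestations verify:", ok)
	pub, priv := newEphemeralKey()
	out, _ := json.MarshalIndent(signDetached(buildModule("mod.c"), pub, priv), "", "  ")
	fmt.Println(string(out)) // the attestation that would ship beside the artifact
}
```

The cost Justin mentions is visible in `main`: the attestation is a second file that has to travel with the module, and anyone comparing builds must treat it as separate from the subject it describes.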