On Fri, 22 Mar 2024 18:13:35 +0000 Luca Boccassi <bl...@debian.org> wrote:
> On Mon, 4 Mar 2024 at 23:58, Luca Boccassi <bl...@debian.org> wrote:
> >
> > On Mon, 4 Mar 2024 at 23:28, Steve McIntyre <st...@einval.com> wrote:
> >
> > > Modulo those questions, let's talk infrastructure. Off the top of my
> > > head, in no particular order...
> > >
> > > * We'll need to create a new intermediate signing cert for
> > >   systemd-boot (and another for UKI, I guess). Given recent
> > >   discussions about changing the way we build and sign kernels, we
> > >   should also generate a new signer cert for those too. And if we're
> > >   going that far, we may as well generate a complete new set of 2024
> > >   certs. [Sorry, rabbithole. :-)] We'll need to talk to DSA about
> > >   doing this piece.
> >
> > That makes sense to me, I guess DSA owns the machinery to do this?
> >
> > > * We'll probably need to add things to the signing setup for
> > >   ftp-master. Nothing earth-shattering, just some config to
> > >   recognise the new set of packages IIRC. I'm sure Bastian can
> > >   manage this. :-)
> > >
> > > * Are people from the team ready to deal with long-term security
> > >   support for the systemd-boot chain?
> >
> > Speaking for myself, yes, I am already part of the team who is
> > responsible for that upstream, and I plan to be very strict about not
> > carrying downstream patches for the signed components outside of
> > security fixes (and even then, prefer upstream stable point releases
> > that I am also responsible for anyway).
> >
> > > That's all I can think of for now, but I wouldn't be surprised if more
> > > comes to mind tomorrow... :-)
> >
> > Thanks for the feedback!
>
> Gentle ping on this - what are the next steps in order to make this happen?
On IRC Steve mentioned that he's ok with proceeding with this. jcristau from
DSA said that it's the FTP team that should confirm the request for the new
intermediate signer cert for systemd-boot to DSA.

FTP team, are you ok with proceeding with this? If so, would it be possible
to have an ACK, please? Is there any more information required beforehand?

Thanks!

-- 
Kind regards,
Luca Boccassi