Source: linux
Severity: normal
X-Debbugs-Cc: j...@debian.org

In https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040901 I asked you
to switch to an ephemeral key, which was a misunderstanding from a
discussion with xnox, which we still need to sort out fully.

Please either document how the buildds ensure that

- private key generation has enough, and high quality enough, entropy
- private keys are safely erased after not being needed anymore

or revert to signing modules with the CA key and use MODVERSIONS
and co to ensure that modules built for one ABI cannot be used
with another.

I need to update the question in shim-review accordingly; I think
I never reverted it or adjusted it, but it will likely take the
form of the previous three paragraphs.

I sincerely apologize for causing this misunderstanding.

-- System Information:
Debian Release: trixie/sid
  APT prefers noble
  APT policy: (500, 'noble'), (500, 'mantic-security')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.8.0-11-generic (SMP w/16 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to C.UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                              i speak de, en
