From: Philipp Rudo on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2917#note_1821173591
You need to do more to make me truly happy. But having the -debug sub-rpm is a step in the right direction ;-) Although I don't see a point in shipping unsigned addons at all. Creating the addons is a simple call to ukify. Signing them is much more painful. You not only need to create and install your MOK but, when you want to make it properly, setup a full signing environment where the key is stored securely. This adds a lot of complexity and additional hardware requirements only to make sure that the MOK doesn't fall in the wrong hands. So the real value RH adds for our customers is to sign the addons so they don't need to maintain such an environment. Anyway, when the consensus is to ship the -debug addons unsigned I won't block it. We can still sign them later on when needed once we have real life experience with UKI from the field. -- _______________________________________________ kernel mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
