On Thu, 04 Apr 2024 20:41:59 +0100 Luca Boccassi <bl...@debian.org> wrote:
> On Fri, 22 Mar 2024 18:13:35 +0000 Luca Boccassi <bl...@debian.org> wrote:
> > On Mon, 4 Mar 2024 at 23:58, Luca Boccassi <bl...@debian.org> wrote:
> > >
> > > On Mon, 4 Mar 2024 at 23:28, Steve McIntyre <st...@einval.com> wrote:
> > >
> > > > Modulo those questions, let's talk infrastructure. Off the top of my
> > > > head, in no particular order...
> > > >
> > > > * We'll need to create a new intermediate signing cert for
> > > >   systemd-boot (and another for UKI, I guess). Given recent
> > > >   discussions about changing the way we build and sign kernels, we
> > > >   should also generate a new signer cert for those too. And if we're
> > > >   going that far, we may as well generate a complete new set of 2024
> > > >   certs. [Sorry, rabbithole. :-)] We'll need to talk to DSA about
> > > >   doing this piece.
> > >
> > > That makes sense to me, I guess DSA owns the machinery to do this?
> > >
> > > > * We'll probably need to add things to the signing setup for
> > > >   ftp-master. Nothing earth-shattering, just some config to
> > > >   recognise the new set of packages IIRC. I'm sure Bastian can
> > > >   manage this. :-)
> > > >
> > > > * Are people from the team ready to deal with long-term security
> > > >   support for the systemd-boot chain?
> > >
> > > Speaking for myself, yes, I am already part of the team who is
> > > responsible for that upstream, and I plan to be very strict about not
> > > carrying downstream patches for the signed components outside of
> > > security fixes (and even then, prefer upstream stable point releases
> > > that I am also responsible for anyway).
> > >
> > > > That's all I can think of for now, but I wouldn't be surprised if more
> > > > comes to mind tomorrow... :-)
> > >
> > > Thanks for the feedback!
> >
> > Gentle ping on this - what are the next steps in order to make this happen?
>
> On IRC Steve mentioned that he's ok with proceeding with this. jcristau
> from DSA said that it's the FTP team that should confirm the request
> for the new intermediate signer cert for systemd-boot to DSA.
>
> FTP team, are you ok with proceeding with this? If so, would it be
> possible to have an ACK, please? Is there any more information required
> beforehand?
>
> Thanks!

Hello FTP Team,

One more gentle ping to unblock progress on this. TIA!

-- 
Kind regards,
Luca Boccassi