On Monday, October 13th, 2025 at 2:07 PM, Marek Marczykowski-Górecki <[email protected]> wrote:

> Yeah, as a protection against compromised EOL keys, I don't think we need
> this for the reasons explained above.
> At some point, maybe, finally, we'll have more generic protection
> against compromised package signing keys, in form of reproducible builds
> (which will mean somebody would need to rebuild all relevant packages).
> We did PoC of that integration down to the yum/dnf level a couple of
> years ago, but for production deployment it's still a long way.

Makes sense. Thanks for weighing in.

Best regards,
deeplow
