--- Begin Message ---
On Sun, 23 Nov 2025 06:37:14 +0100, Bernhard M. Wiedemann wrote:
>
> On 13/11/2025 21.10, Thomas Weißschuh via rb-general wrote:
> > Hi everyone,
> >
> > I am the author of the CONFIG_MODULE_HASHES patchset [0] for the Linux kernel
> > which aims to enable reproducible kernel packages for Linux distributions.
> > My goal is to reignite development and continue with the upstream process.
> > To have a better base to argue with I'd like to get some confirmation that
> > distributions have looked at the patches and do intend to adapt this scheme when
> > it is available in the mainline kernel. That should help me get some leverage
> > with the upstream maintainers.
> >
> > The current form of the patches can be found at [1], they are only slightly
> > adapted from the previous submission to LKML. Remaining open topics before the
> > next submission are proper IMA support and stripping of modules.
> > Future changes may introduce more hash algorithms and performance improvements,
> > but these should not be relevant for now.
> >
> > So if you are packaging Linux for your distribution, have looked at my patches
> > and are eager to use them, please let me know. My plan is to talk with the
> > upstream maintainers at the upcoming Linux Plumbers Conference on 11th of
> > December.
> >
> > [0] https://lore.kernel.org/lkml/[email protected]/
> > [1] https://git.kernel.org/pub/scm/linux/kernel/git/thomas.weissschuh/linux.git/log/?h=b4/module-hashes
>
> I'm forwarding this to our kernel list for extra feedback.
> I did not look at your patch sources.
>
> AFAIK, we don't use a random ephemeral signing key, so our kernel
> binaries are theoretically reproducible... but then we do external
> signing for kernel and all individual .ko files in OBS. So IMHO, we
> would appreciate not having to sign 5289 individual kernel modules.

Through a quick glance without much detail, the idea and the code
changes look like a nice optimization. It may allow us to drop the
second stage to sign modules completely. Though, my wild guess is that
the actual improvement in the case of openSUSE / SUSE would be marginal,
but I may be wrong and this has to be measured with the test builds.

I suppose the module signing and check are still available in addition,
right?

thanks,

Takashi
--- End Message ---
Fwd: Re: Looking for feedback on CONFIG_MODULE_HASHES for Linux
Bernhard M. Wiedemann via rb-general Sun, 23 Nov 2025 06:42:01 -0800
