From: Philipp Rudo on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2917#note_1821173591 You need to do more to make me truly happy. But having the -debug sub-rpm is a step in the right direction ;-) Although I don't see a point in shipping unsigned addons at all. Creating the addons is a simple call to ukify. Signing them is much more painful. You not only need to create and install your MOK but, when you want to make it properly, setup a full signing environment where the key is stored securely. This adds a lot of complexity and additional hardware requirements only to make sure that the MOK doesn't fall in the wrong hands. So the real value RH adds for our customers is to sign the addons so they don't need to maintain such an environment. Anyway, when the consensus is to ship the -debug addons unsigned I won't block it. We can still sign them later on when needed once we have real life experience with UKI from the field. -- _______________________________________________ kernel mailing list -- kernel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to kernel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/kernel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
