Dear Luca
On Tue, Apr 2, 2024 at 4:32 PM Luca Boccassi <bluca@xxxxxxxxxx> wrote:
> Hi Zbigniew!
>
> On Tue, Apr 2, 2024 at 1:15 PM Zbigniew Jędrzejewski-Szmek <
> zbyszek(a)in.waw.pl> wrote:
>
>
> Thanks. In the period between when the proposal was written and when it was
> published, the TPM2 provider has landed in Fedora.
> The PKCS#11 provider has already been here for a while.
The fact that such packages are physically present is not enough - they need to implement all the needed features, and they need to be mature enough to just work out of the box. Neither of these is true today, and providers just do not work for very simple use cases like signing a UKI with a YubiKey. At the very least a couple more years of development and testing are needed before they are anywhere near ready to drop support for engines, which actually do work out of the box. Not to mention third-party engines that are specific to internal/private build systems - if any such system runs Fedora as the build host, they'd have to migrate to Debian/Ubuntu to keep working.
The TPM2 package is suitable for all required operations, AFAIK.
I'm also sure about the PKCS11 provider, which I follow closely enough.
Please raise detailed issues if you have something particular.
I remember that you mentioned a particular issue about PKCS#11, could you please try the current version?
My colleagues working on PKCS#11 are not aware of any YubiKey issues, BTW.
Third-party engines may be a problem, but as we don't break ABI, it's not a problem at the moment.
Dmitry Belyavskiy