https://bugzilla.redhat.com/show_bug.cgi?id=2079784

--- Comment #18 from Neal Gompa <ngompa13@xxxxxxxxx> ---
(In reply to Peter Robinson from comment #14)
> (In reply to Zbigniew Jędrzejewski-Szmek from comment #13)
> > > This is why it should be a separate project/source upstream to systemd
> >
> > Let's try to keep the scope of this ticket to the review.
> > The separate code thingy has been discussed (and refuted) on the mailing
> > list, see e.g.
> > https://lists.freedesktop.org/archives/systemd-devel/2022-April/047828.html .
>
> There's nothing in that post that refuted or even addresses any of my points
> above. If there's a CVE that's against systemd it covers all of systemd and
> hence the CVE still applies to sd-boot even if the code is unaffected. None
> of that was addressed in that post.

Note that even if we did get it split, I'm not sure I'd like setting this up the way GRUB is set up, where the signing happens as part of building the package from source. Having packages completely locked down from the community sucks balls, and this approach is nice in that the only part that's actually locked down is the part that *signs* the binary. It also makes it *really* easy for third parties to do their own signing by taking the signing spec and pointing it to their own certificates.

Once this package is reviewed and accepted, I intend to finally write the guidelines I've been stalling on for how to do EFI stuff in Fedora.