On Fri, 2012-07-06 at 16:44 +0100, M A Young wrote:
> Another good article I stumbled upon about what Fedora plans is at
> http://mjg59.dreamwidth.org/12368.html
>
Yep, I found and (re)read it too. Here are the excerpts that looked more interesting to me:

"Instead we're writing a very simple bootloader[2]. This will do nothing other than load a real bootloader (grub 2), validate that it's signed with a Fedora signing key and then execute it. Using the Fedora signing key there means that we can build grub updates in our existing build infrastructure and sign them ourselves."

"So, we'll be moving to requiring signed kernel modules and locking down certain aspects of kernel functionality."

"We'll be providing all the tools we use for signing our binaries, but for obvious reasons we can't hand out our keys."

So, I might well be wrong, but that's how I understood the thing:
 - what we need is the xen binaries shipped with the xen rpms to be signed with the Fedora keys, just as grub2 and the linux binaries will be, is that true?
 - I'm not sure we can't do that by ourselves, does that "we will release tools but not keys" also exclude, say, the xen packages maintainer from signing stuff?

If we "just" need to sign the binary and a package maintainer and/or the "existing build infrastructure" can sign stuff, I tend to think we should be pretty safe...

Thoughts?

Regards,
Dario

--
<<This happens because I choose it to happen!>> (Raistlin Majere)
-----------------------------------------------------------------
Dario Faggioli, Ph.D, http://retis.sssup.it/people/faggioli
Senior Software Engineer, Citrix Systems R&D Ltd., Cambridge (UK)
--
xen mailing list
xen@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/xen