On Mon, Apr 16, 2018 at 1:22 PM Matthew Garrett <mjg59@xxxxxxxxxx> wrote:

> I could go either way on this - I think that doing it on the command line
> would satisfy all my use cases.

Thinking about this some more - I think being able to do this at runtime is actually important. If we add an additional xattr to the signatures then we want to be able to update machine policy without forcing a reboot first, otherwise we have a chicken and egg problem where we have to gate any new package update against having a machine rebooted with an updated command line (otherwise the signature validation will fail for packages that contain new signatures).