On Mon, Jun 19, 2023, at 6:10 PM, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@xxxxxxxxxx>
>
> fsverity builtin signatures (CONFIG_FS_VERITY_BUILTIN_SIGNATURES) aren't
> the only way to do signatures with fsverity, and they have some major
> limitations. Yet, more users have tried to use them, e.g. recently by
> https://github.com/ostreedev/ostree/pull/2640. In most cases this seems
> to be because users aren't sufficiently familiar with the limitations of
> this feature and what the alternatives are.
>
> Therefore, make some updates to the documentation to try to clarify the
> properties of this feature and nudge users in the right direction.

FWIW,

Reviewed-by: Colin Walters <walters@xxxxxxxxxx>

And I agree with your points enough that our project using fsverity will switch to documenting userspace crypto first.

I did spend a few minutes reading through `git log -p crypto/asymmetric_keys` and beyond the links to the bugfixes you already sent, I think you're clearly within your rights to add this text to the fsverity docs.