Re: [PATCH RFC 2/2] module: Introduce hash-based integrity checking

On 1/10/25 20:16, Luis Chamberlain wrote:
> On Thu, Jan 09, 2025 at 11:52:27AM +0100, Arnout Engelen wrote:
>> On Fri, 3 Jan 2025 17:37:52 -0800, Luis Chamberlain wrote:
>>> What distro which is using module signatures would switch
>>> to this as an alternative instead?
>>
>> In NixOS, we disable MODULE_SIG by default (because we value
>> reproducibility over having module signatures). Enabling
>> MODULE_HASHES on systems that do not need to load out-of-tree
>> modules would be a good step forward.
>>
> 
> Mentioning this in the cover letter will also be good. So two
> distros seem to want this.

I'm aware that folks from the reproducible build community have been
interested in this functionality [1, 2].

Some people at SUSE have been eyeing this as well. I've let them know
about this series. It would help with the mentioned build
reproducibility and, from what I understood, it should also avoid, in SUSE's
case, some bottlenecks with the HSM needing to sign all modules.

I agree that we should make sure that whatever ends up added is
something that some distributions actually check works for them and
that they intend to use.

