On Mon, 4 Mar 2024 at 23:58, Luca Boccassi <bl...@debian.org> wrote:
>
> On Mon, 4 Mar 2024 at 23:28, Steve McIntyre <st...@einval.com> wrote:
> >
> > Modulo those questions, let's talk infrastructure. Off the top of my
> > head, in no particular order...
> >
> > * We'll need to create a new intermediate signing cert for
> >   systemd-boot (and another for UKI, I guess). Given recent
> >   discussions about changing the way we build and sign kernels, we
> >   should also generate a new signer cert for those too. And if we're
> >   going that far, we may as well generate a complete new set of 2024
> >   certs. [Sorry, rabbithole. :-)] We'll need to talk to DSA about
> >   doing this piece.
>
> That makes sense to me, I guess DSA owns the machinery to do this?
>
> > * We'll probably need to add things to the signing setup for
> >   ftp-master. Nothing earth-shattering, just some config to
> >   recognise the new set of packages IIRC. I'm sure Bastian can
> >   manage this. :-)
> >
> > * Are people from the team ready to deal with long-term security
> >   support for the systemd-boot chain?
>
> Speaking for myself, yes, I am already part of the team who is
> responsible for that upstream, and I plan to be very strict about not
> carrying downstream patches for the signed components outside of
> security fixes (and even then, prefer upstream stable point releases
> that I am also responsible for anyway).
>
> > That's all I can think of for now, but I wouldn't be surprised if more
> > comes to mind tomorrow... :-)
>
> Thanks for the feedback!

Gentle ping on this - what are the next steps in order to make this happen?