On Fri, 10 May 2024 at 15:51, Luca Boccassi <[email protected]> wrote:
>
> On Fri, 10 May 2024 at 15:49, Steve McIntyre <[email protected]> wrote:
> >
> > On Fri, May 10, 2024 at 03:44:35PM +0100, Luca Boccassi wrote:
> > >On Fri, 10 May 2024 at 15:36, Steve McIntyre <[email protected]> wrote:
> > >> On Fri, May 10, 2024 at 04:29:00PM +0200, Ansgar 🙀 wrote:
> > >>
> > >> >Maybe we should use a non-trusted cert for the initial setup and only
> > >> >switch to a proper cert once everything is confirmed to be working as
> > >> >expected?
> > >>
> > >> Hmmm, maybe? Luca?
> > >
> > >What do you mean precisely here? A DSA-managed cert used by FTP to
> > >sign but that doesn't chain to the Debian CA? Or to do something
> > >completely local to the systemd-boot package?
> >
> > Exactly the former - we can use a test key for signing systemd-boot to
> > start with. Once we're happy all round, we can switch to a cert in the
> > chain.
> >
> > >I am fine with any approach that lets us move forward, if that needs
> > >to be some intermediate testing stage that's fine by me.
> >
> > Cool.
>
> Ok, sounds good to me, thanks.
>
> DSA, now that FTP Team has acked with this suggestion to use a test
> cert first, are you happy to proceed or is there anything else you
> need from me? Thanks!

As suggested by DSA, I filed a ticket on RT about this: https://rt.debian.org/Ticket/Display.html?id=9506

