On Sun, 2026-02-01 at 17:09 +0000, David Howells wrote:
> Mihai-Drosi Câju <[email protected]> wrote:
>
> > > The current signature-based module integrity checking has some
> > > drawbacks
> > in combination with reproducible builds. Either the module signing
> > key is generated at build time, which makes the build
> > unreproducible, or a static signing key is used, which precludes
> > rebuilds by third parties and makes the whole build and packaging
> > process much more complicated.
>
> There is another issue too: If you have a static private key that you
> use to sign modules (and probably other things), someone will likely
> give you a GPL request to get it.

The SFC just lost that exact point in the Vizio trial, so I think you're
wrong on this under US law at least. There's no general ability under
GPLv2 to demand long lived signing keys.

Regards,

James
