Hi all, On Fri, Jan 22, 2021 at 10:15:23AM +0100, Takashi Iwai wrote:
On Fri, 22 Jan 2021 06:05:28 +0100, joeyli wrote:
On Wed, Jan 20, 2021 at 10:22:47AM +0100, Takashi Iwai wrote:
On Wed, 20 Jan 2021 09:32:06 +0100, Marcus Meissner wrote:
Some other form of enrollment needs to be considered or e.g. that all KMPs are built in SLES.
Hmm, I don't think it's a good idea. It doesn't scale, and would just bring more burden to both SUSE and openSUSE contributors.
The MOK enrollment itself is an easy action, and once after we have some automatic cert installation via a package chain, the only
We will submit a certificate package for enrolling Leap public key to MOK. Maybe the name is opensuse-leap-kmp-key.rpm or something like this. Then all KMPs depend on this key package.
The package name may need more consideration, but I think putting the dependency in KMP is no good way (although I myself suggested in the above). Think of building a KMP in a devel project or other wild OBS project: bringing the opensuse-leap-kmp-key makes no sense for such a KMP. Also, imaging that you'd need to promote the Leap package to an official SLE sometime later. The dependency on opensuse-leap-kmp-key is rather harmful.
So, IMO, it should be enough to let the cert package install once via patterns. (Or somehow automatically when the secure boot is detected? -- maybe it's too complex and error-prone.)
I found that I can not create a openSUSE Jira against this requirement. So I still create a bsc#1182641 to note this change. Thanks Joey Lee