>>>>>> The secure boot patches have been around in the Fedora tree for a
>>>>>> while now. They work well enough but there has not been much active
>>>>>> work in getting them accepted upstream in recent years. The longer
>>>>>> they exist out of tree the harder they get to maintain without extra
>>>>>> support. If there isn't a path for the current secure boot patch set
>>>>>> to be accepted upstream, we need to seriously consider if it's worth
>>>>>> carrying long term.
>>>>>>
>>>>>> Thoughts?
>>>>>
>>>>> So, how would we handle secure boot moving forward?
>>>>
>>>> How are other distros handling this? Does upstream have an alternative?
>>>>
>>>
>>> There isn't one unified answer. Every distro seems to be doing something
>>> different because upstream hasn't provided a single solution.
>>>
>>> Moving forward, we would treat secure boot like a feature that is still
>>> in progress. This means taking the existing secure boot patches or
>>> a new approach and submitting them in a way that's acceptable to the
>>> upstream community. This is also code for "I don't know but what we have
>>> isn't sustainable so let's discuss something better".
>>
>> Of course.
>>
>> What patch set are Red Hat and CentOS using? If they're not all using
>> the same thing is it viable to get them all using the same thing?
>
> They're using the same basic thing, but CentOS 7 and its grandfather are
> based on a 3.10 kernel, so there's a gulf of difference in the codebase of
> that and current Fedora kernels, meaning there's no way they're going to
> be using exactly the same code. And once it works one particular way in
> Red Hat Enterprise Linux, it's unlikely to be swapped out wholesale for
> the "new and improved" upstream way until the next major RHEL release.
> Enterprise stability and stuff. So yeah, no, you really can't get them all
> using the same thing. The kernel codebases are just faaaar too different
> for a fairly invasive patchset that touches bits and pieces all over the
> place in core areas.
>
You're right, distros aren't going to swap out what they have in existing
releases for the new hotness. I'd like to believe that if there was a
workable upstream solution many distros would choose to converge on that
for a future release with a corresponding kernel version. Maybe we will
have to maintain some version of these patches for older kernels like
CentOS but newer kernels could be common.

Sounds like a good topic to be brought up at plumbers conf.

P