Re: [PATCH v2] libkmod: Add support for detached module signatures
From: Lucas De Marchi <hidden>
Date: 2016-06-04 14:13:04
On Sun, May 29, 2016 at 9:48 AM, Ben Hutchings [off-list ref] wrote:
I'm withdrawing this patch for reasons explained in http://lists.debian.org/1464525520.2762.80.camel@decadent.org.uk
quoting some parts:
"This is blocked on upstream acceptance in kmod, and it's not clear whether that's ever going to happen."
I'm more against the impact of how this is implemented, not against the idea of reproducible builds you are pursuing. From the points you raised there:
1. Attach module signatures at installation time, in a subdirectory. Change kmod to prefer this subdirectory (this is purely a configuration change). It would also be possible to check during installation that signatures match the installed unsigned modules, and if not then abort and leave any older signed modules in place.
Yep, this is a mere change to depmod.d config files.
2. Attach module signatures at package build time, making the linux-image-signed packages provide/conflict/replace the corresponding linux-image packages. For architectures with signed modules, udebs would be built from linux-signed and not from linux.
Very reasonable, too.

Lucas De Marchi