Hi @iseletsk
Many thanks for this post.
I am rather new to Linux, and a happy user of AlmaLinux as a desktop OS. My usage is therefore much less critical that people running it on enterprise servers, but I came across the topic of kmod signing too.
This was raised after I experienced some issues with Wireguard, which was running smoothly until something broke it.
I received great support from the community here:
However, after considering the two options (remove SecureBoot or sign kmod-wireguard), I felt that:
- keeping SecureBoot is the right thing to do
- signing a module myself is not something I could do, as I considered not having the technical skills to “competently” sign a module (while I trusted the module, it brought a general feeling a bit like signing a blank check).
For my own little Wireguard issue, I chose a workaround (OpenVPN) waiting for AlmaLinux 9, but it’s great to read your post about this matter, as I believe it will address expectations of a number of existing and future AlmaLinux users.
In terms of Product Management or software lifecycle, the proposed steps look great. The step 7 would provide a higher level of assurance as to the software security supply chain but I am just wondering how this could be done as securily and efficiently as possible (audit from vetted securiy vendor is a reliable solution, but how would it affect delivery cycle/speed? could it be somehow integrated in a DevSecOps approach?).
Happy to contribute/volunteer from a Product Management / Process perspective if that could be useful.
And thanks again for raising this topic!
Alex