On Tue, 2023 Apr 4 12:07-04:00, Andreas Beckmann wrote:
> We should probably file a bug against diffoscope to make it aware of
> this file "modification"

Done: https://bugs.debian.org/1034034

Please tweak or elaborate as needed.

>> Is a unique signature being added to the modules? I noticed that
>> /var/lib/dkms/mok.{key,pub} differ between the two systems.
>
> That's probably the reason. Not sure if something could/should be
> done about that difference. We should probably take this to the
> reproducible builds people
> https://wiki.debian.org/ReproducibleBuilds ...

My thoughts would be

1. I'm vaguely aware that on secure-boot-enabled systems, the kernel
   and kernel modules need to be signed. But setting that up for things
   one builds themselves is non-trivial (the whole key-enrolling mess),
   and necessarily needs to be opt-in. My expectation is that if one
   doesn't explicitly request that, no signing should be performed (the
   signatures would be either unused or rejected anyway), and thus no
   caveat should need to be made on kernel modules differing.

2. Can't these things use a detached signature? That would make the
   reproducible aspect much easier to deal with.

(Is dkms the proper place to address this?)


--Daniel


-- 
Daniel Richard G. || sk...@iskunk.org
My ASCII-art .sig got a bad case of Times New Roman.
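
The difference discussed in this thread can be checked by comparing two module builds with the appended signature removed. The following is an added example, not part of the original message and not code from dkms or diffoscope. It assumes uncompressed `.ko` files using the kernel's appended-signature layout; the function names and sample bytes are constructed for illustration.

```python
import hashlib
import struct

# Marker the kernel looks for at the very end of a signed module file.
MAGIC = b"~Module signature appended~\n"
# struct module_signature: algo, hash, id_type, signer_len, key_id_len,
# 3 pad bytes, then sig_len as a big-endian 32-bit integer (12 bytes total).
TRAILER = struct.Struct(">BBBBB3xI")


def strip_module_signature(data: bytes) -> tuple[bytes, bytes]:
    """Split a .ko image into (unsigned payload, signature blob)."""
    if not data.endswith(MAGIC):
        return data, b""  # unsigned module: nothing to strip
    trailer_at = len(data) - len(MAGIC) - TRAILER.size
    if trailer_at < 0:
        raise ValueError("file too short for a signature trailer")
    sig_len = TRAILER.unpack_from(data, trailer_at)[-1]
    sig_at = trailer_at - sig_len
    if sig_at < 0:
        raise ValueError("sig_len exceeds file size")
    return data[:sig_at], data[sig_at:trailer_at]


def same_unsigned_payload(a: bytes, b: bytes) -> bool:
    """True when two modules differ at most in their appended signature."""
    digest = lambda d: hashlib.sha256(strip_module_signature(d)[0]).digest()
    return digest(a) == digest(b)


def fake_signed(payload: bytes, sig: bytes) -> bytes:
    """Constructed test input: payload + placeholder blob + trailer + marker."""
    # id_type 2 is PKEY_ID_PKCS7; the blob here is filler, not a real signature.
    return payload + sig + TRAILER.pack(0, 0, 2, 0, 0, len(sig)) + MAGIC


if __name__ == "__main__":
    body = b"\x7fELF constructed module body"
    host_a = fake_signed(body, b"A" * 64)   # stands in for system 1's MOK
    host_b = fake_signed(body, b"B" * 70)   # stands in for system 2's MOK
    print("byte-identical:", host_a == host_b)
    print("same payload:  ", same_unsigned_payload(host_a, host_b))
```

If the payloads match, the builds differ only in the data signed with each machine's own key, which is the case the thread suspects.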