[systemd-devel] Splitting sd-boot from systemd/bootctl for enabling sd-boot in Fedora

Dan Nicholson dbn at endlessos.org
Wed Apr 27 15:25:58 UTC 2022


On Wed, Apr 27, 2022 at 9:10 AM Neal Gompa <ngompa13 at gmail.com> wrote:
>
> Note that it means Fedora CI, pull requests from contributors, and
> releng auto-rebuilds will no longer work. Maintainers basically
> sign on to do all of those things manually and have to be responsive
> for doing it. You will get FTBFS tickets every cycle because of it,
> for example.

Asking systemd folks to change their development process because of
limitations in Fedora/Koji seems like a big ask, don't you think?
Having implemented UEFI secure boot signing for Endless, I can concur
it is a PITA. However, there are certainly ways to make it work that
have no effect on upstream. Our Endless system is pretty hacky, but
Debian's is pretty well thought out. What both have in common is that
the signer generates a separate package so that the normal build flow
isn't affected. In the case of systemd, there would be both an
unsigned and signed version of the sd-boot EFI program in separate
packages.

I'm sure it would require work to fix, but this seems like more of a
Koji problem than a systemd problem. I also feel like Lennart's
suggestion that sd-boot get split out as a separate source package but
using the same tarball is completely reasonable if your signing system
is too onerous to use.

--
Dan

