Demi Marie Obenour

Results 1154 comments of Demi Marie Obenour

@HeavyRain266 Is [this approach](https://github.com/rust-gamedev/wg/issues/90#issuecomment-587275027) an option?

> > @HeavyRain266 Is [this approach](https://github.com/rust-gamedev/wg/issues/90#issuecomment-587275027) an option?
>
> Yes, you need to wrap your game in C (tested on PS5) to sign binaries with Sony's clang and deploy...

If Rocky winds up using the same signing infrastructure code that Fedora does, this could help get Fedora to sign their metadata, too.

https://github.com/QubesOS/qubes-linux-yum/commit/e981175aba8a27a088348e9a7bdf9a87c93c7529 implemented metadata signing in QubesOS. The metadata signature is just a standard detached GPG signature on the metadata XML.

> I'd imagine solving kms is what's stopping them... As is our challenge.

Does “kms” mean “key management system”? If so, my suggestion would be to sign the metadata the...

Ah okay. What I meant is that signing packages and repo metadata can/should be done using the same system.

> To give some clarity, I know why a lot of distros don't sign their repos. First of all, if all packages in the repo are signed then signing the...

The main purpose of repo metadata signing is attack surface reduction. See:

- CVE-2020-14352
- CVE-2021-20721
- CVE-2021-3421

RCE possible in the first two cases.

I agree, but for a different reason: performance (break and continue may very well be faster).

I know that parts of HACL\* are already used in places such as NSS. What about the TLS and hoped-for QUIC implementations?