Jonathan Lebon

Results 611 comments of Jonathan Lebon

I'm not familiar with signify or minisign but am willing to learn to use it if it's available in Fedora. That said, if there isn't demand for it, I'm OK...

As is, one has to trust both you and GitHub (or that it hasn't been compromised). If the binaries are signed, one only has to trust you (which I already...

Note that just dumbly doing a type GUID match will not work for things like multipath. We solved this in `rdcore` by looking for ESPs only on the same devices...

WDYT about the discussions in https://github.com/coreos/fedora-coreos-tracker/issues/510#issuecomment-669331994? It seems like for EFI at least, it seems possible to make updates quite safe. In which case, it might be worthwhile to just...

> Should it? Should rpm-ostree status include e.g. any status from dbxtool.service too? I like the idea of a "one pane of glass" but it also introduces some potential confusion...

>> Now clearly it would be (potentially) better to update the bootloader before rebooting, i.e. hook into the rpm-ostree process and scrape out the updates but...eh. > > This would...

> That said, I don't want to go back to coreos/rpm-ostree#1882. I'd much prefer for tighter integration between rpm-ostree and bootupd, which I think then meshes well with having it...

Still need to test this. CI tests the online flow, but it'd be good to also sanity-check that DNS lookup failures are also caught by the retry logic.

This comes from an internal chat. From Colin there:

> My guess here is that the system BIOS time is incorrect. Probably need to block on chrony/timesyncd before running `coreos-installer`....

Note that coreos-installer should keep retrying. If the chrony theory is correct, then eventually it should succeed once chrony has stepped the clock (IIRC, it does allow stepping once initially)....