Daan De Meyer

> @behrmann tried as stated above same issue, dracut is still present. I think you want to remove dracut-core as well. That's the package that actually provides dracut

I wrote these comments ages ago but forgot to submit, apologies

> Of course, this implies the kernel and initrd (and whatever else sits in /boot) doesn't fall under dm-verity validation, but the Grub wouldn't check/use these checksums anyway. This is...

I don't particularly mind making XBOOTLDR required when using grub. Any idea how backwards compatible this would be? If the grub files are still accessible at the same paths, I...

Yeah, let's use XBOOTLDR for this. Only thing I'm unsure about is whether we should do this unconditionally or not. I'm not familiar enough with grub to know whether we'd...

We'll also need to support using pesign instead of sbsign to sign the efi binaries produced by mkosi since centos 8 doesn't provide sbsigntools but does provide pesign.

@mrc0mmand One of my latest PRs dropped the requirement for arch-install-scripts. We just use pacman directly now so you can drop one dependency. @poettering Sounds like a way better solution....

@behrmann Awesome! I searched using github search but it didn't return any results. It uses the same method we use in mkosi. We can replace our own implementation with that...

I'm not sure if this is something mkosi should do. If I understand correctly, `bootctl` should take care of signing the binaries from /usr when `bootctl add` is executed

> I'm seeing bootctl update run from systemd-boot-update.service copy systemd-boot which is unsigned. It certainly isn't signed with the keys used by mkosi if signing is enabled, and it would...