Jon Polom
What is the status of SELinux support with kairos built OS images? I have noticed (via the PRs mentioned here) it's explicitly disabled from the Fedora builds and `getenforce` reports...
> but what we _want_ to work is this for fulcio:
>
> ```
> "fulcio": {
> "caPath": "/etc/.sigstore/fulcio_v1.crt.pem",
> "oidcIssuer": "https://token.actions.githubusercontent.com",
> "subject": "https://github.com/sallyom/image-build/.github/workflows/build-sign-push.yaml@refs/heads/main"
> ```

@sallyom It's...
> Hi, currently to use host PKCS #11 devices you need to use sandbox holes. That's not good and not something that really belongs in the documentation. It's better for...
> Really strongly recommend against documenting step 3 as that's not acceptable to present to users. Why is that supported functionality if you deem it inappropriate? I find it completely...
Can someone else from Red Hat review this issue? These responses are unreasonable. This is a legitimate deficiency in flatpak and the solution being proposed is non-existent with no ETA....
Unfortunately @lukewarmtemp is the one working on this from an issue I created against [`rpm-ostree`](https://github.com/coreos/rpm-ostree/issues/4272). I am not the one doing the implementation work. > Thanks. So, wouldn’t one or...
> I read those reasons as equally arguing for the use of 1.9 / 1.18; using the SAN URI value is, if anything, strictly worse, because on the expected certificates...
The original issue that generated this PR specifically addressed that keyless sigstore signatures CANNOT be verified via rpm-ostree if they're made non-interactively using the GH actions token. The reason is...
> “I want this command to pass” is not a security objective. What is the information that you want to ascertain by validating the signature? This seems like an unfair...
> AFAICS a workflow triggered by an incoming PR (coming from an untrusted party) could satisfy all three quoted criteria This is a project/user use case and policy issue to...