Lennart Poettering
Lennart Poettering
> Of course, it works just fine, I have been using a normal rootfs, package-managed, with a UKI for months and months. When a new kernel package is published the...
Oh, and you can just read the UKI's os-release data from /run/systemd/stub/os-release these days. We place it there via tmpfiles.d/20-systemd-stub.conf. That's much simpler and works unpriv and so on.
Or in other words: if you want this, then please introduce counterparts for those 6 specifiers, that look in /run/systemd/stub/os-release instead of /etc/os-release, and then add one ProtectVersion= line so...
Please just add those 6 new specifiers that use the UKI's os-release files, it's a very short patch then, and makes things less magic. People really should have the freedom...
sorry, but this cannot work. UKIs are not as unified as one might think in some cases, for example, a pcrlock.d golden measurement file for a UKI might be something...
do you se any further contexts like this showing up? i don't... But again, you cannot just do "the right thing", because you never know if you want to match...
> > do you se any further contexts like this showing up? i don't... > > You mentioned a bunch? uh? there are only ever two sets of versions involved:...
those are auxiliary resources store on disk that are versioned like the context they belong to, i.e. the UKI or the root fs. All I am saying is that you...
Let's say people actually go fully for independent UKI and rootfs versioning. They start and version their UKIs 1, 2, 3, 4, 5, 6. And they also version their roofs...
I am not sure why this is so hard to grok. Let me try another way: let's say you want to ship an UKI together with a pcrlock golden file...