From: Linus Torvalds
To: Abelardo Ricart III
Cc: Michal Marek, Linux Kernel Mailing List, Sedat Dilek, David Howells, keyrings@linux-nfs.org, Rusty Russell, LSM List, James Morris, Greg Kroah-Hartman
Subject: Re: [PATCH] MODSIGN: Change default key details [ver #2]
Date: Sun, 3 May 2015 18:45:36 -0700
In-Reply-To: <1430559977.5803.12.camel@memnix.com>
References: <1430516505-4812-1-git-send-email-aricart@memnix.com> <1430559977.5803.12.camel@memnix.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sat, May 2, 2015 at 2:46 AM, Abelardo Ricart III wrote:
> endif
>
> -signing_key.priv signing_key.x509: x509.genkey
> +signing_key.priv signing_key.x509: | x509.genkey

Hmm. Thinking some more about this, I'm not entirely convinced.

With this change, if we change kernel/Makefile to have a different
keysigning authority etc, it won't re-generate the keys, because the
old keys still exist. No?

That would be wrong.

I'd much rather see "x509.genkey" be generated with a move-if-changed
pattern, so that it only changes if (a) it didn't exist before or (b)
it actually has new content.

On a tangentially related issue: I figured out why I get those (very
annoying) "X.509 certificate list changed" messages. I made it print
out *what* changed:

    X.509 certificate list changed from ./signing_key.x509 to signing_key.x509

Note the "./" difference.

Linus
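
Review bot: In the added line `signing_key.priv signing_key.x509: | x509.genkey`, placing x509.genkey after `|` makes it an order-only prerequisite, so make only requires that the file exists and never reruns the rule because x509.genkey is newer than the keys. An edited x509.genkey would then leave the old signing_key.priv and signing_key.x509 in place with no warning. If the aim is to avoid regeneration on timestamp-only changes, keep the normal prerequisite and arrange for x509.genkey to be rewritten only when its content differs; otherwise the changelog should say that the keys must be deleted by hand after the key details change.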
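
The move-if-changed pattern mentioned in the message, sketched in shell as an added example (not code from the patch or from the kernel tree). The helper names `move_if_changed` and `write_genkey` and the sample config text are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration: helper names and sample content are hypothetical.

# Install $1 as $2 only if $2 is missing or its content differs.
# Returns 0 if $2 was (re)written, 1 if it was left untouched.
move_if_changed() {
    new=$1
    dest=$2
    if [ -f "$dest" ] && cmp -s "$new" "$dest"; then
        rm -f "$new"        # identical: keep the old file and its mtime
        return 1
    fi
    mv -f "$new" "$dest"    # missing or different: dest gets a fresh mtime
    return 0
}

# Write a key-generation config (content read from stdin) via a temp file,
# so the destination's timestamp moves only when the content really changed.
# A make rule that lists the destination as a normal prerequisite then
# regenerates the keys exactly when the key details change.
write_genkey() {
    dest=$1
    tmp=$(mktemp "$dest.XXXXXX") || return 2
    cat > "$tmp"
    move_if_changed "$tmp" "$dest"
}

# Constructed demo in a scratch directory.
demo_dir=$(mktemp -d)
printf 'CN = constructed sample\n' | write_genkey "$demo_dir/x509.genkey" \
    && echo "first run: file written"
printf 'CN = constructed sample\n' | write_genkey "$demo_dir/x509.genkey" \
    || echo "second run: unchanged, mtime kept"
rm -rf "$demo_dir"
```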