Timothée Ravier
@pid_eins The threat model is unclear here. How can you trust the system to really reset itself if you think it's compromised and run this command from a compromised environment?
Later you mention a boot entry, which makes more sense to me, but we would need something to not expose it too much as it would be too easy to select by mistake on boot. You would also likely need two reboots there, one to reset the TPM, and then do the reset?
Timothée Ravier
> While OSTree ..., it has a significant drawback: it can’t support SecureBoot because it can’t support Unified Kernel Images, ...
That's not true. We demonstrated that in https://media.ccc.de/v/all-systems-go-2024-309-the-road-to-a-trusted-and-measured-boot-chain-in-bootable-containers.
You can say that it's not fully integrated, it's not ready or it's not what you want to do, but please don't say that it's not possible when we showed that it is.
I'm really glad that GNOME OS development is taking off so please don't justify technical decisions with misconceptions.
CoreOS engineer at Red Hat :redhat:, Fedora Atomic Desktops maintainer (Silverblue :silverblue:, Kinoite :Kinoite:), KDE developer :kde: and KDE Apps maintainer on Flathub :flatpak:.Mostly boosts about :linux:, :rust:, :golang:, :androidalt:, :fedora:, :redhat:, :kde:, :plasma:, :gnome:, :k8s:, :flatpak:, :Kinoite:, :silverblue:, systemd, security and some French politics.Searchable via tootfinder (https://tootfinder.ch/).
GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.
All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.