| ▲ | DrillShopper a day ago |
| > The cryptsetup, cryptenroll, unified kernel images, kernel signing and systemd-boot work nicely together. |
| This has not been my experience across Debian and Arch. |
|
| ▲ | donnachangstein a day ago | parent | next [-] |
| That's because Debian 'stable' has a half-assed implementation of systemd, frozen in time on some ancient version. So you are stuck waiting years between upgrades. Bookworm finally supports the crypto functions. Arch OTOH was where these functions first worked out of the box. |
| |
| ▲ | bogantech a day ago | parent [-] |
| > frozen in time on some ancient version. |
| Yeah that's a feature of Debian stable |
| ▲ | Vilian 12 hours ago | parent | next [-] |
| A broken implementation? |
| ▲ | donnachangstein a day ago | parent | prev [-] |
| It stops being a feature and becomes a bug bordering on retardation when they purposefully ship broken software. First example coming to mind, TLS is broken in the version of OpenSMTPD that ships with Debian Stable. Yes you read that correctly. The version of OpenSMTPD in Debian Stable does not have functioning TLS. It's also not well documented why this is, things just don't work and you are forced to discover why. It has to do with a broken dependency on their ancient version of OpenSSL. They refuse to patch it because muh stability - it requires a version jump. So you are forced to jump through hoops and install a newer version from backports if you expect TLS to work on your SMTP server. |
|
| ▲ | mattpallissard a day ago | parent | prev | next [-] |
| Arch user here. These things work much nicer than any of the previous alternatives. Sure, kernel signing is a bit of a mess, but that's more of a product of how key-signing at a low-level works than anything. Cryptsetup, cryptenroll, unified kernel images, and systemd-boot worked for me out of the box. |
| |
| ▲ | DrillShopper a day ago | parent [-] |
| They very much did not for me. I beat things into shape with sbctl but it was very much an uphill battle. idk why Arch seems allergic to packaging shim-signed (it's an AUR, why would I trust such a key component to essentially a stranger?), but here we are I guess. |
| ▲ | udev4096 11 hours ago | parent | next [-] |
| You can inspect the PKGBUILD file very easily. It's the same as Alpine's abuild and various other build file formats from distros. Don't just blindly build it. |
| ▲ | Timber-6539 19 hours ago | parent | prev [-] |
| The AUR is just a repository of PKGBUILDs. You don't need to trust a stranger to use PKGBUILD. |
|
| ▲ | Timber-6539 19 hours ago | parent | prev [-] |
| Am on Arch and I use them with unattended boot (TPM) and they work flawlessly. |