Re: shim-signed

To: debian-devel@lists.debian.org
Subject: Re: shim-signed
From: Tollef Fog Heen <tfheen@err.no>
Date: Thu, 28 Apr 2022 06:22:21 +0200
Message-id: <[🔎] 87k0b9ygzm.fsf@err.no>
Mail-followup-to: debian-devel@lists.debian.org
In-reply-to: <[🔎] YmT3WXPagR7eu3OO@home.rince.de> (Hanno Wagner's message of "Sun, 24 Apr 2022 09:08:09 +0200")
References: <[🔎] 20220419002746.GT14939@tack.einval.com> <[🔎] CAGEayXOsfuWpwRVYO0Z7LhM7vNSJP4xJo+P0a0LsvhGYa7RaHw@mail.gmail.com> <[🔎] 877d7hwk91.fsf@hands.com> <[🔎] E1niCtr-007gWR-VN@drop.zugschlus.de> <[🔎] 87v8uz3r32.fsf@err.no> <[🔎] YmT3WXPagR7eu3OO@home.rince.de>

]] Hanno 'Rince' Wagner 

> Hi everbody,
> 
> On Sun, 24 Apr 2022, Tollef Fog Heen wrote:
> 
> > I don't think we have docs for running with a different root of trust
> > than MS'. To be honest, I'm not sure we even _should_ have a lot of docs
> > around it, since the general brittleness of the boot process, UEFI and
> > friends might very well lead to more systems being broken when people
> > discover the docs and run with the instructions without understanding
> > the implications.
> 
> I am a very firm believer of giving people as much information as
> possible while being responsible. Meaning, that I would love to have
> that documentation - including a big warning sign which sais "if you
> follow this path, you may brick your machine and this is your problem,
> not ours". If someone is interested to learn _how_ the security is
> done and implemented, why should this be unavailable?

Sadly, warnings generally don't work because people will ignore them and
break their systems and then blame the people writing the
documentation, causing load and grief on people were trying to be
helpful by writing the docs.

I don't think we should invest a lot into writing the docs required
because we can use that effort elsewhere.  Documentation requires
maintenance, just like everything else and if it's rarely used, we get
little value out of that effort.  If somebody is very eager to write and
maintain that documentation over time, by all means, but we haven't seen
anyone step up to do so.

-- 
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are

Reply to:

Follow-Ups:
- Re: shim-signed
  - From: Steve McIntyre <steve@einval.com>

References:
- Firmware - what are we going to do about it?
  - From: Steve McIntyre <steve@einval.com>
- Re: Firmware - what are we going to do about it?
  - From: Leandro Cunha <leandrocunha016@gmail.com>
- Re: Firmware - what are we going to do about it?
  - From: Philip Hands <phil@hands.com>
- shim-signed (was: Firmware - what are we going to do about it?)
  - From: Marc Haber <mh+debian-devel@zugschlus.de>
- Re: shim-signed
  - From: Tollef Fog Heen <tfheen@err.no>
- Re: shim-signed
  - From: Hanno 'Rince' Wagner <wagner@debian.org>

Prev by Date: feedback for NEW packages: switch to using the BTS?
Next by Date: Re: shim-signed
Previous by thread: Re: shim-signed
Next by thread: Re: shim-signed
Index(es):
- Date
- Thread