Re: UEFI Revocation List being distributed by Debian

On Thu, May 7, 2020 at 3:06 AM Mario Limonciello wrote:

> there are concerns if this would fit within the DFSG
> https://uefi.org/revocationlistfile

Since it does not include permission to modify and has several
restrictions on redistribution, this license is unlikely to meet the
DFSG requirements. I suggest contacting the UEFI folks to ask why
these restrictions are needed at all. A regular BSD/MIT license should
be enough to meet their purposes. OTOH, I'm not sure if the data meets
the requirements for copyrightability, in which case the license would
not need to be complied with at all.


> Recently there has been a discussion within upstream fwupd to start including the UEFI dbx revocation list directly with the fwupd package.

This sort of data is liable to be out of date if included in the
source code of fwupd; I think this should be separate to fwupd in the
same way that tzdata is separate to glibc and DNSSEC root keys are
separate to DNS servers and the web PKI CAs should be separate to web
browsers. I suggest that fwupd download it directly from the UEFI
website and update the copy within the boot firmware that way.

> Furthermore, if it is not acceptable to distribute this raw data in Debian, one of the options being considered is to programmatically re-generate a list of invalid hashes but without the signatures in the original file.  Would that be acceptable to distribute in Debian instead?

I don't think that is meaningfully different to the original files,
since it would be derived from the original files?

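The "list of invalid hashes without the signatures" idea from the quoted message, as an added example (this editor's code, not fwupd's, Debian's or the UEFI Forum's): it walks the EFI_SIGNATURE_LIST structures of a dbx update blob, skipping the EFI_VARIABLE_AUTHENTICATION_2 header that carries the PKCS#7 signature, and returns only the SHA-256 entries. The sample blob, its owner GUID and its "signature" bytes are constructed for the example; the structure layouts and GUID constants are the ones defined in the UEFI specification.

```python
import hashlib
import struct
import uuid

# GUIDs from the UEFI specification (serialised in mixed-endian "bytes_le" form).
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_TYPE_PKCS7_GUID = uuid.UUID("4aafd29d-68df-49ee-8aa9-347d375665a7")
WIN_CERT_TYPE_EFI_GUID = 0x0EF1
WIN_CERT_REVISION = 0x0200
# EFI_SIGNATURE_LIST after the SignatureType GUID: SignatureListSize,
# SignatureHeaderSize, SignatureSize (all little-endian UINT32).
SIG_LIST_HDR = struct.Struct("<III")


def strip_auth2_header(blob):
    """Return the EFI_SIGNATURE_LIST payload, skipping a leading
    EFI_VARIABLE_AUTHENTICATION_2 header (EFI_TIME + WIN_CERTIFICATE_UEFI_GUID)
    if one is present. The PKCS#7 signature inside it is not verified here;
    firmware verifies it against KEK/PK when the variable is written."""
    if len(blob) >= 16 + 24:
        length, rev, ctype = struct.unpack_from("<IHH", blob, 16)
        cert_type = uuid.UUID(bytes_le=blob[24:40])
        if (rev == WIN_CERT_REVISION and ctype == WIN_CERT_TYPE_EFI_GUID
                and cert_type == EFI_CERT_TYPE_PKCS7_GUID):
            end = 16 + length  # dwLength covers the whole WIN_CERTIFICATE_UEFI_GUID
            if length < 24 or end > len(blob):
                raise ValueError("truncated authentication header")
            return blob[end:]
    return blob


def parse_signature_lists(data):
    """Walk consecutive EFI_SIGNATURE_LIST structures and return a list of
    (signature_type, owner_guid, signature_data) per EFI_SIGNATURE_DATA entry."""
    entries = []
    off = 0
    while off < len(data):
        if len(data) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % off)
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = SIG_LIST_HDR.unpack_from(data, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(data):
            raise ValueError("bad SignatureListSize at offset %d" % off)
        if sig_size <= 16:  # every entry starts with a 16-byte SignatureOwner GUID
            raise ValueError("bad SignatureSize at offset %d" % off)
        body = data[off + 28 + hdr_size:off + list_size]
        if len(body) % sig_size:
            raise ValueError("signature list body is not a multiple of SignatureSize")
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            entries.append((sig_type, owner, body[i + 16:i + sig_size]))
        off += list_size
    return entries


def dbx_hashes(blob):
    """SHA-256 entries of a dbx blob as sorted lowercase hex strings; X.509 or
    other entry types are ignored, and duplicates are collapsed."""
    hashes = set()
    for sig_type, _owner, sig in parse_signature_lists(strip_auth2_header(blob)):
        if sig_type == EFI_CERT_SHA256_GUID and len(sig) == 32:
            hashes.add(sig.hex())
    return sorted(hashes)


def build_signature_list(sig_type, owner, sigs):
    """Serialise one EFI_SIGNATURE_LIST (SignatureHeaderSize 0) from entries."""
    sig_size = 16 + len(sigs[0])
    body = b"".join(owner.bytes_le + s for s in sigs)
    return sig_type.bytes_le + SIG_LIST_HDR.pack(28 + len(body), 0, sig_size) + body


def build_auth2_blob(payload, cert_data):
    """Wrap payload in an EFI_VARIABLE_AUTHENTICATION_2 header; cert_data stands
    in for the PKCS#7 signature (a constructed placeholder in this example)."""
    efi_time = bytes(16)  # zeroed EFI_TIME; only the layout matters here
    win_cert = (struct.pack("<IHH", 24 + len(cert_data), WIN_CERT_REVISION, WIN_CERT_TYPE_EFI_GUID)
                + EFI_CERT_TYPE_PKCS7_GUID.bytes_le + cert_data)
    return efi_time + win_cert + payload


# Constructed sample input: a made-up owner GUID and two made-up "revoked binary"
# hashes, not entries from any real dbx release.
SAMPLE_OWNER = uuid.UUID("12345678-1234-5678-1234-567812345678")
SAMPLE_HASHES = [hashlib.sha256(b"constructed sample %d" % i).digest() for i in (1, 2)]
SAMPLE_LIST = build_signature_list(EFI_CERT_SHA256_GUID, SAMPLE_OWNER, SAMPLE_HASHES)
SAMPLE_BLOB = build_auth2_blob(SAMPLE_LIST, b"not a real PKCS#7 signature")

if __name__ == "__main__":
    for h in dbx_hashes(SAMPLE_BLOB):
        print(h)
```

The same parser also reads the live variable: on Linux, `/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f` holds a 4-byte attributes word followed by the raw signature lists, so `dbx_hashes(data[4:])` gives what the firmware currently blocks and can be diffed against a downloaded update. One caveat on the signature-stripped variant discussed in the thread: dbx is a time-based authenticated variable, and firmware only accepts an update whose PKCS#7 signature verifies against the KEK or PK, so a regenerated hash list without the signature is useful for inspection and comparison but cannot itself be written to the firmware with SetVariable (outside of setup mode).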


