Re: UEFI Revocation List being distributed by Debian

To: Paul Wise <pabs@debian.org>
Cc: Mario.Limonciello@dell.com, debian-legal@lists.debian.org
Subject: Re: UEFI Revocation List being distributed by Debian
From: Florian Weimer <fw@deneb.enyo.de>
Date: Thu, 07 May 2020 07:26:01 +0200
Message-id: <[🔎] 87h7wsb9jq.fsf@mid.deneb.enyo.de>
In-reply-to: <[🔎] CAKTje6Ep2Q=xyr4VGekKgEmTDp0spO85EnxsMeb0ndHHwkXVkQ@mail.gmail.com> (Paul Wise's message of "Thu, 7 May 2020 03:55:33 +0000")
References: <[🔎] 1cd5d94adcba45bfa32832ea234e6569@AUSX13MPC101.AMER.DELL.COM> <[🔎] CAKTje6Ep2Q=xyr4VGekKgEmTDp0spO85EnxsMeb0ndHHwkXVkQ@mail.gmail.com>

* Paul Wise:

> This sort of data is liable to be out of date if included in the
> source code of fwupd, I think this should be separate to fwupd in the
> same way that tzdata is separate to glibc and DNSSEC root keys are
> separate to DNS servers and the web PKI CAs should be separate to web
> browsers. I suggest that fwupd download it directly from the UEFI
> website and update the copy within the boot firmware that way.

It also has to be optional and disabled by default because a future
dbx update may be specifically designed to stop Debian systems from
booting.  No Debian user will want to install such an update.

Reply to:

Follow-Ups:
- Re: UEFI Revocation List being distributed by Debian
  - From: Paul Wise <pabs@debian.org>

References:
- UEFI Revocation List being distributed by Debian
  - From: <Mario.Limonciello@dell.com>
- Re: UEFI Revocation List being distributed by Debian
  - From: Paul Wise <pabs@debian.org>

Prev by Date: Re: UEFI Revocation List being distributed by Debian
Next by Date: Re: UEFI Revocation List being distributed by Debian
Previous by thread: Re: UEFI Revocation List being distributed by Debian
Next by thread: Re: UEFI Revocation List being distributed by Debian
Index(es):
- Date
- Thread