
Re: UEFI Revocation List being distributed by Debian



Hi Mario,

On Thu, May 07, 2020 at 02:25:41AM +0000, Mario.Limonciello@dell.com wrote:
> Hello,

> Recently there has been a discussion within upstream fwupd to start
> including the UEFI dbx revocation list directly with the fwupd package. 
> During the code review for this as part of reviewing the terms included
> with it there are concerns if this would fit within the DFSG.  Would it be
> possible to request a review of these terms to determine if this is
> appropriate to distribute in Debian?

> https://uefi.org/revocationlistfile

> Furthermore, if it is not acceptable to distribute this raw data in
> Debian, one of the options being considered is to programmatically
> re-generate a list of invalid hashes but without the signatures in the
> original file.  Would that be acceptable to distribute in Debian instead?

First, the license is not an end-user license and if someone chooses to
agree to the license as part of downloading, this appears to only be binding
on the downloader; it is not a license that must be included in the
redistribution to users (as debian/copyright).

Second, the following URL is accessible without affirmatively agreeing to
the license.

  http://www.uefi.org/sites/default/files/resources/dbxupdate.zip

Third, the contents of this file are a non-copyrightable list of statements
of mathematical facts.  Distribution of this file is not subject to
copyright law.

I don't think there is any issue with Debian distributing this file.

FWIW Ubuntu already distributes this file in the secureboot-db package.  I
do not think that Ubuntu would want to enable updates of the revocation list
via the fwupd package since revocations could in principle impact the
bootability of the system (if the dbx update included a hash of Ubuntu's
shim, or Ubuntu's signing key).  dbx updates should be carefully managed in
conjunction with updates to the bootloader itself, which the tighter
coupling of a directly-managed native package gives us.  I think similar
reasoning would apply for Debian.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                   https://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org
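The bootability concern Steve raises above is the kind of thing a distribution would want to check mechanically before shipping a dbx update: does the new list contain the hash of our own shim or any other binary we still need to boot? The following is an added example for this thread, not code from the mail, from fwupd or from Ubuntu's secureboot-db package. It walks the EFI_SIGNATURE_LIST structures carried by a dbx update (optionally skipping the EFI_VARIABLE_AUTHENTICATION_2 header that wraps the signed dbxupdate.bin) and reports whether a given SHA-256 would be revoked. The GUIDs are the UEFI specification's; the owner GUID, the image bytes and the update blob are constructed stand-ins, and a flat SHA-256 of those bytes stands in for the Authenticode image hash that real dbx entries carry.

```python
"""Preflight check for a UEFI dbx update.

Added example for this thread; not code from the mail, from fwupd or from
Ubuntu's secureboot-db package.  It parses the EFI_SIGNATURE_LIST entries
in a dbx update and reports whether a given hash is about to be revoked,
which is the check a distribution would run against its own shim before
pushing such an update.  All sample data below is constructed.
"""
import hashlib
import struct
import uuid

# GUIDs from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_TYPE_PKCS7_GUID = uuid.UUID("4aafd29d-68df-49ee-8aa9-347d375665a7")
WIN_CERT_TYPE_EFI_GUID = 0x0EF1
ESL_HEADER_LEN = 28  # EFI_GUID + SignatureListSize + SignatureHeaderSize + SignatureSize


def strip_auth2_header(blob):
    """Skip an EFI_VARIABLE_AUTHENTICATION_2 header (EFI_TIME followed by a
    WIN_CERTIFICATE_UEFI_GUID carrying the PKCS#7 signature) if one is
    present.  This only skips the signature, it does not verify it; the
    firmware verifies it against KEK when the variable is written."""
    if len(blob) < 16 + 8 + 16:
        return blob
    dw_length, _revision, cert_kind = struct.unpack_from("<IHH", blob, 16)
    cert_type = uuid.UUID(bytes_le=blob[24:40])
    if cert_kind == WIN_CERT_TYPE_EFI_GUID and cert_type == EFI_CERT_TYPE_PKCS7_GUID:
        if 16 + dw_length > len(blob):
            raise ValueError("WIN_CERTIFICATE dwLength runs past the buffer")
        return blob[16 + dw_length:]
    return blob


def parse_signature_lists(data):
    """Yield (SignatureType, SignatureOwner, SignatureData) for every
    EFI_SIGNATURE_DATA in a run of EFI_SIGNATURE_LIST structures, refusing
    malformed sizes instead of reading past the buffer."""
    off = 0
    while off < len(data):
        if len(data) - off < ESL_HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < ESL_HEADER_LEN + hdr_size or off + list_size > len(data):
            raise ValueError("bad SignatureListSize")
        body = data[off + ESL_HEADER_LEN + hdr_size:off + list_size]
        if sig_size <= 16 or len(body) % sig_size:
            raise ValueError("bad SignatureSize")
        for i in range(0, len(body), sig_size):
            entry = body[i:i + sig_size]
            yield sig_type, uuid.UUID(bytes_le=entry[:16]), entry[16:]
        off += list_size


def revoked_hashes(update_blob):
    """Hex SHA-256 values the update adds to dbx (X.509 entries are skipped)."""
    data = strip_auth2_header(update_blob)
    return {sig.hex() for kind, _owner, sig in parse_signature_lists(data)
            if kind == EFI_CERT_SHA256_GUID}


def would_revoke(update_blob, image_hash_hex):
    """True if applying the update would block an image with this hash."""
    return image_hash_hex.lower() in revoked_hashes(update_blob)


def sha256_hex(data):
    # Flat SHA-256 keeps the sample self-contained.  Real dbx entries are
    # Authenticode (PE/COFF image) hashes, so for an actual shim.efi compute
    # the hash with a PE-aware tool (for example pesign --hash) instead.
    return hashlib.sha256(data).hexdigest()


# ---- constructed sample update (hypothetical data, not the real dbx) ----
OWNER_GUID = uuid.UUID("11111111-2222-3333-4444-555555555555")  # made up
SHIM_IMAGE = b"constructed stand-in for our shim.efi"
OTHER_IMAGE = b"constructed stand-in for a third-party binary"


def build_esl(sig_type, owner, sig_datas):
    """Pack one EFI_SIGNATURE_LIST (all entries must have the same size)."""
    sig_size = 16 + len(sig_datas[0])
    body = b"".join(owner.bytes_le + d for d in sig_datas)
    hdr = sig_type.bytes_le + struct.pack("<III", ESL_HEADER_LEN + len(body), 0, sig_size)
    return hdr + body


def sample_raw_esl():
    """Variable payload: one SHA-256 list and one X.509 list."""
    return (build_esl(EFI_CERT_SHA256_GUID, OWNER_GUID,
                      [hashlib.sha256(OTHER_IMAGE).digest()])
            + build_esl(EFI_CERT_X509_GUID, OWNER_GUID, [b"\x30\x05not-a-cert"]))


def sample_update():
    """Wrap the payload in an AUTHENTICATION_2 header with a dummy signature."""
    fake_pkcs7 = b"\x30\x03\x02\x01\x00"  # placeholder bytes, not a signature
    win_cert = (struct.pack("<IHH", 8 + 16 + len(fake_pkcs7), 0x0200, WIN_CERT_TYPE_EFI_GUID)
                + EFI_CERT_TYPE_PKCS7_GUID.bytes_le + fake_pkcs7)
    efi_time = bytes(16)  # zeroed EFI_TIME
    return efi_time + win_cert + sample_raw_esl()


if __name__ == "__main__":
    upd = sample_update()
    for name, image in (("our shim", SHIM_IMAGE), ("other binary", OTHER_IMAGE)):
        verdict = "WOULD BE REVOKED" if would_revoke(upd, sha256_hex(image)) else "unaffected"
        print(f"{name}: {verdict}")
```

Run against a real dbxupdate.bin, the same parser applies unchanged; only the hash side differs, since a shim's dbx-relevant hash is its Authenticode digest rather than a digest of the file bytes. Refusing the update when our own shim's hash (or an X.509 entry matching our signing certificate) shows up is exactly the coupling to the bootloader package that the mail argues for.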


