On 06/06/2012 11:47, Tom H wrote:
Nowhere is the proposed Fedora 99-dollar-key being offered to other distributions. Since it only costs USD 99 it wouldn't make sense for Debian, for example, not to get its own rather than use Fedora's. And Fedora wouldn't want to take the risk of loaning its key to Debian, having the latter screwing up, and having Fedora's key being blacklisted.
Fedora have also signed the entire chain from their shim bootloader (with the 99USD key), grub, kernel and kernel modules (latter 3 with Fedora's own key/chain-of-trust). Even if they were willing to take the risk of sharing, I don't think they would with anyone who wasn't willing to sign their own entire boot-chain down to the kernel module level. I think it would be very bad for the principals of free (as in freedom) software if Debian went down the same route creating a walled-garden for the entire boot chain through to the kernel modules on secure-boot enabled systems.
Could the hardware manufactures not have provided a method to allow OS installers (as in installation programs) to add their own keys via an UEFI level call which results in a prompt at next boot saying "A new key has been added (fingerprint: $key_fingerprint). Do you want to trust it (Yes/No)?"? It wouldn't solve the potential risk for users who just say yes to everything, but for anyone with a little clue it provides protection and is not as anti-competitive as the current situation appears to be.
Laurence