Re: the ghost of UEFI and Micr0$0ft
On 06/06/12 22:51, Tom H wrote:
> On Wed, Jun 6, 2012 at 7:56 AM, Scott Ferguson
> <firstname.lastname@example.org> wrote:
>> On 06/06/12 20:47, Tom H wrote:
>>> On Wed, Jun 6, 2012 at 6:06 AM, Scott Ferguson
>>> <email@example.com> wrote:
>>>> On 06/06/12 19:23, Tom H wrote:
>>>>> On Wed, Jun 6, 2012 at 12:18 AM, Scott Ferguson
>>>>> <firstname.lastname@example.org> wrote:
>>>>>> ;consider also that Fedora has *not* said they won't be sharing the key
>>>>> They won't share their Secure Boot key in the same way that they don't
>>>>> share their RPM-signing key(s).
>>>> I'm unable to find anything from the RedHat/Fedora community who
>>>> supports that assertion, and it's not supported by the article:-
>>>> "Adopting a distribution-specific key and encouraging hardware companies
>>>> to adopt it *would have been hostile to other distributions*. We want to
>>>> compete on merit, not because we have better links to OEMs.
>>> In this para, MG's saying that Fedora didn't want to buy a
>>> 99-dollar-key and have it loaded into the firmware of the hardware
>>> manufacturers who'd agree to do so.
>> I read that as "there was no realistic chance that we could get *all* of
>> them to carry it", and so they didn't. Tim Burke gives the same reasons.
>> Aside from legal reasons (I'm not sure how UEFI and the Debian
>> constitution fit) the only things stopping Debian from getting a key is
>> that not many manufacturers would use it - and it'd require resources to
>> manage and maintain, something better suited to a commercial enterprise.
> He made two arguments for not going the
> have-the-Fedora-key-uploaded-by-OEMs way. He called the first
> user-hostile because it would require having hardware-compatibility
> lists because not all OEMs would be willing to upload the Fedora key.
> And he called the second distribution-hostile because Fedora would
> have had better success at having its key uploaded than other
> distributions given Red Hat's more extensive relationships with OEMs.
> There not even a hint of sharing Fedora's key with anyone.
>>>> An alternative was producing some sort of overall Linux key. It turns
>>>> out that this is also difficult, since it would mean finding an entity
>>>> who was willing to take responsibility for managing signing or key
>>>> distribution. That means having the ability to keep the root key
>>>> absolutely secure and perform adequate validation of people asking for
>>>> signing. That's expensive. Like millions of dollars expensive. It would
>>>> also take a lot of time to set up, and that's not really time we had.
>>>> And, finally, nobody was jumping at the opportunity to volunteer. So no
>>>> generic Linux key."
>>>> Hardly "we don't want to share", more "we can't afford to"
>>> In this para, he isn't discussing a Fedora 99-dollar-key purchased
>>> from Verisign, but a cross-distribution Linux key infrastructure
>>> similar to the one that Microsoft's developed/developing.
>> Two keys?
>> I read it as *one* key bought (from Verison) for $99 through the MS
>> sysdev portal that will be used to sign the first stage boot loader for
>> use on hardware "certified" to support Windoof 7?
> Why would a 99-dollar-key cost millions?
No one said a key would cost millions.
> You're thinking of a third scenario that MG hasn't described where a
> "Linux Secure Boot Foundation" buys a 99-dollar-key and shares it with
> all (!) distributions - I'm of course assuming here and the previous
> scenario of Fedora sharing its key that the agreement with Verisign
> allows a key to be loaned out/shared - which puts us in the same
> situation as the Fedora-key-sharing situation, that I posted earlier
> and that you snipped from your reply, where the failure of one
> distribution would result in all distributions having their one key
That's the management exercise that would cost millions.
Iceweasel/Firefox/Chrome/Chromium/Iceape/IE extensions for finding
answers to questions about Debian:-