
Re: the ghost of UEFI and Micr0$0ft



On 06/06/2012 14:56, Jon Dowland wrote:
and it'd require resources to manage and maintain, something better suited to
a commercial enterprise.

That's the big deal. Fedora seem to believe they can manage maintaining closed
and signed bootloaders, kernel and kernel modules.  That would be very difficult
to achieve in Debian.


I can see this turning into a support nightmare for Fedora when, inevitably, some hardware or firmware comes along which (at least as an interim measure until "official" fixes are released) requires the use of a newer kernel and/or module, or a patch/rebuild of an existing one.

I wonder how they will cope with the likes of nvidia/ati/intel who release their own kernel modules and installers outside of the distribution ecosystem, which will presumably be unsigned and which a lot of people seem to use for the [potential/perceived] performance benefits.

A more interesting approach might be to maintain a locked-down install image
chain which offered, as a very early installer option, to disable the secure
boot BIOS setting on your behalf.  From then onwards you could run whatever you
like.  Whether or not that will be generally possible, I don't know.



I doubt there will be an easy way to disable the secure boot BIOS setting on the users' behalf, even from a signed boot loader, as that would just lead to malware finding a way to silently disable it to get around it.

Laurence

