
Re: Laptops, UEFI, Secure Boot and Debian



On Sun, 24 May 2015 17:39:08 -0700
Patrick Bartek <nemommxiv@gmail.com> wrote:

> On Sun, 24 May 2015, Petter Adsen wrote:
> 
> > On Sat, 23 May 2015 12:46:10 -0700
> > Patrick Bartek <nemommxiv@gmail.com> wrote:
> > 
> > > On Sat, 23 May 2015, Petter Adsen wrote:
> > > 
> > > > On Sat, 23 May 2015 09:04:55 -0700
> > > > Patrick Bartek <nemommxiv@gmail.com> wrote:
> > > > > I've read about that, but right now until W10 in its final
> > > > > form is released, nobody really knows for sure.
> > > > 
> > > > Well, yes and no. We *do* know that the status has changed from
> > > > "mandatory" to "optional", but whether hardware manufacturers
> > > > will actually remove the ability to turn Secure Boot off
> > > > remains to be seen.
> > > 
> > > Yes.  I read that.  Wonder what Microsoft has up its sleeve?
> > 
> > If I were to guess, this is in preparation for at some point in the
> > future requiring Secure Boot to be used, without the ability to turn
> > it off.
> 
> My guess as well.  Anything to make Windows more convenient to use
> than installing another OS.  But you gotta think like a Microsoft
> lawyer here:  "But, your Honor, you CAN install Linux on the machine.
> Just follow these simple 389 steps.  No problem." ;-)
> 
> > You know, "think of the children!".
> > 
> > > Maybe, this is indicative of W10 being even more insecure than
> > > previous Windows' OSes.
> > 
> > Secure Boot itself is not actually such a bad idea, in some
> > circumstances it might be nice to have a fully signed chain. IMHO.
> 
> But it seems that Microsoft has co-opted it for their own use.
> They're the only ones making and selling the signing keys, aren't they?
> Shouldn't those security keys come from an independent, unbiased
> provider? One that Microsoft has to get their signing keys from, too.

From what I understand, basically anyone can put their signing keys in
the firmware. Part of the criticism is that Microsoft's keys are already
in it, making it difficult for anyone else, and without installing your
own keys, you must use keys that have been derived from theirs. I may
be wrong on this, I don't fully understand it.

Canonical will also enforce Secure Boot in the future, they claim, and
they are trying to get vendors to include their keys.

I am more worried about distributions like Debian. Fedora has the
backing of RedHat, so they will get keys (if they haven't already),
SUSE has cash, but I have no idea about Debian. At some point Canonical
would probably have helped them out, but I think that time has passed.
They are mostly looking out for themselves these days. With Snappy, I
don't even know if they will be based on Debian for much longer.

And what about all the other distributions? Slackware, Gentoo, etc?
There is no way all of them will be able to obtain keys.

I agree; an independent signing authority would be the best, but I'd
also like to see the ability to implant your own keys in the firmware.
And even better, to remove them, so that I could delete the MSFT key.
As mentioned, the Linux Foundation is looking into obtaining a key that
can be used to sign for distributions. The problem is that MS is able
to revoke keys at any time, and that would revoke all the Linux
distributions at once. Eggs - basket.

> > Hardware manufacturers will have to take into account the fact that
> > there are a large number of people and organizations that run their
> > machines without Windows, so I don't think there will be a lack of
> > machines that can turn Secure Boot off in the near future.
> 
> Have you forgotten about Asus and its $99 EeePC of a few years ago?
> It only ran Linux.  To keep the cost down.  No OS license needed. It
> sold very well, but was only a small part of Asus' Windows PC market.
> Microsoft still threw a hissy fit and threatened to revoke Asus'
> Windows license, if they didn't change the EeePC so it could run
> Windows XP.  Production on the EeePC ceased, and a year later a new
> EeePC debuted running a stripped down version of XP. But now it cost
> $199 not $99 whether it ran XP or Linux.  And the consumer got
> screwed.  MS didn't care.  They got their unit license fee.

Ah, the MS tax.

> Microsoft holds that Windows license over manufacturers like a battle
> axe.  If manufacturers don't go along, off with their heads!
> Microsoft can (and does) get almost anything it wants, and they've
> got a legal department that enables them to get away with it. 

I really, really wish Apple would release OS X for commodity hardware.
That could probably give MS a (little) run for its money in the home
market. Because let's face it - Linux isn't going to compete with them
for the ordinary user anytime soon. Neither are the BSDs, or HURD, or
Haiku, or...

(Yes, I know Apple will never do that.)

> > But will it become something to watch out for when buying new
> > hardware? Most certainly, at least for a period of time. I have a
> > sneaking suspicion that it might become a bigger problem for laptop
> > users than for desktop users, although I'm unable to back that up.
> > For those of us who prefer to build their own machines, I think it
> > will be much less of a problem.
> 
> Haven't you heard?  The desktop machine is dead.  Microsoft said so.
> So, it must be true. ;-)

Sad for them, as it's all they've got :)

> > The cleanest option would probably be to allow the owner of the
> > machine to install his/her own keys in the firmware, and sign the
> > boot image with those.
> 
> That won't fly.  Microsoft will stop it.  Not good for MS.

I don't know, maybe. It is really up to the hardware manufacturers.

> > And we still have legacy mode. For now.
> 
> Right.  I expect Legacy to mostly disappear in the next couple years.
> "Old, unneeded technology," they'll profess.

It undoubtedly will disappear at some point (which is why I said "for
now"), but by then I hope we have a solution to the Secure Boot mess.
One lawsuit has already been launched, in Spain. An organization called
Hispalinux, or something like that.

As I've already said, I don't think MS really wants to lock Linux out.
They *need* that little bit of competition to stay out of the
courtrooms. Remember the Internet Explorer bundling of the '90s? This
is far more serious, with much bigger consequences. And they know that.
They also know that Linux is no real competition for the ordinary user.

> > I am also not sure MS really _wants_ to lock Linux/others out of the
> > playing field. If they do, I assume the murmurs of class-action and
> > anti-competition would rise in pitch, and someone might do something
> > that could *really* hurt them. They really should work with the
> > community to come up with a solution that works for everyone before
> > someone forces them to.
> 
> Microsoft wants to be the ONLY OS in the world. It's been their goal
> since Day One with MSDOS.  However, they can't be and stay out of
> court. So there just needs to be an insignificant OS like Linux (and
> OSX) around -- a few % of the market? -- so legally they're not a
> monopoly. Insidious plan, huh?
> 
> Unfortunately, Microsoft has screwed their customers too many times in
> the name of profits, and Linux and OSX are steadily gaining ground,
> particularly in the server, business and government markets.
> 
> There will never NOT be a Microsoft, but they are scared and
> scrambling to correct poor market decision, if they can.  And that's
> a good thing.  True market capitalism does work, just slowly.

Remember, Google also has a dog in this fight - ChromeOS. I think it's
very likely they want a larger piece of the pie, they are constantly
diversifying. Their Chromebooks are doing fairly well, and there are a
lot of people out there with Android phones and tablets that might want
one.

In the Linux community, Debian is BIG, one of the top distributions.
Unfortunately, that does not mean lots of money or market power, so it
is one of the distributions that might suffer because of Secure Boot.
It is also among the ones that we just can't let die, the stakes are
far too high.

I hope this all will be sorted out, and soon.

Regards,

Petter

-- 
"I'm ionized"
"Are you sure?"
"I'm positive."
