On Wed, Jan 08, 2014 at 08:31:11AM +0100, Florian Weimer wrote:
> Furthermore, we need to store the keys for all EV certificates (both
> the certificate used for submission, and the certificate embedded in
> the shim) in devices that meet at least FIPS 140 Level 2. Such
> devices that are affordable, support secure, remote operation, and are
> compatible with free software environments are difficult to find.
> (But perhaps we can find a DD who agrees to keep the keys in his or
> her home and manually signs our kernels, using Windows if necessary.)

We (Canonical) have been trying to get this requirement made a bit more
sane; we keep our SB root certificate split up among a number of
shareholders using gfshare, which we believe should be functionally
adequate for this. Steve Langasek may know where this sits.

> I wonder why Microsoft no longer wants to sign GPLv3 code (such as
> GRUB 2). It could be due to plans to make Secure Boot mandatory
> eventually. Right now, it is possible to comply with the GPLv3
> license requirements because users can switch off Secure Boot, either
> at the BIOS level or through the MokManager loophole. This does not
> affect us because we rarely ship hardware with Debian pre-installed,
> and if we do, we can make use of the general GPLv3 opt-out clause.
> But it would affect some of our users.

Not that I'm very impressed with Microsoft's reasoning here, but in
practice we wouldn't want to get GRUB signed by Microsoft anyway; their
signing process is far too cumbersome for anything but a loader that we
try not to change very often. Their guidelines permit chaining to GPLv3
code via shim, so this part of it should not be a problem.

-- 
Colin Watson [cjwat...@debian.org]