On 06/06/2012 11:47, Tom H wrote:
Nowhere is the proposed Fedora 99-dollar-key being offered to other
distributions. Since it only costs USD 99 it wouldn't make sense for
Debian, for example, not to get its own rather than use Fedora's. And
Fedora wouldn't want to take the risk of loaning its key to Debian,
having the latter screwing up, and having Fedora's key being
blacklisted.
Fedora have also signed the entire chain from their shim bootloader
(with the 99USD key), grub, kernel and kernel modules (latter 3 with
Fedora's own key/chain-of-trust). Even if they were willing to take the
risk of sharing, I don't think they would with anyone who wasn't willing
to sign their own entire boot-chain down to the kernel module level. I
think it would be very bad for the principals of free (as in freedom)
software if Debian went down the same route creating a walled-garden for
the entire boot chain through to the kernel modules on secure-boot
enabled systems.
Could the hardware manufactures not have provided a method to allow OS
installers (as in installation programs) to add their own keys via an
UEFI level call which results in a prompt at next boot saying "A new key
has been added (fingerprint: $key_fingerprint). Do you want to trust it
(Yes/No)?"? It wouldn't solve the potential risk for users who just say
yes to everything, but for anyone with a little clue it provides
protection and is not as anti-competitive as the current situation
appears to be.
Laurence
--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/4fcf4386.2000...@lboro.ac.uk