Re: [OT] Re: the ghost of UEFI and Micr0$0ft

2012-06-26 Thread Jochen Spieker
Lisi:
> On Monday 25 June 2012 16:13:54 Jochen Spieker wrote:
>> And, BTW, Desktop LTS support lasts only for 3 years, not 5.
> 
> I recently read that it was changing to five for the desktop, as well as the 
> server edition.  If you say that this is an urban myth, I am happy to believe 
> you.

No, I just didn't read the entry in the Ubuntu wiki thoroughly. Five
years is correct for >= 12.04.

J.
-- 
As a child I pulled the legs from a spider.


Re: [OT] Re: the ghost of UEFI and Micr0$0ft

2012-06-26 Thread Lisi
On Monday 25 June 2012 16:13:54 Jochen Spieker wrote:
> And, BTW, Desktop LTS support lasts only for 3 years, not 5.

I recently read that it was changing to five for the desktop, as well as the 
server edition.  If you say that this is an urban myth, I am happy to believe 
you.

Lisi


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/201206261057.59269.lisi.re...@gmail.com



Re: [OT] Re: the ghost of UEFI and Micr0$0ft

2012-06-25 Thread Tom H
On Mon, Jun 25, 2012 at 11:13 AM, Jochen Spieker  wrote:
>
> And, BTW, Desktop LTS support lasts only for 3 years, not 5.

It's been pushed up to 5 years with 12.04.





Re: [OT] Re: the ghost of UEFI and Micr0$0ft

2012-06-25 Thread Ralf Mardorf
On Mon, 2012-06-25 at 17:02 +0200, Ralf Mardorf wrote:
> On Mon, 2012-06-25 at 09:49 -0500, John Hasler wrote:
> > Lisi writes:
> > > I am just sorry that they have changed it at all.  Ubuntu now has 5
> > > year support for its long term supported version.  Such a pity that
> > > Debian is going the other way.
> > 
> > Support beyond Stable is on a "best effort" basis.  If enough people
> > were willing to actually work on it I'm sure a "long term support"
> > version would be welcome.  Are you volunteering?  You don't have to be a
> > programmer to help with Debian.
> 
> That's true, building new packages can be done based on old packages. I
> don't have the howto at hand, but it's very easy to do. I mark this mail
> as a todo ;) and hopefully I can add a howto within the next days,
> please don't stone me, if I forget to do this ;).
> 
> - Ralf

apt-get source PACKAGENAME

sudo apt-get build-dep PACKAGENAME (or su, if you don't have sudo
installed)

mv -vi PACKAGENAME-1.0/ PACKAGENAME-2.0

wget -O - source_from_origin_place | tar xvj (or whatever)

cd SOURCE_DIR

# edit debian/changelog -> PACKAGENAME (version) e.g. unstable; urgency=low

# edit debian/rules -> if needed

libtoolize --force --copy --automake

aclocal

autoreconf

debuild -b -us -uc

sudo dpkg -i ../PACKAGENAME.deb





Re: [OT] Re: the ghost of UEFI and Micr0$0ft

2012-06-25 Thread Jochen Spieker
Lisi:
> 
> I am just sorry that they have changed it at all.  Ubuntu now has 5 year 
> support for its long term supported version.  Such a pity that Debian is 
> going the other way. :-(

This comparison is a bit unfair since Ubuntu officially only supports
its "main" repository which is, as far as I know, considerably smaller
than Debian's "main". And the LTS promise isn't kept for all flavours or
parts of Ubuntu.[1] AFAIU, Ubuntu's upgrade policy for stable releases
isn't as strict as Debian's either.[2]

So while Debian's stable releases aren't supported as long as Ubuntu's
LTS releases, Debian support covers more packages and is more
conservative in what it includes -- even if that means more work.

And, BTW, Desktop LTS support lasts only for 3 years, not 5.

J.

[1] https://wiki.ubuntu.com/LTS

The LTS designation applies only to specific subsets of the Ubuntu
archive. The LTS may not apply to all flavors and remixes of Ubuntu.
For example, for 8.04 LTS, Kubuntu chose to move to KDE 4.0 and
didn't issue an LTS release. In 10.04, the Netbook Edition was not
an LTS. The project will decide which flavors will be LTS and the
support duration for each, early in the LTS development cycle. 

[2] https://wiki.ubuntu.com/StableReleaseUpdates

In some cases, when upstream fixes bugs, they do a new microrelease
instead of just sending patches. If all of the changes are
appropriate for an SRU by the criteria above, then it is acceptable
(and usually easier) to just upload the complete new upstream
microrelease instead of backporting the individual patches. Note
that some noise introduced by autoreconf is okay, but making
structural changes to the build system (such as introducing new
library dependencies) is generally not.

If a new upstream release has more intrusive changes, you need to
request an exception from the Technical Board, especially if you are
going to upload the package with non-SRU changes multiple times in
the future. Please see special cases below.

-- 
I like my Toyota RAV4 because of the commanding view of the traffic
jams.


Re: [OT] Re: the ghost of UEFI and Micr0$0ft

2012-06-25 Thread Ralf Mardorf
On Mon, 2012-06-25 at 09:49 -0500, John Hasler wrote:
> Lisi writes:
> > I am just sorry that they have changed it at all.  Ubuntu now has 5
> > year support for its long term supported version.  Such a pity that
> > Debian is going the other way.
> 
> Support beyond Stable is on a "best effort" basis.  If enough people
> were willing to actually work on it I'm sure a "long term support"
> version would be welcome.  Are you volunteering?  You don't have to be a
> programmer to help with Debian.

That's true, building new packages can be done based on old packages. I
don't have the howto at hand, but it's very easy to do. I mark this mail
as a todo ;) and hopefully I can add a howto within the next days,
please don't stone me, if I forget to do this ;).

- Ralf






Re: [OT] Re: the ghost of UEFI and Micr0$0ft

2012-06-25 Thread John Hasler
Lisi writes:
> I am just sorry that they have changed it at all.  Ubuntu now has 5
> year support for its long term supported version.  Such a pity that
> Debian is going the other way.

Support beyond Stable is on a "best effort" basis.  If enough people
were willing to actually work on it I'm sure a "long term support"
version would be welcome.  Are you volunteering?  You don't have to be a
programmer to help with Debian.
-- 
John Hasler





Re: [OT] Re: the ghost of UEFI and Micr0$0ft

2012-06-25 Thread Ralf Mardorf
On Mon, 2012-06-25 at 15:29 +0100, Lisi wrote:
> On Tuesday 05 June 2012 18:55:59 Nuno Magalhães wrote:
> > That's awkward, i was under the impression there was a change some
> > years back so that the stable branch would change to a 6 months
> > release schedule. Did that never go through or was it only temporary?
> 
> It was cancelled, though they seem to be trying to keep the gap between 
> releases a bit shorter.  But the fact that Debian stable is well debugged and 
> only released when it is ready, is one of the reasons that I, and, I imagine, 
> others, use it.
> 
> I am just sorry that they have changed it at all.  Ubuntu now has 5 year 
> support for its long term supported version.  Such a pity that Debian is 
> going the other way. :-(
> 
> Lisi

For my needs I unfortunately have to switch distros and versions very
often, but FULL ACK, if a system does fit to our needs, we should use it
10 or 15 years or forever. By theory it's possible for my needs, since a
DAW doesn't need security upgrades for the browser etc., unfortunately I
need to exchange some hardware from time to time. Unfortunately
compiling stuff doesn't work after a while, because you'll run into
dependency hell, sometimes a patch that simply adds a header to the old
source code can help, but anyway, it's a PITA to maintain old faithful
OSes. Pff, no modern monitor is "slow enough" so that I can use it with
my Atari ST ... dinos will die and make place for something new. That
ships with advantages and drawbacks ;).





Re: [OT] Re: the ghost of UEFI and Micr0$0ft

2012-06-25 Thread Lisi
On Tuesday 05 June 2012 18:55:59 Nuno Magalhães wrote:
> That's awkward, i was under the impression there was a change some
> years back so that the stable branch would change to a 6 months
> release schedule. Did that never go through or was it only temporary?

It was cancelled, though they seem to be trying to keep the gap between 
releases a bit shorter.  But the fact that Debian stable is well debugged and  
only released when it is ready, is one of the reasons that I, and, I imagine,  
others, use it.

I am just sorry that they have changed it at all.  Ubuntu now has 5 year 
support for its long term supported version.  Such a pity that Debian is 
going the other way. :-(

Lisi





Re: Reading/posting to Debian mailing lists (was: Re: Fwd: the ghost of UEFI and Micr0$0ft)

2012-06-23 Thread Ralf Mardorf
On Fri, 2012-06-22 at 15:33 +, Camaleón wrote:
> On Fri, 22 Jun 2012 18:26:17 +0530, Harshad Joshi wrote:
> 
> > For some reasons i am not able to get debian members response in my
> > mailbox to my query posted on mailing list.
> 
> (...)
> 
> [snip]
> For the rest of the article I share most of your feelings but won't 
> repeat because I already commented on this thread what are my thoughts on 
> this.

FWIW sometime ago I posted the links to the archive at LAU, the OP of
the UEFI thread might take a look there:
 Forwarded Message 
From: Ralf Mardorf
To: linux-audio-user
Subject: [LAU] OT: Wait, did [UEFI] just really happen?
Date: Wed, 13 Jun 2012 12:25:16 +0200

Take a look at
http://lists.debian.org/debian-user/2012/06/threads.html#00267
    for the thread "the ghost of UEFI and Micr0$0ft".

I flagged the mail with the link to the article and will read it ASAP,
but I guess everything that could be written, already is written.

Regards,
Ralf

PS: Camaleón did the right thing when only replying to the list.
However, in this case a carbon copy might be wanted.





Reading/posting to Debian mailing lists (was: Re: Fwd: the ghost of UEFI and Micr0$0ft)

2012-06-22 Thread Camaleón
On Fri, 22 Jun 2012 18:26:17 +0530, Harshad Joshi wrote:

> For some reasons i am not able to get debian members response in my
> mailbox to my query posted on mailing list.

(...)

Most of the Debian mailing lists are open, meaning there's no need for 
users who want to post to be subscribed.

To receive/read the other users replies you can:

a) Subscribe to get a copy of every single post in your inbox
b) Read the mailing list using a newsreader

If you are subscribed you should receive an e-mail so if you get nothing 
something is going wrong and would need further investigation.

For the rest of the article I share most of your feelings but won't 
repeat because I already commented on this thread what are my thoughts on 
this.

Greetings,

-- 
Camaleón





Re: Fwd: the ghost of UEFI and Micr0$0ft

2012-06-22 Thread John Hasler
Harshad Joshi writes:
> Lot of PC/laptop/tablets in 2012 and beyond will have UEFI instead of
> good old bios.

Bad old bios.  Very bad.  It was designed for 8080s and floppy disks.
It was excellent for that environment but it has been obsolete for
decades.

> Will Debian community fight against this evil step taken by computer
> makers?

UEFI is not evil (though Coreboot is better), and there is a lot more to
it than the signing stuff.  Even the latter is not intrinsically evil:
it all depends on the implementation.
-- 
John Hasler





Fwd: the ghost of UEFI and Micr0$0ft

2012-06-22 Thread Harshad Joshi
For some reasons i am not able to get debian members response in my mailbox
to my query posted on mailing list.

So i have written a brief post about UEFI, Canonical and Microsoft over
here -
http://harshad.wordpress.com/2012/06/22/the-ghost-of-uefi-and-micr00ft/

Canonical too has some plans for UEFI..experts can find the link in blog
post.

Please post your views so that i can get to know what debian and FOSS
policies are about UEFI, BIOS and Grub 2. Or you can directly mail me your
thoughts.



-- Forwarded message --
From: Harshad Joshi 
Date: Tue, Jun 5, 2012 at 12:52 PM
Subject: the ghost of UEFI and Micr0$0ft
To: debian-user@lists.debian.org


i was reading this article -  http://mjg59.dreamwidth.org/12368.html

It is written by someone related to redhat and it describes implementing
UEFI secure boot in Fedora Core.

Lot of PC/laptop/tablets in 2012 and beyond will have UEFI instead of good
old bios.

I want to know what Debian is planning to do and how it will thwart this
potential threat to opensource software and now hardware architecture.

Will Debian community fight against this evil step taken by computer makers
?

All idea of opensource is not open unless we have access to open hardware
architecture.


-- 
Harshad Joshi





-- 
Harshad Joshi


Re: [OT] Re: the ghost of UEFI and Micr0$0ft

2012-06-20 Thread Sthu Deus
Good time of the day, Camaleón.


Thank You for Your support and assistance for Deb. users!
You wrote:

> We don't have to hold for those "horrible" things anymore. We need to 
> develop our own way. If we remain at the commands of MS we will be
> doing it wrong.

I agree w/ You. Debian is outstanding distro - not just another distro,
I would call it home for FLOSS - and it is already not only linux
kernel limited. And a good territory for people's freedom protection.


Sthu.





Re: the ghost of UEFI and Micr0$0ft

2012-06-10 Thread Scott Ferguson
Correction

On 11/06/12 12:36, Scott Ferguson wrote:



> add your own key to the UEFI... apparently that would *require you
> typing it in* (256 characters).


I can't confirm that as I had first hand access to the W8 pad, could be
a bum steer. :-(
Nothing in the published specs to show the format of the key or the
procedure for adding a key for custom mode.

I can see an upside if it's impossible to run Linux on OEM W8 devices -
MS has lost its market share and will become irrelevant anyway, more
people buying devices without MS pre-installed is good for GNU/Linux -
and few hardware manufacturers are going to pin their futures on MS
anyway (just ask the retail industry how excited they are about Metro
and the new Nokias), and manufacturers aren't going to kiss the parts
market goodbye (which would require custom mode UEFI).
When it comes to "OS conversions" there's plenty of pre-UEFI devices
that'll be available second-hand, (more as MS fans move from XP), and I
suspect dual booting doesn't have the conversion rate of a dedicated
GNU/Linux machine.


> Never going to happen - most Windoof users will want the
> ability to run unsigned code, 

Various antimalware programs that need to load during the secure boot
sequence, (and rootkits).  Not Ffflash and Acrobat etc, I'm told W8 will
boot in secure mode and run unsigned code - as long as it's post desktop
(runs under user permissions).

> hence the unsecure boot mode.




Kind regards


-- 
Iceweasel/Firefox/Chrome/Chromium/Iceape/IE extensions for finding
answers to questions about Debian:-
https://addons.mozilla.org/en-US/firefox/collections/Scott_Ferguson/debian/





Re: the ghost of UEFI and Micr0$0ft

2012-06-10 Thread Scott Ferguson
On 07/06/12 16:46, Miles Bader wrote:
> Scott Ferguson  writes:
>>>> You can't disable the code signing requirement on ARM.
>>>
>>> ... which is a great deal more worrying.
>>
>> Yes. And no.
>> I'd hate to see a situation where it was impossible to buy an ARM (or
>> other CPU based board) without UEFI that can be disabled - but I support
>> devices that can be made to *only* run signed code *provided* MS is
>> *not* the certificate agency.
> 
> Would that mean anybody who wants to build their own kernel would need
> to buy a signing key?
> 
> -miles
> 

For a UEFI that conforms with Windoof 8 Secure Boot on ARM?
I haven't seen such a beast - my best guess according to the
specifications is that you'd have two choices (Buckley's and none):-
;sign your OS (boot, through kernel to module) with a key already signed
by the UEFI key
;convince a hardware manufacturer to add your key to the UEFI


For a UEFI that conforms with Windoof 8 Secure Boot on x86[*1] the only
example I'm aware of is the Sony tablet with the W8 developer preview.
It allows for you to use a key that has been signed by Microsoft (the
$99 sysdev key) and you also add your own key to the UEFI... apparently
that would *require you typing it in* (256 characters).

[*1]more about that here:-
http://blogs.msdn.com/b/b8/archive/2011/09/22/protecting-the-pre-os-environment-with-uefi.aspx

NOTES: there are, and will continue to be devices for sale without MS
pre-installed. Anyone buying a device with MS pre-installed with the
intention of replacing it with GNU/Linux is shooting themselves in the
foot and helping perpetuate the myth that MS has a monopoly (Apple and
Google have more influence over manufacturers than MS).
We are discussing UEFI as implemented by devices bearing the W8 flag -
many devices won't have that UEFI. I visited two computer stores on the
weekend - both had MS on less than 15% of the devices for sale, 100% of
desktops, 80% of laptops, about 50% of netbooks - and sod all of the
tablets, pads, and phones. So I doubt that many UEFI for ARM devices
will be built with a MS Secure Boot UEFI.

Getting your key (not signed by the CA) into a Windoof 8 UEFI would
require the hardware manufacturer adding it (KEK) something that only
Microsoft or an OEM could swing. Unless you're offering the manufacturer
a lot of money it's unlikely they'd help you - even RedHat couldn't
swing that deal.  I suspect a hobbyist/system administrator will have
two choices with the x86 Windoof 8 UEFI:-
;pay the CA $99 for an endorsed key, use it to sign your OS and it'll
"just work"
;add your own key to the UEFI *if* your hardware allows adding one to
the UEFI (doesn't look like UEFI for ARM will have that capacity)

If you're in the business of supporting Debian then you'd pay the $99
that way the client can only run what you are contracted to support.
Would that be providing MS with sustenance? Yes - though most of that
$99 goes to Verisoft. If you're in the business of supporting a
pre-installed Debian you'd need to deal with the hardware manufacturer
to have a custom UEFI. I suspect that last option will be made available
- MS no longer have the sway with hardware manufacturers they used to...
MS hasn't had a monopoly for a while so can't negotiate from a position
of strength (Apple and Google can though).

On a positive note - I don't believe that Microsoft has drafted the
terms of the W8 UEFI to include an unsecured boot mode out of fear of
being prosecuted for monopolising the UEFI for W8 UEFI Secure Boot
to work everything must be signed - even the IE plugins, Fffflash,
Acrobat etc. Never going to happen - most Windoof users will want the
ability to run unsigned code, hence the unsecure boot mode. My theory is
that the MS UEFI wet dream is *only MS on W8*, not *only MS on the box*.


Kind regards

-- 
Iceweasel/Firefox/Chrome/Chromium/Iceape/IE extensions for finding
answers to questions about Debian:-
https://addons.mozilla.org/en-US/firefox/collections/Scott_Ferguson/debian/





Re: the ghost of UEFI and Micr0$0ft

2012-06-09 Thread Nate Bargmann
* On 2012 09 Jun 01:15 -0500, Chris Bannister wrote:
> On Wed, Jun 06, 2012 at 06:20:12PM -0700, Weaver wrote:
> > After all this time, he still doesn't understand that the free/open source
> > software movement works for itself.
> 
> He has a bit of an axe to grind.
> 
> http://en.wikipedia.org/wiki/Open_Letter_to_Hobbyists

I doubt he will ever get over it.  Note the portion where his commercial
enterprise was initially done on a PDP-10 provided by the US DOD--US
taxpayer funded--for "free".  What he stole, computer time, was of no
consequence, apparently.  The guy has lived the double standard all his
life.

Perhaps MSFT should go back to pricing software on the level of the
initial Altair BASIC which, per the article, was priced at $500!  That's
1975 dollars and works out to $2138.34 in 2012 (per US Bureau of Labor
Statistics).  Then you could buy the entire Altair package including
BASIC for just $995.  Heh!

- Nate >>

-- 

"The optimist proclaims that we live in the best of all
possible worlds.  The pessimist fears this is true."

Ham radio, Linux, bikes, and more: http://www.n0nb.us





Re: the ghost of UEFI and Micr0$0ft

2012-06-09 Thread Weaver

> On Wed, Jun 06, 2012 at 06:20:12PM -0700, Weaver wrote:
>> After all this time, he still doesn't understand that the free/open
>> source
>> software movement works for itself.
>
> He has a bit of an axe to grind.
>
> http://en.wikipedia.org/wiki/Open_Letter_to_Hobbyists
> http://www.digibarn.com/collections/newsletters/homebrew/V2_01/gatesletter.html
>
> And yet:
>
> http://wiki.answers.com/Q/Who_did_Bill_Gates_steal_DOS_from
> http://blogs.msdn.com/b/larryosterman/archive/2005/06/24/432386.aspx
>
> 'My favorite Gary Kildall quote on the issue:
> "Ask Bill [Gates] why the string in function 9 is terminated by a
> dollar sign. Ask him, because he can't answer, only I know that." '

Yes, heard most of this before.
Along with the odd episode along the way, such as how the head engineer
for the NT project was treated.
Gates is the last one to preach 'Holy, Holy'.

All this lockin process - and agreed, secure boot is no real problem yet -
gives me the heebee-geebees when other aspects such as the degree of
kernel development Microsoft does.

They have enough friends in government to arrange a small change in
copyright law when it suits them.
There's nothing all those three letter government agencies would welcome
more than a backdoor into every OS on the planet, rather than just the
Microsoft machines.
Regards,

Weaver.
-- 


Religion is regarded by the common people as true,
by the wise as false,
and by the rulers as useful.

— Lucius Annæus Seneca.

Terrorism, the new religion.






Re: the ghost of UEFI and Micr0$0ft

2012-06-08 Thread Chris Bannister
On Wed, Jun 06, 2012 at 06:20:12PM -0700, Weaver wrote:
> After all this time, he still doesn't understand that the free/open source
> software movement works for itself.

He has a bit of an axe to grind.

http://en.wikipedia.org/wiki/Open_Letter_to_Hobbyists
http://www.digibarn.com/collections/newsletters/homebrew/V2_01/gatesletter.html

And yet:

http://wiki.answers.com/Q/Who_did_Bill_Gates_steal_DOS_from
http://blogs.msdn.com/b/larryosterman/archive/2005/06/24/432386.aspx

'My favorite Gary Kildall quote on the issue:
"Ask Bill [Gates] why the string in function 9 is terminated by a
dollar sign. Ask him, because he can't answer, only I know that." '

-- 
"If you're not careful, the newspapers will have you hating the people
who are being oppressed, and loving the people who are doing the 
oppressing." --- Malcolm X





Re: the ghost of UEFI and Micr0$0ft

2012-06-08 Thread Ralf Mardorf
On Fri, 2012-06-08 at 06:21 -0400, Carl Fink wrote:
> On Fri, Jun 08, 2012 at 05:26:30AM +0200, Ralf Mardorf wrote:
> 
> > The handling for the end user is optimized to fit to the needs of
> > Windows end users. Slavko already has written that Windows end users
> > don't compile Windows kernels, but Linux end users do.
> 
> No we don't. That hasn't been generally true for years.
> 
> Yes, it is *possible* to do so, but it hasn't really been common for some
> time.

At least for Linux audio users it's still common to build Linux kernels
(of course, we don't build Windows kernels ;).

Regards,
Ralf 





Re: the ghost of UEFI and Micr0$0ft

2012-06-08 Thread Christofer C. Bell
On Thu, Jun 7, 2012 at 11:05 PM, Miles Bader  wrote:
> "Christofer C. Bell"  writes:
>>> Would that mean anybody who wants to build their own kernel would need
>>> to buy a signing key?
>>
>> Not at all.  You can generate your own key and load it into your UEFI.
>>  It's no different a situation than using self-signed ssl certs
>> without buying one from a certificate authority.  There's no need to
>> pay any money to anyone to use the secure boot feature.  Is it a
>> hassle?  Sure, but you're not beholden to any 3rd party regardless.
>
> Er, wait, doesn't that mean a malware author could do the same thing?

Yes, any malware author would be able to generate a signing key and
sign their software as authentic genuine malware.  This does not mean
that you are compelled to trust that key.

> Or is entering a new key a "manual" process ("type in the 50 hex digit
> key")?

You would need to enter that key yourself into your UEFI indicating
that you trust the malware author's key.  If you do not enter it into
your system, you indicate that you do not trust the key and therefore
the malware will not be allowed to run on your machine.

> Can there be multiple keys (I vaguely recall the article saying there
> could only be one key [at MS's insistence]...but not sure if I really
> understood what it was saying)?

That depends on the UEFI implementation.  I would guess that multiple
keys are possible.

-- 
Chris
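
The trust decision described in the message above (anyone can generate a signing key, but an image only boots if its key has been entered into the firmware), as an added example that is not part of the original thread. It is a model, not UEFI code: Lamport one-time hash signatures stand in for the RSA/X.509 signatures real firmware checks, so that it runs on the Python standard library alone, and the `Firmware` class and the sample images are constructed for illustration (`db` and `dbx` are named after the UEFI allowed and forbidden signature databases).

```python
import hashlib
import secrets


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def generate_keypair():
    """Anyone can do this, at no cost: 256 pairs of random secrets (private)
    and their SHA-256 hashes (public). Lamport keys are one-time: sign only
    one image per key pair."""
    priv = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pub = [(_h(zero), _h(one)) for zero, one in priv]
    return priv, pub


def _digest_bits(image: bytes):
    """The 256 bits of the image's SHA-256 digest, most significant first."""
    digest = _h(image)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def sign(priv, image: bytes):
    """Reveal, for each digest bit, the secret that matches the bit's value."""
    return [priv[i][bit] for i, bit in enumerate(_digest_bits(image))]


def verify(pub, image: bytes, signature) -> bool:
    """Each revealed secret must hash to the public value for that bit."""
    if len(signature) != 256:
        return False
    return all(_h(signature[i]) == pub[i][bit]
               for i, bit in enumerate(_digest_bits(image)))


def fingerprint(pub) -> str:
    return _h(b"".join(zero + one for zero, one in pub)).hex()


class Firmware:
    """Hypothetical model of the firmware's boot decision (keys only)."""

    def __init__(self):
        self.db = {}      # fingerprint -> public key the owner has enrolled
        self.dbx = set()  # fingerprints of keys that have been revoked

    def enroll(self, pub):
        self.db[fingerprint(pub)] = pub

    def revoke(self, pub):
        self.dbx.add(fingerprint(pub))

    def boot(self, image: bytes, signature):
        """Return the fingerprint of the key that authorised the image,
        or None if no enrolled, non-revoked key verifies the signature."""
        for fp, pub in self.db.items():
            if fp not in self.dbx and verify(pub, image, signature):
                return fp
        return None


def demo():
    firmware = Firmware()
    owner_priv, owner_pub = generate_keypair()
    stranger_priv, stranger_pub = generate_keypair()
    firmware.enroll(owner_pub)  # only the owner's key is trusted at first

    # Constructed sample images, not real kernels.
    kernel = b"constructed sample: self-built kernel image"
    kernel_sig = sign(owner_priv, kernel)
    other = b"constructed sample: image signed by an unknown party"
    other_sig = sign(stranger_priv, other)

    results = {
        "owner_kernel": firmware.boot(kernel, kernel_sig) is not None,
        "modified_kernel": firmware.boot(kernel + b"!", kernel_sig) is not None,
        "stranger_image": firmware.boot(other, other_sig) is not None,
    }
    # A validly signed image is still refused until its key is enrolled;
    # several keys can be enrolled side by side in this model.
    firmware.enroll(stranger_pub)
    results["stranger_after_enroll"] = firmware.boot(other, other_sig) is not None
    # Revocation overrides enrollment.
    firmware.revoke(stranger_pub)
    results["stranger_after_revoke"] = firmware.boot(other, other_sig) is not None
    return results


if __name__ == "__main__":
    for case, booted in demo().items():
        print(f"{case:24} {'boots' if booted else 'refused'}")
```
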





Re: the ghost of UEFI and Micr0$0ft

2012-06-08 Thread Christofer C. Bell
On Thu, Jun 7, 2012 at 10:43 PM, Ralf Mardorf
 wrote:
> On Thu, 2012-06-07 at 21:36 -0500, Christofer C. Bell wrote:
>> This "new world" doesn't tie you to Microsoft or any other company.
>
> You're mistaken, it does and it does it in a way I don't like it.
> As soon as Apple or Microsoft are involved in such things, a healthy
> suspicion can't harm.

No, it doesn't.  When you build your own kernel, you become the
maintainer of it, the distributor of it, the "vendor" of it, if you
will.  You're able to generate your own signing key to sign your
kernel, just as Microsoft or Apple is free to generate their keys and
sign the software *they* are custodians of.  You are not beholden to
Microsoft to obtain keys for your Linux kernel -- it's up to you to
handle the management of *your* keys for *your* kernel.

> Perhaps Linux keys sold by Microsoft will be blacklisted, because of US
> laws, such as the prohibition to share hardware and software with some
> countries the US government doesn't like.

They're not "Linux keys sold by Microsoft" they're "UEFI secure boot
signing keys sold by Microsoft" and one Linux distributor has
purchased one to use.  Fedora also has the option (as does Debian) to
generate their own signing key to use and then provide users with
instructions on how to integrate that key into their system.

-- 
Chris





Re: the ghost of UEFI and Micr0$0ft

2012-06-08 Thread Christofer C. Bell
On Thu, Jun 7, 2012 at 10:26 PM, Ralf Mardorf
 wrote:
> On Thu, 2012-06-07 at 23:34 +0100, Roger Leigh wrote:
>> Let's be clear what this is.  I have to get *permission* from someone
>> else, to run a program on my own computer.  To actually use my
>> computer to do my stuff, I have to take extraordinary steps to get
>> someone else to grant me access.  That's *fundamentally wrong*.
>
> +1
>
> Moreover that someone is Microsoft, while Linux is a rival on the
> software market and Microsoft is known for unlawful acting to get rid of
> business competition. Without being paranoid, for me there's some
> negative connotation.

No, -1, since Roger's assumption isn't true.

> The handling for the end user is optimized to fit to the needs of
> Windows end users. Slavko already has written that Windows end users
> don't compile Windows kernels, but Linux end users do.

Microsoft takes care of the code signing for the kernel they build and
provide with their operating system.  Fedora is doing the same,
utilizing Microsoft's key.  Linux users who want to compile their own
kernel and become, in effect, a "distributor" of a custom Linux kernel
can do the same for themselves -- generate a signing key, and sign
their own kernel -- just as Microsoft signs theirs.

-- 
Chris





Re: the ghost of UEFI and Micr0$0ft

2012-06-08 Thread Mika Suomalainen
On 07.06.2012 03:43, Christofer C. Bell wrote:
> On Wed, Jun 6, 2012 at 2:46 PM, Roger Leigh  wrote:
>> On Wed, Jun 06, 2012 at 01:07:23PM -0400, Tom H wrote:
>>>
>>> What's non-free about signing the "boot-chain"?
>>
>> Do I have the freedom to build and install and boot my own kernel?
>>
>> No?  Looks like I lost the freedom to have any semblance of control
>> over my own hardware.
> 
> You have the freedom to either:
> 
> a.) Disable Secure Boot and run your own kernel
> 
> or
> 
> b.) Generate your own signing key, sign your own kernel, and load your
> own key into your system's UEFI.
> 
> You have not lost any semblance of control over your own hardware.
> 

If I have understood correctly, A and B depend on whether your hardware
manufacturer allows it, and allowing it is optional for them.

-- 
[Mika Suomalainen](https://mkaysi.github.com/) ||
[gpg --keyserver pool.sks-keyservers.net --recv-keys
4DB53CFE82A46728](http://mkaysi.github.com/PGP/key.txt) ||
[Why do I sign my
emails?](http://mkaysi.github.com/PGP/WhyDoISignEmails.html) ||
[Please don't send
HTML.](http://mkaysi.github.com/articles/complaining/HTML.html) ||
[This signature](https://gist.github.com/2643070#file_icedove.md) ||

[Please reply below this
line](http://mkaysi.github.com/articles/complaining/topposting.html)







Re: the ghost of UEFI and Micr0$0ft

2012-06-08 Thread Rob Owens
On Thu, Jun 07, 2012 at 09:36:32PM -0500, Christofer C. Bell wrote:
> On Thu, Jun 7, 2012 at 5:34 PM, Roger Leigh  wrote:
> >
> > Let's be clear what this is.  I have to get *permission* from someone
> > else, to run a program on my own computer.  To actually use my
> > computer to do my stuff, I have to take extraordinary steps to get
> > someone else to grant me access.  That's *fundamentally wrong*.
> 
> No, we need to be clear that you do *not* have to get permission from
> someone else to run a program on your computer.  You can get

He needs permission from Verisign.  $99 plus whatever hoops they make
him jump through.

Imagine if you bought a new pair of pants but you couldn't wear them
until you paid Verisign.

-Rob


Archive: http://lists.debian.org/20120608124220.ga7...@aurora.owens.net



Re: the ghost of UEFI and Micr0$0ft

2012-06-08 Thread Slavko
Hi,

On Fri, 8 Jun 2012 06:21:46 -0400 Carl Fink wrote:

> On Fri, Jun 08, 2012 at 05:26:30AM +0200, Ralf Mardorf wrote:
> 
> > The handling for the end user is optimized to fit to the needs of
> > Windows end users. Slavko already has written that Windows end users
> > don't compile Windows kernels, but Linux end users do.
> 
> No we don't. That hasn't been generally true for years.
> 
> Yes, it is *possible* to do so, but it hasn't really been common for some
> time.

Freedom is not about things which we do often, but about things which
we can do when we want (or need).

Yes, you are right, I built my last custom kernel about 2 years ago. This
kernel is compiled with small size and memory requirements in mind. This
kernel (for my custom PXE backup tool) is still working for me. But when
there is a need for new HW drivers, I will have to compile a new one.

Some of my friends often speak about free (open) HW. I used to joke
about them in the past, but now I understand their ideas.

regards

-- 
Slavko
http://slavino.sk




Re: the ghost of UEFI and Micr0$0ft

2012-06-08 Thread Roger Leigh
On Thu, Jun 07, 2012 at 09:33:45PM -0500, Christofer C. Bell wrote:
> On Thu, Jun 7, 2012 at 1:46 AM, Miles Bader  wrote:
> > Scott Ferguson  writes:
> >>>> You can't disable the code signing requirement on ARM.
> >>>
> >>> ... which is a great deal more worrying.
> >>
> >> Yes. And no.
> >> I'd hate to see a situation where it was impossible to buy an ARM (or
> >> other CPU based board) without UEFI that can be disabled - but I support
> >> devices that can be made to *only* run signed code *provided* MS is
> >> *not* the certificate agency.
> >
> > Would that mean anybody who wants to build their own kernel would need
> > to buy a signing key?
> 
> Not at all.  You can generate your own key and load it into your UEFI.

This is of course a major part of the problem.  There are no
guarantees that you will be able to install your own keys into
your device.  That's up to the UEFI implementor.

>  It's no different a situation than using self-signed ssl certs
> without buying one from a certificate authority.  There's no need to
> pay any money to anyone to use the secure boot feature.  Is it a
> hassle?  Sure, but you're not beholden to any 3rd party regardless.

If you have the ability to install your public cert, then sure.
But how many implementors will choose to provide only Microsoft's
key, and provide no facility for changing it?  For ARM systems
running Windows 8, I suspect that will be most of them.


Regards,
Roger

-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux    http://people.debian.org/~rleigh/
 `. `'   schroot and sbuild  http://alioth.debian.org/projects/buildd-tools
   `-    GPG Public Key      F33D 281D 470A B443 6756 147C 07B3 C8BC 4083 E800


Archive: http://lists.debian.org/20120608104432.gv15...@codelibre.net



Re: the ghost of UEFI and Micr0$0ft

2012-06-08 Thread Roger Leigh
On Fri, Jun 08, 2012 at 06:21:46AM -0400, Carl Fink wrote:
> On Fri, Jun 08, 2012 at 05:26:30AM +0200, Ralf Mardorf wrote:
> 
> > The handling for the end user is optimized to fit to the needs of
> > Windows end users. Slavko already has written that Windows end users
> > don't compile Windows kernels, but Linux end users do.
> 
> No we don't. That hasn't been generally true for years.
> 
> Yes, it is *possible* to do so, but it hasn't really been common for some
> time.

This is true, but it's also true of most software outside the kernel
as well.  But that is not to say that losing the freedom to do so
is unimportant, it most certainly is.


Regards,
Roger

-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux    http://people.debian.org/~rleigh/
 `. `'   schroot and sbuild  http://alioth.debian.org/projects/buildd-tools
   `-    GPG Public Key      F33D 281D 470A B443 6756 147C 07B3 C8BC 4083 E800


Archive: http://lists.debian.org/20120608103218.gu15...@codelibre.net



Re: the ghost of UEFI and Micr0$0ft

2012-06-08 Thread Carl Fink
On Fri, Jun 08, 2012 at 05:26:30AM +0200, Ralf Mardorf wrote:

> The handling for the end user is optimized to fit to the needs of
> Windows end users. Slavko already has written that Windows end users
> don't compile Windows kernels, but Linux end users do.

No we don't. That hasn't been generally true for years.

Yes, it is *possible* to do so, but it hasn't really been common for some
time.
-- 
Carl Fink   nitpick...@nitpicking.com 

Read my blog at blog.nitpicking.com.  Reviews!  Observations!
Stupid mistakes you can correct!


Archive: http://lists.debian.org/20120608102146.ga7...@panix.com



Re: the ghost of UEFI and Micr0$0ft

2012-06-08 Thread Claudius Hubig
Hello Miles,

Miles Bader  wrote:
> Or is entering a new key a "manual" process ("type in the 50 hex digit
> key")?

Something like that, yes. Either via an already-signed update at
runtime or manually at something like the current BIOS interfaces.

> Can there be multiple keys (I vaguely recall the article saying there
> could only be one key [at MS's insistence]...but not sure if I really
> understood what it was saying)?

At the moment, only one key can be used to _sign_ software/drivers.
There can be more than one key on your computer to verify these
signatures.

That is, a driver A can only be signed by one entity (1) and
driver B can only be signed by 2, but if you have both the public
keys of 1 and 2 in your UEFI keystore, you can load driver A and
driver B. Of course, it is also possible to distribute variants A'
and A'' signed by 2 and 3.

Best regards,

Claudius
-- 
I tried the clone syscall on me, but it didn't work.
-- Mike Neuffer trying to fix a serious time problem
http://chubig.net  telnet nightfall.org 4242
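
The keystore model described in the message above (each image carries one signature, the firmware may hold several public keys), as an added example that is not part of the thread. It is a simplified model using plain `openssl`: detached signatures and a directory of public keys stand in for the Authenticode signature and the UEFI `db` variable, and all signer and file names are constructed.

```shell
#!/bin/sh
# Simplified model of Secure Boot signature checking (constructed example).
# Real firmware checks a signature embedded in the PE image against X.509
# certificates in the "db" variable; here each image has a detached ".sig"
# file and the keystore is a directory of public keys.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
DB="$WORK/db"                      # stands in for the firmware keystore
mkdir -p "$DB"

# make_signer NAME: generate a private key and export its public half.
make_signer() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/$1.key" 2>/dev/null &&
    openssl pkey -in "$WORK/$1.key" -pubout -out "$WORK/$1.pub" 2>/dev/null
}

# enroll / unenroll NAME: add or remove a public key from the keystore.
enroll()   { cp "$WORK/$1.pub" "$DB/$1.pub"; }
unenroll() { rm -f "$DB/$1.pub"; }

# sign_image SIGNER IMAGE: one signer produces one signature for the image.
sign_image() {
    openssl dgst -sha256 -sign "$WORK/$1.key" -out "$2.sig" "$2"
}

# verify_image IMAGE: succeed if ANY enrolled key verifies the signature.
# Prints the name of the key that matched; returns 1 if none does.
verify_image() {
    [ -f "$1.sig" ] || return 1
    for pub in "$DB"/*.pub; do
        [ -f "$pub" ] || continue
        if openssl dgst -sha256 -verify "$pub" -signature "$1.sig" "$1" \
                >/dev/null 2>&1; then
            basename "$pub" .pub
            return 0
        fi
    done
    return 1
}

# Constructed scenario: driver A signed by signer1, driver B by signer2,
# and a third image signed with a key that was never enrolled.
make_signer signer1
make_signer signer2
make_signer unenrolled
printf 'driver A code' > "$WORK/driverA.efi"
printf 'driver B code' > "$WORK/driverB.efi"
printf 'other code'    > "$WORK/other.efi"
sign_image signer1    "$WORK/driverA.efi"
sign_image signer2    "$WORK/driverB.efi"
sign_image unenrolled "$WORK/other.efi"
enroll signer1
enroll signer2

for img in driverA driverB other; do
    if who=$(verify_image "$WORK/$img.efi"); then
        echo "$img.efi: load (verified by $who)"
    else
        echo "$img.efi: refuse (no enrolled key matches)"
    fi
done
```

A key that anyone generates is only useful once it is enrolled in the keystore, which is why the enrollment step (and who controls it) is the security-relevant part of the design.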




Re: the ghost of UEFI and Micr0$0ft

2012-06-07 Thread Paul E Condon
On 20120607_213632, Christofer C. Bell wrote:
> On Thu, Jun 7, 2012 at 5:34 PM, Roger Leigh  wrote:
> >
> > Let's be clear what this is.  I have to get *permission* from someone
> > else, to run a program on my own computer.  To actually use my
> > computer to do my stuff, I have to take extraordinary steps to get
> > someone else to grant me access.  That's *fundamentally wrong*.
> 
> No, we need to be clear that you do *not* have to get permission from
> someone else to run a program on your computer.  You can get
> permission from *yourself* by using your own signing key.  The only
> downside is that you can't distribute your custom kernel without also
> providing the signing key to whomever is going to *also use it with
> secure boot* (they are free to disable secure boot, of course, or sign
> it with their *own* key, just like you did).
> 
> This "new world" doesn't tie you to Microsoft or any other company.
> 
> -- 
> Chris

Of course, after this infrastructure is in place, people will start
discovering other uses for this identity key that 'everybody' has,
like controlling access to the internet, and neat tricks like
that. But that has nothing to do with software freedom. A self-signed
key would surely not be accepted for these new infringements of our
liberty.

I hope I haven't thought of something that is unthinkable and thereby
marked myself as an evil person in the eyes of those who are watching.


-- 
Paul E Condon   
pecon...@mesanetworks.net


Archive: http://lists.debian.org/20120608053509.gb15...@big.lan.gnu



Re: the ghost of UEFI and Micr0$0ft

2012-06-07 Thread Miles Bader
"Christofer C. Bell"  writes:
>> Would that mean anybody who wants to build their own kernel would need
>> to buy a signing key?
>
> Not at all.  You can generate your own key and load it into your UEFI.
>  It's no different a situation than using self-signed ssl certs
> without buying one from a certificate authority.  There's no need to
> pay any money to anyone to use the secure boot feature.  Is it a
> hassle?  Sure, but you're not beholden to any 3rd party regardless.

Er, wait, doesn't that mean a malware author could do the same thing?

Or is entering a new key a "manual" process ("type in the 50 hex digit
key")?

Can there be multiple keys (I vaguely recall the article saying there
could only be one key [at MS's insistence]...but not sure if I really
understood what it was saying)?

Thanks,

-miles

-- 
We have met the enemy, and he is us.  -- Pogo


Archive: http://lists.debian.org/877gvisb1u@catnip.gol.com



Re: the ghost of UEFI and Micr0$0ft

2012-06-07 Thread Ralf Mardorf
On Thu, 2012-06-07 at 21:36 -0500, Christofer C. Bell wrote:
> This "new world" doesn't tie you to Microsoft or any other company.

You're mistaken, it does and it does it in a way I don't like it.
As soon as Apple or Microsoft are involved in such things, a healthy
suspicion can't harm.

Perhaps Linux keys sold by Microsoft will be blacklisted, because of US
laws, such as the prohibition to share hardware and software with some
countries the US government doesn't like.

- Ralf


Archive: http://lists.debian.org/1339127003.4075.26.camel@precise



Re: the ghost of UEFI and Micr0$0ft

2012-06-07 Thread Ralf Mardorf
On Thu, 2012-06-07 at 18:20 -0400, Tom H wrote:
> You're already paying a for-profit company for your computer so this
> is "just" another USD 99 for a key.

It might be that I need to pay for the BIOS or whatever, when I buy a
new mobo, dunno, but I don't pay a Cent now and my mobo doesn't nearly
cost 99 US$. I don't pay anyone, if I build a kernel-rt.
In Germany I'm paying a lot to different Mafias. If I buy an empty sound
carrier I have to pay a performing right society called GEMA, but that's
not a good argument for paying an additional fee.

- Ralf


Archive: http://lists.debian.org/1339124944.4075.6.camel@precise



Re: the ghost of UEFI and Micr0$0ft

2012-06-07 Thread Ralf Mardorf
On Thu, 2012-06-07 at 23:34 +0100, Roger Leigh wrote:
> Let's be clear what this is.  I have to get *permission* from someone
> else, to run a program on my own computer.  To actually use my
> computer to do my stuff, I have to take extraordinary steps to get
> someone else to grant me access.  That's *fundamentally wrong*.

+1

Moreover that someone is Microsoft, while Linux is a rival on the
software market and Microsoft is known for unlawful acting to get rid of
business competition. Without being paranoid, for me there's some
negative connotation.

The handling for the end user is optimized to fit to the needs of
Windows end users. Slavko already has written that Windows end users
don't compile Windows kernels, but Linux end users do.

- Ralf


Archive: http://lists.debian.org/1339125990.4075.17.camel@precise



Re: the ghost of UEFI and Micr0$0ft

2012-06-07 Thread Christofer C. Bell
On Thu, Jun 7, 2012 at 5:34 PM, Roger Leigh  wrote:
>
> Let's be clear what this is.  I have to get *permission* from someone
> else, to run a program on my own computer.  To actually use my
> computer to do my stuff, I have to take extraordinary steps to get
> someone else to grant me access.  That's *fundamentally wrong*.

No, we need to be clear that you do *not* have to get permission from
someone else to run a program on your computer.  You can get
permission from *yourself* by using your own signing key.  The only
downside is that you can't distribute your custom kernel without also
providing the signing key to whomever is going to *also use it with
secure boot* (they are free to disable secure boot, of course, or sign
it with their *own* key, just like you did).

This "new world" doesn't tie you to Microsoft or any other company.

-- 
Chris


Archive: 
http://lists.debian.org/CAOEVnYt4i+=7-=kWtevjc5hAdMDbvnPOcAM==1qhag6x5wa...@mail.gmail.com



Re: the ghost of UEFI and Micr0$0ft

2012-06-07 Thread Christofer C. Bell
On Thu, Jun 7, 2012 at 1:46 AM, Miles Bader  wrote:
> Scott Ferguson  writes:
>>>> You can't disable the code signing requirement on ARM.
>>>
>>> ... which is a great deal more worrying.
>>
>> Yes. And no.
>> I'd hate to see a situation where it was impossible to buy an ARM (or
>> other CPU based board) without UEFI that can be disabled - but I support
>> devices that can be made to *only* run signed code *provided* MS is
>> *not* the certificate agency.
>
> Would that mean anybody who wants to build their own kernel would need
> to buy a signing key?

Not at all.  You can generate your own key and load it into your UEFI.
 It's no different a situation than using self-signed ssl certs
without buying one from a certificate authority.  There's no need to
pay any money to anyone to use the secure boot feature.  Is it a
hassle?  Sure, but you're not beholden to any 3rd party regardless.

-- 
Chris


Archive: 
http://lists.debian.org/caoevnyts_avjvs-2bkaka5aacblnat4cp0m_ax9y3c2jnmn...@mail.gmail.com



Re: the ghost of UEFI and Micr0$0ft

2012-06-07 Thread ACro

> I can get the source and modify it.  But I can't exercise my freedom
> by actually running it.  I can't *use* it.  Not unless I pay some
> money for a special key.  And get "authorised" to run my own code on
> my own computer.
>
> Let's be clear what this is.  I have to get *permission* from someone
> else, to run a program on my own computer.  To actually use my
> computer to do my stuff, I have to take extraordinary steps to get
> someone else to grant me access.  That's *fundamentally wrong*.


This would be a huge absurdity and a profound injustice. We have to
*boycott* all hardware makers who are going to stupidly lock their
hardware (if they are ever going to do that; hopefully they're
intelligent people). And let's raise our voices *before* they do,
sending tons of mails to them, saying that we would refuse to buy their
things again if they did bow to absurd MS requests, and that we would
tell everyone to do the same - even to MS users.

It's just too *ridiculous* how a big, a huge software company, that
theoretically could afford to create one of the best software around,
is just acting like a stupid, childish, fearful braggart, just being
able to erect concrete walls in defense of its obtusely built world.
They could *learn* from the creative and constructive ways of FLOSS,
and still sell their things and make money, but no, just fearfully
locking everything.

We are not going to allow that. And we *must not* allow this UEFI thing
to break the FLOSS community into fragments, into sub-communities that
verbally fight against each other's choices. «Divide et impera» -
divide and rule: that's an old technique for winning wars and that's
what is happening now. We must not allow that, seriously.

All the best,
Andrew


Archive: http://lists.debian.org/4fd154f2.7060...@bluebottle.com



Re: the ghost of UEFI and Micr0$0ft

2012-06-07 Thread Roger Leigh
On Thu, Jun 07, 2012 at 06:20:25PM -0400, Tom H wrote:
> The shim boot loader that's being planned by Fedora would be signed by
> Microsoft but is open source [1] - it wouldn't be accepted in Fedora
> otherwise.

From the Free Software Foundation:

A program is free software if the program's users have the four
essential freedoms:

• The freedom to run the program, for any purpose (freedom 0).
• The freedom to study how the program works, and change it so it does
  your computing as you wish (freedom 1). Access to the source code is
  a precondition for this.
• The freedom to redistribute copies so you can help your neighbor
  (freedom 2).
• The freedom to distribute copies of your modified versions to others
  (freedom 3). By doing this you can give the whole community a chance
  to benefit from your changes. Access to the source code is a
  precondition for this.


The bootloader might technically be free software, it meets the above
four freedoms.  I can get the source and modify it.  But I can't
exercise my freedom by actually running it.  I can't *use* it.  Not
unless I pay some money for a special key.  And get "authorised" to
run my own code on my own computer.

Let's be clear what this is.  I have to get *permission* from someone
else, to run a program on my own computer.  To actually use my
computer to do my stuff, I have to take extraordinary steps to get
someone else to grant me access.  That's *fundamentally wrong*.


Roger

-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux    http://people.debian.org/~rleigh/
 `. `'   schroot and sbuild  http://alioth.debian.org/projects/buildd-tools
   `-    GPG Public Key      F33D 281D 470A B443 6756 147C 07B3 C8BC 4083 E800


Archive: http://lists.debian.org/20120607223404.gq15...@codelibre.net



Re: the ghost of UEFI and Micr0$0ft

2012-06-07 Thread Tom H
On Thu, Jun 7, 2012 at 8:08 AM, Ralf Mardorf  wrote:
> On Thu, 2012-06-07 at 06:20 -0400, Tom H wrote:
>> On Wed, Jun 6, 2012 at 3:46 PM, Roger Leigh  wrote:
>> > On Wed, Jun 06, 2012 at 01:07:23PM -0400, Tom H wrote:
>> >>
>> >> What's non-free about signing the "boot-chain"?
>> >
>> > Do I have the freedom to build and install and boot my own kernel?
>> >
>> > No?  Looks like I lost the freedom to have any semblance of control
>> > over my own hardware.
>>
>> You can buy a key from Verisign, etc...
>>
>> I'll be buying a new laptop in December/January and I'll give that a
>> try. We'll see how much of a PitA it's going to be.
>
> If I should need to buy a key from a company handling the UEFI keys,
> assumed it's not a Linux related company, to use Linux with a self build
> kernel, I would drop Linux soon. Fortunately there are laws against
> monopolies, so I suspect that for x86_64 mobos UEFI always can be
> disabled.
>
> I also won't use a closed source bootloader-bootloader from a company
> like Microsoft. They often offended laws and I'm sure they'll continue
> to violate laws.

You're already paying a for-profit company for your computer so this
is "just" another USD 99 for a key.

The shim boot loader that's being planned by Fedora would be signed by
Microsoft but is open source [1] - it wouldn't be accepted in Fedora
otherwise.

1. https://github.com/mjg59/shim


Archive: 
http://lists.debian.org/CAOdo=SxFkz5UHT28hyVxd4Xx8QQLy_y2i1b7s9okew=2uil...@mail.gmail.com



Re: [OT] Re: the ghost of UEFI and Micr0$0ft

2012-06-07 Thread Slavko
Hi,

On Thu, 7 Jun 2012 06:14:17 -0400 Tom H wrote:

> On Thu, Jun 7, 2012 at 5:43 AM, Andrei POPESCU
>  wrote:
> > On Mi, 06 iun 12, 13:04:50, Kelly Clowers wrote:
> >>
> >> I sincerely doubt it. Although I guess it depends on what you mean by
> >> "via the network". Worms that infect like SQL Slammer are relatively
> >> rare, AFAIK most malware get in via drive-by downloads, or intentional
> >> installation of programs that are infected. Those are user issues and
> >> browser issues (though local OS exploits may be used after the
> >> browser security is bypassed). Though these get delivered by the
> >> network, it isn't the same as vulnerabilities in, say, the TCP/IP
> >> stack, or a vulnerable OS daemon/service.
> >
> > But still, those attacks wouldn't be prevented by Secure Boot, so
> > Nate's argument (Secure Boot won't improve Windows security) still
> > stands.
> 
> Did everyone miss this link [1] that was posted by MG in his blog post?!
> 
> Simply because viruses/malware/etc have been introduced historically
> through the network doesn't mean that the firmware isn't a target now
> or won't be in the future.

Computers are often stolen, from companies, from homes… Why is there
no welding machine as a component of the computer case, to make sure that
they will stay in the same place?

> That Microsoft's leveraging a (potential) solution to this problem to
> make our lives difficult isn't surprising...

Yes, this can be right. But only in the Windows world. I don't know anyone
who is building their own Windows kernel :-)

In the free world, there is one problem - a changed kernel is not a direct
sign of a virus (or similar). On my WiFi router, the first thing that
happened was a change to custom firmware. I bought it with this change
in mind…

Theoretically, this need not be a problem, if I have a way to
sign my own kernel/firmware (without paying money). If I have a
way to sign my rescue tools (CD, USB, PXE, etc)… Something like gpg.
But with this there is another problem - if I can sign my things, then
an attacker can do it too.

Or I will need to buy a new signature for 99$ every so often. But what if
an attacker buys a signature for 99$? Where is the security?

-- 
Slavko
http://slavino.sk




Re: [OT] Re: the ghost of UEFI and Micr0$0ft

2012-06-07 Thread Camaleón
On Thu, 07 Jun 2012 11:50:29 +0200, Ralf Mardorf wrote:

> OT:
> 
> On Wed, 2012-06-06 at 14:41 +, Camaleón wrote:
>> Windows users with secure boot enabled who want to boot a different OS
>> should ask MS how to do it, don't you think? They have paid for what
>> they have installed.
> 
> IIRC it's not allowed to run a Linux on the same machine, beside a
> Windows, regarding to the Microsoft license or warranty, support. 

Is there any paper that supports that? I really doubt it, given that MS 
is under the eyes of the anti-monopoly parties in many countries.

> AFAIK Suse, resp. Novell made a deal with Windows and it's the only
> Linux a Windows customer is allowed to run on a Windows machine.
> Perhaps just half of half-truth.

Hopefully none of that is true. The deal was to protect Novell users from 
a possible patent lawsuit taken by MS, among other things...

> However, I don't like a proprietary software company being the one to
> handle keys. They will abuse this impact.

What annoys me is that I feel like the rats of the Hamelin legend while 
MS takes the pied piper role. We, FLOSS users, have to start learning to 
say "NO".

Greetings,

-- 
Camaleón


Archive: http://lists.debian.org/jqqelu$dr8$8...@dough.gmane.org



Re: the ghost of UEFI and Micr0$0ft

2012-06-07 Thread John Hasler
Ralf writes:
> Fortunately there are laws against monopolies...

No there aren't.  There are laws against _abusing_ monopolies.
-- 
John Hasler


Archive: http://lists.debian.org/87zk8fjnhh@thumper.dhh.gt.org



Re: [OT] Re: the ghost of UEFI and Micr0$0ft

2012-06-07 Thread Ralf Mardorf
On Thu, 2012-06-07 at 19:46 +0900, Miles Bader wrote:
> it _does_ conveniently lay the groundwork for the
> sort of locked-down no-user-control hardware ecosystem which is
> fervently desired by many unsavory parties, who are most certainly not
> acting with the best interests of the public in mind.

For the long run laws might protect us against this, but during legal
battles exactly this could happen.

- Ralf


Archive: http://lists.debian.org/1339071183.3331.51.camel@precise



Re: the ghost of UEFI and Micr0$0ft

2012-06-07 Thread Ralf Mardorf
On Thu, 2012-06-07 at 06:20 -0400, Tom H wrote:
> On Wed, Jun 6, 2012 at 3:46 PM, Roger Leigh  wrote:
> > On Wed, Jun 06, 2012 at 01:07:23PM -0400, Tom H wrote:
> >>
> >> What's non-free about signing the "boot-chain"?
> >
> > Do I have the freedom to build and install and boot my own kernel?
> >
> > No?  Looks like I lost the freedom to have any semblance of control
> > over my own hardware.
> 
> You can buy a key from Verisign, etc...
> 
> I'll be buying a new laptop in December/January and I'll give that a
> try. We'll see how much of a PitA it's going to be.
> 
> 

If I should need to buy a key from a company handling the UEFI keys,
assumed it's not a Linux related company, to use Linux with a self build
kernel, I would drop Linux soon. Fortunately there are laws against
monopolies, so I suspect that for x86_64 mobos UEFI always can be
disabled.

I also won't use a closed source bootloader-bootloader from a company
like Microsoft. They often offended laws and I'm sure they'll continue
to violate laws.

- Ralf


Archive: http://lists.debian.org/1339070920.3331.47.camel@precise



Re: [OT] Re: the ghost of UEFI and Micr0$0ft

2012-06-07 Thread Miles Bader
Andrei POPESCU  writes:
> But still, those attacks wouldn't be prevented by Secure Boot, so Nate's 
> argument (Secure Boot won't improve Windows security) still stands.

That's why the whole thing seems so creepy... even if they --
currently! -- allow it to be disabled:

It really won't make computer systems much "safer" (from malware etc)
in practice, but it _does_ conveniently lay the groundwork for the
sort of locked-down no-user-control hardware ecosystem which is
fervently desired by many unsavory parties, who are most certainly not
acting with the best interests of the public in mind.  Not just
Microsoft, but *AA ("closing the analogue hole isn't enough!") etc.

-miles

-- 
Happiness, n. An agreeable sensation arising from contemplating the misery of
another.


Archive: http://lists.debian.org/87wr3js8kw@catnip.gol.com



Re: the ghost of UEFI and Micr0$0ft

2012-06-07 Thread Tom H
On Wed, Jun 6, 2012 at 3:46 PM, Roger Leigh  wrote:
> On Wed, Jun 06, 2012 at 01:07:23PM -0400, Tom H wrote:
>>
>> What's non-free about signing the "boot-chain"?
>
> Do I have the freedom to build and install and boot my own kernel?
>
> No?  Looks like I lost the freedom to have any semblance of control
> over my own hardware.

You can buy a key from Verisign, etc...

I'll be buying a new laptop in December/January and I'll give that a
try. We'll see how much of a PitA it's going to be.


Archive: 
http://lists.debian.org/CAOdo=Sxyhj7vZNPftPBhtQh4d_4iT7FSc=vtrpfwwo4+ihd...@mail.gmail.com



Re: [OT] Re: the ghost of UEFI and Micr0$0ft

2012-06-07 Thread Tom H
On Thu, Jun 7, 2012 at 5:43 AM, Andrei POPESCU  wrote:
> On Mi, 06 iun 12, 13:04:50, Kelly Clowers wrote:
>>
>> I sincerely doubt it. Although I guess it depends on what you mean by
>> "via the network". Worms that infect like SQL Slammer are relatively
>> rare, AFAIK most malware get in via drive-by downloads, or intentional
>> installation of programs that are infected. Those are user issues and
>> browser issues (though local OS exploits may be used after the
>> browser security is bypassed). Though these get delivered by the
>> network, it isn't the same as vulnerabilities in, say, the TCP/IP
>> stack, or a vulnerable OS daemon/service.
>
> But still, those attacks wouldn't be prevented by Secure Boot, so Nate's
> argument (Secure Boot won't improve Windows security) still stands.

Did everyone miss this link [1] that was posted by MG in his blog post?!

Simply because viruses/malware/etc have been introduced historically
through the network doesn't mean that the firmware isn't a target now
or won't be in the future.

That Microsoft's leveraging a (potential) solution to this problem to
make our lives difficult isn't surprising...

1. 
http://blog.webroot.com/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/


Archive: 
http://lists.debian.org/CAOdo=Sww2+H=rve5w7fohlaeh9x6c73mv30fst3khrvhb1h...@mail.gmail.com



Re: [OT] Re: the ghost of UEFI and Micr0$0ft

2012-06-07 Thread Ralf Mardorf
OT:

On Wed, 2012-06-06 at 14:41 +, Camaleón wrote:
> Windows users with secure boot enabled who want to boot a different OS
> should ask MS how to do it, don't you think? They have paid for what
> they have installed.

IIRC it's not allowed to run a Linux on the same machine, beside a
Windows, regarding to the Microsoft license or warranty, support. AFAIK
Suse, resp. Novell made a deal with Windows and it's the only Linux a
Windows customer is allowed to run on a Windows machine. Perhaps just
half of half-truth.

However, I don't like a proprietary software company being the one to
handle keys. They will abuse this impact.

- Ralf





Re: [OT] Re: the ghost of UEFI and Micr0$0ft

2012-06-07 Thread Andrei POPESCU
On Wed, 06 Jun 12, 13:04:50, Kelly Clowers wrote:
> 
> I sincerely doubt it. Although I guess it depends on what you mean by
> "via the network". Worms that infect like SQL Slammer are relatively
> rare, AFAIK most malware get in via drive-by downloads, or intentional
> installation of programs that are infected. Those are user issues and
> browser issues (though local OS exploits may be used after the
> browser security is bypassed). Though these get delivered by the
> network, it isn't the same as vulnerabilities in, say, the TCP/IP
> stack, or a vulnerable OS daemon/service.

But still, those attacks wouldn't be prevented by Secure Boot, so Nate's 
argument (Secure Boot won't improve Windows security) still stands.

Kind regards,
Andrei
-- 
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic




Re: the ghost of UEFI and Micr0$0ft

2012-06-07 Thread Ralf Mardorf
On Wed, 2012-06-06 at 14:51 +0100, Jon Dowland wrote:
> On Wed, Jun 06, 2012 at 11:31:11PM +1000, Scott Ferguson wrote:
> > Not immediately it's not (W7).  Perhaps >W7. How about Apple?
> 
> The irony here is that Apple hardware might end up being the easiest for a
> beginner to install Linux on.

Resp. there will be something similar to a jailbreak for Apple, that
enables to disable UEFI, even if it can't be disabled by a BIOS option
for Intel, ASUS and other boards. At least hardware alterations will be
available, comparable to Mac clones.
There always will be a way to get Linux running on a PC.

- Ralf





Re: the ghost of UEFI and Micr0$0ft

2012-06-07 Thread Ralf Mardorf
On Wed, 2012-06-06 at 19:04 +1000, Scott Ferguson wrote:
> On 06/06/12 18:44, Andrei POPESCU wrote:
> > On Tue, 05 Jun 12, 20:26:03, Slavko wrote:
> >>
> >> in our country is more and more difficult to buy computer (specially
> >> notebook) without Windows included. In one shop they are telling me, that
> >> it is not possible.
> > 
> > If you have such an answer on paper you *might* be able to request a 
> > refund for the MS Windows license according to its own EULA, but be 
> > careful not to accept the EULA
> 
> 
> The Windoof 7 EULA:-
> 
> "By using the software, you accept these terms. If you do not accept
> them, do not use the software. Instead, contact the manufacturer or
> installer to determine its return policy. You must comply with that
> policy, which might limit your rights or require you to return the
> entire system on which the software is installed."
> 
> > on the first boot (most laptops on 
> > display will have it accepted by the shop staff).
> > 
> > Hope this helps,
> > Andrei
> 
> 
> My experience is that Dell and Toshiba do refunds (XP and Vista), albeit
> reluctantly, but Lenovo/IBM won't (for Thinkpads).
> 
> This may prove useful:-
> http://no.more.racketware.info/index
> 
> 
> 
> 
> Kind regards

Laptops etc. tend to ship with Windows, but a tower PC of a Linux user
often might be arranged by the user. I never owned a tower PC that was
pre-built and/or delivered with Windows.

- Ralf





Re: [OT] Re: the ghost of UEFI and Micr0$0ft

2012-06-07 Thread Ralf Mardorf
On Wed, 2012-06-06 at 05:21 -0400, Tom H wrote:
> Consider banking.

Online-banking already is impossible for me, regarding to a technology
the German Postbank is using. I once enabled it, then disabled it and
now me and even the Postbank admins are unable to enable online-banking
again.

They implemented a broken technology parallel to German ID cards that
now ship with a new technology too, that can't be used for anything
useful, but that is intended to give more security. The new ID card is
more expensive.

Fortunately my bank "donated" the needed online-banking tool, when I
complained, since it costs money.

The truth: None of that crap will provide a higher level of security,
it's only good to sell microchips, licenses etc., to offend data privacy
etc..

- Ralf





Re: the ghost of UEFI and Micr0$0ft

2012-06-06 Thread Miles Bader
Scott Ferguson  writes:
>>> You can't disable the code signing requirement on ARM.
>> 
>> ... which is a great deal more worrying.
>
> Yes. And no.
> I'd hate to see a situation where it was impossible to buy an ARM (or
> other CPU based board) without UEFI that can be disabled - but I support
> devices that can be made to *only* run signed code *provided* MS is
> *not* the certificate agency.

Would that mean anybody who wants to build their own kernel would need
to buy a signing key?

-miles

-- 
Opportunity, n. A favorable occasion for grasping a disappointment.





Re: the ghost of UEFI and Micr0$0ft

2012-06-06 Thread Weaver

> On 07. 06. 12 00:33, Weaver wrote:
>  > There are two issues only to consider here:
>  >
>  > (1) Who controls the keys and who controls them.
>  >
>  > (2) I resent any degree of control of the open source software
>  > movement being given over into the control of anybody else.
>  >
>  > Recognise this for what it is.
>  > Microsoft fears us.
>  > Gates admitted this in a recent intermanagement memo.
>
>
> This is a 2001 memo. A chapter is titled "Openness" and its last
> sentence is quite illuminating.
>
> « Our most potent Operating System competitor is Linux and the phenomena
> around Open Source and free software. The same phenomena fuels
> competitors to all of our products. The ease of picking up Linux to
> learn it or modify some pieces of it is very attractive. The academic
> community, start up companies, foreign governments and many other
> constituencies are putting their best work into Linux. Although we
> cannot make Windows free for commercial use we can do dramatically more
> to make it accessible including parts of the source code. We can make it
> free in restricted areas. [...] We need other creative ideas to allow
> Windows to match the viral nature of Linux. »
>
> A full transcription of the memo:
> http://techrights.org/2009/06/23/bill-gates-afraid-of-gnu-linux/

Excellent!
And that last sentence is where he gets it all wrong.
Right from the Get-Go, at the very beginnings of Microsoft, Gates operates
from a destructive, not creative mindset.
He's incapable of 'matching', so creates hurdles to accessibility.
Also, his thinking is corrupted.
Does he really think that he is going to be able to persuade people to
work for him for nothing?
There have been attempts at that before.
They don't seem to be visible now.
After all this time, he still doesn't understand that the free/open source
software movement works for itself.
Regards,

Weaver.
-- 


Religion is regarded by the common people as true,
by the wise as false,
and by the rulers as useful.

— Lucius Annæus Seneca.

Terrorism, the new religion.






Re: the ghost of UEFI and Micr0$0ft

2012-06-06 Thread rbmj

On 06/06/2012 08:43 PM, Christofer C. Bell wrote:
> On Wed, Jun 6, 2012 at 2:46 PM, Roger Leigh  wrote:
>> On Wed, Jun 06, 2012 at 01:07:23PM -0400, Tom H wrote:
>>>
>>> What's non-free about signing the "boot-chain"?
>>
>> Do I have the freedom to build and install and boot my own kernel?
>>
>> No?  Looks like I lost the freedom to have any semblance of control
>> over my own hardware.
>
> You have the freedom to either:
>
> a.) Disable Secure Boot and run your own kernel

Not on ARM hardware that is certified for Windows 8 AFAIK.

> or
>
> b.) Generate your own signing key, sign your own kernel, and load your
> own key into your system's UEFI.

I doubt that this will be easy- they'll have to make it inordinately
difficult to discourage social engineering attacks and the like.

> You have not lost any semblance of control over your own hardware.

Yes, you have.  Luckily (at least in the U.S.) we have a free market,
so you have choices available to you.  You don't have to buy the
crippleware, you have other options.  And the most important thing that
we, as free software/fair use advocates, can do, is force the large
corporations to back down through economic means.  They won't sell it if
we don't buy it.


--
rbmj





Re: the ghost of UEFI and Micr0$0ft

2012-06-06 Thread Christofer C. Bell
On Wed, Jun 6, 2012 at 2:46 PM, Roger Leigh  wrote:
> On Wed, Jun 06, 2012 at 01:07:23PM -0400, Tom H wrote:
>>
>> What's non-free about signing the "boot-chain"?
>
> Do I have the freedom to build and install and boot my own kernel?
>
> No?  Looks like I lost the freedom to have any semblance of control
> over my own hardware.

You have the freedom to either:

a.) Disable Secure Boot and run your own kernel

or

b.) Generate your own signing key, sign your own kernel, and load your
own key into your system's UEFI.

You have not lost any semblance of control over your own hardware.

-- 
Chris
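
Option (b) from the message above, modelled as an added example (not code from the thread or from any firmware vendor): the owner generates a key, signs a kernel image and enrols the public key, and `firmware_verify` plays the firmware's part, including the blacklisting mentioned elsewhere in the thread. Assumptions: `openssl` detached signatures over constructed text files stand in for the signed EFI binaries real firmware checks, and the `db`/`dbx` file layout and all function names are hypothetical.

```shell
#!/bin/sh
# Model of option (b): own key -> signed kernel -> key enrolled in firmware.
# Everything here is constructed: keys are throwaway, "kernels" are text files.

FW=$(mktemp -d)        # stands in for the firmware's variable storage
mkdir "$FW/db"         # db:  public keys the firmware trusts
: > "$FW/dbx"          # dbx: SHA-256 hashes of images that were blacklisted

# Create an RSA key pair for signer $1; the private key never enters db.
make_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$FW/$1.key" 2>/dev/null
    openssl pkey -in "$FW/$1.key" -pubout -out "$FW/$1.pub"
}

# Enrol signer $1's public key (on real hardware: done in firmware setup).
enroll_key() { cp "$FW/$1.pub" "$FW/db/$1.pub"; }

# Sign image $2 with signer $1's private key; signature goes to $2.sig.
sign_image() { openssl dgst -sha256 -sign "$FW/$1.key" -out "$2.sig" "$2"; }

image_hash() { openssl dgst -sha256 -r "$1" | cut -d' ' -f1; }

# Blacklist one specific image by hash, leaving the signer's key trusted.
revoke_image() { image_hash "$1" >> "$FW/dbx"; }

# The firmware's decision for image $1: exit status 0 = boot, 1 = refuse.
firmware_verify() {
    [ -f "$1.sig" ] || return 1                              # unsigned
    if grep -qx "$(image_hash "$1")" "$FW/dbx"; then return 1; fi  # blacklisted
    for pub in "$FW"/db/*.pub; do
        [ -f "$pub" ] || continue                            # db is empty
        if openssl dgst -sha256 -verify "$pub" -signature "$1.sig" "$1" \
            >/dev/null 2>&1; then return 0; fi
    done
    return 1                                                 # no enrolled key matches
}

boot_status() { if firmware_verify "$1"; then echo boots; else echo refused; fi; }

make_key owner
make_key stranger
enroll_key owner                       # only the owner's key is trusted

printf 'constructed kernel, owner build\n'  > "$FW/vmlinuz-own"
printf 'constructed kernel, older build\n'  > "$FW/vmlinuz-old"
printf 'constructed kernel, other signer\n' > "$FW/vmlinuz-other"
printf 'constructed kernel, never signed\n' > "$FW/vmlinuz-unsigned"
sign_image owner    "$FW/vmlinuz-own"
sign_image owner    "$FW/vmlinuz-old"
sign_image stranger "$FW/vmlinuz-other"

# A signed image modified after signing keeps its old signature file.
cp "$FW/vmlinuz-own" "$FW/vmlinuz-tampered"
cp "$FW/vmlinuz-own.sig" "$FW/vmlinuz-tampered.sig"
printf 'extra bytes\n' >> "$FW/vmlinuz-tampered"

revoke_image "$FW/vmlinuz-old"         # validly signed, but blacklisted

for img in own old other unsigned tampered; do
    printf '%-10s %s\n' "$img" "$(boot_status "$FW/vmlinuz-$img")"
done
```

Enrolling the second signer's public key with `enroll_key stranger` is the only step that makes `vmlinuz-other` bootable; the blacklisted image stays refused either way.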





Re: the ghost of UEFI and Micr0$0ft

2012-06-06 Thread ACro

On 07. 06. 12 00:33, Weaver wrote:
> There are two issues only to consider here:
>
> (1) Who controls the keys and who controls them.
>
> (2) I resent any degree of control of the open source software
> movement being given over into the control of anybody else.
>
> Recognise this for what it is.
> Microsoft fears us.
> Gates admitted this in a recent intermanagement memo.


This is a 2001 memo. A chapter is titled "Openness" and its last 
sentence is quite illuminating.


« Our most potent Operating System competitor is Linux and the phenomena 
around Open Source and free software. The same phenomena fuels 
competitors to all of our products. The ease of picking up Linux to 
learn it or modify some pieces of it is very attractive. The academic 
community, start up companies, foreign governments and many other 
constituencies are putting their best work into Linux. Although we 
cannot make Windows free for commercial use we can do dramatically more 
to make it accessible including parts of the source code. We can make it 
free in restricted areas. [...] We need other creative ideas to allow 
Windows to match the viral nature of Linux. »


A full transcription of the memo:
http://techrights.org/2009/06/23/bill-gates-afraid-of-gnu-linux/

Andrew





Re: the ghost of UEFI and Micr0$0ft

2012-06-06 Thread Weaver
There are two issues only to consider here:

(1) Who controls the keys and who controls them.

(2) I resent any degree of control of the open source software movement
being given over into the control of anybody else.

Recognise this for what it is.
Microsoft fears us.
Gates admitted this in a recent intermanagement memo.
I could chase it down and supply it, but attachments are not an option on
this list.
Understand that LibreOffice and many other apps now supply everything that
Microsoft deliver, on a more stable, secure and speedier base.
Microsoft do.
This is what this is about.
Control.
Don't give it to them.

Let's just do a little more work on projects such as Coreboot to ensure
continued accessibility for the base-level, end-user.
If security is what is required in the situation, I'm quite sure we can
supply that.
Microsoft have proven beyond doubt that they can't.

Panic and consternation are what Microsoft want.
Don't give them that too.
Just keep coding and writing documentation on a continuous 7 day/week, 24
hour/day basis.
When it comes to the crunch, they can't compete with that.

That's their biggest overhead.
Bigger than all the others combined.
Regards,

Weaver.
-- 


Religion is regarded by the common people as true,
by the wise as false,
and by the rulers as useful.

— Lucius Annæus Seneca.

Terrorism, the new religion.






Re: the ghost of UEFI and Micr0$0ft

2012-06-06 Thread Tony Baldwin
On Wed, Jun 06, 2012 at 06:04:12PM +0200, Slavko wrote:
> Hi Andrei,
> 
> On Wed, 6 Jun 2012 11:44:27 +0300 Andrei POPESCU wrote:
> 
> > > in our country is more and more difficult to buy computer (specially
> > > notebook) without Windows included. In one shop they are telling me,
> > > that it is not possible.
> > 
> > If you have such an answer on paper you *might* be able to request a 
> > refund for the MS Windows license according to its own EULA, but be 
> > careful not to accept the EULA on the first boot (most laptops on 
> 
> Yes, but consider following. Your solution:
> 
> pay money -> take care about OS -> request a refund -> use my HW
> 
> My expectation is:
> 
> pay money -> use my HW
> 

This is why I generally purchase components and build my own,
rather than purchase pre-fab machines.

I just hope that some manufacturers will continue to offer mobos
either without this MS crap on them, or, as mentioned,
at least allow disabling thereof.

./tony
-- 
http://www.tonybaldwin.me
all tony, all the time!
3F330C6E




Re: [OT] Re: the ghost of UEFI and Micr0$0ft

2012-06-06 Thread Kelly Clowers
On Wed, Jun 6, 2012 at 10:47 AM, Nate Bargmann  wrote:
> * On 2012 06 Jun 12:13 -0500, Tom H wrote:
>> It's not irrelevant. Irrespective of Linux using or not using Secure
>> Boot, I want Microsoft to take every measure that it can take to reduce
>> the number of compromised Windows boxes and therefore reduce the
>> number of attacks on my Linux boxes.
>
> What is the predominant attack vector toward MS Windows?  It's via the
> network and then being able to compromise components of the OS and
> machine, right?

I sincerely doubt it. Although I guess it depends on what you mean by
"via the network". Worms that infect like SQL Slammer are relatively
rare, AFAIK most malware get in via drive-by downloads, or intentional
installation of programs that are infected. Those are user issues and
browser issues (though local OS exploits may be used after the
browser security is bypassed). Though these get delivered by the
network, it isn't the same as vulnerabilities in, say, the TCP/IP
stack, or a vulnerable OS daemon/service.


Cheers,
Kelly Clowers





Re: the ghost of UEFI and Micr0$0ft

2012-06-06 Thread Roger Leigh
On Wed, Jun 06, 2012 at 01:07:23PM -0400, Tom H wrote:
> 
> What's non-free about signing the "boot-chain"?

Do I have the freedom to build and install and boot my own kernel?

No?  Looks like I lost the freedom to have any semblance of control
over my own hardware.


Regards,
Roger

-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux    http://people.debian.org/~rleigh/
 `. `'   schroot and sbuild  http://alioth.debian.org/projects/buildd-tools
   `-    GPG Public Key      F33D 281D 470A B443 6756 147C 07B3 C8BC 4083 E800





Re: [OT] Re: the ghost of UEFI and Micr0$0ft

2012-06-06 Thread Nate Bargmann
* On 2012 06 Jun 12:13 -0500, Tom H wrote:
> It's not irrelevant. Irrespective of Linux using or not using Secure
> Boot, I want Microsoft to take every measure that it can take to reduce
> the number of compromised Windows boxes and therefore reduce the
> number of attacks on my Linux boxes.

What is the predominant attack vector toward MS Windows?  It's via the
network and then being able to compromise components of the OS and
machine, right?  Access to the hardware means all bets are off, so to
really make things "secure" requires that there is no measure available
to disable secure boot.

But it's not necessary to install a differing version of the OS to cause
it to do unseemly things on the network, right?  It seems to me that
tightening security all through the network stack and OS would have done
far more to improve the security situation for all concerned than this
wrong-headed approach.  This is akin to using an enema to achieve dental
hygiene.

I stand in full agreement with the FSF on this issue.  Like Novell
paying MSFT patent fees, I think this move to fall in line with MSFT's
command by Fedora/Red Hat is selfish and potentially harmful to the
Free Software community.  I don't follow debian-devel so I am not up to
speed on any Debian consensus on this issue as regards the DFSG and
Social Contract.

- Nate >>

-- 

"The optimist proclaims that we live in the best of all
possible worlds.  The pessimist fears this is true."

Ham radio, Linux, bikes, and more: http://www.n0nb.us





Re: [OT] Re: the ghost of UEFI and Micr0$0ft

2012-06-06 Thread Camaleón
On Wed, 06 Jun 2012 13:11:26 -0400, Tom H wrote:

> On Wed, Jun 6, 2012 at 9:51 AM, Camaleón  wrote:

>>> Can you guarantee that there isn't and will never be a BIOS rootkit
>>> that affects Linux?
>>>
>>> Can you guarantee that Windows botnets don't/won't attack Linux boxes?
>>
>> Tom, that's irrelevant!
>>
>> I can cope with a linux malware but I can't cope with a third-party
>> company disallowing me from booting _my own_ systems and I can't see
>> any benefit in helping nor defending such restrictive position.
>>
>> To be sincere, I prefer my linux (or windows) computer got infected
>> because of _my failure_ that being at the orders of a _third party_ :-/
> 
> It's not irrelevant. Irrespective of Linux using or not using Secure
> Boot, I want Microsoft to take every measure that it can take to reduce
> the number of compromised Windows boxes and therefore reduce the number
> of attacks on my Linux boxes.

And that's perfectly fine!

But then you have to *stick to their rules* so ask them what are their 
plans to support a dual booting system and what are they doing to 
integrate their secure boot system with the rest of the OS makers.

Surprise... they are doing nothing! Why have we to spend our scarce 
resources and our time in patching their faults and lackings? That's 
crazy :-)

Greetings,

-- 
Camaleón





Re: [OT] Re: the ghost of UEFI and Micr0$0ft

2012-06-06 Thread Tom H
On Wed, Jun 6, 2012 at 9:51 AM, Camaleón  wrote:
> On Tue, 05 Jun 2012 15:07:42 -0400, Tom H wrote:
>> On Tue, Jun 5, 2012 at 1:45 PM, Camaleón  wrote:
>>> On Tue, 05 Jun 2012 19:26:55 +0200, Claudius Hubig wrote:

>>>> However, I welcome the fact that attacks on Windows will be made more
>>>> difficult, since that also means smaller botnets, fewer vulnerable
>>>> computers etc.
>>>
>>> That's the problem: we don't have to care about Windows security, it's
>>> not our business! That's a problem for the Windows users not for us.
>>
>> Can you guarantee that there isn't and will never be a BIOS rootkit that
>> affects Linux?
>>
>> Can you guarantee that Windows botnets don't/won't attack Linux boxes?
>
> Tom, that's irrelevant!
>
> I can cope with a linux malware but I can't cope with a third-party
> company disallowing me from booting _my own_ systems and I can't see any
> benefit in helping nor defending such restrictive position.
>
> To be sincere, I prefer my linux (or windows) computer got infected
> because of _my failure_ that being at the orders of a _third party_ :-/

It's not irrelevant. Irrespective of Linux using or not using Secure
Boot, I want Microsoft to take every measure that it can take to reduce
the number of compromised Windows boxes and therefore reduce the
number of attacks on my Linux boxes.





Re: the ghost of UEFI and Micr0$0ft

2012-06-06 Thread Tom H
On Wed, Jun 6, 2012 at 7:48 AM, Laurence Hurst  wrote:
> On 06/06/2012 11:47, Tom H wrote:
>>
>> Nowhere is the proposed Fedora 99-dollar-key being offered to other
>> distributions. Since it only costs USD 99 it wouldn't make sense for
>> Debian, for example, not to get its own rather than use Fedora's. And
>> Fedora wouldn't want to take the risk of loaning its key to Debian,
>> having the latter screwing up, and having Fedora's key being
>> blacklisted.
>>
>
> Fedora have also signed the entire chain from their shim bootloader (with
> the 99USD key), grub, kernel and kernel modules (latter 3 with Fedora's own
> key/chain-of-trust). Even if they were willing to take the risk of sharing,
> I don't think they would with anyone who wasn't willing to sign their own
> entire boot-chain down to the kernel module level. I think it would be very
> bad for the principles of free (as in freedom) software if Debian went down
> the same route creating a walled-garden for the entire boot chain through to
> the kernel modules on secure-boot enabled systems.

What's non-free about signing the "boot-chain"?





Re: the ghost of UEFI and Micr0$0ft

2012-06-06 Thread Slavko
Hi Andrei,

On Wed, 6 Jun 2012 11:44:27 +0300 Andrei POPESCU wrote:

> > in our country is more and more difficult to buy computer (specially
> > notebook) without Windows included. In one shop they are telling me,
> > that it is not possible.
> 
> If you have such an answer on paper you *might* be able to request a 
> refund for the MS Windows license according to its own EULA, but be 
> careful not to accept the EULA on the first boot (most laptops on 

Yes, but consider following. Your solution:

pay money -> take care about OS -> request a refund -> use my HW

My expectation is:

pay money -> use my HW

I don't want to pay money for useless things and waste time with stupid
and manipulating sellers and producers.

If I give something to someone and they refund it to me, then it is a loan.
I don't want to loan my money to sellers without any rent! ;-)

regards

-- 
Slavko
http://slavino.sk




Re: [OT] Re: the ghost of UEFI and Micr0$0ft

2012-06-06 Thread Camaleón
On Wed, 06 Jun 2012 03:13:23 -0400, Tom H wrote:

> On Tue, Jun 5, 2012 at 1:22 PM, Camaleón  wrote:
>> On Tue, 05 Jun 2012 19:03:54 +0200, Claudius Hubig wrote:

(...)

>>> UEFI has many benefits over the traditional BIOS, secure boot being
>>> one of them. Why do you think there is no technical reason to support
>>> secure boot? And what other mechanism would you suggest to use to get
>>> a chain of trust from the BIOS(-replacement) to the desktop?
>>
>> UEFI is not the problem here. People are using UEFI nowadays without any
>> issue. It is MS who is building a fictional wall in between.
> 
> The concept of Secure Boot is sound; it's to secure the firmware boot of
> a box and the handoff from the firmware to the OS; it has nothing to do
> with TPM (although I understand that they can be combined) or grub2
> passwords.

I put TPM as an example of another technology that was intended to 
"secure" our lives. I wonder how many linux users are currently taking 
advantage of it.

> It's the implementation of Secure Boot that sucks, from a Linux
> perspective. 

It sucks because there's still not developed a normalized way of using 
it. And it sucks because closed source software developers are using it as 
a weapon to get their own purposes and goals and not considering another 
approaches... and such position can be valid from their point of view but 
not from ours :-/

> A dominant power, in our case Microsoft, will always impose its will on
> others. 

That will be so until we stop it. And buying a single certificate is not 
what I understand for a proper solution: you're only solving "one" 
problem, there will be more to come.

> It's the same in politics. When Great Britain was the world's
> superpower, it used to impose its will on countries, companies, and
> people. The US has imposed, is imposing, and will impose for the
> foreseeable future its will on others. And China will, if it becomes the
> world's superpower, do the same in the future. Others may not like it
> but they don't have a choice. Secure Boot can be turned off so there's
> some freedom available to those who want to reject it - for the time
> being...

The true freedom starts by telling users about the real situation and not 
by hiding the bad policies of a company just to gain your user base by 
saying "Hey, look, we're cool. We're a user-friendly linux 
distribution" :-/

> The board of directors of UEFI includes representatives from Apple,
> Dell, HP, IBM, and Lenovo. So, even though Acer, Asus, and Samsung (to
> cite a few) aren't represented, it's pretty safe to conclude that the
> manufacturers are on-board.

My guess is that manufacturers will take a "low-profile" approach: they 
will just provide a way for disabling "secure boot" from BIOS/UEFI and 
let the user decide what to do.

Greetings,

-- 
Camaleón





Re: [OT] Re: the ghost of UEFI and Micr0$0ft

2012-06-06 Thread Rob Owens
On Tue, Jun 05, 2012 at 09:40:23PM -0500, Christofer C. Bell wrote:
> On Tue, Jun 5, 2012 at 12:45 PM, Camaleón  wrote:
> >
> > That's the problem: we don't have to care about Windows security, it's
> > not our business! That's a problem for the Windows users not for us.
> 
> If you don't care about Windows security then just turn off secure
> boot.  You're running Debian to begin with.  I'm sure you can figure
> it out.  You're a technical person.  UEFI secure boot was *not
> developed to benefit Microsoft*.  Microsoft's only involvement here is
> being a 3rd party player who has a code signing key.  They are acting
> no differently than any other generic certificate authority here.  You
> just irrationally hate the company.
> 
Or maybe she quite rationally *distrusts* the company.

I think considering MS's history, it is not hard to envision UEFI secure
boot being misused in a variety of ways.

-Rob





Re: [OT] Re: the ghost of UEFI and Micr0$0ft

2012-06-06 Thread Camaleón
On Tue, 05 Jun 2012 21:37:31 -0500, Christofer C. Bell wrote:

> On Tue, Jun 5, 2012 at 12:22 PM, Camaleón  wrote:

(...)

 Repeat with me: we-don't-need-Windows-anymore.
> 
> This has absolutely *nothing* to do with a dependency on Windows.

Yes, it is. And more specifically with Windows 8.

>> Microsoft (I can't tell for the rest of the hardware manufacturers
>> because their position is not mentioned in detail in the blog post) is
>> forcing a needing for something I (and I guess others) _don't need_,
>> like TPM modules, using a password in GRUB2, using encryption nor
>> signing for safe code.
> 
> Microsoft isn't forcing anyone to do anything.  They're saying, "if you
> want to put the Windows 8 logo on your hardware, you must enforce
> trusted boot."  No one else has to use it, however, PC manufacturers are
> likely to, you know, enforce secure boot which means Linux *won't* boot
> unless it's either signed or secure boot is disabled.  You're completely
> free to not use secure boot if you don't want to.

You seem to ignore that MS Windows comes pre-installed on almost every 
single computer sold in this planet (okay, let's say ~95% of the desktop 
oriented market). I don't know how you call that but to my eyes that's 
not what I see as a "fair status" for the rest of the software 
manufacturers: if you want to sell your hardware you'll have to put 
windows on it. I'd like to see policies aimed to change this situation.

>> We are who decide what/how/when we need something not the others and
>> even less MS :-/
> 
> Yes, and you're free to decide you don't need secure boot and to disable
> it at your option.  If you can't figure out how, I'm sure your PC or
> motherboard will come with documentation that can help.

Yes, that's the idea, so why caring about their secure boot at all? We 
should recommend *our* users that they simply disable that feature if 
they want to dual boot their computers, right?

>> The price to pay here is more than a few pennies: there's a freedom
>> price.
> 
> There is absolutely zero price anyone needs to pay.  Fedora is
> purchasing a key from a trusted 3rd party to sign their own code with so
> it can work with secure boot UEFI out of the box with a minimum of
> hassle.  They're buying a convenience, not something that's at all
> required.

They're buying _your_ freedom and mine is priceless.

>> I value ideas and the good work more than money; they're priceless.
> 
> Your rant against UEFI secure boot, Fedora, and Microsoft smells an
> awful lot like "I just hate Microsoft just because I hate them and
> they're evil and I hate them" than it does any kind of reasoned
> technical objection.

Sorry sir, but you completely miss the point. I'm not "ranting" against 
UEFI nor secure boot nor Fedora nor MS but exposing my POV about how 
the FLOSS community is handling this situation.

And forget that "MS-hate" you speak about, it does not go with me :-)

>> UEFI is not the problem here. People are using UEFI nowadays without any
>> issue. It is MS who is building a fictional wall in between.
> 
> People are using UEFI just fine without secure boot.  Secure boot is a
> new feature that requires signed code to work.  You're free to not use
> it.  The rest of us feel it's beneficial.  There's no artificial wall.
>  You just hate Microsoft.

And you're wrong, again. 

I hate the way a company is treating something that involves other 
companies and users, because they're acting as if there were no other 
operating systems in the world. If you can't or don't want to understand 
what MS is doing with this, I can't be of any help. 

Finally, I can't but fully agree with the FSF position in this regard:

http://www.fsf.org/campaigns/secure-boot-vs-restricted-boot/

Greetings,

-- 
Camaleón


Archive: http://lists.debian.org/jqnrak$u68$1...@dough.gmane.org



Re: the ghost of UEFI and Micr0$0ft

2012-06-06 Thread Jon Dowland
On Wed, Jun 06, 2012 at 03:40:13PM +0100, Laurence Hurst wrote:
> I can see this turning into a support nightmare for Fedora when,
> inevitably, some hardware or firmware comes along which (at least as
> an interim measure until "official" fixes are released) requires the
> use of a newer kernel and/or module, or a patch/rebuild of an
> existing one.
> 
> I wonder how they will cope with the likes of nvidia/ati/intel who
> release their own kernel modules and installers outside of the
> distribution ecosystem, which will presumably be unsigned and a lot
> of people seem to use for the [potential/perceived] performance
> benefits.

In both cases, probably "disable secure boot".

> I doubt there will be an easy way to disable the secure boot BIOS
> setting on the users' behalf, even from a signed boot loader, as
> that would just lead to malware finding a way to silently disable it
> to get around it.

Said malware would need to have direct BIOS access and thus be executed
from a 'trusted' environment. 'Trusted' environments should disable
direct hardware access except for signed components.  The question is
whether having a program which *intended* to do it for you could be
signed and whether this would pass whatever requirements you are accepting
when you hand over the 99$.


-- 
Jon Dowland


Archive: http://lists.debian.org/20120606145014.GD22416@debian



Re: [OT] Re: the ghost of UEFI and Micr0$0ft

2012-06-06 Thread Camaleón
On Tue, 05 Jun 2012 15:01:53 -0400, Tom H wrote:

> On Tue, Jun 5, 2012 at 1:39 PM, Camaleón  wrote:

(...)

>>> http://blog.canonical.com/2011/10/28/white-paper-secure-boot-impact-on-linux/
>>
>> That white paper points to Canonical and Redhat companies.
>>
>> I wonder if they tried to contact the other community linux members and
>> distributions or even thought about another way of handling this
>> through The Linux Foundation, for instance.
> 
> Maybe Red Hat and Canonical contacted others, maybe they didn't. 

That's important, at least for me. If other linux manufacturers want to 
play alone in this game, that's fine, but I'd also like to know my 
"partners" and what their position on the subject is. This UEFI issue is 
an important thing I would take with extreme care; I mean, it is not like 
selecting what will be the default MUA we're going to include for the 
next release, I guess you get the point.

> These are the two Linux companies that are the least likely to
> cooperate so I'd have to guess (but it's only a guess!) that others
> were contacted.

I wonder what about SUSE (SLES and SLED) as this is another of the "big" 
linux distributors :-?

> But, if a distribution didn't react post-the-white-paper either on its
> own or in cooperation with Fedora and/or Ubuntu, then it has no right to
> complain now.

Mmmm, that's not fair: I can't react to something I'm not aware of.

> This is the position of the Linux Foundation [2] and this is the paper's
> conclusion:

(...)

> It's dated October 2011 but it doesn't seem to have a problem with what
> Fedora's done. It even calls the "establishment of an independent
> certificate authority" unnecessary.
> 
> 2.
> https://www.linuxfoundation.org/sites/main/files/lf_uefi_secure_boot_open_platforms.pdf

That's an interesting insight. The sad part here starts at page 3 
("Booting closed operating systems") so, why should we bother about MS 
movements if they refuse to consider an open implementation of this UEFI 
secure boot?

>>> The other distributions only have themselves to blame if Fedora's
>>> ended up going its own way. I wonder what happened to Ubuntu
>>> post-the-white-paper; it's even more bizarre than the other
>>> distributions not making any kind of statement or seemingly not
>>> getting involved in fighting for Linux, given that like Fedora, Ubuntu
>>> has a new release in October/November that'll have to take Secure Boot
>>> into account. Also, I suspect that had Debian's participation been
>>> raised on debian-devel, the flame war would have ended after F18 and
>>> U12.10 had been published (witness the never-ending "discussions" on
>>> replacing sysvinit that have been going on, intermittently, since last
>>> summer).
>>
>> Maybe it is that they were not properly queried for comments. And remember
>> Debian has not a time-based schedule for their releases so why should
>> we worry about the others' hurry to be more Windows-friendly?
> 
> Debian can live in a bubble 

Which seems to be working quite fine, I'd add :-)

> by saying that it doesn't have a time-based schedule but the hardware
> manufacturers have a schedule, that of Microsoft's release of Win8. 

Are you saying that we should follow the others' (MS or hardware 
manufacturers) schedule? Why do you think they deserve so? Have they been 
helping us in any way by open sourcing their firmware or driver specs? 
I think not :-)

> So a solution has to be planned and implemented before Win8 and Secure
> Boot boxes hit the market for those distributions that choose to give
> their users the choice to use Secure Boot. 

Sorry but I don't have any hurry nor have a timeline to accomplish nor 
have shareholders to keep happy ;-)

> Debian might choose to tell its users "disable Secure Boot" as the
> second poster in this thread said, but we don't know what its choice is
> or what it's going to be.

That's exactly what I would do: teaching users is the best long-term 
approach. 

Windows users with secure boot enabled who want to boot a different OS 
should ask MS how to do it, don't you think? They have paid for what they 
have installed.

> I suspect that at some point in the future not only will Secure Boot be
> extended to servers but it'll be a criterion to fulfill in order to pass
> a security audit. If a distribution doesn't get involved at the
> inception of the rules, it'll just have to live by the specs that have
> been developed and agreed to by others.

To be sincere, although I don't have deep knowledge of this 
feature, I think it will have the same effect as DRM or TPM 
technologies... almost useless because they were tricky to set up with no 
value-added benefits.

>>> For those of us who want to dual-, triple-, ...-boot Windows, want to
>>> boot from a Live CD, want to compile their own kernels, want to use
>>> kernel modules not included in their distribution (assuming that the
>>> distribution can boot using Secure Boot), ..., we have to thank Fedora
>>> for workin

Re: the ghost of UEFI and Micr0$0ft

2012-06-06 Thread Laurence Hurst

On 06/06/2012 14:56, Jon Dowland wrote:

>> and it'd require resources to manage and maintain, something better suited to
>> a commercial enterprise.

> That's the big deal. Fedora seem to believe they can manage maintaining closed
> and signed bootloaders, kernel and kernel modules.  That would be very difficult
> to achieve in Debian.



I can see this turning into a support nightmare for Fedora when, 
inevitably, some hardware or firmware comes along which (at least as an 
interim measure until "official" fixes are released) requires the use of 
a newer kernel and/or module, or a patch/rebuild of an existing one.


I wonder how they will cope with the likes of nvidia/ati/intel who 
release their own kernel modules and installers outside of the 
distribution ecosystem, which will presumably be unsigned and a lot of 
people seem to use for the [potential/perceived] performance benefits.



> A more interesting approach might be to maintain a locked-down install image
> chain which offered, as a very early installer option, to disable the secure
> boot BIOS setting on your behalf.  From then onwards you could run whatever you
> like.  Whether or not that will be generally possible, I don't know.




I doubt there will be an easy way to disable the secure boot BIOS 
setting on the users' behalf, even from a signed boot loader, as that 
would just lead to malware finding a way to silently disable it to get 
around it.


Laurence



Archive: http://lists.debian.org/4fcf6bcd.9050...@lboro.ac.uk



Re: [OT] Re: the ghost of UEFI and Micr0$0ft

2012-06-06 Thread Camaleón
On Tue, 05 Jun 2012 18:55:59 +0100, Nuno Magalhães wrote:

> On Tue, Jun 5, 2012 at 6:39 PM, Camaleón  wrote:
>> And remember
>> Debian has not a time-based schedule for their releases
> 
> That's awkward, i was under the impression there was a change some years
> back so that the stable branch would change to a 6 months release
> schedule. Did that never go through or was it only temporary?

What I wanted to say is that Debian releases a new version at the time 
they consider it ready to be released, with no other barriers beyond 
technical problems. 

Yes, there was a consensus about delivering a new stable version every 2 
years but to be sincere, I don't know if that still stands true :-?

Greetings,

-- 
Camaleón


Archive: http://lists.debian.org/jqno3u$u68$9...@dough.gmane.org



Re: [OT] Re: the ghost of UEFI and Micr0$0ft

2012-06-06 Thread Camaleón
On Tue, 05 Jun 2012 21:40:23 -0500, Christofer C. Bell wrote:

> On Tue, Jun 5, 2012 at 12:45 PM, Camaleón  wrote:
>> On Tue, 05 Jun 2012 19:26:55 +0200, Claudius Hubig wrote:

(...)

>>> However, I welcome the fact that attacks on Windows will be made more
>>> difficult, since that also means smaller botnets, fewer vulnerable
>>> computers etc.
>>
>> That's the problem: we don't have to care about Windows security, it's
>> not our business! That's a problem for the Windows users not for us.
> 
> If you don't care about Windows security then just turn off secure boot.

And that's precisely the path I prefer for this matter: doing the same 
we've been doing for years, as for example, with win-BIOS fake RAIDs. You 
want that thing? You (the user) enable it or disable it at your desire.

>  You're running Debian to begin with.  I'm sure you can figure it out. 
> You're a technical person.  

"You, you, you..." *I'm* not the problem here.

> UEFI secure boot was *not developed to benefit Microsoft*.  

We're not talking here about the UEFI secure boot feature but Fedora's 
path to work around a problem that will be generated exclusively by the 
upcoming version of Microsoft's OS, Windows 8. And IMO it is just that, a 
patch, a workaround, because it does not solve the core of the problem :-/

> Microsoft's only involvement here is being a 3rd party player who has a
> code signing key.  They are acting no differently than any other generic
> certificate authority here.  You just irrationally hate the company.

I use Microsoft products every day (in my home, at the office...), so you 
simply don't know what you are saying.

Greetings,

-- 
Camaleón


Archive: http://lists.debian.org/jqnntp$u68$8...@dough.gmane.org



Re: the ghost of UEFI and Micr0$0ft

2012-06-06 Thread Jon Dowland
On Wed, Jun 06, 2012 at 09:56:07PM +1000, Scott Ferguson wrote:
> the only things stopping Debian from getting a key is that not many
> manufacturers would use it

They wouldn't have to: they have to trust anything signed with a private
key that MS/Verisign hold, so if Debian paid the 99$ and got a bootloader
signed, it would be trusted. The manufacturers would not need to do any
extra work.

> and it'd require resources to manage and maintain, something better suited to
> a commercial enterprise.

That's the big deal. Fedora seem to believe they can manage maintaining closed
and signed bootloaders, kernel and kernel modules.  That would be very difficult
to achieve in Debian.

A more interesting approach might be to maintain a locked-down install image
chain which offered, as a very early installer option, to disable the secure
boot BIOS setting on your behalf.  From then onwards you could run whatever you
like.  Whether or not that will be generally possible, I don't know.


Archive: http://lists.debian.org/20120606135619.GB22416@debian



Re: the ghost of UEFI and Micr0$0ft

2012-06-06 Thread Jon Dowland
On Wed, Jun 06, 2012 at 11:31:11PM +1000, Scott Ferguson wrote:
> Not immediately it's not (W7).  Perhaps >W7. How about Apple?

The irony here is that Apple hardware might end up being the easiest for a
beginner to install Linux on.


Archive: http://lists.debian.org/20120606135128.GA22416@debian



Re: [OT] Re: the ghost of UEFI and Micr0$0ft

2012-06-06 Thread Camaleón
On Tue, 05 Jun 2012 15:07:42 -0400, Tom H wrote:

> On Tue, Jun 5, 2012 at 1:45 PM, Camaleón  wrote:
>> On Tue, 05 Jun 2012 19:26:55 +0200, Claudius Hubig wrote:
>>>
>>> However, I welcome the fact that attacks on Windows will be made more
>>> difficult, since that also means smaller botnets, fewer vulnerable
>>> computers etc.
>>
>> That's the problem: we don't have to care about Windows security, it's
>> not our business! That's a problem for the Windows users not for us.
> 
> Can you guarantee that there isn't and will never be a BIOS rootkit that
> affects Linux?
>
> Can you guarantee that Windows botnets don't/won't attack Linux boxes?

Tom, that's irrelevant!

I can cope with linux malware but I can't cope with a third-party 
company disallowing me from booting _my own_ systems and I can't see any 
benefit in helping or defending such a restrictive position.

To be sincere, I prefer that my linux (or windows) computer got infected 
because of _my failure_ than being at the orders of a _third party_ :-/

Greetings,

-- 
Camaleón


Archive: http://lists.debian.org/jqnn88$u68$7...@dough.gmane.org



Re: the ghost of UEFI and Micr0$0ft

2012-06-06 Thread Scott Ferguson
On 06/06/12 22:51, Tom H wrote:
> On Wed, Jun 6, 2012 at 7:56 AM, Scott Ferguson
>  wrote:
>> On 06/06/12 20:47, Tom H wrote:
>>> On Wed, Jun 6, 2012 at 6:06 AM, Scott Ferguson
>>>  wrote:
>>>> On 06/06/12 19:23, Tom H wrote:
>>>>> On Wed, Jun 6, 2012 at 12:18 AM, Scott Ferguson
>>>>>  wrote:
> 
> 
> 
>>>>>> ;consider also that Fedora has *not* said they won't be sharing the key
>>>>>
>>>>> They won't share their Secure Boot key in the same way that they don't
>>>>> share their RPM-signing key(s).
>>>>
>>>> I'm unable to find anything from the RedHat/Fedora community who
>>>> supports that assertion, and it's not supported by the article:-
>>>>
>>>> "Adopting a distribution-specific key and encouraging hardware companies
>>>> to adopt it *would have been hostile to other distributions*. We want to
>>>> compete on merit, not because we have better links to OEMs.
>>>
>>> In this para, MG's saying that Fedora didn't want to buy a
>>> 99-dollar-key and have it loaded into the firmware of the hardware
>>> manufacturers who'd agree to do so.
>>
>> I read that as "there was no realistic chance that we could get *all* of
>> them to carry it", and so they didn't. Tim Burke gives the same reasons.
>> Aside from legal reasons (I'm not sure how UEFI and the Debian
>> constitution fit) the only things stopping Debian from getting a key is
>> that not many manufacturers would use it - and it'd require resources to
>> manage and maintain, something better suited to a commercial enterprise.
> 
> He made two arguments for not going the
> have-the-Fedora-key-uploaded-by-OEMs way. He called the first
> user-hostile because it would require having hardware-compatibility
> lists because not all OEMs would be willing to upload the Fedora key.
> And he called the second distribution-hostile because Fedora would
> have had better success at having its key uploaded than other
> distributions given Red Hat's more extensive relationships with OEMs.
> There's not even a hint of sharing Fedora's key with anyone.
> 
> 
> 
>>>> An alternative was producing some sort of overall Linux key. It turns
>>>> out that this is also difficult, since it would mean finding an entity
>>>> who was willing to take responsibility for managing signing or key
>>>> distribution. That means having the ability to keep the root key
>>>> absolutely secure and perform adequate validation of people asking for
>>>> signing. That's expensive. Like millions of dollars expensive. It would
>>>> also take a lot of time to set up, and that's not really time we had.
>>>> And, finally, nobody was jumping at the opportunity to volunteer. So no
>>>> generic Linux key."
>>>>
>>>> Hardly "we don't want to share", more "we can't afford to"
>>>
>>> In this para, he isn't discussing a Fedora 99-dollar-key purchased
>>> from Verisign, but a cross-distribution Linux key infrastructure
>>> similar to the one that Microsoft's developed/developing.
>>
>> Two keys?
>> I read it as *one* key bought (from Verisign) for $99 through the MS
>> sysdev portal that will be used to sign the first stage boot loader for
>> use on hardware "certified" to support Windoof 7?
> 
> Why would a 99-dollar-key cost millions?

No one said a key would cost millions.

> 
> You're thinking of a third scenario that MG hasn't described where a
> "Linux Secure Boot Foundation" buys a 99-dollar-key and shares it with
> all (!) distributions - I'm of course assuming here and the previous
> scenario of Fedora sharing its key that the agreement with Verisign
> allows a key to be loaned out/shared - which puts us in the same
> situation as the Fedora-key-sharing situation, that I posted earlier
> and that you snipped from your reply, where the failure of one
> distribution would result in all distributions having their one key
> blacklisted.

That's the management exercise that would cost millions.

> 
> 


-- 
Iceweasel/Firefox/Chrome/Chromium/Iceape/IE extensions for finding
answers to questions about Debian:-
https://addons.mozilla.org/en-US/firefox/collections/Scott_Ferguson/debian/


Archive: http://lists.debian.org/4fcf5c20.90...@gmail.com



Re: the ghost of UEFI and Micr0$0ft

2012-06-06 Thread Scott Ferguson
On 06/06/12 22:14, Nate Bargmann wrote:
> * On 2012 05 Jun 23:04 -0500, Christofer C. Bell wrote:
>> Please articulate what freedoms, exactly, you're losing through the
>> availability of UEFI secure boot (a feature you are in no way
>> compelled to use).
> 
> Let's not blindly assume that all hardware manufacturers will follow
> the spec and *allow* disabling of secure boot.  

I'd agree that not all manufacturers will follow UEFI specs or MS
requirements as to what UEFI *must* support for the device to carry the
"W7 approved" sticker. That's two separate issues.

Intel, MS, Apple and other players share your concern that not all UEFI
BIOS will be equal.

For W7 MS require x86 UEFI to allow disabling secure boot - so if a
UEFI BIOS doesn't but carries the W7 sticker, it's a MS problem.

> It's obvious from the
> discussion that they will have the option of not enabling a non secure
> boot. 

Not immediately it's not (W7).  Perhaps >W7. How about Apple?

> The point I and others are making is that MSFT has a long record
> of engaging the hardware manufacturers in contracts whose terms are
> apparently rather interesting.  

...as has every one of the UEFI players.

> There is no guarantee that being able to
> disable secure boot will be available in future products.  I'm sure it
> will be available at first just to quell the fear, but the manufacturers
> will discover some "sound reasoning" a few years hence as to why
> eliminating the BIOS option is necessary.

I don't have a problem with that. But then I don't think MS is a viable
long term business, and I'd prefer people bought open hardware (even if
it costs more ie Golden Delicious) instead of settling for second prize
(buying a device with another OS on it).

> 
> It's quite possible that everyone in this endeavor is working with the
> best interests of the users in mind.  It would be a first, but given the
> long track record of this industry, I'm not holding my breath.

Please don't (hold your breath).

UEFI could be good - but if the corporations get their way it could also
be bad. It's just too easy for the lowlifes to use UEFI as a way to
shift responsibility from the company that benefits to the consumer.
Likewise "user" training under the guise of certification




> 
> I'm only concerned about being able to continue to enjoy general purpose
> computing and programming on my terms.  

And hopefully some manufacturers will realise that you are not alone.
And I'd agree with a need for a choice - but I still want UEFI for many
instances.

> I can see this leading to a
> "secure" certificate being required to sign everything from boot to
> logging onto the Internet where only "approved secure" software may be
> used, to a place where compilers and interpreters--anything that can be
> used to write executable/interpreted code--must be likewise signed and
> part of a verified chain of "trust".  All to prevent "malware", you see.

Yes. And various other similar scenarios (for the children,
anti-terrorism, anti-piracy, preserve the bandwidth). I don't believe
UEFI will enable or make that scenario more likely - because I don't
believe the corporate players would agree on the division of spoils.


> Hobbyists and Free Software as we've known it will have no place in this
> brave new world.  

Certainly the corporations would like that - it's what they wanted with
the first motor vehicles, wireless, movies, recorded music.
I'm told "hacker" was a derisory term first employed by owners of the
new steam powered factories, to describe craftsmen who handcrafted
furniture. I don't expect much will change - appliances will continue to
be hacked (modified) with limitations imposed by manufacturers trying to
increase their margins, while other manufacturers cater to hacking.
There will always be Arduino/Raspberry Pi/PIC and autopart stores, but
we'll no more force all computer manufacturers to support "hobbyists"
than car manufacturers - at least until the next Communist Empire.

> This strikes me as much like DRM the content studios
> have been pushing for several years.

:-)
And possibly just as effective.

> 
> - Nate >>
> 

Kind regards

-- 
Iceweasel/Firefox/Chrome/Chromium/Iceape/IE extensions for finding
answers to questions about Debian:-
https://addons.mozilla.org/en-US/firefox/collections/Scott_Ferguson/debian/


Archive: http://lists.debian.org/4fcf5b9f.1080...@gmail.com



Re: the ghost of UEFI and Micr0$0ft

2012-06-06 Thread Tom H
On Wed, Jun 6, 2012 at 7:56 AM, Scott Ferguson
 wrote:
> On 06/06/12 20:47, Tom H wrote:
>> On Wed, Jun 6, 2012 at 6:06 AM, Scott Ferguson
>>  wrote:
>>> On 06/06/12 19:23, Tom H wrote:
>>>> On Wed, Jun 6, 2012 at 12:18 AM, Scott Ferguson
>>>>  wrote:



>>>>> ;consider also that Fedora has *not* said they won't be sharing the key
>>>>
>>>> They won't share their Secure Boot key in the same way that they don't
>>>> share their RPM-signing key(s).
>>>
>>> I'm unable to find anything from the RedHat/Fedora community who
>>> supports that assertion, and it's not supported by the article:-
>>>
>>> "Adopting a distribution-specific key and encouraging hardware companies
>>> to adopt it *would have been hostile to other distributions*. We want to
>>> compete on merit, not because we have better links to OEMs.
>>
>> In this para, MG's saying that Fedora didn't want to buy a
>> 99-dollar-key and have it loaded into the firmware of the hardware
>> manufacturers who'd agree to do so.
>
> I read that as "there was no realistic chance that we could get *all* of
> them to carry it", and so they didn't. Tim Burke gives the same reasons.
> Aside from legal reasons (I'm not sure how UEFI and the Debian
> constitution fit) the only things stopping Debian from getting a key is
> that not many manufacturers would use it - and it'd require resources to
> manage and maintain, something better suited to a commercial enterprise.

He made two arguments for not going the
have-the-Fedora-key-uploaded-by-OEMs way. He called the first
user-hostile because it would require having hardware-compatibility
lists because not all OEMs would be willing to upload the Fedora key.
And he called the second distribution-hostile because Fedora would
have had better success at having its key uploaded than other
distributions given Red Hat's more extensive relationships with OEMs.
There's not even a hint of sharing Fedora's key with anyone.



>>> An alternative was producing some sort of overall Linux key. It turns
>>> out that this is also difficult, since it would mean finding an entity
>>> who was willing to take responsibility for managing signing or key
>>> distribution. That means having the ability to keep the root key
>>> absolutely secure and perform adequate validation of people asking for
>>> signing. That's expensive. Like millions of dollars expensive. It would
>>> also take a lot of time to set up, and that's not really time we had.
>>> And, finally, nobody was jumping at the opportunity to volunteer. So no
>>> generic Linux key."
>>>
>>> Hardly "we don't want to share", more "we can't afford to"
>>
>> In this para, he isn't discussing a Fedora 99-dollar-key purchased
>> from Verisign, but a cross-distribution Linux key infrastructure
>> similar to the one that Microsoft's developed/developing.
>
> Two keys?
> I read it as *one* key bought (from Verisign) for $99 through the MS
> sysdev portal that will be used to sign the first stage boot loader for
> use on hardware "certified" to support Windoof 7?

Why would a 99-dollar-key cost millions?

You're thinking of a third scenario that MG hasn't described where a
"Linux Secure Boot Foundation" buys a 99-dollar-key and shares it with
all (!) distributions - I'm of course assuming here and the previous
scenario of Fedora sharing its key that the agreement with Verisign
allows a key to be loaned out/shared - which puts us in the same
situation as the Fedora-key-sharing situation, that I posted earlier
and that you snipped from your reply, where the failure of one
distribution would result in all distributions having their one key
blacklisted.


Archive: 
http://lists.debian.org/CAOdo=SwEX3+6uN1Qu=w07vivqp0a0j5m51cgqfnqaakudjd...@mail.gmail.com



Re: the ghost of UEFI and Micr0$0ft

2012-06-06 Thread Nate Bargmann
* On 2012 05 Jun 23:04 -0500, Christofer C. Bell wrote:
> Please articulate what freedoms, exactly, you're losing through the
> availability of UEFI secure boot (a feature you are in no way
> compelled to use).

Let's not blindly assume that all hardware manufacturers will follow
the spec and *allow* disabling of secure boot.  It's obvious from the
discussion that they will have the option of not enabling a non secure
boot.  The point I and others are making is that MSFT has a long record
of engaging the hardware manufacturers in contracts whose terms are
apparently rather interesting.  There is no guarantee that being able to
disable secure boot will be available in future products.  I'm sure it
will be available at first just to quell the fear, but the manufacturers
will discover some "sound reasoning" a few years hence as to why
eliminating the BIOS option is necessary.

It's quite possible that everyone in this endeavor is working with the
best interests of the users in mind.  It would be a first, but given the
long track record of this industry, I'm not holding my breath.

> Secure boot is about future devices, not current ones.  Your comments
> thus far indicate you've made no effort to educate yourself about the
> issues.

That's twice you've swerved into ad hominem.  If I were uneducated about
the issues at hand, I would be rather accepting of what is being placed
on my plate.  As I am championing the right of myself and others to boot
the code of our choice on the hardware of our choice, pragmatism is not
a reasonable response.

> On ARM devices that support secure boot, it cannot be disabled like it
> can on a PC.

Ahhh, now a qualifier.  So it's not a requirement of the ARM processor
then, and my comment about community derived ARM hardware being our
future stands true?

I'm only concerned about being able to continue to enjoy general purpose
computing and programming on my terms.  I can see this leading to a
"secure" certificate being required to sign everything from boot to
logging onto the Internet where only "approved secure" software may be
used, to a place where compilers and interpreters--anything that can be
used to write executable/interpreted code--must be likewise signed and
part of a verified chain of "trust".  All to prevent "malware", you see.
Hobbyists and Free Software as we've known it will have no place in this
brave new world.  This strikes me as much like DRM the content studios
have been pushing for several years.

- Nate >>

-- 

"The optimist proclaims that we live in the best of all
possible worlds.  The pessimist fears this is true."

Ham radio, Linux, bikes, and more: http://www.n0nb.us


Archive: http://lists.debian.org/20120606121411.gl4...@n0nb.us



Re: the ghost of UEFI and Micr0$0ft

2012-06-06 Thread Laurence Hurst

On 06/06/2012 11:47, Tom H wrote:
> Nowhere is the proposed Fedora 99-dollar-key being offered to other
> distributions. Since it only costs USD 99 it wouldn't make sense for
> Debian, for example, not to get its own rather than use Fedora's. And
> Fedora wouldn't want to take the risk of loaning its key to Debian,
> having the latter screwing up, and having Fedora's key being
> blacklisted.

Fedora have also signed the entire chain from their shim bootloader 
(with the 99USD key), grub, kernel and kernel modules (latter 3 with 
Fedora's own key/chain-of-trust). Even if they were willing to take the 
risk of sharing, I don't think they would with anyone who wasn't willing 
to sign their own entire boot-chain down to the kernel module level. I 
think it would be very bad for the principles of free (as in freedom) 
software if Debian went down the same route creating a walled-garden for 
the entire boot chain through to the kernel modules on secure-boot 
enabled systems.


Could the hardware manufacturers not have provided a method to allow OS 
installers (as in installation programs) to add their own keys via a 
UEFI level call which results in a prompt at next boot saying "A new key 
has been added (fingerprint: $key_fingerprint). Do you want to trust it 
(Yes/No)?"? It wouldn't solve the potential risk for users who just say 
yes to everything, but for anyone with a little clue it provides 
protection and is not as anti-competitive as the current situation 
appears to be.


Laurence



Archive: http://lists.debian.org/4fcf4386.2000...@lboro.ac.uk
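
The boot chain and the confirm-at-next-boot key enrolment described in the message above, modelled as an added example that is not code from the thread, Fedora, or any firmware. It assumes toy textbook RSA built from Mersenne primes in place of real signatures, and every class, function and image name in it is hypothetical.

```python
import hashlib

E = 65537

def make_key(a, b):
    """Toy textbook RSA from the Mersenne primes 2**a-1 and 2**b-1 (model only)."""
    p, q = 2**a - 1, 2**b - 1
    return {"n": p * q, "e": E, "d": pow(E, -1, (p - 1) * (q - 1))}

def public(key):
    return (key["n"], key["e"])

def fingerprint(pub):
    return hashlib.sha256(f"{pub[0]}:{pub[1]}".encode()).hexdigest()[:16]

def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(key, data):
    return pow(_digest(data, key["n"]), key["d"], key["n"])

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _digest(data, n)

class Firmware:
    def __init__(self, preinstalled):
        self.db = {fingerprint(p): p for p in preinstalled}  # trusted keys
        self.dbx = set()                                     # blacklisted fingerprints
        self.pending = []                                    # queued by an OS installer

    def request_enrollment(self, pub):
        self.pending.append(pub)  # queued only; nothing is trusted yet

    def next_boot_prompt(self, user_says_yes):
        """user_says_yes(fingerprint) -> bool models the person at the console."""
        shown = []
        for pub in self.pending:
            fp = fingerprint(pub)
            shown.append(fp)
            if user_says_yes(fp):
                self.db[fp] = pub
        self.pending = []
        return shown

    def trusted_signer(self, image, sig):
        for fp, pub in self.db.items():
            if fp not in self.dbx and verify(pub, image, sig):
                return fp
        return None

def make_shim(vendor_pub):
    # The vendor key sits inside the shim image, so the shim signature covers it.
    return b"SHIM|" + f"{vendor_pub[0]}:{vendor_pub[1]}".encode()

def boot(fw, first_stage, first_sig, later_stages=()):
    """Return (True, None), or (False, name of the stage that failed)."""
    if fw.trusted_signer(first_stage, first_sig) is None:
        return (False, "first stage")
    if later_stages:
        n, e = first_stage.split(b"|", 1)[1].decode().split(":")
        vendor_pub = (int(n), int(e))
        for name, image, sig in later_stages:
            if not verify(vendor_pub, image, sig):
                return (False, name)
    return (True, None)

def demo():
    portal_key = make_key(61, 89)    # stands in for the key already in firmware
    vendor_key = make_key(107, 127)  # distribution's own key for later stages
    other_key = make_key(521, 607)   # second distribution, no pre-installed trust
    fw = Firmware([public(portal_key)])
    shim = make_shim(public(vendor_key))
    shim_sig = sign(portal_key, shim)
    images = [("grub", b"grub image"), ("kernel", b"kernel image"),
              ("module", b"module image")]  # constructed sample images
    stages = [(n, img, sign(vendor_key, img)) for n, img in images]
    r = {"signed chain": boot(fw, shim, shim_sig, stages)}
    # A module changed after signing keeps its old signature and is rejected.
    tampered = stages[:2] + [("module", b"modified module", stages[2][2])]
    r["tampered module"] = boot(fw, shim, shim_sig, tampered)
    loader = b"other distro loader"
    loader_sig = sign(other_key, loader)
    r["before enrolment"] = boot(fw, loader, loader_sig)
    fw.request_enrollment(public(other_key))
    r["still pending"] = boot(fw, loader, loader_sig)
    expected = fingerprint(public(other_key))  # compared by the user at the prompt
    r["prompted"] = fw.next_boot_prompt(lambda fp: fp == expected)
    r["after yes"] = boot(fw, loader, loader_sig)
    fw.dbx.add(fingerprint(public(portal_key)))  # the pre-installed key is blacklisted
    r["after blacklist"] = boot(fw, shim, shim_sig, stages)
    return r

if __name__ == "__main__":
    for step, outcome in demo().items():
        print(step, outcome)
```

The last step shows the blast radius of a blacklisting: every chain whose first stage depends on the revoked key stops booting, while the separately enrolled key keeps working.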



Re: the ghost of UEFI and Micr0$0ft

2012-06-06 Thread Scott Ferguson
On 06/06/12 20:47, Tom H wrote:
> On Wed, Jun 6, 2012 at 6:06 AM, Scott Ferguson
>  wrote:
>> On 06/06/12 19:23, Tom H wrote:
>>> On Wed, Jun 6, 2012 at 12:18 AM, Scott Ferguson
>>>  wrote:
> 
> 
>>>> ;consider also that Fedora has *not* said they won't be sharing the key
>>>
>>> They won't share their Secure Boot key in the same way that they don't
>>> share their RPM-signing key(s).
>>
>> I'm unable to find anything from the RedHat/Fedora community who
>> supports that assertion, and it's not supported by the article:-
>>
>> "Adopting a distribution-specific key and encouraging hardware companies
>> to adopt it *would have been hostile to other distributions*. We want to
>> compete on merit, not because we have better links to OEMs.
> 
> In this para, MG's saying that Fedora didn't want to buy a
> 99-dollar-key and have it loaded into the firmware of the hardware
> manufacturers who'd agree to do so.

I read that as "there was no realistic chance that we could get *all* of
them to carry it", and so they didn't. Tim Burke gives the same reasons.
Aside from legal reasons (I'm not sure how UEFI and the Debian
constitution fit) the only thing stopping Debian from getting a key is
that not many manufacturers would use it - and it'd require resources to
manage and maintain, something better suited to a commercial enterprise.


> 
> 
>> An alternative was producing some sort of overall Linux key. It turns
>> out that this is also difficult, since it would mean finding an entity
>> who was willing to take responsibility for managing signing or key
>> distribution. That means having the ability to keep the root key
>> absolutely secure and perform adequate validation of people asking for
>> signing. That's expensive. Like millions of dollars expensive. It would
>> also take a lot of time to set up, and that's not really time we had.
>> And, finally, nobody was jumping at the opportunity to volunteer. So no
>> generic Linux key."
>>
>> Hardly "we don't want to share", more "we can't afford to"
> 
> In this para, he isn't discussing a Fedora 99-dollar-key purchased
> from Verisign, but a cross-distribution Linux key infrastructure
> similar to the one that Microsoft's developed/developing.

Two keys?
I read it as *one* key bought (from Verisign) for $99 through the MS
sysdev portal that will be used to sign the first stage boot loader for
use on hardware "certified" to support Windoof 7?


Kind regards

-- 
Iceweasel/Firefox/Chrome/Chromium/Iceape/IE extensions for finding
answers to questions about Debian:-
https://addons.mozilla.org/en-US/firefox/collections/Scott_Ferguson/debian/


Archive: http://lists.debian.org/4fcf4557@gmail.com



Re: the ghost of UEFI and Micr0$0ft

2012-06-06 Thread Tom H
On Wed, Jun 6, 2012 at 6:06 AM, Scott Ferguson
 wrote:
> On 06/06/12 19:23, Tom H wrote:
>> On Wed, Jun 6, 2012 at 12:18 AM, Scott Ferguson
>>  wrote:


>>> ;consider also that Fedora has *not* said they won't be sharing the key
>>
>> They won't share their Secure Boot key in the same way that they don't
>> share their RPM-signing key(s).
>
> I'm unable to find anything from the RedHat/Fedora community who
> supports that assertion, and it's not supported by the article:-
>
> "Adopting a distribution-specific key and encouraging hardware companies
> to adopt it *would have been hostile to other distributions*. We want to
> compete on merit, not because we have better links to OEMs.

In this para, MG's saying that Fedora didn't want to buy a
99-dollar-key and have it loaded into the firmware of the hardware
manufacturers who'd agree to do so.


> An alternative was producing some sort of overall Linux key. It turns
> out that this is also difficult, since it would mean finding an entity
> who was willing to take responsibility for managing signing or key
> distribution. That means having the ability to keep the root key
> absolutely secure and perform adequate validation of people asking for
> signing. That's expensive. Like millions of dollars expensive. It would
> also take a lot of time to set up, and that's not really time we had.
> And, finally, nobody was jumping at the opportunity to volunteer. So no
> generic Linux key."
>
> Hardly "we don't want to share", more "we can't afford to"

In this para, he isn't discussing a Fedora 99-dollar-key purchased
from Verisign, but a cross-distribution Linux key infrastructure
similar to the one that Microsoft's developed/developing.

Nowhere is the proposed Fedora 99-dollar-key being offered to other
distributions. Since it only costs USD 99 it wouldn't make sense for
Debian, for example, not to get its own rather than use Fedora's. And
Fedora wouldn't want to take the risk of loaning its key to Debian,
having the latter screwing up, and having Fedora's key being
blacklisted.


Archive: 
http://lists.debian.org/CAOdo=SyALgri4pLTfNivZhDR+LKDPo0jrhnjvwxzq+DtM=k...@mail.gmail.com



Re: the ghost of UEFI and Micr0$0ft

2012-06-06 Thread Weaver
There has to be some monopoly abuse scenario here.
How is Microsoft permitted to own the BIOS?
Garbage.
This is a clear cut denial of natural justice.
Regards,

Weaver.


-- 


Religion is regarded by the common people as true,
by the wise as false,
and by the rulers as useful.

— Lucius Annæus Seneca.

Terrorism, the new religion.



Archive: 
http://lists.debian.org/dcc9957dfb9869b933967a161240e334.squir...@fulvetta.riseup.net



Re: the ghost of UEFI and Micr0$0ft

2012-06-06 Thread Scott Ferguson
On 06/06/12 19:23, Tom H wrote:
> On Wed, Jun 6, 2012 at 12:18 AM, Scott Ferguson
>  wrote:
>>
>> ;consider also that Fedora has *not* said they won't be sharing the key
> 
> They won't share their Secure Boot key in the same way that they don't
> share their RPM-signing key(s).


I'm unable to find anything from the RedHat/Fedora community who
supports that assertion, and it's not supported by the article:-

"Adopting a distribution-specific key and encouraging hardware companies
to adopt it *would have been hostile to other distributions*. We want to
compete on merit, not because we have better links to OEMs.

An alternative was producing some sort of overall Linux key. It turns
out that this is also difficult, since it would mean finding an entity
who was willing to take responsibility for managing signing or key
distribution. That means having the ability to keep the root key
absolutely secure and perform adequate validation of people asking for
signing. That's expensive. Like millions of dollars expensive. It would
also take a lot of time to set up, and that's not really time we had.
And, finally, nobody was jumping at the opportunity to volunteer. So no
generic Linux key."


Hardly "we don't want to share", more "we can't afford to"


> My hypothetical friends won't be thinking of Microsoft when they
> decide that they don't want to turn Secure Boot off. They'll just see
> it as lessening or disabling security on their computer, full-stop.

That's RedHat's thinking too (and mine). Additionally it makes it
difficult to ask people to try a live GNU/Linux CD if the first step is
to "turn off Secure boot" - you know, that thing that ensures only
trusted code runs (meanwhile we insist they practise safe computing use).


Kind regards

-- 
Iceweasel/Firefox/Chrome/Chromium/Iceape/IE extensions for finding
answers to questions about Debian:-
https://addons.mozilla.org/en-US/firefox/collections/Scott_Ferguson/debian/


Archive: http://lists.debian.org/4fcf2bb8.9070...@gmail.com



Re: the ghost of UEFI and Micr0$0ft

2012-06-06 Thread Tom H
On Wed, Jun 6, 2012 at 12:18 AM, Scott Ferguson
 wrote:
>
> ;consider also that Fedora has *not* said they won't be sharing the key

They won't share their Secure Boot key in the same way that they don't
share their RPM-signing key(s).


Archive: 
http://lists.debian.org/CAOdo=swszvmtasgxywmyhqaemcweeyv_ew_4tg8s7rcq3zk...@mail.gmail.com



Re: [OT] Re: the ghost of UEFI and Micr0$0ft

2012-06-06 Thread Tom H
On Tue, Jun 5, 2012 at 5:04 PM, ACro  wrote:
>>
>> I won't send them a gift but if Fedora's the only distribution to
>> support Secure Boot, then it's the only one that I'll recommend to
>> friends (independently from installing and providing support for
>> Debian servers at some of my jobs) because I don't want to have to
>> tell them "to install Linux or even test Linux from a CD without
>> installing it, I'll have to turn off 'Secure Boot' on your computer";
>> they'll most likely say "no" anyway after hearing that.
>
> of course you don't have to tell it them *this* way: yours is just sounding
> as the perfect marketing argument pro MS: «You don't want to turn your
> computer insecure, right?». It's too funny that this kind of reasoning is
> turning (from your friends' point of view) the *real security* concept
> upside down: Windows mimics the secure-OS part :-) forcing other OSs to bow
> to it, whereas Debian is thought to be the insecure one. This is clearly
> made possible because of power and money, not trust and freedom.

My hypothetical friends won't be thinking of Microsoft when they
decide that they don't want to turn Secure Boot off. They'll just see
it as lessening or disabling security on their computer, full-stop.

Microsoft's marketing's eventually going to force Secure Boot on
many/most/all; and it'll end up being compulsory and impossible to
turn off.

Consider banking. On the server-side, Secure Boot'll make it into the
security audit checklists and will have to be used on Linux boxes. On
the client-side, assuming that there's a secure way for an OS to
advertise that it was booted via Secure Boot, the latter'll become
compulsory for internet banking.

Not a pretty picture but an entirely possible and plausible one...


Archive: 
http://lists.debian.org/CAOdo=Swe3+=od_8hgtgzbezvw6yyeu1atexahkwszbsj060...@mail.gmail.com



Re: [OT] Re: the ghost of UEFI and Micr0$0ft

2012-06-06 Thread Andrei POPESCU
On Ma, 05 iun 12, 18:55:59, Nuno Magalhães wrote:
> On Tue, Jun 5, 2012 at 6:39 PM, Camaleón  wrote:
> > And remember
> > Debian has not a time-based schedule for their releases
> 
> That's awkward, i was under the impression there was a change some
> years back so that the stable branch would change to a 6 months
> release schedule. Did that never go through or was it only temporary?

Debian will release "when it's ready" and there are no plans to change 
this. However, it will try to *freeze* every two years (or at least 
have a predictable freeze), the next one being planned for the second 
half of this month (whohoo).

Kind regards,
Andrei
-- 
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic




Re: the ghost of UEFI and Micr0$0ft

2012-06-06 Thread Scott Ferguson
On 06/06/12 18:44, Andrei POPESCU wrote:
> On Ma, 05 iun 12, 20:26:03, Slavko wrote:
>>
>> in our country is more and more difficult to buy computer (specially
>> notebook) without Windows included. In one shop they are telling me, that
>> it is not possible. 
> 
> If you have such an answer on paper you *might* be able to request a 
> refund for the MS Windows license according to its own EULA, but be 
> careful not to accept the EULA


The Windoof 7 EULA:-

"By using the software, you accept these terms. If you do not accept
them, do not use the software. Instead, contact the manufacturer or
installer to determine its return policy. You must comply with that
policy, which might limit your rights or require you to return the
entire system on which the software is installed."

> on the first boot (most laptops on 
> display will have it accepted by the shop staff).
> 
> Hope this helps,
> Andrei


My experience is that Dell and Toshiba do refunds (XP and Vista), albeit
reluctantly, but Lenovo/IBM won't (for Thinkpads).

This may prove useful:-
http://no.more.racketware.info/index




Kind regards


-- 
Iceweasel/Firefox/Chrome/Chromium/Iceape/IE extensions for finding
answers to questions about Debian:-
https://addons.mozilla.org/en-US/firefox/collections/Scott_Ferguson/debian/


Archive: http://lists.debian.org/4fcf1d1e.2000...@gmail.com



Re: the ghost of UEFI and Micr0$0ft

2012-06-06 Thread Jon Dowland
On Tue, Jun 05, 2012 at 11:02:49PM -0500, Christofer C. Bell wrote:
> >> You can't disable the code signing requirement on ARM.
> >
> > Really?  So the Raspberry Pi requires signed code?  The Freedom Box
> > on ARM hardware requires signed code?
> 
> Secure boot is about future devices, not current ones.  Your comments
> thus far indicate you've made no effort to educate yourself about the
> issues.  On ARM devices that support secure boot, it cannot be
> disabled like it can on a PC.

"ARM devices that support secure boot" is not the same thing as "ARM", which is
what you actually said, even if it isn't what you actually meant. (and if you
meant future devices, you got the tense wrong in "ARM devices that support
secure boot.")

MS have a much smaller presence in the ARM-space and are much less likely to be
able to push their requirements onto ARM equipment manufacturers.  There's a
strong likelihood that you will be able to get unencumbered ARM hardware much
more easily. The RPi is a good sign on this front.  The plethora of Android
tablets out there is another.


Archive: http://lists.debian.org/20120606085929.GC9629@debian



Re: the ghost of UEFI and Micr0$0ft

2012-06-06 Thread Jon Dowland
On Tue, Jun 05, 2012 at 12:52:22PM +0530, Harshad Joshi wrote:
> i was reading this article -  http://mjg59.dreamwidth.org/12368.html
> 
> It is written by someone related to redhat

He's also a former Debian developer, and a former Ubuntu developer.


Archive: http://lists.debian.org/20120606085459.GB9629@debian



Re: the ghost of UEFI and Micr0$0ft

2012-06-06 Thread Andrei POPESCU
On Ma, 05 iun 12, 20:26:03, Slavko wrote:
> 
> in our country is more and more difficult to buy computer (specially
> notebook) without Windows included. In one shop they are telling me, that
> it is not possible. 

If you have such an answer on paper you *might* be able to request a 
refund for the MS Windows license according to its own EULA, but be 
careful not to accept the EULA on the first boot (most laptops on 
display will have it accepted by the shop staff).

Hope this helps,
Andrei
-- 
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic




Re: [OT] Re: the ghost of UEFI and Micr0$0ft

2012-06-06 Thread Tom H
On Tue, Jun 5, 2012 at 2:38 PM, Roger Leigh  wrote:
> On Tue, Jun 05, 2012 at 07:26:55PM +0200, Claudius Hubig wrote:

>> However, I welcome the fact that attacks on Windows will be made more
>> difficult, since that also means smaller botnets, fewer vulnerable
>> computers etc.
>
> It will have zero effect. Not only was the certificate effectively
> compromised by allowing arbitrary code to be signed apparently by
> Microsoft (see recent news), how effective is the security when you
> have the ability to chainload GRUB? Once you can do that, you can
> load any arbitrary code of your choice. Any malware worth its salt
> will just co-opt the Linux bootloader and continue on its way.
> Effective security gained: none.

I don't think that you can draw a straight parallel between the
Terminal Server certificate lacunas exploited by "Flame" but even if
we ignore the differences, yes, there's a possibility that
Microsoft'll screw up and it'll have a large effect, much larger than,
for example the screw-ups of Debian, kernel.org, and countless others
in the past. But even if Microsoft's replaced as the ultimate trusted
authority by another, independent entity, you'll still have a TBTF,
single-point-of-failure.

In the proposed Fedora scenario, I don't think that you'll be able to
chainload grub, or at least you won't be able to chainload a grub that
isn't signed by a trusted key in the same way that you won't be able
to boot a kernel that isn't signed by a trusted key.


Archive: 
http://lists.debian.org/CAOdo=swsdcmx04lyz73bbhgks8ucam4pbtfg_a3ewvbupwo...@mail.gmail.com



Re: [OT] Re: the ghost of UEFI and Micr0$0ft

2012-06-06 Thread Tom H
On Tue, Jun 5, 2012 at 1:22 PM, Camaleón  wrote:
> On Tue, 05 Jun 2012 19:03:54 +0200, Claudius Hubig wrote:
>> Camaleón  wrote:



> Microsoft (I can't tell for the rest of the hardware manufacturers
> because their position is not mentioned in detail in the blog post) is
> forcing a needing for something I (and I guess others) _don't need_, like
> TPM modules, using a password in GRUB2, using encryption nor signing for
> safe code.



>>> "Blindly" here means there's no technical reason that supports the path
>>> they want to take for UEFI, but a marketing strategy.
>>
>> UEFI has many benefits over the traditional BIOS, secure boot being one
>> of them. Why do you think there is no technical reason to support secure
>> boot? And what other mechanism would you suggest to use to get a chain
>> of trust from the BIOS(-replacement) to the desktop?
>
> UEFI is not the problem here. People are using UEFI nowadays without any
> issue. It is MS who is building a fictional wall in between.

The concept of Secure Boot is sound; it's to secure the firmware boot
of a box and the handoff from the firmware to the OS; it has nothing
to do with TPM (although I understand that they can be combined) or
grub2 passwords.

It's the implementation of Secure Boot that sucks, from a Linux
perspective. A dominant power, in our case Microsoft, will always
impose its will on others. It's the same in politics. When Great
Britain was the world's superpower, it used to impose its will on
countries, companies, and people. The US has imposed, is imposing, and
will impose for the foreseeable future its will on others. And China
will, if it becomes the world's superpower, do the same in the future.
Others may not like it but they don't have a choice. Secure Boot can
be turned off so there's some freedom available to those who want to
reject it - for the time being...

The board of directors of UEFI includes representatives from Apple,
Dell, HP, IBM, and Lenovo. So, even though Acer, Asus, and Samsung (to
cite a few) aren't represented, it's pretty safe to conclude that the
manufacturers are on-board.


Archive: 
http://lists.debian.org/CAOdo=sxaulcm6p5xffqveyn5gc3_equegv+vc5xkzdctg69...@mail.gmail.com



Re: [OT] Re: the ghost of UEFI and Micr0$0ft

2012-06-06 Thread ACro

> This is not about "security" at all.  This is about MSFT marginalizing
> and eliminating a serious competitor.  It's MSFT's DNA.

Nate,

I perfectly agree: this MS role and attitude is so deeply radicated
that, sadly, we're getting used to it, eventually forgetting its real
meaning in terms of freedom. Seemingly, the great fear of being put out
of the scenes makes people like Fedora's take steps that are dangerous
in terms of long term freedom preservation. They're "forgetting" the
main point, preferring this kind of short term compromise.

> Let them rot in their malware hell. It's about time someone in the
> tech industry took a stand. I did long ago.

Yeah. How could this be done, so that it can produce a real and
enduring effect? Does the foundation-like nature of open source allow
to move effectively against brute force corporate and marketing tricks?
The great power, at least from a quantitative point of view, is
theoretically represented by users: the choice in favor of a particular
product is made by users/consumers. Therefore, properly informing and
orienting users is seemingly going to be a vital, essential task.

On the other side, all hardware manufacturers should understand that
FOSS is the real deal, even if numbers seem not to say so.

Distributions could create, working together, a better and clearer way
to drive users toward preinstalled and preconfigured Linux hardware
sellers, maybe creating a quality label, something that is uniform and
recognizable; and a central web site with information linking together
supported hardware manufacturers and Linux distributions. Not everyone
is wanting to climb the entire Linux learning curve, so this would make
it easier for people to get a great, working Linux computer, making
things less confusing. This would perhaps urge non supported hardware
manufacturers to join the club and become more supporting. I would
gladly help with translations if such a project became reality.

All the best,
Andrew



Archive: http://lists.debian.org/4fcf01e8.10...@bluebottle.com



Re: the ghost of UEFI and Micr0$0ft

2012-06-05 Thread Scott Ferguson
On 06/06/12 14:06, Miles Bader wrote:
> "Christofer C. Bell"  writes:
>>> Again, let MS rot in its malware hell.  I don't care!  Perhaps if MS had
>>> been a bit more proactive a couple of decades ago we would not be having
>>> this discussion.  MSFT issues are not for us in the Debian or wider
>>> Linux community to resolve.
>>
>> Comments like this make you look like a tool.  Microsoft is acting as
>> nothing more than a certificate authority here.  This has jack and
>> all to do with MS Windows.
> 
> Er, except that MS is one of the main parties pushing this ...
> 
>> You can't disable the code signing requirement on ARM.
> 
> ... which is a great deal more worrying.

Yes. And no.
I'd hate to see a situation where it was impossible to buy an ARM (or
other CPU based board) without UEFI that can be disabled - but I support
devices that can be made to *only* run signed code *provided* MS is
*not* the certificate agency. They have a vested interest making life
hard for other OS, and a poor track record (earlier this year) at
reviewing key management processes.

I'd like to see a group composed of industry (and community)
representatives that manages the UEFI keys - and the cost of
registration capped at $99. I'd also like the group to not be like
ICANN, and I'd like a pony too.

> 
> From that thread, I got the impression that they actually pushed this
> requirement ("signing cannot be disabled by user").

From other sources (research) - it appears that both Intel (who wants a
monopoly) and MS (who want their own monopoly) have pushed for that - I
suspect that originally they considered ARM as a platform only for
mobile communications. I'd be very surprised if they were the only
parties pushing for signed code to only be allowed on ARM.

NOTE: UEFI originated with Intel and they still control it. MS is only
one of the OS players. They might have more history of making life hard
for other OS - but the other players are no more caring, benevolent or
community minded (they're all companies).

> 
> Is this even _legal_...?  Surely that kind of thing is much more
> likely to run afoul of antitrust laws etc.

IANAL but I'd think so... but it seems that much of the industry
(material sourcing, component pricing, market placement) is in breach
anyway. What eBooks did to the concept of book ownership is nothing
compared to what commercial OS did to the idea of owning code (bonnet
welded shut, no liability or responsibility).

On another note - I can see a need for UEFI (though I don't want it on
*my* devices - just the irresponsible peoples' whose failings keep my
firewall dropping packets and my spam filters busy), but it's like skin
cream for measles if hardware trust and code quality is not addressed
also (pointless waste of time).


> 
> -miles
> 


Kind regards


-- 
Iceweasel/Firefox/Chrome/Chromium/Iceape/IE extensions for finding
answers to questions about Debian:-
https://addons.mozilla.org/en-US/firefox/collections/Scott_Ferguson/debian/


Archive: http://lists.debian.org/4fcee02e.30...@gmail.com



Re: the ghost of UEFI and Micr0$0ft

2012-06-05 Thread Scott Ferguson
On 06/06/12 13:35, Nate Bargmann wrote:
> * On 2012 05 Jun 21:45 -0500, Christofer C. Bell wrote:
>> On Tue, Jun 5, 2012 at 1:01 PM, Nate Bargmann  wrote:
>>>
>>> Again, let MS rot in its malware hell.  I don't care! 

I'm all right Jack

Great attitude.


>>
>> Comments like this make you look like a tool.  Microsoft is acting as
>> nothing more than a certificate authority here.  This has jack and
>> all to do with MS Windows.

Don't go bringing facts to a passion play ;-p

> 
> I'd much rather be a "tool" standing up for computing freedom than a
> lackey buying into the marketing spin.

There are other, intelligent, alternatives to your binary view of the
issue:-
;don't confuse Intel with Microsoft
;do your own research instead of stupidly swallowing the first "blog"
that feeds your paranoia
;consider that Fedora paid the $99 fee  - in a free world that would be
their right
;consider also that Fedora has *not* said they won't be sharing the key




Kind regards

-- 
Iceweasel/Firefox/Chrome/Chromium/Iceape/IE extensions for finding
answers to questions about Debian:-
https://addons.mozilla.org/en-US/firefox/collections/Scott_Ferguson/debian/


Archive: http://lists.debian.org/4fceda0b.8050...@gmail.com



Re: the ghost of UEFI and Micr0$0ft

2012-06-05 Thread Miles Bader
"Christofer C. Bell"  writes:
>> Again, let MS rot in its malware hell.  I don't care!  Perhaps if MS had
>> been a bit more proactive a couple of decades ago we would not be having
>> this discussion.  MSFT issues are not for us in the Debian or wider
>> Linux community to resolve.
>
> Comments like this make you look like a tool.  Microsoft is acting as
> nothing more than a certificate authority here.  This has jack and
> all to do with MS Windows.

Er, except that MS is one of the main parties pushing this ...

> You can't disable the code signing requirement on ARM.

... which is a great deal more worrying.

From that thread, I got the impression that they actually pushed this
requirement ("signing cannot be disabled by user").

Is this even _legal_...?  Surely that kind of thing is much more
likely to run afoul of antitrust laws etc.

-miles

-- 
Advice, n. The smallest current coin.


Archive: http://lists.debian.org/87sje9ulsb@catnip.gol.com


