On 06/02/2012 04:28 AM, Sam Varshavchik wrote:
Yes, all five of them.
Point taken.
[0] Yes, I found it, it was there all along, I guess I didn't look
hard enough (or didn't listen properly):
http://download.microsoft.com/download/A/D/F/ADF5BEDE-C0FB-4CC0-A3E1-B38093F50BA1/windows8-hardware-cert-requirements-system.pdf
[search for secureboot, you'll find it easy enough]
I never said that Microsoft would openly prohibit OEMs from offering an
option to install user-provided keys.
They key word here is "openly".
How do you mean "openly"? It can't get much more open that a mandatory
interface that let's you do it simply. What UEFI could do to make
things better is standardize the UI, but that's it.
Exactly, by ignoring them and using the services of other organizations.
Well, that's one unique way to ignore them: it costs $99 to do that.
Please try to stay with me, you can't have everything. If you can find
somebody who's gonna keep a key safe and manage hundreds of customers
(signing their shims) *and* make contracts with as much OEMs as possible
to get their own key in the firmwares for *you*, for *free*, then give
me a number, and give it to Fedora.
If you think this service is useless for secure boot, I'll argue that
you're not being realistic, you can't ask every OS developer to make
deals with every OEM on the planet.
If you want to be realistic and want secure boot for free for every
developer of every OS, then fat chance, you can't have it. Some might
have the contacts to make the deals for free, but Fedora chose not to
use them so they wouldn't have an unfair advantage over the other
distros. That's their explanation anyway.
There are plenty of people who use non-Fedora kernels with the rest of
the Fedora distribution. Now, I have no reasons to do so myself; and I
can't think of a typical reason why I'd want to do that; but they surely
have their own valid reason for doing that.
I know that, and that's my point, they're non-Fedora kernels, so it's
not strictly Fedora in the sense that Fedora maintainers have no
authority to bless each and every one of these kernels with a signature,
and nor should they have one.
And, if their hardware required a Microsoft-blessed key to boot a host
OS, then the whole point of getting one would be to be able to boot
their machine.
Imagine the gall – wanting to be able to boot a custom kernel.
Easy, sign it yourself. We went over it a hundred times now. If you
can build a kernel you can sign a million of them.
If the technical task of signing a kernel is too much for people who
don't care much about security, they can disable secure boot.
--
t
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
