On Thu, May 31, 2012 at 12:22 PM, Peter Jones <pjones@xxxxxxxxxx> wrote: > The argument that it's a security effort is bolstered in many vendors eyes > by the existence of attacks in the wild which Secure Boot would prevent. I'm not aware of any attack _objectives_ (as compared to methods) which this would prevent, at least not without locking down all the code on the system instead of just the kernel and bootloader. Yes, some malware exploits insecure kernels to screw with the boot environment to prevent its removal. But if you take that away the malware will just modify the first piece of unsigned code to perform the same attack at every boot. If the first piece of unsigned code runs before software update the malware can still prevent updates from defeating it. If the kernel was secure to begin with (no boot time userspace exploit) then permissions in the kernel are enough and you don't need secureboot. > If you see a legal challenge to MS requiring secure boot to be enabled with > their keys in order to ship systems with their trademarked logo on it, > you're at your leisure to follow through on that. I'll make no attempt to stand in > your way. I look forward to keeping track of your progress on this matter. Fedora's participation would substantially undermine both claims on anti-competitive and tortious interference grounds. I can only accept that the legal options have already been considered and were regarded as non-viable even absent Fedora's actions, but it's a little unfair to say "so you do it." here. I think it would be more accurate and honest to say "We've got better lawyers than you do, and we've already considered this and currently consider it non-viable for reasons we can't discuss in public— so much so that we're willing to forever undermine some possible arguments by going along with this." On Thu, May 31, 2012 at 12:42 PM, Miloslav Trmač <mitr@xxxxxxxx> wrote: > BIOS passwords. (Yes, it can be reset on many machines, but that's a > property of the machine, not of the design.) If I have access to the hardware I can just replace the whole motherboard. On Thu, May 31, 2012 at 12:42 PM, Miloslav Trmač <mitr@xxxxxxxx> wrote: > I can't see that this is a freedom issue. You are absolutely not > _forced_ to use the system this way. One freedom Fedora provides is the freedom to fork and make respins, without asking permission and without making them any less good (e.g. not like the old SUSE thing where the installer was non-free, or the old ubuntu thing where the distribution build infrastructure was non-free). If I make a fork of Fedora post SecureBoot my fork will be less compatible and harder to install the moment I adjust the binary to change the trademark name, much less make any real change. You may not thing this freedom to stand as technical equals is very important— but I counter that many people rationally believe the freedom to modify the software you run is not very important either. If it really was a non-issue Peter Jones wouldn't have just written: "Next year if we don't implement some form of Secure Boot support, the majority of Fedora users will not be able to install Fedora on new machines." The corollary to this is that "Next year if Fedora implements this, Forks and Respins will not be installable by the majority of users on the same hardware where Fedora runs". On Thu, May 31, 2012 at 11:59 AM, Peter Jones <pjones@xxxxxxxxxx> wrote: > You see why maybe that comes across as a bit of a fib? I'm not saying > you're > a bad person or something, but you appear to be reacting emotionally without > fully thinking through what you're saying, and as a result overlooking > things and contradicting yourself in an embarrassing way. You may want to do > some more sleeping on it. Well, I forwarded you some of the private discussion I was involved with which I felt supported the position I took that this wasn't seriously a matter for public discussion. You don't agree with my interpretation, and I don't consider you crazy for not agreeing with it. While airing Fedora governance dirty laundry in public isn't my goal, I wanted to at least make some comment here in my defense. My reading skills are not defective, and I'm not trolling. I was emotional about this 12 hours ago, but now I am responding in the hopes of increasing awareness. I know the page said that said that it wasn't done. But in direct contradiction to that I was told, to the best of my ability to understand, that this was going to be presented fait accompli, and that it would not be put to a vote before Fesco because doing so would simply be pretextual. Perhaps internal background to which I am not privy makes the nature of the pretext seem more charitable to others— that it would only be pretextual because everyone relevant has already been convinced that this best— and that it's not because they don't value freedom as much or because they're already too committed to this path... But I was not being careless, emotional, or dishonest to present this exactly as final as it was presented to me. -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel
