On 5/31/12 2:17 PM, Peter Jones wrote:
On 05/31/2012 12:37 PM, Adam Jackson wrote:
Now if you're suggesting Fedora should ship another version of the
shimloader that's signed with a common Fedora key... sure, why not,
that could be nice.
Of course since we have to /install/ a bootloader, for this to be
effective it needs to be the same bootloader signed twice, which is
not currently supported by the binary format. (It can, of course, be
adapted to support it trivially without even changing the bits on the
disk if we can talk them in to it, and my tools currently includes a
partial implementation of this that's merely #define'd away.)
Not that I want to discourage multiple signatures - quite the opposite -
but could we not install the bootloader after (and based on) looking at
the enrolled keys?
- ajax
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
