On 06/02/2012 08:38 AM, Gregory Maxwell wrote:
When I create a fork, respin, or remix of Fedora and distribute it to people it will not run for them like Fedora does without a level of fiddling which the people advocating this have made clear is entirely unacceptable. This is because Fedora will be cryptographically signing the distribution with keys these systems require and not sharing the keys with me. Fedora be doing this even with software that I wrote, enhancing it with a signing key only they have access too, making it much more useful on hardware where it is not otherwise, and not allowing me and or downstream recipients to enjoy the same improvements for their modified versions. What is unclear about this?
You do realize that if you create a fork, respin, or remix that you will have packages on the system that are not signed by Fedora's GPG key, and your generated ISOs will not be signed by Fedora's GPG key? Worse, there is no amount of money you could pay Fedora to gain access to Fedora's GPG key, nor is there any infrastructure for Fedora's key to "trust" other keys. Fedora already takes "software you wrote" and enhances it by signing it with a (gpg) signing key, which makes it much more useful on hardware with Fedora installed where it is not otherwise. (Users would have to disable yum's gpg checking in order to install your unsigned package, or they would have to install /your/ gpg key and trust it in order to install the package signed with your key).
Further, your product may not be hosted by our servers, and our mirrors. It will not be produced into physical media and brought to Fedora events to be handed out to users. There never was equal footing.
The only Freedom you've lost is that now, in addition to the person-hours to do the work and monetary cost to host your bits or generate physical media, you have an additional cost if you wish to have your own cert that will be accepted out of the box by the next generation of PC hardware. You have as much equal footing as Fedora does to plunk down the $99 and play along in the PC sandbox. That's a better deal than Fedora's gpg signing setup.
-- Help me fight child abuse: http://tinyurl.com/jlkcourage - jlk -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel
