On Sat, Jun 2, 2012 at 12:04 PM, Chris Adams <cmadams@xxxxxxxxxx> wrote:
> Once upon a time, Gregory Maxwell <gmaxwell@xxxxxxxxx> said:
>> When I create a fork, respin, or remix of Fedora and distribute it to
>> people it will not run for them like Fedora does without a level of
>> fiddling which the people advocating this have made clear is entirely
>> unacceptable.
>
> As I understand how this works, respins/remixes of Fedora that use the
> Fedora boot loader shim, Fedora grub, and Fedora kernel will still be
> signed and work with Secure Boot enabled.

You can use the Fedora signature as long as you don't modify the
software (such as replace the kernel with a realtime kernel for
multimedia use— which is actually the only reason I've ever had to
distribute modified Fedora kernel myself).

(An interesting question there is will the signatures end up covering
anything with Fedora trademark branding)

> I don't like Secure Boot being forced upon us, but we don't have any
> real choice in the matter; vendors _are_ going to implement it. Fedora
> certainly doesn't have sufficient market share to get everybody to

I wasn't making that argument there— though I think it's still a
worthwhile one to have— only pointing out that this is a material loss
of freedom. You can argue that there is an unavoidable compromise
here and that this is the best option we have by far, and I won't feel
like you are misunderstanding my position.

On Sat, Jun 2, 2012 at 12:05 PM, Jesse Keating <jkeating@xxxxxxxxxxxxxxx> wrote:
> You do realize that if you create a fork, respin, or remix that you will
> have packages on the system that are not signed by Fedora's GPG key, and
> your generated ISOs will not be signed by Fedora's GPG key? Worse, there is

Which is irrelevant because there is no hardware that Fedora needs to
use these keys to gain access to.

> (Users would have to disable
> yum's gpg checking in order to install your unsigned package, or they would
> have to install /your/ gpg key and trust it in order to install the package
> signed with your key).

I distribute modified copies of Fedora's OpenSSL libraries, they're
signed by my key not Fedora's. Users— even rather technically
unsophisticated— install them without any difficulty. The install
tools do not enforce that the files be signed, they do not have to
install my key.

Try for yourself, if you like: http://people.xiph.org/~greg/openssl/

> You have as
> much equal footing as Fedora does to plunk down the $99 and play along in
> the PC sandbox.

So if I were to take, say, a GPLed compositing window manager and then
I paid $99 for a license to embed a copy of commercial opengl special
effects— which prohibited modification, reverse engineering,
redistribution by unlicensed parties, and commercial use— then I
started distributing this modified version... and I gave it to you and
told you that you were free to pay $99 to play in the
graphically-enhanced distribution sandbox, you'd think that was okay?

I'd like to now summon the folks arguing for this who earlier insisted
that Fedora was being upfront about the tradeoffs here to come argue
with people that there isn't a material loss of freedom. Being
upfront means not only speaking up for points that support your
position.

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel