On Saturday 02 June 2012 at 09:46 +0100, phantomjinx wrote:
> Michael scherer <misc@xxxxxxxx> wrote:
> On Sat, Jun 02, 2012 at 02:10:38AM +0200, Kevin Kofler wrote:
> > Tomasz Torcz wrote:
> > > Documenting the procedure may be viable after all. Kevin, could you start
> > > writing such guides on Fedora wiki?
> >
> > I cannot start documenting this before the first "Secure"-Boot-enabled
> > firmware actually ships.
>
> Sure you can, just send an email to OEMs to have access to engineering samples.
>
> You can also start to organize the effort to review UEFI interface, by creating
> a "UEFI documenting SIG", and let all the people who want to document as an alternative
> to paying 99$ to Verisign take care of the logistics.
> --
> Michael Scherer
> --
> devel mailing list
> devel@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/devel
>
> While this reply is informative, it tends to imply that KK should do
> this without any support from those that disagree with his position.

Well, from what I read of KK's position, this seems not to be a big problem to document, so does he really need support from others? And there are enough people agreeing with him for it to be something that can be done fast, no?

Of course, if in the end, the solution requires a massive amount of work and no one is motivated enough to do it, then it may not be workable, and then people who think the solution of getting a certificate from Verisign are right, and KK is wrong, but the only way to know is to try to do it.

> Having watched this thread over the last 24 hours I would like to
> understand where we are going with it. There are different positions
> with increasingly shrill talking at and talking past replies.
>
> The media has already posted articles on this as "fedora selling out
> to Microsoft". This cannot be good long term for the reputation of the
> project.

I think you underestimate the lack of long term memory of people, and the fact that most people do not really care. Yes, there are a few people that would remember that. But technically, they would be factually wrong, since the money is paid to Verisign, not Microsoft (cf. the update to the blog post of MG).

And I think no one would be happy if someone starts to use some stuff like Bluepill ( http://en.wikipedia.org/wiki/Blue_Pill_%28software%29 ) to root them. Security researchers have also found some weird stuff (like http://events.ccc.de/congress/2010/Fahrplan/events/4174.en.html ) on hardware, so that's at least something that can be done by people motivated enough. Maybe you would not be attacked, maybe that's pure paranoia. And maybe not.

And I am pretty sure we would all hate seeing people saying that Linux is less secure than Windows due to such a problem (and in fact, people already imply that Bitlocker is safer because it uses TPM: http://theinvisiblethings.blogspot.fr/2009/01/why-do-i-miss-microsoft-bitlocker.html, even if that is something that can be done http://publib.boulder.ibm.com/infocenter/lnxinfo/v3r0m0/index.jsp?topic=%2Fliaai%2Fecrypts%2Fliaaiecryptfs.htm but not integrated for now).

Having a free BIOS/EFI would surely be a step toward a better solution, but frankly who here tried to use coreboot on real hardware?

I do not like the current situation, do not get me wrong. But yet, if people who say "we should let people change their settings" do not even know what a modern firmware interface does look like, I do not have much confidence in their capacity to fully see what is going on. UEFI was marketed as being a platform to "add value", i.e. "interface variation".

> A lot of work has been put into this by MG and his article seemed to
> imply almost a despairing resignation about the decision (if not the
> case then I misread it - sorry). Based on the comments of this thread
> can a working group or sig be set up to build on MG and Co's work to
> find the most workable solution that preserves the reputation of the
> project. Otherwise I fear the distro will gain zero new users but
> worse lose the ones it already has!

I think most users would not see any difference at all, because CDs would work without them seeing anything, that's the whole point of offering a seamless experience.

And if people are following only Slashdot headlines (which are quite often misleading IMHO) without searching in depth what goes on to make their decision, I doubt they would be the ones _I_ would try to get (and I realize that is rather elitist to say, yes, but I am speaking for myself).

There is never a shortage of people too quick to judge. If people do not care to even understand what goes behind a compromise, how would they care to contribute enough?

--
Michael Scherer