On Sat, Jun 16, 2012 at 8:16 PM, Chris Murphy <lists@xxxxxxxxxxxxxxxxx> wrote: > Calls for speculation. We know what the certification policy used to be. We also know how long DOJ takes to do anything, let alone politicking behind the scenes to arrive at compromise, let alone its day in court. Years. Generations of computers without a disable feature. Good job selectively quoting the part of my message where I was saying that it was a call for speculation either way. > This handful are the people who use adversarial words like: fight, war, battle, attack, surrender, engagement, tactical, etc. to describe this topic. This verbiage is the hallmark of propaganda, designed to cause emotive reactions in people, so they don't consider inconvenient things like facts. I certainly have not done this and by using this argument against me I feel you're guilty of the same: It appears to me that you're suggesting that I'm somehow asscoiated with "propaganda" (an emotionally laden word too) and that people should not bother with an inconvenient thing like contemplating my position. > Oh, the same people who must think boot loader malware is somewhere in the continuum of people's imaginations to being exclusively a Windows threat. Except, as I argued early in these thread, for Fedora the cryptographic lockdown will not meaningfully inhibit boot _time_ malware. If malware can exploit your kernel to infect the bootloader so that the kernel rootkit is reinstalled at every boot to prevent updates from removing it then it can just as well infect systemd to the exact same end. It only helps if the whole system runs no unsigned code at least upto the point where it connects to the internet and gets updates. There are a great many things Fedora could do which would have clear security benefit without the compromises. Where is the effort to fully seccomp-2 restrict and/or SELinux lockdown every use app that handles hostile network input, for example. Closing the door on botnet software long after the machine is compromised is a pretty weak security feature and thats the most the signed bootloader/kernel can offer, and even that requires signing up half the userspace too. > The Windows 8 certification is the most significant change in Microsoft's hardware requirements ever, as far as I can tell. It's a significant departure from their "support legacy at most any cost" position prior to this. Clearly they are more than a bit concerned about boot loader malware than they are gaining, what, 1%, by obliterating the entirety of desktop Linux with this conspiracy. Old hardware will continue to run Windows 8. I don't see that I've seen any evidence of Microsoft adopting policy to ensure that new hardware would continue to run Windows, are you saying they have? -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel
