On Sun, Jun 17, 2012 at 8:09 PM, Matthew Garrett <mjg59@xxxxxxxxxxxxx> wrote:
> On Sun, Jun 17, 2012 at 07:54:17PM -0400, Seth Johnson wrote:
>> On Sat, Jun 16, 2012 at 7:26 PM, Reindl Harald <h.reindl@xxxxxxxxxxxxx> wrote:
>> >
>> >
>> > Am 17.06.2012 01:14, schrieb Chris Murphy:
>> >> Please provide an example of a better option, with sufficient detail as to constitute a successful relay of the baton.
>> >> The point of the thread from the outset was to explore alternatives, but so far those alternatives are vaporware.
>> >>
>> Numerous non-vaporware recommendations follow, snipped directly from the thread:
>
> (snip)
>
> These suggestions boil down to:
>
> 1) Do nothing
> 2) Become a hardware vendor
> 3) Use a Fedora key
>
> None of these solve the problem of getting Fedora onto arbitrary x86
> hardware bought towards the end of this year.

Which one is the "do nothing" alternative? The other two are some sort of reduction that at least moves us past acting like no constructive suggestions have been made in this discussion, so I would ask questions about how your reduction works on them. Below you'll see that I think the idea that these suggestions are saying "do nothing" misses the point that they're saying something that's missing, that needs to be done -- whereas more technical solutions may have seemed sufficient so far.

<various snippets>

I think my main point stands: talking with, say, Dell, and Microsoft in private, without a serious legal and propaganda push, makes Fedora's position weak in the private negotiations. As soon as the other side made clear that their position was to accept Microsoft's plan, Red Hat should have called a press conference and explained the situation to reporters from the New York Times, the Wall Street Journal, etc.

Please allow me a personal remark: I too have fought one part of a big battle so hard and so long that it seemed to me that the part I was engaged in must be the whole battle.
I think that perhaps the negotiators on the Fedora/Red Hat have mistaken one part of the battle for the whole battle.

<insert 1 by Seth>

I don't see a match with any of your items here:

1) Do nothing
2) Become a hardware vendor
3) Use a Fedora key

Is this the "do nothing" option? As in, the things said here are "nothing" because they do not produce a deterministic effect?

</insert 1 by Seth>

---

My posts argue that Fedora should neither accept, nor seem to accept, Microsoft's having the Hardware Root Key. One reason not to seem to accept Microsoft's having the Hardware Root Key is that, when arguing for Exemption 4, the Englobulators will answer "Well, there is really no issue here. Why, Fedora accepts that it is right and proper that Microsoft have the Hardware Root Key."

<insert 2 by Seth>

Still no match, though one could invert it and say it implies item 3) Use a Fedora key.

1) Do nothing
2) Become a hardware vendor
3) Use a Fedora key

Might you see this as a "do nothing" option? As in "not seem[ing] to accept Microsoft's having the Hardware Root Key" is not related to a deterministic technical solution to getting Fedora onto arbitrary x86 hardware bought towards the end of this year?

</insert 2 by Seth>

---

Now, perhaps I misread, or misremember, but in this thread, I think it was said that a home computer vendor has offered to allow a key, authorized by what you distinguish as the "PK", to be loaded into the UEFI, so that Fedora would stand equal to Microsoft, though both, you now claim, would be equally junior to the vendor (which claim is not right). And you refused.

This is ridiculous. If one more key can be loaded at point of sale, then so can several more. And this is not the final step in the remedy, but only an early step. We can do more. But, if Fedora agrees that Microsoft gets to dictate what is loaded at point of sale, well, that is an unnecessary loss.
As your statement shows, your team was not negotiating with Microsoft, nor with the vendors of hardware, but with a non-existent being of irresistible power. Of course that negotiation with an imaginary being is much harder to win than the real negotiation.

RMS had no Red Hat backing him when he started Project GNU. Nor did Linus when he started the Linux kernel. Nor did the founders of Red Hat. But you have Red Hat, with a large income, and much money. You also have many people who will help you, and help ourselves, in this fight.

Suggestion 2: Have Red Hat buy a large quantity of standard home machines, on condition that the UEFI not be locked at point of delivery to Red Hat.

Suggestion 3: Do a better command and control screen for the UEFI. There is enough room in the UEFI for a big, but very simple, screen. There is even room for a proper manual. You have written that there is nothing you can do about the bad interface of the UEFI. But you can.

<insert 3 by Seth>

I see 2) Become a hardware vendor and 3) Use a Fedora key here

1) Do nothing
2) Become a hardware vendor
3) Use a Fedora key

Is this where the "do nothing" option is? As in, "agree[ing] that Microsoft gets to dictate what is loaded at point of sale," while related to a deterministic technical step towards a solution (i.e., working with the vendor to put in a Fedora key of ostensible coordinate status with Microsoft), is nevertheless a proposition that is less determinate than purchasing a key which Microsoft offers in the real world?

</insert 3 by Seth>

---

ad inability to manage keeping the private half of the Fedora key private:

This is absurd. I will be happy to explain methods which, if Red Hat wanted, would meet all statutory, and real security, and even all anti-FUD compliance, requirements. This claimed inability is not reasonable. Why? Because your position implies that you trust Microsoft and the hardware vendor more than you trust yourselves in this.
If that is your opinion, well, why run Fedora ever? After all, in the world you propose to create, Fedora depends for the security of its boot process, on Microsoft and Microsoft's partner, the hardware vendor.

<insert 4 by Seth>

I see 3) Use a Fedora key here

1) Do nothing
2) Become a hardware vendor
3) Use a Fedora key

Is this where the "do nothing" option is? As in, "keeping the private half of the Fedora key private" is part of a deterministic technical solution that is not being made available?

</insert 4 by Seth>

</various snippets>

Seth
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel