On Wed, Dec 29, 2021 at 1:35 PM Neal Gompa <ngompa13@xxxxxxxxx> wrote:
>
> On Wed, Dec 29, 2021 at 11:03 AM Stephen Snow <s40w5s@xxxxxxxxx> wrote:
> >
> > On Wed, 2021-12-29 at 06:38 -0500, Neal Gompa wrote:
> > > With Windows 11, they're *mandatory*. Corporate policies now
> > > effectively *require* TPM-based mechanisms *in addition* to classical
> > > password or token-based multi-factor authentication.
> > This certainly is not any reason to adopt this for Fedora. So far in my
> > life with TPM, it has been an annoyance that I find refreshing not to
> > have to even contemplate with my Fedora Linux installation.
> > I see no benefit for the Fedora Community and the Fedora Project it
> > supports to follow the lead of the proprietary driven objectives. The
> > only obvious one that comes to mind is the recent announcements of its
> > inclusion on traditionally proprietary OS vendor supplied hardware.
> > This reeks of "for profit" motivation.
> >
> > Just my opinion on what I am reading here in the comments.
>
> To be fully transparent, the reason I mentioned that stuff is that
> having the capability to do these things in Fedora Linux is key for
> growth and adoption in more circles. At no point do I want to have
> these features implemented in such a way that the user doesn't have
> the capability to control and self-authenticate their whole system. If
> we ever want Fedora Linux to displace Windows or macOS, we *need* to
> be able to satisfy people's security requirements, including so-called
> "zero trust" architectures.
>
> But none of that has much to do with this Change, since this is about
> making it possible for a user to configure their system to enforce the
> integrity of the system based on RPM database information. As users of
> Fedora Linux systems, we *already* control the RPM database and the
> RPM signature trust directly, so *if* you turn it on, all it does is
> decrease the risk of external tampering.

I'm staring at the introduction letter at:

https://lore.kernel.org/linux-integrity/20210914163401.864635-1-roberto.sassu@xxxxxxxxxx/

RPM headers are a *possible* use. I'd expect this to be used, very quickly, for other signed metadata for less benign uses.