On Wed, Apr 6, 2022 at 12:04 AM Gary Buhrmaster <gary.buhrmaster@xxxxxxxxx> wrote: > > On Wed, Apr 6, 2022 at 12:59 AM Demi Marie Obenour > <demiobenour@xxxxxxxxx> wrote: > > > > On 4/5/22 19:38, Chris Murphy wrote: > > > We either want users with NVIDIA hardware to be inside the Secure Boot > > > fold or we don't. I want them in the fold *despite* the driver that > > > needs signing is proprietary. That's a better user experience across > > > the board, including the security messaging is made consistent. The > > > existing policy serves no good at all and is double talk. If we really > > > care about security more than ideological worry, we'd sign the driver. > > > > I agree with this. Sign the driver. > > Nvidia has their driver signed for their > Windows drivers. That they choose > not to do so for Linux is their right, > even if some wish they did. > > It should be noted that while many > might wish nvidia chose a different > way, that is completely orthogonal > to bios vs uefi. Linux, like Windows, requires the distribution vendor to sign modules for automatic trust. There are a number of complicated issues that make it difficult for us to sign this particular driver, though. Notably, NVIDIA themselves acknowledges that it infringes on the GPL to redistribute built kernel module blobs of nvidia.ko[1], so that means any method of signing it needs to be done locally, which means we *need* the local signing path to be improved. [1]: https://imgur.com/LUCQ3WW -- 真実はいつも一つ!/ Always, there's only one truth! _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure