> * Vitaly Zaitsev via devel: > > > But they also say this: > > | The default state of Secure Boot has a wide circle of trust which can > | result in customers trusting boot components they may not need. Since > | the Microsoft 3rd Party UEFI CA certificate signs the bootloaders for > | all Linux distributions, trusting the Microsoft 3rd Party UEFI CA > | signature in the UEFI database increase[]s the attack surface of > | systems. A customer who intended to only trust and boot a single Linux > | distribution will trust all distributions–much more than their desired > | configuration. > > And this is an accurate description of the situation. > > Unfortunately, Fedora promoted this broken model with pervasive > cross-distribution/cross-OS trust as well. People are generally quick > to criticize those who control a PKI, but very few organizations are > willing to step up to hold the key material for the key of last resort > because of the risk inherent to that. Consequently, pretty much all > distributions hide behind the Microsoft key, instead of running their > own PKI and working with OEMs to get it accepted by the firmware. I mean there are hundreds of distributions, and hundreds if not thousands of OEM. How could that even work? _maybe_ major OEMs would pick up the phone if it's Redhat, Canonical and maybe SUSE who are calling. What about everyone else? _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
