*countable infinities only

Michael Scherer misc at zarb.org
Sat Jun 2 21:51:07 UTC 2012 

Le samedi 02 juin 2012 à 09:46 +0100, phantomjinx a écrit :
> Michael scherer <misc at zarb.org> wrote:
>         On Sat, Jun 02, 2012 at 02:10:38AM +0200, Kevin Kofler wrote:
>         > Tomasz Torcz wrote:
>         > > Documenting the procedure may be viable after all.  Kevin, could you start
>         > > writing such guides on Fedora wiki?
>         > 
>         > I cannot start documenting this before the first "Secure"-Boot-enabled 
>         > firmware actually ships.
>         
>         Sure you can, just send a email to OEMs to have access to engineering samples.
>         
>         You can also start to organize the effort to review UEFI interface, by creating
>         a "UEFI documenting SIG", and let all the people who want to document as a alternative
>         to paying 99$ to Verisign take care of the logistics.
>         -- 
>         Michael Scherer
>         -- 
>         devel mailing list
>         devel at lists.fedoraproject.org
>         https://admin.fedoraproject.org/mailman/listinfo/devel
> 
> While this reply is informative, it tends to imply that KK should do
> this without any support from those that disagree with his position.

Well, from what I red from KK position, this seems to be not be a big
problem to document, so does he really need support from others ?

And there is enough people agreeing with him to be something that can be
done fast, no ?

Of course, if in the end, the solution requires a massive amount of work
and no one is motivated enough to do it, then it may not workable, and
then people who think the solution of getting a certificate from
Verisign are right, and KK is wrong, but the only way to know is to try
to do it.

> Having watched this thread over the last 24 hours I would like to
> understand where we are going with it. There are different positions
> with increasingly shrill talking at and talking past replies. 
> 
> The media has already posted articles on this as "fedora selling out
> to Microsoft". This cannot be good long term for the reputation of the
> project.

I think you underestimate the lack of long term memory of people, and
the fact that most people do not really care. Yes, there is a few people
that would remember that. But technically, they would factually wrong,
since the money is paid to Verisign, not Microsoft ( cf update to the
blog post of MG ). 
And I think no one would be happy if someone start to use some stuff
like Bluepill ( http://en.wikipedia.org/wiki/Blue_Pill_%28software%29 )
to root them. Security researcher have found also some weird stuff
( like http://events.ccc.de/congress/2010/Fahrplan/events/4174.en.html )
on hardware, so that's at least something that can be done by people
motivated enough.

Maybe you would not be attacked, maybe that's pure paranoia. And maybe
not. And I am pretty sure we would all hate seeing people saying that
Linux is less secure than Windows due to such problem ( and in fact,
people already imply that Bitlocker is safer because it use TPM : 
http://theinvisiblethings.blogspot.fr/2009/01/why-do-i-miss-microsoft-bitlocker.html, even if that something that can be done http://publib.boulder.ibm.com/infocenter/lnxinfo/v3r0m0/index.jsp?topic=%2Fliaai%2Fecrypts%2Fliaaiecryptfs.htm but not integrated for now )

Having a free BIOS/EFI would surely be a step toward a better solution,
but frankly who here tried to use coreboot on real hardware ? 

I do not like the current situation, do not get me wrong. But yet, if
people who say "we should let people change their settings" do not even
know what a modern firmware interface does look like, I do not have much
confidence in their capacity to fully see what is going on.

UEFI was marketing as being a platform to "add value", ie "interface
variation". 
  
> A lot of work has been put into this by MG and his article seemed to
> imply almost a despairing resignation about the decision (if not the
> case then I misread it -sorry). Based on the comments of this thread
> can a working group or sig be set up to build on MG and Co's work to
> find the most workable solution that preserves the reputation of the
> project. Otherwise I fear the distro will gain zero new users but
> worse lose the ones it already has!

I think most users would not see any difference at all, because cds
would work without them seeing anything, that's the whole point of
offering a seamless experience. 

And if people are following only Slashdot headlines ( who are quite
often misleading IMHO ) without searching in depth what goes one to make
their decision, I doubt they would be the one _I_ would try to get ( and
I realize that rather elitist to say, yes, but I am speaking for myself
). There is never a shortage of people too quick to judge. 
If people do not care to even understand what goes behind a compromise,
how would they care to contribute enough ?

-- 
Michael Scherer

More information about the devel mailing list