On Wed, Dec 29, 2021 at 11:03 AM Stephen Snow <s40w5s(a)gmail.com> wrote:
> On Wed, 2021-12-29 at 06:38 -0500, Neal Gompa wrote:
> > With Windows 11, they're *mandatory*. Corporate policies now
> > effectively *require* TPM-based mechanisms *in addition* to classical
> > password or token-based multi-factor authentication.
> This certainly is not any reason to adopt this for Fedora. So far in my
> life with TPM, it has been an annoyance that I find refreshing not to
> have to even contemplate with my Fedora Linux installation.
> I see no benefit for the Fedora Community and the Fedora Project it
> supports to follow the lead of the proprietary-driven objectives. The
> only obvious one that comes to mind is the recent announcements of its
> inclusion on traditionally proprietary OS vendor supplied hardware.
> This reeks of "for profit" motivation.
> Just my opinion on what I am reading here in the comments.
To be fully transparent, the reason I mentioned that stuff is that
having the capability to do these things in Fedora Linux is key for
growth and adoption in more circles. At no point do I want to have
these features implemented in such a way that the user doesn't have
the capability to control and self-authenticate their whole system. If
we ever want Fedora Linux to displace Windows or macOS, we *need* to
be able to satisfy people's security requirements, including so-called
"zero trust" architectures.
But none of that has much to do with this Change, since this is about
making it possible for a user to configure their system to enforce the
integrity of the system based on RPM database information. As users of
Fedora Linux systems, we *already* control the RPM database and the
RPM signature trust directly, so *if* you turn it on, all it does is
decrease the risk of external tampering.
--
真実はいつも一つ!/ Always, there's only one truth!