*countable infinities only

Jesse Keating jkeating at j2solutions.net
Sat Jun 2 16:05:55 UTC 2012

On 06/02/2012 08:38 AM, Gregory Maxwell wrote:
> When I create a fork, respin, or remix of Fedora and distribute it to
> people it will not run for them like Fedora does without a level of
> fiddling which the people advocating this have made clear is entirely
> unacceptable.  This is because Fedora will be cryptographically
> signing the distribution with keys these systems require and not
> sharing the keys with me.  Fedora be doing this even with software
> that I wrote, enhancing it with a signing key only they have access
> too, making it much more useful on hardware where it is not otherwise,
> and not allowing me and or downstream recipients to enjoy the same
> improvements for their modified versions.
> What is unclear about this?

You do realize that if you create a fork, respin, or remix that you will 
have packages on the system that are not signed by Fedora's GPG key, and 
your generated ISOs will not be signed by Fedora's GPG key?  Worse, 
there is no amount of money you could pay Fedora to gain access to 
Fedora's GPG key, nor is there any infrastructure for Fedora's key to 
"trust" other keys.  Fedora already takes "software you wrote" and 
enhances it by signing it with a (gpg) signing key, which makes it much 
more useful on hardware with Fedora installed where it is not otherwise. 
  (Users would have to disable yum's gpg checking in order to install 
your unsigned package, or they would have to install /your/ gpg key and 
trust it in order to install the package signed with your key).

Further, your product may not be hosted by our servers, and our mirrors. 
  It will not be produced into physical media and brought to Fedora 
events to be handed out to users.  There never was equal footing.

The only Freedom you've lost is that now, in addition to the 
person-hours to do the work and monetary cost to host your bits or 
generate physical media, you have an additional cost if you wish to have 
your own cert that will be accepted out of the box by the next 
generation of PC hardware.  You have as much equal footing as Fedora 
does to plunk down the $99 and play along in the PC sandbox.  That's a 
better deal than Fedora's gpg signing setup.

Help me fight child abuse: http://tinyurl.com/jlkcourage

- jlk

More information about the devel mailing list