*countable infinities only

Gregory Maxwell gmaxwell at gmail.com
Sat Jun 2 16:24:51 UTC 2012


On Sat, Jun 2, 2012 at 12:04 PM, Chris Adams <cmadams at hiwaay.net> wrote:
> Once upon a time, Gregory Maxwell <gmaxwell at gmail.com> said:
>> When I create a fork, respin, or remix of Fedora and distribute it to
>> people it will not run for them like Fedora does without a level of
>> fiddling which the people advocating this have made clear is entirely
>> unacceptable.
>
> As I understand how this works, respins/remixes of Fedora that use the
> Fedora boot loader shim, Fedora grub, and Fedora kernel will still be
> signed and work with Secure Boot enabled.

You can use the Fedora signature as long as you don't modify the
software (such as replacing the kernel with a realtime kernel for
multimedia use— which is actually the only reason I've ever had to
distribute a modified Fedora kernel myself).

(An interesting question there is will the signatures end up covering
anything with fedora trademark branding)

> I don't like Secure Boot being forced upon us, but we don't have any
> real choice in the matter; vendors _are_ going to implement it.  Fedora
> certainly doesn't have sufficient market share to get everybody to

I wasn't making that argument there—  though I think it's still a
worthwhile one to have—  only pointing out that this is a material
loss of freedom. You can argue that there is an unavoidable compromise
here and that this is the best option we have by far, and I won't feel
like you are misunderstanding my position.


On Sat, Jun 2, 2012 at 12:05 PM, Jesse Keating <jkeating at j2solutions.net> wrote:
> You do realize that if you create a fork, respin, or remix that you will
> have packages on the system that are not signed by Fedora's GPG key, and
> your generated ISOs will not be signed by Fedora's GPG key?  Worse, there is

Which is irrelevant because there is no hardware that Fedora needs to
use these keys to gain access to.

> (Users would have to disable
> yum's gpg checking in order to install your unsigned package, or they would
> have to install /your/ gpg key and trust it in order to install the package
> signed with your key).

I distribute modified copies of Fedora's OpenSSL libraries, they're
signed by my key, not Fedora's.  Users— even rather technically
unsophisticated— install them without any difficulty.  The install
tools do not enforce that the files be signed, they do not have to
install my key.

Try for yourself, if you like: http://people.xiph.org/~greg/openssl/

> You have as
> much equal footing as Fedora does to plunk down the $99 and play along in
> the PC sandbox.

So if I were to take, say, a GPLed compositing window manager and then
I paid $99 for a license to embed a copy of commercial opengl special
effects— which prohibited modification, reverse engineering,
redistribution by unlicensed parties, and commercial use—  then I
started distributing this modified version... and I gave it to you and
told you that you were free to pay $99 to play in the
graphically-enhanced distribution sandbox, you'd think that was
okay?

I'd like to now summon the folks arguing for this who earlier insisted
that Fedora was being upfront about the tradeoffs here to come argue
with people that there isn't a material loss of freedom.  Being
upfront means not only speaking up for points that support your
position.

