*countable infinities only

Paulo César Pereira de Andrade paulo.cesar.pereira.de.andrade at gmail.com
Wed Jun 6 19:04:34 UTC 2012

2012/6/6 drago01 <drago01 at gmail.com>:
> On Wed, Jun 6, 2012 at 4:51 PM, Paulo César Pereira de Andrade
> <paulo.cesar.pereira.de.andrade at gmail.com> wrote:
>> 2012/6/6 drago01 <drago01 at gmail.com>:
>>> On Wed, Jun 6, 2012 at 3:24 PM, Paulo César Pereira de Andrade
>>> <paulo.cesar.pereira.de.andrade at gmail.com> wrote:
>>>> 2012/6/5 Kevin Kofler <kevin.kofler at chello.at>:
>>>>> Tomas Mraz wrote:
>>>>>> That's total nonsense unless the restriction is by-license and not
>>>>>> just a technical obstacle. If it is just a technical obstacle in the code,
>>>>>> you can remove it and run the software on any crippled machine at your
>>>>>> will. So no, making your software not work on particular machines
>>>>>> does not make it non-free at all.
>>>>> That doesn't mean we should ship it in that state.
>>>>> If Fedora decides to support "Secure" Boot, it needs to be distro-wide.
>>>>  Could it be done in a "pretend to be supported mode", somewhat
>>>> like having a known public grub key, and then provide some Linux
>>>> certified stickers :-) Then let grub load any OS, or chain load windows
>>>> as usual.
>>> That makes no sense at all.
>>> 1) How would you get OEMs to support add that key?
>>> 2) How do you prevent malware authors from using this publicly available key
>>> to sign their malware?
>>  That is the part of "pretend to be supported", just to avoid needing
>> users to go to some setup mode to disable secure boot, and then
>> offer other means of security audit, like a custom boot image for
>> an external device. For windows, it could be some certified bootable
>> DVD, that would be guaranteed to be clean, and from there run
>> anti virus, or any scanning tools.
> Now back to reality ... how do you intend to support that?
> Talking about how things "should" be done is nice and all but not
> really productive.

  That suggestion is impractical for end users, but it is a way to get
true assurance that the system is secure (provided that it has
as up-to-date as possible information on known exploits).

  Anyway, I am pretty sure several distros will ignore this issue,
possibly until too late, and the end solution, at worst, for
computers where secure boot cannot be disabled, should
be to have someone provide a signed first stage loader
(until such key is revoked...)

