*countable infinities only

Jay Sulzberger jays at panix.com
Mon Jun 18 03:52:48 UTC 2012 


On Sun, 17 Jun 2012, Jay Sulzberger wrote:

>
>
> On Sun, 17 Jun 2012, Jay Sulzberger wrote:
>
>> 
>> 
>> On Mon, 18 Jun 2012, Matthew Garrett <mjg59 at srcf.ucam.org> wrote:
>> 
>>> > On Sun, Jun 17, 2012 at 07:54:17PM -0400, Seth Johnson wrote:
>>> > On Sat, Jun 16, 2012 at 7:26 PM, Reindl Harald <h.reindl at thelounge.net> 
>>> wrote:
>>> > >
>>> > >
>>> > > Am 17.06.2012 01:14, schrieb Chris Murphy:
>>> > >> Please provide an example of a better option, with sufficient detail 
>>> as to constitute a successful relay of the baton.
>>> > >> The point of the thread from the outset was to explore alternatives, 
>>> but so far those alternatives are vaporware.
>>> > > > Numerous non-vaporware recommendations follow, snipped directly from 
>>> the thread:
>>> 
>>> (snip)
>>> 
>>> These suggestions boil down to:
>>> 
>>> 1) Do nothing
>
> Of course, I have never suggested "doing nothing".
>
> It is the secret negotiations with hardware vendors and
> Microsoft, which have culminated in a suggestion to make Fedora
> formally subordinate, at the hardware and legal and business and
> public relations levels, to Microsoft which would better be
> characterized as "doing nothing".
>
> Matthew, I know that you and the Fedora team have done your best
> in a difficult and dark corner, but I think if you consider a
> wider range of possible moves, the corner will not seem so narrow
> and dark and hopeless.
>
> This year's engagement is not all of the struggle.  So, if for
> some months, it is even more annoying than once it was to install
> Fedora, making use of all advertised hardware facilities, well,
> that is not losing the war.  My own estimate is that a strong
> stand now would result in more successful installs of Fedora,
> this year, than the suggested policy of accommodation to
> Microsoft's demands.
>
> oo--JS.
>
>
>>> 2) Become a hardware vendor
>>> 3) Use a Fedora key

I am not sure of the tactical situation here.

Doesn't Fedora already sign all software in the Official Repository?

Is it not the case that if Fedora's private signing key were to
be compromised, that a kernel controlled by an entity that is not Fedora, 
would be installed on many machines?

Is it not also the case that if a non-kernel piece of software is
sneaked into the Official Fedora Repository, we do not assume any
Fedora private key compromise in this hypothetical, that the
subverted non-kernel piece of software could do serious damage,
incuding perhaps an escalation to root privilege?

So why does the "SecureBoot" private key require a so much higher
cost of administration?

Thanks for reading this, Matthew!

oo--JS.


>>> 
>>> None of these solve the problem of getting Fedora onto arbitrary x86 
>>> hardware bought towards the end of this year.
>>> 
>>> -- 
>>> Matthew Garrett | mjg59 at srcf.ucam.org
>> 
>> I think 50 million dollars toward buying, and properly arranging
>> the UEFI, of several lots of x86 computers would indeed solve
>> part of the problem you point out.
>> 
>> Why not?
>> 
>> What does Red Hat have to lose?
>> 
>> If Red Hat takes no effective action, then Red Hat will lose much
>> more than 50 million dollars, and very soon too.
>> 
>> oo--JS.
>> 
>> 
>
>

More information about the devel mailing list