*countable infinities only

Gregory Maxwell gmaxwell at gmail.com
Thu May 31 14:23:12 UTC 2012

On Thu, May 31, 2012 at 9:56 AM, Bryn M. Reeves <bmr at redhat.com> wrote:
> abundantly clear that there are no restrictions placed on users who do
> not wish to have the secure boot signature checks enforced.

Yes, I read it and spent several hours talking to MJG before he posted
it, in fact.

I thought I'd pay him the respect of sleeping on it and giving someone
in support of this rather secretive move time to post about it and
discuss it, so that people wouldn't be learning about it from my
response.   I also wrote a simple, factual message.  Nothing I said
was distorted or untrue.

This may not be the end of the world, but it's a clear loss of a
freedom that Fedora has had in the past. See below:

On Thu, May 31, 2012 at 10:04 AM, Peter Jones <pjones at redhat.com> wrote:
> You're wrong.  Users will have the ability to create their own signing
> certificates with openssl and sign their own binaries. Using MS as a signer
> only buys you the convenience of not making everybody who wants to install
> your software enroll your key.  But they will be able to do that if that's
> what you want.

It's perhaps just as troubling that there are people involved in this
non-public decision who apparently have such a limited understanding
of free software that they were unable to understand the point I made
explicitly in my message (and more elliptically in my subject).   How
can I trust that you really had no other alternative, when you can't
even see the loss of freedom associated with this?

One of the "Infinite Freedom"s Fedora has previously included is the
infinite potential of creating forks— software that _other people_
will load— which are Fedora's technological equals and which
themselves enjoy the same freedom as Fedora.  A change from an
uncountable infinity of options, to a merely countable infinity.

Under this model there will be two classes of distributor: One which
loads easily on systems, and one which requires the additional effort
of disabling secure boot or installing user keys. (And ARM will be
even more interesting...)

You might argue that the cost of installing keys / disabling
secure-boot is sufficiently low— but if if it really were, why bother
with it for Fedora, why legitimize this kind of signed boot-loader
only control by playing along with it.

So perhaps in practice the loss of freedom is small—  but at the same
time people advocating closed software will rightly point out that
very few users can program and fewer still care to actually do so.
None the less,  I do not believe it is "FUD" or in any way inaccurate
to say that this will mean that Fedora will be losing a freedom it
once had— the freedom to make forks at no cost which are technically
equal to the projects, ones which are just as compatible and easy to

More information about the devel mailing list