*countable infinities only

Peter Jones pjones at redhat.com
Thu May 31 15:34:30 UTC 2012

On 05/31/2012 11:10 AM, Basil Mohamed Gohar wrote:

> This will exclude a whole class of usages that are currently available
> to Fedora users, such as the ReSpin projects that Fedora Unity used to
> produce from stock Fedora packages as well as any other downstream
> projects that build on Fedora.

It will make the barrier to entry for them higher, yes, by requiring them
to take one of the three previously described steps to get systems installed,
which I'll repeat here:

1) get users to turn off secure boot
2) get users to enroll a distro-specific key
3) pay the $99 bucks and sign the first stage bootloader.

Two are expensive in terms of will, the third incurs monetary cost.  Pick
your poison.

> This is not something affecting only a limited set of cases.  It's a major
> change to the ecosystem around Fedora.

We agree, but we don't see a good way around it.

> I'm not in a position at this point to provide a specific solution to
> this, but Windows 8 is not even out yet.  Fedora, Red Hat, and others
> may still have the option of putting pressure on either Microsoft or
> other entities (hardware manufacturers) to change how this is
> implemented to prevent the lockout that the key requirement causes in
> its current state.

We argued in public, and even more in private (by legal necessity) against
secureboot being enabled by default for quite some time. Ubuntu has done
some of that as well, but aside from that we're the only voices against it,
largely because vendors have a legitimate security concern and secureboot
does close that attack surface. We'd be happy to see others become involved
and find some other solution that everybody can be happy with, but at this
point market forces seem to indicate that we'll have to deal with this
solution. I'm sorry we haven't been able to stop this.

> But announcing support for it before it's even in real systems widely
> is premature and only serves their interests, not ours.

So your better solution is to develop this completely in private without
letting you guys know what we're planning to do or what we're working on,
ship F18 in a way that won't install on say 90% of the desktop/laptop systems
that ship between F18 and F19, and then roll out F19 with secureboot
support implemented to show our users how much we're protecting them
from the big bad Microsoft?

I'll write that one down on my list to consider. Thanks.

