*countable infinities only
Peter Jones
pjones at redhat.com
Thu May 31 19:23:20 UTC 2012
On 05/31/2012 03:18 PM, Adam Jackson wrote:
> On 5/31/12 2:17 PM, Peter Jones wrote:
>> On 05/31/2012 12:37 PM, Adam Jackson wrote:
>>
>>> Now if you're suggesting Fedora should ship another version of the
>>> shimloader that's signed with a common Fedora key... sure, why not,
>>> that could be nice.
>>
>> Of course since we have to /install/ a bootloader, for this to be
>> effective it needs to be the same bootloader signed twice, which is
>> not currently supported by the binary format. (It can, of course, be
>> adapted to support it trivially without even changing the bits on the
>> disk if we can talk them in to it, and my tools currently includes a
>> partial implementation of this that's merely #define'd away.)
>
> Not that I want to discourage multiple signatures - quite the opposite - but
> could we not install the bootloader after (and based on) looking at the
> enrolled keys?
Well, that adds complexity and makes files bigger and more numerous, but it
could be done. We all know how dangerous files are.
--
Peter
More information about the devel
mailing list