*countable infinities only

Peter Jones pjones at redhat.com
Thu May 31 19:23:20 UTC 2012

On 05/31/2012 03:18 PM, Adam Jackson wrote:
> On 5/31/12 2:17 PM, Peter Jones wrote:
>> On 05/31/2012 12:37 PM, Adam Jackson wrote:
>>> Now if you're suggesting Fedora should ship another version of the
>>> shimloader that's signed with a common Fedora key... sure, why not,
>>> that could be nice.
>> Of course since we have to /install/ a bootloader, for this to be
>> effective it needs to be the same bootloader signed twice, which is
>> not currently supported by the binary format. (It can, of course, be
>> adapted to support it trivially without even changing the bits on the
>> disk if we can talk them into it, and my tools currently include a
>> partial implementation of this that's merely #define'd away.)
> Not that I want to discourage multiple signatures - quite the opposite - but
> could we not install the bootloader after (and based on) looking at the
> enrolled keys?

Well, that adds complexity and makes files bigger and more numerous, but it
could be done. We all know how dangerous files are.

