Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

Sam Varshavchik mrsam at courier-mta.com
Fri Jun 1 22:47:58 UTC 2012 

Thibault NĂ©lis writes:

> On 06/01/2012 02:40 PM, Sam Varshavchik wrote:
>>> they can't possibly review all the software that could follow the boot
>>> loader down the chain,
>>
>> They won't have to. Once they have a signing key that boots their
>> current Windows OS, they have no further need for a certification
>> process. What value added benefit does it bring to them?
>
> For now, they avoid public outrage and keep control.  I personally believe

Who exactly is outraged right now? A bunch of geeks on a mailing list? So  
what? Who cares?

You really expect John Q Public to be howling in outrage, because he can't  
get his keys loaded into Dell Ultra Precision XKZ100+ laptop?

> I agree it's not ideal, so we must still demand for alternatives to  
> Microsoft, preferably unbiased, now.

We can start by not playing their games.

> Verisign must be paying back a good share.  Or maybe I'm looking at it the  
> wrong way and it's not about money, but..  well it usually is.

Of course it is about the money. Not /this/ money. But everything is about  
money.

>> Please prove me wrong. Where can I get the details of those plans?
>
> Well I don't see why Matthew Garrett would lie about that in his article (we  
> all read his post right?).  Maybe I trust his word too easily, or maybe his  
> source is wrong, but I certainly think he's way more informed about the  
> situation than any of us.  You're right in that we should wait to see it  
> formally announced by the OEMs before shouting victory though, but I kind of  
> got from the vibe that it was a sure thing, so I don't think we should worry  
> about that too much until the situation changes, hoping that it won't.

I do not share your optimism. Let's just say that, a very very long time  
ago, I was developing Windows software. Not for very long. I don't even  
remember for how long, probably a year, no more. Even though it was a long  
time ago, I still remember what I figured out myself, on my own, back then.  
And I believe that there are some things out there that don't ever change.

>> And would you care to take my bet, for 1,000 quatloos, that Microsoft's
>> certification program will be a farce? They'll sign Oracle's key, that
>> can only boot Solaris, sure. They may very well sign an RHEL key, that
>> will boot a locked-down RHEL.
>
> A $100 farce?  At that price, they are *clearly* targeting very small  
> players.

The price is irrelevant. That's just one part that makes it a farce.  
Nobody's going to get a key to boot an open OS on the same hardware that can  
boot a Microsoft OS. Doesn't matter what the price is.

> I know it doesn't help that their site has been down since the  
> beginning of this discussion, we can't really evaluate, but I got the  
> feeling that Fedora's decision to use Microsoft's services was informed and  
> not just thrown in the wild, so they presumably know for sure that they can  
> get it.

Oh, I'm sure that it was informed. Like I said, all that's about, is getting  
RHEL into the secure boot chain.

> So yeah, okay, trekker, I take the bet, they get the key.  :)

Not the Fedora key. My bet was on a key that can boot an open Fedora, which  
can do everything that Fedora can do today, on the same hardware.

They might get a key signed to boot a locked-down RHEL. Might. Not a  
guarantee. There will not, I repeat, NOT, going to be a signed key that  
boots Fedora, where "Fedora" refers to Fedora as we know it today.

The most you're going to get, is a key that will boot Fedora that's been  
built and signed on Fedora build servers, using this key, that will refuse  
to load unsigned modules, and with certain Linux kernel features disabled.  
And nobody, but those build servers, will have the key.

>> An open Fedora? Not going to happen.
>
> Ah come on, it's not the end yet.

No, it's not.




-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL: <http://lists.fedoraproject.org/pipermail/users/attachments/20120601/ea5afd11/attachment.sig>

More information about the users mailing list