On Wed, Jun 6, 2012 at 7:56 AM, Scott Ferguson <scott.ferguson.debian.u...@gmail.com> wrote: > On 06/06/12 20:47, Tom H wrote: >> On Wed, Jun 6, 2012 at 6:06 AM, Scott Ferguson >> <scott.ferguson.debian.u...@gmail.com> wrote: >>> On 06/06/12 19:23, Tom H wrote: >>>> On Wed, Jun 6, 2012 at 12:18 AM, Scott Ferguson >>>> <scott.ferguson.debian.u...@gmail.com> wrote:
>>>>> ;consider also that Fedora has *not* said they won't be sharing the key >>>> >>>> They won't share their Secure Boot key in the same way that they don't >>>> share their RPM-signing key(s). >>> >>> I'm unable to find anything from the RedHat/Fedora community who >>> supports that assertion, and it's not supported by the article:- >>> >>> "Adopting a distribution-specific key and encouraging hardware companies >>> to adopt it *would have been hostile to other distributions*. We want to >>> compete on merit, not because we have better links to OEMs. >> >> In this para, MG's saying that Fedora didn't want to buy a >> 99-dollar-key and have it loaded into the firmware of the hardware >> manufacturers who'd agree to do so. > > I read that as "there was no realistic chance that we could get *all* of > them to carry it", and so they didn't. Tim Burke gives the same reasons. > Aside from legal reasons (I'm not sure how UEFI and the Debian > constitution fit) the only things stopping Debian from getting a key is > that not many manufacturers would use it - and it'd require resources to > manage and maintain, something better suited to a commercial enterprise. He made two arguments for not going the have-the-Fedora-key-uploaded-by-OEMs way. He called the first user-hostile because it would require having hardware-compatibility lists because not all OEMs would be willing to upload the Fedora key. And he called the second distribution-hostile because Fedora would have had better success at having its key uploaded than other distributions given Red Hat's more extensive relationships with OEMs. There not even a hint of sharing Fedora's key with anyone. >>> An alternative was producing some sort of overall Linux key. It turns >>> out that this is also difficult, since it would mean finding an entity >>> who was willing to take responsibility for managing signing or key >>> distribution. That means having the ability to keep the root key >>> absolutely secure and perform adequate validation of people asking for >>> signing. That's expensive. Like millions of dollars expensive. It would >>> also take a lot of time to set up, and that's not really time we had. >>> And, finally, nobody was jumping at the opportunity to volunteer. So no >>> generic Linux key." >>> >>> Hardly "we don't want to share", more "we can't afford to" >> >> In this para, he isn't discussing a Fedora 99-dollar-key purchased >> from Verisign, but a cross-distribution Linux key infrastructure >> similar to the one that Microsoft's developed/developing. > > Two keys? > I read it as *one* key bought (from Verison) for $99 through the MS > sysdev portal that will be used to sign the first stage boot loader for > use on hardware "certified" to support Windoof 7? Why would a 99-dollar-key cost millions? You're thinking of a third scenario that MG hasn't described where a "Linux Secure Boot Foundation" buys a 99-dollar-key and shares it with all (!) distributions - I'm of course assuming here and the previous scenario of Fedora sharing its key that the agreement with Verisign allows a key to be loaned out/shared - which puts us in the same situation as the Fedora-key-sharing situation, that I posted earlier and that you snipped from your reply, where the failure of one distribution would result in all distributions having their one key blacklisted. -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/CAOdo=SwEX3+6uN1Qu=w07vivqp0a0j5m51cgqfnqaakudjd...@mail.gmail.com
