On 06/06/12 22:51, Tom H wrote:
> On Wed, Jun 6, 2012 at 7:56 AM, Scott Ferguson
> <scott.ferguson.debian.u...@gmail.com> wrote:
>> On 06/06/12 20:47, Tom H wrote:
>>> On Wed, Jun 6, 2012 at 6:06 AM, Scott Ferguson
>>> <scott.ferguson.debian.u...@gmail.com> wrote:
>>>> On 06/06/12 19:23, Tom H wrote:
>>>>> On Wed, Jun 6, 2012 at 12:18 AM, Scott Ferguson
>>>>> <scott.ferguson.debian.u...@gmail.com> wrote:
>
>
>
>>>>>> ;consider also that Fedora has *not* said they won't be sharing the key
>>>>>
>>>>> They won't share their Secure Boot key in the same way that they don't
>>>>> share their RPM-signing key(s).
>>>>
>>>> I'm unable to find anything from the RedHat/Fedora community who
>>>> supports that assertion, and it's not supported by the article:-
>>>>
>>>> "Adopting a distribution-specific key and encouraging hardware companies
>>>> to adopt it *would have been hostile to other distributions*. We want to
>>>> compete on merit, not because we have better links to OEMs.
>>>
>>> In this para, MG's saying that Fedora didn't want to buy a
>>> 99-dollar-key and have it loaded into the firmware of the hardware
>>> manufacturers who'd agree to do so.
>>
>> I read that as "there was no realistic chance that we could get *all* of
>> them to carry it", and so they didn't. Tim Burke gives the same reasons.
>> Aside from legal reasons (I'm not sure how UEFI and the Debian
>> constitution fit) the only things stopping Debian from getting a key is
>> that not many manufacturers would use it - and it'd require resources to
>> manage and maintain, something better suited to a commercial enterprise.
>
> He made two arguments for not going the
> have-the-Fedora-key-uploaded-by-OEMs way. He called the first
> user-hostile because it would require having hardware-compatibility
> lists because not all OEMs would be willing to upload the Fedora key.
> And he called the second distribution-hostile because Fedora would
> have had better success at having its key uploaded than other
> distributions given Red Hat's more extensive relationships with OEMs.
> There's not even a hint of sharing Fedora's key with anyone.
>
>
>
>>>> An alternative was producing some sort of overall Linux key. It turns
>>>> out that this is also difficult, since it would mean finding an entity
>>>> who was willing to take responsibility for managing signing or key
>>>> distribution. That means having the ability to keep the root key
>>>> absolutely secure and perform adequate validation of people asking for
>>>> signing. That's expensive. Like millions of dollars expensive. It would
>>>> also take a lot of time to set up, and that's not really time we had.
>>>> And, finally, nobody was jumping at the opportunity to volunteer. So no
>>>> generic Linux key."
>>>>
>>>> Hardly "we don't want to share", more "we can't afford to"
>>>
>>> In this para, he isn't discussing a Fedora 99-dollar-key purchased
>>> from Verisign, but a cross-distribution Linux key infrastructure
>>> similar to the one that Microsoft's developed/developing.
>>
>> Two keys?
>> I read it as *one* key bought (from Verisign) for $99 through the MS
>> sysdev portal that will be used to sign the first stage boot loader for
>> use on hardware "certified" to support Windoof 7?
>
> Why would a 99-dollar-key cost millions?

No one said a key would cost millions.

>
> You're thinking of a third scenario that MG hasn't described where a
> "Linux Secure Boot Foundation" buys a 99-dollar-key and shares it with
> all (!) distributions - I'm of course assuming here and the previous
> scenario of Fedora sharing its key that the agreement with Verisign
> allows a key to be loaned out/shared - which puts us in the same
> situation as the Fedora-key-sharing situation, that I posted earlier
> and that you snipped from your reply, where the failure of one
> distribution would result in all distributions having their one key
> blacklisted. That's the management exercise that would cost millions.
>
>

--
Iceweasel/Firefox/Chrome/Chromium/Iceape/IE extensions for finding
answers to questions about Debian:-
https://addons.mozilla.org/en-US/firefox/collections/Scott_Ferguson/debian/