On 06/02/2012 08:38 AM, Gregory Maxwell wrote:
When I create a fork, respin, or remix of Fedora and distribute it to
people it will not run for them like Fedora does without a level of
fiddling which the people advocating this have made clear is entirely
unacceptable. This is because Fedora will be cryptographically
signing the distribution with keys these systems require and not
sharing the keys with me. Fedora be doing this even with software
that I wrote, enhancing it with a signing key only they have access
too, making it much more useful on hardware where it is not otherwise,
and not allowing me and or downstream recipients to enjoy the same
improvements for their modified versions.
What is unclear about this?
You do realize that if you create a fork, respin, or remix that you will
have packages on the system that are not signed by Fedora's GPG key, and
your generated ISOs will not be signed by Fedora's GPG key? Worse,
there is no amount of money you could pay Fedora to gain access to
Fedora's GPG key, nor is there any infrastructure for Fedora's key to
"trust" other keys. Fedora already takes "software you wrote" and
enhances it by signing it with a (gpg) signing key, which makes it much
more useful on hardware with Fedora installed where it is not otherwise.
(Users would have to disable yum's gpg checking in order to install
your unsigned package, or they would have to install /your/ gpg key and
trust it in order to install the package signed with your key).
Further, your product may not be hosted by our servers, and our mirrors.
It will not be produced into physical media and brought to Fedora
events to be handed out to users. There never was equal footing.
The only Freedom you've lost is that now, in addition to the
person-hours to do the work and monetary cost to host your bits or
generate physical media, you have an additional cost if you wish to have
your own cert that will be accepted out of the box by the next
generation of PC hardware. You have as much equal footing as Fedora
does to plunk down the $99 and play along in the PC sandbox. That's a
better deal than Fedora's gpg signing setup.
--
Help me fight child abuse: http://tinyurl.com/jlkcourage
- jlk
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
