Paul Wise writes ("Re: Bug#820036: No bug mentioning a Debian KEK and booting 
use it."):
> On Tue, Oct 18, 2016 at 7:36 PM, Ian Jackson wrote:
> > I'm afraid I can't make sense of this.  You have posted it to
> > debian-devel, but without any kind of sensible explanation of the
> > context.
> It was posted to bug #820036, which is tracking Debian support for
> secure boot. Peter was advocating quite correctly that as well as
> having our copy of shim (the first-stage bootloader on secure boot
> systems) signed by Microsoft, we should also have a copy signed by a
> Debian signing authority, so that users can theoretically choose to
> distrust the Microsoft key. IIRC, unfortunately in practice that is
> unlikely to be possible since various firmware blobs are only
> Microsoft-signed.

Ah.  Maybe it would be worth doing anyway.  There might be machines
which work with some kind of libre firmware.  But of course actually
doing this depends on someone having the effort.

Anyway, thanks for the explanation.


Ian Jackson <>   These opinions are my own.

If I emailed you from an address or, that is
a private address which bypasses my fierce spamfilter.

Reply via email to