On 6/6/12 9:32 AM, Matthew Seaman wrote: > On 05/06/2012 23:10, Jerry wrote: >> I thought this URL <http://mjg59.dreamwidth.org/12368.html> also shown >> above, answered that question. > > Signing bootloaders and kernels etc. seems superficially like a good > idea to me. However, instant reaction is that this is definitely *not* > something that Microsoft should be in charge of. Some neutral[*] body > without any commercial interests should do that job, and > bootloader/kernel signing should be freely available. > > On deeper thought though, the whole idea appears completely unworkable. > It means that you will not be able to compile your own kernel or > drivers unless you have access to a signing key. As building your own > is pretty fundamental to the FreeBSD project, the logical consequence is > that FreeBSD source should come with a signing key for anyone to use. > > Which completely abrogates the whole point of signing > bootloaders/kernels in the first place: anyone wishing to create malware > would be able to sign whatever they want using such a key. It's > DRM-level stupidity all over again. > > My conclusion: boycott products, manufacturers and/or OSes that > participate in this scheme. FreeBSD alone won't make any real > difference to manufacturers, but I hope there is still enough of the > original spirit of freedom within the Linux camp, and perhaps from > Google/android to make an impact. > > I'm pretty sure there can be a way of whitelisting bootloaders and so > forth to help prevent low-level malware, but this isn't it. > > Cheers, > > Matthew > > [*] I suggest ICANN might be the right sort of organization to fulfil > this role. >
I agree with the whole post except that last bit about ICANN Matthew. The US already has enough dominance as is, without involving ICANN, a supposedly neutral body (yeah right...) any further. _______________________________________________ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"