Re: *countable infinities only

2012-05-31 Thread Bryn M. Reeves
On 05/31/2012 05:16 PM, Gerry Reno wrote: On 05/31/2012 12:13 PM, Miloslav Trmač wrote: On Thu, May 31, 2012 at 6:04 PM, Gerry Reno gr...@verizon.net wrote: http://www.fsf.org/campaigns/secure-boot-vs-restricted-boot/statement SecureBoot is

Re: *countable infinities only

2012-05-31 Thread Gerry Reno
On 05/31/2012 12:57 PM, Basil Mohamed Gohar wrote: On 05/31/2012 12:53 PM, Gerry Reno wrote: On 05/31/2012 12:51 PM, Matthew Garrett wrote: On Thu, May 31, 2012 at 12:49:53PM -0400, Gerry Reno wrote: The issue could be solved by having the SecureBoot default setting depend on the OS being

Re: *countable infinities only

2012-05-31 Thread Matthew Garrett
On Thu, May 31, 2012 at 12:53:30PM -0400, Gerry Reno wrote: On 05/31/2012 12:51 PM, Matthew Garrett wrote: On Thu, May 31, 2012 at 12:49:53PM -0400, Gerry Reno wrote: The issue could be solved by having the SecureBoot default setting depend on the OS being booted: SecureBoot should

Re: *countable infinities only

2012-05-31 Thread Gerry Reno
On 05/31/2012 01:03 PM, Matthew Garrett wrote: On Thu, May 31, 2012 at 12:53:30PM -0400, Gerry Reno wrote: On 05/31/2012 12:51 PM, Matthew Garrett wrote: On Thu, May 31, 2012 at 12:49:53PM -0400, Gerry Reno wrote: The issue could be solved by having the SecureBoot default setting depend on

Live CD or USB (was Re: *countable infinities only)

2012-05-31 Thread Michael Cronenworth
Gregory Maxwell wrote: http://mjg59.dreamwidth.org/12368.html What effect on CD or USB boot images does this have? Will Live images on fp.o be required to be signed to be useful to the general public with a Dell/HP machine that will most certainly have this feature enabled (and possibly not

Re: *countable infinities only

2012-05-31 Thread Gregory Maxwell
On Thu, May 31, 2012 at 1:07 PM, Gerry Reno gr...@verizon.net wrote: Could be any of a thousand ways to implement this. Maybe it checks the BIOS to determine whether some SecureBoot flag is set. While it pains me to argue with someone on my side— you're incorrect. The compromised system would

Re: *countable infinities only

2012-05-31 Thread Matthew Garrett
On Thu, May 31, 2012 at 01:07:13PM -0400, Gerry Reno wrote: On 05/31/2012 01:03 PM, Matthew Garrett wrote: How does the Microsoft OS know that it's being invoked in an unauthorised manner? Could be any of a thousand ways to implement this. Maybe it checks the BIOS to determine

Re: *countable infinities only

2012-05-31 Thread Gerry Reno
On 05/31/2012 01:10 PM, Gregory Maxwell wrote: On Thu, May 31, 2012 at 1:07 PM, Gerry Reno gr...@verizon.net wrote: Could be any of a thousand ways to implement this. Maybe it checks the BIOS to determine whether some SecureBoot flag is set. While it pains me to argue with someone on my side—

Re: *countable infinities only

2012-05-31 Thread Jon Ciesla
On Thu, May 31, 2012 at 12:16 PM, Gerry Reno gr...@verizon.net wrote: On 05/31/2012 01:10 PM, Gregory Maxwell wrote: On Thu, May 31, 2012 at 1:07 PM, Gerry Reno gr...@verizon.net wrote: Could be any of a thousand ways to implement this. Maybe it checks the BIOS to determine whether some

Re: *countable infinities only

2012-05-31 Thread Gerry Reno
On 05/31/2012 01:19 PM, Jon Ciesla wrote: On Thu, May 31, 2012 at 12:16 PM, Gerry Reno gr...@verizon.net wrote: On 05/31/2012 01:10 PM, Gregory Maxwell wrote: On Thu, May 31, 2012 at 1:07 PM, Gerry Reno gr...@verizon.net wrote: Could be any of a thousand ways to implement this. Maybe it

Re: *countable infinities only

2012-05-31 Thread Jon Ciesla
On Thu, May 31, 2012 at 12:22 PM, Gerry Reno gr...@verizon.net wrote: On 05/31/2012 01:19 PM, Jon Ciesla wrote: On Thu, May 31, 2012 at 12:16 PM, Gerry Reno gr...@verizon.net wrote: On 05/31/2012 01:10 PM, Gregory Maxwell wrote: On Thu, May 31, 2012 at 1:07 PM, Gerry Reno gr...@verizon.net

Re: *countable infinities only

2012-05-31 Thread Gerry Reno
On 05/31/2012 01:34 PM, Jon Ciesla wrote: On Thu, May 31, 2012 at 12:22 PM, Gerry Reno gr...@verizon.net wrote: On 05/31/2012 01:19 PM, Jon Ciesla wrote: On Thu, May 31, 2012 at 12:16 PM, Gerry Reno gr...@verizon.net wrote: On 05/31/2012 01:10 PM, Gregory Maxwell wrote: On Thu, May 31, 2012

Re: Live CD or USB (was Re: *countable infinities only)

2012-05-31 Thread Chris Adams
Once upon a time, Michael Cronenworth m...@cchtml.com said: What effect on CD or USB boot images does this have? Will Live images on fp.o be required to be signed to be useful to the general public with a Dell/HP machine that will most certainly have this feature enabled (and possibly not

Re: *countable infinities only

2012-05-31 Thread Matthew Garrett
On Thu, May 31, 2012 at 01:42:30PM -0400, Gerry Reno wrote: This game of cat and mouse with the blackhats is not going to end until we have some type of read-only partitions where known good code resides. And the user must hit a hardware button to enable read-write to change anything

Re: Live CD or USB (was Re: *countable infinities only)

2012-05-31 Thread Matthew Garrett
On Thu, May 31, 2012 at 12:46:15PM -0500, Chris Adams wrote: Once upon a time, Michael Cronenworth m...@cchtml.com said: What effect on CD or USB boot images does this have? Will Live images on fp.o be required to be signed to be useful to the general public with a Dell/HP machine that will

Re: *countable infinities only

2012-05-31 Thread Jon Ciesla
On Thu, May 31, 2012 at 12:42 PM, Gerry Reno gr...@verizon.net wrote: On 05/31/2012 01:34 PM, Jon Ciesla wrote: On Thu, May 31, 2012 at 12:22 PM, Gerry Reno gr...@verizon.net wrote: On 05/31/2012 01:19 PM, Jon Ciesla wrote: On Thu, May 31, 2012 at 12:16 PM, Gerry Reno gr...@verizon.net wrote:

Re: *countable infinities only

2012-05-31 Thread Gerry Reno
On 05/31/2012 01:47 PM, Matthew Garrett wrote: Platforms implementing secure boot will require cryptographically signed firmware updates, so the only way an attacker will be able to modify your system is by having physical access to the flash. Well, at least that part is good. -- devel

Re: *countable infinities only

2012-05-31 Thread Gerry Reno
On 05/31/2012 01:48 PM, Jon Ciesla wrote: On Thu, May 31, 2012 at 12:42 PM, Gerry Reno gr...@verizon.net wrote: On 05/31/2012 01:34 PM, Jon Ciesla wrote: On Thu, May 31, 2012 at 12:22 PM, Gerry Reno gr...@verizon.net wrote: On 05/31/2012 01:19 PM, Jon Ciesla wrote: On Thu, May 31, 2012 at

Re: *countable infinities only

2012-05-31 Thread Jon Ciesla
On Thu, May 31, 2012 at 12:52 PM, Gerry Reno gr...@verizon.net wrote: On 05/31/2012 01:48 PM, Jon Ciesla wrote: On Thu, May 31, 2012 at 12:42 PM, Gerry Reno gr...@verizon.net wrote: On 05/31/2012 01:34 PM, Jon Ciesla wrote: On Thu, May 31, 2012 at 12:22 PM, Gerry Reno gr...@verizon.net wrote:

Re: *countable infinities only

2012-05-31 Thread Peter Jones
On 05/31/2012 12:21 PM, Bill Nottingham wrote: Basil Mohamed Gohar (basilgo...@librevideo.org) said: Remove Microsoft's keys, problem solved. Ah, yes, but then you also won't be able to run Fedora, under the currently proposed solution. Oops! See how slick the slope is? If you're dumb

Re: *countable infinities only

2012-05-31 Thread Adam Jackson
On 5/31/12 12:20 PM, Basil Mohamed Gohar wrote: On 05/31/2012 12:18 PM, Miloslav Trmač wrote: Remove Microsoft's keys, problem solved. Mirek Ah, yes, but then you also won't be able to run Fedora, under the currently proposed solution. Oops! See how slick the slope is? False. Quoting

Re: *countable infinities only

2012-05-31 Thread Peter Jones
On 05/31/2012 12:15 PM, Basil Mohamed Gohar wrote: On 05/31/2012 12:06 PM, Peter Jones wrote: On 05/31/2012 12:04 PM, Gerry Reno wrote: SecureBoot is not about security. It is about restriction. If you're looking for a mantra to recite ad infinitum, that's a fine one, but right now we're

Re: *countable infinities only

2012-05-31 Thread Gerry Reno
On 05/31/2012 01:57 PM, Jon Ciesla wrote: On Thu, May 31, 2012 at 12:52 PM, Gerry Reno gr...@verizon.net wrote: On 05/31/2012 01:48 PM, Jon Ciesla wrote: On Thu, May 31, 2012 at 12:42 PM, Gerry Reno gr...@verizon.net wrote: On 05/31/2012 01:34 PM, Jon Ciesla wrote: On Thu, May 31, 2012 at

Re: *countable infinities only

2012-05-31 Thread Bill Nottingham
Gregory Maxwell (gmaxw...@gmail.com) said: It's perhaps just as troubling that there are people involved in this non-public decision who apparently have such a limited understanding of free software that they were unable to understand the point I made explicitly in my message (and more

Re: *countable infinities only

2012-05-31 Thread Peter Jones
On 05/31/2012 12:42 PM, Miloslav Trmač wrote: Well, Fedora will enjoy a different security benefit by removing the user-space ability to manipulate DMA, even for users that don't have SecureBoot-capable hardware. Our current plan is actually to only disable these methods if Secure Boot is

Re: *countable infinities only

2012-05-31 Thread Jon Ciesla
On Thu, May 31, 2012 at 1:08 PM, Gerry Reno gr...@verizon.net wrote: On 05/31/2012 01:57 PM, Jon Ciesla wrote: On Thu, May 31, 2012 at 12:52 PM, Gerry Reno gr...@verizon.net wrote: On 05/31/2012 01:48 PM, Jon Ciesla wrote: On Thu, May 31, 2012 at 12:42 PM, Gerry Reno gr...@verizon.net wrote:

Re: *countable infinities only

2012-05-31 Thread Peter Jones
On 05/31/2012 12:37 PM, Adam Jackson wrote: Now if you're suggesting Fedora should ship another version of the shimloader that's signed with a common Fedora key... sure, why not, that could be nice. Of course since we have to /install/ a bootloader, for this to be effective it needs to be the

Re: *countable infinities only

2012-05-31 Thread Gerry Reno
On 05/31/2012 02:17 PM, Jon Ciesla wrote: On Thu, May 31, 2012 at 1:08 PM, Gerry Reno gr...@verizon.net wrote: On 05/31/2012 01:57 PM, Jon Ciesla wrote: On Thu, May 31, 2012 at 12:52 PM, Gerry Reno gr...@verizon.net wrote: On 05/31/2012 01:48 PM, Jon Ciesla wrote: On Thu, May 31, 2012 at

Re: *countable infinities only

2012-05-31 Thread Peter Jones
On 05/31/2012 02:08 PM, Gerry Reno wrote: The hardware is under control of the user. At some point the user has to know what they consider trusted. I totally agree. This is why I've been writing tools to do your own signing and key management. It's totally okay to do your own thing, I expect

Re: *countable infinities only

2012-05-31 Thread drago01
On Thu, May 31, 2012 at 4:23 PM, Gregory Maxwell gmaxw...@gmail.com wrote: None the less,  I do not believe it is FUD or in any way inaccurate to say that this will mean that Fedora will be losing a freedom it once had— the freedom to make forks at no cost which are technically equal to the

Re: *countable infinities only

2012-05-31 Thread Peter Jones
On 05/31/2012 12:59 PM, Gerry Reno wrote: On 05/31/2012 12:57 PM, Basil Mohamed Gohar wrote: I take it that virtualization of the OS is completely off the table as well, then? (I think it must be, if this is the case.) Why would that be? VM's have a BIOS. And SecureBoot can be part of that

Re: *countable infinities only

2012-05-31 Thread Jon Ciesla
On Thu, May 31, 2012 at 1:21 PM, Gerry Reno gr...@verizon.net wrote: On 05/31/2012 02:17 PM, Jon Ciesla wrote: On Thu, May 31, 2012 at 1:08 PM, Gerry Reno gr...@verizon.net wrote: On 05/31/2012 01:57 PM, Jon Ciesla wrote: On Thu, May 31, 2012 at 12:52 PM, Gerry Reno gr...@verizon.net wrote:

Re: *countable infinities only

2012-05-31 Thread Chris Adams
Once upon a time, Peter Jones pjo...@redhat.com said: That's why we didn't simply ask vendors to ship our key. That would be /less/ equitable to other distributions than the solution we're looking at right now. Has any thought been given to setting up a group between various Open Source

Re: *countable infinities only

2012-05-31 Thread Gregory Maxwell
On Thu, May 31, 2012 at 12:47 PM, Bill Nottingham nott...@redhat.com wrote: I'm not sure how you meant this, but I'm having a hard time reading this in a way that's not: - directly contradictory - intentional raising of FUD then stepping back - insinuating some Shadowy Cabal Of Others behind

Re: *countable infinities only

2012-05-31 Thread Gerry Reno
On 05/31/2012 02:52 PM, Jon Ciesla wrote: On Thu, May 31, 2012 at 1:21 PM, Gerry Reno gr...@verizon.net wrote: On 05/31/2012 02:17 PM, Jon Ciesla wrote: On Thu, May 31, 2012 at 1:08 PM, Gerry Reno gr...@verizon.net wrote: On 05/31/2012 01:57 PM, Jon Ciesla wrote: On Thu, May 31, 2012 at 12:52

Re: *countable infinities only

2012-05-31 Thread Peter Jones
On 05/31/2012 02:55 PM, Chris Adams wrote: Once upon a time, Peter Jones pjo...@redhat.com said: That's why we didn't simply ask vendors to ship our key. That would be /less/ equitable to other distributions than the solution we're looking at right now. Has any thought been given to setting

Re: *countable infinities only

2012-05-31 Thread Peter Jones
On 05/31/2012 03:03 PM, Gregory Maxwell wrote: Because maintaining the boot portion of the system shouldn't automatically create a position to make fundamental decisions like this. The authors of Fedora packages also don't normally spend large amounts of time in consultation with Redhat legal,

Re: *countable infinities only

2012-05-31 Thread Adam Jackson
On 5/31/12 2:17 PM, Peter Jones wrote: On 05/31/2012 12:37 PM, Adam Jackson wrote: Now if you're suggesting Fedora should ship another version of the shimloader that's signed with a common Fedora key... sure, why not, that could be nice. Of course since we have to /install/ a bootloader, for

Re: *countable infinities only

2012-05-31 Thread Peter Jones
On 05/31/2012 03:18 PM, Adam Jackson wrote: On 5/31/12 2:17 PM, Peter Jones wrote: On 05/31/2012 12:37 PM, Adam Jackson wrote: Now if you're suggesting Fedora should ship another version of the shimloader that's signed with a common Fedora key... sure, why not, that could be nice. Of course

Re: *countable infinities only

2012-05-31 Thread Peter Jones
On 05/31/2012 02:55 PM, Chris Adams wrote: Once upon a time, Peter Jones pjo...@redhat.com said: That's why we didn't simply ask vendors to ship our key. That would be /less/ equitable to other distributions than the solution we're looking at right now. Has any thought been given to setting

Re: *countable infinities only

2012-05-31 Thread Jon Ciesla
On Thu, May 31, 2012 at 2:07 PM, Gerry Reno gr...@verizon.net wrote: On 05/31/2012 02:52 PM, Jon Ciesla wrote: On Thu, May 31, 2012 at 1:21 PM, Gerry Reno gr...@verizon.net wrote: On 05/31/2012 02:17 PM, Jon Ciesla wrote: On Thu, May 31, 2012 at 1:08 PM, Gerry Reno gr...@verizon.net wrote: On

Re: *countable infinities only

2012-05-31 Thread Jon Ciesla
On Thu, May 31, 2012 at 2:57 PM, Jon Ciesla limburg...@gmail.com wrote: On Thu, May 31, 2012 at 2:07 PM, Gerry Reno gr...@verizon.net wrote: On 05/31/2012 02:52 PM, Jon Ciesla wrote: On Thu, May 31, 2012 at 1:21 PM, Gerry Reno gr...@verizon.net wrote: On 05/31/2012 02:17 PM, Jon Ciesla wrote:

Re: *countable infinities only

2012-05-31 Thread Matthew Garrett
On Thu, May 31, 2012 at 03:18:54PM -0400, Adam Jackson wrote: Not that I want to discourage multiple signatures - quite the opposite - but could we not install the bootloader after (and based on) looking at the enrolled keys? Certainly, providing you can boot the software that can examine the

Re: *countable infinities only

2012-05-31 Thread Gerry Reno
On 05/31/2012 04:04 PM, Jon Ciesla wrote: On Thu, May 31, 2012 at 2:57 PM, Jon Ciesla limburg...@gmail.com wrote: On Thu, May 31, 2012 at 2:07 PM, Gerry Reno gr...@verizon.net wrote: On 05/31/2012 02:52 PM, Jon Ciesla wrote: On Thu, May 31, 2012 at 1:21 PM, Gerry Reno gr...@verizon.net wrote:

Re: *countable infinities only

2012-05-31 Thread Gregory Maxwell
On Thu, May 31, 2012 at 4:19 PM, Gerry Reno gr...@verizon.net wrote: And I'd rather see a User-Controlled implementation rather than a Monopoly-Controlled implementation. SecureBoot is (currently, on x86 but not arm) _also_ user-controlled. The monopoly controlled is just the default. --

Re: *countable infinities only

2012-05-31 Thread Gerry Reno
On 05/31/2012 04:26 PM, Gregory Maxwell wrote: On Thu, May 31, 2012 at 4:19 PM, Gerry Reno gr...@verizon.net wrote: And I'd rather see a User-Controlled implementation rather than a Monopoly-Controlled implementation. SecureBoot is (currently, on x86 but not arm) _also_ user-controlled. The

Re: *countable infinities only

2012-05-31 Thread Adam Jackson
On 5/31/12 3:23 PM, Peter Jones wrote: On 05/31/2012 03:18 PM, Adam Jackson wrote: Not that I want to discourage multiple signatures - quite the opposite - but could we not install the bootloader after (and based on) looking at the enrolled keys? Well, that adds complexity and makes files

Re: *countable infinities only

2012-05-31 Thread Peter Jones
On 05/31/2012 04:32 PM, Adam Jackson wrote: On 5/31/12 3:23 PM, Peter Jones wrote: On 05/31/2012 03:18 PM, Adam Jackson wrote: Not that I want to discourage multiple signatures - quite the opposite - but could we not install the bootloader after (and based on) looking at the enrolled keys?

Re: *countable infinities only

2012-05-31 Thread Adam Williamson
On Thu, 2012-05-31 at 15:07 -0400, Gerry Reno wrote: Yes, all these would currently support what I'm suggesting. Actually, if you're willing to flip a lot of switches, you could probably make your / a raid5 of floppies, but the performance would be suboptimal. -J Ok, now you're

Re: *countable infinities only

2012-05-31 Thread Adam Williamson
On Thu, 2012-05-31 at 16:31 -0400, Gerry Reno wrote: On 05/31/2012 04:26 PM, Gregory Maxwell wrote: On Thu, May 31, 2012 at 4:19 PM, Gerry Reno gr...@verizon.net wrote: And I'd rather see a User-Controlled implementation rather than a Monopoly-Controlled implementation. SecureBoot is

Re: *countable infinities only

2012-05-31 Thread Gerry Reno
On 05/31/2012 05:47 PM, Adam Williamson wrote: On Thu, 2012-05-31 at 16:31 -0400, Gerry Reno wrote: On 05/31/2012 04:26 PM, Gregory Maxwell wrote: On Thu, May 31, 2012 at 4:19 PM, Gerry Reno gr...@verizon.net wrote: And I'd rather see a User-Controlled implementation rather than a

Re: *countable infinities only

2012-05-31 Thread Kevin Kofler
Chris Adams wrote: - Secure boot is required to be able to be disabled on x86 (the only platform Fedora will support it). And this is exactly why we should just require our users to disable it! I don't see any advantage at all from supporting this feature, just problems: * extra restrictions

Re: *countable infinities only

2012-05-31 Thread Gerry Reno
On 05/31/2012 09:14 PM, Kevin Kofler wrote: Chris Adams wrote: - Secure boot is required to be able to be disabled on x86 (the only platform Fedora will support it). And this is exactly why we should just require our users to disable it! I don't see any advantage at all from supporting this

Re: *countable infinities only

2012-05-31 Thread Debarshi Ray
What if anaconda was changed to a license which required forks to certify and pay a one time $99 fee to some shell company, would anyone call Fedora still a free software distribution with a straight face? Yes, if after paying $99 you are free to redistribute your own modified versions. By the

Re: *countable infinities only

2012-05-31 Thread Debarshi Ray
This will exclude a whole class of usages that are currently available to Fedora users, such as the ReSpin projects that Fedora Unity used to produce from stock Fedora packages as well as any other downstream projects that build on Fedora. This is not something affecting only a limited set of
