Re: [free-software-melb] secure boot discussion at last meeting

[Tim Cuthbertson]

On Mon, Jul 2, 2012 at 10:34 PM, Matt Giuca  wrote:
> I think it's quite amazing and sad that these companies, the "good guys" in
> this matter (if we oversimplify and consider the whole of the free software
> community as a single unit), are forced to work around their own license
> designed to prevent precisely this problem.
>
> I hope the FSF is right here -- my understanding of the situation is that
> they are. This is what I wrote on
> Google+
> :
>
> Key quotes:
>
> *"the Windows 8 Logo program currently mandates Restricted Boot on all ARM
> systems, which includes popular computer types like tablets and phones. It
> says that users must not be able to disable the boot restrictions or use
> their own signing keys. In addition to being unacceptable in its own right,
> this requirement was a reversal from Microsoft’s initial public position,
> ... Microsoft has demonstrated that they can’t be trusted. While we are
> interpreting their current guidelines, we must keep in mind that they could
> change their mind again in the future and expand the ARM restrictions to
> more kinds of systems."*
>
> *"Machines sold as “Ubuntu Certified,” preinstalled with Ubuntu, will have
> an Ubuntu-specific key, generated by Canonical, in their firmware.
> Additionally, they will be required by the certification guidelines to have
> the Microsoft key installed."*
>
> What? How did these terms get so skewed in Microsoft's favour that even in
> the very small market for "PCs sold with operating systems other than
> Windows," the manufacturer still needs to make it possible to install
> Windows?
>
> Crucially:
>
> *"[Canonical] plan[s] to drop GRUB 2 on Secure Boot systems, in favor of
> another bootloader with a different license that lacks GPLv3’s protections
> for user freedom. Their stated concern is that someone might ship an Ubuntu
> Certified machine with Restricted Boot (where the user cannot disable it).
> In order to comply with GPLv3, Ubuntu thinks it would then have to divulge
> its private key so that users could sign and install modified software on
> the restricted system.*
>
> *"This fear is unfounded and based on a misunderstanding of GPLv3. ... In
> such situations, the computer distributor – not Canonical or Ubuntu – would
> be the one responsible for providing the information necessary for users to
> run modified versions of the software."*
>
> I agree with the FSF here and I think their point is very important.
> The *entire
> point* of the GPLv3 and GRUB 2's usage of it (GRUB is owned by the FSF) was
> to prevent *precisely* this problem: a computer manufacturer distributing a
> Restricted Boot device that prevents the user from modifying the installed
> software. If Ubuntu uses GRUB 2, they do not put themselves in danger, and
> send a clear message to computer manufacturers: *if you distribute a
> computer pre-installed with Ubuntu and prevent users from disabling Secure
> Boot, then you violate the license.* If Ubuntu switches to a less
> restrictive boot loader, then they send an equally clear message: *feel
> free to restrict our users' freedom to install any operating system other
> than Canonical's official Ubuntu or Microsoft Windows.*

Unfortunately, I believe this may be the point. Or at least while not
the point, it may well be that canonical is not in a strong enough
position to be able to restrict their OEM partners to only act in a
gpl3-compliant way.

It's all very well saying "it's only the OEMs that could be in
trouble" - but they presumably have a direct line of pressure on
canonical if canonical wants them to keep shipping ubuntu boxes. Maybe
I'm misreading it, and the OEMs are more than happy to replace windows
with ubuntu - I'd like to hope that were the case, but I'm pretty
cynical ;)

Cheers,
 - Tim.
___
Free-software-melb mailing list
Free-software-melb@lists.softwarefreedom.com.au
http://lists.softwarefreedom.com.au/cgi-bin/mailman/listinfo/free-software-melb

Re: [free-software-melb] secure boot discussion at last meeting

[Matt Giuca]

I think it's quite amazing and sad that these companies, the "good guys" in
this matter (if we oversimplify and consider the whole of the free software
community as a single unit), are forced to work around their own license
designed to prevent precisely this problem.

I hope the FSF is right here -- my understanding of the situation is that
they are. This is what I wrote on
Google+
:

Key quotes:

*"the Windows 8 Logo program currently mandates Restricted Boot on all ARM
systems, which includes popular computer types like tablets and phones. It
says that users must not be able to disable the boot restrictions or use
their own signing keys. In addition to being unacceptable in its own right,
this requirement was a reversal from Microsoft’s initial public position,
... Microsoft has demonstrated that they can’t be trusted. While we are
interpreting their current guidelines, we must keep in mind that they could
change their mind again in the future and expand the ARM restrictions to
more kinds of systems."*

*"Machines sold as “Ubuntu Certified,” preinstalled with Ubuntu, will have
an Ubuntu-specific key, generated by Canonical, in their firmware.
Additionally, they will be required by the certification guidelines to have
the Microsoft key installed."*

What? How did these terms get so skewed in Microsoft's favour that even in
the very small market for "PCs sold with operating systems other than
Windows," the manufacturer still needs to make it possible to install
Windows?

Crucially:

*"[Canonical] plan[s] to drop GRUB 2 on Secure Boot systems, in favor of
another bootloader with a different license that lacks GPLv3’s protections
for user freedom. Their stated concern is that someone might ship an Ubuntu
Certified machine with Restricted Boot (where the user cannot disable it).
In order to comply with GPLv3, Ubuntu thinks it would then have to divulge
its private key so that users could sign and install modified software on
the restricted system.*

*"This fear is unfounded and based on a misunderstanding of GPLv3. ... In
such situations, the computer distributor – not Canonical or Ubuntu – would
be the one responsible for providing the information necessary for users to
run modified versions of the software."*

I agree with the FSF here and I think their point is very important.
The *entire
point* of the GPLv3 and GRUB 2's usage of it (GRUB is owned by the FSF) was
to prevent *precisely* this problem: a computer manufacturer distributing a
Restricted Boot device that prevents the user from modifying the installed
software. If Ubuntu uses GRUB 2, they do not put themselves in danger, and
send a clear message to computer manufacturers: *if you distribute a
computer pre-installed with Ubuntu and prevent users from disabling Secure
Boot, then you violate the license.* If Ubuntu switches to a less
restrictive boot loader, then they send an equally clear message: *feel
free to restrict our users' freedom to install any operating system other
than Canonical's official Ubuntu or Microsoft Windows.*
___
Free-software-melb mailing list
Free-software-melb@lists.softwarefreedom.com.au
http://lists.softwarefreedom.com.au/cgi-bin/mailman/listinfo/free-software-melb