| 1 |
On Fri, Jun 15, 2012 at 12:50 AM, Duncan <1i5t5.duncan@×××.net> wrote: |
| 2 |
|
| 3 |
> Greg KH posted on Thu, 14 Jun 2012 21:28:10 -0700 as excerpted: |
| 4 |
> |
| 5 |
> > So, anyone been thinking about this? I have, and it's not pretty. |
| 6 |
> > |
| 7 |
> > Should I worry about this and how it affects Gentoo, or not worry about |
| 8 |
> > Gentoo right now and just focus on the other issues? |
| 9 |
> > |
| 10 |
> > Minor details like, "do we have a 'company' that can pay Microsoft to |
| 11 |
> > sign our bootloader?" is one aspect from the non-technical side that |
| 12 |
> > I've been wondering about. |
| 13 |
> |
| 14 |
> I've been following developments and wondering a bit about this myself. |
| 15 |
> |
| 16 |
> I had concluded that at least for x86/amd64, where MS is mandating a user |
| 17 |
> controlled disable-signed-checking option, gentoo shouldn't have a |
| 18 |
> problem. Other than updating the handbook to accommodate UEFI, |
| 19 |
> presumably along with the grub2 stabilization, I believe we're fine as if |
| 20 |
> a user can't figure out how to disable that option on their (x86/amd64) |
| 21 |
> platform, they're hardly likely to be a good match for gentoo in any case. |
| 22 |
> |
| 23 |
> ARM and etc could be more problematic since MS is mandating no-unlock |
| 24 |
> there, last I read. I have no clue how they can get away with that anti- |
| 25 |
> trust-wise, but anyway... But I honestly don't know enough about other |
| 26 |
> than x86/amd64 platforms to worry about it, personally. |
| 27 |
> |
| 28 |
|
| 29 |
For the short term, we don't have many options beside either adding to the |
| 30 |
documentation that the User needs to disable UEFI or wipe the current valid |
| 31 |
keys and adding their own (Devs may need to make sure there's a way to do |
| 32 |
this on the livecd). Of course there's the third option of everyone |
| 33 |
purchasing a key from Verisign but.... |
| 34 |
|
| 35 |
As for non-x86 systems, Gentoo is in between a rock and a hard place. I |
| 36 |
hope there will be a similar mechanism for the user to implement their own |
| 37 |
valid key chain and remove Microsofts, but who knows. The the devs and we |
| 38 |
need to decide on a uniform way of handling this situation. |
| 39 |
|
| 40 |
- Matt |
Archives