On Fri, Jun 15, 2012 at 12:50 AM, Duncan <1i5t5.duncan@×××.net> wrote:

> Greg KH posted on Thu, 14 Jun 2012 21:28:10 -0700 as excerpted:
>
> > So, anyone been thinking about this? I have, and it's not pretty.
> >
> > Should I worry about this and how it affects Gentoo, or not worry about
> > Gentoo right now and just focus on the other issues?
> >
> > Minor details like, "do we have a 'company' that can pay Microsoft to
> > sign our bootloader?" is one aspect from the non-technical side that
> > I've been wondering about.
>
> I've been following developments and wondering a bit about this myself.
>
> I had concluded that at least for x86/amd64, where MS is mandating a user
> controlled disable-signed-checking option, gentoo shouldn't have a
> problem. Other than updating the handbook to accommodate UEFI,
> presumably along with the grub2 stabilization, I believe we're fine as if
> a user can't figure out how to disable that option on their (x86/amd64)
> platform, they're hardly likely to be a good match for gentoo in any case.
>
> ARM and etc could be more problematic since MS is mandating no-unlock
> there, last I read. I have no clue how they can get away with that
> anti-trust-wise, but anyway... But I honestly don't know enough about other
> than x86/amd64 platforms to worry about it, personally.
>

For the short term, we don't have many options besides either adding to the
documentation that the User needs to disable UEFI or wipe the current valid
keys and add their own (Devs may need to make sure there's a way to do
this on the livecd). Of course there's the third option of everyone
purchasing a key from Verisign but....

As for non-x86 systems, Gentoo is in between a rock and a hard place. I
hope there will be a similar mechanism for the user to implement their own
valid key chain and remove Microsoft's, but who knows. The devs and we
need to decide on a uniform way of handling this situation.

- Matt