I am appalled.
Posted Jun 6, 2012 18:50 UTC (Wed) by ebiederm (subscriber, #35028)
Parent article: Fedora, secure boot, and an insecure future
If you aren't installing the keys into UEFI that you trust and removing/revoking the keys that you don't trust, this is in no sense limiting a system to its desired function by the owner of the device.
Frankly, the proposed system would make the computer completely unworkable to me.
There might be an excuse for doing something like this after the distribution has been reengineered such that all of the needed policy and controls are in place to make the guarantees you want to make, and the only thing that would change in the magic UEFI secure boot mode would be the key you sign the bootloader with. Making using UEFI with the Microsoft key as a fallback solution for those days when you just can't install a key of the administrator's choosing.
However, doing this simply to get the hands of more people doing a half-baked job of locking down the software is ridiculous. If you don't give people freedom to run the software of their choosing when being evangelical about free software, and instead stick them with a system where they can only run Fedora's latest bugs, I hardly see how that will improve the user experience.
Posted Jun 6, 2012 19:06 UTC (Wed) by pjones (subscriber, #31722)
You are firmly still "in charge". You can install your own keys, and you can disable this feature altogether in the firmware. On x86, nobody is stopping you from that.
ARM Client machines are a different story. On Windows logo-bearing ARM client machines, you are not in control. That's why we've said we don't intend to support this functionality on ARM.