On Fri, 08 Jun 2012 08:33:49 +0200, Per Jessen wrote:
It seems reasonable that CRLs could be retrieved and hardware/firmware updated with an appropriate utility running when the system is up, but OTOH, revoking a certificate in this context seems to be a potentially really dangerous move - disable hundreds-of-thousands of PCs in one fell swoop.
I don't know that we have individually compiled kernels out there that are used on hundreds of thousands of PCs. We'd be talking about (potentially) the users of an individual build service repo. But certainly having a certificate revoked has the potential to render a system unbootable, if the CRL does get updated (and we should find out rather than hypothesize about how that works. Unfortuntely, the closest I get to UEFI on any of my systems is in VirtualBox, and I'm not sure how to enable secure boot yet).
Wrt to $SUBJ, I see no problem in the fee itself - if that's what it takes to work on this new hardware without having to disable the secure-whatever. Let us not lose sight of that - as far as I understand, we're not looking to utilize whatever it is UEFI provides, we're only looking to help newbies and other converts overcome an initial hurdle that would otherwise make them go elsewhere.
The fee is pennies per installed system (if that), and yeah, I think we should for the distribution just handle it. But beyond the distro, I think it's important to understand the ramifications to systems like OBS and Studio and deal with that as well. That's probably a bigger issue to deal with than the releases of openSUSE with 'official' kernels. Jim -- Jim Henderson Please keep on-topic replies on the list so everyone benefits -- To unsubscribe, e-mail: opensuse-project+unsubscribe@opensuse.org To contact the owner, email: opensuse-project+owner@opensuse.org