On 2012-06-06 11:04:14 (-0500), Bryen M Yunashko wrote:
On Wed, 2012-06-06 at 16:31 +0200, oldcpu wrote:
Pony up the $99 would be my view also, although that worries me. Can we be certain this will be a one time $99 fee and not an 'in for a penny, in for a pound' type rabbit hole?
out there, it seems that the $99 wouldn't be a one-time thing, or I'd say just pay it and let's get on with our lives.
If I'm reading correctly, kernel variations and even customized images created with SUSEStudio might be affected. Maybe I'm wrong, but if I'm reading it right, this is a $99 tax on anyone who wants to create custom images.
That said, if we can't get around it, I guess we have to figure out how to deal with it head on. That's what we should be discussing here on the Project ML. How to "react" to this from a political or social position. But if there's an actual technical solution, then it probably should be discussed on -Factory ML.
For as far as I've skimmed over the UEFI boot topic, the deal is to actually have one of the vendors who have their CA certificate in the PC vendors' trust store to sign images.

It seems to me to be essentially the same as when you want a TLS certificate for e.g. doing HTTPS: you send a request to a root CA (Certificate Authority) (such as Verisign, Thawte, ...), pay a fee, and they send you back your certificate, signed by them.

In the same way as e.g. Verisign's CA certificate (which is used to verify that _your_ certificate has been signed by their private key) is included in all the CA certificate bundles (by Mozilla for Firefox, by Google for Chrome, by Opera for Opera, for the operating system, ...), Microsoft's CA certificate (or its technical equivalent in UEFI) is included and, hence, trusted, by hardware vendors.

I don't know whether there are other CAs that can be asked to sign our openSUSE release images though.

So, about "one time or not": it is one time for each openSUSE release image we want to be installable on hardware that uses UEFI.

For custom images, such as those created by SUSE Studio, it's toast, indeed. Haven't checked the details about what is verified by the UEFI bootstrap though.

(For those who want details about how the signing and CA stuff works, read up on X.509, PKI and asymmetric cryptography (such as RSA or ECC).)

cheers
--
  -o) Pascal Bleser
  /\\ http://opensuse.org -- we haz green
 _\_v http://fosdem.org -- we haz conf
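The trust relationship described in the message above, as an added example that is not part of the original thread: a signature from a key in the firmware's trust store covers exactly one image, so a modified image needs its own signature from a trusted signer. It models the idea only, using textbook RSA over small fixed primes rather than the real UEFI signature format; all names, keys and image bytes are assumptions constructed for illustration.

```python
import hashlib

E = 65537  # public exponent shared by both toy keys

def make_key(p, q):
    """Textbook RSA key from two primes: (public modulus n, private exponent d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(image, n):
    """SHA-256 of the image bytes, reduced into the signer's modulus."""
    return int.from_bytes(hashlib.sha256(image).digest(), "big") % n

def sign(image, key):
    n, d = key
    return pow(digest(image, n), d, n)

def firmware_accepts(image, signature, signer_n, trust_store):
    """Accept only a trusted signer whose signature covers exactly these bytes."""
    if signer_n not in trust_store:
        return False
    return pow(signature, E, signer_n) == digest(image, signer_n)

# Constructed keys from known Mersenne primes (far too small for real use).
VENDOR_CA = make_key(2**127 - 1, 2**107 - 1)  # its public part ships in firmware
OWN_KEY = make_key(2**89 - 1, 2**61 - 1)      # a key we generated ourselves
TRUST_STORE = {VENDOR_CA[0]}

# Constructed sample images.
RELEASE = b"openSUSE release image (sample bytes)"
CUSTOM = RELEASE + b" + custom kernel"

def scenarios():
    """Run the four cases from the discussion and report which ones would boot."""
    release_sig = sign(RELEASE, VENDOR_CA)
    ca = VENDOR_CA[0]
    return {
        "release, CA-signed": firmware_accepts(RELEASE, release_sig, ca, TRUST_STORE),
        "custom, reusing release signature": firmware_accepts(CUSTOM, release_sig, ca, TRUST_STORE),
        "custom, self-signed": firmware_accepts(CUSTOM, sign(CUSTOM, OWN_KEY), OWN_KEY[0], TRUST_STORE),
        "custom, CA-signed again": firmware_accepts(CUSTOM, sign(CUSTOM, VENDOR_CA), ca, TRUST_STORE),
    }

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'boots' if ok else 'rejected'}")
```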