Jim Henderson wrote:
On Fri, 08 Jun 2012 08:33:49 +0200, Per Jessen wrote:
It seems reasonable that CRLs could be retrieved and hardware/firmware updated with an appropriate utility running when the system is up, but OTOH, revoking a certificate in this context seems to be a potentially really dangerous move - disable hundreds-of-thousands of PCs in one fell swoop.
I don't know that we have individually compiled kernels out there that are used on hundreds of thousands of PCs. We'd be talking about (potentially) the users of an individual build service repo.
Sorry, I must have missed the context.
But certainly having a certificate revoked has the potential to render a system unbootable, if the CRL does get updated (and we should find out rather than hypothesize about how that works).
A CRL is typically only valid for e.g. 30 days, some systems (MS Exchange for instance) will not work unless they have a valid CRL. I guess the UEFI spec has a section on the importance/use of CRLs.
Wrt $SUBJ, I see no problem in the fee itself - if that's what it takes to work on this new hardware without having to disable the secure-whatever. Let us not lose sight of that - as far as I understand, we're not looking to utilize whatever it is UEFI provides, we're only looking to help newbies and other converts overcome an initial hurdle that would otherwise make them go elsewhere.
The fee is pennies per installed system (if that), and yeah, I think we should for the distribution just handle it. But beyond the distro, I think it's important to understand the ramifications to systems like OBS and Studio and deal with that as well. That's probably a bigger issue to deal with than the releases of openSUSE with 'official' kernels.
Perhaps users of those could just disable the UEFI secure functionality? I appreciate that dual-booting Windows8 would be an issue, but maybe it would be worth looking at the user or system "demographics" - to gauge the impact.
--
Per Jessen, Zürich (17.2°C)