On Mon, Jun 25, 2012 at 9:01 PM, Michael Chang
As one of the guys AJ mentioned who is working on the issue, I could tell that two basic principles for openSUSE
[snip]
2. Be equal or friendly with other distribution That means the solution has to align with what most other distribution be able to choose and would allow co-operate with them. This implies the windows signing service would be used as it's an fair offer for all with a universal key installed. Until there's another signing authority recommended by uefi forum, this is the only possible way to go.
The Fedora proposal, presumably blessed by Red Hat, seems radically different from the Ubuntu proposal, presumably blessed by Canonical. So is there a "middle ground" between the two that would be friendly to both?
I think the decision would be Fedroa's proposed solution, that is we have a first stage bootloader signed by Microsoft signing service and a second stage bootloader signed by us, thus we can avoid to integrate Ms signing process to our infrastructure (OBS or whatever) as it's painful (a *real living person* is involved to authenticate) and we still have flexibilities for signing our bootlo.
I'm a big fan of simplicity - as in "do the simplest thing that will work". There are an awful lot of "moving parts" here. There's the firmware, the boot-sector-resident code, the rest of the bootloader, the initrd and the kernel just to get to the point where all the other miscellaneous code running as a privileged user gets into RAM. After *that* is all accomplished, *then* all the userspace stuff can happen. [snip] Is there a way to eliminate a few layers of complexity? Operating systems are supposed to be *simple*. Linus has complained about "bloat", I know, but the hardware keeps getting better and things like a provably secure microkernel running Linux as a guest aren't as farfetched on a 2012-vintage quad-core x86_64 as they were on a 386. -- Twitter: http://twitter.com/znmeb Computational Journalism Server http://j.mp/compjournoserver Data is the new coal - abundant, dirty and difficult to mine. -- To unsubscribe, e-mail: opensuse-project+unsubscribe@opensuse.org To contact the owner, email: opensuse-project+owner@opensuse.org