From owner-freebsd-questions@FreeBSD.ORG Wed Jun 6 12:23:25 2012 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 4549A1065674 for ; Wed, 6 Jun 2012 12:23:25 +0000 (UTC) (envelope-from ml@my.gd) Received: from mail-ee0-f54.google.com (mail-ee0-f54.google.com [74.125.83.54]) by mx1.freebsd.org (Postfix) with ESMTP id C5FB68FC19 for ; Wed, 6 Jun 2012 12:23:24 +0000 (UTC) Received: by eeke49 with SMTP id e49so2546556eek.13 for ; Wed, 06 Jun 2012 05:23:23 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding :x-gm-message-state; bh=5Il52+MXH43HfTjCH4jbic/quwL0SqMtnk6cfAwM2MA=; b=WGjPtelq3vKtGtZmqiJbC9WT8AO5enyHedK9ywlYYg2q0ZwBbWbSR0+X0mkgkMOw96 To/BUCKQRcpU5fmi05w9538PrpbfUdjgZxUwILZYcSVa9T9Zyo/zYWBhF46QsXIw7eQQ ywyYWIjNzasBeBfWFxDBbAq/hoSYqNJ4V//z/9vTT+ijn3MknO9I1mXj9t7svU5YIncI dD4MSBcReX42gmMbOl0N0Fry63xRsuH/m108DmR6nQwZiAgF3TL1CRJ5daIDXvlw9xps gPuGdA6oG8Nl4eqNTbiviK8qC1iObanvrES1hb/zE8YzoTXPJUuuN/szlNLB7YCPJPgj qrgA== Received: by 10.14.28.130 with SMTP id g2mr9207780eea.131.1338985402920; Wed, 06 Jun 2012 05:23:22 -0700 (PDT) Received: from dfleuriot-at-hi-media.com ([83.167.62.196]) by mx.google.com with ESMTPS id n52sm5849591eeh.9.2012.06.06.05.23.21 (version=SSLv3 cipher=OTHER); Wed, 06 Jun 2012 05:23:22 -0700 (PDT) Message-ID: <4FCF4BB8.8040703@my.gd> Date: Wed, 06 Jun 2012 14:23:20 +0200 From: Damien Fleuriot User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:12.0) Gecko/20120428 Thunderbird/12.0.1 MIME-Version: 1.0 To: freebsd-questions@freebsd.org References: <20120605203717.5663bdf7.freebsd@edvax.de> <20120605181055.4af65fdb@scorpio> <4FCF0772.8000609@FreeBSD.org> In-Reply-To: <4FCF0772.8000609@FreeBSD.org> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-Gm-Message-State: ALoCoQmwcsVDUtpbpx0kzIxQ2jFx/mtEHmSoOsNOYlh9QHFPcrYlqlo86zeiulaaGcChMAbn7zbd Subject: Re: Is this something we (as consumers of FreeBSD) need to be aware of? X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 06 Jun 2012 12:23:25 -0000 On 6/6/12 9:32 AM, Matthew Seaman wrote: > On 05/06/2012 23:10, Jerry wrote: >> I thought this URL also shown >> above, answered that question. > > Signing bootloaders and kernels etc. seems superficially like a good > idea to me. However, instant reaction is that this is definitely *not* > something that Microsoft should be in charge of. Some neutral[*] body > without any commercial interests should do that job, and > bootloader/kernel signing should be freely available. > > On deeper thought though, the whole idea appears completely unworkable. > It means that you will not be able to compile your own kernel or > drivers unless you have access to a signing key. As building your own > is pretty fundamental to the FreeBSD project, the logical consequence is > that FreeBSD source should come with a signing key for anyone to use. > > Which completely abrogates the whole point of signing > bootloaders/kernels in the first place: anyone wishing to create malware > would be able to sign whatever they want using such a key. It's > DRM-level stupidity all over again. > > My conclusion: boycott products, manufacturers and/or OSes that > participate in this scheme. FreeBSD alone won't make any real > difference to manufacturers, but I hope there is still enough of the > original spirit of freedom within the Linux camp, and perhaps from > Google/android to make an impact. > > I'm pretty sure there can be a way of whitelisting bootloaders and so > forth to help prevent low-level malware, but this isn't it. > > Cheers, > > Matthew > > [*] I suggest ICANN might be the right sort of organization to fulfil > this role. > I agree with the whole post except that last bit about ICANN Matthew. The US already has enough dominance as is, without involving ICANN, a supposedly neutral body (yeah right...) any further.