Ubuntu Can't Trust FSF's Secure Boot Solution
sfcrazy writes "The Free Software Foundation recently published a whitepaper criticizing Ubuntu's move to drop Grub 2 in order to support Microsoft's UEFI Secure Boot. The FSF also recommended that Ubuntu should reconsider their decision. Ubuntu's charismatic chief, Mark Shuttleworth, has responded to the situation during an interview, and explained the reason they won't change their stand on dropping Grub 2 from Ubuntu. Shuttleworth said, 'The SFLC advice to us was that the FSF could require key disclosure if some OEM screwed up. As nice as it is that someone at the FSF says they would not, we have to plan for a world where leaders change and institutional priorities change. The FSF wrote a licence that would give them the rights to take specific actions, and it's hard for them to argue they never would!'"
"The SFLC advice to us was that the FSF could require key disclosure if some OEM screwed up."
So in other words they're anticipating not only that OEMs are going to accidentally or intentionally ship machines running Ubuntu that are locked down so that you cannot boot your own kernels on them but also that they won't be able to convince the OEMs to fix their broken BIOSes to allow users to run their own code. By not using GRUB2 they ensure that said OEMs would have no legal obligations to allow you to run the code you wanted on the PC you'd just bought.
Because:
1. Once the technology is deployed, it requires only altering one line of a contract to kill linux on the desktop.
2. Because being able to ensure the OS hasn't been tampered with by the hardware owner is vital for any attempt to make effective DRM schemes.
It seems to me that Canonical is missing the bigger piece -- which is that the vibrancy of Ubuntu depends on the wider vibrancy of Linux. If Ubuntu jumps into Microsoft's lifeboat and leaves the rest of the GNU/Linux community to sink or swim, Canonical is ultimately slitting their own throat slowly.
Trusting Microsoft over the FSF seems foolhardy at best.
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
Everyone knows the Free Software Foundation cannot be trusted, but Microsoft can.
I just got back from vacation...did the universe invert while I was away?
If the only thing keeping this secure
Secure from what? The goal is not to secure you from a bootloader virus; I doubt that was discussed for more than five minutes while this system was being designed. The goal is to secure DRM systems from you, the user, because of what happened with DVDs and deCSS, what happens with software cracking tools, etc. The goal is to turn PCs into iPads.
This is a trap, designed to rob you of the freedom you have right now, which as it so happens is the freedom that PCs were meant to provide in the first place.
Palm trees and 8
"The SFLC advice to us was that the FSF could require key disclosure if some OEM screwed up."
Yes! Yes, they could - because it would mean that the OEM had "accidentally" taken away the user's right to do whatever the fuck they want with hardware bought and paid for by that user. And I have no problem with requiring key disclosure in that situation.
Look, Shuttles, we get the idea that you want every bit as much control over Ubuntu as Microsoft has over Windows, and UEFI has the potential to finally fulfill your little wet dream there. You seem to have overestimated your importance in the Linux world, however - if you won't honor the spirit of "free" software, we'll simply use a distro that does.
"As nice as it is that someone at the FSF says they would not, we have to plan for a world where leaders change and institutional priorities change"
As nice as it is that someone at Microsoft says they will sell $99 keys, we have to plan for a world where leaders change and institutional priorities change
When the copyright term is "forever minus a day", live every day like it's the last.
If I don't have the keys to my computer, it's not mine.
RMS's The Right to Read looks less and less paranoid all the time.
Geez, ten years isn't that long, have you folks forgotten already?
Two weeks after 9/11 the USA PATRIOT Act was highly controversial, despite the recent attack, and had sunset provisions.
Ten years later, it's renewed without any real debate.
"Keep us safe from the terr^H^H^H^H rootkits". In both cases the power-hungry gladly assume additional control and remove freedoms.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Except that Canonical is in a position to demand that EFI boot restrictions be disabled by default. That does not seem to have entered the picture, because they do not care about user freedom. I disagree equally with Fedora's approach, because I personally switched away from Fedora when I disagreed with some changes they made, and this boot restriction system will make that harder to do.
Now is the time to fight back, not compromise. Bootloader restrictions are a direct attack on free software and user freedom, and the response by Canonical and the Fedora project has been to just lie down and accept that attack.
Palm trees and 8
Boot sector virus is not the target, to be fair.
It's to prevent loading a compromised kernel image. A signed boot-loader chain will only load if uncompromisable with cryptographically verified signatures and checksums.
But this is not the threat to most users, most of the time.
And? If they are dumb or mistaken enough to get an infection that will compromise their OS image and ring-0 loadable software, they are going to be compromised in OTHER WAYS that will NEVER touch the system image. Secure system boot is a good way to protect a boot-loader for encrypted volumes - but not even needed for this to be effective.
It is a security chimera - with more opportunity for mistakes and misuse than protection.
"Flyin' in just a sweet place,
Never been known to fail..."
That’s why I prefer contributing to GPL projects over non-copyleft: I know that helps the fight for a world in which all computer users have the 4 freedoms.
Canonical decided that they no longer care about that which made their founder rich.
GPLv3 just closes some loopholes, so I prefer v3 over v2: more measures to ensure my freedom in the cases where I am a mere user (98% of all the software I interact with).