Slashdot Mirror
Ubuntu Can't Trust FSF's Secure Boot Solution
sfcrazy writes "The Free Software Foundation recently published a whitepaper criticizing Ubuntu's move to drop Grub 2 in order to support Microsoft's UEFI Secure Boot. The FSF also recommended that Ubuntu should reconsider their decision. Ubuntu's charismatic chief, Mark Shuttleworth, has responded to the situation during an interview, and explained the reason they won't change their stand on dropping Grub 2 from Ubuntu. Shuttleworth said, 'The SFLC advice to us was that the FSF could require key disclosure if some OEM screwed up. As nice as it is that someone at the FSF says they would not, we have to plan for a world where leaders change and institutional priorities change. The FSF wrote a licence that would give them the rights to take specific actions, and it's hard for them to argue they never would!'"
While FSF just tries to fight their ideological war, Ubuntu takes less hard road and understands why Microsoft needs to employ secure boot. Good for them, and better for Linux.
The SFLC advice to us was that the FSF could require key disclosure if some OEM screwed up.
So in other words they're anticipating not only that OEMs are going to accidentally or intentionally ship machines running Ubuntu that are locked down so that you cannot boot your own kernels on them but also that they won't be able to convince the OEMs to fix their broken BIOSes to allow users to run their own code. By not using GRUB2 they ensure that said OEMs would have no legal obligations to allow you to run the code you wanted on the PC you'd just bought.
Not having a newer grub might suck in some regards but it appears as though they are looking out for our best interest here. If the only thing keeping this secure is a companies 'promise' they wont ever take action, then I'd have to agree with Ubuntu.
http://interserver.net/
Grub2 is an epic piece of shit anyway.
Give me Classic Slashdot or give me death!
I know this is offtopic, but just a quick request to the powers that be. I tried installing Ubuntu a while back, and 'Grub' not only made Ubuntu boot by defaut, but also wouldn't allow any easy way for to change that to Windows. In addition to that, uninstalling Grub proved to be very cumbersome.
I'm sure many would be far less patient than me, so it may help perceptions of Linux/Ubuntu if some of the basics were in place.
Why OpalCalc is the best Windows calc
Wow. Who knew Canonical had astroturfers? Either that or apologists.
First five posts on this article were all "FSF sucks, Ubuntu knows our Hearts! 3".
Serious Sandwich, aka Bonch, Sharklaser, Tech* etc is one of a number of sockpuppet accounts established and maintained by Burson Marsteller on behalf of Microsoft.
Their presence in this discussion means comments and moderation will be slanted to emphasize their client's viewpoint.
Treat all commenters in this discussion with suspicion and derision. Do not post or reply to posts yourself.
It seems to me that Canonical is missing the bigger piece -- which is that the vibrancy of Ubuntu depends on the wider vibrancy of Linux. If Ubuntu jumps into Microsoft's lifeboat and leaves the rest of the GNU/Linux community to sink or swim, Canonical is ultimately slitting their own throat slowly.
Trusting Microsoft over the FSF seems foolhardy at best.
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
There have been a whole bunch of bugs filed against a "feature" of the new Ubuntu UI, which Ubuntu refuses to fix. I was considering writing a patch myself but then decided to just go with a different distro. I'm just about to evaluate the available new choices.
If one enlarges any one window so that it is more then I think 80% of the total size of the screen, from then on all new windows from that same application appear maximized. The even cover up the menu bar on the top and the dock on the left.
What that means to me is that I cannot use most of the screen on my laptop, because after that any new windows will obscure all the other windows that I wanted to be able to view in the background.
Michael David Crawford, who can't be bothered to recover his password.
If I can't boot linux on a motherboard, I return the motherboard. Its an anti-trust issue. A single motherboard can kill some village idiot outfit like mickeysoft. The FSF is correct. Grub2 is brand new, and works perfectly. Shills and luddites who argue otherwise are brainless pieces of shit. Microsoft needs to die anyway.
The expect that an OEM may screw up. In that case, their current solution will still allow users to run their own code except for the bootloader itself.
But if they used a GPLv3 bootloader, they have received advice that they might have to reveal the key when the OEM screws up, because that would be necessary for someone to provide their own bootloader.
Far better to not chance it and just avoid the GPLv3 for something that actually has a free license, rather than the significant impositions that GPLv3 attempts to impose in the name of the FSF's particular vision of "freedom".
Test your net with Netalyzr
Part of the vision is that you should buy a Ubuntu system, right? In this case, Canonical is working with the OEMs to produce a certified system.
Thus if one of the OEMs screws up, Canonical does have a relationship with the product, as provider of the software, and may, under the GPLv3's "anti-TiVoization" clause, have to provide the signing key.
This is "Better to avoid the problem altogether"
Test your net with Netalyzr
I'm sure the SFLC did tell him that a mistake by an OEM could force disclosure of the signing key. But notice he doesn't say explicitly that they told him it could force disclosure of Canonical's signing key. That's because I'm pretty sure they didn't tell him that. Think about it. The logic here is that an action that breaches the GPLv3 by a downstream distributor (the OEM) could force the upstream to correct the breach. Now, suppose I put that in the context of code: I distribute a GPLv3'd piece of software, you receive it from me, modify it and distribute the modified version. If Shuttleworth's argument is correct, then I am in breach of the GPLv3 because I'm not distributing the source code to your modifications as required by the GPLv3. But that's obvious nonsense, since I'm only required to distribute the source code to the software I'm distributing and I'm not distributing your modifications at all. Only you're doing that, and the only way you can pass your obligations back to me is if you're me in the legal sense (ie. a wholly-owned subsidiary company or a division of my company) or if I've signed a contract with you to take on those obligations for you.
So I suspect that while Canonical would be required to distribute any tools needed to create signed bootloaders and the keys needed for the BIOS to boot them, unless they're distributing the actual hardware it'd be on the OEM (who selected the hardware) to take any steps necessary to comply with the GPLv3 as regards the hardware (ie. either choose a BIOS that allowed keys to be enrolled or Secure Boot to be disabled, or distribute their own signing keys). Of course that could place the OEMs in a bind: if they used Canonical's signed binaries and keys then the OEM would be obliged to provide the signing key, but Canonical is not obliged to provide it to them. Which I think is exactly the situation the FSF desires: OEMs placed in a position where to use a very desirable bit of software in their equipment requires selecting a BIOS that permits user control over the Secure Boot process and keys.
The expect that an OEM may screw up. In that case, their current solution will still allow users to run their own code except for the bootloader itself.
In other words, what we had with OtherOS on the PS3.
But if they used a GPLv3 bootloader, they have received advice that they might have to reveal the key when the OEM screws up, because that would be necessary for someone to provide their own bootloader.
How is that a bad thing? This is not a key that is used to protect military secrets, it's a key that serves exactly one purpose: to prevent people from running modified software.
Far better to not chance it and just avoid the GPLv3 for something that actually has a free license, rather than the significant impositions that GPLv3 attempts to impose in the name of the FSF's particular vision of "freedom".
Your freedom to throw punches ends where my face begins. My freedom to install software on my computer is not less important than some OEM's freedom to restrict what software runs on their products.
Palm trees and 8
AKA Drinkypoo, erris, mactrope, etc. on behalf of the communist website Techrights AKA Boycott Novell.
Far better to not chance it and just avoid the GPLv3 for something that actually has a free license, rather than the significant impositions that GPLv3 attempts to impose in the name of the FSF's particular vision of "freedom".
The "freedom" to actually be able to run the software you want on the computer you bought? You're right, they suck.
The SFLC advice to us was that the FSF could require key disclosure if some OEM screwed up.
Yes! Yes, they could - Because it would mean that the OEM had "accidentally" taken away the user's right to do whatever the fuck they want with hardware bought and paid for by that user. And I have no problem with requiring key disclosure in that situation.
Look, Shuttles, we get the idea that you want every bit as much control over Ubuntu as Microsoft has over Windows, and UEFI has the potential to finally fulfill your little wet dream there. You seem to have overestimated your importance in the Linux world, however - If you won't honor the spirit of "free" software, we'll simply use a distro that does.
I chose it because I could see the sources, update as I see fit, build as I see fit and be able to do a build without clobbering all my installed software.
So why would I suddenly want to chose a closed source Microsoft solution? This is the company, whose practices since 1995 are the major reason why we have malware, viruses and worms.
Such great vision from the start, nobody would even think to remotely try to control your computer, right?
As a mainframe admin I was charged with keeping sneaky bastages out all the time, why didn't Microsoft believe this sort of thing could happen on a PC? To this day they still have gaping holes in security and their transparency is a thing of fantasy.
A feeling of having made the same mistake before: Deja Foobar
As nice as it is that someone at the FSF says they would not, we have to plan for a world where leaders change and institutional priorities change
As nice as it is that someone at Microsoft says they will sell $99 keys, we have to plan for a world where leaders change and institutional priorities change
When the copyright term is "forever minus a day", live every day like it's the last.
How is revealing the key bad?
Well, how about that it would be revoked! Having the key would allow one to subvert Secure Boot on windows systems, so you can bet dollars-to-doughnuts that if Canonical had to release its key, Microsoft would revoke Canonical's key.
Test your net with Netalyzr
Go the Mozilla way: Make deals with Google so you can build an open web. Don't listen to the voices from the cobwebs that speak a lot but don't deliver a usable product. Freedom is good only if it allows me to swim in it.
Screw you Ubuntu. Screw you Shuttleworth. Screw you Canonical.
You exploit the hell out of Debian and free software in general, and what do you give back?
Speaking of leaders changing, when is Shuttleworth's time going to be over so that some sense and honour can be brought into THAT organization?
Intel had the bright idea back in the nineties and it was soundly rejected; Intel got a lot of bad publicity and backed off. Then MS came up with "Palladium" ten years ago and it, too, was soundly rejected and MS got yet another black eye.
WTF, people?? FIGHT THIS MADNESS!! This is yet another round of MS's war against all other OSes. This is MS wanting to control YOUR computer. This has no upsides whatever, and is all bad.
Gees, ten years isn't that long, have you folks forgotten already?
Free Martian Whores!
Couldn't agree more. "We insist you write us a blank check, just in case we need it. We won't abuse it. We promise!"
No. Blank checks get abuse, pretty much always. It's difficult to find examples of where abusable rights were given and then later did not go on to get abused at least once. (and sometimes as a matter of policy) It's also sadly entertaining to watch how they tend to fight you when you try to add in anti-abuse clauses, things that make you go "hmmmmm...."
Good call, Shuttleworth. Stand your ground.
I work for the Department of Redundancy Department.
Otherwise, they are just legitimizing an attack on user freedoms, despite being the maintainers of the most popular GNU/Linux distribution out there (and despite the fact that those very freedoms are what enabled their entire operation).
Palm trees and 8
Except that key disclosure would cause a lot of harm.
Canonical's solution still allows you to run all your own code except the bootloader in this case. Since the bootloader itself is not locked down, you can boot anything from the bootloader.
But if they had to disclose the key, then this means Microsoft has to revoke Canonical's key, because that key would allow subverting Window's secure boot model, and now it can't be used to install without requiring user EFI reconfiguration on any PC that includes Canonical's key in its revocation list.
Test your net with Netalyzr
Anybody heard any reaction from the antitrust authorities?
US would probably remain mum, but I do not think EU would accept the OEM lockdown by convicted monopolist that readily.
Yes, there are security concerns, but they are negligible compared to the power grab by the convicted monopolist.
All hope abandon ye who enter here.
Which is a greater attack on user freedom?
a) Not being able to change the bootloader?
b) Not being able to install on new systems without changing EFI settings because the signing key got revoked?
Canonical chose "A". Fedora chose A, too, btw, because they didn't sign grub, but built a "pre-bootloader-bootloader" to load Grub.
Test your net with Netalyzr
I wopiudl be interested in the naive idea that users shouidl be able to turn secure boot on and off. So if it's off, no Windows but other OSes could boot. On, and Windows would boot, but other OSes may or may not.
Then, if I choose to NOT use Windows, I'm in a much simpler reality.
Of course, I'm certain this cannot work. Darn.
deleting the extra space after periods so i can stay relevant, yeah.
But if they had to disclose the key, then this means Microsoft has to revoke Canonical's key, because that key would allow subverting Window's secure boot model, and now it can't be used to install without requiring user EFI reconfiguration on any PC that includes Canonical's key in its revocation list.
Then maybe Microsoft shouldn't have picked such a fscked-up security model.
Ask yourself, what percentage of a system's time and lifecycle are spent in boot? What percentage of the binary runtime image is loaded in this process?
"Secure boot" is FAKE SECURITY whose ACTUAL risk is GREATER than its SUPPOSED benefit. Lock boot images, and the real security problems for persisting on a host and hiding activity will only move to the next rung on this ladder.
The only thing "Secured" is vendor lock-in.
Sure, you can detect a compromised kernel at boottime. That is a FRACTIONAL coutermeasure, to actual risk. EVERY driver and ring-0 loadable module needs also to be signed. It's bullsht, in the real computing world - unless you have an XBox or iPad model.
"Flyin' in just a sweet place,
Never been known to fail..."
Except that Canonical is in a position to demand that EFI boot restrictions be disabled by default. That does not seem to have entered the picture, because they do not care about user freedom. I disagree equally with Fedora's approach, because I personally switched away from Fedora when I disagreed with some changes they made, and this boot restriction system will make that harder to do.
Now is the time to fight back, not compromise. Bootloader restrictions are a direct attack on free software and user freedom, and the response by Canonical and the Fedora project has been to just lie down and accept that attack.
Palm trees and 8
It's funny how problems in MS's OSs to date have been, well,
MSs poor architecture problem, but yet are pushed off as the user's fault.
And, have all surfaced since Ballmer took the helm. A coincidence, not really.
And now innocent Linux users are being made to pay?
CAPTCHA = display
The FSF's version of freedom is equivalent to nanny-state socialism. They've basically decided that their idea of playing nice needs to be enforced by big stick, and will happily trample over anything and everything that does something they dislike.
In this particular case, Ubuntu wants to place a bootloader that will allow you to load ANY operating system, bypassing the "security" features they dislike in the new UEFI. Ubuntu wishes to ensure that users can boot any operating system they like and run any software they want. Their concern is that the GPLv3 makes provisions by which the FSF could, in this case as the owner of GRUB2, deem that a machine that won't let them replace GRUB2 with something else is in violation of the GPLv3. At that point, they can demand that Ubuntu surrender its encryption keys used to provide secure bootloader verification--which then allows anyone to sign any bootloader they want, thus negating any security features you could leverage out of the bootloader (for example, intentionally instructing it to boot only signed code--keeping the chain trusted, rather than booting a foreign OS as is the option).
The point of contention is where the FSF gets to demand Ubuntu hand over their encryption keys for this particular application because they've decided it's 'unfair' that users don't have the option to replace a bootloader. The GPLv3 is a restrictive license agreement whose provisions do in fact allow the copyright holder to make certain demands about HOW their software is used. Most people fixate on the "Free" part because you're free to distribute and modify the software; but you are also "Obligated" to publish your modifications in source form if published in any form.
The GPLv3 brings restrictions on how you can use the software, such that you must be able to modify it--the hardware you use the software on must be configured to allow the use of modified software (or any other software). 'Jailbreaking' is not a thing with GPLv3 because the vendors would have to supply a way to run custom software. If the Linux Kernel was GPLv3, then you wouldn't have to root any phones to install Cyanogenmod: vendors would be required to provide an official method for the end user to replace the software with custom versions.
The Affero versions of the GPL family of licenses go even further: if you USE a modified version of the software, you must publish its source. That means if you modify an AGPL Web server and use it to serve your Web site, you have to put up the Web server's source code. An AGPL Web application would work the same way: modify an AGPL CMS and you need to publish its source code on your Web site.
These licensing restrictions are important to understand when licensing Free software. Canonical has decided not to license GRUB2 in Ubuntu on UEFI platforms because of potential conflicts between their requirements and the requirements of fulfilling the licensing agreement in certain cases. The FSF is extremely well known for its hard-line enforcement stance and thus there is the concern that they would not negotiate to reconcile technical mistakes, but rather take advantage of them to file a hostile injunction and demand release of encryption keys. The FSF behaves in this way because they have high ideals about what's "good for everybody"--as I said, they are effectively nanny-state socialists and want to get their fingers in everything so they can make people "play nice."
In short, this is why we have many licenses. The FSF uses the GPLv3 because they have their ideals and can support them with the GPLv3 (which, by the way, was born mainly out of the FSF's distaste for locked-down TiVo platforms). Other people still use the GPLv2 because they understand what the GPLv3 entails and their ideals are dissimilar from the FSF--Linux is GPLv2 because the relevant bodies are not sharply against locked-down phones running android, something they could legally prevent with GPLv3. Similarly many people use the BSD and MIT licenses because their philosophy is, "Here is code! Somebody might find this useful!"
Support my political activism on Patreon.
CYA
Sadly.
Then IT checks the sig on Windows and tells it that "I'm the bootloader, you can trust me." and there isn't a 100% sure way to verify backwards.
For local malware: Indeed, there is no way.
In theory, the correct way to check anything in a Secure Boot environment is to ask the TPM chip.
In practice, a compromised machine might be running inside a hypervisor. All traffic to the TPM chip will be instead routed to a fake-TPM routine which sign stuff with the malware's private key, and at load time, the rogue hypervisor could patch Windows to put the malware's public key where normally the official TPM key resides.
Everytime Windows has a doubt, it will ask the TPM which will give a perfectly bogus positive answer, which will perfectly match the bogus patched in key.
For DRM: There is a way.
In this case the whole secure environment isn't only restricted to the local machine.
The streaming sever can require the compromised client to provide a proof that the machine is legit (an answer from the TPM chip "yes, I did boot only a legit version of windows" signed with the TPM key) but although the hypervisor fake-TPM can provide such an answer, it can't sign it with actual real keys that will be recognized by the streaming server.
It won't be impossible to circumvent neither, it just requires a bit more work than compromising a machine locally.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
But the mere existence of a signed but unlocked boot loader allows subverting Window's secure boot model.
Current situation: BIOS -> Rootkit -> Windows
New situation: EFI -> Unlocked Bootloader -> Rootkit -> Windows
Heck, just having unlocked Linux kernels is a threat since you should be able to modify kexec to allow you to boot Windows within Linux. (and we won't even discuss VM's)
Honestly, the only reason I'm not up in arms about this is because the whole thing seems to be so horribly mis-managed that I doubt we will have anything to worry about until at least Windows 9. (Now, the secure boot on ARM, THAT'S someplace I do take issue with M$'s policy, but no-one seems to be worrying about the implications or how to boot Linux there...)
Microsoft shill spotted! Look at his post history, especially this one:
http://slashdot.org/comments.pl?sid=2960369&cid=40564793
That's really impressive. In what world is Microsoft losing money ? They're the largest software house (and also hardware manufacturer) on planet. Everyone knows Microsoft, everyone trusts Microsoft and everyone loves Microsoft.
LMAO! Subtle!
"When information is power, privacy is freedom" - Jah-Wren Ryel
Creating a signed bootloader that can boot arbitrary Linux kernels - or even just kernels without restrictions on module loading - would subvert Secure Boot just as effectively though. Which is why I reckon they'd revoke Ubuntu's code signing key just as quickly if they didn't lock down their bootloader so that it only boots Ubuntu-signed kernels that are modified to only load Ubuntu-signed kernel modules. Basically, you can forget about installing third-party drivers or compiling your own kernels.
If you won't honor the spirit of "free" software, we'll simply use a distro that does.
I took that step several months ago as did many others.
It's better to vote for what you want and not get it than to vote for what you don't want and get it.
- E. Debs
How about we just physically set a jumper in the computer PCB, and then new keys can be loaded to the device?
It's still secure. If someone unauthorized has physical access to do that, you're screwed anyway.
It adds basically NO COST or complexity to the system.
Why not do it? Because some people want to make sure the machine you bought will be a television where you keep on paying for content all the time.
And Microsoft can go fuck themselves for abusing their monopoly by requiring ARM OEMs to lock up the machine.
"we have to plan for a world where leaders change and institutional priorities change"
Time to plan for a move away from Ubuntu. Keep the sources safe, and when it's time - fork.
The Linux kernel is GPL v2 because many, many contributions were made without the "or later" clause. Regardless of any desire to, it is legally impossible to transition to v3 without a massive auditing effort to locate and rewrite every contribution made without the "or later" clause or to locate the original authors and secure permission.
My HP Pavilion dv8 came from HP with a real crappy WiFi card (Intel 5100 AGN (Shiloh)).. In reading many forums people have been throwing these cards away and putting in ANYTHING else they can find. Unfortunately for me HP decided that they would remove that option from people that chose to by their laptops inthat they HARD CODED the PCI device signature into the system BIOS!! If you swap out the mini-PCI WiFi card with ANY other card that does not have the same PCI device signature, the system reports the error at POST and refuses to use the device!! I have no idea what kind of back door dealing went on to get HP to do this kind of thing, but given when updating the BIOS (Had to update to fix Massive ACPI Bugs!) , the only tool to update the BIOS will only run on Windows 7, I guess I should not be too surprised... I do all my work on Linux (CentOS) and my home router/firewall and my NFS server are FreeBSD. All I can say is when I to buy a new development laptop IT WILL NOT BE AN HP!
I am however real concerned that with more and more of this type of hardware and software lock in, will I end up being forced to purchase some total off-brand no-name unknown product just to be able to run the OS I choose? I bought my HP laptop (real nice quad-core i7 w/ huge screen) for Linux development because our data-centers are running RHEL (Red Hat Enterprise Linux) on HP Servers. I just kinda assumed that with HP going full force into Linux on the Enterprise server side they would get the clue that someone has to write that code... My mistake for making that leap of logic.
How is that a bad thing? This is not a key that is used to protect military secrets, it's a key that serves exactly one purpose: to prevent people from running modified software.
Anyone who knows the key can then write malicious software that can be installed. For example, a hacked Windows 8 version. On any device made by any OEM that allowed not only Windows 8, but also Ubuntu on their device. I know you don't care, but Microsoft does, and if that happens, they will do their best to bankrupt whoever is responsible.
how can i trust THEM with my software freedom? fuck ubuntu. just a cheap apple knock off. mark shuttleworth is obviously a hack who doesn't deserve his money. ubuntu is pathetic.
In the interview Shuttleworth states Canonical's concern with secure boot and GRUB2 is that the GPLv3 requires distributors give up their signing keys. The FSF's response to this was to say, No, Ubuntu wouldn't have to give up their private signing key, the OEM would." Well, fine, but that completely misses the point. In either case the private key would still be released to the public, which would completely remove the usefulness of the key. The only way around this is to either get rid of secure boot or to use a license which doesn't require keys be shared.
Canonical is going with the only solution which both allows them to run on machines with secure boot and keep their private keys private. The FSF is asking them to do both and it isn't legally possible, even the Software Freedom Law Center says so. So who are you going to believe, some PR guy at the FSF or a lawyer whose job it is to understand this stuff?
I used Debian for years. Thought I would give Ubuntu a try, jus to what all the fuss was about.
Ubuntu was awsome until version 10.10.
Now, I feel like I can do without Ubuntu.
But if they had to disclose the key, then this means Microsoft has to revoke Canonical's key, because that key would allow subverting Window's secure boot model, and now it can't be used to install without requiring user EFI reconfiguration on any PC that includes Canonical's key in its revocation list.
Then maybe Microsoft shouldn't have picked such a fscked-up security model.
But they want to restore their monopoly, and what better way?
Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
markets for other manufacturers to come in and build mother boards that don't have a secure boot. Fuck if I have to pay $50 more to own one of those boards so be it at least I still own the item and am free to do as I wish with my own property.
by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
This is the very question I keep posing, but no one seems to respond to. At what point is allowing owner-controlled code to execute 'ok' to qualify as adequate root kit deterrence?
I think it would go a looong way toward sanity for this to be clarified. If it is a matter of 'anything as fine as long as it makes drawing an obvious banner a first item so it can't be subtle', then I'm not overly bothered by it.
XML is like violence. If it doesn't solve the problem, use more.
The FSF's version of freedom is equivalent to nanny-state socialism. They've basically decided that their idea of playing nice needs to be enforced by big stick, and will happily trample over anything and everything that does something they dislike.
Why would you start your comment with such drivel? The rest of your comment is better written.
I'm a little unconvinced by your anecdotal evidence:
1. LILO: Recovery always worked
2. GRUB2: Recovery always worked, except once
Even if you only ever recovered with GRUB2 once and it failed, how does anybody (yourself included) know that a) you didn't screw it up, b) some other software didn't screw it up, or c) your hardware wasn't screwed up?
The road to tyranny has always been paved with claims of necessity.
Far better to not chance it and just avoid the GPLv3 for something that actually has a free license, rather than the significant impositions that GPLv3 attempts to impose in the name of the FSF's particular vision of "freedom".
Your freedom to throw punches ends where my face begins. My freedom to install software on my computer is not less important than some OEM's freedom to restrict what software runs on their products.
My freedom to install software on my computer is [vastly more] important than some OEM's [ability] to restrict what software runs on [the products that I buy from them].
I'm on your side on this but I had to fix that for you. Your freedom in your country is a right. In your country after a sale, a manufacturer does not have a right to dictate how you use what you bought. There have been many court cases on this and the companies keep losing. However, your politicians keep introducing legislation to change that. The legislation gets holes punched in it by your constitution, but only in court and years after the legislation has been in effect and ruining lives. And when the legislation is finally useless, the next even harsher version is already passed into law.
And we're copying you. (Canada). /sigh/
I think the Venetians were on to something.
GRUB 2 has been nothing but headaches for me if / when tinkering by hand becomes necessary. The old GRUB was a nice balance - powerful without being overwrought. GRUB 2 is like the Holy Roman Empire: It's neither Grand nor Unified. It IS a bootloader, though, have to give it that...
OK, isn't that the standard line when it comes to not wanting to abide by GPL terms? Just don't use it then and everything is kosher.
So Canonical decides not to use GRUB 2, as is its right to do when it would otherwise be impossible to follow the GPLv3. It should be simple. But no, FSF complains even in this circumstance. Childish.
Anyways, if someone wants to install The One True GNU/Linux GPLv3 edition, just disable the secure boot protection.
(and... before whining about Win RT ARM tablets, don't single out those when most ARM tablets supporting a secure boot also "lock out" Linux or other OS installations.)
Either way you slice it....
Taking FSF asssement at face value, the implication is that if you acquire hardware and software independent of each other and put them together, neither vendor is accountable for the others distribution model. If Asus releases a motherboard that requires signing but without linux, and Ubuntu distributes a bootloader that is signed and can work but cannot be modified and still work with that motherboard, then that falls outside the scope of Tivoization. If this is *not* true and somehow that arrangement would be construed as some sort of GPL3 violating collusion, then maybe Canonical can worry.
On the other hand, let's say the FSF gets their way and Canonical confidently ships Grub2 with GPL3 and things are signed and the world is happy. FSF likes this approach as it suggests that it legally forces OEMs to allow owner to disable SecureBoot even if the OEM wanted to force it on. This is overly optimistic. If an OEM really wanted to preload Ubuntu but wanted Secureboot locked in, they don't need to use Ubuntu's provided Grub, they could just use elilo or efilinux or whatever to load Ubuntu's platform.
XML is like violence. If it doesn't solve the problem, use more.
Except that key disclosure would cause a lot of harm.
Such as? The freedom to install Minix3? FreeBSD? Debian/Hurd? Or ReactOS? What harm is there?
Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
Attention hardware manufacturers:
I for one am not about to buy any hardware that implements secure boot without a bios option to completely disable it.
(please note that I am NOT the same AC that made the accusation, but rather, one that wondered who this firm is, so I figured I would share my findings...)
Ok, so I do a bit of digging for two minutes, and came up with this:
Who:
Burson-Marsteller is a PR firm. As in, a really, really, REALLY big fuckin' firm. Apparently the only place on Earth worth mentioning that doesn't have an office of theirs is Antarctica.
http://en.wikipedia.org/wiki/Burson-Marsteller
Where:
Burson-Marsteller has been very, very busy. I haven't had time to second-source the entries from Wikipedia, but supposedly this firm has been at the forefront of a lot of really, really bad shit. The original Tylenol Poisoning scare, Three Mile Island, PR for Phillip Morris; you name the PR nightmare, and there's a good chance they've been there to mop up. In other words, these guys are "World-Class Spin Doctors".
When:
"When" really doesn't even apply in the context I'm using because they are still in business as part of the WPP plc, the world's largest advertising agency. Which means, "when" is really all the time.
http://en.wikipedia.org/wiki/WPP_Group
What:
It took a bit of digging but I found a set of links that tied them back to Microsoft. Ok, so now we have something tying the two together with Microsoft as Burson-Marsteller's client.
http://www.economist.com/blogs/babbage/2012/03/microsoft-v-google
http://www.techdirt.com/articles/20110513/15424314269/burson-marsteller-digs-itself-deeper-hole-deletes-critical-comments-its-facebook-page.shtml
The accusation:
I myself have observed "shill-like" behavior over the last decade on Slashdot, and in the last 4 years it has intensified quite a bit. I believe that, while there is no direct way to prove the accusation, there is sufficient background for readers to make an informed decision as to the possibility of the accusation being accurate.
Why AC:
Yes, I have an account here, let's just say numbered under 200,000 and leave it at that. No, I will not post this with my account for reasons that should be readily apparent to anyone with two brain cells attached - which is to say, attracting the attention of a world-sized firm to my little pittance is probably not the wisest move to make. If they have enough money to pay people to sit around all day and troll slashdot forums, then they certainly have enough money to harass me (given the opportunity).
Sometimes the best tactic to keep out of harm, is to simply not be seen.
This thread is a great one for exposing the paid (and/or sycophantic) Microsoft shills. It's pretty obvious that this 'secure boot' thing has no merits on its own and that anyone who comes in here singing its praises is probably one of them.
I'll try to watch this thread through the rest of the day and tabulate a list of the obvious examples/accounts for future reference.
That’s why I prefer contributing to GPL projects over non-copyleft: I know that helps the fight for a world in which all computer users have the 4 freedoms.
Canonical decided that they no longer care about that which made their founder rich.
GPLv3 just closes some loopholes, so I prefer v3 over v2: more measures to ensure my freedom in the cases where I am a mere user (98% of all the software I interact with).
Far better to not chance it and just avoid the GPLv3 for something that actually has a free license, rather than the significant impositions that GPLv3 attempts to impose in the name of the FSF's particular vision of "freedom".
So you are those who say that slavery is freedom....
That's wrong. Fedora will be signing grub (and disabling its module loading functionality), but with its own key.
You don't understand GPL.
GPL is there to allow the final user to do whatever he want with his hardware.
A developer is not the final users, if he wants to use GPL code, he must give the same rights he received to everyone.
GPL2 had some holes that allowed some developers/builders to take the work of others and not giving back what they should.
GPL3 was made to fix that holes... yep, some people that were abusing the GPLv2 holes didnt like it, but bad luck, its not their code.
If you don't like that license, don't use programs with it and start over with your preferred license. you are not important, the final users are!
So here is the global view:
GPL is to give ALL power to the final users
Closed source gives all the power to the product owners/builders... the user loses freedom
BSD/MIT gives all the power to the developer and hope that product owners/builders are nice to not take the user freedom...
<sarcasm>everyone knows that companies are always nice to the users!!</sarcasm>
Higuita
There is often an ideological debate on these pages about openness and transparency. Some believe open source is a democratic process and everyone should have a say. The debate of over .deb versus .rpm on the ill fated MeeGo forum a few years ago demonstrated this. The debate raged on and In the end, Intel made their choice.
Open source is not a democracy. Both Linus and Mark demonstrate this. It is a business and like most businesses leadership is not elected and therefore doesn't represent the views of the participants.
I am not surprised by Mark's decision. In the face of device lock out by the market leaders, it's best to align yourself with the 600 lb gorilla. If Ubuntu toes the line it will be hard for Microsoft to lock out Ubuntu based on security arguments.
In business I see large companies frightened by the GPL license. While the intent is good, there are too many grey areas that can open a company to litigation. Some are willing to take this risk and others aren't. Looks like Canonical is drawing a line in the sand. This could be interpreted as a wake up call the the FSF.
Sure, it would need to be finalized in a legal document, but the first draft can look something like this:
Canonical: Howdy, Partner. When we work together to bring a computer to market running Ubuntu and GPLv3'd GRUB, can you make sure that the end-user is able to install their own signing keys so they can install modified versions of GRUB, per the licensing terms?
Partner: Okay, how would we do that? I mean, how can we make sure that we meet the terms of the license?
C: It's not that difficult. Basically y'all just need to make sure that the end-user can change the set of signing keys listed in the firmware. The Free Software Foundation wrote a whitepaper about it. You can also contact them via email if you have any questions!
P: Wow. That's really difficult to understand, too bad we don't have any engineers on staff who can figure....awww... I'm just kidding with you, of course we have skilled engineers and lawyers on staff. We even have people who know how to write emails. We should be all set!
C: Awesome, Partner. Before you actually ship hardware with an Ubuntu-Certified sticker on it, why don't you send one of the pieces of hardware to us so that we can manually test to make sure that end users can install their own signing keys. We'll use my son jimmy, 'cause we want to make sure it's so easy a kid can do it.
P: Okay, sounds great on my end. Glad that we had this conversation. I was worried it would take all day, but it really just took 15 minutes of my time.
C: Yep. Now remember: If you do ship some hardware with GRUB installed and you make a mistake so that users can't install their own signing keys, you're going to have to make a firmware update or otherwise make this problem right. Understand?
P: Isn't that what we have to do when we break the license of any of the pieces of software that we ship on our devices?
C: Yes. But I just wanted to make sure that we stated it explictly so that you wouldn't try to push the mistake off on us.
P: Fair enough.
C: Great to talk. We'll put all of this down in the formal contract when our lawyers draw it up. Have your engineers call our engineers about any kernel bugs. We should be able to get this hardware out by Q1 of 2013. So long!
P: Bye!
---------------
I mean, seriously, what's The Big Deal here? Just make some contracts with your hardware partners and hold them to the terms of the contracts like every other business deal that has ever happened. Why does Canonical think this is so difficult?
coding is life
My freedom to install software on my computer is not less important than some OEM's freedom to restrict what software runs on their products.
THEIR products? You paid for them, they're yours. I'd say you have every right to do anything you damned well please on your own equipment, and the vendor has no rights whatever after he has your cash. His rights are completely unimportant, yours are supremely important.
This is like Ford saying you're only allowed to use Firestone tires, Goodrich aren't allowed.
It's madness to go along with this evil bullshit.
Free Martian Whores!
He who sacrifices freedom for security deserves neither - Benjy.
In this case Caninical is right.
Who cares about Ubuntu anyway ? It's not like we don't have a bazillion other distros to choose from. ... is Unity ... too bad ...
The only thing we would loose if they became as undesirable (sorry not english) as Microsoft
What I'm worried is the future availlability of non secure boot motherboards.
Canonical is in a position to demand things....from *Microsoft*. Really?
Fedora/RHEL, they employ a lot of Linux developers.
If you don't like that license, don't use programs with it and start over with your preferred license. you are not important, the final users are!
Isn't that exactly what Ubuntu is doing here, but the FSF is still objecting?
This space for rent.
No, from their OEM ( ie, OEM shipping Ubuntu ).
The whole point of being certified is that, checking the software and that it run. If Canonical certify something without verifying, that's not good.
Not to mention there is a REASON that everyone seems to have forgotten as to why MSFT is worried about bootloaders and it ain't malware. Go to TPB and look up "Windows 7 SP1 X64 all versions pre-activated" and you'll find you can download and install Win 7 which WILL pass muster when it comes to updates, in fact it will even automatically uncheck the WGA update that could possibly block the pirate version from getting updates. Feel free to scan the ISO, you'll find that it passes clean with the exception of a few "keygens are naughty!" pop ups from AVs like...well MSE.
So while I personally would have fought piracy by making Win HP upgrade $50 and the Pro and Family Packs $100 you can see why they don't want anyone getting to the Windows bootloader as the pirates have figured out long ago how to completely ruin their shit when it comes to piracy. Hell the Win 7 pirate version is EASIER to install than the old Razr1911 Corporate XP, it doesn't even need a key! So you can bet your ass if Canonical or any other corp lets their keys slip they'll be banhammered majorly quickly. While nobody in the home will give a shit and will just bypass Secureboot for BSA audits it makes it damned easy to spot those pirated Win pro stations because they'll stick out like a sore thumb. One switch to secureboot and they will fail, and then they can pay up for running hot software. Again not how i would have done it, but ultimately its their OS and they can do what they want.
ACs don't waste your time replying, your posts are never seen by me.
Would it be technically impossible to have a hardware switch on the motherboard that says to the UEFI BIOS "No, I don't care how fricking insecure it is. Go ahead and boot whatever the hell I tell you to."
We all know that if you have physical access to the machine, you're screwed anyway. Provide a way for hardware to optionally disable SecureBoot, and I might consider buying it. Otherwise, no.
You obviously don't have a clue what made their founder rich.
How EXACTLY is this insightful? did Canonical stop bleeding money and get some major OEM deals i've not heard of? Last i checked they had a couple of low end units hidden on the back page of Dell, so they don't have anymore pull than "Bob's Distro" in that regard. hell looking at their number fall on distrowatch since Unity Mint would probably have a better shot of influencing the OEMs than canonical has at this point.
sorry but being a big fish in a little pond is a hell of a lot different than being a little fish in a big pond, and compared to OEM sales Canonical's ubuntu wouldn't even be considered a guppy. personally i blame the community for not supporting linux retailers like System76 and instead buying the cheaper Windows units and slapping whatever they wanted on after getting the in reality "Windows tax break" thanks to the trialware and economies of scale. if you want to affect a market you need to be counted, and you're not being counted when you buy Windows units folks, simple as that.
ACs don't waste your time replying, your posts are never seen by me.
It's so hard to take you seriously when you keep using phrases like "nanny state" and "socialist". It would be better if you actually used those terms correctly.
I support Ubuntu's right to use whatever software they prefer, but this choice will prevent me from recommending it.
But it is, in fact, unfair if users don't have that option. Or, at least, it dramatically devalues the computer as you no longer really own it.
And wouldn't that be a wonderful world to live in?
So Debian away.
So the issue for Canonical is whether FSF might use the terms of GPL3 to force disclosure of Canonical's key? And Canonical won't take their word that they can't or won't? Then there's a simple solution on FSF's part.
FSF is also the holder of the copyright on GRUB 2. All they have to do is to double-license it, adding a second license that is the same as the GPL3 except for explicitly granting the right to NOT be subject to forced key disclosure. This would make Canonical safe in a legally binding way, as long as any modifications they make to GRUB 2 don't merge in other GPL software that doesn't carry the extra license term.
Problem solved.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Because it's actually true. The heart of socialism is often stated as "from he who has the ability to he who has the need" or such; and overall it's basically a system by which the group shares what it produces. The basic theory is each man can produce more than he needs, and thus we should produce enough for everyone and then share the excess.
The Free Software Foundation is Richard Stallman's brainchild. Stallman's philosophy is that programming code and other creative works are the righteous property of everyone. Because they can be duplicated freely, they should be duplicated freely; and because programming object code is much less elegant and harder to modify than programming source code, programming source code should be supplied with programming object code and should be traded freely as well.
The entire purpose of the FSF is to take Stallman's vision of a world where proprietary, closed, restricted software doesn't exist and shape reality around it. In other words: he wants to take from those who can produce programming code and give to all of us so that we can benefit from that work freely. He'll use any leverage he can to force the issue, too: he's happily forced a few proprietary software applications into GPL by threatening injunction for them linking to GPL libraries (this is covered on the GNU site under Stallman's 'philosophy' area, in an article about why glibc is LGPL and not GPL--he noted as an aside that gettext is GPL and has allowed him to force two closed products into a GPL release thanks to their oversight).
Support my political activism on Patreon.
No, it would be a terrible world to live in, because network operators would demand a "secure" phone from vendors so they could rid themselves of built-in e-mail applications and then charge $10/month for them (Verizon did this with the RAZR, for example) without pesky end users replacing the OS. Thus we'd all have Symbian or maybe Windows Phone 7 phones instead of Android.
Support my political activism on Patreon.
The one and only problem: Microsoft.
Solution: nuke Redmond.
TL;DR
Also, forest for the trees. FSF is not condoning locked bootloaders, just responding to their potential adoption with a way to limit their abuse.
Just for your information, that's not an HP thing, that's a Windows thing. It checksums your hardware at install time and won't boot if you change it to prevent people duplicating installed images.
Doesn't matter, they screwed the pooch with forcing Unity anyway--Ubuntu is, unfortunately, on the way down.
Check out the interest ratings at Distrowatch, for example...and I know I've personally just gone to Mint after years of happy Ubuntu usage. I tried to like Unity, failed, and going back to Gnome stock interface (without the nice Ubuntu configurations) just doesn't cut it.
expandfairuse.org
In a "properly" secure system the hypervisor would be signed with a key as well and the OS wouldn't allow it to boot if it's been tampered with. That hypervisor would then virtualize secure boot and only boot signed binaries, same as the real hardware.
The key will be revoked and lots of software will stop running.
Doesn't matter, they screwed the pooch with forcing Unity anyway--Ubuntu is, unfortunately, on the way down.
Check out the interest ratings at Distrowatch, for example...and I know I've personally just gone to Mint after years of happy Ubuntu usage. I tried to like Unity, failed, and going back to Gnome stock interface (without the nice Ubuntu configurations) just doesn't cut it.
Amen bro. After happy years with Ubuntu, I gave up on Unity. I've switched to a new distro. Debian.
"The FSF's version of freedom is equivalent to nanny-state socialism. They've basically decided that their idea of playing nice needs to be enforced by big stick, and will happily trample over anything and everything that does something they dislike."
That's funny. A private foundation having to use a license to force copyright law to do the job it was intended to do. Doesn't seem socialistic to me, if it does to you read your constitution. The goal of copyright and patents is to get developments out in the public as soon as possible for the benefit of all(you know the public) not the developer. Copyright/patent was intended as a short term trade off not a long term benefit to encourage further development.
"In this particular case, Ubuntu wants to place a bootloader that will allow you to load ANY operating system, bypassing the "security" features they dislike in the new UEFI. Ubuntu wishes to ensure that users can boot any operating system they like and run any software they want. Their concern is that the GPLv3 makes provisions by which the FSF could, in this case as the owner of GRUB2, deem that a machine that won't let them replace GRUB2 with something else is in violation of the GPLv3. At that point, they can demand that Ubuntu surrender its encryption keys used to provide secure bootloader verification--which then allows anyone to sign any bootloader they want, thus negating any security features you could leverage out of the bootloader (for example, intentionally instructing it to boot only signed code--keeping the chain trusted, rather than booting a foreign OS as is the option)."
You mean public actually having control of both their hardware and software, especially software as the hardware is worthless without it, that they paid for. And yes they paid for it as all money for development comes from the public via investment to buying the actual devices to taxes that pay for company support(tax breaks, land grants, legal/judges) and other support infrastructure(roads).
"The point of contention is where the FSF gets to demand Ubuntu hand over their encryption keys for this particular application because they've decided it's 'unfair' that users don't have the option to replace a bootloader. The GPLv3 is a restrictive license agreement whose provisions do in fact allow the copyright holder to make certain demands about HOW their software is used. Most people fixate on the "Free" part because you're free to distribute and modify the software; but you are also "Obligated" to publish your modifications in source form if published in any form."
A license version that attempts to control the irresponsible behavior of business types that match toddlers "everything is mine" attitude and attention span of the quarterly stock report. If you don't like the GPL don't use it, you still have your freedom to be selfish and publicly irresponsible as you wish. You know, the public that helped feed, clothe, house, and educate you to be a meaningful member of society rather than kill you for the real threat pure competition would make you out to be.
"The GPLv3 brings restrictions on how you can use the software, such that you must be able to modify it--the hardware you use the software on must be configured to allow the use of modified software (or any other software). 'Jailbreaking' is not a thing with GPLv3 because the vendors would have to supply a way to run custom software. If the Linux Kernel was GPLv3, then you wouldn't have to root any phones to install Cyanogenmod: vendors would be required to provide an official method for the end user to replace the software with custom versions."
The only reason I see you would want to restrict people from altering their software is to lock them out of their hardware. So who's doing the restricting now? Vendors providing options for you to control your device that you paid for in more ways than one, who would have thought? Wouldn't that make it easier for customers/public to
...cannot stand.
"Those who consume the bulk of goods are those who make them. We must never forget this secret of our prosperity."
I'm about to go to Mint after years of happy Ubuntu usage, not because of Unity which I think is OK, but because they keep breaking shit. Right now I can't print because of some fuckup in AppArmor or cups or something. (They just sent my bug from cups to apparmor, we'll see what happens.) It worked a week ago.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
the maintainers of the most popular GNU/Linux distribution out there
Canonical maintains Fedora? No, they do not.
Fedora has a much larger user base than Ubuntu.
I'm sorry but unless you use newspeak freedom means the freedom to choose or NOT to choose, and the GPL V3 takes part of those freedoms away because you no longer have the right NOT to choose. i would argue that is why Linux will never go anywhere on the desktop, because religious dogma refuses to allow a hardware ABI and they make sure their kernel fiddling breaks shit constantly. Now i'm sure those in the kernel dev team think they can make supporting Linux such a PITA that everyone opens their drivers, but in reality many simply won't support you at all.
if you force me to share with my neighbors at the barrel of a gun, which is what all patents and copyrights are, using the big arm of government to give one group control of something that is neither scarce nor expensive to copy and allowing them to treat it as it is a scarce good, then that is STILL force no matter how much newspeak you use. just because YOU think that force is "good" doesn't change the fact that it is still force anyway you slice it.
ACs don't waste your time replying, your posts are never seen by me.
Yeah I am getting some crash dialog at startup and every hour after that. And Thunderbird crashed yesterday. Its very strange for an LTS release.
http://michaelsmith.id.au
...gay and stupid
A bigger problem for free software is the current boom in closed tablet devices. Some android devices are open. iPads and MS Surface devices are not.
http://michaelsmith.id.au
The FSF's version of freedom is equivalent to nanny-state socialism. They've basically decided that their idea of playing nice needs to be enforced by big stick, and will happily trample over anything and everything that does something they dislike.
Please put such remarks at the end of your postings, if at all. It helps a lot to not induce a feeling of "oh dear, another childish rant" and thus a negative disposition in the reader for the rest of your text.
In this particular case, Ubuntu wants to place a bootloader that will allow you to load ANY operating system, bypassing the "security" features they dislike in the new UEFI. Ubuntu wishes to ensure that users can boot any operating system they like and run any software they want. Their concern is that the GPLv3 makes provisions by which the FSF could, in this case as the owner of GRUB2, deem that a machine that won't let them replace GRUB2 with something else is in violation of the GPLv3. At that point, they can demand that Ubuntu surrender its encryption keys used to provide secure bootloader verification--which then allows anyone to sign any bootloader they want, thus negating any security features you could leverage out of the bootloader (for example, intentionally instructing it to boot only signed code--keeping the chain trusted, rather than booting a foreign OS as is the option).
Exactly. However, in practice there are a few questions: will Canonical care about making other OSs work with their bootloader? Will Microsoft omit the possibility of leveraging SecureBoot to impose more and more stringent conditions over time?
Basically, does the perceived advantage outweigh the possible disadvantages? Think about it: Canonical says "the FSF might go nuclear" right here and thus plays it "safe", so why shouldn't we say "Microsoft might go nuclear" and play it safe as well (by not supporting SecureBoot)?
The point of contention is where the FSF gets to demand Ubuntu hand over their encryption keys for this particular application because they've decided it's 'unfair' that users don't have the option to replace a bootloader. The GPLv3 is a restrictive license agreement whose provisions do in fact allow the copyright holder to make certain demands about HOW their software is used. Most people fixate on the "Free" part because you're free to distribute and modify the software; but you are also "Obligated" to publish your modifications in source form if published in any form.
I don't really understand this perspective. By the word "use" we mean "run", not "distribute". The "HOW" in this case is: in order to distribute this software, you must comply with it's conditions. The FSF says it will not enforce the full set of conditions now or at any later point in time (=demanding the keys), but Canonical/Mark are afraid they still might if their mood changes. ;)
Of course, "may not distribute" leads to "may not _use_ in packages that we distribute"
The GPLv3 brings restrictions on how you can use the software, such that you must be able to modify it--the hardware you use the software on must be configured to allow the use of modified software (or any other software). 'Jailbreaking' is not a thing with GPLv3 because the vendors would have to supply a way to run custom software. If the Linux Kernel was GPLv3, then you wouldn't have to root any phones to install Cyanogenmod: vendors would be required to provide an official method for the end user to replace the software with custom versions.
Now wouldn't it be awesome if this was considered normal by the vendors? How about we work towards such a world?
The Affero versions of the GPL family of licenses go even further: if you USE a modified version of the software, you must publish its source. That means if you modify an AGPL Web server and use it to serve your Web site, you have to put up the Web server's source code.
... call The Software Problem
Software failure is fundamentally a human problem, not a technical one.
Purely technical solutions fail to effect truly meaningful and lasting change.
I haven't written up Burson-Marsteller yet, but I will Right Here over the next day or two. That's just a placeholder directory for now - it gets you a default Apache index page - but I just updated the sitemap at Solving the Software Problem, so all the search engines - not just Google, but also Bing (!), Yahoo, Baidu, SoSo, Yandex, Seznam and so on - will be picking it up over the next few days.
Bring It On, You Ignorant Mother Fuckers!
-- Jonathan Swift, who can't be bothered to recover his password.
Instead of requiring that OEMs shipping Ubuntu ("Ubuntu Certified" or whatever) install the Canonical signing keys, they should require that the machines be shipped with secure boot turned off by default (i.e. it will boot any bootloader that doesn't specifically care about secure boot)
That way all the issues about keys and GPL3 and OEM lock-downs and stuff don't matter.
Based on what I have seen of Win8, Microsoft is about to be dead, not the PC.
If people buy a "secure" computer, that's what they expect. Ubuntu isn't preventing you from buying something else..... Ubuntu is providing a solution to dual boot with windows on a "secure" computer.
If you want the ability to easily install something else, then it's no longer secure and defeats the whole purpose.
Perhaps Canonical actually wants secure boot and are willing to use a different boot loader in order to use it (and mitigate the fear of FSF incase there are technical problems)
AccountKiller
nanny-state socialism? This was upvoted to insightful 5? Since when is declairing basic rights (like the EU, UN, Consitution of USA has) a nanny-state socialism?
Can I JailBreak my PC ?
I want Desktop computing not tablet computing.
Heck.
Again with this "a fixed driver ABI would fix all business"
The internal kernal abi changes because it's INTERNAL. If I wrote a piece of software, then someone else proceeded to write a binary that hooked into my software without integrating it properly (getting it to mainline) then when my software changes of COURSE they should expect that some of my internal functions have changed... it's called progress.
You want a stable internal abi, then pick a kernel version, a compiler, an architecture (because even with a single version, changing the compiler WILL change the abi) and stick to it, no changes equals no changes.
Otherwise any change at all would break it.
For further reference, see here
Don't fight for your country, if your country does not fight for you.
Aside from that, it's also v2 b'cos Torvalds disagrees w/ the FSF on its fanaticism, and doesn't even describe Linux as 'free software' these days. GPLv3 is to GPL what Windows 8 is to Windows, or GNOME3 is to GNOME or KDE4.0 was to KDE. Except that there is no indication that it will get any better, unless RMS gets abducted and held hostage for life in Argentina
Goodbye Ubuntu.
How is that a bad thing? This is not a key that is used to protect military secrets, it's a key that serves exactly one purpose: to prevent people from running modified software.
The point of the signing the bootloader is to prevent malware subverting the boot process, if the key is available then malware can be signed as though it were legitimate and thus defeating the point of this.
AFAIK, what Ubuntu is doing isn't to lock down the hardware that is to be shipped with Ubuntu, but allow Ubuntu to be installed on computers, that because of Windows 8, have secure boot enabled. Now you should be able to disable Secure Boot in the BIOS which will allow you modify the boot loader and/or kernel to your heart's content, but Ubuntu want things to be as easy as possible for new users and don't want user's to be put off by disabling secure boot -- it's called "secure boot", I don't want my computer to be insecure do I? -- or giving up because they have problems because they forgot (or were unable to) disable secure boot.
I don't like it myself, but I completely understand where Shuttleworth and Ubuntu are coming from and I think it would be a losing proposition not to do it.
And then I might as well use Win98 because the amount of resources required to make it functional and still keep security patches would cost millions....or i can just sell and support an OS that is a guaranteed 10 years of support and ignore your fiddly bullshit. Maybe NOW you see why people would rather steal the other guy's than have yours for free? hell you get longer support with a Hackentosh than with your average distro, thanks to Linus and his fellow fiddlers.
Not that you will bother, because I have a feeling i'm talking to a "follower of the one true way' which is about as likely to listen to reason as showing carbon dating to those that believe Adam rode a dino, but for everyone else there is this nice list with over 100 links published THIS YEAR so you can't claim "it's old, not like that anymore' showing just what I said which is YOUR SHIT BE BROKE BRO and pretending your shit be NOT broke is just that, pretending.
Now you can stick your head in the sand, pretend that Linus is smarter than the dev teams for BSD, OSX, Windows, and even OS/2 who ALL HAVE AN ABI but that don't make it reality, anymore than you pointing at a chicken and saying "its a cow!" will make it go moo. The reason your OS doesn't go anywhere unless a corp locks it down and puts it in embedded hardware (like Android) is precisely because Linux is a fiddly PITA without an ABI. Like it or lump it, really don't care at this point.
ACs don't waste your time replying, your posts are never seen by me.
Yes, and?
Free Software has never meant 'free of cost'. If you want to use and modify an AGPL web application, the republishing requirement is the price you have to pay. You still have the freedom to modify the software, a freedom you won't get if you use a proprietary application.
As usual, an anti-GPL ranter shows himself up to be just another freeloader who wants to use a piece of software without paying the cost.
Mart
"I know I will be modded down for this": where's the option '-1, Asking for it'?
Mark Shuttleworth is not a stupid guy, and it seems likely that he is engaging in a misrepresentation rather than a misunderstanding of what he was told by the SFLC. There are a couple of points worth making in this context.
First, the SFLC does not appear to sanction Shuttleworth's interpretation of Grub2 and its implications for UEFI. The SFLC is a signatory of the FSF's statement on UEFI, "Stand up for your freedom to install free software." It has also called out Microsoft's, er, flexible attitude toward its statements and representations about UEFI in the ARM context.
Second, Ubuntu has often shown this inclination to make a "separate peace" with Microsoft and the OEMs without really helping the larger community. The certified hardware deals with Dell and others don't really guarantee a system that will run any distro well without the help of binary blob drivers, and if that's not the point of the certification process, I'm not sure what is--other than to gain some positive cred and some market share in the corporate IT world.
Third, the scenario Shuttleworth is purportedly so worried about--an OEM "screwing up" and not shipping a PC in custom mode, making it impossible to replace its bootloader--is a pretty bad one to have to worry about in the first place. It sounds more like making a deal with a hostage taker than making a deal with the FSF does, because although the FSF does try to be litigious about its copyright, at least you know what its red lines are. Microsoft, as is shown by what they're doing with UEFI in the ARM space, is playing games here, trying to stay one step ahead of antitrust litigation in the Wintel world but no farther.
How will the hypervisor load if it is not signed?
if the firmware isn't 100% locked (like required for current x86 platforms) :
- by using some exploit in the OS at infection time to gain administrative privileges and disable secure boot in the firmware setting
- or add an extra key into the TPM keychain (thus following the same route as proposed by the FSF to boot into customised Grub2 bootloader)
- or the same as any of the two precedent entries, but simply using the legit software by the motherboard manufacturer for that operation and overlaying some click-jacking shit above it ("please punch the moving monkey to prove that your not a robot before seeing the video of the naked cheerleader in the dressing room") given how well this kind of shit works on current social networks, it might be good enough, without even needing to use any actual exploit.
- or getting chained from a legit signed bootloader designed to boot custom code (thus following the same route as proposed by canonical to get custom kernels to be booted onto a secure boot authorised efilinux)
if everything is locked for Microsoft-only booting (like on future ARM platforms running WinRT):
- by getting signed with a stolen key (has been recently be seen on some government cyberwar malware [was it Stuxnet?] using stolen keys from Realtek)
- by getting signed with a forged key that looks similar enough (some other recent cyberwar malware used a forged Microsoft key to pretend being WHQL approved. Not the real stuff, but thank to some collision it looked mostly legit enough to get a critical piece of the code to pass as signed. Similar here: the forged key might not be able to sign any arbitrary piece of code without the forgery getting noticed, but that might be well enough to get the first stage of the bootloader
The only way to prevent this is to go 100% the Apple way: /. a few days ago. The only reason they got caught is that this specific malware had the brilliant idea to start spamming the whole contact list with SMS originating from the infected phone) . Bonus point if the leak looks accidental. (like most winners of the UCCC). - you get your malware functionality and don't even need to mess with the whole secure boot shit.
- a completely locked platform executing only microsoft-approved code, and getting new software only from the single repository approved by Microsoft. No possibility to side-load (no possibility to install something you go from an arbitrary source, not possibility to use an alternative repository (no more Steam, GOG, etc.)
And even that could be abused:
- Apple iDevice *HAVE* been exploited (for jail break and the like). So a walled garden done by someone with such a security record track like Microsoft is bound to be exploitable.
- "Underhanded C code contest"-like style! In this situation you don't even *need* to find a way around the the mini inner-security theatre provided by secure-boot/TPM. You embrace the walled garden and find a way to get the malware approved: Write some app that does synchronise the contact list with some social web service, or a game which use some form of social score board to compare with friends (so the app has a naturally obvious reason to need to access the contact list and to need online access - and thus can ask for these privilege without raising any suspiction. Thus it gets approved/whitelisted for the walled garden), but secretly it uploads the whole contact list to some malicious server where it will be used to build a list of SPAM targets, or initial infos to perform identity theft (and this exact situation was reported here on
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
And then I might as well use Win98 because the amount of resources required to make it functional and still keep security patches would cost millions....
People can and do keep drivers outside of mainline and keep up with internal api changes. Some also release binary only drivers and just compile it once for each target platform.
These people are insane, and doing it the hard way, but they do it without _that_ much trouble. It just limits their target audience to specified platforms.
Now you can stick your head in the sand, pretend that Linus is smarter than the dev teams for BSD, OSX, Windows, and even OS/2 who ALL HAVE AN ABI
Oh, so how are your win98 drivers running in windows 7?
They break their abi periodically too, they just prolong it by keeping faulty interfaces for longer, a design flaw for different goals.
You seem to want a "one kernel version to rule them all" effectively by demanding a stable internal kernel abi, which will never happen as every person is free to do what they wish with it unlike windows/os x.
Mainline drivers make sense, it helps the system to "just work" when they boot it.
Will regressions occur? sure. But so long as more things are fixed than broken progress is made, and in the mean time you just revert back to the older kernel that lacks the regression.
Going to the windows/os x development model of a release every couple years as opposed to three months would slow progress immensely. There are long term 'stable' kernels for this use, where the internal kernel api's do not change (not abi since as mentioned, that requires same kernel and arch etc which you are fine to do if you wish) that you can use in that manner.
hell you get longer support with a Hackentosh than with your average distro, thanks to Linus and his fellow fiddlers.
I have a p3 733 which is still running fine for card games etc for old people, I also have a g4 mac because I like unique architectures, the latest linux runs on both, how long ago was the g4 unsupported from the mac line? I'm guessing at least 7-8 years ago.
You want linux to be a turn-key system? get someone who knows what they are doing to build it for you, get it going and support it. Same deal with a windows machine. I've seen plenty of windows machines that have had no end of trouble with drivers for peripheral cards when the windows vista/7 upgrades came, all because the users were silly enough to not check the drivers etc beforehand. Same deal with linux.
Nothing will replace knowledge of the system, ever. You want something to magically work, get someone else to make it magically work for you (whether that be the oem, or an individual) and then don't touch the internals.
And who, exactly, thought it was a good idea to give Microsoft those keys? This is the company known for leveraging their position to screw over any potential competition at every turn.
Why is any hardware manufacturer still taking these clowns seriously?
"Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
The problem is that in the view of FSF (and many, many users in the last few years) if that ubuntu doesnt care about its users and is removing user freedom. They just want to grab windows users, no matter what.
Ubuntu trusting Microsoft and the OEM instead of trusting the FSF might give enough excuse for the former saying that their solutions is good enough, that FSF is crazy and so, affecting the freedom of all users. That is why FSF is objecting, ubuntu decision might not affect just the ubuntu users.
Higuita
Interesting that in the name of freedom Canonical is being targeted for not doing it the way someone else wants, even when their way is essentially open.
Your freedom to throw punches ends where my face begins. My freedom to install software on my computer is not less important than some OEM's freedom to restrict what software runs on their products.
And they won't be at odds unless you - for some reason - purchase a locked down device, like many people do every day with bootloader-locked phones and tablets, at which point the simple fact of the matter is you bought the wrong product.
THEIR products? You paid for them, they're yours. I'd say you have every right to do anything you damned well please on your own equipment, and the vendor has no rights whatever after he has your cash.
That's correct, and we've seen precedents set that reinforce that, for example the ruling on the legality of jailbreaking iDevices.