Reply 220 of 317, by SirNickity
wrote:wrote:Even if a source tree makes reproducible builds, most Linux distributions won't have a matching binary signature for the bootloader as each has their own build infrastructure and may use a different release version as well.
As I tried to say in my previous post: Then they should stop doing that, because that's clearly not how the world works!
You seem to be resigned to let the whims of others dictate your own course, and yet you argue doggedly about your perception of those events. Truly an enigma.
I am not so willing to give up. You and I (or others, on either side) can disagree, and that's fine. Anything of importance deserves the consideration of alternative points of view. As you mention, the FSF is vehemently idealistic, and while I think they are indeed a little over-the-top, I'm thankful for this. It balances out the insidious lean towards corporatism. Sometimes you have to steer hard left to correct for a long trend of curving gently to the right.
wrote:It's just a tiny shim that loads the initial bootstrapper for your OS. So even if you want to make modifications to the boot process, there's really no reason to modify the bootloader itself, you just move that into your own bootstrapper.
Which just makes the whole idea pretty much pointless, as it can be trivially bypassed with ONE signed, yet malicious (or not!), shim. Secure Boot doesn't protect against modification, and as you've pointed out, doesn't protect anything after the initial hand-off. Thus, the transition to a secure, validated environment is woefully incomplete. Which leads me right back to the question... is this really designed to be secure? Or just a first step toward locking down an ecosystem?
wrote:As Linus Torvalds tried to say, people are making a big deal out of nothing.
Linus is a subject matter expert, but he is not God Almighty himself. One dude, with his own opinions. He's rather pragmatic and has his own unsentimental motivations. That is to say, I appreciate his insight and value his experience, but I don't particularly place much stock in his opinions.
wrote:If a BIOS becomes a sort of o.s. itself that's so complex may need many more updates what's the point to put security in such priority with smart logics the o.s. booting while the BIOS itself may become in the future a more serious source of problems?
I have nothing to add that would be more profound than this statement; I just believe it bears repeating.
I am not a defeatist. I don't believe the status quo is immutable. I think the computing industry is heading down a path where the needs of a few, the convenience of enterprises, and the apathy and ignorance of most others, will strip away the ability for mere mortals to build, maintain, and innovate on their own property. Right-to-Repair is already a canary in this coalmine. Everything we consider essential (insofar as technology itself is essential) is encumbered by patents and licenses -- and it doesn't have to be. It really, truly doesn't. It is the way the world is, but it isn't how it has to be.