←back to thread

Linux and Secure Boot certificate expiration

(lwn.net)
253 points pabs3 | 2 comments | 18 Jul 25 03:53 UTC | HN request time: 0.001s | source
Show context
greatgib ◴[18 Jul 25 06:46 UTC] No.44601921[source]
It's totally crazy that we have to go through Microsoft to sign things to be able to have our OS run on third parties computers, and that Microsoft manage to win about this so easily as it was never seriously challenged.
replies(7): >>44601962 #>>44602085 #>>44602088 #>>44602288 #>>44602373 #>>44602674 #>>44615523 #
sugarpimpdorsey ◴[18 Jul 25 07:50 UTC] No.44602288[source]
It makes more sense if you view it for what it is: Honest Satya's Certificate Authority.

Microsoft showed they can semi-competently run a PKI. The end.

Now had the Linux folks stepped up to the plate early on, instead of childishly acting like Secure Boot was the computing antichrist, the story might be different. But they didn't. We only have shim because some people at Red Hat had the common sense to play ball.

replies(7): >>44602337 #>>44602402 #>>44602511 #>>44602526 #>>44602770 #>>44603173 #>>44604349 #
1. deknos ◴[18 Jul 25 09:32 UTC] No.44602770[source]
orrr we just have official institutions which do this and enforce vendors to add certificates from other trusted parties. not only microsoft is able to do this. also microsoft already also had fallout regarding signing.

and secure boot is still the antichrist, but we have to live with them.

replies(1): >>44606483 #
2. danudey ◴[18 Jul 25 16:18 UTC] No.44606483[source]
The problem here isn't that Microsoft is the one signing the shim, but that we can't trust systems manufacturers to update their systems, or even to have systems that can be correctly updated.

A public signing institution (or at least, a not-for-profit one) would be a great idea, but it wouldn't solve the core issue that we're worried about.