Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror

Comment Re:One size doesn't fit all (Score 1) 67

"There are other ways to lock down your system in Linux, which will leave it pretty much unhackable, such as signed binaries (the signature of binaries being checked with each execution), kernel and module signing, and a properly configured bootloader along with secure boot turned on"

This is an extension of exactly those mechanisms. The thing being addressed here is a huge gap in that security chain: currently if you're taking Secure Boot seriously, then nearly everything in the boot chain is signed...*except the initramfs*. Which can't be signed because it's generated locally on your machine. What is the initramfs? Well, it's an entire operating system in a box, basically, which gets run and does arbitrary stuff *defined within itself* on every boot.

So, uh...if everything in the boot chain is signed except the initramfs, how secure is boot? Answer: not very at all. That's why this effort exists.

I think if you take a step back, the overall debate about the whole effort to enable a truly secure boot on Linux is a 'hole hawg' problem: http://www.team.net/mjb/hawg.h... . People who hate all this stuff are Hole Hawg users. They reckon they know what they're doing (maybe they really do!), they don't think boot chain security is an issue for them, and every attempt to make it possible just smells funny to them because it's trying to achieve a thing they don't want.

But not everybody wants the Hole Hawg. IT admins, for instance, definitely don't want the people carrying around their company's sensitive data to have a Hole Hawg. They want that stuff safe. For those purposes, it really is important that we make it possible to have a truly secure boot environment on Linux (or at least one that's not wildly *less* secure than competing operating systems, which right now it kind of is).

I get that people worry this stuff will start out optional but somehow magically become compulsory. All I can say is there's really no reason for anyone to want that. It's plausible in the case of a proprietary monopoly OS that this feature comes with a handy side of control for the OS company, but that's much harder in the F/OSS world. If we somehow tried to make it so Fedora or RHEL didn't boot without all the secure boot features turned on (and why would we, anyway?), anyone could still create a clone which was the same thing but...without that. I also can't see really any benefit we'd get from requiring that. And you can note that Fedora and RHEL have supported Secure Boot for about a decade as of this point, and we certainly aren't requiring that that be enabled.

Comment Web Pages Use Same Imaging Model (Score 1) 227

Web pages use SVG to render vector graphics. It uses the exact same imaging model as PDF and is implemented in all modern browsers. The web in general has taken a lot of lessons from Adobe because Warnock and Geshke, in the PostScript Red Book, got so much right about how to build an image model that many GUI developers are still learning today. If you start with a PDF, it should be possible to machine-translate it to SVG and present it as a web page.

PDF exists because it is trivial to generate it from the document renderer meant for printing. Although I have once in a while run into an improperly scaled PDF meant to be printed 8-up, I'm just not

Slashdot Top Deals

"In order to make an apple pie from scratch, you must first create the universe." -- Carl Sagan, Cosmos

Working...