</style><!--[if gte mso 9]><xml><o:shapedefaults v:ext="edit" spidmax="1026" />
https://uefi.org/revocationlistfile
there are concerns if this would fit within the DFSG
https://uefi.org/revocationlistfile
Recently there has been a discussion within upstream fwupd to start including the UEFI dbx revocation list directly with the fwupd package.
Furthermore, if it is not acceptable to distribute this raw data in Debian, one of the options being considered is to programmatically re-generate a list of invalid hashes but without the signatures in the original file. Would that be acceptable todistribute in Debian instead?
It also has to be optional and disabled by default because a future
dbx update may be specifically designed to stop Debian systems from
booting. No Debian user will want to install such an update.
This sort of data is liable to be out of date if included in the
source code of fwupd, I think this should be separate to fwupd in the
same way that tzdata is separate to glibc and DNSSEC root keys are
separate to DNS servers and the web PKI CAs should be separate to web browsers. I suggest that fwupd download it directly from the UEFI
website and update the copy within the boot firmware that way.
On Thu, 2020-05-07 at 07:26 +0200, Florian Weimer wrote:
It also has to be optional and disabled by default because a future
dbx update may be specifically designed to stop Debian systems from
booting. No Debian user will want to install such an update.
Isn't the point of these updates to fix security issues, not to block
systems from booting?
-----Original Message-----
From: Steve Langasek <vorlon@debian.org>
Sent: Friday, May 8, 2020 3:35 PM
To: Limonciello, Mario
Cc: debian-legal@lists.debian.org
Subject: Re: UEFI Revocation List being distributed by Debian
Hi Mario,
On Thu, May 07, 2020 at 02:25:41AM +0000, Mario.Limonciello@dell.com wrote:
Hello,
Recently there has been a discussion within upstream fwupd to start including the UEFI dbx revocation list directly with the fwupd package. During the code review for this as part of reviewing the terms included with it there are concerns if this would fit within the DFSG. Would it be possible to request a review of these terms to determine if this is appropriate to distribute in Debian?
https://uefi.org/revocationlistfile
Furthermore, if it is not acceptable to distribute this raw data in
Debian, one of the options being considered is to programmatically re-generate a list of invalid hashes but without the signatures in the original file. Would that be acceptable to distribute in Debian instead?
First, the license is not an end-user license and if someone chooses to
agree to the license as part of downloading, this appears to only be binding on the downloader; it is not a license that must be included in the redistribution to users (as debian/copyright).
Second, the following URL is accessible without affirmatively agreeing to
the license.
http://www.uefi.org/sites/default/files/resources/dbxupdate.zip
Third, the contents of this file are a non-copyrightable list of statements of mathematical facts. Distribution of this file is not subject to
copyright law.
I don't think there is any issue with Debian distributing this file.
FWIW Ubuntu already distributes this file in the secureboot-db package. I
do not think that Ubuntu would want to enable updates of the revocation list via the fwupd package since revocations could in principle impact the bootability of the system (if the dbx update included a hash of Ubuntu's shim, or Ubuntu's signing key). dbx updates should be carefully managed in conjunction with updates to the bootloader itself, which the tighter
coupling of a directly-managed native package gives us. I think similar reasoning would apply for Debian.
Hello,
Recently there has been a discussion within upstream fwupd to start
including the UEFI dbx revocation list directly with the fwupd package. During the code review for this as part of reviewing the terms included
with it there are concerns if this would fit within the DFSG. Would it be possible to request a review of these terms to determine if this is appropriate to distribute in Debian?
https://uefi.org/revocationlistfile
Furthermore, if it is not acceptable to distribute this raw data in
Debian, one of the options being considered is to programmatically re-generate a list of invalid hashes but without the signatures in the original file. Would that be acceptable to distribute in Debian instead?
Sysop: | Keyop |
---|---|
Location: | Huddersfield, West Yorkshire, UK |
Users: | 293 |
Nodes: | 16 (2 / 14) |
Uptime: | 231:33:44 |
Calls: | 6,624 |
Files: | 12,171 |
Messages: | 5,319,429 |