Some people call Linus Torvalds "rude". I call him "honest".

D. Hugh Redelmeier hugh-pmF8o41NoarQT0dZR+AlfA at public.gmane.org
Wed Feb 27 05:07:46 UTC 2013


| From: Sadiq Saif <s at sadiqs.com>

| Curious, has Linus always been like this or is the media just catching
| on to a trend? I know when I started using Linux a few years back, I did
| not read online news stories like the one you linked.

What's "like this"?

Opinionated?  Yes.

Strongly stating his opinion?  Yes.

Right?  Usually.

Using crude/rude words and analogies?  Yes, I think so.  I suspect
that it is cultural rather than idiosyncratic.  I know a lot of others
who talk like that but not so often in public venues.

BTW, I strongly sympathize with his position.  I don't understand the
issues deeply enough to see whether his position is impractical.

Microsoft really is at war with Linux.  Giving them the "keys to the
kingdom" would seem quite foolish.  Better to force a new Linux-wide
signing authority to be created.

Who needs this?  As far as I know, only publishers of distro-independent 
closed-source Linux Kernel modules and firmware binary blobs, a dubious 
category in itself.  And I would certainly not automatically/mechanically 
trust a system with such drivers.  I guess we've lost the fight about 
binary blobs.

X.509 certificates really are the industry standard and probably
should be sufficient.  Each (signed) cert needs to declare its competence
(i.e. what it is allowed to sign).  I don't know how you delegate a
delimited driver-signing competency (but I haven't tried to find out).
Perhaps Microsoft only signs PE binaries to avoid the issues of 
delegation.

It's important to know the meaning of all signatures that could allow a 
system to be considered "Trusted" by this mechanism.  If the meaning of 
one signature is "this really came from a specific Yahoo email account", 
and another means "I've formally verified that this module meets its 
specs", and another means "The US government wants you to trust this", 
what does that say about the trust of a system with all those?  The things 
that are forbidden are the intersection of the complement of all those 
claims, and a lot of bad things escape that.

Remember Microsoft's telling us we should trust ActiveX over the web?  
After all, all ActiveX modules were signed.  But all that proved was that 
Microsoft believed that the module it signed came from the source who had 
paid a license fee and agreed to license terms.  No verification of the 
code was involved.  Punishment for a discovered violation was loss of the 
license AFTER THE FACT.  No sandboxing or any other technical control.  
This went on for years.  Pathetic.
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
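
The point in the message above about what a set of accepted signatures jointly means, modelled as an added example that is not part of the original post. The anchor names, keys and property labels are constructed for illustration, and HMAC-SHA256 stands in for a real public-key signature so the code runs offline.

```python
import hashlib
import hmac

# Constructed trust anchors: name -> (key, properties a signature attests).
# HMAC is a stand-in for a public-key signature scheme (assumption).
ANCHORS = {
    "origin-ca": (b"k1", {"known_origin"}),
    "verifier-ca": (b"k2", {"known_origin", "meets_spec"}),
    "government-ca": (b"k3", {"government_endorsed"}),
}


def sign(anchor, blob):
    """Produce the anchor's signature over blob (HMAC-SHA256 stand-in)."""
    key, _ = ANCHORS[anchor]
    return hmac.new(key, blob, hashlib.sha256).digest()


def accepting_anchors(blob, signatures):
    """Return the anchors whose signature over blob verifies."""
    return [
        name for name, sig in signatures.items()
        if name in ANCHORS and hmac.compare_digest(sign(name, blob), sig)
    ]


def is_trusted(blob, signatures):
    """The loader's rule: one valid signature from any anchor is enough."""
    return bool(accepting_anchors(blob, signatures))


def guaranteed_properties(anchors=ANCHORS):
    """Properties that hold for every module the loader can accept.

    Acceptance is a union over anchors, so the guarantee is only the
    intersection of what each anchor attests.
    """
    claims = [props for _, props in anchors.values()]
    return set.intersection(*claims)


# Constructed module: unreviewed code that only has an identified sender.
module = b"unreviewed driver blob"
sigs = {"origin-ca": sign("origin-ca", module)}
```

With all three constructed anchors installed, `is_trusted(module, sigs)` is true while `guaranteed_properties()` is empty: the module counts as "Trusted" even though no single property is assured for everything the loader accepts.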




