Fwd: Re: Ubuntu 16.04 Secure Boot Policy

[Kaosu]

Yes, it would be more user-friendly to disable secure boot instead of 
asking a user to go through the process of importing a new key after 
every kernel or driver upgrade. Therefore, I will modify my proposal a 
bit and suggest that the menu to disable secure boot should have a new 
option to add an exception for the package being installed. The 
recommended option could be to disable secure boot, an option to add an 
exception could be recommended only for advanced users, and the final 
option would be to do nothing at all. This change would allow users to 
choose an option that best suits how they wish to use their computer, 
but still allow a novice user to select a recommended action and not 
deal with being asked to import a new key after upgrades. While a savvy 
user could easily do this on their own, it would be nice to have this 
functionality streamlined into the distribution.

I do believe there are benefits to using secure boot with any operating 
system. Keeping secure boot enabled, even with some exceptions, would 
still offer users protection from things like an evil maid attack. 
Additionally, people in the GNU/Linux or BSD world should not ignore 
secure boot simply because there aren't enough *known* threats to 
warrant the extra effort of keeping secure boot enabled. My 
recommendation would be to find ways to better implement secure boot 
*before* it is needed instead of trying to find ways to keep it enabled 
after *known* threats force the adoption of secure boot.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ubuntu.com/archives/ubuntu-devel-discuss/attachments/20160704/2e7a53bf/attachment.html>