That wiki page buries what might be the rationale in the "What is UEFI Secure Boot?" section:
> Other Linux distros (Red Hat, Fedora, SUSE, Ubuntu, etc.) have had SB working for a while, but Debian was slow in getting this working. This meant that on many new computer systems, users had to first disable SB to be able to install and use Debian. The methods for doing this vary massively from one system to another, making this potentially quite difficult for users.
> Starting with Debian version 10 ("Buster"), Debian included working UEFI Secure Boot to make things easier.
Sounds plausible, but I don't know how seriously to take it, when that wiki page also includes very generous and regurgitated-sounding bits like:
> UEFI Secure Boot is not an attempt by Microsoft to lock Linux out of the PC market here; SB is a security measure to protect against malware during early system boot. Microsoft act as a Certification Authority (CA) for SB, and they will sign programs on behalf of other trusted organisations so that their programs will also run. There are certain identification requirements that organisations have to meet here, and code has to be audited for safety. But these are not too difficult to achieve.
I normally look to Debian to be relatively savvy about detecting and pushing back against questionable corporate maneuvers, but it's not perfectly on top of everything that goes on.
Can you provide examples of such pushback from Debian? I always viewed them as a typically understaffed, underfunded volunteer effort without the resources to push back against funded technology. I'm ready to be wrong on this, if you can help me out!
For example, Debian putting their foot down on closed drivers and (for a long time) downloadable device firmware blobs.
I've also seen Debian very responsive when I pointed out that a particular package was phoning home before consent was given.
And one of the notable annoying parts of the Debian installer forever is when you think it's started a long unattended period of installing packages, but it soon pauses to ask you for opt-in to some package usage telemetry (so at least they're asking before doing it).
I definitely get the understaffed vibe from Debian, but I'm also still pleasantly surprised how well they execute in general.
Contrast with a certain commercial derivative -- which snoops, installs closed software without the user understanding that's what they're doing, pushes an IMHO horrible different package manager, is sloppier about regressions in security updates, etc.
I wish I had time to volunteer right now to scratch some of the itches I have with Debian, and very much appreciate all the work that others have done and are doing on it.
Debian keeps track of all remaining privacy issues in all packages (i.e. such issues which have not yet been corrected or patched by the Debian package maintainer):