Bonum Certa Men Certa

GNU/Linux Users Infuriated by Microsoft's Lennart Poettering Attacking Linux Freedom

Related: Microsoft is Trying to Hire (Read: Pay Salaries to) Matthew Garrett

Did you join Microsoft to attack Linux?



Summary: Microsoft's Lennart Poettering didn't take long to show his true colours... (and agenda)

AS just noted in Daily Links (or here), Lennart Poettering is being bossed by the NSA's foremost tentacle (Microsoft) and he acts accordingly. He says "I would go as far as saying that SecureBoot on Linux distributions is mostly security theater at this point, if you so will." (It is in general the case, not just in Linux)



But he wishes to go further with the security theater.

Although LWN lacks comments on this matter and Phoronix is, as usual, just Microsoft-friendly fluff these days, we need to examine comments in Phoronix. Here are some:

And of course, the UKI must include systemd, that will take over as a UEFI payload and control everything in the system!



Responding to the above:

Next year's new systemd plugin, same old story.



More:



Great. Some of the reasons I can't stand Windows.



How about no, especially if it makes it harder to build your own kernels or to make changes to the initrd



Responding to the above:

That's the fly in the ointment. The whole trusted boot and execution system requires end users to be able to load their own keys into the UEFI boot key store. Not all hardware allows that. For that matter not all PC hardware even allows for it. The only way this works is if there's some way to require OEMs to allow third party keys other than those signed by a megacorp. Apple and Microsoft will fight that with every dirty trick, lawsuit, and just plain underhandedness they can - and not enough users will even notice to bother to protest - so it's unlikely there would be any effective regulatory process to stop it. Think of the kids. Think of the corporate bottom lines. Think of national security. Think of...



To which the reply was:

That is not enough -- if there is a way to enroll user keys, evil maid can use it to inject her own. There are some solutions, but they are super complex in comparison to just fuse corpo-keys. Anyhow, all this requires user to fully trust the motherboard firmware, which is not verifiable.



More:

No, thanks. I'll opt to continue configuring and building my kernels (and initramfs) locally. Unsigned, very true. Trusted by .... me And yes, running an OpenRC system here.



Bureaucracy has arrived at Linux. Every bit needs a form and a signature before it can be flipped.


This is ridiculious. Securtity has nothing to do with signing if there is not trust in that chain. You must trust the parties involved in signing - and in case of Microsoft one would be crazy to trust it (we got lots of proofs). All those pseudo security features made the computers much less trust worthy - using minix to spy on users (Intel) - the stupid boot signatures which are more for making GNU/Linux more inconvenient or broken than making anything more secure. And the big binary monster of systemd may be nice to improve boot time and avoid race conditions, but the killing of processes and other things configuered in disguise does not make the situation better but much worse. Trust comes if you understand your system - and if other use reasonable defaults. Init scripts were easy - systemd is a monster in comparison. So while not against a trusted boot process in general, the authority must be trustworthy - and I am not aware of anything which would provide the necessary level of trust. And if big companies are involved it comes with a necessity of matching agendas - and not concerning security but more to the contrary. So this is just a Trojan Horse ... and a realy obvious one.



Bureaucracy came to Linux decades ago.
No, it was optional and so has not arrived, but was only lurking in the shadow. A bit like you.

The way I see it is this corporate FUD - the type of features corporations create when they have become too large to fail, and need to trick customers to get them to believe they need something they do not. And who is he working for now? Right, Microsoft ... I did not need a secure boot process in 25 years and I did not need Microsoft, and this is not going to change.


And? It's generated locally which makes it 1000 time more trusted than being generated remotely by who knows on what server run by who knows who! Why the fuck would I want it to be built and signed by someone who I don't know and trust? Lennart, get lost with your Microsoft infested ideas that can only think on how to infest more computers with its spyware! From all the employers you couldn't work for another one? I'm starting to feel more and more disgusted about this attitude and thinking that we are so stupid to want thing built by somebody else, especially by Microsoft!



Reply:

If it's reproducible, it kinda doesn't matter who signs it. If it also makes it 1000x harder for anyone to sign images that aren't reproducible, then most end-users have avoided plethora of attacks - quite unattainable for malware makers and most bad actors.

I'm starting to feel more and more annoyed how I can't give regular people an hardened Linux setup resistant to most ab- and misuse. All because of some pointless feet-dragging all while the actual threats to computing freedom fly past unnoticed.



More:

You are simply not save from mega corporations. They will try to cash in on every bit of fear, uncertainty and doubt you may have. They want you to need them and to buy from them. First they tell you it is 'locally generated', then it is 'generated', and then to best buy it from them for a price...



Uhu, so we all need to pay someone else to give us a f* rng nft: “hey daddy, can you please sign my initrd?, here are some bucks for your efforts”, to use whenever it actually matters because, yes, I bet everyone would be able to sign their own stuff, but of course, we would need certified signatures from some megacorp *cough, Microsoft, cough* to use our own things anywhere outside our home lab.

We have seen this sh* with secure boot or web certificates to name two from the top of my mind; good intentions on paper, implementation faulted by design to maximize profit for a selected few.





I have not lost time or work to an attack which would be hindered by secure boot and don't know anyone else who has either. I have repaired and recovered data from computers for myself and others by booting external media of my own contrivance. I gain substantial benefit from external media Linux installations where my usb stick or SSD carries a useful environment to most any machine.

I see zero benefit, only pain as the boot process gets locked down like a cell phone, game console or Windows. It is about security, not user security, not my security, not your security. Who is Lennart working for now? Who is putting up the money? There is a good place to start looking.


"How on earth that now would work" you say... So you do not know and have got no idea. At least are you not hiding your ignorance. You must think all this encryption can be disabled or worked around easily. It is like you expect nightclubs to have two entrances, one with a bouncer and one without, where you can choose one or the other in case the bouncer does not let you in. You seem to be missing the basic principle here. It has to be mandatory at every link and layer, or it will be as weak as the weakest point. So it is either a useless feature or a guaranteed source of trouble for admins and anyone who wants their freedom.



Seems like this is the biggest problem: Asshole vendors that don't allow the user to sign their own shit. Funny how the whole "Trust" issue requires me to trust corporations who have done the wrong things in the past that hire people I've never met and vetted that run closed source code that isn't audited or vetted by a greater community at large.

Am I the weird one for thinking that I don't like being forced to trust them and that it's fucked up that I'm not allowed to trust myself or those that I deem trustworthy? I feel like the phrase "Protect and Serve" comes to mind.

Since you're at Microsoft, how about getting them to flex their muscles into strong-arming vendors and BIOS makers into making a method that allows the user to add their own keys so the initrd can be added to the secure chain and mitigate all the systmed madness...Or have you taken too many Soma Tabs, Linus.

Systemd is great, but it doesn't have to be the solution to every problem. It can be A solution, but it sucks when it's THE solution.



Ah yes, another dubious "security feature" that is just another thinly veiled excuse for big corpos to control the open source ecosystem.

Never forget "Embrace, extend, and extinguish"!



Is Lennart Poettering the Klaus Schwab of linux world? Honest question.



There will be more to come for sure. Maybe even a bunch of Microsoft AstroTurfers.

Recent Techrights' Posts

Open Source Initiative (OSI) Privacy Fiasco in Detail: A "Deep Dive" Into the Complaint at the California Privacy Protection Agency
There are many facets to it and it may be the first complaint of several
Microsoft Problems in Europe Even Before the Cheeto Tariffs
The case of Romania, Europe's notorious Microsoft fan
Oman in 2025: GNU/Linux Growing to 5%
what can Microsoft do about it except sabotage the PCs?
Microsoft Shares Collapse Again (Down $101), Fifth Round of Microsoft Mass Layoffs in Less Than 100 Days in 2025
disaster
 
On Shutdowns and 2,000 More Layoffs at Microsoft (10,000 Microsoft Staff May Have Already Been Laid Off in 2025)
Microsoft tries to hide and belittle mass layoffs; its data centre business also flounders, so it issues puff pieces about some anniversary over and over again
Gemini Links 08/04/2025: Gabbro 0.1.4 and Disillusioned With Social Control Media
Links for the day
Microsoft Windows in Jordan: From 99% Down to 10%
This is becoming more "normal"
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Monday, April 07, 2025
IRC logs for Monday, April 07, 2025
Gemini Links 07/04/2025: Stock Market, Galène, and DMT Entities
Links for the day
During the Weekend We Said Fedora DEI Requires Proprietary Software, Now the Chat About It Is No Longer Accessible Over the Open Web
is this just a coincidence and an habitual change in Element?
Links 07/04/2025: US Measles Fatalities and China Launches HDMI and DisplayPort Alternative
Links for the day
Links 07/04/2025: More Cuts to Science Funding, Snail-speed Internet in Germany
Links for the day
Gemini Links 07/04/2025: Leasehold and Safe Gifts
Links for the day
In Some Countries, Laptops and Desktops Become a Dying Breed (Even Before Tariffs), Windows Has Nowhere to Go
expect more GNU/Linux on new and existing laptops
When the Credibility or 'Quality' of Clients Ceases to Matter, It's About Helping Rich Companies Like Microsoft Censor Critics (No Matter the Risks)
Bad ideas typically result in undesirable outcomes
UAE: GNU/Linux and Android at Record Levels, Windows at New Lows and Falling Below Apple
Even iOS is measured as bigger than Windows this month
Links 07/04/2025: Reddit Occupied (Social Control Media Controlled by Oligarchy), Demise of Globalisation Ongoing
Links for the day
Windows Has Fallen to All-Time Lows in Switzerland Since GNU Celebrated 40th Anniversary (GNU’s 40th Birthday in Biel, Switzerland)
GNU/Linux has been doing well in Switzerland
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Sunday, April 06, 2025
IRC logs for Sunday, April 06, 2025
Links 07/04/2025: Leaving Gemini/smolweb and Mastodon Migrations
Links for the day
In Iraq, Windows 3.1 (Percent)
There's also zero
One Person's Take on Jef Spaleta, the New Fedora Project Leader
"With a little searching, I wonder what else may be found regarding Microsoft."
Links 06/04/2025: Flood, Cool Gemini Capsule, and Long Form
Links for the day
Links 06/04/2025: Science, Politics, and Pricier Goods
Links for the day
LLM Slop Has Virtually Killed unixmen.com and Many Other Sites
There's no longer any incentive to write real articles in there
Sharp Declines for Microsoft Windows in Bangladesh (Pop. ~175,000,000), Big Gains for GNU/Linux
Microsoft Windows has been having a really hard time in poor countries
Links 06/04/2025: Fake Reviews, Privatisation Heists, and "AI" as Smokescreen for Impoverishing Humans
Links for the day
Taking a Moral Stand Against Strategic Lawsuits Against Public Participation (SLAPPs) and the Worst Offenders/Facilitators
Any other stance would sidle with moral depravity or moral hazard
Links 06/04/2025: Many New Acts of Repression and Elements of Financial Depression
Links for the day
In Qatar GNU/Linux Rose From Under 1% to Over 4% in Two Years (or Over 5% If Counting ChromeOS)
It's a big improvement compared to what we saw last year
LLM Scrapers Are a Nuisance, But They're Also a Reminder It's Time to Make Your Site Static
Perhaps the best protection is the ability to endure surges
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Saturday, April 05, 2025
IRC logs for Saturday, April 05, 2025
Links 06/04/2025: Attacks on Education, Fake Patents, and Fake (Illegal) Patent Courts
Links for the day
France: Apple and Microsoft Down, GNU/Linux Up to New Record Levels
How will tariffs against France impact things in the coming months?