Sven Slootweg (soft-deprecated) @joepie91@pixie.town

@rune I mean, hosting one monthly active user on a sufficiently optimized chat service would be easily possible within that budget, but... with the complexity and featureset of Discord? Ouch. Not so sure about that one.

@Angle @dee If I understand you correctly, what you're proposing is an organization that essentially does ecosystem monitoring and proactively connects maintainers and funders where that's necessary, but that itself does not do the maintenance?

@freakazoid I guess my more fundamental point here is that the situation with secure boot is similar to that with a lot of snakeoil.

If you start by assuming secure boot, you can certainly retroactively find reasons and justifications why it might be useful. But if you started with a *problem statement of end-user security*, and asked what the most effective and efficient solution would be, you would never end up at "secure boot" as the answer.

That sort of situation is a very reliable red flag for a bad technology choice, often one that has been argued for for undisclosed other reasons rather than the stated one (and I suspect that the 'DRM' and 'corporate hardware' cases are those reasons, here).

@freakazoid Right, and that is a legitimate issue, but - and this is the crucial point - that is first and foremost an *operating system* problem.

There's so much more that operating systems could be doing to be much more resilient against this type of issue, like capability security, but aren't. Instead, the problem got shifted to firmware, even though that's a much worse place to address it in in many ways.

(Also: something that fucks with the boot chain can still be removed. There's nothing that makes that *fundamentally* harder than any other kind of software repair, and with sufficient-yet-imperfect security on the OS level, it would be a rare enough occurrence that it can be trivially handled through all the usual repair venues.)

@freakazoid Does it, though? What is the actual threat model here? Because this whole boot security panic started with BIOS malware - which needs to get installed somehow, which is usually going to be done by something run *within the OS*. If the OS does not permit that, nothing *can* get between the two.

The only threat models that firmware-level protections actually protect against are those that involve someone with physical access - and even then if the whole thing is configured in a watertight way and there's zero vulnerabilities in the system, and absolutely nothing except for a specific boot image is allowed to boot.

That leaves us with roughly three categories of beneficiaries:
- Particularly tech-savvy high-profile activists,
- Corporations trying to keep out employees, and
- Manufacturers trying to implement DRM.

There are other categories of people who would benefit from protection against physical attacks (folks with abusive partners, for example), but they are vanishingly unlikely to be able to set up boot security in such a way that it actually *would* protect them. And the vast majority of people are not high-profile activists.

So who is this firmware-level protection actually *for*?

@freakazoid While complexity is a real issue, I think the problem is of a different nature here: bootloader security should not have been the firmware's job to begin with, this is something that is IMO handled much better on an OS level, which can finely control which things can or cannot mess with the boot setup.

@freakazoid The bigger problem is that manufacturers cannot actually be trusted to do this right and so implementations constantly get broken, regardless of what the cryptographic model is on paper

@SimonTesla I... question whether that is even compliant with the applicable legislation, to be honest.

@venite Duidelijk onmisbaar commentaar!

@nessie The "mutual" refers to "among peers", more or less - rather than depending on some central institution of power, we help each other.

There's some degree of reciprocity implied in that, in the "each other" part, but it's not a hard expectation, and it's not just about financial support either - it's much more about the underlying ethics of solidarity, helping when you're able and receiving help when you are in need.

Some people will need much more help than they can give, because they grew up in a much less privileged environment, and that's completely okay - they don't "owe" anyone anything. The help is freely given, it's just about recognizing the moral responsibility to give that help if you *are* able.

Summarized: if you are in need of help, money or otherwise, feel free to ask for it! You do not owe anyone anything for it. All that's asked is that *if and when* you find yourself in a situation where you're stable and doing well, you have a look at how you can help others still in need. If things never are stable enough for that, that's okay too.

As long as those who are doing well do their part in supporting those who aren't yet, we'll all get there.