Reply to post: Re: Secure boot?

Lenovo shipped lappies with man-in-the-middle ad/mal/bloatware

thames

Re: Secure boot?

@Lee D - "To install ANYTHING on Windows or Linux which runs in the way of necessary drivers, you need to be able to slipstream things into the initial install which can be run as an administrator."

- I won't argue with the general thrust of your argument so far as Windows is concerned, but with Linux, drivers are normally written by the chip manufacturers and are part of the Linux kernel, not a third party add-on. There are a lot of technical advantages of doing it that way, but from the user's perspective it means that if you have a reasonably up to date kernel, then any drivers you may need normally come built right in. The reason why things are different on Windows is that Microsoft doesn't (understandably) want to hand out their kernel source code to anyone who asks for it.

@Lee D - "hence why Linux can still boot on Secure Boot systems with (I believe) a Fedora/Microsoft-signed bootloader."

- Different distros have different solutions to this, but it basically revolves around having a signed pre-boot loader. The pre-boot loader loads the real boot loader, which then loads the kernel. I believe that Ubuntu had this first, but Red Hat/Fedora and Suse now also have their own. Overall though, it works more or less as you said. Each step in the chain checks the next step before loading it. It's intended to prevent root-kits from being loaded before the OS.

@Lee D - "MS has to certify and pre-install ... every application as well. ... Want to install that freeware that you downloaded off the net to fix a problem? . "

The solution which Linux distros came up with in the 1990s was repositories. These days the proprietary vendors call them "app stores". There are tens of thousands of packages ("apps") in Debian or Ubuntu. You can add third party repos if you want, which is how some proprietary software vendors offer their products. If you are doing a corporate deployment, you can change the configuration to point at your own repos, which is how you can control what software gets installed. Packages in the repos are signed, and the signatures are checked before they are installed.

I think that this is the way which Apple is going with OS/X, and I imagine that Microsoft eventually will as well. If they copy the way that Linux distros do things, then third party repos will be supported so companies such as Adobe will be able to run their own independent "app stores" instead of paying 30% commission to Apple or Microsoft on every sale.

There is some talk among Linux developers about checking the signature on each program before running it, but I don't know if that can be made to work with user-written scripts. If not, then that idea obviously won't work. Ubuntu has been doing a lot of work on sand-boxing individual apps for their mobile efforts, and has lately realized that it has advantages for cloud (like Docker) and desktop uses as well. This is probably the future direction of security for the desktop.
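The chain of checks described in the comment above (pre-boot loader, then boot loader, then kernel), as an added Python sketch that is not part of the original post. It is a simplification: it pins SHA-256 digests where real Secure Boot verifies signatures, and the stage names, image layout and contents are constructed for illustration.

```python
import hashlib

SEP = b"|next="  # constructed image layout: <code>|next=<hex digest of next stage>

def digest(blob):
    return hashlib.sha256(blob).hexdigest()

def build(name, code, nxt=None):
    """Create a stage image that embeds the digest of the stage it will load."""
    pin = digest(nxt["image"]).encode() if nxt else b""
    return {"name": name, "image": code + SEP + pin}

def verify_chain(firmware_pin, stages):
    """Walk the chain as the firmware would.

    Returns (names of stages loaded, name of the refused stage or None).
    """
    expected, loaded = firmware_pin, []
    for stage in stages:
        if digest(stage["image"]) != expected:
            return loaded, stage["name"]  # stop: this stage is not what was pinned
        loaded.append(stage["name"])
        # The next expected digest is read from the image that was just
        # verified, so the policy for the next step is itself covered.
        expected = stage["image"].rsplit(SEP, 1)[1].decode()
    return loaded, None

def demo():
    # Build the chain backwards so each stage can pin the one after it.
    kernel = build("kernel", b"kernel-code")
    loader = build("bootloader", b"bootloader-code", kernel)
    shim = build("pre-boot loader", b"pre-boot-code", loader)
    firmware_pin = digest(shim["image"])  # the only value the firmware stores

    good = verify_chain(firmware_pin, [shim, loader, kernel])

    # Case 1: kernel modified on disk; the boot loader's pin no longer matches.
    bad_kernel = build("kernel", b"kernel-code+modified")
    swapped = verify_chain(firmware_pin, [shim, loader, bad_kernel])

    # Case 2: boot loader rebuilt to pin the modified kernel; that changes the
    # boot loader's own digest, so the pre-boot loader refuses it instead.
    bad_loader = build("bootloader", b"bootloader-code", bad_kernel)
    repinned = verify_chain(firmware_pin, [shim, bad_loader, bad_kernel])
    return good, swapped, repinned

if __name__ == "__main__":
    for loaded, refused in demo():
        print("loaded:", loaded, "| refused:", refused)
```

The second case is the reason every link matters: changing what a stage is willing to load changes that stage's own bytes, so the failure simply moves one step earlier in the chain.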
