has been hugely successful, to the point of being used by the majority of significant Linux distributions and many other third party products (even, apparently, Solaris
). The aim was to ensure that it would remain possible to install free operating systems on UEFI Secure Boot platforms while still allowing machine owners to replace their bootloaders and kernels, and it's achieved this goal.
However, a legitimate criticism has been that there's very little transparency in Microsoft's signing process. Some people have waited for significant periods of time before being receiving a response. A large part of this is simply that demand has been greater than expected, and Microsoft aren't in the best position to review code that they didn't write in the first place.
To that end, we're adopting a new model. A mailing list has been created at firstname.lastname@example.org, and members of this list will review submissions and provide a recommendation to Microsoft on whether these should be signed or not. The current set of expectations around binaries to be signed documented here
and the current process here
- it is expected that this will evolve slightly as we get used to the process, and we'll provide a more formal set of documentation once things have settled down.
This is a new initiative and one that will probably take a little while to get working smoothly, but we hope it'll make it much easier to get signed releases of Shim out without compromising security in the process.