On 26/12/2018 22:32, Steve McIntyre wrote:
> On Wed, Dec 26, 2018 at 10:27:35PM +0100, Cyril Brulebois wrote:
>> Steve McIntyre <st...@einval.com> (2018-12-26):
>>> Philipp Kern <pk...@debian.org> (2018-12-26):
>>>> I'm not sure, though, if there is some philosophical objection here in
>>>> that fwupd downloads non-free blobs and/or that Debian does not actually
>>>> ship the blobs themselves.
>> FWIW both parts seem unacceptable to me, esp. in a default installation.
>>> They're not all necessarily non-free, but it's a useful service for
>>> people to make safe firmware updates easy.
>> How do we know those blobs are safe, and that they won't change all of a
>> sudden if they aren't hosted on Debian infrastructure?
> We *don't* directly, but the blobs are signed and placed online by
> the vendors. LVFS (the online backend) is a good Free
> Software-friendly service.
Interestingly enough the vendor signs a blob (CAB file) and LVFS throws
it away and re-signs the blob with its own key. But then again I think
the base assumption is that the contained firmware images are themselves
signed as well and the BIOS does a check before ingesting them.
Obviously you end up with the usual concerns like the repository being
able to hold back updates from certain clients. The website's code is
supposedly available on https://github.com/hughsie/lvfs-website/ though
and I suppose a transparency effort could solve that particular problem,
too.
> This is a major step forwards from the old Windows-only or "boot a DOS
> floppy" style of firmware updates.
Oh yes. Not just that, also finding the right image to apply and then
figuring out how the hell to apply it is a solved problem with EFI-based
fwupdate.
Kind regards
Philipp Kern
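The two-layer trust model Philipp describes above (a vendor-signed firmware image inside a repository-signed bundle), together with the freshness check that addresses the "holding back updates" concern, as an added example that is not part of the thread and not fwupd's or LVFS's code. The bundle layout, field names and expiry mechanism are assumptions made for illustration; the signature scheme is Go's standard-library Ed25519.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"time"
)

// Constructed model of the two-layer trust in the thread (not fwupd's real CAB
// format): the vendor signs the image, the repository (LVFS) signs the bundle.
type Bundle struct {
	Image       []byte // firmware image; the vendor signature on it is what the BIOS checks
	VendorSig   []byte
	Version     uint32 // release number, must never go backwards
	ExpiresUnix int64  // repository metadata is stale after this time
	RepoSig     []byte // repository signature over all fields above
}
// signedFields serializes what the repository signature covers.
func signedFields(b *Bundle) []byte {
	var tail [12]byte
	binary.BigEndian.PutUint32(tail[:4], b.Version)
	binary.BigEndian.PutUint64(tail[4:], uint64(b.ExpiresUnix))
	msg := append(append([]byte{}, b.Image...), b.VendorSig...) // sig is fixed 64 bytes
	return append(msg, tail[:]...)
}
// Publish is the vendor/repository side: the vendor signs the image, the
// repository signs the whole bundle together with an expiry.
func Publish(image []byte, version uint32, expires time.Time, vendorPriv, repoPriv ed25519.PrivateKey) *Bundle {
	b := &Bundle{Image: image, Version: version, ExpiresUnix: expires.Unix()}
	b.VendorSig = ed25519.Sign(vendorPriv, image)
	b.RepoSig = ed25519.Sign(repoPriv, signedFields(b))
	return b
}
// Verify is the client side: both signatures, an expiry so the repository cannot
// re-serve an old bundle forever (the "holding back" concern), and rollback protection.
func Verify(b *Bundle, vendorPub, repoPub ed25519.PublicKey, now time.Time, installed uint32) error {
	switch {
	case !ed25519.Verify(repoPub, signedFields(b), b.RepoSig):
		return errors.New("repository signature invalid")
	case now.Unix() > b.ExpiresUnix:
		return errors.New("repository metadata expired; updates may be withheld")
	case b.Version < installed:
		return errors.New("rollback: bundle older than installed firmware")
	case !ed25519.Verify(vendorPub, b.Image, b.VendorSig):
		return errors.New("vendor signature on firmware image invalid")
	}
	return nil
}
```

A repository that only re-signs vendor blobs can still withhold a newer release, which is why the client rejects metadata past its expiry rather than trusting the signature alone.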