I am a user, but I will share my findings.

On Wed, 09 Feb 2022 14:35:02 +0100 inasprecali <inasprec...@disroot.org> wrote:
> Package: gnome-software
> Version: 3.38.1-1
> Severity: normal
> X-Debbugs-Cc: inasprec...@disroot.org
>
> Dear Maintainer,
>
> When installing a new Debian system (stable release 11.2 at the time of
> writing) with as few custom options as possible (e.g., changing none of
> the ticks in the screen where you're asked which system components to
> install), fwupd ends up being installed and its related services enabled
> and running. Specifically, these services are fwupd.service and
> fwupd-refresh.timer, and they show up in "systemctl status" and
> "systemctl list-timers" respectively.
>
> I ran "aptitude why fwupd" to check why it was installed in the first place
> (since it did not appear to be installed with desktop environments other
> than GNOME) and found out that the package that was pulling fwupd was
> gnome-software, which has a "Recommends" dependency on fwupd.
>
> gnome-software itself ends up being installed together with GNOME as part
> of the default install. Since it's a "Recommends" dependency, but not
> a "Depends" dependency, it can be removed without an issue.
>
> However, I think that the "Recommends" dependency itself is a significant
> problem, because it violates Debian's "stable" release philosophy.
BIOS is not part of the distribution. BIOS upgrades tend to be only for
security upgrades or bug fixes, so they are already in the Debian stable
scope (I would even say it could be a security hole not to upgrade the BIOS
nowadays that 90% of BIOS upgrades are only about security fixes).

> This
> amounts to upgrading firmware-packages "randomly", through an unaudited
> process, effectively leaving the user at the mercy of vendors in the LVFS
> program. The worst aspect is that, unlike buggy "regular" software which
> one can always uninstall via apt, buggy firmware can brick hardware. In
> fact, there are precedents of this happening on Ubuntu, for example:
> https://github.com/fwupd/fwupd/issues/655

In this link, the upgrade is not automatic. There is a notification and the
user acked the upgrade. This upstream report is about a user having a buggy
firmware version set after hitting the button to upgrade the firmware.
https://github.com/fwupd/fwupd/commit/f3fc6461488ba7b3dfad6c4ff33b953a3f1abb8f

I have seen an Ubuntu user telling that his BIOS was upgraded without him
acknowledging, but I only saw one such report and it might be an Ubuntu
program controlling fwupd for the user, even though I doubt they do.
https://ubuntuforums.org/showthread.php?t=2475531&page=2
But no real investigation in these posts.

But I have no practical experience with BIOS and fwupd, as my UEFI has no
entry in the LVFS db used by fwupd, as Lenovo only added their newest
systems. Though I had to manually request the UEFI dbx upgrades (not BIOS
per se, even though updated through fwupd).

If you have reports of automatic BIOS upgrades on Debian (or even other
reports than https://discuss.getsol.us/d/10282-fwupd, which tells that the
BIOS upgrades are automatic for Solus OS, then that they are not. None
based on experience.)

Even for non-firmware, gnome-software does not do automatic upgrades.
> Therefore, my personal recommendation is to remove the "Recommends"
> dependency on fwupd from gnome-software (making it a "Suggests" dependency
> at most). In fact, due to the potential issues caused by constant firmware
> updates, I might recommend making sure that no package such as fwupd ends
> up installed by default (of course, users can always install it manually
> if they explicitly choose to do so).

This is not what Suggests is for. Recommends is to tell that the program
still works if the package is missing but will lack features. fwupd is a
Recommends per Debian definition. Mangling it into Suggests so as to not
have it installed is abusing the policy. If a package should not be
installed, it should not be in the dependencies at all.

I see the ability to upgrade an insecure BIOS without requiring to be a
technician to be an important feature of a Debian system. I am against the
"don't touch until it breaks" when it comes to security and bug fixes. One
should not add features to a stable release, agreed. Even for BIOS. But
these BIOS upgrades are not about adding features (if only we could have
manufacturers provide bug fixes ... they seem to only care about security
uploads).

You should open a bug report on fwupd for it to not auto-update firmware if
it does. But I doubt they do. If it is gnome-software telling fwupd to do
the update without the user's consent, you could reopen the bug against
gnome-software. But moving a package from Recommends to Suggests because
upgrading firmware can be risky, I disagree.

If you agree with my points, you can send an email to
bugnumber-d...@bugs.debian.org to close this report.
https://wiki.debian.org/BTS#Closing_bugs
As I am neither the reporter nor the maintainer, I am not supposed to do it.

> Of course, although I explained why
> I believe so, this is just my opinion, and I'm open to different suggestions.
>
> Thank you for your time.
>
> -- System Information:
> Debian Release: 11.2
>   APT prefers stable-updates
>   APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
>
> Kernel: Linux 5.10.0-11-amd64 (SMP w/8 CPU threads)
> Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8), LANGUAGE not set
> Shell: /bin/sh linked to /usr/bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
>
> Versions of packages gnome-software depends on:
> ii  appstream                                    0.14.4-1
> ii  apt-config-icons                             0.14.4-1
> ii  dconf-gsettings-backend [gsettings-backend]  0.38.0-2
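The "aptitude why fwupd" check from the report and the Depends/Recommends/Suggests distinction argued over in this thread, as an added shell example that is not part of the bug thread nor of gnome-software or fwupd: it parses a Debian control stanza (the stanza below is a constructed sample, not the real package's fields) and reports which relation field names a given package, and whether a default install would bring that package along under the APT::Install-Recommends setting. It assumes each field value sits on one line, as "apt-cache show" prints it; the helper names dep_relation, pulled_in_by_default and apt_install_recommends are this example's own.

```shell
#!/bin/sh
# Added example, not from the bug report: answer "why would PACKAGE be
# installed?" from a Debian control stanza. Field values are assumed to be
# unfolded (one line each), as "apt-cache show" prints them.

# dep_relation STANZA PACKAGE
# Prints the first relation field (Pre-Depends, Depends, Recommends, Suggests)
# that names PACKAGE, or "none" (exit status 1). Alternatives ("a | b"),
# version constraints ("(>= 1.0)"), architecture qualifiers (":any") and
# restrictions ("[amd64]") are stripped before comparing names.
dep_relation() {
    stanza=$1
    pkg=$2
    for field in Pre-Depends Depends Recommends Suggests; do
        if printf '%s\n' "$stanza" \
            | sed -n "s/^$field: //p" \
            | tr ',|' '\n\n' \
            | sed 's/ *([^)]*)//; s/ *\[[^]]*\]//; s/^ *//; s/ *$//; s/:.*//' \
            | grep -qxF -- "$pkg"; then
            printf '%s\n' "$field"
            return 0
        fi
    done
    printf 'none\n'
    return 1
}

# pulled_in_by_default STANZA PACKAGE INSTALL_RECOMMENDS
# "yes" if installing the stanza's package with default options would also
# install PACKAGE. Depends always pulls; Recommends pulls unless
# APT::Install-Recommends is "0"; Suggests never does.
pulled_in_by_default() {
    case "$(dep_relation "$1" "$2")" in
        Pre-Depends|Depends) echo yes ;;
        Recommends) if [ "$3" = 0 ]; then echo no; else echo yes; fi ;;
        *) echo no ;;
    esac
}

# apt_install_recommends
# Reads the live APT::Install-Recommends value ("1" is APT's default);
# prints "unknown" where apt-config is not available (non-Debian host).
apt_install_recommends() {
    command -v apt-config >/dev/null 2>&1 || { echo unknown; return 0; }
    v=$(apt-config dump 2>/dev/null | sed -n 's/^APT::Install-Recommends "\(.*\)";$/\1/p')
    echo "${v:-1}"
}

# Constructed sample stanza for offline use (not the real package's fields).
SAMPLE_STANZA='Package: gnome-software
Version: 3.38.1-1
Depends: appstream (>= 0.14.4), apt-config-icons (>= 0.14.4), dconf-gsettings-backend | gsettings-backend, libc6 (>= 2.14)
Recommends: fwupd, gnome-software-plugin-flatpak:any
Suggests: apt-config-icons-hidpi, gnome-software-plugin-snap [amd64]'

# Run with the argument "demo" to print the classification for fwupd.
if [ "${1:-}" = demo ]; then
    rec=$(apt_install_recommends)
    echo "fwupd relation to gnome-software: $(dep_relation "$SAMPLE_STANZA" fwupd)"
    echo "APT::Install-Recommends=$rec, pulled in by default: $(pulled_in_by_default "$SAMPLE_STANZA" fwupd "$rec")"
fi
```

On a Debian host, the output of "apt-cache show gnome-software" can be passed in place of SAMPLE_STANZA; a "Recommends" answer with Install-Recommends left at its default is exactly the situation the report describes, and switching the setting to 0 (or removing the package) is the configuration-side counterpart to the policy change the reporter asks for.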