On Sat, Mar 08, 2025 at 02:51:29PM +0100, Johannes Schauer Marin Rodrigues wrote:
> Hi,
>
> Quoting Simon Josefsson (2025-03-08 13:43:26)
> > My point was that there is no reasonable way to gain confidence about
> > security properties of any piece of non-free microcode. Everyone can now
> > produce AMD microcode that corrupts your machine in advanced ways that evade
> > detection, but we don't know if such malicious corruption is included in the
> > official microcode. Having source code for the microcode would help gain
> > confidence in it, and is the reasonable request. If the request is denied, I
> > would consider the vendor not trustworthy and look into options.
>
> I do not understand something about this argument.
>
> If you don't trust the vendor, then it makes no difference whether or not new
> official firmware/microcode can be uploaded/flashed or not. If you don't trust
> the vendor, then the initial microcode that came with your device might already
> be doing things that go against your interests.

Trust in vendors (actually also their trustworthiness) is a function of time. Remember when Github was bought by Microsoft? Remember when Twitter was bought by -- uh -- whatever?

Cheers
--
t