Wouter Verhelst <[email protected]> writes:

> On Fri, Feb 13, 2026 at 11:54:37AM +0100, Simon Josefsson wrote:
>> What I hope to be saying is that Debian can be improved to not force
>> non-free software into users' software supply-chain.
>
> This is actually not true.

I think discussion about this topic could be improved by not claiming
that one's own interpretation of the situation is the only valid and
factual way to think. If Debian would ship installer images without
non-free blobs on them, things would be better for me, and Debian
improved as a result. That invalidates your claim, and could be the end
of discussion.

In the hope of conveying WHY that would be better for me, I'll respond
to the rest of your e-mail. I doubt it will change your or my opinion,
but I'm hoping this may lead to a more nuanced discussion, and lead to
understanding that there may be other ways to think about non-free
binaries than yours. You may continue to disagree, but maybe we can get
to a state where you acknowledge that other opinions are valid.

> Debian not shipping non-free firmware means that our hands are clean.

Right.

> But the non-free software in question would *still* be forced into
> users' software supply-chain.

I disagree. I can use Debian Libre on several machines without having
to inject non-free software into the machine. For example my main
laptop, a Novacustom NV41.

Granted, the non-free firmware embedded in the hardware would be part of
my hardware supply-chain. But that is a completely different topic, and
embedded outdated non-free firmware probably doesn't even make it on my
top-5 list of concerns with hardware supply-chain issues. You can shoot
down my choice of Novacustom NV41 as my laptop for many reasons related
to hardware supply-chain security, and I'll probably agree with all of
them. But Debian isn't selling laptops, we publish an OS. What we can
influence inside Debian is what Debian is about.

> It would just use different channels, not Debian.

On my Framework 13" laptop, I can install Debian Libre and then opt-in
to add non-free stuff (e.g., firmware-amd-graphics) coming from Debian
after the installation. So it is possible to use Debian as the channel
for non-free stuff even if the installer images don't contain them.

> There are really only four options you can take:

I disagree, and use different approaches for some machines (see below),
so I think this summary is talking past each other.

> 1. Do not ever install updates for non-free firmware, keep the firmware
>    version that is shipped with the hardware. This is the choice
>    Trisquel made; this is the choice the FSF wants you to make.

I believe that misattributes the Trisquel/FSF position and
recommendations. Basic intro pages about what free software is on
www.gnu.org or www.fsf.org should explain that this is not something
they recommend.

>    It
>    however does not result in the user not running non-free firmware,

I disagree -- the user will not install and run non-free firmware in
this case. In that sense, the user is not "running non-free firmware"
here.

>    it only results in that fact being less obvious.

We can educate users about this matter. I think there is growing
awareness of this concern.

>    It *could* be a valid
>    choice for Debian to make, but I don't think we should take that, and
>    the GR we took on the non-free firmware issue confirms that this is
>    the opinion of a majority of us.

Right.

>    This choice means that Debian keeps
>    its hands clean, but users run insecure and buggy versions of their
>    firmware.

What is a bug depends on the use-case. In this example, the user has a
choice of running a libre OS on old non-free firmware shipped with the
product and at least in the EU has access to customer protection laws
that in theory hold the producer accountable for defects. The machine
works fine for many use-cases. Or install Debian accepting the non-free
firmware update license agreements which voids the user's rights and
subjugates them into whatever the whims of the producer will be at any
future date, in order to access newer firmware code that allegedly
(there is no way to really prove anything without access to source) has
some improvement according to marketing.

For me, which buggy situation that I would prefer to be in is a simple
choice. I'm sure it is the reverse for many others.

> 2. Do not ship non-free firmware through Debian, but users install
>    updates through upgrade packages that they download directly from the
>    vendor. Debian's hands are clean, and users (could) run up-to-date
>    versions of their non-free firmware, but they have to manually keep
>    track of what's available as well as verify code signatures on the
>    upgrade packages provided by the hardware manufacturer. I think this
>    choice is objectively the worst for our users; you get all the
>    downsides and no upsides.

I think this would be a good improvement, so I really don't understand
where your "objectively" is coming from. This makes it clear that
Debian focuses on free software, and for unethical non-free software the
user has to ask the vendor, which will over time make products that work
better on Linux. This approach has worked well for 30+ years, even if I
hear everyone still complaining about this aspect. Today I can buy
products that work well with GNU/Linux presumably thanks to users'
continued and increasing requests for products to support GNU/Linux. I
think we should be happy with what has been accomplished here, and be
optimistic about further improvements for the next 30+ years.

> 3. Do ship non-free firmware updates through Debian. If you want to
>    install updates for non-free firmware, this is better for you than
>    the second option; you do not need to manually track and validate
>    upgrades, Debian does that for you. Other than that, there is no
>    difference with option two.

That is fine for Debian to do, and I have no objections to Debian doing
this. This is what Debian used to do, and what I think Debian should
continue to do. A simple way to achieve this is to publish both free
and non-free installer images. I'm happy to support these free images,
as I already do for Debian Libre.

> 4. Install coreboot on your laptop, and make sure that any form of
>    non-free firmware in any flash memory is erased; additionally, update
>    coreboot such that any hardware which has non-free firmware in ROM
>    rather than flash memory is disabled. This means that you are not
>    running any non-free firmware.

That's a fine approach, but I suppose not many people will bother.

>    It also means that some part of the hardware of your laptop will not
>    work. Most likely, this will include things like the display, the wifi
>    interface, and the USB controller, amongst others.

Again, "work" depends on what your use-case is.

> There is no option 5, "do not buy hardware that does not require
> non-free firmware", because such hardware does not exist.

I both disagree and believe this is irrelevant. I have a bunch of
machines that do not require non-free firmware (e.g., Talos II, NV41,
Framework 13", Protectli VP2440). Even if no such machines were
available, someone could still build one from scratch. It wouldn't be
performant, and not economical, but not impossible. Debian could be
made to work on such a platform.

Probably you mean something else than I do with "require" here.

> There *is* an option to buy hardware that makes more of its parts
> functional if you choose to go for option 1, but that is absolutely
> not the same thing.

Maybe this explains your definition of "require" here. Is the following
the distinction at play here?

1) You define "require non-free firmware" to mean that somewhere inside
   the hardware there is non-free firmware embedded.

2) I define "require non-free firmware" to mean that the user has to
   supply non-free firmware to be able to use the machine.

I think both definitions are reasonable. There are more:

3) Define "require non-free firmware" to mean that anywhere in the
   design, manufacturing, selling and shipping the product, some
   non-free firmware code is loaded by users responsible for doing that
   part.

Or even:

4) Define "require non-free firmware" to mean that anywhere in the
   design, manufacturing, selling and shipping the product, some
   non-free firmware code is stored inside any hardware used by any user
   responsible for doing that part.

> Now, it would be one thing if option 1 were to bring us closer to a
> situation where option 5 does become available. But that is not the
> case; a hardware manufacturer couldn't care less whether you installed
> firmware updates (option 2) or not (option 1), they do the work anyway
> and it's your choice whether to install it; whether you go for option 1
> or option 2 makes absolutely zero difference for them.

I disagree -- and believe the past 30+ years of product improvements
disprove that claim. Selling products that work better for GNU/Linux is
now common and an important business criterion. I say that both as
consumer seeing products on the market, and with my background at Yubico
where GNU/Linux compatibility was a key enabler for selling hardware.

> Worse, the FSF's "respect your freedom" campaign, which effectively
> claims that option 1 is good enough, means that manufacturers with
> good intentions have now settled for the easier to accomplish goal of
> hardware that makes option 1 an option, rather than option 5. Had the
> FSF held that option 5 must be an option, then we might have had
> working hardware that allowed option 5. But alas, the FSF decided that
> *true* freedom from non-free firmware does not matter...

The FSF decided, for better or worse, that their focus is on software.
The approach follows from that decision. I would be happy to see someone
promote hardware freedom in the same sense as the FSF has done for
software. Seems like you would too? My reading here is that you blame
the FSF for focusing on software freedom, and that they are bad for not
taking on hardware freedom.

/Simon

