Re: How secure is an installation with with no non-free packages?

[Jose Luis Rivas <ghostbar@debian.org>]

On 09/12/2013 08:32 PM, adrelanos wrote:
> So we have the (intel/amd)-microcode and the firmware-linux-nonfree
> package which should be installed to improve security? Are there any
> other packages of this type?

Who said they improve security? We don't know what they are. And I doubt
they will patch a backdoor at this moment, specially when you don't know
what the hell they have in your hardware. So my guess is that it's more
likely their microcode is inserting a backdoor instead of patching it.

> 
> What would you do if there was an exploit in the wild, which uses an
> vulnerability in (intel/amd)? Let's say any website could prepare some
> html code which would trigger a remote code execution. One that can only
> be fixed by having the (intel/amd)-microcode package installed.

I doubt there's HTML code with the ability to trigger remote code
execution. More likely some JavaScript which is still hard at CPU level
or an iframe downloading things. This will depend on vulnerability from
all levels to go into the CPU, which is a hard combination to get in the
open-source world. But let's say it's available an exploit like that: we
are an universal operating system because we do not only support
x86/x86_64. My suggestion would be: change your arch.

I already own several ARM-machines, I suggest you buy something like
this just in case.
> 
> Is this a possible scenario?

Everything is possible.
> 
> What would you (Debian) do in this case?

I don't know. We are a community, and I'm not a spokeperson for Debian
although I'm a Debian Developer. I can't answer this.

-- 
The Debian Project - http://debian.org/
Jose Luis Rivas - http://joseluisrivas.net/#ghostbar