[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Debian on Pine64 H64B?

On 2021.09.07 18:36, lkcl wrote:

On September 7, 2021 4:16:27 PM UTC, Pete Batard <pete@akeo.ie> wrote:

And my point is that, since we are dealing with non free systems, it
makes little difference whether the non-free blobs reside in an EEPROM
or on boot media.

it makes ALL the difference in the world.

not only is it deeply unethical to support non-free firmware, in the instance where such firmware contained spying backdoors that resulted in a user system being compromised, DEBIAN DEVELOPERS COULD BE HELD LEGALLY LIABLE.

No. Not when Debian are *NOT* the ones providing said non-free blobs.

Somehow I get the feeling that some people here are misconstruing the Pi 3 and Pi 4 installation process as: "Debian is in charge of providing the non free blobs along with the Debian installation files".

This is not the case

The process is as follows:

1. The user downloads the UEFI Firmware and non-free blobs (that are use SOLELY for UEFI bringup) FROM A THIRD PARTY that has no direct association with Debian. And let me be 100% clear on that, NOONE here is or has been even remotely asking that Debian should provide these files. NOONE.

2. Separately, the user downloads the vanilla installation ISO from Debian.

3. User extracts all of this content on a single installation media (or separate media if they are of the idea that having both contents reside on the one media somehow taints it) .

So you're going to have to explain to me how Debian developers, who had no involvement in the above process, and aren't providing any of the firmware blobs, are supposed to be held liable. If anything, it's the user choosing to place content from two independent project that are governed by two separate licenses, that is liable for the end result of what their own action of mixing the content entails (though, in the boot process we're talking about, I also don't see a liability in having binaries governed by different licenses when the handoff process between executables governed by these licenses is the same as the handoff process between non GPL UEFI and GPL Debian)

In other words, your assertion is exactly like saying that, if someone happens to download malware from a third party on a Debian OS, then "DEBIAN DEVELOPERS COULD BE HELD LEGALLY LIABLE".

That makes absolutely zero sense.

I do understand that you have strong objection to the Pi Foundation blobs, but that's not a reason for magically extrapolating liability of a process that does *NOT* involve Debian providing said blobs. Please bear in mind that we are talking about a process that is very *NOT* talking about a process that involves pre-built images, as the whole goal is to work with vanilla Debian ISOs, and guide the user into what preliminary, non-Debian related steps (since these steps can just as well apply to Windows or FreeBSD) they can take to achieve that.

As I tried to explain earlier, these blobs are associated with the UEFI firmware, not with Debian, in the same manner as x86 proprietary blobs are associated with the UEFI firmware and not Debian. And I am certainly not seeing anyone throwing a hissy fit at x86 UEFI requiring said proprietary blobs, or pretending that, because Debian boot relies on them, as part of the pre-Debian UEFI boot, Debian devs can be held legally liable. Therefore, it makes no sense to pretend that it should be any different for the Raspberry Pi, when the principle (UEFI early boot relies on proprietary blobs, that are consumed by UEFI and become completely irrelevant, apart from the fact that some of them may reside in memory, to the rest of the boot process after UEFI handoff) is the same.

And yes, it is also possible to use this blobs to boot a Linux kernel directly, but that is *NOT* at all what we are discussing here.

if however the Pi Foundation wishes to distribute such unethical firmware to individuals, then they have engaged in a Contract of Sale with those individuals and THEY are legally liable for any damage or harm caused, under various Sale of Goods Acts or equivalent in the respective country.

It is your right to refuse to use a system that relies on proprietary blobs. I therefore am going to assume that you are not using any modern x86 PC, because, even if you use CoreBoot, you will find that they are unavoidable.

likewise with a PC *that you bought* you did *NOT* buy that PC from a Debian Developer, you bought it from a PC distributor and your Contract of Sale is with THEM.

Yup, and in the case of the Raspberry Pi process we are describing here, the firmware blobs and UEFI firmware that you used were not provided by a Debian developer, but obtained from a third party (mostly EDK2 + Raspberry Pi Foundation) and whatever you want to pretend is a contract of sale is also with THEM, not Debian.

That these blobs and UEFI firmware are being provided on SD or USB media rather than an EEPROM does not change this picture.

if you want a Debian Developer to enter into a Contract to provide you with a preinstalled nonfree firmware blob

That is NOT AT ALL what I want.

Worst, that is not even remotely implied in any of the guides I linked to.

Thus, it looks to me like you are "debating" a completely mistaken idea of what the RPi installation process entails, and who is supposed to provide what.

NOBODY is asking Debian to provide preinstalled nonfree firmware blobs for Pi boot, just like nobody is asking Debian to provide nonfree EEPROM x86 UEFI firmware that they can flash on their specific system. That's what I went great length to try to describe as orthogonal to the Debian boot process earlier, because it genuinely is.

The whole point (at least for the guides I linked to) is to keep these entirely outside of the scope of what Debian has to provide.

That firmware blobs and UEFI firmware (provided by a non Debian related third party) and Debian installation content (extracted from *UNMODIFIED* vanilla Debian ARM64 ISO) happen to end up on the same media, if you *choose* to use a single media, is the result of a user operation that Debian has had no involvement with. So, again, I'm hard pressed how you can find a liability for Debian there.

you should pay them adequate amounts of money so that they can take out the requisite Liability and Indemnity Insurance.

if you are not prepared to do that please do not complain because your life is made more "inconvenient".

There again, you are asserting that somebody is somehow complaining that Debian should provide nonfree blobs for convenience.

I'm sorry but, CLEARLY, you have not read or understood the points I've been trying to make earlier, or looked at the installation guides I linked to.

The goal of the Pi Foundation has always been to provide the cheapest
platform they could, and eliminating the need of an Flash EEPROM for
platform bringup is one effective way to do that.

indeed.  thus, that places the product firmly in EXACTLY the same category as a non-free WIFI product that requires non-free firmware.

by forcing YOU to download that nonfree firmware, YOU take responsibility for that action.

Yup. Nobody is suggesting that Debian is supposed to provide the Pi nonfree blobs. And that is exactly the way it should be.

WHEN the Pi Foundation realise the seriousness of their laziness and provide an on-board EEPROM or SPI NOR Flash IC just like every x86 PC has done since the late 1980s THEN it will be possible for debian to support their products because Debian Developers will not find themselves in the situation of being legally liable for distribution of potentially dangerous firmware.

Irrelevant, since, again, you are asserting that someone here has been suggesting that Debian should distribute firmware, which is *NOT* the case.

i am ESPECIALLY getting fed up of people not fully and properly understanding the realities of the situation

Amen! Especially people who seem to be following an ill-placed misconception that somebody here is even remotely asking that Debian should provide nonfree firmware, when that provision is being entirely assumed by a non Debian third party, just as it is for x86 PC.

please therefore have a little more understanding and appreciation for what Debian Developers are doing, and why they are doing it, and the difficult (spongeing) circumstances and obligations they are under.

I have appreciation for them. That's why I made sure to write guides that describe a Raspberry Pi installation process that does NOT require Debian to provide anything but the vanilla installation ISOs.



Reply to: