On 26/12/2018 22:32, Steve McIntyre wrote:
> On Wed, Dec 26, 2018 at 10:27:35PM +0100, Cyril Brulebois wrote:
>> Steve McIntyre <steve@einval.com> (2018-12-26):
>>> Philipp Kern <pkern@debian.org> (2018-12-26):
>>>> I'm not sure, though, if there is some philosophical objection here in
>>>> that fwupd downloads non-free blobs and/or that Debian does not actually
>>>> ship the blobs themselves.
>> FWIW both parts seem unacceptable to me, esp. in a default installation.
> They're not all necessarily non-free, but it's a useful service for people
> to make safe firmware updates easy.
>> How do we know those blobs are safe, and that they won't change all of a
>> sudden if they aren't hosted on Debian infrastructure?
> We *don't* directly, but the blobs are signed and placed online by the
> vendors. LVFS (the online backend) is a good Free Software-friendly service.
Interestingly enough, the vendor signs a blob (CAB file) and LVFS throws that signature away and re-signs the blob with its own key. But then again I think the base assumption is that the contained firmware images are themselves signed as well and the BIOS does a check before ingesting them.
Obviously you end up with the usual concerns, like the repository being able to hold back updates from certain clients. The website's code is supposedly available on https://github.com/hughsie/lvfs-website/, though, and I suppose a transparency effort could solve that particular problem, too.
> This is a major step forwards from the old Windows-only or "boot a DOS
> floppy" style of firmware updates.
Oh yes. Not just that: finding the right image to apply, and then figuring out how the hell to apply it, is also a solved problem with EFI-based fwupdate.

Kind regards
Philipp Kern
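To make the "transparency effort" remark above concrete, here is an added example (written for this page, not fwupd or LVFS code) of the check a client could run against a firmware metadata repository that publishes an append-only Merkle log of its entries. It assumes RFC 6962/9162 style hashing (0x00 leaf prefix, 0x01 node prefix), treats a tree head as a plain (size, root) pair with signing of the head left out, and uses constructed firmware records; the names FIRMWARE_LOG, audit_heads and demo are hypothetical. The interesting part is audit_heads: two clients compare the heads they were served, and a repository that quietly holds back or substitutes an update for one of them cannot produce a consistency proof between the two views.

```python
"""Transparency-log check for a firmware metadata repository (added example,
not fwupd/LVFS code).  Hashing follows RFC 6962/9162; a tree head is (size,
root) and signing it is out of scope here."""
import hashlib
from typing import List, Tuple

Head = Tuple[int, bytes]


def leaf_hash(entry: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + entry).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()


def _split(n: int) -> int:
    """Largest power of two strictly less than n (n >= 2)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def tree_head(entries: List[bytes]) -> bytes:
    """Merkle tree hash MTH(D[n]) over the log entries."""
    n = len(entries)
    if n == 0:
        return hashlib.sha256(b"").digest()
    if n == 1:
        return leaf_hash(entries[0])
    k = _split(n)
    return node_hash(tree_head(entries[:k]), tree_head(entries[k:]))


def inclusion_proof(entries: List[bytes], index: int) -> List[bytes]:
    """Sibling hashes proving entries[index] is under tree_head(entries)."""
    n = len(entries)
    if n == 1:
        return []
    k = _split(n)
    if index < k:
        return inclusion_proof(entries[:k], index) + [tree_head(entries[k:])]
    return inclusion_proof(entries[k:], index - k) + [tree_head(entries[:k])]


def verify_inclusion(entry: bytes, index: int, size: int,
                     proof: List[bytes], root: bytes) -> bool:
    """Client side: recompute the root from one leaf and its proof."""
    if index >= size:
        return False
    fn, sn, r = index, size - 1, leaf_hash(entry)
    for p in proof:
        if sn == 0:
            return False
        if (fn & 1) or fn == sn:
            r = node_hash(p, r)
            while not (fn & 1) and fn != 0:   # skip the unbalanced right edge
                fn, sn = fn >> 1, sn >> 1
        else:
            r = node_hash(r, p)
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and r == root


def consistency_proof(entries: List[bytes], m: int, start: bool = True) -> List[bytes]:
    """RFC 9162 SUBPROOF: proves the first m entries are a prefix of entries."""
    n = len(entries)
    if m == n:
        return [] if start else [tree_head(entries)]
    k = _split(n)
    if m <= k:
        return consistency_proof(entries[:k], m, start) + [tree_head(entries[k:])]
    return consistency_proof(entries[k:], m - k, False) + [tree_head(entries[:k])]


def verify_consistency(first: Head, second: Head, proof: List[bytes]) -> bool:
    """Client side: the newer head must extend the older one it cached."""
    (s1, r1), (s2, r2) = first, second
    if s1 == 0 or s1 > s2:
        return False
    if s1 == s2:
        return not proof and r1 == r2
    path = ([r1] if (s1 & (s1 - 1)) == 0 else []) + list(proof)
    if not path:
        return False
    fn, sn = s1 - 1, s2 - 1
    while fn & 1:
        fn, sn = fn >> 1, sn >> 1
    fr = sr = path[0]
    for c in path[1:]:
        if sn == 0:
            return False
        if (fn & 1) or fn == sn:
            fr, sr = node_hash(c, fr), node_hash(c, sr)
            while not (fn & 1) and fn != 0:
                fn, sn = fn >> 1, sn >> 1
        else:
            sr = node_hash(sr, c)
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and fr == r1 and sr == r2


# Constructed firmware metadata records (hypothetical, not real LVFS data).
FIRMWARE_LOG = [
    b"ExampleCorp laptop-x1 fw 1.0.1 cab-sha256=1111",
    b"ExampleCorp laptop-x1 fw 1.0.2 cab-sha256=2222",
    b"OtherVendor dock-d2 fw 3.4.0 cab-sha256=3333",
    b"ExampleCorp laptop-x1 fw 1.0.3 cab-sha256=4444",  # update a client must not miss
]


def audit_heads(head_a: Head, head_b: Head, proof: List[bytes]) -> str:
    """Two clients compare the heads the repository served them.  `proof` is
    the repository's consistency proof from the smaller head into the larger
    (ignored when sizes match).  "fork" means the views cannot both come from
    one append-only log."""
    if head_a[0] == head_b[0]:
        return "ok" if head_a[1] == head_b[1] else "fork"
    older, newer = sorted([head_a, head_b], key=lambda h: h[0])
    return "ok" if verify_consistency(older, newer, proof) else "fork"


def demo() -> dict:
    log = FIRMWARE_LOG
    honest = (len(log), tree_head(log))
    # Case 1: client B is only shown the head before entry 3 was appended.
    # The proof exists, so the views agree and B learns it is being lagged.
    stale = (3, tree_head(log[:3]))
    lag = audit_heads(honest, stale, consistency_proof(log, 3))
    # Case 2: the repository substitutes entry 3 for client B (split view).
    forged = (4, tree_head(log[:3] + [log[1]]))
    return {"stale_client": lag, "forked_client": audit_heads(honest, forged, [])}
```

Two caveats worth keeping in mind: the comparison only has teeth if the heads are signed by the log and exchanged out of band (gossip between clients, or an independent auditor), and a log that is consistent can still be slow to show an entry to one client, so the stale case is a prompt to fetch the missing entries, not proof of good faith.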