
Re: Firmware - what are we going to do about it?



On Tue, 2022-04-19 at 01:27 +0100, Steve McIntyre wrote:
> What would I choose to do? My personal preference would be to go with option 5:
> split the non-free firmware into a special new component and include that on
> official media.

This is a great write-up and proposal, thank you very much for working
on it!

Personally, I'd even go for option 4, so that other drivers are covered
too (the general advice that can be found on the internet for users
with nvidia hardware seems to be: "avoid Debian, go Ubuntu/Mint/etc",
which is just a sad state of affairs). But option 5 is already a great
improvement upon the status quo.

One thing about the write-up, did you consider mentioning explicitly
the security angle in the rationale for the change?
For packages like intel-microcode, not only is the non-free "firmware"
necessary, but an old copy is "embedded", which means by default Debian
users run with outdated and insecure microcode, exposing them to very
real and very dangerous security vulnerabilities, unless they go out of
their way to enable the non-advertised non-free repository.
I don't know for certain, but I think there are other cases like this,
with hardware that ships a full updatable firmware in flash storage,
that gets security fixes and updates.

-- 
Kind regards,
Luca Boccassi
