
Re: Firmware - what are we going to do about it?



On 2022-04-19 12:41, Jonas Smedegaard wrote:
> Quoting Christian Kastner (2022-04-19 11:33:30)
>> Here's a somewhat radical idea: I propose that we make option (1) and 
>> (2) conditional on all Debian infra switching to hardware entirely 
>> free of binary firmware/microcode blobs.
>>
>> Because if *we* can't do it, then imposing this stringency on our 
>> users is outright idealist hypocrisy.
>>
>> [Spoiler: we can't, unless some open x86_64 silicon has popped up 
>> somewhere (doubtful, because of the required patents).]
> 
> I certainly like "eat our own dogfood", but our infrastructure currently 
> runs on _top_ of Debian systems, using non-Debian applications.
> 
> I don't think we should put the bar higher for firmware than we do for 
> applications, regarding "eat our own dogfood".  What would be the point 
> of that (other than artificially creating an argument for option 5)?

I'm sorry, but I don't quite follow your argument?

In case my own wasn't clear, what I meant was: (a) all of the x86_64
hosts in our infrastructure use CPUs that utilize non-free microcode,
and (b) unless we're crazy, those hosts also use the non-free
intel-microcode or amd64-microcode packages to get security fixes.

Consequently, expecting our users to forgo non-free entirely is, in my
eyes, extremely hypocritical. We make exceptions for these microcode
packages because whether we like it or not, it's the only
reasonable/secure/sane thing to do.


Here's an even more radical thought: shipping any x86_64 installer CD
without amd64-microcode and intel-microcode installed by default is a
disservice to our users. There's no ideological "Win" when you're paying
for it with the user's security, especially when they might be unaware
of the problem.

