
Re: Firmware - what are we going to do about it?



On Tue, 19 Apr 2022, Andrey Rahmatullin wrote:

> On Tue, Apr 19, 2022 at 02:38:03PM +0200, Jonas Smedegaard wrote:
> > When I install systems, I consider non-free blobs more risky than other
> > code.
> Do you consider loadable non-free blobs more risky than their older
> versions soldered onto the hardware?

Definitely "more risky", possibly not "less secure".

One of my biggest frustrations is that it's impossible to selectively
apply "security patches" and companies are wont to "smuggle" in feature
changes along with security fixes.


> > When I (sometimes, but not always?) choose to "infect" my systems with
> > non-free packages, I therefore consider each non-free package to try
> > minimize the amount of risky blobs on my systems.  As an example, I may
> > choose to not apply realtek firmware updates when I can verify that my
> > ethernet device works adequately without it.
> Do you see some inherent value in not applying a firmware update then?

No, but I do see a benefit in them not being applied automatically as
part of a standard update. And for something like a firmware upgrade for
a network card, I might only want to install it if there was a security
issue that might actually impact me or I was having a problem. Otherwise
it's hard to imagine a scenario where a firmware upgrade can make things
better but it's easy to imagine it making things much worse.

apt-get upgrade will tell you that linux-image-amd64 has a newer version
but it then takes apt-get dist-upgrade to commit to that update.
(kernels are a bit of a funny case because some kernel updates happen
under apt-get upgrade)

I'd like to see something similar for (non-free) firmware where users
can choose to default upgrade with their regular updates or can hold
back updates.

I'd also like to see something that prevents accidentally installing
"non-free". Perhaps apt-get dist-install needed to install non-free
packages.

Tim.
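The two behaviours asked for in the message above (firmware updates held back from routine upgrades, and non-free packages needing a deliberate opt-in) can already be approximated with apt's pinning machinery. The following is an added example, not code from this thread or from Debian; it assumes the archive origin "o=Debian", the component names "non-free" and "non-free-firmware" (the latter only exists from Debian 12 on), and uses firmware-realtek purely as an illustration. The apt-cache policy sample it checks against is constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example (not from the thread or from Debian): hold already-installed
# non-free firmware out of plain "apt-get upgrade" runs via apt preferences,
# and make installing anything from non-free a deliberate act.
# Assumptions: origin "o=Debian", components "non-free" and "non-free-firmware"
# (Debian 12+), package name firmware-realtek only as an illustration.
set -eu

# Stanza pinning every package in the given component to priority 1.
# apt installs a candidate with 0 < priority < 100 only when the package is
# not installed yet, so "apt-get install firmware-foo" still works on a fresh
# box, but an installed firmware-foo is never touched by upgrade/dist-upgrade.
hold_component_prefs() {
    printf 'Package: *\nPin: release o=Debian,c=%s\nPin-Priority: 1\n' "$1"
}

# Stanza with a negative priority: nothing from the component can be
# installed until the stanza is removed or its priority raised, which is
# the "you must opt in to non-free" behaviour asked for above.
block_component_prefs() {
    printf 'Package: *\nPin: release o=Debian,c=%s\nPin-Priority: -1\n' "$1"
}

# Write both stanzas to an apt preferences file (needs root for the default
# path). apt requires a blank line between stanzas.
install_prefs() {
    dest="${1:-/etc/apt/preferences.d/90-hold-nonfree}"
    {
        hold_component_prefs non-free-firmware
        echo
        block_component_prefs non-free
    } > "$dest"
}

# Verify a pin took effect from "apt-cache policy PKG" output read on stdin:
# once the pin is active and the package is installed, Candidate must equal
# Installed. Prints "held", "will-upgrade" or "not-installed".
policy_status() {
    installed=''; candidate=''
    while IFS= read -r line; do
        case "$line" in
            *Installed:*) installed="${line#*Installed: }" ;;
            *Candidate:*) candidate="${line#*Candidate: }" ;;
        esac
    done
    if [ "$installed" = "(none)" ] || [ -z "$installed" ]; then
        echo not-installed
    elif [ "$installed" = "$candidate" ]; then
        echo held
    else
        echo will-upgrade
    fi
}

# Constructed sample (not from a real system): a firmware package that a
# plain "apt-get upgrade" would pull in because no pin is in place yet.
SAMPLE_POLICY='firmware-realtek:
  Installed: 20210818-1
  Candidate: 20230210-5
  Version table:
     20230210-5 500
        500 http://deb.debian.org/debian bookworm/non-free-firmware amd64 Packages
 *** 20210818-1 100
        100 /var/lib/dpkg/status'

# Deliberate one-off firmware update while the pin stays in place: tell apt
# to ignore the preferences files for this single run (apt treats /dev/null
# as "no such file/directory" here without complaint).
#   apt-get -o Dir::Etc::Preferences=/dev/null \
#           -o Dir::Etc::PreferencesParts=/dev/null \
#           install --only-upgrade firmware-realtek
```

To check the result after running install_prefs, feed `apt-cache policy firmware-realtek` into policy_status; it should print "held". For a single package rather than a whole component, `apt-mark hold firmware-realtek` gives the same upgrade-blocking effect without a preferences file, but it does not stop a fresh install from non-free the way the negative pin does.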