
Re: Firmware - what are we going to do about it?



Quoting Andrey Rahmatullin (2022-04-19 19:49:59)
> On Tue, Apr 19, 2022 at 06:51:16PM +0200, Jonas Smedegaard wrote:
> > > > > > When I install systems, I consider non-free blobs more risky 
> > > > > > than other code.
> > > > > Do you consider loadable non-free blobs more risky than their 
> > > > > older versions soldered onto the hardware?
> > > > > 
> > > > Definitely "more risky" possibly not "less secure"
> > > > 
> > > > One of my biggest frustrations is that it's impossible to 
> > > > selectively apply "security patches" and companies are wont to 
> > > > "smuggle" in feature changes along with security fixes.
> > > [...]
> > > > No, but I do see a benefit in them not being applied 
> > > > automatically as part of a standard update. And for something 
> > > > like a firmware upgrade for a network card, I might only want to 
> > > > install it if there was a security issue that might actually 
> > > > impact me or I was having a problem. Otherwise it's hard to 
> > > > imagine a scenario where a firmware upgrade can make things 
> > > > better but it's easy to imagine it making things much worse.
> > > Then what about hardware that doesn't have soldered firmware, only 
> > > loadable one? Would you not use it at all?
> > 
> > I notice that you shift the conversation topic from *upgrading* 
> > firmware to *introducing* firmware.
> You partially narrowed the topic to upgrading firmware in 
> <165037188392.1708.14819384411900940205@auryn.jones.dk>, so yes, I'm 
> asking about both sides of the question. I will even say that the 
> situation where some perfectly usable firmware is already available on 
> the device, and Debian just offers an update to it, is much less 
> important (but still very important for e.g. intel-microcode) than the 
> situation where the device is not usable without firmware loaded by 
> Debian, which is the main usability problem with the status quo.

Ah, so your view is that a newer blob might...

 * fix bugs
 * add functionality that I want

I can understand how in such a world there is no sense in avoiding newer 
blobs: they are only ever improvements.

We do not share that view, though.

Quoting Ansgar (2022-04-19 19:04:36)
> Firmware shipped as packages part of stable releases will probably 
> change the same way as software (i.e., security updates, other 
> important updates). So there should be not much reason for such 
> concern.
>
> Such concerns would be more relevant for firmware updates using other 
> update channels such as `fwupd` uses.

I wonder how you can confidently know that non-free blobs packages for 
Debian are only likely to be improvements, when you cannot verify their 
contents.

And how is it that fwupd-distributed blobs are less likely to be 
reliable?  What am I missing here?


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
