
Re: Firmware - what are we going to do about it?



On Sun, May 29, 2022 at 05:33:21PM -0400, Bobby wrote:
> FWIW, as a 10+ years user (first time caller :p) I strongly support
> sticking with the status quo. There are plenty of systems that don't
> require firmware to work, and often when people say it doesn't "work"
> they really mean that its functionality is more limited.

Unfortunately, that's not true.  Without the firmware, in many cases
on modern laptops (for example, the Samsung Galaxy Book 360) the WiFi
and Ethernet devices will simply *not* *work*.  If the user has only
downloaded the Netinst installer onto a USB stick (since most modern
laptops also don't have DVD drives), they will not be able to install
their system.

This is a rather negative user experience.

> Further, there are security concerns with blobs. Yes, we can get
> microcode updates, but were those updates themselves actually audited?
> As far as I know, they are just as opaque as the code they're
> replacing. They could be making security worse, and we won't know
> until someone finds the exploits. The rare event where a microcode
> update is released and it increases security is far outweighed by the
> vast majority of the situations where installing opaque code is
> detrimental to security.

On many modern peripherals, the microcode updates are digitally signed
by the manufacturer.  So if you didn't trust, say, the CPU updated
microcode for your Intel processor, why are you trusting the original
CPU microcode, which would have also come from Intel?

> If people are unhappy with the status quo, my proposal would be to
> encourage more people to work on free alternatives. There is an ocean
> of possibilities here, from open hardware to reverse engineering. My
> feeling is that a lot more could be done to better support hardware
> that doesn't involve non-free code at all. There are many free
> projects that have never made it to Debian.

Unfortunately, if you want a modern laptop, which supports the latest
WiFi standards, and which is thin and light, you're not going to find
one which is using purely free alternatives.  100% free laptop
alternatives do exist, but typically you will end up using ten
year old hardware, or the devices are significantly heavier and more
cumbersome.

And unfortunately, open hardware is significantly more difficult and
requires far more capital outlay than "open software".  Simply
encouraging more people to work on free alternatives is not going to
be enough unless someone is willing to bankroll these efforts to the
tune of millions of dollars.

If people want to use really awful, old hardware, all in the name of
"free software", they should certainly have the freedom to do so, and
it should be easy for them to make sure that the purity of their
system is not compromised.

However, if someone has already purchased the hardware, it's a rather
horrible user experience when they discover that Debian won't install
a working system on it, and to find that the non-free firmware is
in a locked filing cabinet stuck in a disused lavatory with a sign on
the door saying 'Beware of the leopard'.

Remember, the Debian Social Contract says that our priorities are our
users *and* free software.  Making it nearly impossible for a novice
user to install Debian on their brand new laptop where Windows 10 and
Ubuntu just *work* might not be the best way of balancing the
competing needs here of the users and free software.

Best regards,

					- Ted

