[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Install fwupd on a default installation

On 26/12/2018 22:32, Steve McIntyre wrote:
On Wed, Dec 26, 2018 at 10:27:35PM +0100, Cyril Brulebois wrote:
Steve McIntyre <steve@einval.com> (2018-12-26):
Philipp Kern <pkern@debian.org> (2018-12-26):
I'm not sure, though, if there is some philosophical objection here in
that fwupd downloads non-free blobs and/or that Debian does not actually
ship the blobs themselves.

FWIW both parts seem unacceptable to me, esp. in a default installation.

They're not all necessarily non-free, but it's a useful service for
people to make safe firmware updates easy.

How do we know those blobs are safe, and that they won't change all of a
sudden if they aren't hosted on Debian infrastructure?

We *don't* directly, but they blobs are signed and placed online by
the vendors. LVFS (the online backend) is a good Free
Software-friendly service.

Interestingly enough the vendor signs a blob (CAB file) and LVFS throws it away and re-signs the blob with its own key. But then again I think the base assumption is that the contained firmware images are themselves signed as well and the BIOS does a check before ingesting them.

Obviously you end up with the usual concerns like the repository being able to hold back updates from certain clients. The website's code is supposedly available on https://github.com/hughsie/lvfs-website/ though and I suppose a transparency effort could solve that particular problem, too.

This is a major step forwards from the old Windows-only ot "boot a DOS
floppy" style of firmware updates.

Oh yes. Not just that, also finding the right image to apply and then figuring out how the hell to apply it is a solved problem with EFI-based fwupdate.

Kind regards
Philipp Kern

Reply to: