On Wed, 2018-12-26 at 21:32 +0000, Steve McIntyre wrote: > On Wed, Dec 26, 2018 at 10:27:35PM +0100, Cyril Brulebois wrote: > > Steve McIntyre <steve@einval.com> (2018-12-26): > > > > Philipp Kern <pkern@debian.org> (2018-12-26): > > > > > I'm not sure, though, if there is some philosophical > > > > > objection here in > > > > > that fwupd downloads non-free blobs and/or that Debian does > > > > > not actually > > > > > ship the blobs themselves. > > > > > > > > FWIW both parts seem unacceptable to me, esp. in a default > > > > installation. > > > > > > They're not all necessarily non-free, but it's a useful service > > > for > > > people to make safe firmware updates easy. > > > > How do we know those blobs are safe, and that they won't change all > > of a > > sudden if they aren't hosted on Debian infrastructure? > > We *don't* directly, but they blobs are signed and placed online by > the vendors. LVFS (the online backend) is a good Free > Software-friendly service. > > This is a major step forwards from the old Windows-only ot "boot a > DOS > floppy" style of firmware updates. To add my 2c to that, we also don't know that the firmware that is installed on the machine at the factory is secure - but we know it's outdated, and we know that security-related new versions are common enough to be worth worrying about. -- Kind regards, Luca Boccassi
Attachment:
signature.asc
Description: This is a digitally signed message part