Re: If Debian support OS certification?

To: debian-project@lists.debian.org
Subject: Re: If Debian support OS certification?
From: Paul Wise <pabs@debian.org>
Date: Wed, 17 May 2017 09:03:10 +0800
Message-id: <[🔎] CAKTje6Et5sj6cYR1uqQCdYcjuaEpHf1jLgtsOqvYNqB92TQNHw@mail.gmail.com>
In-reply-to: <[🔎] fc5c20b2-4aba-ae6f-1bb7-a26136e4dd4b@debian.org>
References: <7CBC77DE593A114587C3D1A3C385EAAFB54CA8@MAILBX03.quanta.corp> <CAKTje6F4xbk0ZoijpqJaENrPyNEivaAoYb0-bZaFs0whsz1ArA@mail.gmail.com> <[🔎] 75c0e8fa-e191-321b-ed6c-9bf0eb38df51@debian.org> <[🔎] CAKTje6GD+h732xxpfMSOow-=rgQoKLnPQO5G7bErQ5-kOLdCfg@mail.gmail.com> <[🔎] 1493747967.17987.1.camel@debian.org> <[🔎] 1493801723.2765.1.camel@debian.org> <[🔎] 1493828250.2564.31.camel@decadent.org.uk> <[🔎] CAKTje6FAFP2AxUAN05_ZVr2AzngNb5+bhswmnec4GNwG+qPYZQ@mail.gmail.com> <[🔎] fc5c20b2-4aba-ae6f-1bb7-a26136e4dd4b@debian.org>

On Wed, May 17, 2017 at 6:34 AM, Thomas Goirand wrote:

> I wonder what you call "everything". In the majority of the servers on
> which I have installed Debian, no non-free firmware were required.

That would be surprising to me, I imagine every one of those servers
was running non-free pre-installed firmware in multiple parts of the
machine. At minimum, every modern platform has a non-free boot ROM
(the first code run by the CPU, physically read-only, may do signature
checking). Then there are CPU microcode, Intel ME/AMD PSP, BIOS/UEFI,
BMC/IPMI/iLO/etc, hard drive or SSD firmware, NIC firmware, screen
firmware, keyboard firmware and so on.

I think what you meant to say was that the majority of the servers you
have run Debian on do not require loading externally supplied non-free
firmware before they will work normally.

I agree that as a practical measure, that is the certification target
that is most useful to end users and most appropriate for Debian right
now, at least until RISC-V/lowRISC hardware becomes widespread.

That said, from the things that the Debian Intel microcode package
maintainer says about microcode bugs on IRC, I'm not sure that it is a
good idea to recommend users run Debian systems without the updates to
the non-free CPU microcode provided by Debian.

>From a Software Freedom PoV though, "do not require loading externally
supplied non-free firmware" may be worse, since pre-installed firmware
is the elephant in the room (hello Intel AMT security bugs). It also
makes reverse engineering harder since pre-installed firmware is
harder to extract. Often there are zero mechanisms (or completely
proprietary ones) to update pre-installed firmware, which complicates
the reverse engineering process significantly and or prevents it for
all but the most sophisticated reverse engineers, for example to those
who can glitch signature checking code by altering power levels.

Only certifying hardware that does not require loading externally
supplied non-free firmware just *incentivises* vendors to just
pre-install their non-free firmware, which has the potential to
slightly reduce Software Freedom around firmware long-term.
So, I'd like us to counteract these incentives by encouraging hardware
vendors to support coreboot and other libre firmware projects and
exposing information to users and vendors about what proprietary
pre-installed software/firmware is present and how it could be
problematic.

> In my view, a certification Debian logo means we fully endorse.

For Debian I expect your proposal "do not require loading externally
supplied non-free firmware" is something that most of Debian can agree
is a reasonable endorsement target for now. We probably would require
a GR to make a decision about the target though. The FSF RYF
endorsement is approximately what you suggest:

https://www.fsf.org/resources/hw/endorsement/respects-your-freedom
https://libreplanet.org/wiki/Group:Hardware/Certification_criteria

> I do believe a vast majority of the Debian community do not fully
> endorse the requirement of non-free blobs.

I'm not sure that is the case, there appears to be significant support
for including NIC/WiFi firmware in the primary ISO that people
download from the Debian website (or also linking to the non-free ISO
from the front page), because the lack of it means it is harder to
install Debian on modern hardware. There also appears to be support
for installing CPU firmware by default.

> A certification is different from a compatibility checklist.
> Let's not confuse the 2.

Good point, I'd certainly made that mistake up till now.

> Otherwise, we'll have to display different types of logo, like "works
> with Debian ... but", and then that starts to confuse users, which is
> counter-productive.

I think for hardware that doesn't support whatever criteria we come up
with, we just wouldn't have a certification logo but would say "this
hardware is *not* Debian certified because ..., but can run Debian if
...". For "certified" hardware we would include the logo and say "this
hardware is Debian certified, but you need to be aware of these
proprietary components and what their capabilities are".

-- 
bye,
pabs

https://wiki.debian.org/PaulWise

Reply to:

Follow-Ups:
- Re: If Debian support OS certification?
  - From: Ian Jackson <ijackson@chiark.greenend.org.uk>

References:
- Re: If Debian support OS certification?
  - From: Thomas Goirand <zigo@debian.org>
- Re: If Debian support OS certification?
  - From: Paul Wise <pabs@debian.org>
- Re: If Debian support OS certification?
  - From: Ritesh Raj Sarraf <rrs@debian.org>
- Re: If Debian support OS certification?
  - From: Paul Wise <pabs@debian.org>
- Re: If Debian support OS certification?
  - From: Ben Hutchings <ben@decadent.org.uk>
- Re: If Debian support OS certification?
  - From: Paul Wise <pabs@debian.org>
- Re: If Debian support OS certification?
  - From: Thomas Goirand <zigo@debian.org>

Prev by Date: Re: should debian comment about the recent 'ransomware' malware.
Next by Date: Re: should debian comment about the recent 'ransomware' malware.
Previous by thread: Re: If Debian support OS certification?
Next by thread: Re: If Debian support OS certification?
Index(es):
- Date
- Thread