Re: How secure is an installation with with no non-free packages?
I am not Debian, but I am in rant-mode on this subject today, so bear with me --
On Fri, Sep 13, 2013 at 10:02 AM, adrelanos <adrelanos@riseup.net> wrote:
> Jose Luis Rivas:
>> So no, there's no other contrib/non-free packages there.
>
> I didn't want to imply, that there are preinstalled.
>
>> The reason why you can't install Debian directly from a WiFi with some
>> manufacturers is precisely that we do not ship non-free nor contrib
>> software by default in our Debian installation different to what does
>> other distributions like Ubuntu (no offense meant).
>
> And this is fine and I don't want to go into that political vs
> convenience discussion either.
You can't avoid it now. (Thanks to NSA and Intel deciding to boogie
together. Let the children boogie.)
> So we have the (intel/amd)-microcode and the firmware-linux-nonfree
> package which should be installed to improve security? Are there any
> other packages of this type?
We'd like to say they are unique.
They are unique in that they are the CPU, but any binary blob required
by the hardware you are using is going to have the same set of
problems, and most of them, even when we move the drivers out of the
kernel, are going to have the capability of subverting the whole box.
We'd like to say that it's all Intel's fault for pushing the market so
far so fast, but we can only say they have been a major contributor to
the problem. (We have, also, each one of us.)
> What would you do if there was an exploit in the wild, which uses an
> vulnerability in (intel/amd)?
Do you mean, in the cpu itself, or in the microcode?
> Let's say any website could prepare some
> html code which would trigger a remote code execution.
Ergo, on vulnerable CPU/microcode combinations.
> One that can only
> be fixed by having the (intel/amd)-microcode package installed.
So you're thinking the CPU, but which level of microcode?
> Is this a possible scenario?
Of course. Especially now that the "bad guys" have tools that allow
them to build targeted tools fairly easily.
> What would you (Debian) do in this case?
Do you mean, would Debian fold up and go away if the only way to
provide a secure OS were to be to include certain non-free packages by
default?
They already do (as Jose Luis Riva indicated). It just requires a
certain amount of action on your part so that they can limit the
amount of non-free stuff you have to load.
At the very least, AMD machines do not need Intel microcode, and
vice-versa. That's why it's important to have more than one major CPU
vendor, even if Intel's bragging that they have beaten everyone else
on all technical fronts had any merits whatsoever. (It doesn't. They
haven't even come close. Their current excesses are catching up to
them now.)
> (I am not suggesting anything here, I am just interested in those
> questions.)
And I suppose I am not contributing anything meaningful to the
conversation. Sorry, but this is a pet peeve of mine. We can't afford
the results when microprocessors become this complex, and one of the
reasons I hate Intel is that they have pushed the complexity so hard
to maintain their "market advantage", and it just makes a mess of the
industry.
--
Joel Rees
Be careful where you see conspiracy.
Look first in your own heart.
Reply to: