From mboxrd@z Thu Jan  1 00:00:00 1970
From: David Craven <david@craven.ch>
Subject: Re: Free firmware - A redefinition of the term
 and a new metric for it's measurement.
Date: Fri, 10 Feb 2017 18:31:34 +0100
Message-ID: <CAL1_immGW1dj0QnOROOZCuBbiMvN5R6c8JdsVq8QKcQZ1KLVCA@mail.gmail.com>
References: <CAL1_im=_R__Cp2aOAEAne7dveu6aYkg17zu0Pftg+pKAv_JbuA@mail.gmail.com>
	<87tw8bjhqm.fsf@gmail.com>
	<CAL1_imnr2tk9rNK2NyTX4sn8P07cR8x2Ge84M4c=hLYV4Bmy2Q@mail.gmail.com>
	<2c7ae911-863f-4831-f024-060e5f899d3a@alaskasi.com>
	<87k2948d2q.fsf@gmail.com>
Reply-To: Workgroup for fully free GNU/Linux distributions
	<gnu-linux-libre@nongnu.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Return-path: <gnu-linux-libre-bounces+gldg-gnu-linux-libre=m.gmane.org@nongnu.org>
In-Reply-To: <87k2948d2q.fsf@gmail.com>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/gnu-linux-libre>,
	<mailto:gnu-linux-libre-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/gnu-linux-libre/>
List-Post: <mailto:gnu-linux-libre@nongnu.org>
List-Help: <mailto:gnu-linux-libre-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/gnu-linux-libre>,
	<mailto:gnu-linux-libre-request@nongnu.org?subject=subscribe>
Errors-To: gnu-linux-libre-bounces+gldg-gnu-linux-libre=m.gmane.org@nongnu.org
Sender: "gnu-linux-libre"
	<gnu-linux-libre-bounces+gldg-gnu-linux-libre=m.gmane.org@nongnu.org>
To: Maxim Cournoyer <maxim.cournoyer@gmail.com>
Cc: guix-devel <guix-devel@gnu.org>, Workgroup for fully free GNU/Linux distributions <gnu-linux-libre@nongnu.org>
List-Id: guix-devel.gnu.org

Hi Maxim

> +1. I don't see how having blobs helps security at all.

Well the problem I was getting at is that things are not as fixed as
they may seem.
Quoting wikipedia:

>> Decreasing cost of reprogrammable devices had almost eliminated the market for mask ROM by the year 2000.

Translation: ROM is not RO.

It is not a theoretical threat, and just as dangerous as other threats
that people put a lot of effort in avoiding [0]

I don't see how trusting the manufacturer when buying the product is
any different from trusting him down the road. I was talking about
malicious third parties. Obviously planting something in difficult to
upgrade persistent memory is a lucrative target for attackers -
manipulating firmware becomes plain uninteresting in the other case.

> The companies that should be the rewarded are the ones that release
> firmware, source code, and tool chain. E.g., Thinkpenguin and the TPE-R1100.

> Indeed, we ought to put our money where our mouth is, i.e. back the
> companies which are helping the cause of free software/hardware.

I don't think they actually produce any silicon, toolchain or firmware
themselves. At least I didn't find a link to it. So they are basically
using other peoples silicon, toolchain and firmware. Giving them
credit for complying with the GPL is not quite right either. (But I
don't know who's behind the thinkpenguin and it looks like a great
accomplishement).

To independently verify the claim that the firmware they are using is
indeed fixed, would actually require them to release both schematics
and datasheets of their designs.

[0] https://www.wired.com/2015/02/nsa-firmware-hacking/