From mboxrd@z Thu Jan 1 00:00:00 1970
From: David Craven
Subject: Re: Free firmware - A redefinition of the term and a new metric for it's measurement.
Date: Fri, 10 Feb 2017 18:31:34 +0100
References: <87tw8bjhqm.fsf@gmail.com> <2c7ae911-863f-4831-f024-060e5f899d3a@alaskasi.com> <87k2948d2q.fsf@gmail.com>
In-Reply-To: <87k2948d2q.fsf@gmail.com>
Reply-To: Workgroup for fully free GNU/Linux distributions
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Errors-To: gnu-linux-libre-bounces+gldg-gnu-linux-libre=m.gmane.org@nongnu.org
Sender: "gnu-linux-libre"
To: Maxim Cournoyer
Cc: guix-devel, Workgroup for fully free GNU/Linux distributions
List-Id: guix-devel.gnu.org

Hi Maxim

> +1. I don't see how having blobs helps security at all.

Well, the problem I was getting at is that things are not as fixed as they may seem. Quoting Wikipedia:

>> Decreasing cost of reprogrammable devices had almost eliminated the market for mask ROM by the year 2000.

Translation: ROM is not RO. It is not a theoretical threat, and it is just as dangerous as other threats that people put a lot of effort into avoiding [0].

I don't see how trusting the manufacturer when buying the product is any different from trusting him down the road.

I was talking about malicious third parties. Obviously, planting something in difficult-to-upgrade persistent memory is a lucrative target for attackers; manipulating firmware becomes plain uninteresting in the other case.

> The companies that should be rewarded are the ones that release
> firmware, source code, and tool chain. E.g., Thinkpenguin and the TPE-R1100.
> Indeed, we ought to put our money where our mouth is, i.e. back the
> companies which are helping the cause of free software/hardware.

I don't think they actually produce any silicon, toolchain or firmware themselves. At least I didn't find a link to it. So they are basically using other people's silicon, toolchain and firmware. Giving them credit for complying with the GPL is not quite right either. (But I don't know who's behind Thinkpenguin, and it looks like a great accomplishment.)

To independently verify the claim that the firmware they are using is indeed fixed would actually require them to release both schematics and datasheets of their designs.

[0] https://www.wired.com/2015/02/nsa-firmware-hacking/