From: David Craven
Subject: Re: [GNU-linux-libre] Free firmware - A redefinition of the term and a new metric for it's measurement.
Date: Tue, 14 Feb 2017 19:43:48 +0100
To: Denis 'GNUtoo' Carikli
Cc: guix-devel, Workgroup for fully free GNU/Linux distributions

Hi Denis,

Thank you for your extensive feedback.

> With that we can still use WiFi by ignoring the intel wifi card and
> using a USB wifi card instead.

I considered using this option but realized that I had a buggy thunderbolt controller in my laptop, which I can only update from a windows computer and therefore know for sure can be modified remotely, and which poses a much larger security issue, so I would not actually gain anything from replacing my wifi card.
And besides these obvious and visible firmwares I have no clue what other non-free firmware is running on my laptop. I concluded that if I didn't know, then likely most linux-libre users didn't know either and were likely much less aware of what that could actually mean.

While obviously you understand hardware and the hardware you are using, most people do not. And I think we need to make sure that people that don't - I consider myself being one of those people - can do the *best* with what we have and have the information available to us to make informed decisions.

I bought my dell xps developer edition before I had any involvement with a GNU project, and I bought it because dell was actually providing at least some kind of linux support. I currently can't afford to buy a new laptop even if the one you are using is much more free. Besides, I have the dream of building a replacement mainboard with a RISCV SoC for it. But that is still beyond my capabilities :)

FYI: This dream mainboard would also feature a software defined radio [0] instead of a wifi card - another interesting free hardware project, although the sources have not been released yet.

Another thing I found very frustrating was a conversation that I had on IRC. It went like this:

Can guixsd run on a RPiv2?
Yes, sure. You'll need to use vanilla linux and add some firmware, I'll show you how to do it.
No thank you. I don't want to use binary blobs. I'll just use another distro until guixsd works without binary blobs.

I expect that everyone recognizes the irony in that.

> While this is really great and that each new free firmware is a great
> achievement

I agree.

> When taking security seriously, the fact that a non-free firmware is
> running in peripherals that can have access to the main system's RAM
> has to be taken into account.
>
> However I don't have a clear idea on whether it has to be dealt with
> within free software policies or not, and how much it is in the scope
> of free software.
>
> I don't think we, as the free software community, can ignore it as it
> means that some non-free code can take control of your computer...

Yes, with buggy thunderbolt controllers this is becoming a real problem.

> For instance in Replicant, we decided not to focus on devices that can
> permit non-free firmwares to take control of the main processor, and
> instead to prioritize work on devices where the hardware doesn't have
> any physical ways to allow a non-free firmware to access the main
> processor's RAM.

Replicant looks very interesting, especially since I owned quite a few of those nexus devices that are supported. Sadly not anymore :/

I wasn't aware that there was so much documentation available about mobile devices. How do you know all that stuff? :)

Thank you for your input,
David

[0] https://xtrx.io/