From mboxrd@z Thu Jan  1 00:00:00 1970
From: Tobias Platen <trisquel@platen-software.de>
Subject: Re: Meltdown / Spectre
Date: Wed, 10 Jan 2018 13:35:37 +0100
Message-ID: <4b496567-2d50-6973-0eda-7c18946dac1b@platen-software.de>
References: <874lnzcedp.fsf@gmail.com> <20180106174358.GA28436@jasmine.lan>
	<87lghapeu5.fsf@gmail.com> <87incc6z9o.fsf@gmail.com>
	<87fu7g436e.fsf@fastmail.com> <87vagad3xx.fsf@netris.org>
	<87tvvukqct.fsf@gmail.com> <87efmy9bml.fsf@hyperbola.info>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:34328)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <trisquel@platen-software.de>) id 1eZFbK-0002RN-Ih
	for guix-devel@gnu.org; Wed, 10 Jan 2018 07:35:27 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <trisquel@platen-software.de>) id 1eZFbF-0006r1-KD
	for guix-devel@gnu.org; Wed, 10 Jan 2018 07:35:25 -0500
Received: from v2201304502512175.yourvserver.net ([37.221.197.247]:56417
	helo=v220100350252766.yourvserver.net)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <trisquel@platen-software.de>) id 1eZFbF-0006qc-CA
	for guix-devel@gnu.org; Wed, 10 Jan 2018 07:35:21 -0500
Received: from [192.168.0.22] (p54A26421.dip0.t-ipconnect.de [84.162.100.33])
	by v220100350252766.yourvserver.net (Postfix) with ESMTPSA id
	85727140D3E
	for <guix-devel@gnu.org>; Wed, 10 Jan 2018 13:35:17 +0100 (CET)
In-Reply-To: <87efmy9bml.fsf@hyperbola.info>
Content-Language: en-US
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel/>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
To: guix-devel@gnu.org



On 10.01.2018 12:49, Adonay Felipe Nogueira wrote:
> I don't know if this serves as guidance as to if microcode is functional
> or not, but from [1] I quote:
> 
> #+BEGIN_QUOTE
> 
> However, there is an exception for secondary embedded processors. The
> exception applies to software delivered inside auxiliary and low-level
> processors and FPGAs, within which software installation is not intended
> after the user obtains the product. This can include, for instance,
> microcode inside a processor, firmware built into an I/O device, or the
> gate pattern of an FPGA. The software in such secondary processors does
> not count as product software.
As an example there is still proprietary formware on the embedded 
controller of the Thinkpads supported by libreboot.
> 
> #+END_QUOTE
> 
> My (perhaps uninformed) opinion is that it's functional data, but not
> the sort of "functional" that every human would be allowed to modify
> after it was first written.
> 
> [1] <https://www.fsf.org/resources/hw/endorsement/criteria>.
> 
> 2018-01-10T01:36:18-0800 Chris Marusich wrote:
>> According to the user named _4of7 in the #libreboot channel of the
>> Freenode IRC network, the email list development@libreboot.org is down.
>> So the Libreboot maintainers have probably not seen this email thread.
>>
>> According to _4of7, currently the best way to contact the Libreboot
>> maintainers is IRC.  It would probably be best to ask there.  If you get
>> a response, please don't forget to update us here on this thread!
>>
>> When I asked in #freenode today, _4of7 responded as follows:
>>
>>    <_4of7> There's not much we can do from the Libreboot side, but there are
>>    <_4of7> mitigations on kernel side... since it's exploitable from javascript
>>    <_4of7> you could also e.g. not run JavaScript. specing on #libreboot IRC had
>>    <_4of7> the idea to run Firefox without the JIT enabled - we both tried to
>>    <_4of7> compile the latest ESR however, with --disable-ion, and it segfaulted.
>>    <_4of7> I tried to build ff 45esr instead, but that build failed.
>>
>> I'm not sure who _4of7 is, so I don't know if they speak for the
>> Libreboot project.
Leah Rowe uses the nickname _4of7 on IRC, she is the founder of Libreboot
>>
>>
>> Does the GNU Project have a policy regarding this sort of thing?  I
>> wasn't able to find any articles on gnu.org that discuss it.
>>
>> If no such policy exists, then should this topic be discussed somewhere
>> like gnu-system-discuss@gnu.org?  I don't know where discussions like
>> this normally take place within the GNU project.  It's definitely a
>> discussion worth having, though.
>