From mboxrd@z Thu Jan  1 00:00:00 1970
From: Christopher Lemmer Webber <cwebber@dustycloud.org>
Subject: Re: Meltdown / Spectre
Date: Wed, 10 Jan 2018 00:43:56 -0600
Message-ID: <87608ausb7.fsf@dustycloud.org>
References: <874lnzcedp.fsf@gmail.com> <20180106174358.GA28436@jasmine.lan>
	<87lghapeu5.fsf@gmail.com> <87incc6z9o.fsf@gmail.com>
	<87fu7g436e.fsf@fastmail.com>
	<807794bd-5262-8b36-1f9f-dd3a316928ff@tobias.gr>
	<87d12i7pud.fsf@gmail.com>
Mime-Version: 1.0
Content-Type: text/plain
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:33021)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <cwebber@dustycloud.org>) id 1eZA7F-0005IU-KX
	for guix-devel@gnu.org; Wed, 10 Jan 2018 01:44:02 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <cwebber@dustycloud.org>) id 1eZA7E-0005yG-Qx
	for guix-devel@gnu.org; Wed, 10 Jan 2018 01:44:01 -0500
Received: from dustycloud.org ([2600:3c02::f03c:91ff:feae:cb51]:60262)
	by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
	(Exim 4.71) (envelope-from <cwebber@dustycloud.org>)
	id 1eZA7E-0005xv-Mg
	for guix-devel@gnu.org; Wed, 10 Jan 2018 01:44:00 -0500
In-reply-to: <87d12i7pud.fsf@gmail.com>
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel/>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
To: Katherine Cox-Buday <cox.katherine.e@gmail.com>
Cc: development@libreboot.org, guix-devel@gnu.org

Katherine Cox-Buday writes:

> Tobias Geerinckx-Rice <me@tobias.gr> writes:
>
>
>> I think the real and thornier question for GuixSD
>> is: if the recent CPU vulnerabilities require a
>> microcode update to fully mitigate, then how do we
>> square not recommending proprietary globs like
>> this in official channels with giving users all
>> knowledge required to decide for themselves?
>
> Yes, this exactly.
>
> It's a unique (hm, is it?) situation pitting the ideals of copyleft
> against the welfare of users. If an opaque microcode is required to
> successfully mitigate these bugs, what is the moral stance to take?
>
> I don't have an answer and that's why I'm asking here :)

It seems to me that this is one of those "you need to upgrade some
lowest level firmware which you already didn't have access to in order
to keep your system secure"... I dunno if GuixSD should ship something,
but I wouldn't blame anyone updating their microcode for something this
critical.

That said, if the microcode were free in the first place, this would
probably be a lot easier to deal with?