Bug#898479: [gnome] gnome-software should detach fwupd as a dependency

kardan kardan at riseup.net
Sat May 12 15:45:22 BST 2018


> What is your exact privacy concern and why is it so important that it
> outweighs our users having outdated firmware for their hardware, some
> with potential known security vulnerabilities?

A service hosted by Amazon may not meet the high standards for FOSS.

My intention is to make the content of the article known to Debian
users. They shall be able to make an informed decision when they
enable this feature to update their firmware. Citing the article:

> According to the developer, fwupd.org is hosted on Amazon EC2. Amazon
> (besides many other companies as well) has donated $2000 per year to
> develop the project, and provides some hosting features for free as
> well. The fwupd.org domain name is registered in the personal name of the
> project’s developer (if you check from who.is).
> 
> The privacy policy page mentions that the metadata users send to
> fwupd.org is stored up to a maximum of 5 years:
> 
>     Anonymized user data (e.g. metadata requests) will be kept for a
> maximum of 5 years which allows us to project future service
> requirements and provide usage graphs to the vendor.

> The current CDN (~$100/month) is kindly sponsored by Amazon, but that
> won’t last forever and the donations I get for the LVFS service don’t
> cover the cost of using S3. Long term we are switching to a ‘dumb’
> provider (currently BunnyCDN) which works out 1/10th of the cost.

> We couldn’t find reports or sources on how many people in total are
> behind the whole project, or how many people are reviewing the
> pushed .cab files by vendors. The metadata stored on fwupd.org is
> said to be stored under a locked LUKS filesystem hosted on Amazon.
> 
> The other concerning issue is that the developers are not 100%
> financially covered. There have been multiple calls for donations by
> the developers:
> 
>     At the moment the secure part of the LVFS is hosted in a
> dedicated Scaleway instance, so any additional donations would be
> spent on paying this small bill and perhaps more importantly buying
> some (2nd hand?) hardware to include as part of our release-time QA
> checks.

According to this merge request the migration to a server under control
of the Linux Foundation is planned:

https://github.com/hughsie/fwupd/pull/444

> > If fwupd is an important service for the system, why is it only
> > included in GNOME?  
> 
> You're asking this question on a bug report for a GNOME package. The
> people responsible for that package generally don't have anything to
> do with other desktops. You're welcome to ask other desktops to
> implement this feature if you want.

Wouldn't it be more useful to provide software that does not depend
on a single DE for updating firmware?

Currently gnome-software seems to be the only software to update the
OEM firmware (BIOS): https://fwupd.org/users

The list of vendors not supporting fwupd is still long. For buying new
devices, the following lists may be useful:

https://fwupd.org/vendorlist
https://fwupd.org/lvfs/devicelist

Another question is who audits .cab files before they are delivered to
users:

> Vendors can push .cab files to users to be downloaded later by GNOME
> Software. These .cab files are claimed to be tested by a separate QA
> team before being released to users.

Where can I find more info about this QA team?

Best,
kardan



More information about the pkg-gnome-maintainers mailing list