Bug#916036: Install fwupd on a default installation
Luca Boccassi
bluca at debian.org
Wed Dec 26 21:42:00 GMT 2018
On Wed, 2018-12-26 at 21:32 +0000, Steve McIntyre wrote:
> On Wed, Dec 26, 2018 at 10:27:35PM +0100, Cyril Brulebois wrote:
> > Steve McIntyre <steve at einval.com> (2018-12-26):
> > > > Philipp Kern <pkern at debian.org> (2018-12-26):
> > > > > I'm not sure, though, if there is some philosophical
> > > > > objection here in
> > > > > that fwupd downloads non-free blobs and/or that Debian does
> > > > > not actually
> > > > > ship the blobs themselves.
> > > >
> > > > FWIW both parts seem unacceptable to me, esp. in a default
> > > > installation.
> > >
> > > They're not all necessarily non-free, but it's a useful service
> > > for
> > > people to make safe firmware updates easy.
> >
> > How do we know those blobs are safe, and that they won't change all
> > of a
> > sudden if they aren't hosted on Debian infrastructure?
>
> We *don't* directly, but they blobs are signed and placed online by
> the vendors. LVFS (the online backend) is a good Free
> Software-friendly service.
>
> This is a major step forwards from the old Windows-only ot "boot a
> DOS
> floppy" style of firmware updates.
To add my 2c to that, we also don't know that the firmware that is
installed on the machine at the factory is secure - but we know it's
outdated, and we know that security-related new versions are common
enough to be worth worrying about.
--
Kind regards,
Luca Boccassi
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: This is a digitally signed message part
URL: <http://alioth-lists.debian.net/pipermail/pkg-gnome-maintainers/attachments/20181226/a9e618c3/attachment-0001.sig>
More information about the pkg-gnome-maintainers
mailing list