Bug#916036: Install fwupd on a default installation
Philipp Kern
pkern at debian.org
Thu Dec 27 01:48:48 GMT 2018
On 26/12/2018 22:32, Steve McIntyre wrote:
> On Wed, Dec 26, 2018 at 10:27:35PM +0100, Cyril Brulebois wrote:
>> Steve McIntyre <steve at einval.com> (2018-12-26):
>>>> Philipp Kern <pkern at debian.org> (2018-12-26):
>>>>> I'm not sure, though, if there is some philosophical objection here in
>>>>> that fwupd downloads non-free blobs and/or that Debian does not actually
>>>>> ship the blobs themselves.
>>>>
>>>> FWIW both parts seem unacceptable to me, esp. in a default installation.
>>>
>>> They're not all necessarily non-free, but it's a useful service for
>>> people to make safe firmware updates easy.
>>
>> How do we know those blobs are safe, and that they won't change all of a
>> sudden if they aren't hosted on Debian infrastructure?
>
> We *don't* directly, but the blobs are signed and placed online by
> the vendors. LVFS (the online backend) is a good Free
> Software-friendly service.
Interestingly enough the vendor signs a blob (CAB file) and LVFS throws
it away and re-signs the blob with its own key. But then again I think
the base assumption is that the contained firmware images are themselves
signed as well and the BIOS does a check before ingesting them.
Obviously you end up with the usual concerns like the repository being
able to hold back updates from certain clients. The website's code is
supposedly available on https://github.com/hughsie/lvfs-website/ though
and I suppose a transparency effort could solve that particular problem,
too.
> This is a major step forwards from the old Windows-only or "boot a DOS
> floppy" style of firmware updates.
Oh yes. Not just that, also finding the right image to apply and then
figuring out how the hell to apply it is a solved problem with EFI-based
fwupdate.
Kind regards
Philipp Kern