Freedom issue #2909

Do check fwupd

GNUtoo - 20 days ago. Updated 19 days ago.

Status: unconfirmed
Priority: bug
Assignee: -
% Done: 0%

Related issues

Related to Packages - Freedom issue #1035: [your-system-sanity]: Non-Free Software From Third-party Package Managers (in progress)

History

#1

Updated by GNUtoo 20 days ago

We ship the fwupd package unmodified from the various archlinux GNU/Linux distributions.

On i686 it comes from community:

$ pacman -sS fwupd
community/fwupd 1.4.6-1.0 [installed]
    Simple daemon to allow session software to update firmware
community/gnome-firmware 3.36.0-2.0
    Manage firmware on devices supported by fwupd

fwupd is a daemon that is meant to update various firmwares [1], regardless of whether they are free or not.

So it's a bit like a package manager for firmwares.

So if it has not been done already, it would be a good idea to check if its configuration is ok or not.

At least one firmware (for the color huges if I recall the name well) is free software and known to be available through this system, so it might be a good idea to check if free firmwares are completely ok and keep such firmwares if that's easy to do.

[1] Here firmware means code that is in various devices and not part of the operating system, so from SSD firmwares to even BIOS/UEFI.

#2

Updated by GNUtoo 20 days ago

I found some highly suspicious files:

$ pacman -Q -l  fwupd | grep -i lvfs
fwupd /etc/fwupd/remotes.d/lvfs-testing.conf
fwupd /etc/fwupd/remotes.d/lvfs.conf
[...]
$ cat /etc/fwupd/remotes.d/lvfs.conf
[fwupd Remote]

# this remote provides metadata and firmware marked as 'stable' from the LVFS
Enabled=true
Title=Linux Vendor Firmware Service
Keyring=gpg
MetadataURI=https://cdn.fwupd.org/downloads/firmware.xml.gz
ReportURI=https://fwupd.org/lvfs/firmware/report
OrderBefore=fwupd

https://cdn.fwupd.org/downloads/firmware.xml.gz seems to contain references to many nonfree firmwares.
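
An added example (not part of the ticket and not fwupd's own code): a Python script that performs the configuration check discussed above by listing every enabled remote in a remotes.d directory whose MetadataURI is fetched over the network. The `example-*.conf` files and the handling of a missing `Enabled` key are assumptions, and all sample data is constructed.

```python
import configparser
import tempfile
from pathlib import Path
from urllib.parse import urlparse

SECTION = "fwupd Remote"  # section name used in the lvfs.conf quoted above


def audit_remotes(remotes_dir):
    """Return (file name, title, MetadataURI) for every enabled remote
    that fetches its metadata over the network."""
    findings = []
    for conf in sorted(Path(remotes_dir).glob("*.conf")):
        parser = configparser.ConfigParser(interpolation=None)
        parser.read(conf, encoding="utf-8")
        if not parser.has_section(SECTION):
            continue
        remote = parser[SECTION]
        # Assumption: a remote without an Enabled key is reported as enabled,
        # so that it gets reviewed by hand instead of being skipped silently.
        enabled = remote.getboolean("Enabled", fallback=True)
        uri = remote.get("MetadataURI", fallback="")
        if enabled and urlparse(uri).scheme in ("http", "https"):
            findings.append((conf.name, remote.get("Title", fallback=""), uri))
    return findings


def demo():
    # Constructed sample files; only lvfs.conf mirrors the content quoted above.
    samples = {
        "lvfs.conf": "[fwupd Remote]\n# stable firmware from the LVFS\n"
                     "Enabled=true\nTitle=Linux Vendor Firmware Service\n"
                     "Keyring=gpg\n"
                     "MetadataURI=https://cdn.fwupd.org/downloads/firmware.xml.gz\n",
        "example-disabled.conf": "[fwupd Remote]\nEnabled=false\n"
                                 "MetadataURI=https://example.invalid/fw.xml.gz\n",
        "example-local.conf": "[fwupd Remote]\nEnabled=true\n"
                              "MetadataURI=file:///srv/firmware\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, text in samples.items():
            Path(tmp, name).write_text(text, encoding="utf-8")
        return audit_remotes(tmp)


if __name__ == "__main__":
    for name, title, uri in demo():
        print(f"{name}: enabled network remote '{title}' -> {uri}")
```

On an installed system, call `audit_remotes("/etc/fwupd/remotes.d")` to review the shipped configuration.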

#3

Updated by bill-auger 19 days ago

  • Related to Freedom issue #1035: [your-system-sanity]: Non-Free Software From Third-party Package Managers added

#4

Updated by bill-auger 19 days ago

GNUtoo -

i notice that you do not fill in the descriptions for new
tickets that you open; but instead add a secondary comment
with the details later - the initial ticket form should have
a text field for the description - i wonder is the interface
broken for you maybe

this is also peculiar, because some people are not allowed to
submit the ticket if the description field is empty - redmine
normally rejects the post, with an error message: "description
can not be empty" - i have not investigated that, but i assumed
it was a global behavior

#5

Updated by GNUtoo 19 days ago

i notice that you do not fill in the descriptions for new
tickets that you open; but instead add a secondary comment
with the details later - the initial ticket form should have
a text field for the description - i wonder is the interface
broken for you maybe

The reason is simple:
  • The first description cannot be edited later on
  • I often make mistakes, also because I've no preview without JavaScript [1].

[1] JavaScript isn't bad per se, but here it acts as arbitrary execution of code, which can be viewed as a security issue, depending on your threat model. It is a good practice to not tie the security of one's computer to the computer(s) serving the JavaScript code and all the infrastructure in between (SSL PKI).

#6

Updated by bill-auger 19 days ago

ok, understood - the description can be edited; but it does
require javascript to expose the form

this is the HTML element definition:

<span id="issue_description_and_toolbar" style="display:none">

you could probably do some magic by injecting some CSS with some
styling tool, to make the form always exposed

/* !important is needed to override the element's inline display:none */
#issue_description_and_toolbar { display: block !important; }

or with local javascript/greasemonkey:

// plain DOM elements have no show() method, so set the style directly
document.getElementById('issue_description_and_toolbar').style.display = 'block';

a better solution would be to prevent redmine from hiding it for
admins and the OP - i'm sure that's a simple change
