https://labs.parabola.nu/https://labs.parabola.nu/favicon.ico?15367742552020-10-11T01:30:07ZParabola Issue TrackerPackages - Freedom Issue #2909: fwupd has a nonfree repository Was: Do check fwupdhttps://labs.parabola.nu/issues/2909?journal_id=154372020-10-11T01:30:07ZGNUtooGNUtoo@cyberdimension.org
<ul></ul><p>I found some highly suspicious files:<br /><pre>
$ pacman -Q -l fwupd | grep -i lvfs
fwupd /etc/fwupd/remotes.d/lvfs-testing.conf
fwupd /etc/fwupd/remotes.d/lvfs.conf
[...]
$ cat /etc/fwupd/remotes.d/lvfs.conf
[fwupd Remote]
# this remote provides metadata and firmware marked as 'stable' from the LVFS
Enabled=true
Title=Linux Vendor Firmware Service
Keyring=gpg
MetadataURI=https://cdn.fwupd.org/downloads/firmware.xml.gz
ReportURI=https://fwupd.org/lvfs/firmware/report
OrderBefore=fwupd
</pre></p>
<p><a class="external" href="https://cdn.fwupd.org/downloads/firmware.xml.gz">https://cdn.fwupd.org/downloads/firmware.xml.gz</a> seems to contain references to many nonfree firmwares.</p> Packages - Freedom Issue #2909: fwupd has a nonfree repository Was: Do check fwupdhttps://labs.parabola.nu/issues/2909?journal_id=154392020-10-11T09:44:51Zbill-auger
<ul><li><strong>Related to</strong> <i><a class="issue tracker-4 status-3 priority-4 priority-high4 parent" href="/issues/1035">Freedom Issue #1035</a>: [your-system-sanity]: Non-Free Software From Third-party Package Managers (TPPM)</i> added</li></ul> Packages - Freedom Issue #2909: fwupd has a nonfree repository Was: Do check fwupdhttps://labs.parabola.nu/issues/2909?journal_id=154402020-10-11T09:55:15Zbill-auger
<ul></ul><p>GNUtoo -</p>
<p>i notice that you do not fill in the descriptions for new<br />tickets that you open; but instead add a secondary comment<br />with the details later - the initial ticket form should have<br />a text field for the description - i wonder is the interface<br />broken for you maybe</p>
<p>this is also peculiar, because some people are not allowed to<br />submit the ticket if the description field is empty - redmine<br />normally rejects the post, with an error message: "description<br />can not be empty" - i have not investigated that, but i assumed<br />it was a global behavior</p> Packages - Freedom Issue #2909: fwupd has a nonfree repository Was: Do check fwupdhttps://labs.parabola.nu/issues/2909?journal_id=154492020-10-11T17:24:44ZGNUtooGNUtoo@cyberdimension.org
<ul></ul><blockquote>
<p>i notice that you do not fill in the descriptions for new<br />tickets that you open; but instead add a secondary comment<br />with the details later - the initial ticket form should have<br />a text field for the description - i wonder is the interface<br />broken for you maybe</p>
</blockquote>
The reason is simple:
<ul>
<li>The first description cannot be edited later on</li>
<li>I often make mistakes also because I've no preview without JavaScript<sup><a href="#fn1">1</a></sup>.</li>
</ul>
<p id="fn1" class="footnote"><sup>1</sup> JavaScript isn't bad per-se but here it acts as arbitrary execution of code, can be viewed as a security issue, depending on your threat model. It is a good practice to not tie the security of one's computer to the computer(s) serving the JavaScript code and all the infrastructure in between (SSL PKI).</p> Packages - Freedom Issue #2909: fwupd has a nonfree repository Was: Do check fwupdhttps://labs.parabola.nu/issues/2909?journal_id=154532020-10-11T23:02:45Zbill-auger
<ul></ul><p>ok, understood - the description can be edited; but it does<br />require javascript to expose the form</p>
<p>this is the HTML element definition:</p>
<pre>
&lt;span id="issue_description_and_toolbar" style="display:none"&gt;
</pre>
<p>you could probably do some magic by injecting some CSS with some<br />styling tool, to make the form always exposed</p>
<pre>
#issue_description_and_toolbar { display: block ; }
</pre>
<p>or with local javascript/greasemonkey:</p>
<pre>
document.getElementById('issue_description_and_toolbar').style.display = 'block';
</pre>
<p>a better solution would be to prevent redmine from hiding it for<br />admins and the OP - im sure thats a simple change</p> Packages - Freedom Issue #2909: fwupd has a nonfree repository Was: Do check fwupdhttps://labs.parabola.nu/issues/2909?journal_id=169452022-03-11T15:10:25ZGNUtooGNUtoo@cyberdimension.org
<ul><li><strong>Status</strong> changed from <i>unconfirmed</i> to <i>confirmed</i></li><li><strong>Subject</strong> changed from <i>Do check fwupd</i> to <i>fwupd has a nonfree repository Was: Do check fwupd</i></li></ul><p>Guix has a patch with a patch to remove lvfs: <a class="external" href="https://issues.guix.gnu.org/46278">https://issues.guix.gnu.org/46278</a></p> Packages - Freedom Issue #2909: fwupd has a nonfree repository Was: Do check fwupdhttps://labs.parabola.nu/issues/2909?journal_id=169472022-03-11T15:28:13ZGNUtooGNUtoo@cyberdimension.org
<ul><li><strong>Assignee</strong> set to <i>GNUtoo</i></li></ul><p>I've just blacklisted the package in the blacklist repository, and also gnome-firmware whose only goal seems to be a graphical interface on top of fwupd.<br /><pre>
f084014 Add gnome-firmware
1e458d4 Add fwupd
</pre></p> Packages - Freedom Issue #2909: fwupd has a nonfree repository Was: Do check fwupdhttps://labs.parabola.nu/issues/2909?journal_id=169482022-03-11T15:28:22ZGNUtooGNUtoo@cyberdimension.org
<ul><li><strong>Status</strong> changed from <i>confirmed</i> to <i>fixed</i></li></ul> Packages - Freedom Issue #2909: fwupd has a nonfree repository Was: Do check fwupdhttps://labs.parabola.nu/issues/2909?journal_id=177352022-06-22T01:28:17ZMegver83megver83@parabola.nu
<ul></ul><p>Do we really want this? this issue is similar to the ones of third party package managers (pip, npm, flatpak) which offer both free and non-free software. However, the big difference here is that fwupd manages firmware updates, which are a critical component. I think it should not be blacklisted, specially because it provides updates for coreboot devices (e.g. System76)</p> Packages - Freedom Issue #2909: fwupd has a nonfree repository Was: Do check fwupdhttps://labs.parabola.nu/issues/2909?journal_id=177362022-06-22T05:28:30Zbill-auger
<ul><li><strong>Description</strong> updated (<a title="View differences" href="/journals/17736/diff?detail_id=9203">diff</a>)</li></ul> Packages - Freedom Issue #2909: fwupd has a nonfree repository Was: Do check fwupdhttps://labs.parabola.nu/issues/2909?journal_id=177372022-06-22T05:38:25Zbill-auger
<ul><li><strong>Related to</strong> <i><a class="issue tracker-4 status-2 priority-3 priority-default closed" href="/issues/3299">Freedom Issue #3299</a>: [kinfocenter]: blacklisted fwupd is a dependency</i> added</li></ul> Packages - Freedom Issue #2909: fwupd has a nonfree repository Was: Do check fwupdhttps://labs.parabola.nu/issues/2909?journal_id=177392022-06-22T05:44:25Zavalos
<ul></ul><blockquote>
<p>However, the big difference here is that fwupd manages firmware updates, which are a critical component.</p>
</blockquote>
<p>Firmware is indeed critical, so maybe we should not allow the manufacturer to introduce backdoors or shady stuff in further versions.</p>
<blockquote>
<p>I think it should not be blacklisted, specially because it provides updates for coreboot devices (e.g. System76)</p>
</blockquote>
<p>I don't think that's relevant at all. FSDG doesn't care about how important it is for you to update your blob-infested System76 laptop, but rather about shipping a system that is as free as possible, which blacklisting <code>fwupd</code> would help achieve.</p>
<blockquote>
<p>Do we really want this? this issue is similar to the ones of third party package managers (pip, npm, flatpak) which offer both free and non-free software.</p>
</blockquote>
<p>Well, seeing it from that perspective, then yeah, maybe <code>fwupd</code> shouldn't be blacklisted, it's just that maybe most firmware is proprietary. I don't know, avoiding proprietary firmware feels like one of the main reasons things like Parabola and Linux-libre exist, so it doesn't feel right to have a tool like this.</p>
<p>Let me know what y'all think.</p> Packages - Freedom Issue #2909: fwupd has a nonfree repository Was: Do check fwupdhttps://labs.parabola.nu/issues/2909?journal_id=177402022-06-22T17:37:45Zgap
<ul></ul><p>See also <a class="issue tracker-4 status-2 priority-1 priority-lowest closed" title="Freedom Issue: [fwupd]: is an auto-updater , may also download proprietary firmware (fixed)" href="https://labs.parabola.nu/issues/3000">#3000</a>.<br />As mentioned there, we can either:<br />1. Blacklist entirely<br />2. Blacklist and replace with libre version which patches out references to LVFS<br />3. Number 2 but also add references to an LVFS replacement repo which only hosts libre firmware</p>
<p>As 3 is not yet possible due to no such repo existing and 2 would incur a maintenance overhead for a package that doesn't do much in the free world because no FSDG-compliant repo exists to use it with, 1 is the only option we have at the moment.</p>
<p>Please add any other options if you think of one.</p> Packages - Freedom Issue #2909: fwupd has a nonfree repository Was: Do check fwupdhttps://labs.parabola.nu/issues/2909?journal_id=180162022-09-06T20:00:37Zbill-auger
<ul><li><strong>Related to</strong> <i><a class="issue tracker-4 status-2 priority-1 priority-lowest closed" href="/issues/3000">Freedom Issue #3000</a>: [fwupd]: is an auto-updater , may also download proprietary firmware</i> added</li></ul> Packages - Freedom Issue #2909: fwupd has a nonfree repository Was: Do check fwupdhttps://labs.parabola.nu/issues/2909?journal_id=184212022-12-21T17:07:56Zbill-auger
<ul><li><strong>Related to</strong> <i><a class="issue tracker-4 status-2 priority-3 priority-default closed" href="/issues/3270">Freedom Issue #3270</a>: [fwupd-efi] Appears only to be useful with blacklisted [fwupd]</i> added</li></ul>
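<p>Added example, not part of the thread and not fwupd or Parabola code: a small Python audit for the remote files quoted in the first comment. It parses each <code>*.conf</code> under <code>/etc/fwupd/remotes.d</code> and reports remotes that are enabled and fetch their metadata from a network host, which is the condition the ticket objects to. Assumptions: the function names are hypothetical, and a missing <code>Enabled</code> key is treated as disabled.</p>

```python
import configparser
from pathlib import Path
from urllib.parse import urlparse

# Constructed sample: the lvfs.conf contents quoted in the first comment.
SAMPLE_LVFS = """\
[fwupd Remote]
# this remote provides metadata and firmware marked as 'stable' from the LVFS
Enabled=true
Title=Linux Vendor Firmware Service
Keyring=gpg
MetadataURI=https://cdn.fwupd.org/downloads/firmware.xml.gz
ReportURI=https://fwupd.org/lvfs/firmware/report
OrderBefore=fwupd
"""

def parse_remote(text, name="<inline>"):
    """Return a summary of one remote file, or None if it is not a remote."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the keys' case as written in the file
    try:
        cp.read_string(text, source=name)
    except configparser.Error:
        return None  # unparseable file: skipped here, worth a manual look
    if not cp.has_section("fwupd Remote"):
        return None
    sec = cp["fwupd Remote"]
    uri = sec.get("MetadataURI", "")
    parsed = urlparse(uri)
    return {
        "name": name,
        # Assumption: a missing Enabled key counts as disabled.
        "enabled": sec.getboolean("Enabled", fallback=False),
        "metadata_uri": uri,
        "host": parsed.hostname,
        "network": parsed.scheme.lower() in ("http", "https"),
    }

def audit(directory="/etc/fwupd/remotes.d"):
    found = []  # enabled remotes whose metadata comes from a network host
    for path in sorted(Path(directory).glob("*.conf")):
        info = parse_remote(path.read_text(), path.name)
        if info and info["enabled"] and info["network"]:
            found.append(info)
    return found

if __name__ == "__main__":
    for r in audit():
        print(f"{r['name']}: enabled, fetches {r['metadata_uri']}")
```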