Originally posted by oiaohm
The vendor may go out of business, cease to be interested in a country when that country changes broadcasting regulations, tell you to buy a new gadget, or whatever.
Your point is valid but the consequence is you must look for devices with free firmware. Then others can fix it and adapt it to new laws, vulnerabilities, or whatever.
And if laws don't allow that, then we need better laws.
The firmware blobs the Linux kernel loads do not go into eprom; also, none of them have any restriction against downgrading.
I can imagine devices only accepting signed firmware or at least increasing version numbers or whatever.
Allowing the OS to load the device firmware into RAM on the card/device reduces hardware bricking risk.
Nobody is against upgradeable firmware. We just want it free. So if it is proprietary we try to buy some other hardware, and when not possible, at least don't load it because we can't know it's good.
This bit from the libre guys really does not make sense. From a security point of view old firmware in eeprom on the card and loading old closed-source firmware binaries from the OS provides the same security risks.
It's not really auditable and it could do whatever. But every time you upgrade firmware you're taking that risk once again.
Trusting a vendor to be good once is less trust than trusting it to keep good forever.
Blocking loading closed source drivers in kernel space makes sense like the Nvidia binary blob. Going after hardware that has been designed from the ground up to have the firmware as open source as possible also makes sense.
Please note that libre deblobbing has broken some of those in the past that have open source firmware for their devices; of course, these are devices that need the driver to provide the firmware.
The problem is that upstream has very different criteria, so it's either build something new with better criteria (Hurd?) and wait until it's ready, or take all the job in upstream Linux. But then you have a lot of work to correct the work done under different criteria, and sometimes some mistakes slip doing that.
You can blame linux-libre for not deblobbing well enough. I can blame Linux for enabling blob loading everywhere.
The point is that both projects will probably keep doing what they do.