GNU Linux-libre 5.13-gnu Released For The Latest Kernel Deblobbing


  • #31
    Developer12. You haven't convinced me, but I just wanted to thank you for taking the time to give detailed explanations.

    On microcode introducing other vulnerabilities:

    - of course the patch breaks the published exploits or alleviates something. It would be ridiculous to put out a patch that leaves the exploit working.

    - microcode is just one of the possible proprietary code loaded. The policy is general.

    - I still believe microcode can open vulnerabilities, or incompletely patch already known ones so that they are restricted to unknown cases and seem fixed. In any case, linux-libre can't evaluate them, precisely because they don't know the secrets of the CPU design. So linux-libre shouldn't have any obligation to warn anyone. That's the manufacturer's job. In the auto industry they wouldn't force the gas station workers to tell owners of a certain model of car that they should visit the workshop. They recall vehicles by calling owners or publishing notices in the press. Linux warns users simply because it's as if it were co-owned by Intel (part of the copyright certainly is). It works as part of the Intel distribution chain. Linux-libre is not owned by Intel and doesn't owe it anything, so they're free to choose which contributions from Intel to Linux they let into linux-libre.

    I agree with the RYF policy. If the user can't improve the code, then the vendor shouldn't be able to either. Trusting a vendor once (when you buy the equipment) is not a reason to trust them forever any time they want to publish proprietary code. I had written here longer about it (long?) ago. You obviously don't agree, but the fact that you understand it means that the certification works. I'll be more likely to buy RYF hardware and you'll be less. It correctly labels how the device works. If it started to make all sorts of exceptions then it'd end up meaningless.