Lenovo To Make Their BIOS/UEFI Updates Easier For Linux Users Via LVFS

  • #11
    Does anyone know why fwupd/LVFS uses a separate repository to download from instead of downloading from a distro's repos like we already do for all packages?



    • #12
      Originally posted by aaahaaap
      Does anyone know why fwupd/LVFS uses a separate repository to download from instead of downloading from a distro's repos like we already do for all packages?
      Because it's managing firmware that is not distro-specific as it is using standard UEFI interfaces to install it, and is also a blob.

      There is little reason to have it go through the usual packaging and testing and QA of each distro.
      Last edited by starshipeleven; 06 August 2018, 10:34 AM.



      • #13
        Are they even trustworthy? They injected spyware / malware in their UEFI blobs in the past. Their hardware is nice, but their firmware is trash.
        Last edited by shmerl; 06 August 2018, 11:40 AM.



        • #14
          Oh great, I'll have to take a look and see if my ThinkStation is working.

          Update: turns out the ThinkStation P410 is not in there yet.
          Last edited by microcode; 06 August 2018, 11:48 AM.



          • #15
            Originally posted by shmerl
            Are they even trustworthy? They injected spyware / malware in their UEFI blobs in the past. Their hardware is nice, but their firmware is trash.
            Their firmware is pretty decent actually, by UEFI standards anyway. For example it usually supports the UEFI capsule feature (necessary for this tool to work at all), which is uncommon even for HP, not to mention consumer brands like Asus, Acer and friends.

            It seems they learned the lesson about injecting questionable applications as Windows payloads in their UEFI, afaik it didn't happen again.
            Last edited by starshipeleven; 06 August 2018, 11:40 AM.



            • #16
              Originally posted by starshipeleven
              It seems they learned the lesson about injecting questionable applications as Windows payloads in their UEFI, afaik it didn't happen again.
              And you are willing to trust them on that? A pity recent laptops aren't supported by CoreBoot or something of that sort.



              • #17
                Too bad Solus is still working on integrating fwupd, else I could've updated my shiny new ThinkPad right now.



                • #18
                  Originally posted by shmerl
                  And you are willing to trust them on that?
                  Yeah, I do.

                  Let's have a look again at what they actually did, using a somewhat biased article https://www.makeuseof.com/tag/securi...-avoid-lenovo/

                  1. crappy bloatware program on Windows that tracks users somehow, every other OEM has one, this was probably more sloppy than average.
                  1a. it was using a standard Windows/UEFI feature to reinstall it on boot. Hilarious that someone designed such features to begin with, but Linux does not support that crap anyway.

                  2. crappy bloatware program on Windows is coded like shit to do what it is supposed to do and makes the PC more vulnerable. Not "malware" per se, it's just written by monkeys.

                  3. more crappy bloatware programs on Windows tracking the user

                  4. A new and improved crappy bloatware Windows program with privilege escalation vulnerabilities.

                  For Linux all four are completely irrelevant, so if we are talking of Linux it's a "case closed" right here.

                  For Windows, considering that HP and other consumer brands like Asus and Acer fill your PC to the brim with bullshit programmed by monkeys and user trackers anyway, I don't see that as particularly bad either.

                  It's garden variety bloatware that can be uninstalled in a couple clicks, and for sure won't survive a Windows reinstall (which is what most people recommend whenever you buy a new PC, strangely).

                  The only thing that actually was annoying is 1. as it was being reinstalled on reboot, but they were quick enough to react and have never done that again, so I guess they learned the lesson.

                  For the sake of pointing out that the article I cited is rigged, I'll also point out that the issue they point out about Lenovo hardware (hinges on a low-end model suck), that is so fucking common on low end HP and Acer that I'm surprised that it's cited as a "reason to not buy Lenovo". Just don't buy 500$ laptops and expect them to be sturdy, as they aren't.



                  • #19
                    Awesome! Finally!



                    • #20
                      Originally posted by tpruzina
                      -images-
                      Yeah, UEFI is a security trainwreck overall, that's why I had the "by UEFI standards anyway" caveat. I meant more about functionality, stability and Linux friendliness (aka decent ACPI tables).

                      But still, Lenovo is with the "better ones" there too, whatever that may mean.

                      And Dell actually knows its shit, they are the ones offering laptops with ME disabled with the killswitch and provide servers to the US government agencies under the supply program where they need to disable ME and all that crap after all.

