On May 29, 2022, at 6:40 PM, Theodore Ts'o <ty...@mit.edu> wrote:
>On Sun, May 29, 2022 at 05:33:21PM -0400, Bobby wrote: > FWIW, as a 10+ years >user (first time caller :p) I strongly support > sticking with the status quo. >There are plenty of systems that don't > require firmware to work, and often >when people say it doesn't "work" > they really mean that its functionality is >more limited. Unfortunately, that's not true. Without the firmware, in many >cases on modern laptops (for example, the Samsung Galaxy Book 360) the WiFi >and Ethernet devices will simply *not* *work*. If the user has only downloaded >the Netinst installer onto a USB stick (since most modern laptops also don't >have DVD drives), they will not be able to install their system. This is a >rather negative user experience. > Further, there are security concerns with >blobs. Yes, we can get > microcode updates, but were those updates themselves >actually audited? > As far as I know, they are just as opaque as the code >they're > replacing. They could be making security worse, and we won't know > >until someone finds the exploits. The rare event where a microcode > update is >released and it increases security is far outweighed by the > vast majority of >the situations where installing opaque code is > detrimental to security. On >many modern peripherals, the microcode updates are digitally signed by the >manufacturer. So if you didn't trust, say, the CPU updated microcode for your >Intel processor, why are you trusting the original CPU microcode, which would >have also come from Intel? > If people are unhappy with the status quo, my >proposal would be to > encourage more people to work on free alternatives. >There is an ocean > of possibilities here, from open hardware to reverse >engineering. My > feeling is that a lot more could be done to better support >hardware > that doesn't involve non-free code at all. There are many free > >projects that have never made it to Debian. Unfortunately, if you want a >modern laptop, which supports the latest WiFi standards, and which is thin and >light, you're not going to find one which is using purely free alternatives. >100% free laptop alternatives do exist, but typically you will end up are >using ten year old hardware, or the devices are significantly heavier and more >cumbersome. And unfortunately, open hardware is signficantly more difficult >and requires far more capital outlay than "open software". Simply encouraging >more people to work on free alternatives is not going to be enough unless >someone is willing bankroll these efforts to the tunes of millions of dollars. >If people want to use really awful, old hardware, all in the name of "free >software", they should certainly have the freedom to do so, and it should be >easy for them to make sure that the purity of their system is not compromised. >However, if someone has already purchased the hardware, it's rather horrible >user experience when they discover that Debian won't install a working system >on it, and to find the that the the non-free firmware in a locked filing >cabinet stuck in a disused lavatory with a sign on the door saying 'Beware of >the leopard'. Remember, the Debian Social Contract says that our priorities >are our users *and* free software. Making it nearly impossible for a novice >user to install Debian on their brand new laptop where Windows 10 and Ubuntu >just *works* might not be the best way of balancing the competing needs here >of the users and free software. Best regards, - Ted I personally need the non-free firmware and would like the non-free installer to be easy to locate.
