Re: [GNU-linux-libre] PureOS non-free repo

2018-01-22 Thread Denis 'GNUtoo' Carikli
On Sat, 20 Jan 2018 06:34:21 +0100
Jean Louis  wrote:
> Free GNU operating system can be free on one
> domain while other domain selling laptops
> requiring some proprietary software.
> 
> Then again, such laptop sales shall not be
> promoted as having operating system endorsed by
> FSF if such is not fully free.
I don't see the issue here. Shipping Trisquel or PureOS on laptops is
good. However Trisquel or PureOS should not promote non-free software.
Being able to run an FSDG (Free Software Distribution Guidelines)
compliant distribution is not enough for freedom though, but there is a
certification for full systems: The RYF (Respect Your Freedom)
certification. See fsf.org/ryf for more details.

> That is proprietary software within the CPU.
That proprietary software runs on a separate processor, and unlike the
BIOS/UEFI, it is not run by the main CPU.
When you buy a "discrete Intel CPU", nowadays, it also contains a GPU,
and also the management engine processor. They are all in the same
physical chip, but the management engine processor runs its own OS
and tries to prevent the main CPU from taking control of it.

> it further means that majority of Intel run computers are
> running non-free software on the CPU itself.
Not on the main CPU.

> The question is does the update of the Intel
> Management Engine constitute part of the operating
> system or not?
No, it's not. The flash chip that holds the BIOS/UEFI is partitioned
and has a partition for the management engine, and a partition for the
BIOS/UEFI.

> If such update is distributed by the operating
> system, then is the distribution free?
I guess that they do not distribute "BIOS updates" as part of the
operating system, but if they did, they would need to remove it to keep
being FSDG compliant.

> Even those computers using Libreboot are still
> using the Intel Management Engine.
Not all are. The Thinkpad X200 has a management engine but it is
deactivated by removing the code it's supposed to load.

> That is different branch of the fight for privacy. Best
> would be replacing Intel with free CPU. But does
> it exist?
Computers that work with only free software would be enough, with the
additional requirement of having also free software microcode.
Free systems can work without shipping or using non-free microcode
updates, but then years later you end up with issues like
Spectre and Meltdown that you cannot fix.
See this link for more details:
https://libreplanet.org/wiki/Group:Hardware/ReverseEngineering#CPU_Microcode

> Intel processors already contain inside Intel
> Management Engine, isn't that modified MINIX
> inside?
[...]
> It means there is no current solution to have Intel
> Management Engine as free software,
[...]

See my article about the management engine here for more details:
https://www.fsf.org/blogs/sysadmin/the-management-engine-an-attack-on-computer-users-freedom

Denis.




Re: [GNU-linux-libre] PureOS non-free repo

2018-01-20 Thread bill-auger
On 01/20/2018 01:54 PM, Caleb Herbert wrote:
> 
>> So in some ways maybe it could be seen as similar to RPM Fusion? 
> 
> That's what I think, and it makes sense that the RPM Fusion method was
> accepted, because the FSDG derives from Fedora guidelines.


to be clear, the "RPM Fusion method" is acceptable because fedora does
not officially endorse or even recommend it - its software is accessed
only by the user explicitly adding the foreign URL to their mirror list;
which could be any standard RPM repo hosted by anyone, just as ubuntu
"PPA"s can be easily used in trisquel or debian non-free repos can be
easily used in pureos and gnewsense, if the user chooses to do so - it is
not the aim of the FSDG to prevent users from installing their choice of
software; only that FSDG distros should not recommend or assist in using
non-free software





Re: [GNU-linux-libre] PureOS non-free repo

2018-01-20 Thread Denis 'GNUtoo' Carikli
On Fri, 19 Jan 2018 21:16:49 -0800 (PST)
"Jason Self"  wrote:
> Another problematic point seems their statement that "all new laptop
> shipments include Meltdown and Spectre patches, as they will have the
> latest PureOS image (that includes the Meltdown patch) preloaded"
There are software patches to mitigate Meltdown and Spectre issues in
software like Linux or Firefox based browsers.

As for the microcode, they can ship it to new customers without having
to touch PureOS at all. This can be done in Coreboot by selecting
"Include CPU microcode in CBFS (Include external microcode header
files)" during the compilation.

> I realize that, in the FSF's announcement of endorsing PureOS, they 
> said that it wasn't "a certification of any particular hardware 
> shipping with PureOS" although some people might buy Purism's
> computers thinking that they're getting an FSF-endorsed distro along 
> with it that doesn't have any proprietary junk when -- by Purism's
> own announcement -- they're shipping with it included.
I run PureOS on a Thinkpad X200 that runs a 100% free software Coreboot
image[1].

There is a PureOS bug tracker where we can report bugs[2], including
freedom issues with PureOS. I've already reported 1 freedom issue and I
hope it is or will be fixed.

I looked for a potential microcode update with "apt search microcode"
and found nothing. So this is good news.

Like with other FSDG compliant GNU/Linux distributions, there might be
some packages that need to be fixed, and it would be nice to open bug
reports on that.

I'm personally very interested in PureOS because it is supposed to be
FSDG compliant, and can replace Debian in some cases. I intend to use
it to be able to compile Replicant without depending on Debian, to fix
one of the FSDG-compliance issues Replicant has.

It would be nice if PureOS could run on all architectures that Debian
runs on, as we would have an FSDG compliant GNU/Linux distribution that
would run on more hardware that can function with only free software.

I also didn't find x86 32bit versions of PureOS, which is sad because a
lot of Libreboot compatible hardware is still 32bit only.

So far we have, as general purpose GNU/Linux distribution:
- Parabola that can run on ARM.
- Guix that can also run on ARM.

Trisquel doesn't run on ARM, and as far as I know we have no easy to use
general purpose distribution for ARM.

It would also be nice to have more FSDG distributions, for instance I
came across Hyperbola[3], which claims to be FSDG compliant. I didn't
find it in the official list of FSDG compliant distributions[4].

I also wonder whether all the distributions listed there are maintained
and if not, it would make sense to move the unmaintained distributions
to another section (like "Historic", "Unmaintained distributions", or if
we want new maintainers, "Distributions looking for new maintainers").

References:
---
[1]Coreboot itself is not entirely free software: The freedom you get
   depends on the hardware and the build configuration you use.
   I use hardware and build configuration that doesn't include any
   nonfree software in the image.
[2]https://tracker.pureos.net/tag/freedom-harm_need_nonfree_code/
[3]https://www.hyperbola.info/
[4]https://www.gnu.org/distros/free-distros.html

Denis.




Re: [GNU-linux-libre] PureOS non-free repo

2018-01-19 Thread Jean Louis
On Fri, Jan 19, 2018 at 09:16:49PM -0800, Jason Self wrote:
> Alexandre Oliva  wrote ..
> > It certainly sounds odd.  But, honestly, right now I'm more
> > concerned that updates for PureOS seem to have been published in a
> > non-free repo. Specifically, non-free microcode for CPUs affected
> > by Spectre.  Surely we don't mean to endorse distros that do that,
> > do we? Purism's messaging seems to attempt to distance their new
> > nonfree repos and dists from PureOS, but...  I fail to see the
> > difference between that and what Debian does.  But then, I haven't
> > looked very closely.  Am I missing something?
> 
> > https://puri.sm/posts/purism-patches-meltdown-and-spectre-variant-2-both-included-in-all-new-librem-laptops/
> > https://deb.puri.sm/pureos/dists/purism-nonfree/
> > https://deb.puri.sm/pureos/pool/non-free/i/intel-microcode/
> > Thoughts?
> 
> It seems similar in some ways and dissimilar in others.
> 
> My understanding is that the challenge with Debian's non-free stuff 
> is "the repository is hosted on many of the project's main servers,
> and people can readily find these nonfree packages by browsing
> Debian's online package database and its wiki." (To quote from the
> common distros page.)
> 
> Purism seems to avoid at least some of this by having it on a
> different domain, and I don't seem to find information at
> http://pureos.net about installing the
> proprietary software.

That is good that there is no information.

Free GNU operating system can be free on one
domain while other domain selling laptops
requiring some proprietary software.

Then again, such laptop sales shall not be
promoted as having operating system endorsed by
FSF if such is not fully free.

But that is all theoretical statement.

Intel processors already contain inside Intel
Management Engine, isn't that modified MINIX
inside?

That is proprietary software within the CPU. It
means there is no current solution to have Intel
Management Engine as free software, it further
means that majority of Intel run computers are
running non-free software on the CPU itself.

The question is does the update of the Intel
Management Engine constitute part of the operating
system or not?

If such update is distributed by the operating
system, then is the distribution free?

Or shall such update be ignored, as it is maybe
not part of the operating system?

Even those computers using Libreboot are still
using the Intel Management Engine. That is
different branch of the fight for privacy. Best
would be replacing Intel with free CPU. But does
it exist?

Jean Louis



[GNU-linux-libre] PureOS non-free repo

2018-01-19 Thread Jason Self
Alexandre Oliva  wrote ..
> It certainly sounds odd.  But, honestly, right now I'm more
> concerned that updates for PureOS seem to have been published in a
> non-free repo. Specifically, non-free microcode for CPUs affected
> by Spectre.  Surely we don't mean to endorse distros that do that,
> do we? Purism's messaging seems to attempt to distance their new
> nonfree repos and dists from PureOS, but...  I fail to see the
> difference between that and what Debian does.  But then, I haven't
> looked very closely.  Am I missing something?

> https://puri.sm/posts/purism-patches-meltdown-and-spectre-variant-2-both-included-in-all-new-librem-laptops/
> https://deb.puri.sm/pureos/dists/purism-nonfree/
> https://deb.puri.sm/pureos/pool/non-free/i/intel-microcode/
> Thoughts?

It seems similar in some ways and dissimilar in others.

My understanding is that the challenge with Debian's non-free stuff 
is "the repository is hosted on many of the project's main servers,
and people can readily find these nonfree packages by browsing
Debian's online package database and its wiki." (To quote from the
common distros page.)

Purism seems to avoid at least some of this by having it on a
different domain, and I don't seem to find information at
http://pureos.net about installing the proprietary software.

So in some ways maybe it could be seen as similar to RPM Fusion? On
the other hand, my understanding is that RPM Fusion is operated by a
third party. I'm not sure how Purism being the folks behind this repo
will change anything. We know that Debian's method was deemed not
acceptable and the RPM Fusion method was since it was on a different
site run by different people but Purism's method seems somewhere in
between these two cases. And in the case of RPM Fusion that "separate
domain" wasn't the domain of the primary driving force behind the
distro who also made news posts about how to set it up.

It would be good to get clarification from the FSF on this on how
this all fits in FSDG-wise.

Another problematic point seems their statement that "all new laptop
shipments include Meltdown and Spectre patches, as they will have the
latest PureOS image (that includes the Meltdown patch) preloaded"

I realize that, in the FSF's announcement of endorsing PureOS, they 
said that it wasn't "a certification of any particular hardware 
shipping with PureOS" although some people might buy Purism's
computers thinking that they're getting an FSF-endorsed distro along 
with it that doesn't have any proprietary junk when -- by Purism's
own announcement -- they're shipping with it included.