Fedora not "free" enough for GNU?

Gregory Maxwell gmaxwell at gmail.com
Sun Sep 7 23:10:35 UTC 2008 

On Sun, Sep 7, 2008 at 3:54 PM, Andrew Haley <aph at redhat.com> wrote:
> Gregory Maxwell wrote:
>
>> The notion that firmware ought to be free isn't absurd: It doesn't
>> take much effort to find examples of firmware imposing unreasonable
>> limits on users, or firmware containing nasty hidden security bugs.
>
> Just to get away from the ethics flame^H^H^H^H^Hdiscussion for a
> moment...
>
> This makes me think of a really interesting question: security-
> critical organizations presumably have to make use of commercially
> available computers just like the rest of us.  Someone somewhere
> must have thought about the issues of binary firmware blobs for
> video and network hardware and their potential to leak data,
> either deliberately or accidentally.  One of the many nice things
> about free software is the fact that it's reasonably easy to inspect
> it for security analysis; binary blobs weaken that.

There are two broad classes of 'security-critical organizations', real
ones and pretenders. Most are pretenders, they fail to consider issues
like this, then when it fails they show that they tried really hard
and thus it isn't their fault.  Real ones consider these issues, and
demand manufacturers comply with various security standards  which
validate the security of the hardware/firmware.  Manufacturers often
fail to actually do a good job of this, and can get away with it
because bad security looks just like good security. ... so then when
it fails the security-critical organization points to the standards
that were violated, thus demonstrating the breech was not their fault.
 :) :)

I've found two blobs I use on my systems, one of them very obviously
is a FPGA image, another one is appears to be software for a small
micro-controller.  I'm not so sure that the FSF would consider the
FPGA image software, but I don't know that they've considered this
issue in the context of OS-shipped blobs (in fact, I've heard FPGAs !=
software from them in the past), I think the vast majority of the
blobs distributed in fedora are software for an embedded general
purpose CPU and not FPGA images (generally FPGAs are enough of an
additional per-unit cost thet you don't see them in mass market
devices). (RME hammerfall firmware is the FPGA image, incidentally).

As was pointed out here, a spin could be created easily enough.  It
would make the FSF happy, as well as some number of other people (it
would make me happy, if for no other reason than I'd get a better
understanding of which of these blobs I'm actually using).

More information about the devel mailing list