Skip Navigation
32 comments
  • A lot of drivers for hardware are actually not open source, just unreadable binaries that do ...something. No one knows exactly how they work, so some people consider them a security risk.

    I think its because the linux kernel is GPL2, not the modern GPL3 like most free software, so I think thats why some components are allowed to be non-free. Not sure though.

    So, that practice violates the spririt of free software. So some distributions have those components removed. Its safer, but you may lose functionality, depending on what computer components you have.

    Its an important project, and judging by the other comments here, underappreciated.

    • You explanation sums it all up thanks.

      A lot of drivers for hardware are actually not open source, just unreadable binaries that do …something. No one knows exactly how they work, so some people consider them a security risk.

      While I do understand the security aspect of this here at the same time those people seem to be delusional. At some point there's proprietary stuff in our computers, be it a driver, a BIOS or the code that runs on the various microcontrollers that run low level functions from the USB ports to simple power management.

      The most "security paranoid" organizations in the world usually run a lot of stuff on Windows and HP hardware full of opaque and proprietary code and they consider it "safe enough".

      I may get that not free / license based stuff might raise concerns if you aren't a mega corp. that can pay the fee either way, but... if a trackpad requires a free but closed-source binary driver why would a random guy on the internet consider that to be a risk?

      • At some point there's proprietary stuff in our bodies, be it a driver, a BIOS or the code that runs on the various microcontrollers that run low level functions from the USB ports to simple power management.

        The most "security paranoid" organizations in the world usually run a lot of stuff on children and babies are full of opaque and proprietary code and they consider it "safe enough".

        People are replacing lost/damaged organs and limbs with computer-controlled hardware. The same problems that occur in computers that exist outside of humans will occur in computers inside of humans. Do you trust non-open drivers from Corporation X or Government Y in your eyes telling your brain what you do or don't see?

        That's the extreme, of course, but it isn't any less scary than computers you trust with your credit card, bank account, etc information.

        Open source drivers means when corporation X goes under, your hardware still can work and isn't automatically abandoned. It keeps more hardware out of landfills longer, with the ability to drastically reduce e-waste.

      • Depending on the vendor providing that trackpad driver it may not be a substantial security risk. But it is a loss of software freedom, which some people care about.

    • I could understand that some distros' kernel had binary blobs, but the main kernel?? I was not expecting that if it's true.

      • BSD people laugh about linux because of that all the time

        There were tons of comics by OpenBSD vs. Linux (being the corporate slave)

    • It's definitely not safer. It does not include microcode updates so it's quite the opposite of secure. Technically you can load them at boot but why would you intentionally make security harder to achieve?

      Not including microcode updates is also extremely dumb from the philosophical standpoint. Microcode is closed source firmware running "inside your CPU" so if you don't include the updates, your CPU now runs on both vulnerable and proprietary firmware.

    • Could we please stop associating open source with security? Don't get me wrong, I love open source software and it is easier to trust open source software than proprietary, because it is highly unlikely, that they hide stuff like trackers in there. It is also most of the time highly configurable and sometimes even hackable and as a software developer you are able to look into the mechanisms behind the APIs which is sometimes really helpful.

      But events like the lzma incident last year and predictable openssl RNG in Debian some time ago (https://lists.debian.org/debian-security-announce/2008/msg00152.html) should tell us, that open source doesn't mean secure software. And the argument, that there are many people looking at the code is not really true. E.g. many maintainers of the linux kernel only look at specific parts/drivers in it and maybe into some other things they need for that. There are probably only a few people if any (apart from governments), that have read, understood and analyzed the linux kernel in its entirety with all the (open source) drivers built into it and all the possible combinations of configurations. And I don't want to know how many have done all that for less popular projects. And even if that is done at some point for an upstream project, you would have to check the patches from your distro and if there are any do it all for yourself again. And when the next release arrives you would have to do all that in its entirety again (although with some head start) if a new version arrives (that has, say, at least a thousand lines of code changed, removed or added). And now think about how many big releases come with some software per year. And don't forget to also include all the dependencies you have to check including the compiler and standard library of the language(s) used.

      Of course it is easier to do all that for OSS as an outside party because you don't have to decompile it, but it is still increadibly hard. And only to be easier to analyze for security risks doesn't mean to be more secure just like packaging being recyclable doesn't mean that it will be recycled.

  • It really depends how you see the firmware boundary. You can either treat it as a set of magic numbers you load onto the hardware so it works or see it as an intrinsically programmable part of your system that you should be able to see the source code for or live without support for the device.

    • Concrete examples of such firmware: NVIDIA cards and nouveau. All of the kernel code is GPL, but you still need the firmware, which must be signed by NVIDIA and thus can't be modified at all. Or some WiFi chip firmware.

      Technically those could be permanently burned into a ROM chip on the device itself, but for convenience the vendor ships the firmware with the driver and load it at runtime so it always matches what the driver expects and save on a ROM chip. But now that means the driver is uploading a proprietary blob and being unable to provide your own is an artificial limitation imposed by the hardware. Sometimes such firmware artificially limits what the hardware can do, so the magic numbers can absolutely infringe on your freedom. Such firmware can also be the programming for an FPGA so it can get really complicated really fast. There's also a legal aspect to it: FCC regulations on WiFi chips are typically enforced in firmware, so the manufacturer isn't even allowed to let you modify it, but that's also violating your right to tinker with your hardware and assume the liability. What if you're not even in the US?

      Some people would rather only have fully libre systems, but for most people a libre driver is better than a fully proprietary driver which is better than no driver at all and having to run a completely proprietary OS.

  • Linux itself is Libre on its own, but its modular and anybody can add non-libre software/drivers to it. Android is a popular example to see what that means. But to be fair, I don't understand why Linux-libre exist. These projects would remove proprietary software from Linux. It's a script, so maybe its intended to be used with any Linux Kernel you have, that comes with proprietary blobs? In that case the project makes very much sense to me.

    But as you I am not educated enough to understand all of this.

    Edit: Found the script, so you can look at what it does to understand its purpose better: https://www.fsfla.org/svn/fsfla/software/linux-libre/scripts/deblob-6.9

32 comments