Conversation

John-Mark Gurney

Lol, that's an interesting take on security. We'll run on closed source microcode that is buggy because any updates are considered closed source. I mean, I'm kinda surprised they they haven't limited their supported arches to risc-v.

Quote Tweet

Matthew Garrett

Again reminded of lists.gnu.org/archive/html/i, in which a GNU project removes a warning message informing users that their CPU microcode leaves them vulnerable to CPU microarchitectural attacks

Show this thread

1

1

4

Replying to

FSF is fine with closed source hardware and firmware. It's the ability to update closed source firmware that they're against. They're particularly opposed to it if there's signature verification of the firmware updates. They regularly endorse closed source hardware/firmware.

1

1

Replying to

and

It's not the closed source firmware and hardware they have a problem with but rather the fact that the company is able to release updates for it but others cannot create them. If you block updating firmware, such as by breaking it in the efuse configuration, they'll endorse it.

1

1

Replying to

and

So, for example, the Librem 5 is all about choosing hardware which has persistent firmware so that they don't need to load it from the OS. They go out of the way to prevent it from being updated too. That's the path they're taking to seeking FSF endorsement for their products.

2

Sebastian Krzyszkowiak

Replying to

and

> They go out of the way to prevent it from being updated too. That's FUD that keeps being repeated over and over again. Nothing updates the firmware (or suggests updating it) on Librem 5 automatically, but users are always able to update it if they really want.

1

Replying to

and

Your claims are untrue. Not everything critical of your employer is FUD. Purism makes devices less secure and offer less freedom through crippling them. Those are facts. It's the opposite of making things better. It's also incredibly hypocritical for you to be claiming that...

1

Replying to

and

You work for a company entirely based around spreading FUD and misleading users. You trick users into thinking you're selling them devices with open hardware and firmware. You do the opposite of making things more open. It's simply a bunch of inaccurate branding/marketing.

1

Replying to

and

You sell users devices that are less secure and less open for exorbitant prices. It's the equivalent of greenwashing. Choosing less secure components and designing around loading firmware from the OS does not make the closed source hardware and firmware go away. It's all there.

1

Replying to

and

Preventing the OS from updating firmware does not mean there isn't firmware. And to be clear, Purism goes beyond simply not shipping the firmware updates. They go out of the way to cripple hardware to prevent updating firmware from the OS at all. It's the core focus for them.

1

Sebastian Krzyszkowiak

Replying to

and

Show a single way the Librem 5 is "crippled to prevent updating firmware". Spoiler alert: you can't, because this is just a lie.

1

1

Replying to

and

I don't even understand what you're trying to argue when pursuing this is an explicit point for marketing: puri.sm/posts/librem5- Not particularly interested in demonstrating how that isn't an isolated choice or talking about the SoC configuration shipped to users. Why bother?

6:18 AM · Apr 3, 2021Twitter Web App

Replying to

and

You're falsely accusing me of lying, and I have no interest in further discussion.

1

Sebastian Krzyszkowiak

Replying to

and

So, in other words, you cannot point to a single way the user is prevented from upgrading the firmware. Just as I said. The SPI flash that the article talks about can be reflashed by the user. The same applies to other separated blobs, like WiFi firmware. You are mistaken.

2

1

Show replies