GNU bug report logs - #43173
Ensure that the correct linux-libre deblobbing scripts are used

Previous Next

Package: guix-patches;

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Wed, 2 Sep 2020 18:30:02 UTC

Severity: normal

Done: Leo Famulari <leo <at> famulari.name>

Bug is archived. No further changes may be made.

Full log

Message #14 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Mark H Weaver <mhw <at> netris.org>
To: Leo Famulari <leo <at> famulari.name>, guix-patches <at> gnu.org
Cc: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Subject: Re: Ensure that the correct linux-libre deblobbing scripts are used
Date: Wed, 02 Sep 2020 17:07:56 -0400

Leo Famulari <leo <at> famulari.name> writes:

> In recent discussions [0], people raised the possibility that we might
> accidentally leave non-free firmware blobs in our linux-libre packages.
>
> If I understand correctly, the root of the issue is that, currently, we
> manually specify the versions of the deblobbing scripts. They are not
> changed with every linux-libre release, so it is usually okay to use an
> older version number — the scripts themselves will be identical.
> However, sometimes the scripts do change, and we might not notice, and
> thus we would fail to remove every blob from the kernel sources.
>
> These two patches should make that failure mode impossible, by 1) making
> sure that the file names of the deblobbing scripts' store items include
> the full version number of the kernel and 2) only defining the version
> in one place. The hashes of the deblob scripts will be checked
> automatically when Guix downloads them for each new kernel release.
[...]
> [0] https://lists.gnu.org/archive/html/guix-devel/2020-08/msg00040.html

In the aforementioned discussion, I agreed to either:

(1) Wait until the linux-libre project publishes a new release, or
(2) Check for new blobs myself in the upstream release.

Since then, I've actually chosen option (2) a couple of times.  I did so
by reviewing each of the upstream commits looking for new blobs.
I found that it took on the order of 10-15 minutes per release.

With this proposed change, we will lose an easy way to exercise option
(2), and will effectively be constrained to always wait until
linux-libre produces a new release.

I'll leave it to the maintainers to decide what to do here, but I wanted
to make it clear what's at stake.  Personally, I do not find Jason and
Alexandre's arguments compelling, and would be in favor of retaining the
option to push these security updates more quickly by checking for new
blobs manually.

     Thanks,
       Mark
This bug report was last modified 4 years and 315 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.