Questions about Linux-Libre's effectiveness

Denis 'GNUtoo' Carikli GNUtoo at cyberdimension.org
Wed Jul 6 14:18:54 UTC 2022


On Wed, 6 Jul 2022 07:11:50 -0400
LUH LAH <welpthisdidnotwork at gmail.com> wrote:

> Hello there,
> 
> I am a general supporter of the Free Software movement. I try to do
> everything in my power to reflect this ideology.
> 
> However, I have been informed about some troubling aspects of
> Linux-Libre.
> 
> So, I will ask the following questions in hopes of having these
> worries squashed:
> 
> 
> 1.) Does Linux-Libre swap out proprietary blobs in the Linux kernel
> for fully free pieces of software, with no reliance on the hardware
> microcode?
Linux-libre makes sure not to redistribute non-free software and blocks
the loading of loadable non-free firmwares.

The reality is that linux-libre by itself doesn't solve all the
problems; instead, you need to combine it with other things to get them
solved.

For instance if you install linux-libre on top of a non-FSDG compliant
distribution, you can still end up with non-free software in other
parts of the system. And with non-FSDG distributions, this is not a
bug.

Even Debian that is 100% free software + linux-libre is not sufficient
to avoid non-free software inside the distribution because in Debian you
have software like Firefox that has (add-on) repositories that contain
non-free software, so you might accidentally install non-free software
without knowing it.

And if you use an FSDG compliant distribution with non-free BIOS or
UEFI, linux-libre will run code from that BIOS/UEFI[1].

And if you use Libreboot with non-RYF compliant GPUs, Libreboot and
linux-libre will both run nonfree code provided by these GPUs.

So if you really want to get rid of non-free software, a RYF compliant
laptop combined with an FSDG compliant distribution is a pretty good
solution for that.

It's not perfect (for instance HDDs and SSDs have firmwares internally)
but compared to off the shelf laptops with a Management Engine or
equivalent, there is a huge difference.

As for microcode updates, the security issues that come with not
applying them only apply to situations where you can't trust the
software that is running on your computer. There is a good article
about that here[2].

So the solution (besides designing our own hardware) is to avoid running
software you can't trust.

This means avoiding things like:
- Running JavaScript that comes from web pages that you don't trust.
- Running non-free software.
- Running virtual machines that you don't have control of or that are
  controlled by people that you don't trust.

References:
-----------
[1] That code is passed to the kernel through ACPI tables and then run
    by the kernel.
[2] https://jxself.org/afraid.shtml

Denis.