[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[bug#43173] Ensure that the correct linux-libre deblobbing scripts are u
|
From: |
Mark H Weaver |
|
Subject: |
[bug#43173] Ensure that the correct linux-libre deblobbing scripts are used |
|
Date: |
Wed, 02 Sep 2020 17:07:56 -0400 |
Leo Famulari <leo@famulari.name> writes:
> In recent discussions [0], people raised the possibility that we might
> accidentally leave non-free firmware blobs in our linux-libre packages.
>
> If I understand correctly, the root of the issue is that, currently, we
> manually specify the versions of the deblobbing scripts. They are not
> changed with every linux-libre release, so it is usually okay to use an
> older version number — the scripts themselves will be identical.
> However, sometimes the scripts do change, and we might not notice, and
> thus we would fail to remove every blob from the kernel sources.
>
> These two patches should make that failure mode impossible, by 1) making
> sure that the file names of the deblobbing scripts' store items include
> the full version number of the kernel and 2) only defining the version
> in one place. The hashes of the deblob scripts will be checked
> automatically when Guix downloads them for each new kernel release.
[...]
> [0] https://lists.gnu.org/archive/html/guix-devel/2020-08/msg00040.html
In the aforementioned discussion, I agreed to either:
(1) Wait until the linux-libre project publishes a new release, or
(2) Check for new blobs myself in the upstream release.
Since then, I've actually chosen option (2) a couple of times. I did so
by reviewing each of the upstream commits looking for new blobs.
I found that it took on the order of 10-15 minutes per release.
With this proposed change, we will lose an easy way to exercise option
(2), and will effectively be constrained to always wait until
linux-libre produces a new release.
I'll leave it to the maintainers to decide what to do here, but I wanted
to make it clear what's at stake. Personally, I do not find Jason and
Alexandre's arguments compelling, and would be in favor of retaining the
option to push these security updates more quickly by checking for new
blobs manually.
Thanks,
Mark
- [bug#43173] Ensure that the correct linux-libre deblobbing scripts are used, Leo Famulari, 2020/09/02
- [bug#43173] [PATCH 1/2] gnu: Do not truncate the version of the linux-libre deblobbing script file names., Leo Famulari, 2020/09/02
- [bug#43173] Ensure that the correct linux-libre deblobbing scripts are used,
Mark H Weaver <=
- [bug#43173] Ensure that the correct linux-libre deblobbing scripts are used, Leo Famulari, 2020/09/02
- [bug#43173] Ensure that the correct linux-libre deblobbing scripts are used, Mark H Weaver, 2020/09/02
- Message not available
- [bug#43160] Validate the result of our linux-libre sources clean up, Mark H Weaver, 2020/09/04
- [bug#43160] Validate the result of our linux-libre sources clean up, Maxim Cournoyer, 2020/09/07
- [bug#43160] Validate the result of our linux-libre sources clean up, Mark H Weaver, 2020/09/07
- [bug#43160] [PATCH v3 1/2] gnu: linux-libre: Compare generated sources against Linux-libre releases., Maxim Cournoyer, 2020/09/11
- [bug#43160] [PATCH v3 2/2] linux-libre: Enable multi-core xz compression during tarball generation., Maxim Cournoyer, 2020/09/11
- [bug#43160] [PATCH v3 1/2] gnu: linux-libre: Compare generated sources against Linux-libre releases., Mark H Weaver, 2020/09/12
- [bug#43160] [PATCH v3 1/2] gnu: linux-libre: Compare generated sources against Linux-libre releases., Maxim Cournoyer, 2020/09/13
- [bug#43160] [PATCH v3 1/2] gnu: linux-libre: Compare generated sources against Linux-libre releases., Mark H Weaver, 2020/09/15