[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[bug#43173] Ensure that the correct linux-libre deblobbing scripts are u

From: Mark H Weaver
Subject: [bug#43173] Ensure that the correct linux-libre deblobbing scripts are used
Date: Wed, 02 Sep 2020 17:07:56 -0400

Leo Famulari <> writes:

> In recent discussions [0], people raised the possibility that we might
> accidentally leave non-free firmware blobs in our linux-libre packages.
> If I understand correctly, the root of the issue is that, currently, we
> manually specify the versions of the deblobbing scripts. They are not
> changed with every linux-libre release, so it is usually okay to use an
> older version number — the scripts themselves will be identical.
> However, sometimes the scripts do change, and we might not notice, and
> thus we would fail to remove every blob from the kernel sources.
> These two patches should make that failure mode impossible, by 1) making
> sure that the file names of the deblobbing scripts' store items include
> the full version number of the kernel and 2) only defining the version
> in one place. The hashes of the deblob scripts will be checked
> automatically when Guix downloads them for each new kernel release.
> [0]

In the aforementioned discussion, I agreed to either:

(1) Wait until the linux-libre project publishes a new release, or
(2) Check for new blobs myself in the upstream release.

Since then, I've actually chosen option (2) a couple of times.  I did so
by reviewing each of the upstream commits looking for new blobs.
I found that it took on the order of 10-15 minutes per release.

With this proposed change, we will lose an easy way to exercise option
(2), and will effectively be constrained to always wait until
linux-libre produces a new release.

I'll leave it to the maintainers to decide what to do here, but I wanted
to make it clear what's at stake.  Personally, I do not find Jason and
Alexandre's arguments compelling, and would be in favor of retaining the
option to push these security updates more quickly by checking for new
blobs manually.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]