|
|
Subscribe / Log in / New account

Linux Foundation Welcomes LVFS Project (Linux.com)

[Posted March 29, 2019 by jake]

Linux.com interviews Richard Hughes about the Linux Vendor Firmware Service (LVFS), which has recently joined the Linux Foundation as a new project. Hughes is the founder and maintainer of the project. "The short-term goal was to get 95% of updatable consumer hardware supported. With the recent addition of HP that's now a realistic target, although you have to qualify the 95% with 'new consumer non-enterprise hardware sold this year' as quite a few vendors will only support hardware no older than a few years at most, and most still charge for firmware updates for enterprise hardware. My long-term goal is for the LVFS to be seen like a boring, critical part of infrastructure in Linux, much like you’d consider an NTP server for accurate time, or a PGP keyserver for trust. With the recent Spectre and Meltdown issues hitting the industry, firmware updates are no longer seen as something that just adds support for new hardware or fixes the occasional hardware issue. Now the EFI BIOS is a fully fledged operating system with networking capabilities, companies and government agencies are realizing that firmware updates are as important as kernel updates, and many are now writing in 'must support LVFS' as part of any purchasing policy."
to post comments

Linux Foundation Welcomes LVFS Project (Linux.com)

Posted Mar 29, 2019 20:44 UTC (Fri) by darwish (guest, #102479) [Link] (2 responses)

"Now the EFI BIOS is a fully fledged operating system with networking capabilities, companies and government agencies are realizing that."

It's really easy to misunderstand that part at first ;-)

Linux Foundation Welcomes LVFS Project (Linux.com)

Posted Mar 30, 2019 21:46 UTC (Sat) by alison (subscriber, #63752) [Link] (1 responses)

It's great that the companies and government agencies have got our back here.

Linux Foundation Welcomes LVFS Project (Linux.com)

Posted Mar 31, 2019 15:50 UTC (Sun) by mjw (subscriber, #16740) [Link]

I am not sure that is what was meant. It is certainly possible to interpret the phrasing the other way around. Currently the whole project seems to be build around making it easier to insert unverifiable proprietary blobs into user machines. There doesn't seem to be any way to get the corresponding source code of these blobs and (re)build them to make sure they function as intended by the end user. So it could be read either as a great way for companies and government agencies to more easily sneak in backdoors and user restrictions, or as a hint that companies and government agencies think these kind of update mechanisms need to be Free Software and come with corresponding source. I hope the second meaning was meant of course.

Linux Foundation Welcomes LVFS Project (Linux.com)

Posted Mar 31, 2019 1:21 UTC (Sun) by pabs (subscriber, #43278) [Link] (29 responses)

I wish all that firmware was open source and I am sad that LVFS legitimises proprietary firmware.

Linux Foundation Welcomes LVFS Project (Linux.com)

Posted Mar 31, 2019 1:32 UTC (Sun) by intgr (subscriber, #39733) [Link] (19 responses)

Well it's a package manager and update system for firmware images. It doesn't really dictate whether they were compiled from open or closed source.

Unless you were expecting ordinary users to have to download compilers and specialized tools for all sorts of weird architectures and build the firmwares on their computer every time?

Linux Foundation Welcomes LVFS Project (Linux.com)

Posted Mar 31, 2019 4:09 UTC (Sun) by pabs (subscriber, #43278) [Link] (18 responses)

The design of LVFS is heavily biased toward proprietary firmware, as far as I can tell there is no mechanism for source code distribution, which is often required for open source firmware (which is usually GPLed) and should be done even if it is not required.

https://fwupd.org/lvfs/device/40338ceb-b966-4eae-adae-9c3...
https://fwupd.org/lvfs/device/2082b5e0-7a64-478a-b1b2-e34...
https://fwupd.org/lvfs/device/84f40464-9272-4ef7-9399-cd9...
https://fwupd.org/lvfs/device/9c9871fe-75bd-5fde-9425-699...

Interestingly, LVFS are claiming that their distribution of the AltusMetrum ChaosKey firmware is proprietary and are not distributing any source code, but AltusMetrum themselves distribute the firmware under the GPL and provide source code.

https://fwupd.org/lvfs/device/b62500d7-c981-595b-a798-eb6...
https://altusmetrum.org/ChaosKey/

Seems like LVFS might be violating the GPL here.

For open source firmware I'd expect something like Debian packages (automatically built from source using properly packaged open source tools) to be available, same as for any other binary I install.

Indeed, for the AltusMetrum case, altos and the ChaosKey firmware are available as proper packages from Debian and are even reproducibly buildable.

https://tracker.debian.org/pkg/altos
https://tests.reproducible-builds.org/debian/rb-pkg/unsta...

Another case of properly packaged open source firmware is ath9k_htc.fw:

https://github.com/qca/open-ath9k-htc-firmware/
https://wireless.wiki.kernel.org/en/users/Drivers/ath9k_h...
https://tracker.debian.org/pkg/open-ath9k-htc-firmware

Linux Foundation Welcomes LVFS Project (Linux.com)

Posted Mar 31, 2019 7:25 UTC (Sun) by Wol (subscriber, #4433) [Link] (2 responses)

> Seems like LVFS might be violating the GPL here.

Not if (a) Altus Metrum don't include 3rd-party code and (b) Altus Metrum explicitly provide the code to LVFS.

Not saying you're not right, but people are far to eager to jump to the conclusion "OMG!!! GPL violation!!!", even to the extent of claiming that people are violating the GPL *on their own code*, which any decent lawyer will tell you is an impossibility.

As I say, the obvious explanation is that Altus have put the code on LVFS and, absent any 3rd-party code, it's all legal and above board.

(Think of all the shenanigans on YouTube, where Marketing would upload videos, only for Legal to promptly demand they be taken down. Copyright - as implemented - is a badly mis-understood mess!)

Cheers,
Wol

Linux Foundation Welcomes LVFS Project (Linux.com)

Posted Mar 31, 2019 7:28 UTC (Sun) by pabs (subscriber, #43278) [Link] (1 responses)

The GPL comment was referring to both Altus and the other instances of GPL firmware in LVFS.

Linux Foundation Welcomes LVFS Project (Linux.com)

Posted Mar 31, 2019 17:14 UTC (Sun) by Wol (subscriber, #4433) [Link]

Who uploaded that firmware to LVFS?

Without that, you can't come to any conclusions whatsoever.

Cheers,
Wol

Linux Foundation Welcomes LVFS Project (Linux.com)

Posted Mar 31, 2019 12:28 UTC (Sun) by intgr (subscriber, #39733) [Link] (5 responses)

Have you talked to Richard Hughes about this?

Linux Foundation Welcomes LVFS Project (Linux.com)

Posted Apr 2, 2019 16:27 UTC (Tue) by hughsient (subscriber, #52199) [Link] (4 responses)

I wish someone would have emailed me rather than create all this drama... Hanlon's razor was at work, nothing more sinister: The firmware was mislabeled, and I've just changed it to GPLv2+ as it should have been from the start. Now https://fwupd.org/lvfs/device/b62500d7-c981-595b-a798-eb6... shows the license with a clickable link back to the source code.

Linux Foundation Welcomes LVFS Project (Linux.com)

Posted Apr 4, 2019 11:37 UTC (Thu) by mgedmin (subscriber, #34497) [Link] (3 responses)

Mild suggestion: when I see a clickable link saying "GPL-2.0+", I assume that clicking on it will lead me to the full text of the licence, rather than the source code of the firmware.

Linux Foundation Welcomes LVFS Project (Linux.com)

Posted Apr 4, 2019 12:35 UTC (Thu) by madscientist (subscriber, #16861) [Link]

Agreed: I would never guess that clicking that link would bring me to the source code.

And in the spirit of other comments here hoping we can boost the profile of FOSS firmware vendors, it would be a nice bonus to them if there were a separate line in the table labelled "Source code" explicitly, with a link for vendors that provide it and "unavailable" for those that don't.

Linux Foundation Welcomes LVFS Project (Linux.com)

Posted Apr 5, 2019 15:22 UTC (Fri) by hughsient (subscriber, #52199) [Link] (1 responses)

Can you file that as an issue here please: https://github.com/hughsie/lvfs-website/issues

Linux Foundation Welcomes LVFS Project (Linux.com)

Posted Apr 5, 2019 15:29 UTC (Fri) by mgedmin (subscriber, #34497) [Link]

Here you are: https://github.com/hughsie/lvfs-website/issues/309

Linux Foundation Welcomes LVFS Project (Linux.com)

Posted Apr 1, 2019 2:47 UTC (Mon) by medicalwei (subscriber, #103028) [Link] (4 responses)

If AltusMetrum has complete right to the source code (haven't fact checked that, but they seems to have right on most of the parts), they can of course license the firmware as proprietary, while providing GPL source code for users to build when necessary. It doesn't need to be strictly free software to comply the law. That also avoids the issue to require LVFS to distribute the source code per GPL.

Linux Foundation Welcomes LVFS Project (Linux.com)

Posted Apr 1, 2019 9:43 UTC (Mon) by nim-nim (subscriber, #34454) [Link] (3 responses)

And that fully validates the first comment “LVFS is a proprietary software distribution scheme”.

It's so proprietary oriented, you have to proprietarize free software firmware to use it.

Linux Foundation Welcomes LVFS Project (Linux.com)

Posted Apr 1, 2019 11:06 UTC (Mon) by pabs (subscriber, #43278) [Link] (2 responses)

On a related note: most of the LVFS is UEFI firmware. Why is UEFI firmware always proprietary? It is mostly forks of TianoCore, seems like there would be zero reason to not make such forks open source, or at least open except for the parts that involve Intel. Is it a culture thing? Are there important trade secrets? Do the vendor forks introduce any interesting features? Are UEFI vendors actually violating patents galore and like to obfuscate that?

Linux Foundation Welcomes LVFS Project (Linux.com)

Posted Apr 1, 2019 16:15 UTC (Mon) by nix (subscriber, #2304) [Link]

Is the UEFI vendors' code just so entirely shit that they'd be embarrassed to show their work? (If pre-UEFI firmware is any guide: not only yes but hell yes).

Linux Foundation Welcomes LVFS Project (Linux.com)

Posted Apr 3, 2019 17:11 UTC (Wed) by BenHutchings (subscriber, #37955) [Link]

The DRAM and CPU model-specific initialisation code is often treated as a trade secret by the CPU vendor.

Linux Foundation Welcomes LVFS Project (Linux.com)

Posted Apr 1, 2019 19:46 UTC (Mon) by Uraeus (guest, #33755) [Link] (3 responses)

All firmware on LVFS are provided by the vendors themselves, so if AltusMetrum provides the source code there is no GPL violation. I assume AltusMetrum allows you to download the source code from their website and to quote the GPL3 rules you are in compliance with the GPL if you : (2) access to copy the Corresponding Source from a network server at no charge.

Linux Foundation Welcomes LVFS Project (Linux.com)

Posted Apr 1, 2019 20:58 UTC (Mon) by Wol (subscriber, #4433) [Link] (2 responses)

Sorry wrong!

If as you say, provided the code is all owned by Altus Metrium, the GPL doesn't apply so it can't be violated. There is absolutely NO need whatsoever to comply with the GPL.

It is IMPOSSIBLE for the owner of the code to violate the licence - any licence. End of.

Cheers,
Wol

Linux Foundation Welcomes LVFS Project (Linux.com)

Posted Apr 1, 2019 21:01 UTC (Mon) by Wol (subscriber, #4433) [Link] (1 responses)

Just to add - if Altus Metrium *have* included 3rd-party GPL code in their firmware, then LVFS are violating the GPL by distributing it without source - certainly with GPL2 they can't refer to Altus' source and I'm not sure of the situation with GPL3.

Cheers,
Wol

Linux Foundation Welcomes LVFS Project (Linux.com)

Posted Apr 3, 2019 0:08 UTC (Wed) by xtifr (guest, #143) [Link]

From the GPL3 section 6d:
> "If the place to copy the object code is a network server, the Corresponding Source may be on a different server (operated by you or a third party) that supports equivalent copying facilities, provided you maintain clear directions next to the object code saying where to find the Corresponding Source. Regardless of what server hosts the Corresponding Source, you remain obligated to ensure that it is available for as long as needed to satisfy these requirements."

So LVFS must provide clear directions, and have taken on responsibility for ensuring that the source hosted by Altus Metrium remains available. But as long as they do that, I believe they should be fine--if the code is GPL3.

Linux Foundation Welcomes LVFS Project (Linux.com)

Posted Apr 2, 2019 12:40 UTC (Tue) by ledow (guest, #11753) [Link] (8 responses)

We've spent over thirty years trying to get people to open-source their software, firmware and hardware. If anything, in that time we've actually gone BACKWARDS in those respects. Much of it is to do with the attitude we present

In software, we have succeeded to a vast extent, but it's still not quite the majority but people are beginning to see the benefits and most people are (often unwitting) users.
In firmware, we have almost nothing - unless you count devices specifically designed to run bog-standard Linux as firmware, even the RPi firmware isn't "open". Coreboot died. Phones don't even attempt to use such facilities, they are all proprietary bootloaders, driver firmware and system firmware.
In hardware, we have, again, succeeded but only to a tiny extent.

At this point, it's time to realise that people don't recognise the benefits, and the only way to make them recognise the benefits is to get them into the ecosystem and onboard with all the things they *could* do. How much easier would it be if vendors didn't have to make a BIOS for every machine, but could just use an already-written one? The option's been then for decades but almost nobody uses it. You basically can't buy a modern machine with Coreboot, they don't exist.

Rather than "fight the losing battle", we have to lead people half-way and then it's up to them to drink. Treating them as unwelcome visitors will just make them even more unlikely to touch our ideals.

And what better way than a vendor-approved firmware service that lets them standardise and be supported?

Myself, as a programmer, open-source lover, systems administrator, etc.... sorry, but if I can't buy products that are OS, and there are no OS equivalents, I have to use something. Pretty much people in my position cannot be fussy. I could not move my employer over to OS and all-free-firmware. We'd have to accept major compromises in terms of functionality and supported hardware (almost nil!). Even though my IBM servers are supported on Linux to a vast extent, there aren't free drivers for most of the main critical components, and firmwares are all proprietary.

We always complain about the apocryphal "Embrace, Extend, Extinguish" from the other side of the fence, but we don't embrace at all. It's almost impossible to convince such vendors to come 1% of the way towards us unless we're prepared to go 1% of the way towards them too.

As such a facility which *allows* proprietary firmware is necessary. Whether or not we use it that way. Nobody stopped git being used to develop closed-source code, or Linux to only run open-source binaries. There's a reason for that. It hurts us more to exclude them, than it hurts them to exclude us.

Nobody is saying that this facility will result in open-firmware. But if it didn't exist, closed-firmware would have to make its own way of doing so, which is a much worse situation.

It's time we opened up the evangelism to let people into our church - to see the benefits for themselves - rather than exclude them and have an isolated congregation.

Linux Foundation Welcomes LVFS Project (Linux.com)

Posted Apr 2, 2019 13:36 UTC (Tue) by madscientist (subscriber, #16861) [Link] (5 responses)

I agree with much you say here. Heck, even RMS saw value in doing the work needed to allow free software to run on non-free operating systems like Windows, way back in the 1990's.

I haven't looked into LVFS, but if the comment made by pabs above is accurate:

> The design of LVFS is heavily biased toward proprietary firmware, as far as I can tell there
> is no mechanism for source code distribution, which is often required for open source
> firmware (which is usually GPLed) and should be done even if it is not required.

then this project isn't helping to lead either users or vendors towards free software.

Hopefully they will address this and provide simple and prominent ways to distribute source code (optional, of course!) and make efforts to reward those vendors that do so... maybe provide a list of them so that users who want to build or purchase FOSS-friendly hardware can check it, or offer special badges for different levels of FOSS support, or something.

Linux Foundation Welcomes LVFS Project (Linux.com)

Posted Apr 2, 2019 16:29 UTC (Tue) by hughsient (subscriber, #52199) [Link] (4 responses)

We could certainly add an extra "green tick" to the device pages for open source firmware... https://fwupd.org/lvfs/device/b62500d7-c981-595b-a798-eb6...

Linux Foundation Welcomes LVFS Project (Linux.com)

Posted Apr 2, 2019 21:30 UTC (Tue) by madscientist (subscriber, #16861) [Link] (2 responses)

That would be a great first step! Further steps to promote vendors providing FOSS firmware would be welcome as well: supporting links to source code, maybe ways to feature those vendors more prominently or give them some sort of special treatment. In other words it would be good to show a clear focus on FOSS vendors, but also say "oh and we support proprietary vendors too".

To be clear I definitely appreciate the work LVFS is doing! I'm pushing devs at my company off of Macbooks and onto Dell laptops running GNU/Linux and the presence of LVFS to support firmware upgrades makes this transition that much simpler for everyone. Great stuff!

Linux Foundation Welcomes LVFS Project (Linux.com)

Posted Apr 2, 2019 22:07 UTC (Tue) by andresfreund (subscriber, #69562) [Link]

> Further steps to promote vendors providing FOSS firmware would be welcome as well: supporting links to source code

It has. Click on the license.

Linux Foundation Welcomes LVFS Project (Linux.com)

Posted Apr 3, 2019 11:12 UTC (Wed) by hughsient (subscriber, #52199) [Link]

Done in https://github.com/hughsie/lvfs-website/pull/301 -- comments very welcome.

Linux Foundation Welcomes LVFS Project (Linux.com)

Posted Apr 4, 2019 16:52 UTC (Thu) by kpfleming (subscriber, #23250) [Link]

This will need to 'flow down', in some fashion, to tools which are consuming content from LVFS and making it available to users. In my case I'm running Fedora 29 on two Lenovo laptops, both of which receive firmware updates from LVFS, but that interaction is completely hidden from my view. The "GNOME Software" tool alerts me when a new firmware release has appeared and prompts me to install it; that's it.

Linux Foundation Welcomes LVFS Project (Linux.com)

Posted Apr 4, 2019 4:58 UTC (Thu) by pabs (subscriber, #43278) [Link]

Interestingly, IBM is one of the few companies pushing open boot firmware in their OpenPOWER ecosystem. I expect IBM's own OpenPOWER servers are too expensive, but cheaper variants like those produced by Raptor Computing also have open boot firmware. That does mean any proprietary software you use won't run due to the architecture switch, but most software from Linux distros is available.

Linux Foundation Welcomes LVFS Project (Linux.com)

Posted Apr 4, 2019 7:53 UTC (Thu) by shiftee (subscriber, #110711) [Link]

What do you mean CoreBoot died?

Isn't it used in ChromeBooks?


Copyright © 2019, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds