Reducing the bandwidth needs for fwupd [LWN.net]

By Jake Edge
September 5, 2023

The Linux Vendor Firmware Service (LVFS) provides a repository where vendors can upload firmware updates that can be accessed by the fwupd firmware update daemon on Linux systems. That mechanism allows users to keep the hardware components of their systems up to date with the latest firmware releases, but it has gotten so popular that the daily metadata queries are starting to swamp the LVFS content delivery network (CDN) server. So Richard Hughes, who developed fwupd and LVFS, suggested that it would make sense to start looking at ways to reduce that burden; the idea was discussed in a recent thread on the Fedora devel mailing list.

Hughes had a specific suggestion for an approach to spread the load by adding passim to Fedora 40 as an fwupd dependency and, potentially controversially, enable it by default. Passim will effectively allow systems on the same local network to share a single copy of the LVFS metadata, so that it is only downloaded once for a particular LAN. He wanted to discuss the idea before creating "lots of unnecessary drama". He described passim as follows:

The tl;dr: is I want to add a mDNS [multicast DNS] server that reshares the public firmware update metadata from the LVFS on your LAN. The idea is that rather than 25 users in an office downloading the same ~2MB file from the CDN every day, the first downloads from the CDN and the other 24 download from the first machine. All machines still download the [tiny] jcat file from the CDN still so we know the SHA256 to search for and verify.

It turns out that fwupd has been adopted by other operating systems, "ChromeOS, FreeBSD, Windows and macOS", which means that there is a "need to scale things up a couple of orders of magnitude". He thinks that passim could make a good test case for rolling out similar functionality for the DNF package manager and OSTree/libostree content. One important thing to note is that passim is not handling the actual firmware-update files, at least by default; it is only concerned with the metadata of the LVFS repository, which is roughly 2MB in size and is often downloaded daily.

Some of the concerns that were raised in the thread are, unsurprisingly, security-related. Getting some kind of malicious firmware metadata blob is the last thing anyone wants. But, as Stephen Smoogen put it, passim works on the assumption that "your local network (aka LAN) is a nice and friendly place, without evil people trying to overwhelm your system or feed you fake files", which may not actually be the case. He listed a few possible problem areas, including denial-of-service attacks or stolen signature keys that allow malicious versions of the metadata package to be created and continue to be distributed in the absence of some kind of key-revocation scheme. Hughes acknowledged those possibilities but noted that passim chooses a random source server if there are multiple offerings on the LAN, which may help reduce the scope of the problem if there is a single malicious provider.

The passim web page states that the metadata files are signature protected, and that clients will fall back to retrieving them from the CDN if the signature check fails. Files that are shared from a passim system are configured with a maximum age and a limit on the number of times they will be shared; once those are exceeded, the files are deleted and will no longer be advertised to others on the LAN. Clients will request the metadata file using HTTPS; local passim servers will use a self-signed TLS certificate for use in encrypting the connection.

As might be guessed, the use of a self-signed certificate was questioned; Leon Fauster asked what the benefit was since "it does not provide any 'security'". Hughes replied that it provides encryption so that other systems on the LAN cannot snoop on the traffic ("so client A can provide the file to client B without client C being aware what's being sent"). But, as Chris Adams pointed out, a self-signed certificate does not protect against a "man in the middle":

[...] there's no way for client B to know it is really talking to client A - it could be talking to client C with a man-in-the-middle attack and a different self-signed cert pretending to be client A.

It is not entirely clear what would be gained by snooping on the traffic, beyond knowing that a client is requesting the metadata, which might be inferred without actually snooping. Doing meaningful identification of LAN systems may be difficult as well. But the TLS protection is also meant to placate corporate security teams that would be unhappy with regular HTTP, "even if it's got two other layers of protection", Hughes said.

Simo Sorce had several suggestions, agreeing with Adams that the self-signed-certificate approach was only useful against passive, rather than active, attacks. "Trust on first use" (or TOFU) could be used on the clients to minimize the "window of impersonation", but there are still problems as it "requires clients to cache an association and then has weird failure modes to be dealt with if one of the actors get re-imaged or changes the cert for any reason". Overall, he did not think that using TLS added any real value; security teams that require it could provide their own certificates. Another option might be to use a pre-shared key, though Sorce did not really recommend it.

Using TOFU had some appeal, Hughes said, and asked for opinions on that. Sorce wondered how passim would deal with the new-certificate problem and asked about certificate expiration. Hughes's reply that currently the certificates effectively never expire (9999-year expiration) was not particularly well-received ("Ugh."). Meanwhile, certificate updates would cause that system to be ignored, Hughes said; that would eventually lead to all devices ignoring each other, Sorce pointed out.

Having a single host that was responsible for gathering the metadata file periodically and then serving it to the rest of the network was suggested by Peter Robinson. Hughes seemed amenable to that idea and asked Robinson to file a GitHub issue in order to track it. As the issue notes, some system administrators want to control where services run; there may also be a bastion host that is the only externally connected server, so it would be useful to be able to pin passim downloads to a particular host.

Enabling passim by default was questioned; Benson Muite said that it would be better to make passim opt-in, especially "for computers in an institutional setting where the LAN is well controlled". But Hughes replied that requiring people to enable it will simply lead to almost total lack of adoption and, thus, no real reduction in the network traffic. Marcus Müller agreed that opt-in was not really plausible, especially since it would need to enabled on a host-by-host basis.

He also asked about the plans for sharing firmware files in addition to the metadata; there are privacy concerns with advertising the firmware files that a system has downloaded. Hughes agreed, but firmware files are not included in phase one of his plan; if they are to be added at some point, there are some things to consider:

It's non-free software (which you have permission to redistribute, but still unpalatable for many) -- the compromise I've done for people changing the default to "metadata,firmware" is that you need to reboot into the new firmware before the published firmware gets shared; on the logic that you don't want to advertise to the world that you're currently running insecure firmware.

Privacy also came up in the context of Vit Ondruch's questions about the need to download all of the metadata daily. A given system will only have a handful of devices that get updated firmware, which should require far less than 2MB of metadata, he said. But Hughes replied that the whole database is always delivered from LVFS:

It is the metadata for every device -- every fwupd client deliberately gets the entire catalog rather than making a bespoke request like Windows update. This ensures that the LVFS doesn't know what hardware you have on your computer, and couldn't provide that kind of data even if compelled to by law enforcement. The entire architecture is privacy centric, and also allows it to scale to millions of devices without having thousands of servers.

There are, obviously, some problems that need to be addressed, but passim seems like a reasonable solution, at least for the metadata. The problem of scaling LVFS is real, so something will likely need to be done before too long. Those measures (whether passim-based or not) will need to be adopted widely, though, in order to make a serious reduction in the traffic burden. Fedora 40 is scheduled for April 2024, so even if the feature gets approved—Hughes is planning to proceed in making a change proposal—it will likely not make much of a dent until after that. A real dent in the traffic levels will require adoption in most or all of those other distributions or OSes that are now using fwupd.

to post comments

Reducing the bandwidth needs for fwupd

Posted Sep 5, 2023 20:14 UTC (Tue) by kepstin (subscriber, #72391) [Link] (5 responses)

I'm curious whether a delta update solution was considered for the fwupd metadata. It seems like there should be only a small number of changes from day to day relative to the total amount of firmware being tracked, so being able to request pre-computed delta updates relative to the timestamp of the currently known metadata would make a lot of sense.

Given the expected update frequency, I wouldn't expect this to require that much additional processing or storage (maybe generate delta updates that go back a week or two?); any client with a metadata file older than that could retrieve the latest full file instead.

Firmware deltas?

Posted Sep 5, 2023 20:55 UTC (Tue) by nickodell (subscriber, #125165) [Link] (4 responses)

There's a message about that in the thread.

>> You could have deltas, so that clients will not get the whole thing
>> every day, but deltas compared to what they have already (which would
>> be 0 bytes if thy are up to date).
>
>I'm trying to reduce the number of CDN accesses and the number of files.

https://lwn.net/ml/fedora-devel/CAD2FfiGsji0jz45m4HT43AL+...

Firmware deltas?

Posted Sep 6, 2023 13:42 UTC (Wed) by wtarreau (subscriber, #51152) [Link]

Ah, it didn't work well for some other project and other use cases so let's not try again? Fortunately whenever I do a "git pull" from a repo with no modifications, I don't pull 2 MB of meta-data!

There's clearly an indexing problem there if every single day 2 MB of meta-data are updated and need to be re-downloaded, maybe it needs to be cut at an extra level above to enumerate more precisely what really changed among these meta-data ? Or maybe tens of thousands of firmwares change every day ? That would seem surprising...

Firmware deltas?

Posted Sep 6, 2023 17:32 UTC (Wed) by atnot (guest, #124910) [Link] (2 responses)

I don't know what those issues are because it doesn't say, but if they're really insurmountable there's another approach that you can use here. I don't know the official term, but I'll call it "deniable hash prefix".

Instead of one big file, you create e.g. 16, each of which only contain the devices whose hash values start with a specific hex character.

When the device updates the list, it looks at all of the devices it has, hashes their IDs, and takes the first hex char from all of them, ending up with a list like "a, a, 7, 4, f, 7". It can then fetch the corresponding file e.g. https://cdn.fwupd.org/a, for every unique hash prefix it found (and perhaps a few it didn't, just for privacy). This lets you reduce the amount of unnecessary data downloaded by exponentially for every bit of information about the client you can tolerate leaking. I reckon giving away 4 or 5 bits of information about a setup for an order of magnitude reduction in download size isn't something too many people would complain about.

Firmware deltas?

Posted Sep 6, 2023 19:09 UTC (Wed) by nickodell (subscriber, #125165) [Link] (1 responses)

The computer I'm writing this comment on has 35 different hardware devices plugged into it, according to lspci | wc -l. If you fetched the unique prefixes for each of those, you'd end up downloading a substantial portion of the catalog. On the other hand, not all of those need firmware. However, determining which of those devices can benefit from updated firmware without having the catalog seems quite difficult.

Firmware deltas?

Posted Sep 6, 2023 20:05 UTC (Wed) by atnot (guest, #124910) [Link]

Fwupd already does this anyway because every update method it supports needs to be able to enumerate which devices it can update, get their current firmware versions, etc. So a more useful command would be "fwupdmgr get-devices --filter updatable" which for me goes up to 28 on my best supported device.

So it does seem like the number would have to be one or two bits higher. You'd have to do some math on how identifiable you become at that point, but I reckon it's not that much.

Also, even if you end up downloading everything anyway, you still benefit in terms of caching. If you set the proper ETag headers etc, every firmware update will only invalidate a small subset of your cache. On second thought it might actually be worth doing this just to increase cacheability even without any of the hashing stuff.

Reducing the bandwidth needs for fwupd

Posted Sep 5, 2023 20:16 UTC (Tue) by willy (subscriber, #9762) [Link]

Without knowing any details, this feels a lot like Debian auto-update. Instead of fetching Sources.list every night, there's a ~daily "rred" which is essentially a diff to the previous Sources.list. It's typically quite small. If you miss a few days, you have to download a few of them, but it's usually much smaller than downloading the complete manifest of Debian packages.

Reducing the bandwidth needs for fwupd

Posted Sep 5, 2023 21:09 UTC (Tue) by gray_-_wolf (subscriber, #131074) [Link] (3 responses)

Why not distribute the metadata as a regular distribution package? That would neatly remove the traffic from LVFS CDN and push it onto the distributions' network, that are expected to handle people updating their systems already.

Reducing the bandwidth needs for fwupd

Posted Sep 5, 2023 21:43 UTC (Tue) by kaesaecracker (subscriber, #126447) [Link] (2 responses)

I imagine there are concerns about how fast distributions update the packages and how often the users update their systems

Reducing the bandwidth needs for fwupd

Posted Sep 15, 2023 19:02 UTC (Fri) by calumapplepie (guest, #143655) [Link]

I think firmware bugs are generally less exploitable than software bugs; as such, if a distro/user isn't updating packages, they're already insecure

Reducing the bandwidth needs for fwupd

Posted Sep 19, 2023 6:26 UTC (Tue) by LtWorf (subscriber, #124958) [Link]

If they don't update their software, you think they update their firmware?

Reducing the bandwidth needs for fwupd

Posted Sep 6, 2023 1:59 UTC (Wed) by Paf (subscriber, #91811) [Link] (2 responses)

At first blush, this seems like an entirely unacceptable violation of expectation and something I hope would be blocked by default firewall rules? My view is nothing on a Linux system should run a server *by default* unless it’s either directly a server itself or an absolutely required part of the functionality.

Many, many LANs are not friendly places and the only thing I want inbound requests to be is refused unless I’ve specifically asked for something else.

This feels user unfriendly to turn user machines in to LAN servers. It exposes them to whatever bugs may be in this implementation.

Reducing the bandwidth needs for fwupd

Posted Sep 6, 2023 20:10 UTC (Wed) by ringerc (subscriber, #3071) [Link] (1 responses)

This.

Even if it's in a systemd confined service in its own pidns, mounts etc, using SElinux policy, seccomp rules, apparmor policy, no new privs flag and so on, id be hesitant. And is it even going to be in a totally locked down service at all?

Reducing the bandwidth needs for fwupd

Posted Sep 7, 2023 9:43 UTC (Thu) by hughsient (subscriber, #52199) [Link]

See https://github.com/hughsie/passim/blob/main/data/passim.s...

Reducing the bandwidth needs for fwupd

Posted Sep 6, 2023 2:02 UTC (Wed) by shironeko (subscriber, #159952) [Link] (3 responses)

I suppose a distro level mirror can solve most of the problem here. opt-in local (maybe even global?) sharing could be nice, but I doubt local sharing will make a big impact outside IT managed networks anyway, it's not like people run dozens of identical machines in their home lan.

Reducing the bandwidth needs for fwupd

Posted Sep 7, 2023 9:45 UTC (Thu) by hughsient (subscriber, #52199) [Link] (2 responses)

> it's not like people run dozens of identical machines in their home lan

They really do. There's a huge number of companies that are small enough to not have centrally managed updates, but also big enough that there's 25 identical computers sitting in one room.

Reducing the bandwidth needs for fwupd

Posted Sep 7, 2023 11:51 UTC (Thu) by pizza (subscriber, #46) [Link] (1 responses)

> They really do. There's a huge number of companies that are small enough to not have centrally managed updates, but also big enough that there's 25 identical computers sitting in one room.

Even putting that aside, I have the better part of a dozen Fedora systems here, on an internet conncetion that hasn't met the last two FCC definitions of Broadband.

Between fwupd and DNF every day we're talking a couple hundred MB just in metadata, to see if sometihng new has landed. Nevermind the actual updates themselves.

I welcome anything that reduces the amount of routine bandwidth usage just to see if something newer exists.

(I might add that of course it would be a lot more bandwidth efficient to tell the server "hey, I have this hardware/software, got any updates for me?" But that would be rightly trashed as a privacy nightmare)

Reducing the bandwidth needs for fwupd

Posted Sep 7, 2023 22:26 UTC (Thu) by hmh (subscriber, #3838) [Link]

You can decouple "is there new data for me" from "please give me those updates".

The first one can use secure hashes and either DNS, DNSSEC or a static https entrypoint in a CDN serving a very small file (and can use HEAD, if-modified-since, etc). Maybe look at what ClamAV does.

You don't tell the server what you have. It tells you the latest hash, and if yours is different, you update.

The second one is harder, and might benefit from some P2P technology (which is also useful for the firmware data as well), or maybe differential updates like Debian does (which is just for metadata).

Obviously, if the metadata file changes everyday, it makes a lot more sense to break up that metada file into pieces in such a way that either the client gets just a subset of them, or that minimizes the number of metadata files that get changes every day/week..

Reducing the bandwidth needs for fwupd

Posted Sep 6, 2023 3:31 UTC (Wed) by xecycle (subscriber, #140261) [Link] (9 responses)

So ChromeOS, Windows and macOS started using LVFS, can we ask Google, Microsoft and Apple to pay the CDN bills?

Reducing the bandwidth needs for fwupd

Posted Sep 6, 2023 7:46 UTC (Wed) by pbonzini (subscriber, #60935) [Link]

Or move it to a foundation that gets money from them, or at least from a subset. Is it hosted by GNOME/freedesktop right now?

Reducing the bandwidth needs for fwupd

Posted Sep 6, 2023 8:45 UTC (Wed) by Sesse (subscriber, #53779) [Link] (7 responses)

CDN “bills”? If you talk to pretty much any of the large CDN actors (Fastly, CloudFlare, Google, Amazon), I'm sure they'd be willing to foot this pretty much for free. With, say, 500M clients downloading a 2MB file every day, we're talking less than 100 gigabits per second! That's a blip on these actors' graphs.

If you somehow don't like them, talk to someone running a couple of distribution mirrors. Serving nearly-static files over the Internet is a pretty much solved problem in 2023.

Reducing the bandwidth needs for fwupd

Posted Sep 6, 2023 8:55 UTC (Wed) by gioele (subscriber, #61675) [Link] (6 responses)

> If you talk to pretty much any of the large CDN actors (Fastly, CloudFlare, Google, Amazon),

Debian has an agreement with Fastly for https://deb.debian.org.

If Fastly is FLOSS- and privacy-respecting enough for Debian it is probably good enough also for LVFS/fwupd.

Reducing the bandwidth needs for fwupd

Posted Sep 6, 2023 8:57 UTC (Wed) by Sesse (subscriber, #53779) [Link] (5 responses)

Yes. And seemingly cdn.fwupd.org _already_ points to Fastly, so I have no idea what the actual issue is. How is this getting “swamped”?

Reducing the bandwidth needs for fwupd

Posted Sep 6, 2023 13:46 UTC (Wed) by wtarreau (subscriber, #51152) [Link] (4 responses)

> How is this getting “swamped”?

Maybe they're just feeling bad for wasting bandwidth that is generously offered to them, and that's perfectly understandable. It's while it's working that it's the best moment to try to improve the situation, not once the free service has to stop.

Reducing the bandwidth needs for fwupd

Posted Sep 6, 2023 14:07 UTC (Wed) by Sesse (subscriber, #53779) [Link] (2 responses)

Then I really feel that should be part of the discussion. “I'm making this new on-by-default server, with unproven code and a home-grown protocol involving crypto, written in a non-memory-safe language, and I want to make it default for all desktop installs of Fedora. It doesn't solve a real problem except that I want to save some bandwidth for a sponsor who by definition has plenty of bandwidth and hasn't expressed any desire for me to reduce that bandwidth usage.” Like so? :-)

(Of course, if the real situation are “Fastly does not want to sponsor bandwidth anymore, I've talked to several others who refuse”, it might be different. Might.)

Reducing the bandwidth needs for fwupd

Posted Sep 6, 2023 14:12 UTC (Wed) by zdzichu (subscriber, #17118) [Link] (1 responses)

Ugh, you're right, passim is written in C. This should disqualify it, new software written in C in 2023…

Reducing the bandwidth needs for fwupd

Posted Sep 6, 2023 20:11 UTC (Wed) by ringerc (subscriber, #3071) [Link]

Wow. For an externally facing service. That's not really acceptable.

Reducing the bandwidth needs for fwupd

Posted Sep 7, 2023 17:48 UTC (Thu) by dbnichol (subscriber, #39622) [Link]

I disagree. This is exactly the use case for a CDN - mostly static files that are downloaded a lot. It's essentially an automatic global mirror.

We also use Fastly at Endless and they just gave it to us for free and never asked another question. Similarly, Flathub uses Fastly, got it for free, and pushes a ton of data. This includes the ostree repo summary file, which is very similar to the LVFS firmware.xml.gz file in that clients download it all the time to see if there's anything new. But the flathub summary file is 7.5 MB and the LVFS firmware.xml.gz file is 900kB. I'm not aware that Fastly has ever said anything to the Flathub folks about using too much data.

Reducing the bandwidth needs for fwupd

Posted Sep 6, 2023 5:50 UTC (Wed) by matthias (subscriber, #94967) [Link] (3 responses)

> It's non-free software (which you have permission to redistribute, but still unpalatable for many) -- the compromise I've done for people changing the default to "metadata,firmware" is that you need to reboot into the new firmware before the published firmware gets shared; on the logic that you don't want to advertise to the world that you're currently running insecure firmware.

I do not understand this part. If you only advertise firmware once you have booted into it, one can conclude that you are running insecure firmware on the basis that you do not yet advertise the new version. If you advertise firmware independently on whether you have bootet into it or not, such a conclusion should not be possible.

The world will know anyway what kind of devices you run on the history of your previous advertisements.

Reducing the bandwidth needs for fwupd

Posted Sep 7, 2023 10:03 UTC (Thu) by hughsient (subscriber, #52199) [Link] (2 responses)

> If you advertise firmware independently on whether you have bootet into it or not

But we only download that firmware when it's needed -- we don't advertise everything.

Reducing the bandwidth needs for fwupd

Posted Sep 7, 2023 10:14 UTC (Thu) by matthias (subscriber, #94967) [Link] (1 responses)

> But we only download that firmware when it's needed -- we don't advertise everything.

Yes, so you always advertise which kind of hardware you have. An attacker can monitor the system and knows whether it advertised some old version of some firmware previously, proving that you have the hardware.(*) If a new firmware is out and the host does not yet advertise it, one can conclude that it still uses the old firmware, as it will advertise the new firmware once it has rebooted into it. If you would advertise the new firmware independently of whether you already use it, this conclusion is not as simple.

(*) The security implications are not really clear. Of course an attacker can know your hardware this way. However, security by obscurity is no good idea anyway and you should always assume that an attacker might know which hardware you are operating on.

Reducing the bandwidth needs for fwupd

Posted Sep 7, 2023 11:46 UTC (Thu) by pizza (subscriber, #46) [Link]

> The security implications are not really clear. Of course an attacker can know your hardware this way.

The attacker already has to pretty much own your local network by this point too.

Reducing the bandwidth needs for fwupd

Posted Sep 6, 2023 7:46 UTC (Wed) by Sesse (subscriber, #53779) [Link] (15 responses)

“The” CDN server? They have one, and call it a CDN? :-)

I'm not sure what to make of this. They are worried about increases of “orders of magnitude”, but how would passim help with that? I'd assume there are not a lot of LANs where this would actually help you at all, much less have ten machines. What's the difference between this and going full BitTorrent?

What is the amount of load here anyway? A single 2MB file with how many downloads per day?

Reducing the bandwidth needs for fwupd

Posted Sep 6, 2023 8:10 UTC (Wed) by NTmatter (subscriber, #118709) [Link] (2 responses)

Perhaps a multifaceted approach would be more appropriate. Publish a metalink containing a SRV record, local MDNS, torrent, IPFS, and finally a public HTTPS source. Take the bandwidth savings and invest in a modest SSL certificate for signing and pinning.

Reducing the bandwidth needs for fwupd

Posted Sep 6, 2023 8:42 UTC (Wed) by Sesse (subscriber, #53779) [Link] (1 responses)

Why this amount of complexity for something that's not really a lot of traffic?

Reducing the bandwidth needs for fwupd

Posted Sep 6, 2023 9:58 UTC (Wed) by NTmatter (subscriber, #118709) [Link]

It might not be much traffic, but it sounds like there's enough egress to put a dent in the maintainer's income.

The added complexity here would allow data to be pushed out to external services, while still allowing local users and site administrators to override behaviour inside their networks, all while using existing technology. I'm sure there are plenty of other interesting and secure solutions being proposed as well.

At the end of the day, yes, it'd be easier if some other entity would pay the maintainer a healthy wage and cover the infrastructure bill until the end of their stewardship. If only this was the default state of affairs.

Reducing the bandwidth needs for fwupd

Posted Sep 6, 2023 13:42 UTC (Wed) by paulj (subscriber, #341) [Link] (1 responses)

I was about to post the same question: Why re-do Bittorrent? Bittorrent is almost surely better.

There are mega-large, global, DC network that use Bittorrent as part of their internal software distribution system... How is this better? Indeed, could it be worse?

Reducing the bandwidth needs for fwupd

Posted Sep 7, 2023 10:04 UTC (Thu) by hughsient (subscriber, #52199) [Link]

> Bittorrent is almost surely better.

As I went into on the Fedora thread, there may be ITAR/EAR legal considerations if sharing more than metadata.

Reducing the bandwidth needs for fwupd

Posted Sep 7, 2023 9:41 UTC (Thu) by hughsient (subscriber, #52199) [Link] (9 responses)

It's about 10GiB/minute -- every minute of every day.

Reducing the bandwidth needs for fwupd

Posted Sep 7, 2023 9:49 UTC (Thu) by Sesse (subscriber, #53779) [Link] (8 responses)

So barely 1.5 Gbit/sec? And Fastly is seeing this as a real problem?

(FWIW, Debian uses ~30 Gbit/sec on Fastly's donated mirror.)

Reducing the bandwidth needs for fwupd

Posted Sep 7, 2023 10:12 UTC (Thu) by hughsient (subscriber, #52199) [Link] (7 responses)

> Debian uses ~30 Gbit/sec on Fastly's donated mirror

Is Debian growing by 30% every year? Exponential growth is a killer, and time to make the infrastructure changes is _not_ when we're asked to. It takes *years* to get new packages into distros.

Reducing the bandwidth needs for fwupd

Posted Sep 7, 2023 10:29 UTC (Thu) by Sesse (subscriber, #53779) [Link] (6 responses)

> Exponential growth is a killer

With 30% year-over-year growth, you are more than _ten years_ away from the 30 Gbit/sec level. Is this project rooted in real signals that it will be hard to get donated enough bandwidth in the future, or is it over a general fear of having a dependency that will be yanked?

How much do you actually anticipate saving in bandwidth by this? Will it matter meaningfully in the amount of bandwidth that needs to be procured/donated, or save maybe 1–2 years of growth and then you're back to where it started?

Reducing the bandwidth needs for fwupd

Posted Sep 7, 2023 11:02 UTC (Thu) by hughsient (subscriber, #52199) [Link] (5 responses)

> Is this project rooted in real signals that it will be hard to get donated enough bandwidth in the future,

Can it be both? I'm also thinking about the *planet* here -- distributing even 1GiB/sec sure isn't going to be carbon neutral.

> How much do you actually anticipate saving in bandwidth by this?

In honestly, I have no idea -- and I think it's impossible to say beforehand. Certainly, the data I do have is that a lot of people are using obsolete versions of fwupd that are several years old, so anything we do add now will take a long time to have any effect whatsoever.

A more general point: There really should be a tax on "it should be easy" comments. So many people have *no clue* how hard it is to run a webservice like LVFS in the real world, or how hard to maintain an opensource project used by millions of people. This isn't some big team of developers with project managers -- this is 98% just me.

Reducing the bandwidth needs for fwupd

Posted Sep 7, 2023 11:14 UTC (Thu) by Sesse (subscriber, #53779) [Link] (4 responses)

> Can it be both? I'm also thinking about the *planet* here -- distributing even 1GiB/sec sure isn't going to be carbon neutral.

Datacenters are _extremely_ energy efficient at serving data. Much more than e.g. your workstation is. Why would you want to serve from a less CO2-efficient platform?

> A more general point: There really should be a tax on "it should be easy" comments. So many people have *no clue* how hard it is to run a webservice like LVFS in the real world, or how hard to maintain an opensource project used by millions of people. This isn't some big team of developers with project managers -- this is 98% just me.

I feel your pain, I'm working on a FOSS project with a couple of billion users (and a couple of million developers) who all think it should be easy. :-) But really, what _is_ easy here is to keep having a CDN; everything else is adding complexity.

(If Fastly gives you up and you need a couple of gigabits of serving capacity, let me know—I'm sure we can talk to some people)

Reducing the bandwidth needs for fwupd

Posted Sep 7, 2023 11:20 UTC (Thu) by hughsient (subscriber, #52199) [Link] (2 responses)

> Datacenters are _extremely_ energy efficient at serving data. Much more than e.g. your workstation is.

Less electricity (carbon) is used downloading data from a computer physically next to you compared to from a CDN on the internet?

Reducing the bandwidth needs for fwupd

Posted Sep 7, 2023 11:30 UTC (Thu) by Sesse (subscriber, #53779) [Link] (1 responses)

No? Your local PoP (CDNs have PoPs that are generally close to you, so the external network distance traveled is negligible) will serve hundreds of gigabits per second in a couple of hundred watts. Your desktop uses much more than (in relative terms, per bit) when it has to wake up from power save. Then of course, if you are invoking mDNS, you are waking up every device on your LAN more often, which costs power. If the serving machine is on wireless, it's even worse.

The big gaming companies (e.g. Blizzard, IIRC?) used to have this kind of peer-to-peer technology ten years ago, but abandoned it because he problems you create are so large and the bandwidth they saved eventually got so cheap (both in dollars and CO2). Of course, if you're 10% of the total web traffic (think Netflix), then it's a different game, but I don't really think fwupd will ever get there. :-)

Reducing the bandwidth needs for fwupd

Posted Sep 7, 2023 11:53 UTC (Thu) by pizza (subscriber, #46) [Link]

> No? Your local PoP (CDNs have PoPs that are generally close to you, so the external network distance traveled is negligible) will serve hundreds of gigabits per second in a couple of hundred watts.

That's all well and good, but when my internet connection doesn't even qualify as broadband, it's a _lot_ more power efficient to download it once from the internet and re-serve it internally, because then the internal systems can go into a low power state all that much more quickly.

Reducing the bandwidth needs for fwupd

Posted Sep 7, 2023 12:46 UTC (Thu) by Wol (subscriber, #4433) [Link]

> > Can it be both? I'm also thinking about the *planet* here -- distributing even 1GiB/sec sure isn't going to be carbon neutral.

> Datacenters are _extremely_ energy efficient at serving data. Much more than e.g. your workstation is. Why would you want to serve from a less CO2-efficient platform?

Cue my obligatory database rant ... SQL / Relational databases are high in entropy, therefore are extremely inefficient. If my Pick database can complete an un-optimised query faster than the equivalent relational database can optimise the SQL, something's wrong here ...

(I very much like Khim's response to my statement "Pick requires the analyst to think about the database design" - he responded "There's the problem, people don't want to think". They leave it to the SQL optimiser to (mess up) the thinking, wasting energy in the process, while if your database is properly thought out to start with you don't need an optimiser.)

(If I get the chance to implement my ScarletDME system at work, it will be replacing a horrid mass of Excel spreadsheets. And I seriously expect it to massively reduce our need for disk space, at the same time as speeding up development, speeding up workflow, and kicking the shit out of Oracle / BigQuery. If I fail, my reputation will take a drubbing. I don't expect to fail ...)

The other thing to bear in mind - and I've just done a work report on exactly that - your workstation may be wasting energy. Re-purposing that waste *may* be greener than moving to a more energy-efficient platform. Indeed, moving that task to a more energy-efficient platform could *increase* your energy demands.

Cheers,
Wol

Reducing the bandwidth needs for fwupd

Posted Sep 6, 2023 10:23 UTC (Wed) by gmgod (guest, #143864) [Link] (2 responses)

Could we get the fwupd server to sign the firmwares with its own key and provide its public key (or subkey or rotating subkeys) with the fwupd binary? Unless it already does?

The guarantee is stronger as you ultimately don't only rely on CAs for authentication but a set of public keys provided with the fwupd binary (though the hash could still be retrieved as planned now). What's good with the approach is that downloading from peers or from the CDN become equivalent from a security perspective. And with many third parties adding CAs to local DBs (some companies, most "antivirus" programs), even them screwing up won't matter anymore.

The other elephant in the room is a new program written in C broadcasting on all devices on the network.

Reducing the bandwidth needs for fwupd

Posted Sep 7, 2023 9:35 UTC (Thu) by hughsient (subscriber, #52199) [Link] (1 responses)

> Could we get the fwupd server to sign the firmwares with its own key and provide its public key with the fwupd binary

It already does that, for firmware payloads and also metadata.

Reducing the bandwidth needs for fwupd

Posted Sep 7, 2023 9:44 UTC (Thu) by gmgod (guest, #143864) [Link]

That's brilliant then. I hope this will have a meaningful impact on bandwidth!

Reducing the bandwidth needs for fwupd

Posted Sep 7, 2023 13:17 UTC (Thu) by mebrown (subscriber, #7960) [Link]

If the actual content doesnt change very often, I wonder if a merkle tree concept would apply here. Instead of a 2mb database, just hash the database entries, then hash groups of the hashes, recursively, until you get down to a single hash, then you only need to publish and check a single hash value. Depending on how you hash the tree, you could make it much easier to download only a portion of the full database.

Reducing the bandwidth needs for fwupd

Posted Sep 8, 2023 10:45 UTC (Fri) by jeremyhetzler (subscriber, #127663) [Link] (1 responses)

CDNs have already solved the problem of serving static data. Re-inventing a bespoke CDN at the local level is the least efficient, least secure, and most labor-intensive way of getting the LVFS project what it needs.

LVFS should talk to Fastly/Cloudflare/whomever about just having them do the hosting for the metadata files. They may very well do it for free, in which case you're done. If not, this is a cheap and easy sponsorship from a corporate point of view.

Benefits:
- You don't have to develop and maintain something like Passim
- You don't have to convince every distribution to turn on a new service by default
- You don't have to convince every large and medium enterprise to allow this new service on their LAN
- You don't have to convince Apple and MS, which according to the article have adopted fwupd, to also deploy passim to their users
- You get all the simplicity and privacy benefits of the current design

Reducing the bandwidth needs for fwupd

Posted Sep 14, 2023 22:16 UTC (Thu) by fuhchee (subscriber, #40059) [Link]

And if it's the client <-> ISP hop that's slow, then let the client run http proxy caches on their LAN.

Reducing the bandwidth needs for fwupd

Posted Sep 8, 2023 20:24 UTC (Fri) by flussence (guest, #85566) [Link] (1 responses)

My one beef with this is that it's limited to LVFS. A generic local-network update distribution system would be so useful across the board. I used to run a local apt-cacher-ng to save bandwidth but because it was so non-standard it ended up being more effort to maintain than it was worth. Something that's built in to multiple pieces of software and can be switched on centrally by the presence of a special DNS record (like DoH) would be ideal.

Reducing the bandwidth needs for fwupd

Posted Sep 16, 2023 2:37 UTC (Sat) by calumapplepie (guest, #143655) [Link]

Apt-cacher-ng is installed on a lot of Debian dev's machines, because it makes package building in a clean environment not have to re-download over and over again. I myself run it on my laptop. I guess that using it for what it was meant for (a dedicated box rather than a daemon on your only machine) is an atypical use case...