
Intel's "redundant prefix issue"


Posted Nov 21, 2023 10:13 UTC (Tue) by paulj (subscriber, #341)
In reply to: Intel's "redundant prefix issue" by pizza
Parent article: Intel's "redundant prefix issue"

I didn't really have your comments in mind with the fanatical.

On 3, the issue is it is not obvious now. The goal is great - everyone seems agreed - the problem is implementing a policy. I suspect every policy the FSF could have for RYF will have major holes, and hence every policy will be open to angry criticism on forums - some simply as a vehicle for general FSF hate. Farnz' ideas on tiered certification might be a good improvement. Who knows.

The root issue here is there isn't a perfect policy.

Even if tiers would be better now, that doesn't mean the original policy was wrong - just that it turned out there were more subtleties to it, and it needed gradations - but shooting for the moon with the original policy may still have been the right policy at that time.



Intel's "redundant prefix issue"

Posted Nov 21, 2023 10:45 UTC (Tue) by khim (subscriber, #9252) [Link] (2 responses)

> but shooting for the moon with the original policy may still have been the right policy at that time.

No. RYF certification arrived in 2012. By that time it was much too late. GPLv3 fiasco was well underway. So FSF knew its influence is pretty limited. And, worse, hardware manufacturers have already changed their development model to incorporate upgradeable firmware (that happened around the beginning of XX century, I remember how I bought the same Socket 370 motherboard in different revisions and while original one had “flash write enable” pins and on v2.0 it was no longer there… means MSI tech support complained enough that it was removed).

Yes, it was an interesting attempt to turn the tide (same as GPLv3), but at some point sane person would realize that it failed and would change the stance.

Right now FSF is fighting Paraguayan War and while it loses not lives but “only” a mindshare consequences are dire: from someone who was respected and had lots of allies (even if not all allies agreed on everything) they turned into someone who is not ignored entirely in the mainstream IT field only because it holds copyright for some important projects and you couldn't fix bug in these projects without assigning copyright to FSF. And even that chokehold is slowly eroding.

Intel's "redundant prefix issue"

Posted Nov 21, 2023 14:19 UTC (Tue) by kleptog (subscriber, #1183) [Link] (1 responses)

> And, worse, hardware manufacturers have already changed their development model to incorporate upgradeable firmware

There are other forces at work here. Since devices sold to the public must have a two-year warranty, if any serious bugs are found (as they will) the manufacturer has to fix it and given the choice between pushing a software update and replacing the device, the former is much cheaper. And additionally, pushing an update reduces the amount of electronic waste, for which there are also regulations.

Changes afoot making it harder to disclaim warranty for security issues in software are only going to accelerate this trend.

Intel's "redundant prefix issue"

Posted Nov 21, 2023 14:37 UTC (Tue) by khim (subscriber, #9252) [Link]

These are minor details. Of course hardware manufacturers have changed their development model to save money! That's what businesses do.

And if you understand that then the next question that you should ask is: how may they earn some money from getting that RYF mark?

Taking existing hardware with proprietary firmware, crippling it and selling it at higher prices is profitable.

Developing hardware and open firmware just to get RYF mark is not.

It's as simple as that.

Now, you may play with these rules, try to make it more profitable for hardware manufacturers to use your free software instead of writing your own software (that's how Linux has become indispensable).

And then, when certain classes of devices would become available with free firmware — you may demand these have to come with free firmware.

Or you may just ignore Goodhart's law and get the opposite of what you are trying to achieve.

I can understand why FSF doesn't want to change rules of GPL: it's hard and costly to do and often backfires. But “certification marks”? It's completely normal for the certification mark rules to change over time, it's more-or-less inevitable because of Goodhart's law!

Yet FSF acts as if it may design something that works once and for all. Worse: it believes that precisely ignorance of economics would help them to achieve their goals, somehow.

Intel's "redundant prefix issue"

Posted Nov 21, 2023 10:49 UTC (Tue) by farnz (subscriber, #17727) [Link] (3 responses)

According to the FSF in 2014, my ideas are not an improvement - the FSF's policy is so great that by 2020, all firmware will be Free software.

I leave it to you to look around and determine if that's actually happened - and part of the problem here is that, having missed their original expectations for the policy, the FSF is not looking to see if a different policy might work better. That a policy has failed to meet expectations is one thing; that the FSF is not changing the policy is the problem. This is doubly problematic because the FSF has guiding principles (the four essential freedoms), and the policy enshrines cases where those principles are overridden by pragmatism to get a result that has not happened; the FSF should, if it were still the organisation I remember from the 1990s, either change the policy and accept a different pragmatic deficiency, or fall back to the principles and say that RYF will no longer certify devices with non-Free firmware, accepting that this reduces RYF hardware further.

Intel's "redundant prefix issue"

Posted Nov 21, 2023 13:37 UTC (Tue) by khim (subscriber, #9252) [Link] (2 responses)

> or fall back to the principles and say that RYF will no longer certify devices with non-Free firmware, accepting that this reduces RYF hardware further.

They couldn't do that. They like to claim that the FSF members, themselves, only use 100% RYF devices. But there are no storage devices with non-free software on the market today. All the HDDs, all the SSDs and all SD cards include non-free firmware. I think the last devices not to include firmware were old RLL HDDs manufactured more than 20 years ago. And I'm pretty sure they are not using these.

Of course most of such devices (if not all!) can upgrade that firmware “in the field”. And it's non-free. Which is in direct contradiction to stated rules, but can be easily fixed: just cripple the device, make sure firmware couldn't be updated and voila: you have RYF device.

Instead of accepting that reality and trying to see what can be done in this new reality they keep RYF in the state which allows them to perpetuate their lie of only using free software.

If you view FSF as a religious cult which values the ability to claim that they practice what they preach then this stance is pragmatic.

But I, for one, am not ready to accept such a thing as my religion. And they are not even formally framing it as such, they tell us that this St IGNUcius stunt was just a joke.

I probably would have respected them more if they actually tried to portray what they are doing as a religion, complete with temples, imaginary gods and maybe some ritual sacrifices.

But they are acting as a cult while simultaneously preaching how they are all about practical advantages.

Intel's "redundant prefix issue"

Posted Nov 21, 2023 14:53 UTC (Tue) by brunowolff (guest, #71160) [Link] (1 responses)

> But there are no storage devices with non-free software on the market today. All the HDDs, all the SSDs and all SD cards include non-free firmware. I think the last devices not to include firmware were old RLL HDDs manufactured more than 20 years ago. And I'm pretty sure they are not using these.

While from a free software viewpoint this isn't going to change any time soon, from an owner control viewpoint, you can mitigate against hostile storage devices. While they can execute denial of service attacks against your system, you can keep them from reading the data being stored on them by using encryption. Some traffic analysis attacks will still be possible, but those should be a lot less damaging. If you use them to provide data for early boot, before you can use encrypted data, you can use digital signatures to make sure your system is being provided good data. You'll need to be extra careful about replay attacks of old versions of the boot data. They could also try to exploit driver bugs to compromise your system. Mostly, you don't want to trust encryption built into the drive or assume you can erase everything written to it. If you are getting individually targeted by hostile hard drives, you are probably dealing with an adversary you're going to lose to.
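The early-boot check described in the comment above, sketched as an added example that is not part of the original post or of any project mentioned in the thread: a signed manifest binds a version number to the payload digest, and the verifier rejects anything older than a trusted minimum. The names `Manifest`, `Sign`, `Verify` and `minVersion` are hypothetical, and the sketch assumes the minimum version is kept somewhere the drive cannot rewrite.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Manifest is stored on the untrusted drive next to the boot payload.
type Manifest struct {
	Version uint64   // release counter, only ever increases
	Digest  [32]byte // SHA-256 of the payload
	Sig     []byte   // Ed25519 signature over msg(Version, Digest)
}

var ErrSig = errors.New("manifest signature invalid")
var ErrPayload = errors.New("payload does not match signed digest")
var ErrRollback = errors.New("validly signed, but older than trusted minimum")

func msg(v uint64, d [32]byte) []byte { return []byte(fmt.Sprintf("%020d:%x", v, d)) }

// NewKey and Sign run on the owner's machine, never on the boot path.
func NewKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	return pub, priv
}

func Sign(priv ed25519.PrivateKey, v uint64, payload []byte) Manifest {
	d := sha256.Sum256(payload)
	return Manifest{v, d, ed25519.Sign(priv, msg(v, d))}
}

// Verify: minVersion is assumed to live where the drive cannot rewrite it (e.g. a TPM NV counter).
func Verify(pub ed25519.PublicKey, m Manifest, payload []byte, minVersion uint64) error {
	switch {
	case !ed25519.Verify(pub, msg(m.Version, m.Digest), m.Sig):
		return ErrSig
	case sha256.Sum256(payload) != m.Digest:
		return ErrPayload
	case m.Version < minVersion:
		return ErrRollback // old boot data replayed with its genuine signature
	}
	return nil
}

func main() {
	pub, priv := NewKey()
	fmt.Println(Verify(pub, Sign(priv, 6, []byte("v6")), []byte("v6"), 7)) // constructed sample
}
```

A signature alone passes the old image, since it was genuinely signed once; only the comparison against the separately stored minimum catches the replay.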

Intel's "redundant prefix issue"

Posted Nov 21, 2023 15:14 UTC (Tue) by khim (subscriber, #9252) [Link]

Sure. And that work would be much more useful than pretence that work of someone who takes devices with potentially-hostile firmware and cuts the wire to make sure further updates are no longer possible (which magically turns it into “Respects Your Freedom” device) is, somehow, beneficial to your privacy.

Intel's "redundant prefix issue"

Posted Nov 21, 2023 14:31 UTC (Tue) by pizza (subscriber, #46) [Link] (1 responses)

> but shooting for the moon with the original policy may still have been the right policy at that time.

No, it was wrong at the time and they were told so at the time.

By the time this landed in 2014, a majority of hardware (and _all_ newish designs) required some sort of embedded firmware, and making it runtime-updateable was a highly sound business and engineering practice. Given the still-increasing complexity of hardware designs, there is no turning back that clock.

Also by the time this landed in 2014, it was clear to everyone (but the FSF) that the FSF's industry influence was way, way less than they believed -- Indeed, seven years after the GPLv3 landed, instead of enabling their devices to be user-modifiable, device makers stuck with old GPLv2 versions long enough to write their own permissively-licensed replacements. [1]

And then there's the logically absurd stance that claims that devices with immutable proprietary firmware are somehow "freer" than ones that can be updated, as the latter at least has the potential for libre firmware. This make-believe farce completely alienated the folks that have been doing the actual "hardware liberation" [2] work all along, resulting in the entire RYF initiative to devolve into nothing more than a virtue signaling exercise.

[1] Device makers that ever cared about licensing, that is. Most of the stuff churned out by Chinese OEMs has _never_ complied with the GPL.

[2] eg reverse engineering hardware and proprietary software/firmware, writing Libre device drivers, and other such tasks that enable folks to run free software on hardware they already own. ie GNU's entire raison d'etre!

Intel's "redundant prefix issue"

Posted Nov 21, 2023 14:43 UTC (Tue) by pizza (subscriber, #46) [Link]

> No, it was wrong at the time and they were told so at the time.

Just to be clear, I don't fault them with trying something that failed; what I take issue with is that they are _still_ doubling down on a policy that has accomplished nothing beyond harming their cause.

(well, aside from the virtue-signaling aspects. Which is even more damning if that is all they apparently care about...)


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds