Thu, 20 Jan 2011

Myths and Facts about Firmwares and their non-removal from Debian

Debian's announcement to release Squeeze with a completely free Linux kernel attracted quite some attention, which is actually a good thing. However, it also seems to have caused quite some uncertainty, and it was often partially misunderstood and misquoted. I'll try to summarize and answer some of these misunderstandings in this blog post:

  • Myth: Debian removed all firmware files from its kernels!
    Fact: No, it's just about the kernels that will be shipped with the upcoming release, Debian 6.0 Squeeze. The kernels in the current stable release, Debian 5.0 Lenny, remain as they are... Well, of course we will release security updates for them, but they will still contain the same firmware files as the present kernels.
  • Myth: Debian is ripping stuff out of its kernels
    Fact: Debian moved some firmware files from its main archive to the non-free part of the archive. They are still there, just in the part of archive for stuff not satisfying our Free Software Guidelines.
  • Myth: Debian will be uninstallable for many users
    Fact: The non-free firmware files are still available over our infrastructure. Those that are needed during installation (e.g. for network or storage controllers) can also be loaded during the installation (be it from CD or USB stick). We offer tarballs with these files (just unpack them on a USB stick and plug it in when asked) as well as netinstall ISO images already containing these non-free files. Of course these will stay there after Squeeze has been released, too.
  • Myth: Firmware files are needed, ripping them out doesn't accomplish anything and isn't good for our users
    Fact: Firmware files are needed by some drivers for some specific hardware, yes. But not all users want them. And since we are now able to load all these firmware files when needed (instead of compiling them into the driver itself), we are now able to ship them separately, so why not do so? That allows those who need non-free firmware to use it, while those who don't want it don't have to install it at all.
  • Myth: Ah, those Debian freedom zealots again...
    Fact: It's not only us. Actually, without the cooperation of many Linux kernel developers, we couldn't have achieved that goal. And it's not only us who are interested in creating a free Linux kernel; other major distributions see the problems, too. See for example the recent comment by a Fedora developer about changes in such a non-free firmware file. It just seems that Debian was one of the first to realise the problem of non-free firmware files.
  • Myth: Debian is going down on its knees before Stallman
    Fact: I haven't talked with RMS about that, but I think Debian is still not free enough for him; as far as I know, he would like to see the non-free archive vanish completely, or at least not mentioned anywhere at all.

So, one question remains: What is so bad about non-free firmware files? Aren't they just some tiny programs executed in the CPU of the device? Why care about them? Good question! Let's set possible legal issues aside and just look at the practical side. The core problem is: without source (and the tool chain to use the source), firmware files are just some random numbers for us. We don't know what they are doing, and we can't analyse or improve them. We can't change them, we can't support them. Maybe you already followed the link above to the comment of the Fedora developer. I cite him here again, because I think he summarized the problem so well:

Updated qlogic 2400 and 2500 firmware to 5.03.13. What does 5.03.13 do? No one knows, except for QLogic, and they're not telling. I asked, and they told me that information was only available under NDA. So, I encourage you to imagine what this firmware does, and the bugs it fixes. While you're at it, imagine a world where vendors release source code for their firmware.

So, now that we have established the fact that we can't support firmware files, one could wonder if we actually need to do so. What harm can a simple, tiny program in a peripheral device do to your computer? Well, scientists have already managed to create trojaned firmware for some network cards. So it is a problem, and can even under some circumstances lead to security problems!

So, to summarise: Yes, Debian changed something in the kernels. No, it will continue to work as well as usual. Some users might need to enable the non-free repository in their sources list, but those who don't need it don't have to. Firmware files needed during installation are also available, and can be loaded by the installation system. So, what's all the fuss about?
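To see which separately shipped firmware files the drivers on a given machine ask for, and whether they are installed, a small inventory script helps. This is an added example, not part of the original post or of Debian's tooling: it assumes the usual `/lib/firmware` directory and the standard `modinfo -F firmware` query, and the function names and sample module/firmware pairs in `demo` are constructed for illustration.

```shell
#!/bin/sh
# Added example: inventory the firmware files that kernel drivers request.

# Print "module firmware-file" for every loaded module that declares
# firmware, using /proc/modules and `modinfo -F firmware`.
list_requested_firmware() {
    while read -r mod _; do
        modinfo -F firmware "$mod" 2>/dev/null | while read -r fw; do
            if [ -n "$fw" ]; then printf '%s %s\n' "$mod" "$fw"; fi
        done
    done < /proc/modules
}

# Read "module firmware-file" pairs on stdin and report for each one
# whether the file exists below the firmware directory given as $1.
audit_firmware() {
    fwdir=$1
    while read -r mod fw; do
        [ -n "$fw" ] || continue
        if [ -e "$fwdir/$fw" ]; then
            printf 'PRESENT %s %s\n' "$mod" "$fw"
        else
            printf 'MISSING %s %s\n' "$mod" "$fw"
        fi
    done
}

# Constructed demo: a throwaway firmware directory holding one of the
# two requested files, so both outcomes are shown.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/e100"
    : > "$tmp/e100/d101m_ucode.bin"
    printf '%s\n' 'e100 e100/d101m_ucode.bin' 'qla2xxx ql2400_fw.bin' |
        audit_firmware "$tmp"
    rm -rf "$tmp"
}

# On a real system: list_requested_firmware | audit_firmware /lib/firmware
demo
```

Every `PRESENT` line is a binary blob that can be loaded into a device on that machine; every `MISSING` line is a driver that may need a package from the non-free archive to work fully.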

BTW: For those of you who can't remember links very well, but fear you might still need the links to the non-free images and tarballs: just remember two things, wiki and Firmware, as you'll find all you need on the Firmware page of Debian's wiki.

