A lot of drivers for hardware are actually not open source, just unreadable binaries that do …something. No one knows exactly how they work, so some people consider them a security risk.
I think its because the linux kernel is GPL2, not the modern GPL3 like most free software, so I think thats why some components are allowed to be non-free. Not sure though.
So, that practice violates the spririt of free software. So some distributions have those components removed. Its safer, but you may lose functionality, depending on what computer components you have.
Its an important project, and judging by the other comments here, underappreciated.
A lot of drivers for hardware are actually not open source, just unreadable binaries that do …something. No one knows exactly how they work, so some people consider them a security risk.
While I do understand the security aspect of this here at the same time those people seem to be delusional. At some point there’s proprietary stuff in our computers, be it a driver, a BIOS or the code that runs on the various microcontrollers that run low level functions from the USB ports to simple power management.
The most “security paranoid” organizations in the world usually run a lot of stuff on Windows and HP hardware full of opaque and proprietary code and they consider it “safe enough”.
I may get that not free / license based stuff might raise concerns if you aren’t a mega corp. that can pay the fee either way, but… if a trackpad requires a free but closed-source binary driver why would a random guy on the internet consider that to be a risk?
At some point there’s proprietary stuff in our bodies, be it a driver, a BIOS or the code that runs on the various microcontrollers that run low level functions from the USB ports to simple power management.
The most “security paranoid” organizations in the world usually run a lot of stuff on children and babies are full of opaque and proprietary code and they consider it “safe enough”.
People are replacing lost/damaged organs and limbs with computer-controlled hardware. The same problems that occur in computers that exist outside of humans will occur in computers inside of humans. Do you trust non-open drivers from Corporation X or Government Y in your eyes telling your brain what you do or don’t see?
That’s the extreme, of course, but it isn’t any less scary than computers you trust with your credit card, bank account, etc information.
Open source drivers means when corporation X goes under, your hardware still can work and isn’t automatically abandoned. It keeps more hardware out of landfills longer, with the ability to drastically reduce e-waste.
Do you trust non-open drivers from Corporation X or Government Y in your eyes telling your brain what you do or don’t see?
I agree with your point, but I find it very unlikely to have cutting edge medical technology using open-source software - after all those pacemaker / brain implant companies want to protect their research (and profits) - and I’m not even sure if a FOSS solution for that would ever get approved by any legal body.
That’s the extreme, of course, but it isn’t any less scary than computers you trust with your credit card, bank account, etc information.
All those systems that process your financial transitions run on tons of proprietary software and the banks and credit card companies believe that software is secure enough.
Open source drivers means when corporation X goes under, your hardware still can work and isn’t automatically abandoned. It keeps more hardware out of landfills longer, with the ability to drastically reduce e-waste.
This is probably the most reasonable thing about having open-source drivers… however hardware is diverse and complex and so are drivers. The community might not be able to maintain such the driver for specific-version-x-hardware I have because it might not have access to all the design documentation of the hardware nor the time to reverse engineer it. It might not be worth keeping a driver around if it only serves a few people because everyone is mostly on a different revision of the hardware or some other detail like that.
To be fair Linux removed support for 386, 486, floppy drives, “Carillo Ranch”, and a bunch of other older hardware recently… at some point the few users that still have a piece of tech won’t care about it because they can just replace it by a new and better alternative for cheap.
You make wonderful points, but I think we can both agree that I’ve demonstrated that there is value open source drivers, however insignificant they may be in comparison to non open drivers isn’t really relevant. It shouldn’t be such a shock an individual may want an open source only version of Linux which is the topic of discussion here.
Depending on the vendor providing that trackpad driver it may not be a substantial security risk. But it is a loss of software freedom, which some people care about.
Yeah, sure, but if the largest companies in the world trust the vendor that proprietary firmware why would I not trust it?
I agree with your POV, in theory yes, having stuff you can’t inspect it’s a risk, in practice there are a few more nuances to that. It’s not reasonable to want to have a 100% open-source computer from the software to use down to the AVRs/PICs that run low level functions.
Could we please stop associating open source with security? Don’t get me wrong, I love open source software and it is easier to trust open source software than proprietary, because it is highly unlikely, that they hide stuff like trackers in there. It is also most of the time highly configurable and sometimes even hackable and as a software developer you are able to look into the mechanisms behind the APIs which is sometimes really helpful.
But events like the lzma incident last year and predictable openssl RNG in Debian some time ago (https://lists.debian.org/debian-security-announce/2008/msg00152.html) should tell us, that open source doesn’t mean secure software. And the argument, that there are many people looking at the code is not really true. E.g. many maintainers of the linux kernel only look at specific parts/drivers in it and maybe into some other things they need for that. There are probably only a few people if any (apart from governments), that have read, understood and analyzed the linux kernel in its entirety with all the (open source) drivers built into it and all the possible combinations of configurations. And I don’t want to know how many have done all that for less popular projects. And even if that is done at some point for an upstream project, you would have to check the patches from your distro and if there are any do it all for yourself again. And when the next release arrives you would have to do all that in its entirety again (although with some head start) if a new version arrives (that has, say, at least a thousand lines of code changed, removed or added). And now think about how many big releases come with some software per year. And don’t forget to also include all the dependencies you have to check including the compiler and standard library of the language(s) used.
Of course it is easier to do all that for OSS as an outside party because you don’t have to decompile it, but it is still increadibly hard. And only to be easier to analyze for security risks doesn’t mean to be more secure just like packaging being recyclable doesn’t mean that it will be recycled.
Well, to run with your analogy, I prefer things to be recyclable then to just throw them away.
I agree with you - to a point. The linux kernel is too big and complex to understand all of it as a single person. However, its critical software. Meaning, we are not depending on some nerd to find a bug anymore. There are companies that look through critical code to check for security issues.
Now imagine I made some somewhat popular open source server software that saved passwords in plaintext. Chances are good, that by sometime next week ill have someone on the internet scream at me for that. With proprietary software, no one is coming.
(Maybe at the next code review, someone will say something, but proprietary software does not imply me working at a corporation, and corporation does not imply the software having to be closed source)
Open source does not guarantee 100% secure software, but it does make obvious lapses in judgement much less likely. And sometimes, there IS a nerd who will look through the code because they wanted a feature, and finds a critical bug. Like the person that found the xz backdoor. The chance for that happening with closed source is zero.
I agree because it is exactly what my claim is. It would still be foolish to say that open source software is by design more secure than proprietary. I know that this is not what you said and you most likely also don’t mean that, but there are enough people who think that way because they read everywhere that OSS=secure software.
Your example with xz however does not really hold imo. The xz bug was not found because xz is open source but because someone realized, that their ssh session build up took longer than usual and they then used valgrind to check for issues and not because they looked in the source code. It wasn’t even really an easy to spot backdoor because it was a malicious compressed file that changed the build process while running the tests and injecting the actual backdoor in the compiled file. Therfore this would have been found with proprietary software with the same likelyhood.
And regarding my analogy: I also like it more when things are recyclable, that is also why I like open source software more and have more trust in it. But now that I think about it, that wasn’t the best analogy I could’ve chosen but it was the first thing that came to my mind.
Well, the majority still seems to be unhappy. I think it is mainly because I chose Linux as an example and it reads like I think that Linux is not secure software which is not at all what I intended to say and also (obviously?) not what I think is true.
It’s definitely not safer. It does not include microcode updates so it’s quite the opposite of secure. Technically you can load them at boot but why would you intentionally make security harder to achieve?
Not including microcode updates is also extremely dumb from the philosophical standpoint. Microcode is closed source firmware running “inside your CPU” so if you don’t include the updates, your CPU now runs on both vulnerable and proprietary firmware.
A lot of drivers for hardware are actually not open source, just unreadable binaries that do …something. No one knows exactly how they work, so some people consider them a security risk.
I think its because the linux kernel is GPL2, not the modern GPL3 like most free software, so I think thats why some components are allowed to be non-free. Not sure though.
So, that practice violates the spririt of free software. So some distributions have those components removed. Its safer, but you may lose functionality, depending on what computer components you have.
Its an important project, and judging by the other comments here, underappreciated.
You explanation sums it all up thanks.
While I do understand the security aspect of this here at the same time those people seem to be delusional. At some point there’s proprietary stuff in our computers, be it a driver, a BIOS or the code that runs on the various microcontrollers that run low level functions from the USB ports to simple power management.
The most “security paranoid” organizations in the world usually run a lot of stuff on Windows and HP hardware full of opaque and proprietary code and they consider it “safe enough”.
I may get that not free / license based stuff might raise concerns if you aren’t a mega corp. that can pay the fee either way, but… if a trackpad requires a free but closed-source binary driver why would a random guy on the internet consider that to be a risk?
People are replacing lost/damaged organs and limbs with computer-controlled hardware. The same problems that occur in computers that exist outside of humans will occur in computers inside of humans. Do you trust non-open drivers from Corporation X or Government Y in your eyes telling your brain what you do or don’t see?
That’s the extreme, of course, but it isn’t any less scary than computers you trust with your credit card, bank account, etc information.
Open source drivers means when corporation X goes under, your hardware still can work and isn’t automatically abandoned. It keeps more hardware out of landfills longer, with the ability to drastically reduce e-waste.
I agree with your point, but I find it very unlikely to have cutting edge medical technology using open-source software - after all those pacemaker / brain implant companies want to protect their research (and profits) - and I’m not even sure if a FOSS solution for that would ever get approved by any legal body.
All those systems that process your financial transitions run on tons of proprietary software and the banks and credit card companies believe that software is secure enough.
This is probably the most reasonable thing about having open-source drivers… however hardware is diverse and complex and so are drivers. The community might not be able to maintain such the driver for specific-version-x-hardware I have because it might not have access to all the design documentation of the hardware nor the time to reverse engineer it. It might not be worth keeping a driver around if it only serves a few people because everyone is mostly on a different revision of the hardware or some other detail like that.
To be fair Linux removed support for 386, 486, floppy drives, “Carillo Ranch”, and a bunch of other older hardware recently… at some point the few users that still have a piece of tech won’t care about it because they can just replace it by a new and better alternative for cheap.
You make wonderful points, but I think we can both agree that I’ve demonstrated that there is value open source drivers, however insignificant they may be in comparison to non open drivers isn’t really relevant. It shouldn’t be such a shock an individual may want an open source only version of Linux which is the topic of discussion here.
Fair enough :)
Depending on the vendor providing that trackpad driver it may not be a substantial security risk. But it is a loss of software freedom, which some people care about.
Yeah, sure, but if the largest companies in the world trust the vendor that proprietary firmware why would I not trust it?
I agree with your POV, in theory yes, having stuff you can’t inspect it’s a risk, in practice there are a few more nuances to that. It’s not reasonable to want to have a 100% open-source computer from the software to use down to the AVRs/PICs that run low level functions.
Could we please stop associating open source with security? Don’t get me wrong, I love open source software and it is easier to trust open source software than proprietary, because it is highly unlikely, that they hide stuff like trackers in there. It is also most of the time highly configurable and sometimes even hackable and as a software developer you are able to look into the mechanisms behind the APIs which is sometimes really helpful.
But events like the lzma incident last year and predictable openssl RNG in Debian some time ago (https://lists.debian.org/debian-security-announce/2008/msg00152.html) should tell us, that open source doesn’t mean secure software. And the argument, that there are many people looking at the code is not really true. E.g. many maintainers of the linux kernel only look at specific parts/drivers in it and maybe into some other things they need for that. There are probably only a few people if any (apart from governments), that have read, understood and analyzed the linux kernel in its entirety with all the (open source) drivers built into it and all the possible combinations of configurations. And I don’t want to know how many have done all that for less popular projects. And even if that is done at some point for an upstream project, you would have to check the patches from your distro and if there are any do it all for yourself again. And when the next release arrives you would have to do all that in its entirety again (although with some head start) if a new version arrives (that has, say, at least a thousand lines of code changed, removed or added). And now think about how many big releases come with some software per year. And don’t forget to also include all the dependencies you have to check including the compiler and standard library of the language(s) used.
Of course it is easier to do all that for OSS as an outside party because you don’t have to decompile it, but it is still increadibly hard. And only to be easier to analyze for security risks doesn’t mean to be more secure just like packaging being recyclable doesn’t mean that it will be recycled.
Well, to run with your analogy, I prefer things to be recyclable then to just throw them away.
I agree with you - to a point. The linux kernel is too big and complex to understand all of it as a single person. However, its critical software. Meaning, we are not depending on some nerd to find a bug anymore. There are companies that look through critical code to check for security issues.
Now imagine I made some somewhat popular open source server software that saved passwords in plaintext. Chances are good, that by sometime next week ill have someone on the internet scream at me for that. With proprietary software, no one is coming.
(Maybe at the next code review, someone will say something, but proprietary software does not imply me working at a corporation, and corporation does not imply the software having to be closed source)
Open source does not guarantee 100% secure software, but it does make obvious lapses in judgement much less likely. And sometimes, there IS a nerd who will look through the code because they wanted a feature, and finds a critical bug. Like the person that found the xz backdoor. The chance for that happening with closed source is zero.
I agree because it is exactly what my claim is. It would still be foolish to say that open source software is by design more secure than proprietary. I know that this is not what you said and you most likely also don’t mean that, but there are enough people who think that way because they read everywhere that OSS=secure software.
Your example with xz however does not really hold imo. The xz bug was not found because xz is open source but because someone realized, that their ssh session build up took longer than usual and they then used valgrind to check for issues and not because they looked in the source code. It wasn’t even really an easy to spot backdoor because it was a malicious compressed file that changed the build process while running the tests and injecting the actual backdoor in the compiled file. Therfore this would have been found with proprietary software with the same likelyhood.
And regarding my analogy: I also like it more when things are recyclable, that is also why I like open source software more and have more trust in it. But now that I think about it, that wasn’t the best analogy I could’ve chosen but it was the first thing that came to my mind.
This is why I like fediverse. Redditors would downvote this to oblivion.
Well, the majority still seems to be unhappy. I think it is mainly because I chose Linux as an example and it reads like I think that Linux is not secure software which is not at all what I intended to say and also (obviously?) not what I think is true.
I could understand that some distros’ kernel had binary blobs, but the main kernel?? I was not expecting that if it’s true.
BSD people laugh about linux because of that all the time
There were tons of comics by OpenBSD vs. Linux (being the corporate slave)
It’s definitely not safer. It does not include microcode updates so it’s quite the opposite of secure. Technically you can load them at boot but why would you intentionally make security harder to achieve?
Not including microcode updates is also extremely dumb from the philosophical standpoint. Microcode is closed source firmware running “inside your CPU” so if you don’t include the updates, your CPU now runs on both vulnerable and proprietary firmware.