Quoting Andrey Rahmatullin (2022-04-19 14:47:27)
> On Tue, Apr 19, 2022 at 02:38:03PM +0200, Jonas Smedegaard wrote:
> > When I install systems, I consider non-free blobs more risky than
> > other code.
> Do you consider loadable non-free blobs more risky than their older
> versions soldered onto the hardware?

I consider each blob differently risky. A newer blob might...

 * fix bugs
 * add functionality that I want
 * add functionality that I don't want
 * remove functionality that I want

With Free Software I often read the changelog, or if that is missing or
too terse then sometimes (for stuff that I care for in particular) I
skim through upstream git commits. I am rarely enough expert to notice
if changes are broken but at least I can get some sense of the intended
changes.

I don't have the same options for most non-free code. So even for
intended changes (i.e. ignoring tinfoil hat evil intents) I am less
likely to know if the changes are wanted or not, I can only assume that
"it is newer, gotta be better..."

> > When I (sometimes, but not always¹) choose to "infect" my systems
> > with non-free packages, I therefore consider each non-free package
> > to try minimize the amount of risky blobs on my systems. As an
> > example, I may choose to not apply realtek firmware updates when I
> > can verify that my ethernet device works adequately without it.
> Do you see some inherent value in not applying a firmware update then?

Yes: The benefit of knowing what I have and (most often) not knowing
what I get.

I like to use an operating system that keeps itself updated - because I
know that at any time I can dive in and inspect each detail, and either
block or (unofficially, at my own risk) try to roll it back. But for
components that are essentially black boxes, I prefer a conservative
approach of *not* updating by default, testing out updates on a few
devices before trusting applying them generally (if at all).

If I report an issue to a hardware supplier, and they say that the fix
is to flash a newer firmware onto the device, then I am likely to do
that - I trust my supplier (and can demand a replacement if the device
breaks as a result of my flashing operation instructed by them).

If I blindly flash newer firmware onto a device and it stops working,
then there is a real risk that if I contact my hardware supplier they
will tell me that I was wrong to change firmware and that they won't
replace the device. I think that is fair treatment.

Now, with OS-distributed firmware I am probably less likely to
permanently damage my device, but for the runtime functionality
scenarios are comparable: Just because a firmware loads might not mean
that it is endorsed by my hardware supplier - it might cause operation
of the device to be inferior compared to older firmware.

I prefer to update firmware only when recommended, not whenever
available, because it is (more often than with Free Software) unknown
what exactly it changes: I know better what I have, than what I get.

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private