Group: Hardware/Strategies/Advocacy strategies

Source code quality

When the code derived from other code under a copyleft license like the GPLv2 or GPLv3, the hardware manufacturers are required to publish the source code to the people they distribute the hardware or binaries.

However sometimes the hardware manufacturers manage to avoid reusing copyleft code and decide not to release the source code. In cases like that it pushes us to re-implement the nonfree software under a free software license, or pressure vendors to publish the source code in some ways.

As hardware vendors often rush to release their hardware (this is called time to market in economics), the code quality is often very bad.

It's also a common practice in free software projects to do hardware bringup in a way that doesn't have the best code quality and cleanup the code later.

Unfortunately some companies use the excuse of having bad code quality to not publish their work under a free software license.

Examples of bad quality code preventing release under free software licenses

"Once the code is cleaned up, we will publish it in open-source. It's just a matter of our resources to tidy everything up.": https://github.com/xtrx-sdr/images/issues/44
The ath9k_htc firmware liberation process required someone to step up to clean the code.

Examples of bad quality code that gave good quality code

On the other hand there are also some bad quality code having been released under a free software license that was used to get very high quality code:

wl1251
All the drivers that went into the staging area of the linux kernel and that later made it into the main area of Linux.

Possible strategies

It would be best to advocate for people not to insist on code quality too much but instead to insist in releasing the work under a free software license, or doing other things that results in a free implementation (like publishing documentation, etc).

It would also be a good idea to point at examples where in the long run, releasing the code as free software was also beneficial for the company or the code quality, to counter the fact that companies don't release because of the code quality.

TODO

Find and add more examples
Investigate the relationship between bad code quality, and companies's reputation.

Users advocacy to improve the danger of nonfree software in various areas

This could be done through several approaches:

We could explain hardware capabilities (Management Engine, WiFi chips, etc)
We could also show examples of issues a bit like gnu.org/proprietary/malware-appliances.html
We could show practical differences between free and nonfree software firmwares (like with WiFi, mesh networks etc).

Explaining why nonfree CPU microcode is bad

Example of hardware capabilities of CPU microcode updates

Microcode updates can contain a backdoor.^[1]

Example of issues with nonfree nonfree CPU microcode updates

At some point, Intel forbid its users to publish benchmarks by changing the license of the nonfree microcode updates.^[2] While they reverted the license change, it shows the power that these companies can have over people through nonfree microcode updates. We should resist it by not depending on nonfree microcode updates (for instance by not using it, finding fixes to issues in other ways like it was done in Libreboot before, etc).

Explaining why nonfree peripherals firmwares are bad

Hardware capabilities of hardware running nonfree peripherals firmwares

Complete computer takeover
- On many computers, the nonfree Intel WiFi firmware can take the control of the computer. This is for instance shown by security researcher that found security issues in the nonfree Intel WiFi firmware.^[3] Only intel can fix these vulnerabilities and they probably don't fix them for older WiFi chips. However even if there was no such vulnerabilities, the nonfree firmware has the ability to do such attacks. Combined with automatic updates through fwupd and LVFS, that gives intel an universal backdoor in many cases. Potential attacks can be blocked with special hardware^[4] or by not running the nonfree firwmare.
- Many Intel computers have a Management engine. By design this allows complete control of the computer.

Explaining why nonfree boot software is bad

The FSF has a Free BIOS campaign for that.

References

↑ Security research on microcode updates state that "We demonstrated that malware can be implemented in microcode [updates]."
↑ https://www.tomshardware.com/news/intel-cpu-microcode-benchmark-mitigation,37684.html
↑ https://www.sstic.org/media/SSTIC2022/SSTIC-actes/intel_wifi/SSTIC2022-Slides-intel_wifi-campana_iooss.pdf
↑ This requires an IOMMU, and to have it enabled. That can depend on the distribution or your BIOS/UEFI.

[1] Security research on microcode updates state that "We demonstrated that malware can be implemented in microcode [updates]."

[2] ttps://www.tomshardware.com/news/intel-cpu-microcode-benchmark-mitigation,37684.html

[3] ttps://www.sstic.org/media/SSTIC2022/SSTIC-actes/intel_wifi/SSTIC2022-Slides-intel_wifi-campana_iooss.pdf

[4] This requires an IOMMU, and to have it enabled. That can depend on the distribution or your BIOS/UEFI.

[1]

[2]

[3]

[4]

Navigation menu