Debian 13 Live ISO without nonfree firmware
- Anmelden oder Registrieren um Kommentare zu schreiben
I removed the nonfree firmware and nonfree repos from a Debian Live XFCE ISO and uploaded it here: https://archive.org/details/debian-live-13.0.0-amd64-xfce-no-nonfree
Kind of a fun process to hack the ISO. General instructions are here: https://www.linuxquestions.org/questions/debian-26/tutorial-creating-a-custom-bootable-debian-live-iso-4175705804/
Although I had to alter the mount and umount commands for setting up the chroot environment to be more Ubuntu-esque since I was hacking the ISO on my Trisquel system. I'll probably list all the commands I used in a post below for posterity. Might help someone else hack a Debian-based live ISO someday.
I am a translator!
Thanks, this is interesting.
By the way, I tried installing a system in a vm with it, it adds non-free-firmware to the source but it looks like nothing was installed from therem. One interesting thing is the partitioning when selecting to encrypt the system: it makes two LUKS encrypted partition, one for root one for swap, and at boot, the prompt for the passphrase is from grub, it takes a rather longer time to react (because grub is slower than cryptsetup) and I need to assume a qwerty keyboard layout even though I installed my sytem with azerty, but then no need to type the passphrase twice (or even 3 times), I think the password is in some for in /crypto_keyfile.bin, which is referred to by /etc/crypttab. Typing the passphrase in grub is less convenient because there is no way to see the number of characters typed and in case of error, one goes to a grub rescue prompt. Strangely, once in the grub rescue prompt, the keyboard layout is azerty as expected, even though I need to assume qwerty for the passphrase to be accepted.
>"it adds non-free-firmware to the source but it looks like nothing was installed from there"
You are right, that's crazy, I guess the Calamares installer adds that to /etc/apt/sources.list. I wonder if there's a way to disable that, I don't know anything about hacking Calamares, but there's probably some simple config files somewhere.
So big warning:
AFTER INSTALLING THIS, YOU MUST GO BACK AND EDIT /etc/apt/sources.list AND DELETE OUT THE NON-FREE FIRMWARE REPOSITORIES THAT THE DEBIAN INSTALLER WILL PLACE BACK INTO THE FILE
The rest of your comment, I don't know, I didn't try installing an encrypted system. Hopefully that's a Debian set of bugs that will be fixed, and not anything to do with this No-non-free-Firmware ISO.
Did you remove the firmware packages on it?
That's a super cool project... thank you
Yes, I noticed that when I apt purged the non-free firmware packages from the squashfs that all the proprietary binaries seemed to disappear from /lib/firmware/. I think that swept them all away, and after installing the ISO /lib/firmware/ is still limited to the following small collection which I'm assuming are all free:
ls /lib/firmware/
ath9k_htc/
keyspan_pda/
regulatory.db.p7s-debian
av7110/
meade-deepskyimager.hex
regulatory.db.p7s-upstream
carl9170-1.fw
regulatory.db
skl_hda_dsp_generic-tplg.bin
cis/
regulatory.db-debian
usbdux_firmware.bin
dsp56k/
regulatory.db-upstream
usbduxfast_firmware.bin
isci/
regulatory.db.p7s
usbduxsigma_firmware.bin
Briefly and without much comment, here are the steps for producing this ISO:
From "Tutorial: Creating a custom bootable Debian Live iso", by m_yates, 01-04-2022, https://www.linuxquestions.org/questions/debian-26/tutorial-creating-a-custom-bootable-debian-live-iso-4175705804/
Download a Debian live ISO, in this case debian-live-13.0.0-amd64-xfce.iso
INSTALL DEPENDENCIES:
sudo apt install rsync squashfs-tools xorisso
PREPARE THE DOWNLOADED ISO
mkdir liveusb6/
cp ~/Downloads/debian-live-13.0.0-amd64-xfce.iso liveusb6/
cd ~/liveusb6/
dd if=debian-live-13.0.0-amd64-xfce.iso bs=1 count=432 of=isohdpfx.bin
mkdir isoextract mnt
sudo su -
UNSQUASH THE LIVE FILE SYSTEM
cd /home/ap/liveusb6/
mount -o loop debian-live-13.0.0-amd64-xfce.iso mnt
rsync --exclude=/live/filesystem.squashfs -a mnt/ isoextract
unsquashfs mnt/live/filesystem.squashfs
SETUP CHROOT ENVIRONMENT
mount --bind /dev/ squashfs-root/dev
chroot squashfs-root
mount -t proc /proc proc/
mount --rbind /sys sys/
mount -t devpts none /dev/pts
export HOME=/root && export LC_ALL=C
INSIDE CHROOT:
export TERM=xterm
nano etc/apt/sources.list
[remove the non-free firmware repos so that the file looks like this:
deb [trusted=yes] file:/run/live/medium trixie main
deb http://deb.debian.org/debian/ trixie main
deb-src http://deb.debian.org/debian/ trixie main]
APT PURGE THE NON-FREE FIRMWARE FILES
apt purge amd64-microcode atmel-firmware bluez-firmware dahdi-firmware-nonfree firmware-amd-graphics firmware-ast firmware-atheros firmware-bnx2 firmware-bnx2x firmware-brcm80211 firmware-cavium firmware-cirrus firmware-intel-graphics firmware-intel-misc firmware-intel-sound firmware-ipw2x00 firmware-ivtv firmware-iwlwifi firmware-libertas firmware-linux firmware-linux-nonfree firmware-marvell-prestera firmware-mediatek firmware-misc-nonfree firmware-myricom firmware-netronome firmware-netxen firmware-nvidia-graphics firmware-qlogic firmware-realtek firmware-siano firmware-sof-signed firmware-zd1211 intel-microcode iucode-tool
CLEAN AND UNMOUNT
apt clean
apt autoremove
rm -rf /tmp/* ~/.bash_history
umount /proc
umount /sys
umount /dev/pts
exit
OUTSIDE CHROOT
umount squashfs-root/dev
umount mnt
RE-SQUASH THE LIVE FILE SYSTEM
mksquashfs squashfs-root isoextract/live/filesystem.squashfs
BUILD THE ISO
xorriso -outdev debian-live-13.0.0-amd64-xfce-no-nonfree.iso -volid DEBIAN -padding 0 -compliance no_emul_toc -map isoextract/ / -chmod 0755 / -- -boot_image isolinux dir=/isolinux -boot_image isolinux system_area=isohdpfx.bin -boot_image any next -boot_image any efi_path=boot/grub/efi.img -boot_image isolinux partition_entry=gpt_basdat
Curious your iso is bigger after removing firmware?
I guess you installed some new packages or something
user@pc:/media/user/08a3c36e-208b-47b9-b112-59a4b851a099/1_OS/Gnu_Linux/ISO/Debian/Trixie 13$ ls -la
total 11108372
drwxr-xr-x 2 user user 4096 Aug 17 11:33 .
drwxrwxr-x 7 user autologin 4096 Aug 17 10:12 ..
-rw-rw-r-- 1 user autologin 3741319168 Aug 14 21:16 debian-live-13.0.0-amd64-lxde.iso
-rw-r--r-- 1 user user 3976200192 Aug 17 11:21 debian-live-13.0.0-amd64-xfce-no-nonfree.iso
-rw-rw-r-- 1 user autologin 3657433088 Aug 8 09:42 debian-live-testing-amd64-xfce.iso
user@pc:~/Downloads$ sudo dd if=debian-live-13.0.0-amd64-xfce-no-nonfree.iso of=/dev/sdb bs=512KB; sync
7766+1 records in
7766+1 records out
3976200192 bytes (4.0 GB, 3.7 GiB) copied, 174.269 s, 22.8 MB/s
I'm going to find out right now!
Whoops, there is non-free firmware on the disk : D
/media/user/DEBIAN/pool/non-free-firmware/
user@pc:/media/user/DEBIAN/pool/non-free-firmware$ ls -la
total 16
dr-xr-xr-x 1 user user 2048 Aug 9 06:59 .
dr-xr-xr-x 1 user user 2048 Aug 9 06:59 ..
dr-xr-xr-x 1 user user 2048 Aug 9 06:59 a
dr-xr-xr-x 1 user user 2048 Aug 9 06:59 b
dr-xr-xr-x 1 user user 2048 Aug 9 06:59 d
dr-xr-xr-x 1 user user 2048 Aug 9 06:59 f
dr-xr-xr-x 1 user user 2048 Aug 9 06:59 i
dr-xr-xr-x 1 user user 2048 Aug 9 06:59 z
with microcode and everything, the debian wiki instructs us however,
that if we add
firmware=never live-installer/enable=false
to the boot command line on the live disk then non-free stuff wont install
Good catch, I should do a new version without the /media/user/DEBIAN/pool/non-free-firmware/
I did not add anything at all, and was also surprised that the ISO is bigger, since apt purging the non-free firmware packages deleted 834MB of data. I believe that the process of un-squashing and re-squashing the squashfs and then recreating the ISO image with xorisso probably causes changes in size. Possibly xorisso uses a different compression method than the original Debian ISO creation method. Might be some settings in xorisso that can reduce that ISO size, I'll need to explore that.
The Debian firmware page says about firmware=never that it will disable all firmware, including necessary free firmware:
"Note: using firmware=never will also skip free firmware detection and installation, so you will have to do it manually if it is needed."
https://wiki.debian.org/Firmware#How_to_disable_detection_and_use_of_non-free_firmware
This Live ISO hacking project is an attempt to remove everything from non-free, but leave all the freely licensed firmware in place.
Ok so I just tried booting up, and installing, and the ISO you made installed without issues, which is an amazing testament to fakeroot I think : D
I of course did a non-standard install so I used an msdos partition table, with an f2fs filesystem,
(have to connect to the internet and sudo apt update && sudo apt install f2fs-tools -y before running calamares to do it)
but then after the install completed, my boot up sequence was broken, I guess because of an error installing grub that way.
so I booted up a rescue cd, chrooted into debian, ran a grub-install /dev/sda
on my harddrive, and then poked around to look at things..
non-free-firmware was still active in the sources, but doing an apt search for ...
firmware
non-free-firmware
and
microcode
turned up zero results, i.e. no installed firmware packages on debian after using the command line commands
firmware=never live-installer/enable=false
on the grub command line before booting up.
after I fixed my grub, to work with my msdos partition/f2fs-filesystem
Trisquel-Debian andypough edition is now working flawlessly.
Now I will see if abrowser and libre-linux work
I also installed the system offline, so maybe that helped things... anyways I think your attempt didn't work : D but maybe the debian method works, if it's done offline
So now I've tried following the debian wiki firmware pages instructions on disabling it, and as far as I can tell, I haven't seen any of the instructions work, except for one interesting piece of information, the bullseye install media contain no firmware drivers
(it's wishful thinking that the wiki for debian has good instructions : D, or that things all work in every different scenario)
I tried installing just bookworm, your cd, and another debian 13 cd, with the instructions on the wiki to disable firmware, and actually only your cd, didn't install any firmware, unlike each of the debian cd's
each time I did have to disable non-free and non-free-firmware in the sources...
So now I'm going back to bullseye, I outlined my working method here...
https://trisquel.info/en/forum/libre-linux-and-abrowser-working-debian-bookworm-only-free-packages
USB -> msdos -> fat32 -> debian bullseye
hard drive -> msdos /f2fs/ext4
disable non-free and security repots, disable internet,
cleanly shut down the system with sudo poweroff (every time)
physically disconnect the internet repeatedly
fully upgrade the system, cleanly shutdown the system
dist-upgrade the system, cleanly shutdown the system,
then at that point hopefully at least bookworm is working,
and honestly I know from experience not to use a stable release even after it has come out,
so the next best thing to do is to fully upgrade the system asap, make a clone of it,
and then to disable apt sources before they break anything upstream,
and before the clone rebuild the libre-kernel with efi support totally disabled, and get abrowser installed,
and that, is a perfect system.
so I just did this install method, and it's painful, but that's what it takes to make a really stable debian system...
plus, every time you install something you have to jump around disabling all the automatic startup programs and services that are automatically enabled, it's a super pain...
for this reason I'm starting to think after years of using different live CD's, that the future, is in disk cloning, and sharing our clones with each other...
A trisquel install is so light for example, that it fits on a usb drive... then you can make an image of it, and share it...
simple, efficient, and that way you can fully customize it beyond default settings which is an effort that takes hours every single time we use a live cd alternatively.
Instead of using these "volatile" systems so much we could be using fully functional well designed operating systems! Which are actually super difficult to get into a stable state unless you know what you're doing.
Now I have to clone my disk before upstream starts pushing out packages that break it... right now, everything is in perfect alignment... and the only thing that can hurt this system are the updates themselves.
It might not be possible to do this in the near future btw, as packages shift around, it could break just like previous versions... so it's literally time sensitive to build this type of system
I think this version is as good as I can do at this point. I used fd-find to locate every mention of "non-free" on the ISO, which were in /var/lib/apt/lists/, and deleted them. But no matter what, once you install it the /etc/apt/sources.list is still populated with non-free repos and /var/lib/apt/lists/ are still populated with references to non-free sources. So Calamares must be adding them, but the Calamares config files in /etc/calamares/ don't give any clues about how to change that behavior. Until I understand how to hack Calamares better, there's nothing more I can do right now.
Anyone using this ISO, be sure to remove the non-free firmware repos from the /etc/apt/sources.list file after installing with Calamares. The installer is adding them even though I've removed them from the sources.list file on this ISO.
im thinking we should start collecting bullseye isos at this point
Good point.
So if you read the debian wiki page on firmware carefully, it says this
First of all bullseye(11) install media (the disks) do not contain firmware by default
but since bookworm, version 12, now debian install media contain firmware, and the installer
attempts to identify what firmware your PC needs, and to install it.
If you use the regular iso install media located here
https://cdimage.debian.org/mirror/cdimage/archive/12.11.0/amd64/iso-dvd/
(and maybe the network, and standard install?)
and apply firmware=never to the command line before booting,
the firmware will still be on the disk, but the installer
will not run it's automatic detection for firmware, and "add them as needed"
then if you use the live iso install media located here
https://cdimage.debian.org/mirror/cdimage/archive/12.11.0-live/amd64/iso-hybrid/
you have to add the commands firmware=never live-installer/enable=false
as "boot parameters" to achieve the same thing.
But after just installing bookworm like that, and trixie,
it doesn't seem to apply, or achieve the desired effect,
the firmware/microcode are still installed after the install is completed,
so it isn't clear to me, that the installer didn't auto load firmware(or the debian system itself)
now I didn't try the non-live dvd installer or the standard installer or the net install
and I always did the installs offline, which changes the situation.
it seems to me, the most important thing is that bullseye install media completely eliminate the ambiguity, the uncertainty, surrounding the situation. And now using offline mainly, disabling most automatic services, and programs that attempt to connect to the internet and update, as well as the security repo's, made upgrading bullseye to bookworm painless... it does however install a new kernel automatically, with it's new drivers, and because the packages become broken over time in old distributions you can't easily build a new one.
This is why it's essential to have clones, and offline storage of old working software sets, because you literally can't reproduce the ideal results otherwise, relying on upstream maintenance, which pressures us alternatively, to "Just Use The System," and also, "Don't Manage Your Own Kernel And Drivers, Let "Debian" Do It For You"
True. Debian really made a huge mess:
a) in deciding to shovel nearly 1GB of nonfree firmware packages and binaries onto every installation media;
and
b) in how they have implemented their nonfree firmware choice with almost ZERO ability for users to completely avoid Debian's huge pile of firmware junk
what's funny is that Im using the non-firmware version of debian right now... bullseye->bookworm->trisquelized
or the free version
and it works great... despite all those arguments @debian about the need to force everyone to use non-free and non-free-firmware, this free debian system is perfect to the contrary
Yeah, I've always noticed that unless a person has an Nvidia card or has some unusual hardware, and as long as they don't expect the proprietary wifi cards to work, there's usually zero issues with using 100% free software without added nonfree firmware.
I figured out a better way of installing - you have to use the Debian "regular" installer, not the Calamares installer. Then, if you use this ISO, you will get an installation without as many "non-free" problems to clean up.
So, Instructions:
When booting the ISO, choose the "Start Installer" option from the main Grub menu. Do NOT use the installer from the Live XFCE environment - that will be the Calamares installer which makes a mess of things.
After installing, the Debian regular installer will leave you with only the ISO image as a repository listed in /etc/apt/sources.list. Go ahead and comment out the ISO as a repository:
su -
nano /etc/apt/sources.list
comment out the line "cdrom" line and remove the "non-free firmware" source from the end of the line:
#deb cdrom:[Official Debian GNU/Linux Live 13.0.0 xfce 2025-08-09T10:59:34Z]/ trixie main
Then save and exit nano. In this case, we had removed all the non-free firmware packages from this ISO already, so the cdrom "non-free firmware" source should have been empty, but it seems best to remove the reference to it.
Add some repositories:
nano /etc/apt/sources.list.d/debian.sources
Add the following lines:
Types: deb deb-src
URIs: https://deb.debian.org/debian
Suites: trixie trixie-updates
Components: main
Enabled: yes
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
Types: deb deb-src
URIs: https://security.debian.org/debian-security
Suites: trixie-security
Components: main
Enabled: yes
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
Then save and exit nano.
Then you can apt-get update and upgrade as normal.
This installation method will leave you without sudo privileges, so be sure to add a root password in the installer so that as root you can make these changes and add your user to sudo.
People won't believe it was an accident (I mean dumb isn't an accident), but I recently accidentally wiped out Aramo on sda instead of Ecne on sdb installing Bookworm over it. Well, I couldn't believe I did it because I double checked what I was doing before I committed. Not sure what part of me did the double checking but I guess it wasn't the best part. (Or it was a Calamares conspiracy)
Anyway, right after that, Trixie was announced but the wiki page on how to upgrade from Bookworm was empty.
I did install Bookworm twice, once using the live-install and once going direct to the 'Debian "regular" installer.' I like the Debian "regular" installer much better but did run into no root or sudo password problem.
AndyPrough, you mention 'this iso,' which one are you refering to? Is ythis it:
https://cdimage.debian.org/mirror/cdimage/archive/12.11.0-live/amd64/iso-hybrid/
>"AndyPrough, you mention 'this iso,' which one are you refering to?"
The one that I linked to in the first post in this thread - it's a Debian Trixie Live XFCE ISO where I tried to remove all non-free firmware packages and non-free firmware binaries and so forth.
Interesting, but why Debian when we can use Trisquel?
Show me where in any of this thread or on any of my posts ever that I said you should use Debian?
I really really dislike Debian, it annoys me to no end with its stupid, pointless, anti-user defaults, ugly themes and layouts, and the ridiculous way the project hides half of its documentation on obscure websites and the other half of its documentation was written in about 1995 and never updated. And Debian's forum is full of snide, sarcastic people that seem to want to ensure that no new user question ever gets answered.
So no, do NOT use Debian. Trisquel is a million times better in a million different ways.
That being said, I love nothing more than hacking stuff, and I just so happened to hack the new Trixie live xfce ISO this week. If it bothers you then don't read it - read some of my hacking Trisquel threads instead.
I am a translator!
My only usage of Debian is for https://www.freedombox.org, as it makes it really easy to host my own server for email, contacts/calendar, xmpp, irc bouncer and it can work with exclusively free software on a number of machines, like the Olimex Olinuxino Lime 2 or the more powerful rockpro64 (for the Olinuxino Lime 2, freedombox installers don't even put non-free-firmware in sources, I can't remember whether it was put and I removed it on rockpro64, perhaps it wasn't).
The freedombox package is in Trisquel too but it is only tested on Debian and issues are fixed regularly and the new version is backported to Debian, but not to Ubuntu (so not to Trisquel either). Besides, it is likely that there are settings specific to Debian that won't work on Ubuntu or Trisquel.
If you try using it, note that the current "stable" installers use bookworm but have "stable" in sources, so you need to connect via ssh and replace "stable" with "bookworm" before running any update/upgrade operation.
everything works on debian, it's the most stable gnu/linux system that also has the most interoperability.
you can do anything on it. and using a stable distribution, which despite @debians claims is called trixie, is actually the former bookworm, makes using the gnulinux system the best experience... it's also the easiest,
it has issues compared to ubuntu, mainly, in it's support for popularized hardware features, and proprietary use scenario's... also it's security is handled differently. it's similar in a lot of ways though actually, in how it is utimately put together.
you can expect that trixie, like bookworm, will probably be a candidate for consistent stability around the .5 point ugrade... or 13.5