Intel processor microcode security update for Trisquel

kopolee11
Joined: 06/05/2013

I've noticed on the Debian-security mailing list information about an
update for Intel processors microcode that fixes several
vulnerabilities. More info can be found below.[1]

Are there any steps that Trisquel users should take to protect
themselves? Is a security update on its way?

[1]http://lists.debian.org/debian-security/2013/09/msg00002.html

jxself
Joined: 09/13/2010

A security vulnerability in a piece of proprietary software. What else is new? Trisquel doesn't include it since it's proprietary. So, here's Debian pushing proprietary software yet again.

lembas
Joined: 05/13/2010

>Please install the "iucode-tool" package (from contrib) and the "intel-microcode" package (from non-free).
[...]
>Intel doesn't publish to the general public much data about microcode updates, therefore we only have very spotty information
Wow, I wouldn't touch that with a 20 foot barge pole.

trisq

Joined: 09/03/2013

Amazing. I couldn't fully comprehend why Debian was not listed by the FSF as a free distribution. Seemed like party politics or semantics. Now I see the real reason.

lloydsmart

Joined: 12/22/2012

The situation isn't ideal, but I can see where Debian are coming from here.

The Intel microcode is non-free. It comes pre-installed in the processor. It contains a security vulnerability.

Intel releases a security update to said non-free microcode. What's a free distribution to do? If they don't pass on the update, their users are stuck with the vuln for ever.

AIUI this update does not contain any non-free code that is executed by the system. It's simply a free package (from contrib) to load the firmware into the chip. The firmware itself is non-free (Intel's fault), and is therefore stored in the non-free repository.

Consider the alternative - a distro like Trisquel refuses the update because it's non-free. The old version of the microcode continues to reside inside its users' CPUs, and they are vulnerable to the security issue indefinitely. The irony is that Trisquel's users will still have non-free code in their system, just an older version. Worst of both worlds.

jxself
Joined: 09/13/2010

Not really. CPUs have bugs all the time. They're worked around in software, just like GCC has workarounds for bugs in the CPU used in the Yeeloong. Accepting proprietary software isn't really required.

RedMondSux
Joined: 12/23/2013

In this discussion about an earlier Intel microcode update, Theo de Raadt says, "hiding in this list are 20-30 bugs that cannot be worked around by operating systems, and will be potentially exploitable. I would bet a lot of money that at least 2-3 of them are." http://marc.info/?l=openbsd-misc&m=118296441702631&w=2

As I'm basically ignorant on this subject, I'm wondering how to square that with your statement that, "CPUs have bugs all the time. They're worked around in software, just like GCC has workarounds for bugs in the CPU used in the Yeeloong."

Please could you enlighten me? Thank you :)

jxself
Joined: 09/13/2010

And so here we've got an announcement from the Debian Project that just might make people want to go enable both non-free and contrib. Despite what I hear most Debian defenders saying where it's the user that does it & Debian never recommends/encourages it.

And, once they do so, the *entire contents of non-free and contrib become available and viewable in the user's package manager*, not "just" the non-free stuff from Intel. So much for keeping stuff separate and users knowing that they won't accidentally install something non-free (another thing I hear from Debian defenders.) Just because they wanted one piece of non-free software.

trisq

Joined: 09/03/2013

I like Trisquel's stance on such updates. I'd rather have volunteer coders solve the issues rather than the proprietary issuers.

It is clear that funny stuff is being baked into some chips.

http://www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html?_r=1&

Closing one vulnerability may simply be an excuse to put in some new ones for later.

"If your goal is mass surveillance, you need to build insecurity in from the start. That means working with vendors to add backdoors."

http://blog.cryptographyengineering.com/2013/09/on-nsa.html

I feel like a deer in the headlights at the moment. Proprietary anything would not seem to improve things, especially now.

Google has toughened their position recently, supposedly to protect their users' interests, and then an article like this magically appears…

http://online.wsj.com/article/SB10001424127887323864604579069730686941454.html

What kind of arrangement was that? The headline and lead paragraph do the damage; there doesn't seem to be much to the overall story though.

There probably is some kind of battle going on among the big guys. Therefore I want my fixes coming from little guys, volunteers, free software and so on.

kopolee11
Joined: 06/05/2013

I want to apologize for bringing up the topic the way I did. I'm fairly
new to Free Software, and not very technical either. I didn't realize
that Debian's Intel update was proprietary software. This supports
jxself's assertion that Debian may drive naive users like myself
towards proprietary software. I wholeheartedly agree with Trisquel's
stance on not providing this "security update". (As who knows what's
included in the latest microcode)

> The situation isn't ideal, but I can see where Debian are coming from here.
>
> The Intel microcode is non-free. It comes pre-installed in the processor. It contains a security vulnerability.
>
> Intel releases a security update to said non-free microcode. What's a free distribution to do? If they don't pass on the update, their users are stuck with the vuln for ever.
>
> AIUI this update does not contain any non-free code that is executed by the system. It's simply a free package (from contrib) to load the firmware into the chip. The firmware itself is non-free (Intel's fault), and is therefore stored in the non-free repository.
>
> Consider the alternative - a distro like Trisquel refuses the update because it's non-free. The old version of the microcode continues to reside inside its users' CPUs, and they are vulnerable to the security issue indefinitely. The irony is that Trisquel's users will still have non-free code in their system, just an older version. Worst of both worlds.

That said, this seems like a real concern for free software users. Right
now many Trisquel users have fully free software, except for some
microcode and the BIOS. And that microcode is now vulnerable. As
lloydsmart said, it truly does feel like the worst of both worlds. That
said, I reiterate that accepting proprietary microcode is unacceptable.
I don't know if a free software hack is possible - like Nouveau for
Nvidia drivers - but if at all possible, it should be a top priority.
(And I realize there is probably a vast difference between free software
drivers and a free software update for a non-free microcode)

If anything, this illustrates the importance for fully free computer
systems (including BIOSes) and ultimately the necessity for free and
open hardware. We simply can't trust the likes of Intel anymore.

Chris

Joined: 04/23/2011

This is one of the reasons I've been a big advocate of moving away from x86. It's getting worse and worse and there isn't a good solution. RMS speech talked about this issue (on a broader scale of hardware) at 2013 Libre Planet. The problem is the financial cost of fixing things and the lack of demand within the larger community. While a big part of the free software community is making a difference it's not sufficient or at least aware enough to address these kinds of issues. It is interesting to note that the less technical users from the broader community seem more apt to contribute to the change. That may be a good thing. Even if they're unable to adapt themselves easily (use 100% free distribution) they can contribute to fixing the issues.

I definitely recognize the problem with Debian's position and I also recognize the reason the non-free repository exists. I don't have a good solution to that problem given the lack of support from the larger community. RMS's stance I think would have solved that problem long ago had the larger community adopted it. Unfortunately that hasn't happened. Unless you can get them to agree it probably won't fix the problem either.

I'm going to credit Debian for one thing though and that is removing the non-free code from the base installation. Unfortunately it doesn't fix the problem when users are directed to add the non-free repository to install xyz firmware although it does give some weight to the argument that hardware design firms should consider the result of restrictive licensing. That is the support of Linux will be reduced and that could hamper (will likely hamper) sales. ThinkPenguin's started that trend... but... who knows... who else might adopt it going forward. And we already know that every user who runs into this problem ends up one customer more likely to avoid non-free dependent devices in the future as a result. It's why ThinkPenguin's been successful.

quantumgravity
Joined: 04/22/2013

There's a difference between "recommending non-free software" and "providing the possibility to install it", and perhaps this could solve the whole problem.
Imagine a user who doesn't know much about the problems with proprietary software.
He installs Debian, but on his pc is a wireless card which needs non-free firmware.
If the installer clearly points out the problems with non-free software and possible solutions (floss friendly wireless card from tp etc.) but provides the possibility to install it anyway, the new user makes a positive experience with his new "almost free" system. Don't push him away when he doesn't quite understand the reasons.
Very likely he will think about the problems the installer told him about and really replace his wireless card some months ago.
Result: a person uses his pc in freedom, a new member for the free software community.

The other possibility is not to provide the firmware because it's unethical.
Result: new users won't understand, become frustrated and go back to windows. The OS developers stayed pure and holy, they remain "ethical".

The only way of getting the ideas of free software in people's minds is the first one.
And we *need* more support, like chris pointed out, if we want to build a pure computer one day for an acceptable price.

The only thing I can blame debian for is the lack of information they give to the users;
they really should teach them when proprietary software might be installed every time and teach them about the problems; they should not recommend it, but the possibility to do so should remain.

trisq

Joined: 09/03/2013

What would also be helpful is 100% free hardware that just works with 100% free software.

The days of "Hey, I have a computer, I'm gonna try some new software on it" are dying and in many cases are already dead.

How many people can change operating systems on their tablets or phone which are computers?

When you think of it, when paying customers have chosen Windows, why wouldn't hardware makers cater to them?

And when large corporate buyers want easier control at a distance of the masses of computers they own, that isn't necessarily a bad problem to try to solve.

But now that so many controls are available at the hardware level, additional powerful groups such as Hollywood and governments want a piece of that control action too.

These hardware control issues are sort of overtaking the fact that on a lot of hardware, free software won't work even now.

There needs to be a source of plain vanilla hardware that is a blank canvas so that people who have certain uses can install whatever they want and use it as they need to.

Many products now have small computers in them (and the computers are getting quite powerful) with most of them running some sort of specialized GNU/Linux already. Just not Trisquel for instance.

Set top boxes, TVs, appliances, machinery, cars, (some cars now have upwards of 30 little computers in them) so why aren't we focusing on those cheap, blank, almost throwaway computers as well? They are currently a hair's width from being powerful enough to easily put and run a full GNU/Linux system on them. Some people are doing it already with Debian or Ubuntu, but it's not easy yet.

https://en.wikipedia.org/wiki/ARM_architecture "…in 2010 alone, producers of chips based on ARM architectures reported shipments of 6.1 billion ARM-based processors, representing 95% of smartphones, 35% of digital televisions and set-top boxes and 10% of mobile computers." I'll bet there are more than 6 billion a year as of 2013.

I think there will always be a need to have these type of "chip computers as parts". It makes no sense to try and load into them all sorts of hardware backdoor codes and so on because the end usages of those parts covers the entire spectrum of daily living now. Medical devices, cars, washing machines, TVs. While it might be nice to have backdoor control to a TV, how would you do it without disrupting the chips in a lawsuit-prone medical device?

It's like in industry when at the most basic levels a producer gets raw plant or mineral material and turns it into base "goo". From there, other companies may add color, texture, odor; they may water it down, or harden it, and so on, it becomes many different things. Maybe some of the base material is used in food-related industry and some used for hazardous waste, as in plastic containers of various types.

If we can get to the lowest levels possible, connecting with sources who produce "raw" computers, we can add what we want to them.

I am looking for sources like that and have found some. More research is required because I don't know the industry, but basic computers--even if they do not resemble what we think of as a computer--are available right now. Lately, they have become powerful enough to be nearly equivalent to a basic desktop machine.

Again, if 100% free-as-in-freedom hardware were easily obtainable, free software would install and run on it without incident. Every time! In terms of fixes, no non-free code would ever be an issue, as nothing proprietary was ever there.

This is not a dream. It is possible. There are hurdles but they are not huge ones. quidam in his talk this past March indicated that Trisquel has some of the best accessibility in the GNU/Linux world and it took him about 2 days to implement it.

I'm not saying moving this way would be "easy", I'm saying it wouldn't be that hard and certainly not impossible given a proper hardware home.

bmw2qs
Joined: 12/20/2013

> The other possibility is not to provide the firmware because it's unethical.

> Result: new users won't understand, become frustrated and go back to windows. The OS developers stayed pure and holy, they remain "ethical".

Right. One does not do the regular windows updates so they have to be automated. But that person will dump a distribution for not giving an exotic patch to an invisible problem.

You are probably right as that person will weight the next update to LibreOffice and will feel frustrated about not having immediate access to a few kilobytes of data.

Now, how was that sarcasm sign?

quantumgravity
Joined: 04/22/2013

I really don't know what you're talking about. I never said anything about an "exotic patch to an invisible problem".
Maybe you posted your reply somehow wrong.

bmw2qs
Joined: 12/20/2013

> This is one of the reasons I've been a big advocate of moving away from x86.

Moving away means wasted talent. Because not everybody is going to be interested in the new options. And from what I have noticed around me, the competent ones are less willing to change than the newcomers. So you lose a big part of those able to do an audit just for the sake of new.

Also, if the move is a partial failure, then you have a mess. People willing to bet their privacy all isolated, marked.

Moving away also means ignoring a good part of what GPL stands for and start reinventing the wheel.

Finally, make it too resistant to this and that and you will have zero support from the mainstream. That means exotic hardware that is hard to get, hardware that is too expensive when you finally get and with (see above) almost no software.

> It's getting worse and worse and there isn't a good solution.

No. It was never better.

Email was made unsecure. The SMTP servers were never that secure and that protected as today with all this spam and security updates. Today GnuPG is easy to get. And you have quite a few of proposed alternatives.

The web? The web was junk from any tech point. Today most admins bother to patch their servers, there are even sites that offer a basic checkup for free. Today we have HTTPS for most respectable sites and quite a few of the not so honorable ones as well. Not happy with that? NoScript, RequestPolicy, AdBlock, all sort of extensions to fix the mess made by self-called designers. Not good enough? Tor works rather nice.

bmw2qs
Joined: 12/20/2013

> The Intel microcode is non-free. It comes pre-installed in the processor. It contains a security vulnerability.

You are told it contains a security vulnerability. Then how does a closed, unverified, hidden patch fix that? Does the patch fix that? Does the patch fix something else? Does the patch break something by fixing this? I've seen all this happening in open source software. Do you think Intel is above that?

> Intel releases a security update to said non-free microcode. What's a free distribution to do? If they don't pass on the update, their users are stuck with the vuln for ever.

Gosh!

I'm sure the PR for Intel would have written the same thing. And I can bet a rather large sum you are not part of their PR campaign. So why this reply?

There are many *other* ways of fixing that. You don't need to taint Trisquel for the sake of an (see above) illusion.

GNUser
Joined: 07/17/2013

Well, first I would like to thank kopolee11 for bringing this up, it might
be important for some people to know about the update.
Second, I will also thank lloydsmart for his clear explanation of the real situation. Man, you explained it all, I doubt I could do any better.
I will however, reinforce the ideas that I believe are the most important ones.

1. Trisquel users are already running non-free software on their computers (Bios, etc).

2. If a security update comes out, you can say "I don't know what is in that update for my non free software, so I won't install it". It's fair, but you should also think "I don't know what is in the current version I am using." So, anyway you are running non-free software, and it should be up to you (not your distribution's manager) to decide which version of that non-free software will you trust. I believe the idea of using Trisquel is to have control over our own computers. So, by having someone else (in this case, Trisquel's developers) choosing what updates you are given and what updates you are not, you have NO control over your software, it's your software that has control over you, and in an extent, the person who controls the software. I believe, in all RMS speeches, that is something he considers as evil and unjust power.

3. Debian gives the CHOICE to the people to install or not the new security update. They make it clear that they will have to install it from the non-free. So users already know they will be using non-free software. They are not trying to "hide that".

4. I might be wrong, but I think you can add the non-free repository, reload the software list, install the Intel update, remove the non-free repository, reload list again, and you are back to having access to free software only. I might be wrong, as I have never tested it. As I have said, I use a free distro of GNU/Linux. I run free software, that empowers me. I run Debian.

Now, I don't have the need for the new update (since I don't have an Intel), but if I had I would choose... NOT to install it. Why? Because, even though proprietary software has always been a chance for backdoors and malware, it is WORSE these days. So, there is more of a chance of having a backdoor being pushed to me in an update in 2013 than it is that the same backdoor exists in the original version of 2005 or 2007. Especially if my computer was older than 2007, I would recommend against installing it (issues concerning NSA). However, again, it's up to the USER to CHOOSE what HE will do with HIS OWN computer. So, Debian made the right choice.
I agree with some users that Debian should have done a better job at explaining exactly the point of not having non-free software and the way to install the update without sticking with the non-free afterwards. Still, they at least provided all the information they had about why the update is necessary and how exactly it works. So, I think the person who wrote the announcement is not a "free software only" minded person, but still that doesn't mean the distribution should not be trusted.

ZykoticK9
Joined: 04/07/2011

see http://trisquel.info/en/wiki/trisquel-community-guidelines

#5 Non-free software is never a solution so please do not rationalize, justify, or minimize the consequences of proposing non-free software as a solution.

GNUser
Joined: 07/17/2013

"1. Trisquel users are already running non-free software on their computers (Bios, etc)."

I hate to repeat myself. Please, throw away your computer now, you are running proprietary software. Don't try to rationalize, justify or minimize that fact. Throw your computer away now, and also format the hard drive so if anyone find it they won't be able to know that you were violating the Trisquel guidelines (by running Trisquel with non-free software).

ZykoticK9
Joined: 04/07/2011

GNUser I really don't understand what you are doing in the Trisquel forums? If you are so happy with Debian, why don't you participate in that community? Why do you come here and advocate for Debian usage? When you repeatedly say: I'm using Debian and I consider it Free - that's basically what you are doing.

GNUser
Joined: 07/17/2013

So, you have realized that my argument was right and now instead of acknowledging that, you try to attack me (in my decision to use Debian and still be a part of this community) to make it look bad. That would be almost an ad-hominem fallacy.

I have made my point. He who has ears, hear.

Have a nice day.

ZykoticK9
Joined: 04/07/2011

@GNUuser that was certainly not an attack, but an honest question (which you chose NOT to answer). I do NOT agree with your "argument" in this case, or the fact that you generally view so many posts as arguments (you vs. trisquel). I am honestly, confused, as you don't seem to share the values that are associated with the Free Software Movement and Trisquel, and your posts generally appear (at least to me) to be a constant "attack" on the Trisquel community and its development. IMO (and my "opinion" only) trisquel-forums would be a better place without your presence - but obviously others disagree... take care.

oysterboy

Joined: 02/01/2011

I've been deleting GNUser messages unread for a while, as he perfectly fits the definition of a troll (from wikipedia: "In Internet slang, a troll is a person who sows discord on the Internet by starting arguments or upsetting people, by posting inflammatory, extraneous, or off-topic messages in an online community (such as a forum, chat room, or blog), either accidentally or with the deliberate intent of provoking readers into an emotional response or of otherwise disrupting normal on-topic discussion.").

Reading his recent messages, it's clear he's crossed the line too many times, and since he himself admits that he doesn't use Trisquel, I agree that he should be banned from this forum, as he's actively working against the community.

GNUser
Joined: 07/17/2013

And so the censorship begins. You have proven unworthy of being a part of the free software movement, or any "freedom" movement at all. The sad truth is that I would not get this kind of treatment had I given money to the project. There are other people who post "unpleasant" threads but since they gave money, you let them be. Seeing as I never made a donation, you just think "what the hell, he is of no use for us, let's get rid of him." Of course, the fact that I helped many people here by sharing knowledge is of no importance to you, because you don't care about that. You care about controlling the people which makes you look more like "Evil Big Brother" than anything else.

It's a good thing that many of my comments were replied to, so the truth remains here for those who want to see it.
In this case, the only thing I did "wrong" was pointing out that when you run Trisquel, you also run non-free software because of the BIOS on your computer. But you can't afford to deal with that idea, you just want to appear "holy".
Well, seeing as my banning is imminent, I will take the time I have to deliver an important message to you and other who want to turn this place into a dictatorship using censorship and attacking anyone who has a different idea:

SUCK MY DICK, ASSHOLES.

(P.S.: It's not just me you will lose, other people here will also want to speak up their minds and you will have to ban them as well. Soon there will be only a handful of people in here, which will eventually kill this project which is halfway dead already.)

bmw2qs
Joined: 12/20/2013

> Reading his recent messages, it's clear he's crossed the line too many times, and since he himself admits that he doesn't use Trisquel, I agree that he should be banned from this forum, as he's actively working against the community.

You are a reminder that Free Software can be used by the bad and the ugly too. Why not try Facebook where only likes are allowed and accounts are banned for the sake of not offending even the darkest abrahamic fundamentalist.

Sim
Joined: 09/29/2013

I don't think that it was his intention to attack you nor does it sound like an attack. We are not your enemies!

trisq

Joined: 09/03/2013

The non-free BIOS--which is an issue for the majority of computers now available--has troubled me too as there are few (almost no) free options. In general you cannot buy a new modern computer to escape this problem.

But how does that have anything at all to do with Trisquel, or Debian? It's hardware. Coreboot in the BIOS isn't Trisquel either.

I've considered throwing my computer away two times, once because I had enough of Windows faults and crashes, and about 10 years later I had had enough of OS X!

Trisquel and true free software communities offer more. But changing software is only half the solution. Hardware is where more and more controls and unwanted "features" are. Debian solves nothing over Trisquel in that regard.

bmw2qs
Joined: 12/20/2013

> 1. Trisquel users are already running non-free software on their computers (Bios, etc).

Huh? Are you sure?

> 2. If a security update comes out, you can say "I don't know what is in that update for my non free software, so I won't install it". It's fair, but you should also think "I don't know what is in the current version I am using." So, anyway you are running non-free software, and it should be up to you (not your distribution's manager) to decide which version of that non-free software will you trust. *I believe the idea of using Trisquel is to have control over our own computers.* So, by having someone else (in this case, Trisquel's developers) choosing what updates you are given and what updates you are not, you have NO control over your software, it's your software that has control over you, and in an extent, the person who controls the software. I believe, in all RMS speeches, that is something he considers as evil and unjust power.

Any OS is created in order to have control over hardware. Maybe you're missing the point with Trisquel.

> 3. Debian gives the CHOICE to the people to install or not the new security update. They make it clear that they will have to install it from the non-free. So users already know they will be using non-free software. They are not trying to "hide that".

Are you sure?

GNUser
Joined: 07/17/2013

Yes, I am sure, because most people here do not have a computer with a free BIOS. That's why many people are interested in glug project and someone talked about getting a lemote. Almost everyone here who runs Trisquel, runs proprietary software, at least in the form of BIOS (even if not anything else, which is doubtful due to the CPU architecture).

What I said is true: when you use Trisquel or GNewSense, you have someone else imposing their power over you, by not giving you the choice of running a free software distro BUT updating a proprietary software that is ALREADY in your system to begin with.

And yes, Debian explained the update the best they could. Just read the link kopolee provided.

I see you (like many others here) have problems dealing with the fact that Trisquel developers may not always make the best decisions, that sometimes in order to be "FSF endorsed" they actually sacrifice freedom of the users. It's a trade off that I don't have to feel imposed on me. And I am not promoting Debian, I am saying that in that regard, Debian is better prepared than Trisquel, and Trisquel should make some changes. That is a totally acceptable thing to say and consider.

bmw2qs
Joined: 12/20/2013

> Yes, I am sure, because most people here do not have a computer with a free BIOS. That's why many people are interested in glug project and someone talked about getting a lemote. Almost everyone here who runs Trisquel, runs proprietary software, at least in the form of BIOS (even if not anything else, which is doubtful due to the CPU architecture).

Could you please give me/us some data about how many people run Trisquel on free BIOSes, as opposed to those running it on a closed flavor?

You see, most laptops won't run Trisquel precisely because of those limitations. So maybe the people running it do get the time to go one step further.

> What I said is true: when you use Trisquel or GNewSense, you have someone else imposing their power over you, by not giving you the choice of running a free software distro BUT updating a proprietary software that is ALREADY in your system to begin with.

Then you don't understand what freedom is about. Or the works of GNU/Linux. Or both.

> And yes, Debian explained the update the best they could. Just read the link kopolee provided.

Does it flash a red and blue window saying what the user is about to do? Or just some previous action binds the user the same as clicking I agree on a Microsoft licence?

> I see you (like many others here) have problems dealing with the fact that Trisquel developers may not always make the best decisions, that sometimes in order to be "FSF endorsed" they actually sacrifice freedom of the users. It's a trade off that I don't have to feel imposed on me. And I am not pormoting Debian, I am sayind that in that regard, Debian is better prepared than Trisquel, and Trisquel should make some changes. that is a totally acceptable thing to say and consider.

As long as Trisquel keeps to the FSF philosophy, then they are taking THE BEST decisions.

And don't forget, Trisquel exists only because Debian failed to take the good decisions in this direction.

GNUser
Offline
Joined: 07/17/2013

I could argue that your first paragraph makes no sense and such... but the truth is that when someone writes "As long as Trisquel keeps to the FSF philosophy, then they are taking THE BEST decisions." that person is to be considered an FSF parrot (kind of an internet troll) and it is useless to argue with that person.
You have apparently decided to give up your own rational thinking and just accept whatever comes from the FSF mouths. Suit yourself.

trisq

I am a member!

Offline
Joined: 09/03/2013

GNUser offers worthwhile and pointed observations that I do not always see or share, and that's ok--to a point. Because his posts make me think about things from different angles and in more detail.

Ideally this ought to happen while honoring the forum guidelines though.

ZykoticK9
Offline
Joined: 04/07/2011

I think it's the latter point, "while honoring the forum guidelines" that is really at issue here. I wasn't suggesting GNUser should be banned - I just hoped they would leave quietly, and not return... I guess that was overly optimistic... you could count them, but I believe within this very thread GNUser has broken at least two (perhaps more) of the community guidelines (non-free recommendations and language).

Arguments, typically, aren't nearly as interesting as discussions with like minded people IMO.

trisq

I am a member!

Offline
Joined: 09/03/2013

ZykoticK9, I hear you re: the forum guidelines. True. But arguments aren't interesting?!! What about Jerry Springer? :) https://youtu.be/hCL36ogOFDo?t=2m7s

A bit of conflict is good for the soul. So is laughter and lightening up now and then...

ZykoticK9
Offline
Joined: 04/07/2011

Jerry Springer... i hope you're joking ;) no, i don't find that interesting in the slightest (ps. i didn't check your provided YouTube link).

Something I saw today (on Pump.io) was an image with the following saying/quote:

I don't share my thoughts because I think it will change the minds of people who think differently.

I share my thoughts to show the people who already think like me that they're not alone.

@olabetiku

(EDIT / PS.) i DO agree laughter (even at oneself) IS important!

GNUser
Offline
Joined: 07/17/2013

You know, you are kind of funny... You say I recommended non-free software in this thread. Mind to show us where I wrote that? If you will be so kind please... OR MAYBE you will read what I actually wrote that was this:

-Everyone who is running Trisquel or Debian with an Intel processor is already running non-free software. I AM NOT RECOMMENDING, THEY ARE ALREADY DOING IT! Updating or not should be their choice, and again if you read what I wrote you will see that I recommended AGAINST THE UPDATE!

In the end the problem is this:

1. You don't like me telling you that you are running non-free software (which you are, unless you have a 100% BIOS and no microcode running inside any chip);
2. You try to spread lies about what I say or not say (first it was tct, now it is you, why is it that people who never really participated in the forum now appear saying "GNUser should be banned"??)
3. You refuse to either REFUTE or ACCEPT AND ACKNOWLEDGE the facts that I pointed out (mostly facts, I barely even expressed an opinion in this thread).

And I know I am getting myself into trouble for feeding what seems to be a troll, but I couldn't let you spread lies about me and not react. However, I won't keep doing this, so don't get used to my attention.

ZykoticK9
Offline
Joined: 04/07/2011

"4. I might be wrong, but I think you can add the non-free repository, reload the software list, install the Intel update, remove the non-free repository, reload list again, and you are back to having access to free software only."

---

I have NO issue with you saying I, and i agree, probably many others, are running non-free BIOS firmware. I NEVER had issue with that.

ZykoticK9
Offline
Joined: 04/07/2011

I also never said you should be banned (i think you should) - but I never said that. which i stated elsewhere in THIS thread. I just hoped you'd leave, and not return...

I'm not going to debate this with you further - i view it as a waste of time.

It's YOU now, that needs to read more carefully, what others write.

good luck.

trisq

I am a member!

Offline
Joined: 09/03/2013

Of course I was joking! Given the subject matter, not much is funny you know. Needed a break. :)

ZykoticK9
Offline
Joined: 04/07/2011

/me breathes a sigh of relief. sorry, perhaps after reading/replying to GNUser today - I'm a little uncertain about everything regarding trisquel forums and its user base ;) thanks for trying to lighten the mood - even if i failed to pick up on it. take care.

sebelius
Offline
Joined: 08/22/2013

You cannot trust proprietary developers.
They say it's a security update, while in reality it could be the opposite. It's so naive to believe them, these criminals.

trisq

I am a member!

Offline
Joined: 09/03/2013

sebelius, Yes. That is how it seems. When a "security" company is involved in the following type of activity, where should one go? To another proprietary vendor? Heck no!

http://www.reuters.com/article/2013/12/21/us-usa-security-rsa-idUSBRE9BJ1C220131221?type=companyNews

JimRussell
Offline
Joined: 12/07/2012

This thread has some interesting points but I found discussion unproductive at times, but here are a few points I'd like to make.

I was interested to hear about microcode, I've heard it mentioned before in a similar debate about graphics cards, so I will be researching this topic further.

Even though it wasn't explicitly stated in this thread, it's ridiculous to suggest that this project should distribute non-free software. Yes, my computer may be running this non-free firmware already, but it wasn't installed or distributed by anyone in the Trisquel project and furthermore I trust the maintainers to continue to reject non-free software.

Without Freedom 1 we can even ascertain whether this patch is even an actual security fix.

Debian's approach of distributing non-free software under a different repo so as not to endorse it is disingenuous but regardless, if a Trisquel user wants to install this microcode update, they could. I install (free) software outside of the Trisquel repos from time to time, but with caution mind you. So the argument that the user's freedom to install this non-free software is practically infringed isn't even true, you don't need the distro maintainers' say-so or help to do so. Of course you shouldn't install this, you should reject it as it's non-free software.

The argument that Debian respects your freedom absolutely and so this project should do the same and distribute non-free software is ridiculous.

The argument that someone may be deterred from the free software community because their computer doesn't work without non-free software may be the case and a hard truth. But helping them install non-free software would surely be poor advocacy when other solutions exist like explaining the significance of the situation.

RedMondSux
Offline
Joined: 12/23/2013

+1 :)

roboq6
Offline
Joined: 05/03/2013

>Without Freedom 1 we can even ascertain whether this patch is even an actual security fix.

We can test so-called "security fix". If the exploit doesn't work after installation of it, then it is really "security fix". Of course, it can contain new backdoors and new security vulnerability. But then it is definitely a security fix.

>Even though it wasn't explicitly stated in this thread, it's ridiculous to suggest that this project should distribute non-free software. Yes, my computer may be running this non-free firmware already, but it wasn't installed or distributed by anyone in the Trisquel project and furthermore I trust the maintainers to continue to reject non-free software.

But how about warning about the security vulnerability? Only warning, without distribution of the patch. Like this: "Warning, there is a security vulnerability in proprietary microcode of Intel's CPUs."

> when other solutions exist
Really? I request the list.

lembas
Offline
Joined: 05/13/2010

>the exploit
>the security vulnerability

What exploit? What security vulnerability?

roboq6
Offline
Joined: 05/03/2013

Sorry?

G4JC
Offline
Joined: 03/11/2012

Hmm sad to see all the flamewar above, but back on topic.

1) I find it very strange that there has been no public announcement of which exploit or vulnerability the proposed patch fixes. Where's the changelog??
The very vague information I found on Intel's website doesn't leave me wanting to install the patch even if it were good. Patches can have unintended consequences and break other things.

2) The entire code is heavily obfuscated and no telling what is in it. Backdoors are possible.

3) The code does not "patch" the Intel chipset per se, it runs quote "at system boot". If it were a real patch I would certainly hope it would flash the chipset, rather than installing something as root into my operating system and running at boot time.

I suggest everyone write to Intel and ask:
1) What does the microcode fix exactly
2) Why not opensource it?

jxself
Online
Joined: 09/13/2010

"Where's the changelog??"
My understanding is that Intel doesn't provide detailed information like this. What you see is what they share.

roboq6
Offline
Joined: 05/03/2013

I have a more important question. Where is the exploit?