XPost: linux.debian.project
To: debian-devel@lists.debian.org
Copy: debian-project@lists.debian.org

This is a multi-part message in MIME format.

--nextPart1837168.TLkxdtWsSY
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

On Friday, March 7, 2025 11:33:53 AM MST Simon Josefsson wrote:

pandya@disroot.org writes:

I urge Debian to rethink its decision to officially include non-free firmware and correct the social contract. Instead of making non-free firmware the default, Debian should ensure that users consciously
choose to install it while being made aware of the implications.

I agree and would personally come back to use Debian on some of my
laptops if there was a supported way to install Debian from official installer images that did not promote non-free software by including
firmware on them.

The recent AMD Microcode vulnerability is a good case-study on the
dangers of permitting non-free code to run on your CPU:

https://bughunters.google.com/blog/5424842357473280/zen-and-the-art-of-microco
de-hacking

There is no way for me as a user to audit that the Debian installer
images is not including vulnerable microcode, since source code for the firmware is not available.

My perception is that the Debian developer community rejected this, and
I'm not sure people are ready to reconsider just yet (the trend seems to
be the opposite way). Fortunately there are good libre alternatives in Trisquel and Guix available for recommendation meanwhile.

In the original GR, one of the options that lost was for Debian to host two sets of installer
images, one with non-free firmware and one without, and for users to be able to make an
informed decision before downloading the installer.

https://www.debian.org/vote/2022/vote_003#textc

This option did not prevail in the vote, but it would have been my preferred choice (I was
not a Debian Developer at the time and so did not vote, but I did follow the discussion).

As mentioned above, I don’t think most people’s feelings have changed enough to warrant
reopening this discussion, but I can imagine the day in the future where Debian moves
towards this option.

--
Soren Stoutner
soren@debian.org

--nextPart1837168.TLkxdtWsSY
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="utf-8"

<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body><p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;">On Friday, March 7, 2025 11:33:53 AM MST Simon Josefsson wrote:</p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;">&gt; pandya@disroot.org writes:</p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;">&gt; &gt; I urge Debian to rethink its decision to officially include non-free</p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;">&gt; &gt; firmware and correct the social contract. Instead of making non-free</p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;">&gt; &gt; firmware the default, Debian should ensure that users consciously</p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;marg

This is a multi-part message in MIME format.

--nextPart2476249.S38r39SQy0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

On Tuesday, March 11, 2025 8:29:24 AM MST Simon Josefsson wrote:

Aurélien COUDERC <libre@coucouf.fr> writes:

Le 10 mars 2025 11:56:28 GMT+01:00, Simon Josefsson <simon@josefsson.org> a

écrit :

https://www.gnu.org/distros/optionally-free-not-enough.html

https://www.gnu.org/philosophy/install-fest-devil.html

… of course … that's where the core of the disagreement lies !

Right, I think agreement (or disagreement) with those essays explains a
lot of what practical choices you make.

We're not a religion, we're just building a distro.

I'm not sure what to make of that. Are you saying that Guix, Trisquel
etc who strive towards these concepts are not distro's?

One person's religion is another person's reasonable beliefs. I'm not
sure who has the authority to judge. I'm sure some would dismiss the
DFSG as religion, even if we happen to like it here.

It is fine for the Debian community to dismiss the arguments described
in the links above. This appears to be the case, although I hear some
voices that are open to change.

However if Debian dismiss those ideas, the argument that the fully free installer doesn't exist because "nobody is working on this, go create
them and it will happen" does not seem valid to me. My reading is that
these images doesn't exist because Debian had a vote saying they should
not exist. I hope this will change in the future. Creating them won't change the decision, but it may be input to renewed discussion.

I want to say that I agree with Simon on this.

What we really need is the open hardware movement to catch up with the open software
movement. That will take 20 to 30 years as the open hardware movement is just getting
started. As many people have already pointed out, in most cases it isn’t practical to
operate the hardware that is generally available without the use of non-free firmware. My
sense is the majority of these people, perhaps all of them, are not saying they prefer
hardware with non-free firmware or that they don’t support the ideals of the open
hardware movement. Rather, they are making a pragmatic statement of the current state
of affairs.

To a certain degree, promoting official installer images without non-free firmware next to
installer images with non-free firmware can raise awareness of the problem. To another
degree, it probably wouldn’t do anything right now except confuse some subset of users
and require extra effort from those generating the images. Debian is simply too small of
an organization to make a very big splash by such a move.

As has already been mentioned, nothing of substance has changed since Debian held a GR
on this issue. However, if down the road open hardware with free firmware became more
widely available (I’m looking at you, RISC-V, although I understand that the most likely
short-term outcome is that companies will produce non-free firmware for their RISC-V
processors), then it might be worth reopening the issue for consideration.

--
Soren Stoutner
soren@debian.org

--nextPart2476249.S38r39SQy0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="utf-8"

<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body><p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;">On Tuesday, March 11, 2025 8:29:24 AM MST Simon Josefsson wrote:</p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;">&gt; Aurélien COUDERC &lt;libre@coucouf.fr&gt; writes:</p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;">&gt; &gt; Le 10 mars 2025 11:56:28 GMT+01:00, Simon Josefsson &lt;simon@josefsson.org&gt; a écrit :</p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;">&gt; &gt;&gt;https://www.gnu.org/distros/optionally-free-not-enough.html</p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;">&gt; &gt;&gt;</p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;">&gt; &g

This is a multi-part message in MIME format.

--nextPart2204598.7aMVyhfb16
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

On Wednesday, March 12, 2025 12:11:37 AM Mountain Standard Time Andrey Rakhmatullin wrote:

As has already been mentioned, nothing of substance has changed since Debian >held a GR on this issue. However, if down the road open hardware with free >firmware became more widely available (I’m looking at you, RISC-V, although
I understand that the most likely short-term outcome is that companies will >produce non-free firmware for their RISC-V processors), then it might be >worth reopening the issue for consideration.

That's just processors though, and processors usually contain their
non-free firmware anyway. The original issue was about hardware that
doesn't contain firmware but wants it loaded from the OS.

That’s a good point. RISC-V isn’t only being used as main CPUs, but also for all types of
other things that require firmware. For example, Western Digital is spending effort to
bring RISC-V to their storage controllers.

https://blog.westerndigital.com/risc-v-swerv-core-open-source/

The salient point is that the open hardware movement is just in its infancy and it is going
to be a long time before there are common production machines that can run securely
and well without the need to use and update proprietary firmware.

RISC-V has the potential to replace a lot of the current ARM micro controllers. RISC-V uses
a permissive license, somewhat akin to the Apache 2.0 License in the sense that anyone
who builds upon it can decide if they want the outcome of their work to be open or closed.
So, some RISC-V chips will ship with open hardware schematics and information and
others won’t. In addition, even if someone chooses to ship open hardware RISC-V, that
doesn’t mean they will provide the source information for the corresponding firmware, so
you could end up with a situation where there is an open hardware chip running non-free
firmware.

But it is a beginning, and some day we will probably see wireless chips and ethernet chips
and GPUs and TPMs and everything else shipping open hardware running open firmware.
At that point, it will be easy to advocate for installers that match.

Of course, there is nothing preventing companies from adopting free and open firmware
running on closed hardware. That is the current situation for most if not all of the free
firmware currently shipping in Debian. But my personal opinion is that the free firmware
movement won’t take off without the open hardware movement.

--
Soren Stoutner
soren@debian.org

--nextPart2204598.7aMVyhfb16
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="utf-8"

<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body><p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;">On Wednesday, March 12, 2025 12:11:37 AM Mountain Standard Time Andrey Rakhmatullin wrote:</p>
<br /><p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;">&gt; &gt;As has already been mentioned, nothing of substance has changed since Debian</p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;">&gt; &gt;held a GR on this issue.&nbsp; However, if down the road open hardware with free</p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;">&gt; &gt;firmware became more widely available (I’m looking at you, RISC-V, although</p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;">&gt; &gt;I understand that the m