Debian votes for non-free firmware in the installer (lists.debian.org)
6 points by simjue | 2022-10-02 06:51:05 | 77 comments




Yay, finally some common sense in the Debian UX.

Seems sensible, there's still purist debian distros for the purists

Mixed and competing thoughts and emotions. On the one hand, I love that Debian was the community GNU/Linux that shipped with the ability to be 100% unencumbered super easily. On the other hand, I feel like a system should be usable immediately with little effort if it is to be enjoyed and properly useful. Then there’s part of me screaming “tradition not trend” and another part of me is screaming back with “finally!” It would be nice if they made it optional within the installer I suppose. Maybe I’m just a crazy person.

> On the one hand, I love that Debian was the community GNU/Linux that shipped with the ability to be 100% unencumbered super easily.

There will probably be an "unofficial 100% free installer" for those who care about that. The SC change does not forbid that, it just says that what Debian publishes by default should not introduce obvious breakage on systems where providing non-free firmware is required for proper operation.


Isn't that kind of what Ubuntu is for? Without major players in the community taking a hard line on free software, incentives to support freedom will become even lower than they currently are today.

Ubuntu is far more than a Debian fork nowadays - I think of the packages that are installed on most user systems, very few of them share the same source between Ubuntu and Debian.

> I feel like a system should be usable immediately with little effort if it is to be enjoyed and properly useful.

More open source should think like this.

I’ve been aggressively trying to get OpenWRT to ship the images with WiFi on by default. At this point 99.99% of people are not leaving their network unsecured, and if for some reason you have to reset the router it becomes a plastic brick unless you have an Ethernet cable and a USB-to-Ethernet adapter nearby.

Even suggestions of either creating a landing page that forces the user to set up security before allowing internet connectivity, or basing the WiFi password on the serial number (that is also on the back of any router) fall on deaf ears.


> At this point 99.99% of people are not leaving their network unsecured

99.99% of people are doing what? Sorry, the double negative above is confusing me.


I think they are suggesting that years of abuse hurled at the average user, coupled with legislation, have caused all new home networks to be secure, one way or the other.

There is regulation for that? I would be interested in finding out more.

> I’ve been aggressively trying to get OpenWRT to ship the images with WiFi on by default

With what password? Plenty of people won't configure things they don't have to and that's a huge security hole. I don't see the utility in this change frankly.


The comment you reply to both explains the utility and proposes ways of mitigating the "huge security hole".

So two clicks to turn on wifi that I can do from anywhere in my house is easier than digging my router out of my closet to write down and type in the serial number? This was supposed to be an idea that makes OpenWRT "usable immediately with little effort". This is not that.

I didn't see the part where they suggested to disable configuration over wired ethernet, or this was the only thing suggested. And yes, a lot of the time when people are setting up a router they have the router at hand.

> I didn't see the part where they suggested to disable configuration over wired ethernet

In case I wasn't clear, configuring it over wired Ethernet is exactly what I'm suggesting. This is a far more usable and secure default than wireless on with the password as some universal default or using the serial number.


> And yes, a lot of the time when people are setting up a router they have the router at hand.

While I have no doubt that this is true for home-grade firewall/NAT/wifi combo boxes in general, with very few exceptions OpenWRT is not a thing you get out of the box nor a thing "normal people" install.

The Venn diagram of "people who have chosen to install an alternate firmware on their home network appliance" and "people who don't have an ethernet capable device around at basically all times" can't have a lot of overlap.


The problem is not the fact of not having an Ethernet cable around, these days almost no laptop has an Ethernet port.

Which is a problem easily solved with a cheap USB ethernet dongle, and again while the general mainstream computing audience may or may not have those I think it's reasonable to assume that the average person who has chosen to install OpenWRT probably wishes laptops still came with ethernet ports and purchased an adapter immediately or soon after.

Maybe I'm wrong about that, but to me OpenWRT means geek audience, and geeks generally understand the value of a wired connection.


> So two clicks to turn on wifi

How would you communicate with the router without an ethernet connection to it?

Remember, WiFi is off by default.

At that point you're probably gonna have to do some serial or JTAG magic, which is gonna involve physically breaking open the router and soldering. So much for 'two clicks'.


> How would you communicate with the router without an ethernet connection to it?

Using the Ethernet port is exactly what I'm suggesting. This is far simpler than using the serial number as the wifi password, and more secure than a universal password.

Furthermore, there are legal liabilities involved with the wifi spectrum. Different countries reserve different bands in the spectrum and have different limits on transmission power. OpenWRT would have to provide different builds for different countries, maintain and validate this list and risk making costly legal mistakes here, or if there's some lowest common denominator, then risk OpenWRT getting a reputation for bad wifi.

No, best to let the user take in the liability of configuring their own router. The improvements in usability are marginal and the potential costs to OpenWRT are considerable.


> Furthermore, there are legal liabilities involved with the wifi spectrum.

OpenWRT is already ‘exposed’ (not really) to this risk, because as soon as you flip the radio to ‘on’, it’s just set to the default, not your specific region.

> The improvements in usability are marginal and the potential costs to OpenWRT are considerable.

And here we have it, the exact attitude the OP was talking about. Open source needs to become more considerate of its users.


> OpenWRT is already ‘exposed’ (not really) to this risk, because as soon as you flip the radio to ‘on’, it’s just set to the default, not your specific region.

The radio does not turn on unless you tell it to by saving your configuration. That's where the liability lies and that liability falls on the user at present. Placing it on the project is not acceptable.

> And here we have it, the exact attitude the OP was talking about. Open source needs to become more considerate of its users.

Inapplicable when the attitude exists for a good reason. Users can go elsewhere for free stuff if they're not happy with it.


> Placing it on the project is not acceptable.

The liability isn't on the project regardless.

> Users can go elsewhere for free stuff if they're not happy with it.

You're literally a 'why open source keeps sucking' quote machine.


> The liability isn't on the project regardless.

OK random person on the internet whose word I should accept on a subtle legal question. Tools that assist in violating the law are often themselves classed as illegal or carry liability for the producers. For instance, tools that assist in bypassing copyright protections, and tools that assist in breaking locks to name but a few.

Go ahead and quote me some rock solid precedent that would shield OpenWRT from any kind of liability if they distributed wifi-enabled images with illegal configurations. A precedent that would apply in every jurisdiction mind you.

> You're literally a 'why open source keeps sucking' quote machine.

You made your case, the people actually doing the work clearly disagreed, so time to move on. Use your own time to make your perfect solution if it's that important to you, instead of demanding others do the same.

OpenWRT already provides the image builder, so all you technically need to do is host it: https://openwrt.org/docs/guide-user/additional-software/imag...

Best of luck with that.



> On the other hand, I feel like a system should be usable immediately with little effort if it is to be enjoyed and properly useful.

Not all distros have to be everything for everyone. It's OK to have a niche. If you want a distro that you can "just install" on any old bit of hardware that you have lying around, there are plenty of other distros out there that will do that already.

I liked that Debian made you think about Freedom. If you wanted to use the "standard" installer and live up to Debian's Free Software ideals, as enshrined in Social Contract, you had to think about which companies made hardware that had Free drivers available, and make an effort to give your money to those that enabled that use-case. Or, burden of burdens!, you could spend a couple of extra minutes and a handful of clicks to track down the "unofficial" non-Free installer image.

Seriously, it wasn't that hard.

Yes, I know that the SC says that Debian's priorities are "our users, and Free Software" (but below "will remain 100% free"), but "our users" doesn't necessarily mean "all possible users". For those users that came to Debian primarily for the Freedom, I think this is a misstep.

But, I don't determine which priorities and users are the most important to Debian, the membership does. And Debian is still one of the most committed to freedom distros out there, especially for its size. So, while this is not the choice that I would have made, now that it has been, I hope it makes Debian stronger going forwards.


However, Debian doesn't really warn prospective users about the real-world ramifications of its commitment to free software. It's one thing if the homepage had a big warning "this is for free software purists and you'll need to do a complex procedure if you want to run non-free firmware - if you're not ready for this, consider an easier distro like Ubuntu", but they don't.

Technical people will understand or at least suspect these problems, but a novice user who wants to try Linux (they are non-technical and already don't fully understand the concept of distros - maybe someone once told them "try Debian" and so for them "Linux" is Debian), see a nice "Download" button on the homepage, try it out and then are left disgruntled not just by Debian but Linux in general when the thing doesn't work because their network card requires proprietary firmware, so they go back to Windows, running way more proprietary software than a firmware blob, and as a bonus they now have a negative opinion of "Linux".

Having more users use some free software is better than those users giving up just so that some purists' ideological concerns be satisfied.


You think all Distros that do something different need big warnings on their home page to make sure novices who just want to try "Linux" don't get stuck? Like Guix, or GoboLinux? (OK, GoboLinux says it "redefines the entire filesystem hierarchy" - but it makes it sound like a good thing, not a warning.)

You think that if someone tells a novice to "try Guix" or "try GoboLinux", and they get disgruntled with Linux in general that that's Guix's or GoboLinux's fault? Maybe Guix/Gobo should just go back to doing things the same way as everyone else?

Or is Debian's problem that it's just too good (too big/too popular/too established) as a distro to have a niche like "being Free"? Maybe it should work on being less user-friendly and shrink the user-base in order to keep doing the Free thing without accidentally getting recommended to newbies and turning them away from "Linux"?


> You think all Distros that do something different need big warnings on their home page to make sure novices who just want to try "Linux" don't get stuck?

Pretty obviously, they think exactly that. I agree. What's the harm, unless you were planning on deception?

More transparency to potential users is always good. Similarly, I try to be open about the fact that I'm not very experienced on my open source projects someone could conceivably rely on.


> Or, burden of burdens!, you could spend a couple of extra minutes and a handful of clicks to track down the "unofficial" non-Free installer image.

I only got to know about the unofficial installer on here, years after it could've been useful. At the time, I didn't have an extra machine to fetch the necessary binaries I needed to get networking working on my laptop. This was when I dropped Debian.

I'd be perfectly fine with an installer that lets me have the choice, as long as it doesn't require me to reboot into a different OS to actually fetch the stuff I need. Just think of the man-hours wasted globally.


> It would be nice if they made it optional within the installer I suppose.

Apparently this option lost by 6 votes:

    Option 5 "Change SC for non-free firmware in installer, one installer"
    Option 6 "Change SC for non-free firmware in installer, keep both installers"
    .
    .
    .
    Option 5 defeats Option 6 by ( 169 -  163) =    6 votes.

That's too close. I hope they can have another debate and vote about just these two options.

Option 6 was to make a separate image that doesn't contain any non-free firmware available. Option 5, the winning option, also intends to allow the user to choose whether non-free firmware should be used from inside the installer:

> The included firmware binaries will normally be enabled by default where the system determines that they are required, but where possible we will include ways for users to disable this at boot (boot menu option, kernel command line etc.).


Not sure how the vote was conducted, but if it was first past the post then it's a shame. Because I'm sure some of the folks who voted for other options would have preferred option 6.

Debian uses a Condorcet method (specifically the Schulze method?[1]). Here is the source code of their vote engine:

https://salsa.debian.org/debian/devotee

[1] https://en.wikipedia.org/wiki/Schulze_method


Oh nice, thanks for sharing! Seems like a very fair method of decision making. Go figure an organisation such as theirs would do so.

There already was an ISO with non-free firmware. I think that's the only reasonable way to make such a thing optional.

What's "SC"?

Debian Social Contract: <https://www.debian.org/social_contract>

Debian Social Contract. More details about the vote are at https://lists.debian.org/debian-vote/2022/09/msg00196.html

I suppose this is meant for Debian developers, who are used to a certain style of communication, but that was a really hard read.

This is only an unofficial, automated message from the vote bot with the raw results. Once the Project Secretary certifies the results, they'll be published in a more readable way on the website, possibly accompanied by a press release.

Debian uses a Condorcet method[1] for voting, which may be a bit more complicated than traditional simple majority voting, but makes sure that the winner would also win in every pair-wise election, as opposed to a less desirable candidate winning thanks to a greater number of more desirable candidates splitting the votes between themselves.

[1]: <https://en.wikipedia.org/wiki/Condorcet_method>


I would argue that voting is neither necessary nor appropriate for this problem, but if you're going to have voting with people who are pretty technical then the usual objection to sophisticated voting systems for the general electorate doesn't apply.

[Confidence in a voting system is vital to the operation of democracy, once upon a time this needed a lot of explaining but I'd guess 2020 was recent enough that most readers know why it's a problem if loads of voters are somehow persuaded the results are bogus. Complicated systems make it harder to build confidence because some voters don't understand how it works and thus why should they have any confidence that it behaves correctly?]

Debian specifically uses the Schulze method (a particular Condorcet method which avoids need for a "tie-break" mechanism by always picking a winner). And yes, this involves a lot more maths than First-past-the-post which may be familiar to a lot of readers.

Note that "proportional" methods don't make any sense in this type of vote because there is nothing to share out. One of the options wins, all the others lose. Whether proportional systems are appropriate for electing members to a legislature for example, is a separate question.
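Added example, not part of any comment above and not code from devotee: a plain Schulze count over constructed ballots, showing the vote-splitting case the comments describe, where first-past-the-post and the pairwise winner differ. The option names and ballot counts are made up for illustration.

```python
from collections import Counter

# Constructed ballots: (number of voters, ranking from most to least preferred).
# A and B are similar options that split first preferences; C is the outlier.
BALLOTS = [
    (35, ["A", "B", "C"]),
    (25, ["B", "A", "C"]),
    (40, ["C", "B", "A"]),
]


def options_of(ballots):
    return sorted({opt for _, ranking in ballots for opt in ranking})


def plurality_winner(ballots):
    """First-past-the-post: only each ballot's first choice counts."""
    firsts = Counter()
    for count, ranking in ballots:
        firsts[ranking[0]] += count
    return max(sorted(firsts), key=lambda o: firsts[o])


def pairwise(ballots):
    """d[x][y] = number of voters who rank x strictly above y."""
    opts = options_of(ballots)
    d = {x: {y: 0 for y in opts} for x in opts}
    for count, ranking in ballots:
        # Options left off a ballot rank below every listed one, tied together.
        rank = {o: ranking.index(o) if o in ranking else len(ranking) for o in opts}
        for x in opts:
            for y in opts:
                if rank[x] < rank[y]:
                    d[x][y] += count
    return d


def condorcet_winner(ballots):
    """The option that wins every head-to-head contest, or None if there is a cycle."""
    d = pairwise(ballots)
    for x in d:
        if all(d[x][y] > d[y][x] for y in d if y != x):
            return x
    return None


def strongest_paths(d):
    """Widest-path computation (Floyd-Warshall variant) over pairwise victories."""
    opts = sorted(d)
    # A direct link x -> y exists only if x beats y; its strength is the winning votes.
    p = {x: {y: (d[x][y] if d[x][y] > d[y][x] else 0) for y in opts} for x in opts}
    for k in opts:
        for i in opts:
            for j in opts:
                if i != j and i != k and j != k:
                    p[i][j] = max(p[i][j], min(p[i][k], p[k][j]))
    return p


def schulze_winners(ballots):
    """Options whose strongest path to every rival is at least as strong as the reverse."""
    p = strongest_paths(pairwise(ballots))
    return [x for x in p if all(p[x][y] >= p[y][x] for y in p if y != x)]


if __name__ == "__main__":
    print("plurality:", plurality_winner(BALLOTS))
    print("condorcet:", condorcet_winner(BALLOTS))
    print("schulze:  ", schulze_winners(BALLOTS))
```

When a Condorcet winner exists, the Schulze count returns it; the strongest-path step only matters when the pairwise results form a cycle.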


> I would argue that voting is neither necessary nor appropriate for this problem

It's a change to the Debian Social Contract. Making it without voting would be like changing a country's constitution without voting. How else would you make such a change?


Unlike a country, Debian membership isn't foisted upon you. Debian's members explicitly joined and if they don't like this change they can - regardless of how they voted - leave if they don't like it.

But beyond that, asking the general population to vote on constitutional amendments is cowardly. In the democratic countries you're presumably thinking of we elect politicians to make these decisions in a larger context, when they try to punt to the general population that's like if your taxi driver decides eh, I'll take your money but you'll need to actually do the driving. If they aren't going to do the job, what are we paying them for?


Switzerland is generally looked upon as the closest a country can get to democratic these days and, from what I understand, more contentious topics there are resolved by referendums. That's something I'd agree with. Generally politicians should be there to deal with the boring details, not to make decisions about the foundational law like constitution, because the general population doesn't know any better. They're there to make governing scalable to the size of modern countries, not to take decisions away from us (at least in an idealistic view of the world).

In some countries, when inevitably a party, which wouldn't win pair-wise elections with most of other parties, wins the elections nonetheless and forms a government, they proceed to make fundamental changes to the governance structures of the country, which the population does not support. That's not an edge-case of representational democracy, it's its MO.

If I were a Debian Developer, I would like a vote in such fundamental topics, instead of needing to rely on someone somewhere representing me. This change is different than a change of say optimisation flags used when compiling Firefox. Bear in mind that there are distributions which aren't as democratic as Debian. So to use your argument: if a member doesn't like this structure, they may leave for another distro.



Unfortunately "non-free firmware" doesn't really capture the entire issue, akin to how the FSF misses the mark with their baked-into-flash exception. Unknown binary blob on a device effectively separated by an IOMMU? That's a peripheral, they all basically run non-free firmware. Unknown binary blob on a device that has DMA access? That's a tainted main computer and security issue.

I hope the installer settles out into making these distinctions and informing users of the compromises being made. When I stick a Debian installer into a machine that requires non-free firmware to work, my intent is pretty clear. But that doesn't apply to someone just starting out.


> Proprietary binary blob on a device effectively separated by an IOMMU? That's a peripheral, most of them run non-free firmware. Proprietary binary blob on a device that has DMA access? That's a tainted main computer with a security issue.

I feel like that's a completely reasonable viewpoint to have. For example, MS Pluton bothers me 100x more than my car keys having nonfree, locked firmware. In an ideal world, both of them are open. But in the meantime I'd be content with not having desktop CPUs be controlled and monitored remotely by their manufacturers instead of their owner.


So this is only for the installer, right? The software that is not needed for basic functionality will not be installed permanently, right?

Also, if there are two driver implementations, as is often the case for GPUs, which will be preferred?


It's for firmware for network devices, especially wifi.

An annoying number of Debian installs fail on laptops because the wifi needs firmware and people expect it to work. You can choose to enable non-free after install, but the installer doesn't have that as a direct option.

Prior to this, an alternative installer was available that had the firmware in it... but it was not well-publicized, and was not the default or even available from the same page as the default.

If you install with non-free firmware, it will continue to be installed afterwards.


Some graphics and sound hardware also requires firmware these days, and working sound is important for accessibility.

> So this is only for the installer, right?

According to the Debian wiki description of this option[1]: "Where non-free firmware is found to be necessary, the target system will also be configured to use the non-free-firmware component by default in the apt sources.list file."

> The software that is not needed for basic functionality will not be installed permanently, right?

I'm not sure I understand you right. Unless the software is needed, the installer won't load it. And I'm not sure what you mean by "basic functionality" here, but the way I read the Debian pages it's about loading everything needed for the hardware to be fully-operational (or as close to it as is possible).

[1]: <https://www.debian.org/vote/2022/vote_003#texte>


Why don't they just make `contrib` and `non-free` selectable but default unselected within the installer?

I believe the issue is what the installer itself runs, and Debian already gives the option to install non-free from the installer.

Including ≠ selecting by default. Whatever default selection you want to choose, you still need to ship them.

Isn't this what made Debian popular? Maybe this is good news for new distributions like Nix and Guix

Open source developers should be supporting more open hardware, not worried about supporting the latest closed dodgy firmware

A firmware free wifi usb costs 10$ on eBay or AliExpress


> And a firmware free wifi usb costs 10$ on eBay or AliExpress

Is there anything newer than 802.11n that can run without firmware?

Also, I'm not sure ordering a random USB device off eBay is a good solution for the security paranoid.


Not sure but that is why an open source popular Linux distro like Debian was important, to put pressure on manufacturers

If at every point we just cede, there will never be one

Big companies need not worry, Debian will now test, maintain and support your closed firmware, making it easy for everyone to use, but working for them for free

And especially because recycling is hard all hardware should be as open and interoperable as possible so that we don't keep throwing working computer parts in the trash


Finally. The user experience of manually providing non-free firmware on a separate USB stick was horrible, even for a technical user.

What Debian really expects are DEB packages placed on the drive, not raw firmware files. Finding which package you need (the installer only tells you the raw firmware files, not the package containing them) and obtaining them is not straightforward - there is a web UI to browse packages and download files but navigating those requires existing domain knowledge of Debian and Linux in general. It is not a straightforward web form "want a package? enter package name and architecture and we'll give you the download link".

I now know from memory which firmware packages my systems need and the requirements for the USB stick and how to navigate the web UIs to download packages, but the first time probably wasted an hour of my time searching around before piecing all the various (and sometimes contradictory) resources out there into a coherent solution that worked.


The officially unofficial installer with non-free firmware has always been suitable for me when I needed it.

Shouldn’t firmware in general be considered part of the “hardware tier”? Free software, including Debian, had no choice but to run on non-free hardware since inception anyway, right?

“non-free” firmware refers to kernel modules that wrap proprietary device libraries - NVIDIA is/was one major culprit but some common wireless devices also require proprietary libraries to function.

I don't think non-free _firmware_ has ever referred to kernel modules.

All _firmware_ in the Debian repos refers to stuff that does not run in the main CPU but on the CPU embedded in various peripherals.

Binary kernel modules such as the Nvidia driver are not generally considered firmware and are not covered by this vote as I understand it.


Many people make a distinction when the firmware is stored on the hardware and loaded by the hardware itself vs stored in the filesystem and loaded in cooperation between system software and the hardware.

Personally, this distinction doesn't make that much sense, if the firmware is opaque in both instances, eliminating (or vastly reducing) onboard storage seems like a cost reduction step that benefits the manufacturer and the user. [1] A more important distinction to me is if the interface documentation and drivers are open or closed.

[1] unless the device class is one that could be a boot time device, except that firmware loading would be required --- it's hard to pxe boot from a network card if it doesn't function without a firmware upload, and that's not good for users who may want to pxe boot at some point


This is almost lolsville. First they wall off the GNU Emacs documentation for not conforming with the DFSG, but then they make the installer non-free? Sigh.

Emacs runs fine without its documentation, which you can find on the internet. Honestly, if GNU decided on a non-free license for Emacs, joke's on them.

Some hardware doesn't run at all without the non-free blobs, making the computer useless or not up to today's expectations. You can argue that these non-free blobs are unfortunately essential. Emacs' documentation is not.

I'm not saying anything about the decision at hand, but those things are not comparable. Not even relatable.


Debian has long had non-free drivers in its non-free repo, along with the Emacs manual. If the main installer now includes something non-free, that is new and upsetting.

I guess the Emacs manual and the non-free drivers will still remain in the non-free section of the repository. This is not changing. If these packages were put in main, this would be upsetting indeed. I would consider switching to another distro, actually. I need to know if something I'm installing is free and a package being in main or contrib is a pretty strong guarantee that I rely on. I don't want anything non-free on my computer, and reluctantly tolerate the presence of the "necessary" non-free firmware blobs.

It's just that the installer, which also probably remains unchanged, will come with these additional deb packages available on the installation media. But those will still belong to non-free.

To be honest, this is the installation media I already download, so I'm not stuck if whatever computer I'm installing requires a non-free blob to function.

That this installation media becomes the default? I don't know what to think. I'm torn. I guess most people were downloading this "unofficial" installer, or the official installer and were downloading non-free firmware packages separately. These packages won't be touched by the installer if you don't want to, and I'm pretty sure the installer will warn/ask you. I can see why people could be upset anyway, I'm not. It's a hard decision to make. I think it's fine as long as the user is warned and can choose not to install and run non-free blobs.


Actually, the non-free firmware blobs will be put in a new non-free-firmware section, which is nice because I'll be able to get rid of the whole non-free section.
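Added example, not part of the comment above and not Debian's own tooling: a small audit of one-line-style `sources.list` entries that finds those still enabling the whole `non-free` component and proposes the same entry narrowed to `non-free-firmware`. The sample file, the `stable` suite names and the `example.invalid` repository are constructed; deb822 `.sources` files are not handled, and the suggestion assumes firmware was the only reason `non-free` was enabled.

```python
# Constructed sample in the classic one-line format; not taken from a real system.
SAMPLE = """\
# constructed sample
deb http://deb.debian.org/debian stable main contrib non-free non-free-firmware
deb-src http://deb.debian.org/debian stable main
deb [arch=amd64 signed-by=/usr/share/keyrings/example.gpg] https://example.invalid/debian stable main
# deb http://deb.debian.org/debian stable-backports main non-free
deb http://security.debian.org/debian-security stable-security main non-free-firmware
"""


def parse_sources(text):
    """Return the active deb/deb-src entries as dicts; comments and junk are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0] not in ("deb", "deb-src"):
            continue
        kind, rest = parts[0], parts[1].strip()
        options = {}
        if rest.startswith("["):
            inner, closed, rest = rest[1:].partition("]")
            if not closed:
                continue  # unterminated option block: treat the line as malformed
            for opt in inner.split():
                key, _, value = opt.partition("=")
                options[key] = value
        fields = rest.split()
        if len(fields) < 3:
            continue  # need at least URI, suite and one component
        entries.append({
            "type": kind,
            "options": options,
            "uri": fields[0],
            "suite": fields[1],
            "components": fields[2:],
        })
    return entries


def render(entry):
    """Rebuild the one-line form of a parsed entry."""
    opts = entry["options"]
    prefix = "[" + " ".join(f"{k}={v}" for k, v in opts.items()) + "] " if opts else ""
    head = f'{entry["type"]} {prefix}{entry["uri"]} {entry["suite"]}'
    return head + " " + " ".join(entry["components"])


def narrow_to_firmware(entry):
    """Drop 'non-free' and make sure 'non-free-firmware' is present instead."""
    comps = [c for c in entry["components"] if c != "non-free"]
    if "non-free-firmware" not in comps:
        comps.append("non-free-firmware")
    return dict(entry, components=comps)


def audit(text):
    """List (current line, suggested line) for entries that enable all of non-free."""
    return [
        (render(e), render(narrow_to_firmware(e)))
        for e in parse_sources(text)
        if "non-free" in e["components"]
    ]


if __name__ == "__main__":
    for current, suggested in audit(SAMPLE):
        print("current:  ", current)
        print("suggested:", suggested)
```

Packages already installed from `non-free` stay installed but stop receiving updates once the component is dropped, so review them before applying a suggested line.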

Like most folks here, I have mixed feelings about this. The dichotomy of "it's about time" versus "how tragic that it came to this" seems to be common, and I can get on board with that.

Having said that, I don't think that having firmware blobs in the installer should be Debian's hill to die on, and I'm glad they decided to acquiesce to practical necessity. Between wireless NICs and graphics devices, it's just too blasted difficult these days to install a FOSS operating system without binary blobs - good, bad, or ugly, it is what it is, and I respect their ability to recognize when something simply cannot be changed [at this time].

Keep picking your battles, Debian crew - keep fighting the good fight.



One of the things about Debian that made it unique was the Debian Social Contract, and the dedication to free software. The way this is celebrated in some quarters is troubling.

Getting the non-free firmware iso in case your hardware needed it was never difficult.

