Matthias Urlichs <matthias@urlichs.de> writes:

On 08.03.25 15:36, Simon Josefsson wrote:

One difference is that you could chose to trust their hardware (CPUs)
but don't trust their software (non-free firmware).

True. But so, again, what's the material difference between "the
firmware is baked into the hardware and cannot be changed" vs. "the
firmware can be updated"?

Answer: there isn't one. They're both software, except that the vendor
can choose to fix bugs on the latter.

One plausible argument is that if the vendor is capable of resolving
bugs in writable firmware, it also suggests that a targeted attack is considerably easier than with hardware, which can presumably be trusted
to remain identical, unless one is a significant target.

However, for the majority of typical users, having the most recent microcode/firmware is likely a significant advantage for security, even
if it is some non-free binary blob (usually not even using the user
facing ISA that the user can understand).

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Matthias Urlichs <matthias@urlichs.de> writes:

On 08.03.25 15:36, Simon Josefsson wrote:

One difference is that you could chose to trust their hardware (CPUs)
but don't trust their software (non-free firmware).

True. But so, again, what's the material difference between "the
firmware is baked into the hardware and cannot be changed" vs. "the
firmware can be updated"?

Answer: there isn't one. They're both software, except that the vendor
can choose to fix bugs on the latter.

I don't think that is the only answer. I believe there is a significant different between these two cases from, e.g., a consumer freedom
perspective (accepting a software EULA compared to purchasing a physical component). As far as I can tell, you wouldn't agree. The arguments
have been made many times already, so repeating them probably won't
convince either of us. I think both viewpoints are reasonable
positions, but they lead to different conclusions how to deal with
non-free firmware: either reject it as being non-DFSG, or accept
treating as an really-part-of-the-hardware-but-wasn't exception.

My personal opinion: You want open hardware? go and build some
yourself. That's the way how we got free/libre software, after all.

I believe almost all free/libre software were created on closed
hardware, and often using non-free operating systems. So I don't think
open hardware is a requirement for free software.

/Simon

-----BEGIN PGP SIGNATURE-----

iQNoBAEWCAMQFiEEo8ychwudMQq61M8vUXIrCP5HRaIFAmf3pfoUHHNpbW9uQGpv c2Vmc3Nvbi5vcmfCHCYAmDMEXJLOtBYJKwYBBAHaRw8BAQdACIcrZIvhrxDBkK9f V+QlTmXxo2naObDuGtw58YaxlOu0JVNpbW9uIEpvc2Vmc3NvbiA8c2ltb25Aam9z ZWZzc29uLm9yZz6IlgQTFggAPgIbAwULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgBYh BLHSvRN1vst4TPT4xNc89jjFPAa+BQJn0XQkBQkNZGbwAAoJENc89jjFPAa+BtIA /iR73CfBurG9y8pASh3cbGOMHpDZfMAtosu6jbpO69GHAP4p7l57d+iVty2VQMsx +3TCSAvZkpr4P/FuTzZ8JZe8BrgzBFySz4EWCSsGAQQB2kcPAQEHQOxTCIOaeXAx I2hIX4HK9bQTpNVei708oNr1Klm8qCGKiPUEGBYIACYCGwIWIQSx0r0Tdb7LeEz0 +MTXPPY4xTwGvgUCZ9F0SgUJDWRmSQCBdiAEGRYIAB0WIQSjzJyHC50xCrrUzy9R cisI/kdFogUCXJLPgQAKCRBRcisI/kdFoqdMAQCgH45aseZgIrwKOvUOA9QfsmeE 8GZHYNuFHmM9FEQS6AD6A4x5aYvoY6lo98pgtw2HPDhmcCXFItjXCrV4A0GmJA4J ENc89jjFPAa+wUUBAO64fbZek6FPlRK0DrlWsrjCXuLi6PUxyzCAY6lG2nhUAQC6 qobB9mkZlZ0qihy1x4JRtflqFcqqT9n7iUZkCDIiDbg4BFySz2oSCisGAQQBl1UB BQEBB0AxlRumDW6nZY7A+VCfek9VpEx6PJmdJyYPt3lNHMd6HAMBCAeIfgQYFggA JgIbDBYhBLHSvRN1vst4TPT4xNc89jjFPAa+BQJn0XTSBQkNZGboAAoJENc89jjF PAa+0M0BAPPRq73kLnHYNDMniVBOzUdi2XeF32idjEWWfjvyIJUOAP4wZ+ALxIeh is3Uw2BzGZE6ttXQ2Q+DeCJO3TPpIqaXDAAKCRBRcisI/kdFooObAQCH5eZ2ecO9 lYxBJQmKWY7j0zIz3U2mREHRB+cvkmR6pwEAmHGmnIMpvLplzseCBMoSyKQSWDJX REHQXAr1ABG83AY=
=L83F
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)