Re: How secure is an installation with with no non-free packages?

To: debian-security@lists.debian.org
Subject: Re: How secure is an installation with with no non-free packages?
From: adrelanos <adrelanos@riseup.net>
Date: Fri, 13 Sep 2013 02:03:00 +0000
Message-id: <[🔎] 52327254.7030603@riseup.net>
In-reply-to: <[🔎] CAAr43iMfQByPp=+O+2B0Y1JLA7Ynwu7EkvcxLygPud_3FP=CFA@mail.gmail.com>
References: <[🔎] 523234F5.1090002@riseup.net> <[🔎] 52325160.1000606@riseup.net> <[🔎] 5232614A.7050708@debian.org> <[🔎] 52326419.2070605@riseup.net> <[🔎] CAAr43iMfQByPp=+O+2B0Y1JLA7Ynwu7EkvcxLygPud_3FP=CFA@mail.gmail.com>

Joel Rees:
> I am not Debian, but I am in rant-mode on this subject today, so bear with me --
> 
> On Fri, Sep 13, 2013 at 10:02 AM, adrelanos <adrelanos@riseup.net> wrote:
>> Jose Luis Rivas:
>>> So no, there's no other contrib/non-free packages there.
>>
>> I didn't want to imply, that there are preinstalled.
>>
>>> The reason why you can't install Debian directly from a WiFi with some
>>> manufacturers is precisely that we do not ship non-free nor contrib
>>> software by default in our Debian installation different to what does
>>> other distributions like Ubuntu (no offense meant).
>>
>> And this is fine and I don't want to go into that political vs
>> convenience discussion either.
> 
> You can't avoid it now. (Thanks to NSA and Intel deciding to boogie
> together. Let the children boogie.)
> 
>> So we have the (intel/amd)-microcode and the firmware-linux-nonfree
>> package which should be installed to improve security? Are there any
>> other packages of this type?
> 
> We'd like to say they are unique.
> 
> They are unique in that they are the CPU, but any binary blob required
> by the hardware you are using is going to have the same set of
> problems, and most of them, even when we move the drivers out of the
> kernel, are going to have the capability of subverting the whole box.
> 
> We'd like to say that it's all Intel's fault for pushing the market so
> far so fast, but we can only say they have been a major contributor to
> the problem. (We have, also, each one of us.)
> 
>> What would you do if there was an exploit in the wild, which uses an
>> vulnerability in (intel/amd)?
> 
> Do you mean, in the cpu itself, or in the microcode?

Microcode. (I guess if the vulnerability can not be fixed with some kind
of firmware upgrade and is used in the wild, that would be a reason to
get it replaced for free or being required to buy a new one.)

>> Let's say any website could prepare some
>> html code which would trigger a remote code execution.
> 
> Ergo, on vulnerable CPU/microcode combinations.
> 
>> One that can only
>> be fixed by having the (intel/amd)-microcode package installed.
> 
> So you're thinking the CPU, but which level of microcode?

No idea.

>> Is this a possible scenario?
> 
> Of course. Especially now that the "bad guys" have tools that allow
> them to build targeted tools fairly easily.
> 
>> What would you (Debian) do in this case?
> 
> Do you mean,

I don't try to mean anything in this thread. :) Just asking questions.

> would Debian fold up and go away if the only way to
> provide a secure OS were to be to include certain non-free packages by
> default?

And no, I think discontinuing Debian for such reasons is extremely
unlikely and many actions seem to be much more likely - I may not be
able to guess what you are going to do, hence I am asking.

> They already do (as Jose Luis Riva indicated). It just requires a
> certain amount of action on your part so that they can limit the
> amount of non-free stuff you have to load.

> At the very least, AMD machines do not need Intel microcode, and
> vice-versa.

Yes, that is very nice.

> That's why it's important to have more than one major CPU
> vendor,

Sure, I am not against having 10 or more per country either. I believe
monopolies are almost always bad.

> even if Intel's bragging that they have beaten everyone else
> on all technical fronts had any merits whatsoever. (It doesn't. They
> haven't even come close. Their current excesses are catching up to
> them now.)
> 
>> (I am not suggesting anything here, I am just interested in those
>> questions.)

> And I suppose I am not contributing anything meaningful to the
> conversation.

Happy to read your thoughts.

> Sorry, but this is a pet peeve of mine.

Understandably. It's a terrible pity. None of that is the fault of
Debian, you're doing fine providing a Free operating system and I am not
asking you to fix the rest of the world as well. Good to be aware of it,
however.

> We can't afford
> the results when microprocessors become this complex, and one of the
> reasons I hate Intel is that they have pushed the complexity so hard
> to maintain their "market advantage", and it just makes a mess of the
> industry.

Reply to:

Follow-Ups:
- Re: How secure is an installation with with no non-free packages?
  - From: Jordon Bedwell <jordon@envygeeks.com>

References:
- How secure is an installation with with no non-free packages?
  - From: adrelanos <adrelanos@riseup.net>
- Re: How secure is an installation with with no non-free packages?
  - From: adrelanos <adrelanos@riseup.net>
- Re: How secure is an installation with with no non-free packages?
  - From: Jose Luis Rivas <ghostbar@debian.org>
- Re: How secure is an installation with with no non-free packages?
  - From: adrelanos <adrelanos@riseup.net>
- Re: How secure is an installation with with no non-free packages?
  - From: Joel Rees <joel.rees@gmail.com>

Prev by Date: Re: How secure is an installation with with no non-free packages?
Next by Date: Re: How secure is an installation with with no non-free packages?
Previous by thread: Re: How secure is an installation with with no non-free packages?
Next by thread: Re: How secure is an installation with with no non-free packages?
Index(es):
- Date
- Thread