From: Maxim Kammerer
Date: Mon, 11 Feb 2013 02:15:10 +0200
Subject: Re: [gentoo-dev] Lastrite: Firmware cleanup, part #1
To: gentoo-dev@lists.gentoo.org

On Mon, Feb 11, 2013 at 1:12 AM, Douglas Freed wrote:
> How does having additional firmware installed affect security at all?
> Firmware is only loaded when specifically requested by a loaded driver that
> needs to use it, and only if that driver is actually in use. That's like
> saying a file that can only be written to by root, only normally read when
> it's specifically needed, and if for some stupid reason is executed by an
> unprivileged process will just result in a crash, affects security (hint: I
> just described firmware).

I can play captain obvious, too. Regardless, having to explicitly
enable firmware based on need (e.g., after installing a wireless card)
provides for more security. For instance, the user can opt to not
enable the firmware and not use the card, if he doesn't trust
manufacturer's software development process. If only the firmware that
is actually used is installed, it is easier to go over it and review
its security. Some firmware has multiple subversions, with the kernel
being able to use any of them; some may be more trusted than others.
Some firmware may be unnecessary for correct functioning of hardware,
but is still loaded when available.

All of these are valid reasons for not installing all possible
firmware. Don't assume that your use case is identical to everyone
else's.

-- 
Maxim Kammerer
Liberté Linux: http://dee.su/liberte
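
The point above about reviewing only the firmware that is actually used can be checked on a running system. The script below is an added example, not part of the original message or of any Gentoo tooling: it lists installed firmware files that no loaded module declares. The function names, the `audit` argument and the `/lib/firmware` location are assumptions of the example.

```shell
#!/bin/sh
# Added example: find installed firmware that no loaded kernel module declares.
# Caveats: built-in drivers do not appear in /proc/modules, and a module may
# declare several firmware versions while loading only one of them, so the
# "declared" set is an upper bound on what is really in use.

# Print firmware names declared (via MODULE_FIRMWARE) by loaded modules.
declared_firmware() {
    # The first field of each /proc/modules line is the module name.
    while read -r mod _; do
        modinfo -F firmware "$mod" 2>/dev/null
    done < /proc/modules | sort -u
}

# unneeded_firmware FWDIR NEEDED_FILE
# Print files under FWDIR (paths relative to FWDIR, sorted) that are not
# listed in NEEDED_FILE (one relative path per line, matched exactly).
unneeded_firmware() {
    fwdir=$1
    needed=$2
    (cd "$fwdir" && find . -type f | sed 's|^\./||' | sort) |
        grep -Fxv -f "$needed" || true   # grep exits 1 when nothing is left
}

# Run against the live system only when invoked as: sh script.sh audit
if [ "${1:-}" = "audit" ]; then
    tmp=$(mktemp)
    declared_firmware > "$tmp"
    unneeded_firmware /lib/firmware "$tmp"
    rm -f "$tmp"
fi
```

Files reported here are candidates for removal or for exclusion from review; files that are declared but that you do not want loaded still need to be handled separately.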