Qubes Debian templates have non-free/contrib (apt) by default

Why is this nothing to worry about?

Similar holds for Fedora. Plenty of non-free packages reported by vrms-rpm.

And are these packages really needed for proper functioning of the VMs under Qubes 4.1?

1 Like

It’s Debian - already not FSF endorsed for just this reason.

If you look you will see that these packages are mainly
firmware.
They are needed for (e.g.) users to be able to use some NICs out of the
box. If we didn’t ship them then many users would be left with
non-functioning systems.
If you are using a fully free machine then you can remove the non-free
packages. You could also move to a Trisquel template - I provide one at
https://3isec.qubes.org

There’s one area that you can’t avoid - Qubes ships microcode.
If you don’t install microcode updates, then your system is vulnerable to
known exploits. As a security OS it would be foolish to do this. (I
think it’s foolish of the FSF to insist on this, and the workaround that
Purism has, shows this.)

I never presume to speak for the Qubes team.
When I comment in the Forum or in the mailing lists I speak for myself.
5 Likes

Thanks for the response!

  1. I run Librem Mini v2 from Purism. Is this a “fully free” machine, or at least enough to remove those non-free packages? Purism– Librem Mini

  2. What about dom0? How do I remove as many non-free packages as possible from there?

  3. The microcode you mentioned, is this non-free but still open-source or is it also closed-source?

  4. What do you think about providing this non-free-removal option as an option during QubesOS install?

I have no thoughts on Purism.
Clone the template, remove packages from the clone, and use that as replacement
for the standard template in your qubes.

Identify any non-free.
sudo dnf remove ....
Pray.

Closed source

Qubes is focussed on security.
Since there will always be non-free elements in Qubes, it seems
pointless.

It would be possible to produce a free version of Qubes with no non-free
firmware or microcode, but like all FSF endorsed products it would be
fundamentally insecure.
(I know the hack that Purism uses to get around this at build time,
which shows how ridiculous the FSF position is. I don’t know how they deal
with later released microcode.)

I never presume to speak for the Qubes team.
When I comment in the Forum or in the mailing lists I speak for myself.
2 Likes
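
For the "identify any non-free" step on a Debian template, one way to run the audit, as an added example that is not part of the original thread or of Qubes itself: it lists packages whose dpkg Section is in contrib, non-free or non-free-firmware, and the APT source lines that enable those components. The sample package names and source lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: find what a Debian template pulls from contrib/non-free.
# Use --live only inside a clone of the template, never the original.

# stdin: "package<TAB>section" lines. Prints packages whose Section is in
# contrib, non-free or non-free-firmware; main uses a bare section ("utils").
nonfree_packages() {
    awk -F '\t' '$2 ~ /^(contrib|non-free|non-free-firmware)\// { print $1 }'
}

# stdin: one-line-style APT entries. Prints entries that enable a
# contrib/non-free component; comments and blank lines never match "deb".
nonfree_sources() {
    awk '$1 == "deb" || $1 == "deb-src" {
        i = 2
        # Skip an optional [option=value ...] block; it may span fields.
        if ($i ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++; i++ }
        # $i is the URI and $(i+1) the suite; components start at i+2.
        for (c = i + 2; c <= NF; c++)
            if ($c ~ /^(contrib|non-free|non-free-firmware)$/) { print; next }
    }'
}

# Constructed sample data (not taken from a real template).
SAMPLE_PKGS=$(printf '%s\t%s\n' bash shells firmware-iwlwifi non-free/kernel \
    intel-microcode non-free-firmware/admin example-contrib-tool contrib/utils)
SAMPLE_SOURCES='# deb https://deb.debian.org/debian bullseye main non-free
deb https://deb.debian.org/debian bullseye main contrib non-free
deb [arch=amd64 signed-by=/usr/share/keyrings/example.gpg] https://example.invalid/apt stable main
deb-src https://deb.debian.org/debian-security bullseye-security main'

if [ "${1:-}" = "--live" ]; then
    # Packages in dpkg's database, then every configured one-line source.
    dpkg-query -W -f='${Package}\t${Section}\n' | nonfree_packages
    cat /etc/apt/sources.list /etc/apt/sources.list.d/*.list 2>/dev/null |
        nonfree_sources
else
    printf '%s\n' "$SAMPLE_PKGS" | nonfree_packages
    printf '%s\n' "$SAMPLE_SOURCES" | nonfree_sources
fi
```

deb822-style .sources files are not parsed by this sketch; check their Components: lines by hand.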

Unlike the Qubes Debian templates, official Debian actually excludes non-free firmware, according to Explaining Why We Don't Endorse Other Systems - GNU Project - Free Software Foundation. That page also gives the reason FSF does not endorse Debian: the project hosts and occasionally has pointers to the non-free firmware.

1 Like

Honest question:

“Qubes OS is a free and open-source security-oriented operating system…”

This is not accurate IMO. What do you think about having the entire truth on the website?

“Qubes OS is a free and open-source (apart from a relatively small amount of closed-source binary blobs - read details here) security-oriented operating system (where in certain relatively small cases the security is based on trusting vendors of closed-source binary blobs - read details here)…”

These really are honest questions… not meaning to be rude at all. I’m not here to stir up any trouble or attack anyone. I love Qubes and use it daily.

I’m always suspicious when I see things like “Honest question”.

You’re right - it isn’t accurate.
If anyone is bothered I would include the caveat in a footnote, here
and in the FAQ.

I never presume to speak for the Qubes team.
When I comment in the Forum or in the mailing lists I speak for myself.
1 Like

Indeed, strictly speaking, it’s not true. However, Qubes is free and open-source to a similar degree as Fedora or Debian are. Both are not endorsed by the FSF, while trying to avoid the blobs as much as practically possible.

From the Fedora web page:

Fedora creates an innovative, free, and open source platform

From Debian web page:

Debian is a complete Free Operating System!

Should they also change their wording?

The Qubes FAQ already explains that Qubes is not 100% free. I personally think that it should also include a list of non-free software, so anyone would be able to remove it if they wish.

See also: Is Qubes fully free? and Does Qubes meet the GNU FSDG?

Purism put their microcode (and its updates) into Coreboot, which is already non-free. Their OS stays free and FSF-endorsed. Thanks to this, I don’t need to have non-free binaries in my Qubes installation. I wish I knew precisely how to get rid of them all.

The microcode issue is not as straightforward as you seem to imply: You have to choose between freedom and security here, a choice forced by unethical corporations. This is like a choice between Linux and MacOS, assuming the latter is more secure. Not a very simple choice and shouldn’t be necessary… Also, I believe that true security is impossible without freedom and ownership of your hardware.

1 Like

I think in Debian’s case it is actually strictly true - they really do have no blobs in the official images. (They lack FSF-endorsement for a different reason, as I mentioned earlier.)

Here is how Debian describes their unofficial images - Index of /images/unofficial/non-free/images-including-firmware. They are very transparent about it.

(I don’t have any opinion on if this level of transparency is relevant for Qubes. I only think that Debian is not a good example of a distro that isn’t 100% FOSS saying it is FOSS, actually quite the opposite.)

The Debian example simply shows that different shades of FOSS exist: although it’s “strictly” free in your view, the FSF disagrees here. Indeed, one wrong move (adding something to your /etc/apt/sources.list) could make your system (quite) non-free, even though it will only connect to the Debian servers.

AFAIK Fedora contains no blobs executed on the CPU, which is sufficiently free for many people, too.

1 Like

“Qubes OS is a free and open-source security-oriented operating system…”

How exactly is this not accurate? So far, I’ve seen several people in this thread say they agree that the statement isn’t accurate, but I haven’t seen anyone actually explain why they believe that. It obviously depends on how you define terms like “free” and “open-source.” The dispute seems to center on the term “free.” It’s clear that Debian, Fedora, and Qubes are not free (as in speech, aka libre) software according to some very restrictive definitions of “free” (namely, the FSF’s), but to claim that the statement in question is “inaccurate” seems to imply that Qubes is not free according to any common reasonable definition of free software, which sounds quite dubious to me. I’d like to hear a proper argument for that claim.

1 Like

I think that you should provide a link to a “common reasonable definition”, to which Qubes fits as “free”. Not sure which one you mean here.

I am aware of two reasonable (in my opinion) definitions: the one from the FSF (so neither Debian, nor Fedora fit here) and the one saying that the license for the software is in the list of free or open-source licenses (then, Debian main is free software, Fedora and Qubes aren’t).

Free and open-source software (FOSS) is a term used to refer to groups of software consisting of both free software and open-source software[a] where anyone is freely licensed to use, copy, study, and change the software in any way, and the source code is openly shared so that people are encouraged to voluntarily improve the design of the software.[3] This is in contrast to proprietary software, where the software is under restrictive copyright licensing and the source code is usually hidden from the users.

Qubes seems to check all the boxes:

  • Source code is publicly available
  • Licensed under GPLv2
  • Everyone is allowed to use, copy, study, and change it
  • Everyone is encouraged to volunteer improvements

What am I missing?

Why do you think that those are the only two reasonable definitions? Why is the one from Wikipedia not reasonable?

1 Like

You are missing that the current Qubes iso does not follow the above points, because it contains proprietary blobs, which have no source code and are not licensed with GPLv2.

AFAIK, the Wikipedia definition is the same one, which I list as the second definition, i.e., based on the license of the software.

Ah, I see. When I think of “Qubes OS,” I think of the code created by the Qubes OS Project. I don’t think of proprietary blobs from Intel, for example, as belonging to Qubes, because, well… they don’t. The Qubes devs didn’t write them. Intel devs did. The Qubes devs have to include them in the final ISO, or else Qubes won’t be able to run securely on people’s machines. (An OS that only runs “in theory” would be rather useless.) So, perhaps it’s fair to say that Qubes itself is FOSS, but it comes packaged with some non-FOSS stuff by necessity so that people can actually use it.

There seems to be an underlying assumption that 100% of the code has to satisfy the definition of “free” in order for the final product to be considered free, and even a single proprietary blob makes it non-free. But that seems like a strange assumption, because that’s not how we use similar language in other areas of life.

For example, in order for a food product to qualify for the USDA Organic seal, it has to contain at least 95% organic ingredients, not 100%. And if 3/4 of my grandparents are Asian, I doubt anyone would say it’s inaccurate for me to call myself Asian because it’s not 4/4. And so on.

1 Like

I suppose my point is that Qubes OS being “free except for a couple of proprietary blobs” seems sufficient to make the general statement “Qubes OS is a free and open-source security-oriented operating system” true in the same way that a food product having 95% organic ingredients is sufficient to make the statement “this product is organic” true.

The “underlying assumption” that you identify is generally held in the
field of free software.
It’s also held in some other areas of life. For example, if my medicine
is adulterated with 1% strychnine, that’s enough to make it poisonous.
Even a very small level of contamination is significant.

As you say, the Qubes code is free/libre and opensource.
Equally, Qubes OS is not free, because it contains those blobs.

For example, Debian is a free distribution. The official installer
contains only free software. There is an “official unofficial” installer
that contains non-free packages, mainly drivers, and there was a recent
lengthy discussion on debian-devel about just this issue.
The FSF don’t endorse Debian because it includes repositories that allow
users to install non-free packages. Just a whiff of non-free software
is enough for the FSF not to endorse it.
This has ridiculous consequences imo - endorsed distributions have
kernel code where the warnings about security vulnerabilities are
stripped out in case users might be tempted to install non-free blobs to
address those vulnerabilities.
The language here is significant - “tempted”. Discussion about free
software is often quasi-religious in tone.

QubesOS is a security distribution. So it includes binary blobs.
The QubesOS installer is intended to enable users to be able to use it
across a wide range of devices with minimum fuss. So it includes
non-free drivers.

Angels on pins.

1 Like

I always found it funny that giving people the freedom of choice automatically means the OS isn’t free.

I don’t agree with the idea that binary drivers and binary firmware are the same, and taking away the right to use the firmware to me isn’t freedom of choice, it’s the freedom to do as you are told.