adw
August 16, 2022, 11:55pm
57
airelemental:
This caught me by surprise too (long time ago). So going back to the original topic of this thread:
I think the qubes debian template should contain no non-free components, because:
From a practical standpoint, microcode or firmware isn’t needed in a template that by default is not used for sys-net or sys-usb. The user has to opt-in to using debian for these, and the process is manual (if a remember correctly) [Correction: in the qubes installer, if you deselect fedora template from installation, then sys-net and sys-usb will be set to use debian. Thank you Sven for correction]. If the user wants to install closed firmware, they can just apt-get it, thanks to the fedora-based sys-net.
Qubes policy is “We try to respect each distro’s culture, where possible.” See What is Qubes’ attitude toward changing guest distros? . The official upstream debian images contain only FOSS, no firmware exception[1]. Unofficial images containing non-free are explicitly called out as such[2]. I think it says something about how strongly Debian feels against non-free software, that they would rather break network installation process, than bundle non-free network card firmware in their official images.
Having non-free software inside debian subverts some users’ expectation or intent in opting out of fedora, and opting into debian templates.
[1]see FSF’s evaluation of debian - Explaining Why We Don’t Endorse Other Systems - GNU Project - Free Software Foundation Index of /images/unofficial/non-free/images-including-firmware
fsflover:
I would like to repeat that I see no reason whatsoever to include proprietary firmware into Debian in the default Qubes configuration. Even if you believe that FLOSS doesn’t improve security (I’ll try to find some evidence otherwise), any unnecessary software increases the attack surface. It also breaks the expectations of regular Debian users who come to Qubes (like me) and goes against the Qubes FAQ about changing the distros. Manually changing the template for sys-net is an advanced feature, so I expect that such users should know how to add non-free repositories; and I am ready to help them do it, too. Choosing Debian as main template at install should give a warning that non-free repositories will be switched on to get the firmware, if needed.
I don’t really know anything about the Debian template situation except what I’ve seen folks say in this thread (and have hitherto avoided discussing it for that reason). Let’s ask @marmarek :
Is it true that we (the Qubes OS Project) add non-free code to our Debian templates that isn’t present in upstream Debian?
If so, why do we do that? Is this an exception to our attitude toward changing guest distros for some special reason?
What implications, if any, do you think this has on the accuracy of calling Qubes OS “free”? For example, is it inaccurate to say “Qubes OS is a free and open-source operating system,” and should we change that in our intro , FAQ , and the short description of Qubes OS we use around the web?