Qubes Debian templates have non-free/contrib (apt) by default

This is a misinterpretation of what free software is. It always gives you the free choice, because you are allowed to modify it as you wish, including adding proprietary software. The problem with Debian is that it does not really separate proprietary software from free software much. I am undecided on this myself: Indeed some users are not aware of the problems with non-free software and could install it unknowingly. I did it myself at some point, long time ago!

I wish there was at least a warning. Qubes OS is trying to warn the users in case something security-related might happen.

Binary firmware is not “the same” as other software. Yet it’s non-free, isn’t it? See also the FSF’s explanation about BSD.

Personally, I find it valuable to question generally-held assumptions. Many of the greatest advances in human progress began by having the courage to question unexamined assumptions that most people took for granted at the time.

If the assumptions are warranted, then there is no need to fear. They will stand up to scrutiny.

However, if they turn out to be unfounded, then we will have discovered something important and taken one step closer to the truth. Sunlight is the best disinfectant.

In the case of a deadly poison, where even a tiny bit can be harmful to the body, that sort of classification makes sense. However, when it comes to classifying the terms under which software is distributed, that principle doesn’t seem to apply. Installing one piece of non-free software on an otherwise free system doesn’t harm the system as a whole so long as that piece of software itself is not harmful, and the action can easily be undone. This is quite different from a human ingesting something laced with a deadly poison, so I find these two scenarios to be rather disanalogous.

Some zealots seem to view all free software as good and all non-free software as evil. Perhaps that’s the motivation for requiring strict purity (the 100% requirement). However, these advocates should recognize that by allowing such value judgments to infect their classification scheme, they risk its credibility. The classification scheme itself should be neutral and objective. Let people make their own value judgments later. From this perspective, the stricture that even a single line of non-free code in an otherwise completely-free software compilation renders the entire thing non-free looks, from the outside, like nothing more than arbitrary puritanism.

To return to our earlier analogy, the reason the USDA Organic seal requires only 95% organic ingredients is, presumably, based on the recognition that 100% is impractical in the real world, where the realities of farming and manufacturing means that it is inevitable that a small amount of non-organic food will make it into many final products. It’s presumably also based on the recognition that there is considerable controversy over whether organic food is superior to conventional food. It would be improper for the classification requirements themselves to take a stand on that debate. Their job is simply to tell us which is which, not which is better. By the same token, the FSF would do well to recognize the practical requirements of running code on real-world hardware and accept the reality that a small amount of non-free code will make it into many otherwise-free products (at least those that can be relied upon for any use case where security matters). As things stand, their insistence on using their classification scheme to try tell the world which is better appears to have rendered it largely irrelevant to the rest of the world as a practical tool to which is which.

I see little reason that Debian, Fedora, Qubes, or any other operating system with a significant userbase should pay heed to a standard that is not fit for purpose in the practical world of computing on actual hardware and real security needs. Therefore, I reject the assumption that a compilation of software must be composed of 100% free components in order for the compilation as a whole to qualify as free.

Anything that has any nonfree software can’t be free software, you are also not allowed to give the user the option to install nonfree software, and this includes firmware blobs.

https://www.gnu.org/distros/optionally-free-not-enough.html

You can buy an extension card with the close source firmware blob in an eprom, but if you buy the same card which needs the firmware upload to ram the OS can’t support this if it wants to be free software.

This is not an all or nothing issue for me, I don’t want close source kernel drivers if there is any way to avoid it, and I support open source firmware. I also don’t want the OS I’m using to prevent from using my hardware, by taking away the option to use binary only firmware.

It has potential to harm the rest of the system, especially if it is part of the TCB. Determining if a piece of software is harmful is harder if it is not source-available, or if the license makes examining it illegal. If the software is part of the TCB, I really don’t think you can undo whatever it does on a system.

I don’t think that is what your link says. Your link is about distros that FSF recommends. FSF-recommended is a strict subset of FSF-free.

FSF-free distro can recommend non-free software to the user, it just won’t be an FSF-recommended distro.

Remember that the context was seeing whether this case is analogous to the case of a human body ingesting something laced with poison. You can always do a clean reinstallation of your free system in order to undo the effects of the non-free software. You can’t do a clean reinstallation of human life in order to undo the effects of poison.

The potential to harm is not what’s at issue here. Free software also has the potential to harm a system, especially if it’s part of the TCB. There have been many documented cases of free and open-source software containing serious vulnerabilities or even being outright malicious. This has happened even when the code had many eyes on it from experts. Yet we still support free and open-source software.

Remember, the context of this discussion is whether “free except for a few proprietary blobs” can still qualify as “free software” and, more specifically, whether a strict requirement that a compilation of software be composed of 100% free components in order to qualify is reasonable. Would it be reasonable for the USDA Organic standard to require 100% organic ingredients on the grounds that conventional ingredients have the potential to harm? Of course not, because many aren’t harmful, and organic ingredients also have the potential to harm. The standard isn’t about what’s harmful and what’s not, it’s about classifying what’s organic and what’s not so that consumers can make informed decisions. Such classification standards should be kept separate from value judgments. Their role is to tell us which is which, not which is better.

free system distribution guidelines

free distros

well-known nonfree distros

To me, this makes it clear what is and what isn’t a free distro.

Some applications and drivers require firmware to function, and sometimes that firmware is distributed only in object code form, under a nonfree license. We call these firmware programs “blobs.” On most GNU/Linux systems, you’ll typically find these accompanying some drivers in the kernel Linux. Such firmware should be removed from a free system distribution.

Debian’s wiki also includes pages about installing nonfree firmware.

You are clearly not allow to provide binary only firmware support, and this is the main issue I have with FSF. To me, this seems like “the end justifies the means”, and it is very anti consumer if there is no open source alternative to the firmware.

This doesn’t sound correct. You can always put a file to /usr/lib/firmware (or whatever path), and it should work. You are missing the point of the FSF. They want to educate users of dangers of nonfree software, not restrict users. They explicitly tell it in your link. If the users are already educated, then

We could recommend the distro privately to people in that first group if the distro provides a clear and reliable way to reject nonfree software.

You see here “clear and reliable way to reject”? Debian probably fits here, although I think it could show some warning at least.

This contradicts with your link. Quote from there:
the install fest installs a free distro, then “the devil” (a person wearing a devil mask) offers to install the nonfree drivers or blobs that machine needs.

In other words, the user does have the option to install nonfree software.

Yes, if you want to call your software package “free”, it must not contain non-free blobs. Do you want to say that it’s illogical? I agree that it’s impractical. FSF doesn’t prohibit you from doing it, they just disagree if you call it “free” and don’t want to recommend it to ordinary people. I fully agree with them here.

Yes, I don’t think it’s illogical to say to people who are using closed source / IP protected hardware that they shouldn’t use closed source firmware, unless an open source alternative exist.

Stallman is entitled to his opinion, just as everyone who agrees with him, I just don’t agree with Stallman on binary firmware.

How can you decide whether a proprietary piece of software is harmful or not? You don’t know what it does, and it’s really hard to find out, by design. The last thing is the most important. You do not control what it does. Worse, it’s usually constantly updated, without you knowing what changes exactly. How about just “one piece of non-free software” in dom0, which downloads evil_script.sh via sys-net and runs it? I think it’s very much similar to a drop of poison in an otherwise normal dish. You can’t really have security without freedom.

Also, it seems you are thinking only in terms of security here. Free software is a tangential thing to security, it’s about freedom first. (People need both, of course, but sometimes we are put in a position to choose.) What do you think dangers of non-free software are?

Consider control over what your device is doing. Apple may keep your device secure (against common threats) but when you want to do something they don’t like, you are in trouble. You stop owning your device in a general sense.

If you only have one single piece of proprietary software, then you don’t control this piece and are at the mercy of its developers. You can’t fix it when it breaks or gets insecure (only its developers can, so it’s an artificial monopoly with all the consequences). You can only trust it, but you can’t verify. Different pieces of proprietary software can interact with each other against your will (like Intel ME interacting with their WiFi card). I recommend you to read more about the FSF reasoning why free software is important.

You can call me a “zealot” if you like, but I fail to see any logical inconsistencies in the above reasoning, and it proves true time and time again in the modern world.

How is free vs non-free classification non-neutral or non-objective? It’s based on what you are and are not allowed to do with software. It’s like a basic definition of what freedom or rights are. The classification is not about people or companies.

Nobody prevents you from disagreeing with the FSF judgment. They are entitled to their opinion just like you are.

Unlike software, the organic seal may be indeed impractical in the real world due to the complexities of the manufacturing. In case of software, the “impracticality” is artificially forced on you by the manufacturers. Nothing technical prevents them from releasing the code, only, presumably, their will for power over you. The FSF is fighting with this by educating public about the dangers of non-free software.

I don’t see how they don’t recognize the practical requirements. Does it mean that they should endorse it? Or stop warning about the dangers? By the way, Stallman was using a proprietary BIOS when no other option existed.

No, there isn’t.

Their fight is similar to the fight for the freedom of speech in a world of censorship. (Compare: world of non-free software, where you are fighting for the freedom of the users.)
The censors don’t allow you to express your disagreement and you are silenced. (Compare: all media constantly advertise proprietary devices showing their advantages and ignoring the dangers.)
People tell you that they are fine with the “small” proprietary pieces, because they do no harm to them. (Compare: “I have nothing to say, so I don’t know why I need a freedom of speech”.)
Wouldn’t it be incorrect to say in such case that your “insistence … rendered you largerly irrelevant”, because you do not simply follow the “practical path” of following the accepted norms? After all, many of the greatest advances in human progress began by having the courage to question unexamined assumptions that most people took for granted at the time.

First, you did not answer my question. I was asking about naming things. You are instead saying that “impractical” advises are illogical. They aren’t, you just would have to decrease your quality of life to follow them. Sometimes freedom is worth it.

Second, it’s not even impractical, the open-source alternative does exist. I’m writing this post from it: My Librem 15 has Atheros WiFi card with free firmware. No proprietary firmware is needed to run my laptop. Only tiny part of Intel ME is left in my BIOS after the neutralization, which I can live with (but don’t like).

I didn’t see your first question.

And what about the microcode you seem to leave that part out, or are you just not using microcode updates?

I have 2 libreboot laptops, x200 and t500, I know a little about the decrease in quality of life once you are willing to remove the microcode.

This is exactly what had me confused. Qubes is supposed to be focused on security, but the cavalier use of “security” troubles me.

I’d love to see the ambiguity addressed in large red text on the main Qubes website - it’s too important to be relegated to mere FAQs or footnotes. This text would clearly mention something like this: “It is an unfortunate fact that security must currently rely on closed-source binary blobs in some cases, and there is currently no way around this because of hardware manufacturers.”

Why not make this as clear as possible to all downloaders of Qubes? Like right there, below the download button. This OS is all about security, after all. This is not all about marketing or trying to get as many users as possible - because this is a project funded by donors, not here to impress anybody or sell anything to anyone who doesn’t want what is clearly offered.

I have been using Qubes for 1-2 years, and I only found out about this issue 1-2 weeks ago because I happened to look into the Debian template’s “/etc/apt/sources.list” and being surprised as hell. (Why on earth was the Qubes Debian template different from the default Debian system offering?) The rest followed from there, and now I’m finding myself having to dig through FAQs, ask on forums, etc.

This is a sad state of affairs IMO, I’m sorry to say. (This discussion thread shouldn’t even have to exist.)

The problem with the microcode is really unfortunate, because originally one could consider this part as “hardware, not software”. According to the FSF, everything which is updatable is software (and it should be free to save you from the dangers of non-free software), whereas things which need no updates are hardware. Of course, it’s a somewhat arbitrary line to put, but you have to put it somewhere, otherwise you cannot consider anything free under any conditions, unless you have your own manufacturing process.

With such criterion, Librebooted laptops can be considered as running fully free software, because the microcode is just a part of the “hardware”. Now, it turns out that the updates are required for security.

In this situation, if the FSF would allow (or, more precisely, endorse) the microcode updates, they would be breaking their own strict rules for the free software. They would then have to remove the certification from all linked laptops and declare that no device can run free software today. Alternatively, they can continue to consider the microcode as “hardware”, which has newly found security limitations.

Look, they are the Free Software Foundation, not Security Foundation. Their main goal is to promote freedoms of software and educate the public about it. Of course, their only reasonable choice is the second one. I nevertheless think that they should be more explicit about the problems with such choice, instead of removing all warning from the kernel. Without telling it, they put the security of their followers at risk of course. Libreboot developer also disagrees with the current FSF position about it.

So in this case, one has to choose between security and freedom, as I mentioned above. I’m using Qubes OS, so I do value security to a large degree. I decided to install the non-free microcode. On Librem 15, it’s a part of the Coreboot updates, which already were non-free. Let us hope that the microcode can be freed at some point in the future.

I see in your link that FSF does require what they call a “free distro” to not recommend non-free. It still seems to me like they should more consistently call a “free distro” an FSF-endorsed distro instead, to avoid confusion with the different definition of free they use for individual software.

This makes sense when “free distro” is understood as FSF-endorsed. They wouldn’t endorse a product that goes against their principles.

Anyway, I don’t think FSF’s specific “free distro” definition is relevant to this discussion. A more relevant definition is that a distro is free if all its components are.

This caught me by surprise too (long time ago). So going back to the original topic of this thread:

I think the qubes debian template should contain no non-free components, because:

1. From a practical standpoint, microcode or firmware isn’t needed in a template that by default is not used for sys-net or sys-usb. The user has to opt-in to using debian for these, and the process is manual (if a remember correctly) [Correction: in the qubes installer, if you deselect fedora template from installation, then sys-net and sys-usb will be set to use debian. Thank you Sven for correction]. If the user wants to install closed firmware, they can just apt-get it, thanks to the fedora-based sys-net.
2. Qubes policy is “We try to respect each distro’s culture, where possible.” See What is Qubes’ attitude toward changing guest distros?. The official upstream debian images contain only FOSS, no firmware exception[1]. Unofficial images containing non-free are explicitly called out as such[2]. I think it says something about how strongly Debian feels against non-free software, that they would rather break network installation process, than bundle non-free network card firmware in their official images.
3. Having non-free software inside debian subverts some users’ expectation or intent in opting out of fedora, and opting into debian templates.

[1]see FSF’s evaluation of debian - Explaining Why We Don't Endorse Other Systems - GNU Project - Free Software Foundation
[2]Index of /images/unofficial/non-free/images-including-firmware

I care very much about free software which you can easily verify by reading my posts of the last 5+ years, but I am not deluded enough to think for a second that a 100% pure approach as discussed here works for anyone but the most nerdy fellows currently. If you have time and attention to spend on discussions around the importance of non-free binary firmware blobs … you can be expected to read forums and FAQs.

Our main focus here is security. FOSS, privacy etc are related but secondary. I want them all, but sometimes we have to trade one for the other.

Fine.

Which approach do you mean? Did anyone suggest to remove all proprietary software from Qubes OS? (Well, I wish there was such option, but not default.)

How about the problem of breaking the Debian defaults and not following the “Qubes’ attitude toward changing guest distros”? Should everyone expect it? What is the goal of having proprietary software in Debian templates? What is the tradeoff?

If there is no reason to keep non-free software, then it should not be kept for security reasons, should it be?

What I mean is that we should error on the side of security and usability.

Debian along with Fedora and Whonix are the standard distributions offered at install time. The installer allows you to choose Debian as the default distribution, which results in it being used for sys-net and sys-usb. For that to have any prayer of working on most machines, the most common firmware (e.g. firmware-iwlwifi) needs to be present. It happens to be non-free. I am sure there are more examples but this is the one most obvious to me.

I read “if possible”. What is more important to the usability and adoption of Qubes OS: the FOSS advocates’ expectation that there is no non-free software in Debian or everyone else’s expectation that WiFi works after install?

I have no idea what you mean. If I simply answer the question you posed then yes, non-free software should be kept for security reasons (if there is no equally safe free alternative). If your primary concern is security I can’t see any other answer.

If your primary concern is 100% purity in terms of FOSS (or privacy to name another hot topic) then there are better options for you then using Qubes OS. If your primary concern is security it depends on your thread model but in most cases Qubes OS is probably your best option.

In the end there are no perfect answers. As you know I prefer T430 with heads because my TCB / root of trust being FOSS is of higher security related concern to me and my thread model then having Intel’s CPU firmware updates addressing speculative execution attacks. But I still run Debian with firmware-iwlwifi in sys-net because I don’t care enough about purity and just want my WiFi to work. I don’t even care that much whether the firmware is secure/trusted because the whole point of sys-net is that it’s untrusted.

I can understand putting cognitive load on new users when asking them to make security related decisions absolutely necessary (what goes into vault, work etc). I don’t want to slow them down with purist thoughts about free software. That’s not the goal here.

A more simple and less moody answer from my perspective would be the following order of priorities:

1. security (balanced by usability)
2. privacy (as long as there is no major impact on security)
3. usability (if there is no major security or privacy impact)
4. foss (whenever possible)

I care about all of them, just not equally. Otherwise I’d be using OS X (usability) or Tails (privacy/deniability) or some FSF-recommended distro for freedom.