Qubes Debian templates have non-free/contrib (apt) by default

You’re forgetting the context of this statement. The context was evaluating the following analogy:

non-free software : computer system :: poison : human body

or

Non-free software is to a computer system as poison is to a human body.

In particular, the question is whether this is an apt analogy when discussing software distribution classification schemes. My position is that it is not, for the following main reasons:

  1. Poison is inherently harmful to human bodies, whereas non-free software is not inherently harmful to computer systems.
  2. Computer software can easily be wiped from a system and reinstalled, allowing non-free software to be removed in a way that cannot be done with poison from a human body. [Some poisons have antidotes, but “most antidotes are not 100% effective, and fatalities may still occur even when an antidote has been given.”]

Therefore, the question of how one can determine whether a piece of non-free software is harmful or not, the merits of free software, and the deficiencies of proprietary software are all off-topic in the context of this statement. I was simply discussing the scenario in which the piece of non-free software is not itself harmful (e.g., installing a non-malicious copy of Microsoft Word onto an otherwise-free system) and whether the analogy is apt.

I never said that the distinction “free vs. non-free” is problematic. What’s problematic is the stricture that containing even a single line of non-free code means that a compilation of software cannot qualify as “free software.” That fails to take into account reality. It prioritizes ideological purity over practicality and progress. It admits of no nuance, because even an open-source project that makes considerable sacrifices to fight for the cause of free software gets lumped in with the “non-free” likes of Microsoft and Apple simply for protecting its users from being instantly pwned the moment they connect to the net.

These are false dichotomies. They could simply expand their classification scheme to account for different levels of freedom and encourage incremental progress toward complete freedom instead of rejecting everything that contains even a drop of impure blood. How about at least recognizing that open-source Linux distros are much, much more free than Windows and partially endorsing them for all the good they’re doing for the cause of freedom? Instead, they say, “We don’t endorse other systems” because “they do not have a policy of only including free software.”

Off topic

Are you… are you serious? It’s literally one of the most controversial topics in food. And that Wikipedia article doesn’t even say it’s uncontroversial. In fact, it mostly discusses the limitations of the available evidence and difficulties of conducting studies, which happens to be part of the reason why it’s so controversial. Not sure if you follow this topic at all, but it’s been an enormous controversy for as long as I can remember:

Is eating organic produce healthier? Americans are divided | Pew Research Center

CNN.com In-Depth Specials - The Organic Debate: Healthier or not?

Health benefits of organic food, farming | News | Harvard T.H. Chan School of Public Health

The Endless Controversy Over Organic Food Production Methods - The Atlantic

Study sparks organic foods debate - BBC News

4 Science-Backed Health Benefits of Eating Organic | TIME

https://www.readersdigest.ca/food/healthy-food/organic-foods-debate/

The endless controversy over organics - Food Politics by Marion Nestle

I could go on for pages and pages, but I know you can use a search engine as well as I can.

Out of curiosity, do you also think abortion, gun control, vaccination, capitalism, climate change, evolution, minimum wage, or universal healthcare are uncontroversial?

On the contrary, it’s quite common for the media to cover the dangers of big tech and their proprietary devices. A couple of recent examples that come to mind out of the constant daily stream of them:

It depends on the situation. If we were living under an oppressive totalitarian regime and all unapproved speech were punished by immediate execution, then yeah, I’d say someone who insists that we all exercise our First Amendment rights is largely irrelevant. He’s going to get us all killed. What we would need in that scenario is a long-term plan for taking back our rights by escaping or overthrowing the totalitarian regime that begins from a sober evaluation of our current circumstances and comes up with a realistic series of manageable steps we can take with the resources available to get organized and make incremental progress toward our ultimate goal, not someone who insists on 100% free speech or bust.

This comes across like you were looking for some opportunity to throw my words back at me in a sarcastic tone but couldn’t really find one, so you kinda just tacked it on at the end even though it doesn’t really make sense because there’s no clear unexamined assumption being questioned here. Reads like a failed attempt at copypasta trolling, tbh.

You have to remember that many visitors will have no background in free software, open-source, or anything like that. They will have no clue what you’re talking about, and you will immediately lose them before they even get a chance to understand what Qubes even is.

You can’t just assume that the most important things to know should be in large red text on the front page.* If we actually followed that principle consistently, the front page would just be a giant wall of red text that read like the scrawlings of a madman. That ignores all principles of web design, marketing, human psychology, UX, and common sense. (Also, people disagree about which things are most important.)

Does a great book contain all the most important information in the first chapter? Do the most effective ads always just tell you the most important things to know about the product?

[* I assume you meant “front page” when you wrote “main website,” because the FAQs are already on the main website, and footnotes are, by definition, on the same page as their text, so they’d also be on the main website. But even if you just meant “some very prominent place on the website,” I’d probably still say the same thing.]

So this is when the non-free repositories should be enabled, not in the default case. This is how I read “if possible”.

I just do not see any other reason to lower the security of the Debian templates by enabling the non-free repositories.

Please avoid personal attacks. This is not even about FOSS advocates or even FOSS at all. I just don’t see any reason to change the Debian templates from the default ones in the default installation case. It’s also about security, see below.

Did you miss my lengthy essay above explaining why non-free software is less secure than free software? I expected that you, as someone “caring very much about free software”, already knew this. Lack of the source code means trusting the developers of the blob, without community verification. This is, technically speaking, strictly less secure, all else being equal. People probably rely on Debian templates for offline storage of sensitive data, yet, these templates get auto-updates of closed software not controlled by the user or the community. Any serious reason why it must be like this? According to your well-worded list, I see no reason to do it. AFAIK it would not negatively affect anything in points 1-3.

You forgot that it should be also needed for something at all.

Adding unnecessary proprietary software into the Qubes templates is security-related.

Non-free software is harmful to the computer security. Well, not directly harmful of course. It just lowers the security by removing the “verify” from “trust but verify”, or at least making “verify” significantly harder. (I understand that sometimes non-free software is necessary to run your hardware. This is not the case that I am discussing.)

This is problematic, because (1) you have to know when your system is compromised, which is impossible, and (2) the BIOS can be infected, so reinstalling the OS won’t help. Of course, you can also reflash your BIOS with a flasher, but it drastically decreases the number of people who can do it and increases the effort of reinstalling. How often do you reinstall something to keep your system secure?

Therefore, the question of how to determine whether a software is harmful (or, more precisely, how to determine whether the software has unreasonably higher likelihood of being harmful) is not off-topic here.

This is a hypothetical situation, which does not occur in the real world. Every piece of software is potentially harmful. The only difference is the degree of how probable this is and whether you should consider replacing it, if this probability is higher than for the alternative software.

So you disagree with the Wikipedia definition, which you yourself insisted to be reasonable?

This is just a definition. Changing reasonable and clear definitions is not how you should “take into account reality”.

Just accept that your software is not “ideologically pure”. Problem solved?

I see your point. Consider saying “Qubes OS is licensed with GPLv2, except binary firmware” or something similar. This would be honest unlike trying to change the settled definitions in the community.

I agree and AFAIK they are working on it. See also: Support the Freedom Ladder campaign: Lessons we learned so far and what's next — Free Software Foundation — Working together for free software.

I put your reply in spoiler to keep this discussion more clear; I hope you don’t mind. I started another topic about it, will reply there.

Where do these articles say that the problem is proprietary software? They don’t even say anything about freedoms and rights. It’s just popular bashing of the big tech.

I agree with you. I hope FSF is going to follow such path, see my link above.

There is no sarcasm. I honestly believe in this quote and that lack of strong push for free software harms the humanity.

So why do you insist that it’s so important to say “Qubes OS is free software”?

FAQ doesn’t mention that Debian is non-free. Moreover, it misleads the readers by saying

Not currently, for the same reasons that Debian is not certified.

And the reason that Debian is not FSF-endorsed is not non-free software incorporated into the .iso file. By the way, I was misled by this, too.

This is our disagreement. Free and open software is just as insecure as closed software is. The whole audit argument is shallow, because in reality most people don’t and most projects aren’t. It relies on the idea that because the code is open, someone will find the malicious code and bad guys won’t even dare to include it. Reality shows that’s complete nonsense.

The vast majority of vulnerabilities are introduced accidentally. What’s a hacker’s first step? Get the firmware, disassemble and analyze it. If there is no disassembler, then one creates a simulated execution environment to observe the code. You know when a researcher can simply skip that part? When it’s free and open source! (No, that doesn’t make FOSS less secure but it certainly doesn’t make it more so either … it’s just a question of effort).

There are very good reasons to promote and prefer FOSS. For me personally the most important one is that software I rely on can’t really be abandoned. In the worst case I can take the source and fix/extend myself. If the project goes into a direction I don’t like I can fork if I care enough etc. Or as happened once or twice with my use of Qubes OS, if something works differently than I expect and no one can tell me why, I can look at the code and find out myself.

1 Like

This was insightful, thanks.

What are your thoughts on the Intel ME? Do you think it’s largely overblown hysteria - since anyone could “disassemble and analyze it” or “create a simulated execution environment to observe the code”? (The idea being, if there was anything malicious in there, someone could find it anyway, so why would Intel put it in there?)

I really hope so because it’s really tempting to get one’s hands on some faster CPUs.

For a few years I’ve thought of any computer without Intel ME disabled/neutralized to be compromised, even if it runs Qubes OS, because the Intel ME could be spying on everything anyway. Hence my question.

We agree, then.

That’s like saying, “It’s not off-topic, because it’s what I want to talk about.” Sure, I guess, but you’re the one who replied to me to begin with.

We’re just talking about different things.

The Wikipedia definition I quoted doesn’t say anything about a 100% purity requirement.

(Btw, it’s not that Wikipedia has any special authority or is a “good source” or anything like that. It’s simply a reflection of the edits of a large number of internet users over time, which can be a handy way to get a sense of how certain terms are commonly used and understood.)

It’s not just a definition. It’s a seal of approval. Even the FSF itself regards it as such. I think you already know that, and acting as though you don’t seems somewhat disingenuous.

We’ve never claimed that Qubes is ideologically pure by the FSF’s lights, so there is nothing new to “accept.”

The problem is not solved, because the problem is ideologues trying to come in here and tell us that we can’t call Qubes “free software” in a non-technical intro blurb even if we also go out of our way to painstakingly clarify to their satisfaction the precise ways in which it is and isn’t free in a footnote or extended FAQ entry, because the latter “aren’t visible enough.”

I have no problem with saying that.

Quote verbatim the allegedly dishonest thing I wrote and explain exactly how it’s dishonest. I’m waiting.

In the meantime:

You didn’t say “proprietary software”; you said “proprietary devices”:

Moving the goalpost.

Because the founders and developers of Qubes have made enormous sacrifices to make Qubes as free as possible without giving up security. ITL has donated countless funds to keep it afloat for over a decade. The developers, with their skills and experience, could have been making many multiples of their salaries by working on proprietary software. They’ve made immense personal financial sacrifices to give the world a secure open-source operating system that regular people can use without paying a dime. Telling them that they’re not allowed to call their creation “free” because it contains, by practical necessity, a few proprietary blobs (through no fault of theirs) denigrates their efforts and sacrifices. If everything short of perfection is all lumped into the same pile, then they might as well give up and go work for Google, Apple, or Microsoft, where their skills will be duly rewarded at market rates.

The reality is that, right now, a 100% free OS can’t be reasonably secure. Qubes is as close as we can get for now. It’s not the Qubes devs’ fault that security currently requires a certain number of proprietary blobs. They didn’t create that situation or ask for it. They don’t have the power to change it. They’re just trying to navigate around it as best they can while still maximizing freedom to the extent feasible. If Qubes isn’t free enough, then what are people who care about both security and freedom supposed to even use? The devs have worked tirelessly for the cause of secure free software, yet ideological purists are telling them, “Nope. Not 100%, so not good enough. Sorry.” Why should the rest of the world even care what they think, then?

The documentation is a volunteer community effort. We rely on the whole community to contribute, fix errors, and make improvements, and it’s all transparent and open-source. It looks like that line was added by @michael in 2015:

While I’m not well-versed in the specifics of the situation with the FSF and Debian, I’m confident that Michael did not intend to mislead you or anyone else. He was simply doing his best to help improve the FAQ with what he believed to be helpful information. If there is a factual error here, it was certainly not intentional. Our goal has always been for everything on the website to be factually accurate, and we’ve always welcomed good corrections.

3 Likes

I’ve updated the FAQ entry based on what was discussed here:

1 Like

In 1995 someone pointed out the issues that were weaponized into Spectre and Meltdown; Intel/NSA/“they” could have had a working exploit for a really long time and not told anyone.

Even if Intel gave you a CPU with ME removed, there is no way for you to know if it’s safe to use; the backdoor doesn’t need to be in ME.

I’m personally more worried about whether I can trust the in-hardware crypto than whether there is a hidden backdoor in ME. I expect there to be undisclosed transient execution exploits that can do close to the same as a backdoor in ME.

@gs-542 I’m not really worried about Intel putting anything malicious in there for legal and business reasons.

What I am worried about is:

  1. Intel engineers creating imperfect software that then can be analyzed and exploited by malicious actors.
  2. An architecture that creates a second computer (with network connection and access to all peripherals) that can observe and manipulate everything that runs on my CPU. Basically a built-in KVM+. I get why that might be a desired thing for corporate uses, but I don’t want it and do not appreciate not being given an option.

I’m with you there because the ME is basically an undetectable backdoor. There could be people who have keys AND it might be exploitable by people without keys.

I don’t like it for the same reasons crypto with back doors doesn’t make sense. Once access is possible, bad people can use it too.

Note how none of this has anything to do with open source. I’d still be against the architecture even if it were fully open source. I just do not want the capability.

Hence disabling and neutering or removing it is the only reasonable action in my eyes.

Well, it is until it isn’t. :wink: Maybe someone somewhere already has a 0-day. Probably.

Long story short: there are many very good technical, political and ethical reasons to want free and open source code. Security is not a factor either for or against.

1 Like

This is a perfect summary of why this thread bothered me so much. Thank you as always for cutting to the core and putting it into well thought out words.

2 Likes

This is why I prefer when people use libre to classify software that doesn’t contain any closed-source elements; it’s so much easier to understand, and you don’t have the issue with the word being used the “wrong way”.

Most people don’t automatically assume that free is the FSF definition of free; it has other meanings. To many people, it just means you can freely use the software, you don’t need to pay for a license, and you can freely copy it.

1 Like

It seems this discussion mixes two very different things making some replies unclear: FSF-endorsement (which you can reasonably call “ideological pureness”) and the free code license (the Wikipedia/community definition). The former is not achievable for Qubes, because of its security goals (as @adw explained quite well in the updated FAQ), whereas the latter applies to Qubes code, except the binary firmware necessary to use it on most hardware. There is no ideology in the latter definition. It’s just based on the type of license. You shouldn’t call a mix of free and non-free software “free software”, because it’s simply misleading and wrong, even if you have good intentions. Yes, it’s an amazing and costly achievement that Qubes is almost fully free software, and the Community, including me, values it very much. It’s why I am using and supporting it and spreading the word. But stretching definitions is not how you gain community respect. Debian rightfully call themselves “free operating system” on the main website. This is about the practical, license-based definition. Qubes currently is using “Debian non-official” without telling anyone. Fedora is not a free OS as a whole, and Wikipedia correctly doesn’t call it “free software”. Official Fedora website doesn’t call Fedora “free software” either:

Fedora creates an innovative, free, and open source platform for hardware, clouds, and containers that enables software developers and community members to build tailored solutions for their users.

I fail to see how my personal opinion matters here. I remind that we are talking about absolutely unnecessary and potentially untrustworthy software in the official Qubes template, without clearly explaining it to the users.

Wikipedia is not a source. It’s a list of (reliable and verifiable) sources, which reflects the accepted point of view in the society. It’s not a reflection of a large number of edits, unless the article is unfinished, or has edit wars. I think in this case the definition of free/open source software is pretty much settled, which is precisely reflected there.

I was talking about the licenses, not FSF-endorsement.

I’m sorry that I was unclear. There was no personal attack here. I am not talking about you but about the text in the FAQ, which you are seemingly trying to defend:

Qubes is free and open-source software (FOSS).

See above why I think that it’s dishonest.

The articles you quoted don’t have word “proprietary” at all. What do you understand by “proprietary devices” anyway if not devices running and requiring proprietary software? Moreover, the context of this discussion is free software and how its freedoms help users. I’m sorry if I was unclear somewhere.

The articles do not mention how the lack of user rights leads to their powerlessness, they just say that the companies doing bad things are bad.

What do you think about saying something along the following lines?

Qubes OS is a free OS, except the microcode, which is necessary to achieve security in modern hardware. The operating systems running inside Qubes OS by default (Fedora and Debian*) contain proprietary firmware required by most hardware today.

In other words, I suggest to remove the Fedora and Debian from the definition of Qubes OS. I guess I’m still running Qubes OS even if I replaced all templates with Trisquel. Am I right that nothing proprietary except the microcode exists in dom0?

*Having said that, I would like to repeat that I see no reason whatsoever to include proprietary firmware into Debian in the default Qubes configuration. Even if you believe that FLOSS doesn’t improve security (I’ll try to find some evidence otherwise), any unnecessary software increases the attack surface. It also breaks the expectations of regular Debian users who come to Qubes (like me) and goes against the Qubes FAQ about changing the distros. Manually changing the template for sys-net is an advanced feature, so I expect that such users should know how to add non-free repositories; and I am ready to help them do it, too. Choosing Debian as main template at install should give a warning that non-free repositories will be switched on to get the firmware, if needed.

1 Like

+1

:100:

:pensive:

If I understand correctly, you’re saying that it’s accurate to call something released under a free code license “free software.” Here’s what we currently have on the Software license | Qubes OS page:

Qubes OS is a compilation of software packages, each under its own license. The compilation is made available under the GNU General Public License version 2 (GPLv2).

The source code of Qubes OS is contained in repositories under the @QubesOS account on GitHub. This source code is made available under GPLv2, unless there is a LICENSE file in the root of the containing repository that specifies a different license.

The full text of the GPLv2 license can be found here.

If this page is accurate, and if GPLv2 is a free code license, then it seems to follow that it’s accurate to call Qubes OS “free software.” If this page is not accurate, then of course we should correct it, but I don’t recall anyone objecting to this page so far.

So, this says that Fedora “creates a free platform” (whatever that means). Compare:

Qubes OS is a free and open-source, security-oriented operating system for single-user desktop computing.

This says that Qubes OS “is a free operating system.”

You’ve stated that the former is acceptable to you, while the latter is not. Is that because of the verb “creates” rather than “is,” or the noun “platform” rather than “operating system,” or something else?

Off-topic discussion about Wikipedia

Sure it is. It’s just not always a suitable one.

They’re not always reliable and verified. People make mistakes. Sometimes edits are malicious and aren’t instantly caught.

If you think that Wikipedia editors are truly a representative sample of society at large and aren’t a self-selected group, then I don’t know what to tell you.

You’re putting words in my mouth. Please read the statement again.

Sounds fine, except this is still too much detail for the short <200-character description of Qubes OS that we need for the website meta description and character-limited descriptions in various places around the web, so we still need a solution for that. Remember that the entire description can’t just be about software freedom. People also need to know what the thing actually is, what it does, and why they should care. Those are actually the most important parts. (While software freedom might be the most important thing to you and some others in this thread, it’s not the most important consideration for everyone, and most regular folks have never even thought about it.)

1 Like

I don’t really know anything about the Debian template situation except what I’ve seen folks say in this thread (and have hitherto avoided discussing it for that reason). Let’s ask @marmarek:

  1. Is it true that we (the Qubes OS Project) add non-free code to our Debian templates that isn’t present in upstream Debian?
  2. If so, why do we do that? Is this an exception to our attitude toward changing guest distros for some special reason?
  3. What implications, if any, do you think this has on the accuracy of calling Qubes OS “free”? For example, is it inaccurate to say “Qubes OS is a free and open-source operating system,” and should we change that in our intro, FAQ, and the short description of Qubes OS we use around the web?

There are a few points here:

  1. Please do not confuse “firmware” with “applications”. Both are software, but there is a huge difference in their impact on the attack surface. Firmware does not run on the main CPU; it runs on a specific device (be it a network card, sound card, or something else). If a qube doesn’t have any of those attached, it has literally zero impact on the attack surface.
  2. We want the standard Qubes OS installation to be as easy to use as possible (which is already “hard” in the case of Qubes OS for many people). Setting Debian as a template for sys-net/sys-usb is one of the supported configurations (you can choose it during installation - there is a drop-down for the default template, or you can trivially change it later in sys-net’s settings). This feature was requested by many users. If the default Debian template weren’t usable for sys-net/sys-usb by default, we’d need to roll back that feature too (or even remove Debian from the default installation). I’d hate to do it, but we don’t have the capacity for handling even more support requests of the “I installed Qubes and cannot connect to the network” kind (we’ve been there before…).
  3. Finally, and perhaps most importantly, not including firmware packages in many cases does not mean the device won’t run “non-free software”. Some will still run it, just an older version from its internal ROM, possibly with many bugs that were already fixed in a later version. Not including firmware updates is a security risk.

Also, take a look at this issue: https://github.com/QubesOS/qubes-issues/issues/5123

3 Likes
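
Added example (not part of any post in this thread, and not Qubes or Debian project code): a small Python audit that lists which apt sources in a Debian template enable components outside `main`, covering both the one-line `sources.list` syntax and deb822 `.sources` files. The file contents in `SAMPLE` are constructed for illustration, and the function names are this example's own.

```python
"""List apt sources that enable components outside Debian's 'main' area."""
import re
from pathlib import Path

# Archive areas other than "main".
NON_MAIN = {"contrib", "non-free", "non-free-firmware"}


def parse_one_line(text):
    """Parse classic syntax: 'deb [options] URI suite component...'."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        m = re.match(
            r"(deb|deb-src)\s+(?:\[[^\]]*\]\s+)?(\S+)\s+(\S+)\s*(.*)$", line)
        if not m:
            continue
        kind, uri, suite, comps = m.groups()
        entries += [(kind, uri, suite, c) for c in comps.split()]
    return entries


def parse_deb822(text):
    """Parse deb822 stanzas (Types/URIs/Suites/Components/Enabled)."""
    entries = []
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields, key = {}, None
        for raw in stanza.splitlines():
            if raw.startswith("#"):
                continue
            if raw[:1] in (" ", "\t") and key:  # continuation line
                fields[key] += " " + raw.strip()
            elif ":" in raw:
                key, value = raw.split(":", 1)
                key = key.strip().lower()
                fields[key] = value.strip()
        # Only an explicit "no" is treated as disabled, so the audit
        # over-reports rather than under-reports.
        if fields.get("enabled", "yes").lower() == "no":
            continue
        for kind in fields.get("types", "").split():
            for uri in fields.get("uris", "").split():
                for suite in fields.get("suites", "").split():
                    for comp in fields.get("components", "").split():
                        entries.append((kind, uri, suite, comp))
    return entries


def non_main_entries(files):
    """files maps path -> content; returns (path, type, uri, suite, comp)."""
    findings = []
    for path, text in sorted(files.items()):
        parser = parse_deb822 if path.endswith(".sources") else parse_one_line
        for kind, uri, suite, comp in parser(text):
            if comp in NON_MAIN:
                findings.append((path, kind, uri, suite, comp))
    return findings


def load_apt_sources(root="/etc/apt"):
    """Read the real source files when run inside a template."""
    base = Path(root)
    extra = base / "sources.list.d"
    paths = [base / "sources.list",
             *sorted(extra.glob("*.list")), *sorted(extra.glob("*.sources"))]
    return {str(p): p.read_text() for p in paths if p.is_file()}


# Constructed sample input, not copied from any real template.
SAMPLE = {
    "/etc/apt/sources.list": (
        "# constructed sample\n"
        "deb [arch=amd64] https://deb.debian.org/debian bookworm main contrib non-free-firmware\n"
        "#deb https://deb.debian.org/debian bookworm-backports main non-free\n"
        "deb https://deb.debian.org/debian-security bookworm-security main\n"
    ),
    "/etc/apt/sources.list.d/example.sources": (
        "Types: deb deb-src\n"
        "URIs: https://deb.debian.org/debian\n"
        "Suites: bookworm-updates\n"
        "Components: main\n"
        " non-free\n"
        "\n"
        "Types: deb\n"
        "URIs: https://deb.debian.org/debian\n"
        "Suites: trixie\n"
        "Components: main contrib\n"
        "Enabled: no\n"
    ),
}

if __name__ == "__main__":
    files = load_apt_sources() or SAMPLE
    for finding in non_main_entries(files):
        print(*finding)
```

Commented-out lines and stanzas marked `Enabled: no` are skipped, so the output reflects only what apt would actually use.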

Running an x86 system without microcode updates is foolish. Projects like Libreboot and Trisquel that support x86 but do not include the needed microcode updates are fundamentally insecure and misguided. x86 is a fundamentally closed platform and will always require non-free microcode at a minimum. If you want to run Qubes OS on a fully-free system, the best way to get that is to help with the port of Xen to POWER, as POWER can be secure without non-free firmware.

1 Like

Most of this thread is not actually about microcode, but firmware for various auxiliary devices (wifi etc). Those are totally independent of the CPU architecture you use.

You can attempt to build your system with devices running only open-source firmware. If you want to achieve it in full, you’ll indeed probably need a POWER CPU (disclaimer: I haven’t checked the microcode situation there, but it is possible it’s better than on Intel/AMD). But it is very easy to get into a trap of old (proprietary or not) firmware. If you get a device that appears to work fine without loading any firmware blob, it simply runs a firmware stored on the device itself. It could be an open source firmware, sure, but in fact, you have very few ways of verifying that claim (you’d need a trustworthy way of extracting the firmware, and a reproducible build to compare against). In some cases this embedded firmware can in fact be updated (devices with writable firmware flash), but that has its own set of issues (you lose a reliable way to reset the device to a “clean” state).

Ideally you want auxiliary devices without mutable internal storage, and all the firmware must be loaded when the device is initialized. And that firmware you want to be free and open source and buildable by anyone.

In practice, many attempts at “blob-free” devices in fact fall into some of those categories:

  1. embedded non-updateable proprietary firmware; if that firmware is bug-free, then great, but we all know such a thing doesn’t exist, so you are forced to replace the whole device to get patches (if you are lucky enough to find one that actually exists)
  2. embedded (old) proprietary firmware, that is used if the OS doesn’t load a newer one; here, the rules for a “blob-free” system prevent you from shipping such an update, so while in theory it’s slightly better for user security than the previous point, in the eyes of the FSF it is worse
  3. embedded updatable proprietary firmware; here the device has mutable firmware storage that can be updated - if you load the update, it will run it later too; the downside is you lose some of the control over what firmware the device actually runs, because if your system becomes compromised once, the firmware can be replaced with a malicious one (including modification to refuse further updates). This is BTW a model that BIOS rootkits use - trendy topic recently, but those have existed for decades already.

Note that the FSF recommends option 1 (if no free firmware is available), which is actively harmful for users’ overall security, but also their freedom (no way to replace proprietary firmware with a free alternative when one becomes available).

3 Likes