Qubes Debian templates have non-free/contrib (apt) by default

Lace · February 29, 2024, 7:50pm

IMHO true

Isolator · March 2, 2024, 2:37am

Very interesting discussion.

In light of new information I have a couple of questions related to debian-minimal:

By default debian-minimal has the following components in sources.list: main contrib non-free non-free-firmware. Assuming debian-minimal is used as a template for service qubes with attached PCI devices, and if one just wants to keep firmware for those PCI devices up-to-date, is it enough to enable just main non-free-firmware?
Assuming that attached PCI device is an Intel ethernet controller, is it enough to install just firmware-linux --no-install-recommends metapackage that would pull firmware-amd-graphics firmware-linux-free firmware-linux-nonfree frimware-misc-nonfree as dependencies?

adrelanos · July 5, 2024, 4:44pm

Debian official image nowadays includes non-freedom firmware.

The Debian official media may include firmware that is otherwise not part of the Debian system to enable use of Debian with hardware that requires such firmware.

Source: General Resolution: non-free firmware

The winners
Option 5 “Change SC for non-free firmware in installer, one installer”

Source: General Resolution: non-free firmware

Note: SC stands for the Debian Social Contract.

Other sources stating the same:

Quote https://www.debian.org/

Debian is a complete Free Operating System!

Will you criticize Debian too and/or suggest a rewording of their homepage?

adw:

“Qubes OS is a free and open-source security-oriented operating system…”

How exactly is this not accurate? So far, I’ve seen several people in this thread say they agree that the statement isn’t accurate, but I haven’t seen anyone actually explain why they believe that. It obviously depends on how you define terms like “free” and “open-source.” The dispute seems to center on the term “free.” It’s clear that Debian, Fedora, and Qubes are not free (as in speech, aka libre) software according to some very restrictive definitions of “free” (namely, the FSF’s), but to claim that the statement in question is “inaccurate” seems to imply that Qubes is not free according to any common reasonable definition of free software, which sounds quite dubious to me. I’d like to hear a proper argument for that claim.

This is such a messy, confusing and geeky topic. I understand everyone’s point.

One of the biggest failures of the Open Source / Free Software movement is the terminology.

Open Source means OSI certified licenses for source code and binaries.
Free Software means FSF certified licences for soruce code and binaries.

Both terms are bad. Source code with a non-commercial clause that is available for non-commercial, review, modification, build must be called a “source-available license”. Quite a difficult and unpopular phrase. Using “open source” without the capical letters would also get criticized.

(This is just an example. I do not want to imply to push non-commercial licenses.)

I’ve met probably thousands of people in my life but it seems I am active in a tiny subculture. For “99%” of non-technical people I am talking to in real life, for them “Free Software” is understood as “free in price”. The capitalization does not make them perform a web search and look up the FSF definition either. However, on the internet I can find spirited discussions on the topic as if it is a huge deal, which it unfortunately, is not.

Hence people came up with other terms such as Libre Software, FOSS, FLOSS. Another suggestion Let's call it Freedom Software rather than Free Software or Open Source! - News - Whonix Forum has been made by me.

So what Qubes could do is say “we’re using the word free as understood by “99%” of non-technical people”? I mean, which word could Qubes legitimately use to imply it is free in price if not free? freeware, I guess, but that term will be misunderstood too by some because also defined differently.

It seems that a minority attempted to hijack the term “free” to mean “freedom” and so far failed with that.

Adding a gigantic footnote to the homepage, confuse, deter the majority of new users who have never heard about this controversy seems also wrong.

Even the FAQ might be the wrong place for extensive information on the topic? A short entry, OK but link to another dedicated page? The FAQ should contain frequently asked questions. Is this really frequently asked or was this rather added to the FAQ out of “convenience”? If not a FAQ, such type of design decisions / ideology would be better documented on a dedicated page?

fsflover · July 5, 2024, 7:59pm

And it is only installed if it’s necessary, unlike in Qubes. Also it allows to switch it off, unlike Qubes:

From Debian 12, the installer will automatically check for needed firmware blobs and add them as required. If you would prefer it not to, add

firmware=never

Debian is a free OS with non-free firmware included. Everything which Debian itself provides/develops is FLOSS, like with Qubes. Debian/Qubes do not develop the firmware and only add it on top of their work and distribute together, which means, one cannot call their .iso “free software” (it can’t be distributed with a FLOSS license).

I agree with you here.

Gratis? Free of charge? Actually, term FLOSS inludes both “free” and “libre”, which should clearly say that these words have different meanings.

I disagree. Whoever didn’t hear about this controversy should hear about it, because it concerns their own freedom and security (as you said yourself).

It is a frequently asked question about Qubes, including this topic. Ordinary people just didn’t hear about both FLOSS and Qubes. The question comes from advanced users. I believe it’s frequent enough at the moment, and even if it wasn’t, it should be in the FAQ for the reason I stated above.

adrelanos · July 5, 2024, 10:31pm

That is an interesting nuance to point out. Thank you.

Good. So they do have different meanings. In other words, by using the word FLOSS one admits that free and libre are different things?

Even on Free System Distribution Guidelines (GNU FSDG) they’re now writing:

free (libre)

Thereby in my opinion admitting that the meaning of “free” in this context is non-obvious. I wonder why they’re not replacing free (libre) with simply libre or freedom.

If these are different words, then why Qubes cannot use the word free?

But do they need to learn about the controversy on the Qubes homepage? I think no.

It’s a rabbit hole. And it’s not actionable for the user.

What should the user do instead? Forget about Qubes and use Free System Distribution Guidelines (GNU FSDG) approved distribution from the GNU FSDG GNU/Linux distributions list?

But the issue goes even deeper than that. Even some GNU FSDG listed distributions have issues. For example, PureOS ships Firefox. However, Firefox is clearly not GNU FSDG. This is why GNU IceCat exists. PureOS previuosly also acknowledged these issues by shipping PureBrowser, nowadays deprecated. Instead, PureOS nowadays ships Firefox but that comes with known software freedom issues:

Having a unresolved ticket since 2018 doesn’t fix software freedom issues.

And a lot more PureOS GNU FSDG issues can be found.

⚓ T991 [multiple issues] Feedback on "potential freedom issues in PureOS"

Even the GNU FSDG list is not well maintained. This rabbit hole isn’t useful for new users never having heard about this and wanting to get started with Qubes.

fsflover · July 6, 2024, 9:14am

No, I don’t think so. If you insist on telling the user that Qubes is free of charge, then you could use free and libre in “FLOSS” for that; I see no problem with that. However, AFAIK it wasn’t the intention. It’s just a consequence of the wrong term “free”, so it has to be explained. But why is the lack of payment so important anyway? If you say that, you will get a reply that “Qubes is only free if you don’t value your time”, which is not really wrong: It’s a steep curve to start using Qubes.

Again, it looks like an explanation of the ambiguous word “free”.

I agree. But providing a link is important, e.g., to Wikipedia. Answering the frequent question about Qubes is also important.

Of course it is. See how Debian implements it. Qubes should do it too, as evidenced by all the discussions I linked. Users want Qubes to list nonfree packages, so they can be easily identified and removed if possible. On my laptop, I do not need any proprietary packages at all (not even microcode: it’s in Pureboot), but it’s not easy to remove them all in Qubes.

We can start from a good documentation of the problem, as I explained above. Qubes has been too silent about it, as discussed in this topic. An Issue in PureOS about Firefox brings attention to the problem, as it should. It has never been an easy problem to solve. And too few people know about it.

It’s not deprecated. I have it on my Librem 5 and it receives regular updates. See this, which is still relevant AFAIK.

Most of the Qubes FAQ isn’t necessary to get started with Qubes, if not all of it. It doesn’t make it useless or unnecessary.

renehoj · July 6, 2024, 9:51am

You can use the minimal template, and install firmware-linux-nonfree or linux-firmware-free, it doesn’t come with firmware installed.

unman · July 6, 2024, 12:36pm

Thanks to @adrelanos for reviving this necro thread.

First, it’s not a Debian issue, so stop focussing on Debian. If it’s a
Qubes issue, then I welcome contributions that will fix it, rather
than repeated arguments and diversions off-topic.

@adw did a good job on the documentation, I think. If any one wants to
propose something that will improve it, then please either PM me with
proposal, or PR on GitHub.

On the Debian templates, the minimal should be fine. You can install
this, edit /etc/apt/sources.list to remove non-free-firmware, apt update and install what packages you want.

For the larger templates, these ship with non-free-firmware packages
installed. It is trivial to identify these and remove them - why
would any one say it is difficult?

apt install vrms
vrms -s |xargs apt remove -y

And before any one tells me that isnt trivial, I’d argue that any one
who cares enough about libre to make an issue of it, should be in control
of their system, and will find it trivial.
Edit /etc/apt/sources.list to remove non-free-firmware from the
repository list so you are not tainted by the presence of metadata from
that repository.
Done.

I’m assuming that purging from the Fedora templates is equally
straightforward.

I never presume to speak for the Qubes team. When I comment in the Forum I speak for myself.

adrelanos · July 8, 2024, 1:47pm

Because free things (without a catch) are usually in short supply. Leading to users having the assumption that most things aren’t free by default.

Admission that “free” is the wrong word.

if Qubes implemented making installation of non-freedom packages optional (which would be a nice feature indeed), then it could still be argued that the ISO itself is still non-freedom. It might not be executing non-freedom code during the ISO runtime, might not install non-freedom to the hard drive but the the ISO would still contain (ship, physically present on the ISO) non-freedom code. (Unless it would be downloaded if needed, but that would destroy the capability of the installer to be used offline, which is a nice security, usability and reliability feature.)

So even if implemented as you said, the complaint about the ISO still containing or recommending non-freedom would remain. And rightly so. For Debian, some users reported still non-freedom code being touched. ([Solved] firmware=never doesn't seem to prevent firmware from being loaded in the Debian 12.1 Xfce Live Installer - Debian User Forums)

There only way to ensure this doesn’t happen would be a separate ISO that comes without any non-freedom packages.

According to the GNU FSDG this would still not be good enough and I understand why. Non-freedom code is still only 1 build script bug away. So total protection from non-freedom code can only be accomplished by not having any references to it in the source code.

Due to this messy state, I can imagine that developers are not motivated to work towards this.

Reference would be appreciated. Feel free to post in Pureboot / coreboot / purism related forum thread and tag me there.

fsflover · July 29, 2024, 9:31pm

“Without a catch” is the key here: Qubes requires quite a bit of effort to use, including adapting your habits. I wouldn’t promote the gratis nature of Qubes too much. Nowadays, there is enough free stuff on the Internet “without a catch”, so I don’t think it’s really so special. The ambiguous word “free” in “free software” however works well here

Sure, but this is a much lower degree of “non-freedom”. It wouldn’t win an FSF endorsement, but in certain cases it would make the installed Qubes OS technically free as defined by the license. Some people value this, too; not everyone is a complete purist.

One, two.

(I believe it’s not too much off-topic here, since it highlights that a completely free Qubes OS wouldn’t be useless as some posts imply here.)

AFAIK the whole point of making the software purely free (FSF-endorsed) by default is to help people from unknowingly using nonfree software. This implies that non-technical people also need to be able to avoid the blobs. But even the technical people usually prefer to avoid too many trivial configuration actions.

I guess it’s useful to discuss possible contributions before making them and confirm that developers aren’t against it.

skyvine · October 20, 2024, 2:27pm

To be fair, I think most of the extra effort required to use QubesOS has more to do with the complexity of the problems being solved rather than software deficiencies that can be attributed to funding levels. It’s going to be more complicated to maintain a system that has separate VMs for managing the network access of other VMs than it is to use a bare-metal OS no matter how much you polish the UX (UX polish is still appreciated though!).