Debian faces firmware furore from FOSS freedom fighters
Convenience or purity? You can only choose one
A painful issue for Linux distros that are built on free software is firmware. This especially affects Debian, as outlined by former project head Steve Mcintyre here, and it's getting worse with time.
Firmware is only called that for historical reasons now, which we'll go into below. It's no longer "firm" at all, it's just files on a disk, like the rest of the OS – but it's unlike OS code in two important ways.
Firstly, it doesn't execute on the CPU. It's uploaded into a peripheral device's RAM, and there it runs on the processors inside the graphics card, or network controller, or radio controller, or whatever.
The second difference is only important if the OS in question is built from open source. Most firmware is proprietary software, usually supplied by hardware vendors, in the form of binary large objects (blobs). Generally, hardware vendors provide it free of charge because you've already bought their device – they've made their money. But you need it for your hardware to function properly.
Open-source OSes are built from openly available source code, compiled with open-source compilers, and distributed under open-source licenses.
In principle, you could inspect all that source and make sure that it does nothing nefarious… if you have the time, budget, and labor force. But nobody has and nobody does; everyone just trusts it. What's more important is that this also means that you can distribute it freely, copy it, run from tens to millions of instances of it without paying, move it between countries and jurisdictions without a problem, and so on.
This is why open-source distros don't include proprietary apps such as Google Chrome, Skype, Adobe Reader, and so on – because they have terms and conditions attached, to which not everyone agrees, and not everyone is willing to just trust these black-box programs not to, for instance, phone home with usage information.
As above, so below
The snag is that this also applies to firmware blobs. They're not part of the OS. They come from third parties, pre-compiled, with no source code available. They can't be inspected or studied, so there's no knowing what they do or how they do it, and whether they have hidden extra functions you might not want.
If you're running an OS that is mostly or wholly proprietary, such as Windows or macOS, this isn't a big problem: the whole OS is a black box that you've decided to trust. Most computer users don't care, and that's a perfectly valid decision to make.
And because most people are not worried, there are many Linux distributions that take the same line and readily include drivers containing proprietary firmware blobs so that things like Wi-Fi and Bluetooth work immediately, even on the bootable ISO image.
Some people care a great deal about this, though. The GNU Project states why and provides a list of all-free-software distros – and a considerably longer list of disapproved ones. The kernel itself contains some firmware blobs, and there's a special fork of the kernel, Linux-libre, which removes them.
If you're specifying the hardware, you can omit devices which need such blobs. Puri.sm, vendor of all-FOSS PCs, does exactly that, as well as explaining why. The snag is that its high-end laptop comes with 2009-spec 802.11n Wi-Fi.
Some devices do have FOSS firmware, or include it on a ROM chip in the device itself, and Debian includes their firmware. The Debian project also produces separate installation images containing non-free firmware – but as the URL itself says, they are unofficial.
This situation has encouraged meta-distributions of Debian with additional non-free drivers, from simple projects with minimal alterations, such as the Debian Gotham Needs, up to full-fledged distros such as Linux Mint Debian Edition.
The other side of the coin is more extensively modified all-FOSS variants, such as Puri.sm's own PureOS.
- Raspberry Pi OS update beefs up security
- Chinese distro Deepin hits 20.5, complete with browser called Browser
- Rolling Rhino: A rolling-release remix of Ubuntu
- The wild world of non-C operating systems
Ubuntu itself began as a meta-distro of Debian. One description of the original mission of Ubuntu was that "their goal is to make it easier to consume Debian Sid."
All this distracts effort away from Debian itself – which some already argue has problems attracting enough developers and maintainers, even without other disagreements such as the one that led to the forking of Devuan.
There is no easy answer to this. The underlying differences are ideological. It's a fact of life that different people have different motivations. Some value purity over convenience, and will happily plug in a USB Wi-Fi adapter, or tolerate slow built-in Wi-Fi, rather than use non-FOSS drivers. Others, reasonably enough, just want to use all the hardware in their computers, even if that means using some proprietary code.
In theory, it would be ideal if there were some way to appease both the pragmatic and the purists, the systemd advocates and those who abhor it. It would be good for Debian, and that would be good for most desktop Linux users.
Favor either group, though, and you alienate the other.
Why it's called 'firm' and what changed
Decades ago, there was a clear distinction between hardware and software. Hardware meant you could kick it: material, physical kit. Software is just executable data, ones and zeros. You can store it on various media and transmit it to remote locations.
But hardware needs software in it to work at all. Sometimes, that software must be available as soon as the device is turned on. Decades ago, this was built into ROM chips inside the device. That made software tangible and concrete. You could hold in your hand, and kick it if so inclined. But unlike hardware, it can often be replaced. Rewrite the ROM and put a newer version in it. It's not exactly software, and it's not exactly hardware, so it was dubbed firmware.
The problem is that these days, if you don't need that software present the moment the computer is powered on, you can save a few cents per unit by omitting the ROM chips, and having the OS load the devices' firmware when they're initialized. It's still firmware, but now the OS on a different processor reads it from a file and uploads it into the device's onboard RAM.
A modern PC or phone isn't a single computer. It's a box containing an assortment of dozens of separate, different computers, networked together. This is true down to the level of chips. Modern Intel processors include a smaller x86 processor-management processor with its own OS (a version of Minix 3), while AMD chips have a System Management Unit (SMU) based on a Lattice Semiconductor Mico32 RISC core.
Probably the only real ROM in your computer is the main one on the motherboard – formerly the BIOS, and more recently UEFI – because without it, your computer won't boot. All the other firmware is loaded when it's needed. As ever, it's more work and causes problems, but it's cheaper that way. ®