B43 Firmware package - security

Postby AWA » 2017-11-04 16:59

Hello

I've noticed that while installing the needed contrib package b43 (firmware for the Broadcom wifi card) the package is downloading some stuff from an external website
http://www.lwfinger.com/b43-firmware/in ... _5.100.138

I'm a bit surprised... Does it pose any risk to the system security? Actually it is something beyond the control of the community... but using a wi-fi connection is something that cannot be avoided when using a laptop.

Is installing b43 100% safe?
If it cannot be considered 100% safe, is there any working alternative?

Thanks
Best regards

AWA
AWA
 
Posts: 3
Joined: 2017-11-04 16:50

Re: B43 Firmware package - security

Postby stevepusser » 2017-11-04 18:55

It has to download the firmware from Broadcom, since the company won't reply to repeated requests as to whether it's permitted to redistribute their firmware in a package. It's the best Debian can do under the circumstances.
The MX Linux repositories: Backports galore! If we don't have something, just ask and we'll try--we like challenges. New packages: Krita 3.3.2.1, Pale Moon 27.6.0, Audacity 2.2.0, mpv 0.27.0, Corebird 1.7.1, Firefox 57.0, SMPlayer 17.11.2
stevepusser
 
Posts: 8903
Joined: 2009-10-06 05:53

Re: B43 Firmware package - security

Postby Head_on_a_Stick » 2017-11-04 19:26

AWA wrote:Is installing b43 100% safe?

No, Broadcom do not supply the source code for the firmware so we have no idea what it does.

If it cannot be considered 100% safe, is there any working alternative?

Not at the moment — even the hardware which does not require the firmware to be loaded from the operating system has the blobs installed at the factory anyway so this problem applies to _all_ hardware, even that covered by the main repositories in Debian :(

The only real solution is true open-source hardware and we don't have anything like that.

Yet.
"Only the mediocre are always at their best." — Jean Giraudoux
Head_on_a_Stick
 
Posts: 6669
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: B43 Firmware package - security

Postby AWA » 2017-11-05 07:55

Head_on_a_Stick wrote:
AWA wrote:Is installing b43 100% safe?

No, Broadcom do not supply the source code for the firmware so we have no idea what it does.

If it cannot be considered 100% safe, is there any working alternative?

Not at the moment — even the hardware which does not require the firmware to be loaded from the operating system has the blobs installed at the factory anyway so this problem applies to _all_ hardware, even that covered by the main repositories in Debian :(

The only real solution is true open-source hardware and we don't have anything like that.

Yet.

Thank you!
A further question. Assuming that the proprietary Broadcom drivers don't contain any harmful software, is the package itself safe? I mean, it points to an external website. How can I be sure that it has not been compromised?
I've done a bit of research and read that all packages are digitally signed, but although it's clear to me how that works with the "main" repo, I cannot figure out how it can work with a package from the "contrib" repo that points to an external website.

I'm really a newbie of Debian, sorry if it is a silly question...
AWA
 
Posts: 3
Joined: 2017-11-04 16:50

Re: B43 Firmware package - security

Postby debiman » 2017-11-05 08:34

that's an interesting point:
is the package downloaded from broadcom checksummed, i.e. does apt make sure that it is/contains what is expected?
i'd say yes, it must be, but i honestly don't know.
debiman
 
Posts: 1528
Joined: 2013-03-12 07:18

Re: B43 Firmware package - security

Postby Head_on_a_Stick » 2017-11-05 08:48

AWA wrote:A further question. Assuming that the proprietary Broadcom drivers don't contain any harmful software, is the package itself safe? I mean, it points to an external website. How can I be sure that it has not been compromised?
I've done a bit of research and read that all packages are digitally signed, but although it's clear to me how that works with the "main" repo, I cannot figure out how it can work with a package from the "contrib" repo that points to an external website.

I've never needed to install the Broadcom packages but APT usually checksums any downloaded third party software, I know that it does that for ttf-mscorefonts-installer and that seems to be a similar arrangement.
"Only the mediocre are always at their best." — Jean Giraudoux
Head_on_a_Stick
 
Posts: 6669
Joined: 2014-06-01 17:46
Location: /dev/chair
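The arrangement Head_on_a_Stick describes, where the downloaded blob must match a digest shipped inside the signed package so that APT's signature transitively covers the download, looks roughly like this. This is an added POSIX sh example, not the b43 package's own maintainer script; the sample blob, its digest, the URL and the helper names are all constructed for illustration.

```shell
#!/bin/sh
# Added example: pin a downloaded firmware blob to a SHA-256 digest that
# ships inside the signed package, and refuse to install on mismatch.
# Everything here (blob contents, digest, URL) is constructed, not real.
set -eu

# Build a constructed sample blob and its pinned digest so this runs offline.
make_sample() {
    dir=$(mktemp -d)
    printf 'constructed firmware bytes\n' > "$dir/blob.bin"
    sha256sum "$dir/blob.bin" | cut -d' ' -f1 > "$dir/pinned.sha256"
    echo "$dir"
}

# verify_blob FILE PINNED_DIGEST -> returns 0 on match, 1 on mismatch.
verify_blob() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    if [ "$actual" = "$2" ]; then
        return 0
    fi
    echo "checksum mismatch for $1: expected $2, got $actual" >&2
    return 1
}

# fetch_and_verify URL DEST PINNED_DIGEST: download to a temp file, then
# move it into place only if the digest matches; otherwise delete it.
fetch_and_verify() {
    url=$1; dest=$2; pinned=$3
    tmp=$(mktemp)
    # wget exits non-zero on a failed download, so "set -e" aborts here too.
    wget -q -O "$tmp" "$url"
    if verify_blob "$tmp" "$pinned"; then
        mv "$tmp" "$dest"
        return 0
    fi
    rm -f "$tmp"   # never leave an unverified blob on disk
    return 1
}
```

The digest in pinned.sha256 is what the package maintainer would embed at build time; the mismatch branch is what protects against a changed or tampered file on the external site, though it cannot say anything about what the blob itself does.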

Re: B43 Firmware package - security

Postby AWA » 2017-11-05 14:26

If APT checks the checksum, what other checksum can it compare the value against? As far as I've understood till now there isn't any support "whatsoever" from Broadcom.

By the way, do you think that installing the unofficial Debian image that already contains the firmware is, in the end, a safer choice?

Thank you very much for your help :)
AWA
 
Posts: 3
Joined: 2017-11-04 16:50

Re: B43 Firmware package - security

Postby shep » 2017-11-05 17:58

The firmware is the same whether it runs on Windows, OS X or Linux.

It is possible to extract firmware from Windows driver files with cabextract.

So if your Broadcom device came with a CD of Windows drivers, or if the manufacturer provides secure downloads of the drivers, in theory you can bypass questionable download sites.

F/U: I ran a quick search on extracting Broadcom firmware and there is a utility, fwcutter, in the Debian package system that can extract said firmware.
shep
 
Posts: 130
Joined: 2011-03-15 15:22

Re: B43 Firmware package - security

Postby debiman » 2017-11-05 18:07

you pose interesting questions and i commend your interest.
but from what you're writing i can also see that you lack a little basic knowledge as far as these things are concerned. maybe just try some reading, here on the forums, the debian wiki, various blogs (but make sure they talk about actual debian, and not some derivative like ubuntu or raspbian or kali)...
debiman
 
Posts: 1528
Joined: 2013-03-12 07:18
