B43 Firmware package - security

Linux Kernel, Network, and Services configuration.
AWA
Posts: 5
Joined: 2017-11-04 16:50

B43 Firmware package - security

#1 Post by AWA »

Hello

I've noticed that while installing the needed contrib package b43 (firmware for the Broadcom wifi card), the package downloads some stuff from an external website:
http://www.lwfinger.com/b43-firmware/in ... _5.100.138

I'm a bit surprised... Does it pose any risk to the system security? Actually it is something beyond the control of the community... but using a wi-fi connection is something that cannot be avoided when using a laptop.

Is installing b43 100% safe?
If it cannot be considered 100% safe, is there any working alternative?

Thanks
Best regards

AWA

stevepusser
Posts: 12930
Joined: 2009-10-06 05:53

Re: B43 Firmware package - security

#2 Post by stevepusser »

It has to download the firmware from Broadcom, since the company won't reply to repeated requests as to whether it's permitted to redistribute their firmware in a package. It's the best Debian can do under the circumstances.
MX Linux packager and developer

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England

Re: B43 Firmware package - security

#3 Post by Head_on_a_Stick »

AWA wrote: Is installing b43 100% safe?
No, Broadcom do not supply the source code for the firmware so we have no idea what it does.
AWA wrote: If it cannot be considered 100% safe, is there any working alternative?
Not at the moment — even the hardware which does not require the firmware to be loaded from the operating system has the blobs installed at the factory anyway so this problem applies to _all_ hardware, even that covered by the main repositories in Debian :(

The only real solution is true open-source hardware and we don't have anything like that.

Yet.
deadbang

AWA
Posts: 5
Joined: 2017-11-04 16:50

Re: B43 Firmware package - security

#4 Post by AWA »

Head_on_a_Stick wrote:
AWA wrote: Is installing b43 100% safe?
No, Broadcom do not supply the source code for the firmware so we have no idea what it does.
AWA wrote: If it cannot be considered 100% safe, is there any working alternative?
Not at the moment — even the hardware which does not require the firmware to be loaded from the operating system has the blobs installed at the factory anyway so this problem applies to _all_ hardware, even that covered by the main repositories in Debian :(

The only real solution is true open-source hardware and we don't have anything like that.

Yet.
Thank you!
A further question. Assuming that the proprietary Broadcom drivers don't contain any harmful software, is the package itself safe? I mean, it points to an external website. How can we be sure that they have not been compromised?
I've done a bit of research and read that all packages are digitally signed, but although it's clear to me how that works with the "main repo", I cannot figure out how it can work with a package from the "contrib repo" that points to an external website.

I'm really a newbie to Debian, sorry if it is a silly question...

debiman
Posts: 3063
Joined: 2013-03-12 07:18

Re: B43 Firmware package - security

#5 Post by debiman »

that's an interesting point:
is the package downloaded from broadcom checksummed, i.e. does apt make sure that it is/contains what is expected?
i'd say yes, it must be, but i honestly don't know.

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England

Re: B43 Firmware package - security

#6 Post by Head_on_a_Stick »

AWA wrote: A further question. Assuming that the proprietary Broadcom drivers don't contain any harmful software, is the package itself safe? I mean, it points to an external website. How can we be sure that they have not been compromised?
I've done a bit of research and read that all packages are digitally signed, but although it's clear to me how that works with the "main repo", I cannot figure out how it can work with a package from the "contrib repo" that points to an external website.
I've never needed to install the Broadcom packages but APT usually checksums any downloaded third party software, I know that it does that for ttf-mscorefonts-installer and that seems to be a similar arrangement.
deadbang

AWA
Posts: 5
Joined: 2017-11-04 16:50

Re: B43 Firmware package - security

#7 Post by AWA »

If APT computes the checksum, with what other checksum can it compare the value? As far as I've understood till now, there isn't any "whatsoever" support by Broadcom.

By the way, do you think that installing the unofficial Debian image already containing the firmware is in the end a safer choice?

Thank you very much for your help :)
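Added example (editor's illustration, not code from any poster or from the Debian package itself) of the checksum pattern the thread is debating: the expected digest is pinned inside the installer package, which APT has already verified against the Debian archive signature, so the external download site only has to deliver the bytes and is never trusted on its own. The digest below is a constructed fixture (SHA-256 of the string "hello"), and the URL, file names and `fetch_and_verify` helper are assumptions standing in for whatever a real package would use.

```shell
#!/bin/sh
# Expected digest shipped inside the (signed) package. Constructed fixture:
# SHA-256 of "hello", not a real firmware digest.
EXPECTED_SHA256="2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"

# verify_blob FILE EXPECTED
# Returns 0 when FILE's SHA-256 equals EXPECTED, 1 otherwise.
verify_blob() {
    file="$1"
    expected="$2"
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# fetch_and_verify URL EXPECTED DEST
# Download into a temporary file, verify it, and only then move it into place.
# On any failure nothing is installed and the temp file is removed, so a
# tampered or truncated download cannot end up as a loaded firmware blob.
fetch_and_verify() {
    url="$1"
    expected="$2"
    dest="$3"
    tmp=$(mktemp) || return 1
    if ! wget -q -O "$tmp" "$url"; then
        rm -f "$tmp"
        echo "download failed: $url" >&2
        return 1
    fi
    if ! verify_blob "$tmp" "$expected"; then
        rm -f "$tmp"
        echo "checksum mismatch for $url: refusing to install" >&2
        return 1
    fi
    mv "$tmp" "$dest"
}

# Example call (hypothetical URL and destination; not run by the test):
# fetch_and_verify "https://example.invalid/firmware.tar.bz2" \
#     "$EXPECTED_SHA256" /tmp/firmware.tar.bz2
```

The integrity check answers the "compare against what?" question; it does not, and cannot, say anything about what the verified blob does once loaded, which is the separate point made earlier in the thread.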

shep
Posts: 423
Joined: 2011-03-15 15:22

Re: B43 Firmware package - security

#8 Post by shep »

The firmware is the same whether it runs on Windows, OS X or Linux.

It is possible to extract firmware from Windows files with cabextract.

So if your Broadcom device came with a CD of Windows drivers, or if the manufacturer provides secure downloads of the drivers, in theory you can bypass questionable download sites.

F/U: I ran a quick search on extracting Broadcom firmware and there is a utility, fwcutter, in the Debian package system that can extract said firmware.

debiman
Posts: 3063
Joined: 2013-03-12 07:18

Re: B43 Firmware package - security

#9 Post by debiman »

you pose interesting questions and i commend your interest.
but from what you're writing i can also see that you lack a little basic knowledge as far as these things are concerned. maybe just try some reading, here on the forums, debian wiki, various blogs (but make sure they talk about actual debian, and not some derivative like ubuntu or raspbian or kali)...
