Hello
I've noticed that while installing the needed contrib package b43 (firmware for the Broadcom wifi card) the package is downloading some stuff from an external website
http://www.lwfinger.com/b43-firmware/in ... _5.100.138
I'm a bit surprised... Does it pose any risk to system security? Actually it is something beyond the control of the community... but using a wi-fi connection is something that cannot be avoided when using a laptop.
Is installing b43 100% safe?
If it cannot be considered 100% safe, is there any working alternative?
Thanks
Best regards
AWA
B43 Firmware package - security
- stevepusser
- Posts: 12930
- Joined: 2009-10-06 05:53
- Has thanked: 41 times
- Been thanked: 71 times
Re: B43 Firmware package - security
It has to download the firmware from Broadcom, since the company won't reply to repeated requests as to whether it's permitted to redistribute their firmware in a package. It's the best Debian can do under the circumstances.
MX Linux packager and developer
- Head_on_a_Stick
- Posts: 14114
- Joined: 2014-06-01 17:46
- Location: London, England
- Has thanked: 81 times
- Been thanked: 133 times
Re: B43 Firmware package - security
AWA wrote:Is installing b43 100% safe?
No, Broadcom do not supply the source code for the firmware so we have no idea what it does.
AWA wrote:If it cannot be considered 100% safe, is there any working alternative?
Not at the moment — even the hardware which does not require the firmware to be loaded from the operating system has the blobs installed at the factory anyway so this problem applies to _all_ hardware, even that covered by the main repositories in Debian.
The only real solution is true open-source hardware and we don't have anything like that.
Yet.
deadbang
Re: B43 Firmware package - security
Head_on_a_Stick wrote:
AWA wrote:Is installing b43 100% safe?
No, Broadcom do not supply the source code for the firmware so we have no idea what it does.
AWA wrote:If it cannot be considered 100% safe, is there any working alternative?
Not at the moment — even the hardware which does not require the firmware to be loaded from the operating system has the blobs installed at the factory anyway so this problem applies to _all_ hardware, even that covered by the main repositories in Debian.
The only real solution is true open-source hardware and we don't have anything like that.
Yet.
Thank you!
A further question. Assuming that the proprietary Broadcom drivers don't contain any harmful software, is the package itself safe? I mean, it points to an external website. How can we be sure that they have not been compromised?
I've done a bit of research and read that all packages are digitally signed, but although it's clear to me that it works with "main repo", I cannot figure out how it can work with a package of "contrib repo" that points to an external website.
I'm really a newbie of Debian, sorry if it is a silly question...
Re: B43 Firmware package - security
that's an interesting point:
is the package downloaded from broadcom checksummed, i.e. does apt make sure that it is/contains what is expected?
i'd say yes, it must be, but i honestly don't know.
- Head_on_a_Stick
- Posts: 14114
- Joined: 2014-06-01 17:46
- Location: London, England
- Has thanked: 81 times
- Been thanked: 133 times
Re: B43 Firmware package - security
AWA wrote:A further question. Assuming that the proprietary Broadcom drivers don't contain any harmful software, is the package itself safe? I mean, it points to an external website. How can we be sure that they have not been compromised?
I've done a bit of research and read that all packages are digitally signed, but although it's clear to me that it works with "main repo", I cannot figure out how it can work with a package of "contrib repo" that points to an external website.
I've never needed to install the Broadcom packages but APT usually checksums any downloaded third-party software, I know that it does that for ttf-mscorefonts-installer and that seems to be a similar arrangement.
deadbang
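As an added example, not code from this thread or from Debian's own b43 packaging: the download-then-verify shape an installer package in contrib can use when the payload lives on a third-party site, written as a POSIX shell script. The URL, the digest constants and the script name are placeholders chosen for illustration, not the real b43 values. The point it demonstrates is the answer to the "with what other checksum" question above: the expected SHA-256 is pinned inside the apt-signed .deb, so the external host only has to serve the right bytes and does not itself need to be trusted, and a mismatch leaves nothing on disk for the kernel to load.

```shell
#!/bin/sh
# Added example (not from the forum thread or from Debian's b43 packaging).
# Shows the download-then-verify shape an installer package can use when the
# payload lives on a third-party site: the expected SHA-256 is pinned inside
# the apt-signed .deb, so the remote host only has to serve the right bytes.
#
# EXAMPLE_URL and EXAMPLE_SHA256 are placeholders chosen for illustration,
# NOT the real b43 firmware values; read them out of the real package's
# postinst before relying on this for anything.
set -u

EXAMPLE_URL="https://example.invalid/firmware.tar.bz2"
EXAMPLE_SHA256="0000000000000000000000000000000000000000000000000000000000000000"

sha256_of() {
    # Print the hex SHA-256 of FILE using whichever tool the host provides.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

verify_sha256() {
    # verify_sha256 FILE EXPECTED_HEX -> 0 on match, 1 otherwise.
    # Both sides are lower-cased so a digest copied with capitals still matches;
    # an empty digest (missing file, missing tool) never matches anything.
    actual=$(sha256_of "$1" 2>/dev/null | tr 'A-F' 'a-f')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

install_if_verified() {
    # install_if_verified SRC DEST EXPECTED_HEX
    # Move SRC into place only if its digest matches; otherwise delete SRC and
    # return 2 so a postinst calling this fails the package configuration
    # instead of leaving an unverified blob where the kernel could load it.
    if verify_sha256 "$1" "$3"; then
        mv "$1" "$2"
    else
        rm -f "$1"
        echo "checksum mismatch for $1, refusing to install" >&2
        return 2
    fi
}

fetch_verified() {
    # fetch_verified URL DEST EXPECTED_HEX
    # Download to a temp file next to DEST, then hand off to install_if_verified.
    # Nothing is ever written to DEST until the digest has been checked.
    url=$1; dest=$2; want=$3
    tmp=$(mktemp "${dest}.XXXXXX") || return 1
    if command -v wget >/dev/null 2>&1; then
        wget -q -O "$tmp" "$url"
    else
        curl -fsSL -o "$tmp" "$url"
    fi || { rm -f "$tmp"; echo "download failed: $url" >&2; return 1; }
    install_if_verified "$tmp" "$dest" "$want"
}

# Offline self-test on a constructed file: `sh verify-fw.sh --selftest`
# (script name is hypothetical). sha256("hello\n") is the well-known
# 5891b5b5... digest, so no network is needed to exercise the check.
if [ "${1:-}" = "--selftest" ]; then
    f=$(mktemp)
    printf 'hello\n' > "$f"
    if verify_sha256 "$f" 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03; then
        echo "verify_sha256: OK"
    else
        echo "verify_sha256: FAILED" >&2
    fi
    rm -f "$f"
fi
```

To confirm whether the real contrib package (firmware-b43-installer, built from the b43-fwcutter source package) does the same thing, read its maintainer script after installing it, `/var/lib/dpkg/info/firmware-b43-installer.postinst`, or fetch the source with `apt-get source b43-fwcutter` and look at the installer's postinst: the download URL and the pinned digest, if one is present, are visible there in plain text, which is exactly what makes the arrangement checkable without trusting the remote site. The same `install_if_verified` step applies equally to the CD-extracted route discussed later in the thread, with the object file handed to `b43-fwcutter -w /lib/firmware` only after its digest has been checked.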
Re: B43 Firmware package - security
If APT makes the checksum, with what other checksum can it compare the value? As far as I've understood until now there isn't any "whatsoever" support by Broadcom.
By the way, do you think that installing the unofficial Debian Image already containing the firmware is at the end a safer choice?
Thank you very much for your help
Re: B43 Firmware package - security
The firmware is the same whether it runs on Windows, OS X or Linux.
It is possible to extract firmware from windows files with cabextract.
So if your Broadcom device came with a CD of windows drivers or if the manufacturer provides secure downloads of the drivers, in theory, you can bypass questionable download sites.
F/U: I ran a quick search on extracting Broadcom firmware and there is a utility, fwcutter, in the Debian package system, that can extract said firmware.
Re: B43 Firmware package - security
you pose interesting questions and i commend your interest.
but from what you're writing i can also see that you lack a little basic knowledge as far as these things are concerned. maybe just try some reading, here on the forums, debian wiki, various blogs (but make sure they talk about actual debian, and not some derivate like ubuntu or raspbian or kali)...