| by Arround The Web | No comments

gnuboot @ Savannah: Nonfree software found in GNU Boot releases again, many distros affected.

The GNU Boot project previously found nonfree microcode in the first

RC1 release (in gnuboot-0.1-rc1_src.tar.xz to be exact).

This was announced in the "GNU Boot December 2023 News"

(https://lists.gnu.org/archive/html/gnuboot-announce/2023-12/msg00000.html). It

was fixed by re-making the affected tarball by hand with the nonfree

software removed and by contacting Canoeboot that had the same issue,

and by bug reporting and proposing patches to fix the issue in Guix as

well (they are still pending as we need to find a reviewer familiar

with Coreboot).

But recently we found a more problematic issue that also affects many

more distributions and all the previous GNU Boot release candidates.

The vboot source code used in Coreboot and in the vboot-utils package

available in many GNU/Linux distributions contains nonfree code in

their test data in tests/futility/data (nonfree microcode, nonfree

BIOS, nonfree Management Engine firmwares, etc).

So we had to re-release all the affected tarballs (like

gnuboot-0.1-rc1_src.tar.xz, gnuboot-0.1-rc2_src.tar.xz, etc).

We made and we improved the process along the way (we now store the

changes in tag inside our git repository and simply regenerate the

tarballs with the build system that is available for a given tag).

We are also in the process of contacting distributions and/or

coordinating with them and we also need help as there are many

distributions to contact.

To do that we started contacting the free GNU/Linux distros

(https://www.gnu.org/distros/free-distros.html) that ship the vboot

source code. We also contacted Replicant that is a free Android distro

that also ships vboot source code.

We also started to contact common distros that require certain

repositories to only have free software (so far we only contacted

Debian as that will help Trisquel fix the issue, but we also need to

contact Fedora for instance). Finding which distro to contact is made

much easier thanks to GNU's review of common distros policies

(https://www.gnu.org/distros/common-distros.html).

We coordinate that work on our bug report system at Savannah,

especially in the bug #66246

(https://savannah.gnu.org/bugs/index.php?66246).

Share Button

no related pages

Source: Planet GNU

Leave a Reply