Does Respects Your Freedom certification allow updating of proprietary firmware?

I believe that is correct.

The firmware update for the motherboard fails because that firmware, once uploaded, will run on the main CPU. This is the case even if the updater were libre.

The RAM timing fails because it requires running a closed source training program on the CPU.

The AMD GPUs come the closes to working, and would be fine if the card remembered the last firmware files supplied as that would put it in the same category as Crucial (it’s a PCIe data coppy, instead of DD, but still fully open). The problem here is that it must be run at every boot, which means the user cannot delete the closed source firmware files from their machine and have it continue working. You could stash the firmware files onto an embedded flash chip, and send them from that flash chip to the GPU. Less clearly acceptable, you could probably read them back from the embedded flash chip into system memory, and then copy them to the GPU. They’re still not executed on the CPU, but it’s unclear if that counts as the user being expected to update them after product delivery…

NVidia GPUs are actually the worst, requiring both magic code on the main CPU, and copying the firmware files on every boot.

Note that if the motherboard bios were itself open, but required a closed source updater program, that would also not qualify for the RYF certification, unless it were run on a separate microprocessor.

Another example to consider is Intel and AMD CPU/embedded GPU microcode. These are firmware files which are uploaded to the CPU microcode memory at runtime, and the protocol to do so is open source. The key point in this case is that these microcode updates are not required for the CPU/iGPU to function (but they can provide important security or performance fixes). They don’t disqualify the CPU (though the ME/PSP on recent CPUs do), but you must leave it to the user to set up microcode loading if they want it (because it must be done every boot).

Unfortunately, the FSF tends to have an all-or-nothing attitude about most things. It is the same attitude that lead to publishing the AGPL3, which is a terribly convoluted and awful license (which can be circumvented easily by putting a filtering proxy between the covered work and the edge of your network). The idea was to try to force software developers to open source things if they want to use the latest AGPL goodies. Instead it mostly leads to AGPL things being thrown in the dustbin for fear of lawsuits. The GPL in general is in that category, as it is actually less permissive than the LGPL. For something designed to be monolithic, like the Linux kernel, or for something designed to always be distributed in source form (like python scripts), it’s fine. But for anything else, there’s a reason it’s not a very popular license.

Fundamentally, this is the wrong approach. Instead of trying to force people to open source their stuff, with the threat of lawsuits if they don’t, encouraging the culture which leads to cooperation works better. Things like the no-patent-lawsuit reciprocity agreements are the way out of the present pickle where no one is willing to release their source code for fear of revealing that they are using someone else’s patented ideas.

I don’t mind if the FSF sets very strict goals, as long as they are strategically effective. I think that the FSF’s hard line on 100% free software worked, because we had two groups in the FSF and OSI that could appeal to different constituencies. The OSI could talk to Netscape, IBM, SUN, etc. and make the business case for open source, but the OSI never convinced me as a user, whereas FSF was very convincing to me as a user.

When I look at the reasons why free software was promoted by the governments of Brazil, Peru, Venezuela, Bolivia and Ecuador, the FSF made a more convincing argument for these governments than the OSI. In Bolivia (where I currently live), the FSF’s talk about user rights meshed well with Bolivia’s discourse about decolonization and Richard Stallman was invited 3 times to come to Bolivia, whereas the OSI has had little impact. When I go to Linux conferences in Bolivia and Peru, I hear the term “software libre” probably 3 times as much as I hear the term “código abierto”, even from my friends who run companies.

However, when we talk about convincing component manufacturers to release free drivers and free firmware, we simply have to speak a language that translates into business. The FSF has to convince users to value devices that can run free software of course, but it also needs to be able to make a convincing argument to businesses, and the RYF criteria isn’t doing much to move the needle, because it is a standard that almost no device maker can meet, so we need some intermediate strategy as well, such is what I was trying to suggest with the “Freedom Score”.

On the question of licenses, I agree that the AGPL is a cumbersome license, simply because it places too much of a burden on the people using it. Every time that you change even a single line of code, you are obligated to publish your changes under the AGPL, which is too much of a hassle for many people. In the real world, however, it is often very hard to know if a company has changed the source code when they are running it on their own servers and not distributing it, so most compliance is effectively voluntary anyway.

I used to work a company that produced AGPL software. I always told people using our software to not worry about publishing their changes to our code if they were only making minor tweaks and to publish their changes when it was convenient for them. The reality was that we didn’t get strict compliance, but its sole purpose was really to prevent competitors from extending our code without sharing their changes, but aside from a few community forks, no commercial competitors ever touched our code, so it never became an issue.

Whether you like the GPL or hate it, depends on your point of view. Because using a small piece of GPL code can “infect” the rest of the code, it isn’t a good license for widgets and libraries, which is part of the reason why MIT/BSD style licenses have taken over the web. However, I have used the GPL on code that I wrote, precisely because I wanted to guarantee that it stayed free.

Where I think that the GPL has been a very effective is in forced rival companies to work together. One of the reasons why so many rival companies contribute to the Linux kernel is because they know that no other company can take their work and privatize it. When Intel contributes USB 3 drivers to the Linux kernel, it knows that its competitors AMD and Qualcomm can’t ever privatize its work, so Linux becomes a common platform that everyone can contribute to without fear.

I believe that one of the reasons why BSD never had the commercial success of Linux, was precisely because the license encouraged each group to privatize the work of others, so there was less trust. The major flavors of BSD all develop their own kernels and don’t collaborate that much, partly because their license doesn’t encourage them to work together.

Of course, there are counterexamples, so the license isn’t the only factor. For example, competing companies collaborate to produce PostgreSQL under a BSD-style license, whereas MySQL and MariaDB don’t collaborate under the GPL, because each of the companies are claiming that their way of extending the database is better, and frankly Oracle doesn’t have a culture of FOSS in its DNA to facilitate collaboration. It also has an antagonistic relationship with Red Hat, and its management of OpenOffice.org and Virtualbox OSE were poor.

I guess that I see the ethics differently from you. I don’t want to force others to change a large code base to GPL, if all they want to do is incorporate a small piece of GPL code. On the other hand, the idea that someone can take a huge piece of FOSS code (like BSD or PostgreSQL) and privatize it really bothers me.

On one level, I basically agree with the tenet that the developer should decide on the license she wants for her work. However, when I think about my long-term future, I want to live in a world where everything I use is FOSS, and the GPL makes a lot of sense for promoting that strategic goal.

When I analyze why a company like Google hates the GPL, I find its reasons really problematic. I sort of agree with Google when it is afraid that a small piece of GPL code can “infect” it. However, Google also abuses the FOSS community when it takes huge amounts of work from the community, and makes its changes, and does not share back. For example, when Google took MySQL and turned it into BigTable or when Google took Debian and heavily modified it, Google’s refusal to share its changes weren’t ethical in my opinion, and that was exactly the reason why the AGPL was created.

Google takes advantage of large amounts of GPL software and then violates the spirit of the GPL by exploiting a loophole by claiming that it has no obligation to share its changes to code that serves up information to 3 billion people on the planet. I guess what really angers me is that Google then turns around and tells everyone not to use any of the FSF licenses, and actively tries to confuse users with the word “free”, by refusing to show people what is the license of the apps they are downloading in the Play Store.

This topic is right now being discussed on the libreplanet-discuss mailing list:

“RYF can, and should, be improved”: https://lists.gnu.org/archive/html/libreplanet-discuss/2022-01/msg00019.html – by Leah Rowe, linking to https://libreboot.org/news/policy.html and https://osboot.org/news/policy.html

Leah Rowe writes:

Both articles talk about binary blobs from coreboot; the libreboot one
talks about blob deletion, and osboot talks about blob reduction. The
purpose of both projects, is to provide as much software freedom as
possible to users, within those policies. The ultimate goal: free
software everyone, available to everyone, without the injustice that is
proprietary software. The projects differ in their approach, but have
that some underlying goal.

I call for discussion of the topics presented in these articles. The
articles also discuss flaws with the FSF’s “Respects Your Freedom”
program, and discusses ways to improve upon it, so as to encourage and
to facilitate more freedoms for computer users in the future.

Discussion welcome. Please, tell me your thoughts!

Now might be a good time to join that mailing list and take part in the discussion there, I think it’s the right place for it and FSF people will see it and are likely to respond. (one reply so far, agreeing with Leah)