Driver updates on librem 5

I am at the point where I need to replace my phone and I want to get a librem 5 but I’m concerned about driver updates. I’ve read that some important modules (such as wifi) don’t get updates (in particular security fixes) which is concerning; but also, there’s a lot of FUD about purism so I’m not sure if this claim is actually true.

Does anybody know of a reliable source I can use to check whether librem 5 gets driver updates? I don’t consider “it seems to be working on my device” to be a reliable source. I have a similar concern about firmware updates.

Thanks!

1 Like

For all default software and packages, see Repositories & Suites - PureOS Software (the versions byzantium and byzantium-updates are current [based on Debian 10]; crimson is in the works).

Just to understand your question better, how well versed are you with Linux? Your concerns are warranted, but the operating system works in pretty different ways (not to mention the L5-specific technical structure regarding the wifi and modem cards), making the risks a bit different than with Windows, iOS and Android, to some extent. I’d also direct you towards the community wiki, which has some of the answers to pertinent questions: Frequently Asked Questions · Wiki · Librem5 / Librem 5 Community Wiki · GitLab

As I’ve said before, the L5 is definitely an adventure; you will need to do and learn stuff yourself, and there is a distinct possibility that updates and improvements won’t materialize like you might expect from some global behemoth of a company. You are welcome to browse the forum, current and historical/developing topics, to get more info.

2 Likes

Firmware updates are manual:

1 Like

The reliable source would be to ask Purism. Contact - Purism user documentation

2 Likes

I would say I’m an advanced Linux user but not a kernel or hardware developer. In a past life I had a job assessing the impact of security bugs on specific Linux machines.

Yeah, I’m fine with that. If I get a Librem 5 I see it as investing brainspace in the PureOS software stack, not just buying a product. I just want to make sure that CVEs get patched.

Which I am totally fine with as long as the firmware is getting security patches on a reasonable timeframe.

… fair

2 Likes

Anecdotally, Debian security fixes (and other fixes) do flow through. However that is much wider than just driver updates.

3 Likes

Well, my automatic reply says that there is a backlog and the threads on this forum about support delays are not encouraging. They are understandable - Purism is a relatively small company whose purchases scaled quickly - but my current phone recently broke so my purchasing decision became more urgent.

I think I can trust the Debian project. Not that they will always be perfect - nobody will - but that they will generally handle things responsibly and in a manner that is timely relative to the severity of the issue.

I’m a little more concerned about the hardware though. The tech specs state that the current WiFi chip comes from SparkLan, and I don’t see any mention of this company in the CVE repository. I find it difficult to believe that their hardware has never had a single security issue worth mentioning, so I am left to assume that this manufacturer either lacks responsible security practices internally or is not transparent about their security issues. Neither possibility inspires confidence.

I did email their support team asking about their security policy, but I’m not optimistic about hearing back because their online form is only for business contact, not consumer contact.

1 Like

There is also the possibility that vulnerabilities have not been found, possibly because there hasn’t been enough research at all, or nothing has been found, or nothing has been revealed.

As I wrote in the other thread about CVEs and BOMs, the various sub-parts need to be checked too. The card uses a Synaptics chip, and apparently those do not show up in databases either. Same possibilities as with SparkLan there, though. However, their fingerprint readers are there.

It should be noted that CVEs are not limited to manufacturers. Other entities, even rival companies, may issue them; for instance, Google has issued several for their competitors’ (and their own) products. So we should expect at least some CVEs, if there were any to be found. More likely, the software side gets more research and smaller products get less scrutiny, resulting in fewer CVEs. So, no proof either way, just observations.

2 Likes