The FSF will need to infer an intention to decide whether it’s an RYF device. And certainly they will base that on evidence just as I have. Remember that Debian isn’t an FSF approved distro simply because they have a non-Free repository available (even though it is disabled by default) and FSF judged that the availability implied their intention. And the RYF exception for embedded firmware is about intentionRespects Your Freedom (RYF) certification requirements | RYF .
However, there is one exception for secondary embedded processors. The exception applies to software delivered inside auxiliary and low-level processors and FPGAs, within which software installation is not intended after the user obtains the product. This can include, for instance, microcode inside a processor, firmware built into an I/O device, or the gate pattern of an FPGA. The software in such secondary processors does not count as product software.
Or I can personally decide that in my judgment it is not deserving of a RYF certification. I can do that regardless of the FSF’s decision … if they ever make one. As far as I know, the FSF already decided that it wasn’t RYF and neither Purism nor the FSF has revealed this. Questions about this have been around a long time: RYF certification L5 and IMO the long wait looks bad.
If interpreted literally and strictly, that would virtually rule out all even vaguely recent Intel x86 CPUs - and it is not clear that mandating ongoing security flaws in Intel CPUs is in the interests of the customer.
Regardless though, it may be that, if using PureOS, no matter how many times you do apt up* or anything else in PureOS, you will never get either Intel microcode updates or SparkLAN WiFi card firmware updates or firmware updates for the old WiFi card.
So you can say that the intention of PureOS is that none of these things will ever get updated i.e. as per the RYF wording. If the user does a sneaky behind the back of PureOS then PureOS doesn’t stop the user doing so because, after all, the user owns his or her own computer. This isn’t a walled garden where the manufacturer decides what you can and can’t do with your computer.
So, say, in respect of Intel CPU microcode, for mind-reading the intention, you first need to decide whether you want to mind-read
Intel, or
Purism (PureOS), or
the customer.
My mind-reading says that Intel’s intention is that you really do update the microcode after obtaining the product, as and when an update is available.
As a customer, no mind-reading required. My intention would be that if a microcode update became available, I would take the update - because the horrible bugs being fixed may have a cost that outweighs the benefits of not taking the update.
(Obviously Intel microcode has no relevance to the Librem 5.)
I’m not sure why you went into Intel CPU microcode. It’s worth noting how few latops ( Laptops | RYF ) and mainboards ( Mainboards | RYF ) are RYF certified. Basically, all of the laptops are based off of the Lenovo X200. I think it’s because they use GNU-boot which, while downstream of coreboot, does not facilitate the update of Intel microcode. https://www.phoronix.com/news/GNU-Boot-Second-Fail . Certainly I don’t see any Purism laptops with RYF.
… which raises the question as to what exactly is certified. The operating system? The hardware? The company? One/all employees and contractors of the company? The repo? Any combination thereof?
Well, “missing package” tells you all you need to know. Intentionally missing package. Intention.
If you look on my phone, you will find no such desktop file, no such deb file, no firmware file.
And it is still intentionallynot distributed even today (per the official documentation).
The “Respects Your Freedom” certification program encourages the creation and sale of hardware that will do as much as possible to respect your freedom and your privacy, and will ensure that you have control over your device.
and it is designed as a promotion for retailers who sell such devices
That is why the Free Software Foundation launched this certification program, to find retailers committed to providing users with devices they can truly own.
You misunderstood. My link was for the thread and especially the message where someone included an instructions from Purism support for updating the proprietary firmware.
And then you seemed to not grasp the intention behind the code and links in Purism’s software repository for flashing firmware Librem5 / firmware-tps6598x-nonfree · GitLab (that’s the PD controller). That is intention. They also have code for flashing your cellular firmware and links to it.
I’ll replace that with “contractors”. It doesn’t make too much different in my mind.
It is my understanding that everyone who works at Purism except for the officers are 1099s (i.e. independent contractors). I suppose we could get @JCS to verify his status. I’m assuming that he is a 1099 employee, but I believe he has said that he works for Purism.
… which they intentionally make difficult by not posting the link. It is true that a customer posted a link (which was very likely not supposed to happen).
Purism support specifically requested that I do not disclose the instructions for updating the modem firmware, so I have respected their wishes until @lakei’s post mentioned above was created and after most of the original Purism support employees have already left.
That appears to have been updated to: Actually, Purism doesn’t really mind if you distribute the instructions. You are just not allowed to distribute the underlying files without which the instructions are useless.
But the instructions I have seen have links to the files from the vendor. That makes the instruction not worthless. They wouldn’t distribute the instructions if they were worthless would they?
Purism is approved by the vendor to privately/individually provide firmware update packages to fix customer issues, but these resources are not intended for public dissemination.
The firmware update documentation itself is not controlled, so I added the instructions to the official documentation for convenience, and simply omitted the links to the protected files.
If you’re looking at the cellular modem link and presume I haven’t read that and see that the user who posted it a moderator blacked out the URL after the fact, it’s a bad presumption. But I will point out that support certainly gave the instructions with the URL. And it doesn’t take a genius (only google-fu) to find that the link is <<censored by moderator - seriously, dude!>> which if you unzip it has the nonfree firmware. Distributed from puri.sm. Intention.
Or one could simply look at the BroadMobi operations manual and go right to the section entitled “Updating Firmware” where they describe how to upgrade the firmware from windows. It’s in their FCC documents. So, at least BroadMobi had the intention that people would need to update firmware after delivery. Of course their instructions require Windows … which is a bigger obstruction to Purism customers than most
I’m not sure if it wasn’t originally blacked out by the poster. I am confident, though, that when Purism support gave that user the instructions, it included a non-blacked out URL for the download. That said, the link to the Purism hosted zip file that contains the non-free driver was still easy to find.
No good deed goes unpunished, I suppose. I’ll take the action to secure those files on Nextcloud. Sharing links to protected files hosted on Purism servers is a quick way to have those files locked down. It’s a matter of a business agreement/relationship with the product vendor; we must be careful to not bite the hand that feeds. I’m an advocate of sharing as much as possible, but it’s not worth a cease-and-desist and/or losing future access.
