Knowing how dangerous blobs are, I get very nervous when I need to update a blob to fix a bug; mostly it is better to stay with the bug, IMHO.
Why is the old blob less dangerous than the new blob? A blob is a blob and you really can’t say how dangerous either blob is.
The old blob was left frozen in the arctic in 1958. Must be a new meteor.
Meet the new Blob, same as the old blob.
Some general entropy principle for corporation-written software?
Due to the darkness of the BLOBs, they may make a fancy feature or bug fixes to force you to update, in order to introduce a backdoor, or to update a backdoor, or to introduce another bug to slow down the controller, or to update the signature; there are a lot of things that may happen. So in this sense we may not trust blobs even with a humble changelog. Of course bad things will never be in the changelog file. Naturally this happens in newer versions of blobs.
Open source doesn't care about this hole, as open source works for the vendor rather than for the user.
Perhaps. In reality, there are many considerations e.g. societal standards, or e.g. legislation, or e.g. corporate restructuring. If you are really worried about corporate entropy then it could make sense to look at the build or release dates on the two blobs (if available).
I just wouldn’t always assume that a new blob is more dangerous.
Most importantly though, if you are experiencing a major problem and the release notes for the new blob say that it fixes that problem, most people will just accept that all blobs are dangerous, so you might as well have the blob that actually works.
These are all possibilities too.
In particular, if “introduce a backdoor” coincides with a government requirement to have a backdoor then it would be a no-brainer to keep the old blob if that is a choice.
On the upside … if it is updating a backdoor with a complete reimplementation, it is possible that the new backdoor has a serious defect that allows you to disable the backdoor. So you can always roll the dice.
As perhaps you are suggesting, the changelog is relatively useless for this purpose. If there are intentional dangers, they simply won’t be included in the changelog and you will be none the wiser.