[Bug 1867813] Re: [MIR] linux-firmware-raspi2 to restricted

Christian Ehrhardt  1867813 at bugs.launchpad.net
Fri Oct 2 06:46:02 UTC 2020


I gave this a review from the MIR POV under the constraint that this
would likely be handled similarly to the other firmware/microcode
packages.

It is important to note that just looking at the source this would be a clear nack:
- precompiled kernel modules in ./modules
- precompiled shared objects in ./opt/vc
- many unused source in ./hadfp/opt/
- GPU bins for 1001 drivers
...

This is Ubuntu only anyway and we use the code from
https://github.com/raspberrypi/firmware/releases

If we could define a trivial but very effective source path filter and repackage this into a -dfsg like tarball with subtrees we don't need removed, that would be awesome.
After all, MIR approvals are given on Source, and I (as well as likely the security Team later) probably would love to see a much much smaller source (since you only use so few of it).

It generally seems well maintained upstream and as a package. So yeah, once this is trimmed down I'd give it a MIR ack and we can move it to the security-team.
If they ack as well then the Archive-Admins can make the final call of "yeah let's support it despite being blobs, like the other such cases".

For now re-assigning to Dave to come up with the reduced source (or to
convince otherwise).

** Changed in: linux-firmware-raspi2 (Ubuntu)
     Assignee: Christian Ehrhardt  (paelzer) => Dave Jones (waveform)

** Changed in: linux-firmware-raspi2 (Ubuntu)
       Status: New => Incomplete

-- 
https://bugs.launchpad.net/bugs/1867813

Title:
  [MIR] linux-firmware-raspi2 to restricted

Status in linux-firmware-raspi2 package in Ubuntu:
  Incomplete

Bug description:
  1. Availability: The package is already available in multiverse and is
  already used on all of our Ubuntu Raspberry Pi images.

  2. Rationale: As mentioned above, the package is already used on all
  of our Ubuntu Raspberry Pi preinstalled images (raspi) - and has been
  used there since the first raspi2 images have been supported. It is
  essentially a mistake that the package is still in multiverse, as we
  should not build images using packages outside of main and restricted.

  3. Security: So far there has been no CVE or any security
  vulnerability reported for our package. Generally the package consists
  of binary blobs coming from the Raspberry Pi foundation.

  4. Quality assurance: The package is easy to test and verify, as this
  is an essential package to the operation of Ubuntu on Raspberry Pi. It
  is maintained by Ubuntu Foundations, along with extensive QA on
  various Pi platforms.

  5. Dependencies: The package has no dependencies (only shipping binary
  blobs).

  6. Standards compliance: The licensing of the binaries is a bit ugly,
  but all the proprietary bits are well documented in debian/copyright.

  7. Maintenance: The package is actively maintained by the Ubuntu
  Foundations team.

  8. Background information:

  As mentioned, this package is already used for all our images, so we
  are already treating it as a package from restricted per-se. So moving
  the package to restricted should only be a formality. All the hosted
  binary blobs are essential to our Ubuntu raspi experience, so we can't
  really do much without them.

  Another important note: this package is not part of any seed right
  now, but instead pulled in via livecd-rootfs directly when building
  raspi images (we'll figure something better for the future).
