Per this Debian bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907585 the file liquidio/lio_23xx_vsw.bin contains an entire Linux kernel (which explains why it's so huge), but no proper license file or source for that kernel appears to be available anywhere. I think this is against Fedora policies just as it's against Debian's, and we should not ship that file. Filed against 35, but actually valid for all supported Fedora releases.
Gonna propose this as an FE for F35, as if we decide we shouldn't be shipping this it'd be good to take it out of our pending release. As a bonus it'd probably help with netinsts being oversize.
Josh: I'm going to assign this to you as I suspect you know more of the details from its acceptance into linux-firmware
> it'd probably help with netinsts being oversize.
It was split out into its own sub package, at the same time as netronome-firmware, explicitly so it didn't need to be included in those things. Both of these are SmartNICs, they generally aren't supported by HTTP/PXE style installs as their firmware isn't running that early on so all those sorts of hosts have "admin/OOB" or similar style NICs for provisioning, that is why I went through the process of splitting them out in the first place. If they're getting pulled back in again (I'm sure we've solved this before) it's a separate bug to this and we can still potentially ship these firmware so I think the oversize netinst issue is a separate issue to this and shouldn't be conflated together.
Adding adamw as needinfo for the last point
yeah, they're not conflated, it's just a sidebar. I already sent a PR to drop it from the netinst on non-aarch64, if it's also useless on aarch64 (which I suspected but wasn't sure of) we can drop it entirely. that's over in https://github.com/weldr/lorax/pull/1175 and the size bugs (https://bugzilla.redhat.com/show_bug.cgi?id=2009730 and https://bugzilla.redhat.com/show_bug.cgi?id=2009731 ). Regardless of that it does feel like a problem to be shipping an entire sourceless kernel as "firmware", though.
also, would it make sense to similarly carve out the mrvl/prestera firmwares? My PR cuts them out at runtime-cleanup stage, but if they're in the same category, might make sense to treat them similarly.
(In reply to Adam Williamson from comment #6)
> also, would it make sense to similarly carve out the mrvl/prestera
> firmwares? My PR cuts them out at runtime-cleanup stage, but if they're in
> the same category, might make sense to treat them similarly.
Quite probably but they were added after I did the other splits and there's other mrvl bits thrown into that directory structure so they hadn't shown up widely. They're also not widely available as yet and they're only enabled in Fedora since 5.10.
*** Bug 2011661 has been marked as a duplicate of this bug. ***
(In reply to Adam Williamson from comment #0)
> Per this Debian bug:
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907585
>
> the file liquidio/lio_23xx_vsw.bin contains an entire Linux kernel (which
> explains why it's so huge), but no proper license file or source for that
> kernel appears to be available anywhere.
>
> I think this is against Fedora policies just as it's against Debian's, and
> we should not ship that file.
>
> Filed against 35, but actually valid for all supported Fedora releases.
That bug is from 2018. From an upstream perspective, they corrected this with: https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/commit/?id=d87753369b82c5f362250c197d04a1e1ef5bf698 which provides the normal GPL boilerplate, notably an offer for source on request. They don't have to publish sources publicly to meet GPL compliance, despite that being common practice. Also, the offer only has to be good for 3 years. 3 years will be up on Oct 18. It's up to the various distributions to determine if they are comfortable with that. RHEL does not ship this firmware or any drivers that require it, for example. Personally, I wouldn't block the F35 release on this. If you want to drop the firmware package, that should be easy enough to do.
Thanks for the details, Josh. I think, based on https://fedoraproject.org/wiki/Licensing:Main#Binary_Firmware , since the license statement is now there, it's probably OK for us to ship the file after all. I think it meets the requirements of being "firmware" per that page, and the license seems to meet the requirements. So I think I'll go ahead and close this as NOTABUG. Sorry for the false alarm, I missed that the license had been added.