Bug 2011615 - liquidio/lio_23xx_vsw.bin contains a Linux kernel without license or source
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: linux-firmware
Version: 35
Hardware: All
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: Josh Boyer
QA Contact: Fedora Extras Quality Assurance
Reported: 2021-10-06 21:36 UTC by Adam Williamson
Modified: 2021-10-07 19:49 UTC (History)
Last Closed: 2021-10-07 19:49:13 UTC
Type: Bug

Description Adam Williamson 2021-10-06 21:36:10 UTC
Per this Debian bug:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907585

the file liquidio/lio_23xx_vsw.bin contains an entire Linux kernel (which explains why it's so huge), but no proper license file or source for that kernel appears to be available anywhere.

I think this is against Fedora policies just as it's against Debian's, and we should not ship that file.

Filed against 35, but actually valid for all supported Fedora releases.

Comment 1 Adam Williamson 2021-10-06 21:37:38 UTC
Gonna propose this as an FE for F35, as if we decide we shouldn't be shipping this it'd be good to take it out of our pending release. As a bonus it'd probably help with netinsts being oversize.

Comment 2 Peter Robinson 2021-10-06 22:01:37 UTC
Josh: I'm going to assign this to you as I suspect you know more of the details from its acceptance into linux-firmware.

Comment 3 Peter Robinson 2021-10-06 22:07:00 UTC
> it'd probably help with netinsts being oversize.

It was split out into its own sub package, at the same time as netronome-firmware, explicitly so it didn't need to be included in those things. Both of these are SmartNICs, they generally aren't supported by HTTP/PXE style installs as their firmware isn't running that early on so all those sorts of hosts have "admin/OOB" or similar style NICs for provisioning, that is why I went through the process of splitting them out in the first place. If they're getting pulled back in again (I'm sure we've solved this before) it's a separate bug to this and we can still potentially ship these firmware so I think the oversize netinst issue is a separate issue to this and shouldn't be conflated together.

Comment 4 Peter Robinson 2021-10-06 22:07:50 UTC
Adding adamw as needinfo for the last point

Comment 5 Adam Williamson 2021-10-06 22:40:51 UTC
Yeah, they're not conflated, it's just a sidebar. I already sent a PR to drop it from the netinst on non-aarch64, if it's also useless on aarch64 (which I suspected but wasn't sure of) we can drop it entirely. That's over in https://github.com/weldr/lorax/pull/1175 and the size bugs (https://bugzilla.redhat.com/show_bug.cgi?id=2009730 and https://bugzilla.redhat.com/show_bug.cgi?id=2009731 ). Regardless of that it does feel like a problem to be shipping an entire sourceless kernel as "firmware", though.

Comment 6 Adam Williamson 2021-10-06 22:53:36 UTC
Also, would it make sense to similarly carve out the mrvl/prestera firmwares? My PR cuts them out at runtime-cleanup stage, but if they're in the same category, might make sense to treat them similarly.

Comment 7 Peter Robinson 2021-10-07 08:22:48 UTC
(In reply to Adam Williamson from comment #6)
> also, would it make sense to similarly carve out the mrvl/prestera
> firmwares? My PR cuts them out at runtime-cleanup stage, but if they're in
> the same category, might make sense to treat them similarly.

Quite probably but they were added after I did the other splits and there's other mrvl bits thrown into that directory structure so they hadn't shown up widely. They're also not widely available as yet and they're only enabled in Fedora since 5.10.

Comment 8 Peter Robinson 2021-10-07 08:39:16 UTC
*** Bug 2011661 has been marked as a duplicate of this bug. ***

Comment 9 Josh Boyer 2021-10-07 11:32:21 UTC
(In reply to Adam Williamson from comment #0)
> Per this Debian bug:
> 
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907585
> 
> the file liquidio/lio_23xx_vsw.bin contains an entire Linux kernel (which
> explains why it's so huge), but no proper license file or source for that
> kernel appears to be available anywhere.
> 
> I think this is against Fedora policies just as it's against Debian's, and
> we should not ship that file.
> 
> Filed against 35, but actually valid for all supported Fedora releases.

That bug is from 2018.  From an upstream perspective, they corrected this with:

https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/commit/?id=d87753369b82c5f362250c197d04a1e1ef5bf698

which provides the normal GPL boilerplate, notably an offer for source on request.  They don't have to publish sources publicly to meet GPL compliance, despite that being common practice.  Also, the offer only has to be good for 3 years.  3 years will be up on Oct 18.

It's up to the various distributions to determine if they are comfortable with that.  RHEL does not ship this firmware or any drivers that require it, for example.

Personally, I wouldn't block the F35 release on this.  If you want to drop the firmware package, that should be easy enough to do.

Comment 10 Adam Williamson 2021-10-07 19:49:13 UTC
Thanks for the details, Josh. I think, based on https://fedoraproject.org/wiki/Licensing:Main#Binary_Firmware , since the license statement is now there, it's probably OK for us to ship the file after all. I think it meets the requirements of being "firmware" per that page, and the license seems to meet the requirements. So I think I'll go ahead and close this as NOTABUG. Sorry for the false alarm, I missed that the license had been added.

