<div dir="ltr">*sarcasmmodeon*<div><br></div><div>Oh my God, we cannot do this! This would enable EVIL hackers to penetrate the thick firewalls and security mechanisms of our firmware and let it do horrible things! Firmware must be secret!</div><div><br></div><div>*sarcasmmodeoff*</div><div><br></div><div>I would assume most companies would be ashamed about showing their firmware source code. ;)</div><div><br></div><div>Henning</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Sep 7, 2015 at 4:24 PM, Dave Taht <span dir="ltr"><<a href="mailto:dave.taht@gmail.com" target="_blank">dave.taht@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">to me the simplest and best requirement the eu and us could have is<br>
that the firmware and driver source be fully available and audited.<br>
This, rather than a "promise of compliance" by the fly-by-night<br>
vendor, would ensure that the regulations be adhered to. The amount of<br>
actual code we are talking about is very, very small, compared to the<br>
rest of the system.<br>
<div class="HOEnZb"><div class="h5"><br>
On Mon, Sep 7, 2015 at 7:20 AM, Laurent GUERBY <<a href="mailto:laurent@guerby.net">laurent@guerby.net</a>> wrote:<br>
> On Sun, 2015-09-06 at 10:50 -0700, Mitar wrote:<br>
>> Hi!<br>
>><br>
>> > This is not that clear cut in EU: enforcement of Article 3 (3) list<br>
>> > "essential requirements" is delegated to proposals of which equipment<br>
>> > will affected by the EU Commission, and these proposals can be blocked<br>
>> > either by the council or the parliament. Also in the preamble (19)<br>
>> > states clearly that software verification should not be abused to<br>
>> > prevent third party software. See below for quotes.<br>
>><br>
>> But preamble is not a directive, no? And directive does not contain any<br>
>> such language.<br>
>><br>
>> Also, how do you see in practice that both Article 3 (3) and preamble<br>
>> (19) would be possible? The only way I see it for a manufacturer to do<br>
>> that is to accept firmware images signed by a key from EU Commission.<br>
>> And then it leaves to EU Commission to decide which 3rd party software<br>
>> is still compliant.<br>
><br>
>> The other options are just to prevent 3rd party firmware images. Or to<br>
>> require binary blob drivers for WiFi. None of those we really want. So<br>
>> how exactly do you see that the wording in current directive is not<br>
>> problematic? How would you in an ideal world implement this in practice<br>
>> for WiFi devices? If I understand you correctly, what you are saying is<br>
>> that we should hope this applies only to SDRs and not WiFi?<br>
><br>
> Hi,<br>
><br>
> First the EU commission could just decide that the list of devices<br>
> subjected to (i) will stay empty, which it is until the commission<br>
> writes a list of devices subjected to (i) and that list is not<br>
> opposed by council nor parliament.<br>
><br>
> It could say that "compliance" is automatically "demonstrated" for free<br>
> software firmware with an up to date regulatory domain file. File which<br>
> could be provided in open format in open data at the EU level somewhere.<br>
><br>
> It might decide to waive the requirement for all SDR type devices<br>
> (pretty hard to have a SDR market if you don't do that).<br>
><br>
> Same for devices unable to reach more than 1 Watt conducted power<br>
> (about all OpenWRT hardware, mos tubiquity does 23-27 dBm conducted).<br>
><br>
> Competition laws are quite strong in the EU, that's why there's<br>
> preamble (19), a measure killing competition might not be liked<br>
> by courts in the end.<br>
><br>
> Another thing is that up to now I've never heard about a compliance<br>
> case linked to free software firmware use (as most proprietary firmware<br>
> offer the user plenty of ways to bypass local regulations anyway).<br>
> So the case to ban it is pretty weak.<br>
><br>
> And you can create a powerful radio generator on most frequencies<br>
> with less than $10 of non radio specific hardware, random URL:<br>
> <a href="http://www.instructables.com/id/The-Ultimate-FM-Transmitter/" rel="noreferrer" target="_blank">http://www.instructables.com/id/The-Ultimate-FM-Transmitter/</a><br>
><br>
> We just have to make sure that the EU commission and politicians<br>
> are aware that there are concerned citizens and industry and academia<br>
> about what the commission will do with Article 3 (3) (i).<br>
><br>
> Sincerely,<br>
><br>
> Laurent<br>
><br>
><br>
> _______________________________________________<br>
> Battlemesh mailing list<br>
> <a href="mailto:Battlemesh@ml.ninux.org">Battlemesh@ml.ninux.org</a><br>
> <a href="http://ml.ninux.org/mailman/listinfo/battlemesh" rel="noreferrer" target="_blank">http://ml.ninux.org/mailman/listinfo/battlemesh</a><br>
<br>
<br>
<br>
</div></div><span class="HOEnZb"><font color="#888888">--<br>
Dave Täht<br>
endo is a terrible disease: <a href="http://www.gofundme.com/SummerVsEndo" rel="noreferrer" target="_blank">http://www.gofundme.com/SummerVsEndo</a><br>
</font></span><div class="HOEnZb"><div class="h5">_______________________________________________<br>
Battlemesh mailing list<br>
<a href="mailto:Battlemesh@ml.ninux.org">Battlemesh@ml.ninux.org</a><br>
<a href="http://ml.ninux.org/mailman/listinfo/battlemesh" rel="noreferrer" target="_blank">http://ml.ninux.org/mailman/listinfo/battlemesh</a><br>
</div></div></blockquote></div><br></div>