[Battlemesh] Forced firmware lockdown in EU already passed

Dave Taht dave.taht at gmail.com
Mon Sep 7 16:24:21 CEST 2015


To me the simplest and best requirement the EU and US could have is
that the firmware and driver source be fully available and audited.
This, rather than a "promise of compliance" by the fly-by-night
vendor, would ensure that the regulations be adhered to. The amount of
actual code we are talking about is very, very small, compared to the
rest of the system.

On Mon, Sep 7, 2015 at 7:20 AM, Laurent GUERBY <laurent at guerby.net> wrote:
> On Sun, 2015-09-06 at 10:50 -0700, Mitar wrote:
>> Hi!
>>
>> > This is not that clear cut in EU: enforcement of Article 3 (3) list
>> > "essential requirements" is delegated to proposals of which equipment
>> > will be affected by the EU Commission, and these proposals can be blocked
>> > either by the council or the parliament. Also in the preamble (19)
>> > states clearly that software verification should not be abused to
>> > prevent third party software. See below for quotes.
>>
>> But preamble is not a directive, no? And directive does not contain any
>> such language.
>>
>> Also, how do you see in practice that both Article 3 (3) and preamble
>> (19) would be possible? The only way I see it for a manufacturer to do
>> that is to accept firmware images signed by a key from EU Commission.
>> And then it leaves to EU Commission to decide which 3rd party software
>> is still compliant.
>
>> The other options are just to prevent 3rd party firmware images. Or to
>> require binary blob drivers for WiFi. None of those we really want. So
>> how exactly do you see that the wording in current directive is not
>> problematic? How would you in an ideal world implement this in practice
>> for WiFi devices? If I understand you correctly, what you are saying is
>> that we should hope this applies only to SDRs and not WiFi?
>
> Hi,
>
> First the EU commission could just decide that the list of devices
> subjected to (i) will stay empty, which it is until the commission
> writes a list of devices subjected to (i) and that list is not
> opposed by council nor parliament.
>
> It could say that "compliance" is automatically "demonstrated" for free
> software firmware with an up to date regulatory domain file. File which
> could be provided in open format in open data at the EU level somewhere.
>
> It might decide to waive the requirement for all SDR type devices
> (pretty hard to have a SDR market if you don't do that).
>
> Same for devices unable to reach more than 1 Watt conducted power
> (about all OpenWRT hardware, most Ubiquiti does 23-27 dBm conducted).
>
> Competition laws are quite strong in the EU, that's why there's
> preamble (19), a measure killing competition might not be liked
> by courts in the end.
>
> Another thing is that up to now I've never heard about a compliance
> case linked to free software firmware use (as most proprietary firmware
> offer the user plenty of ways to bypass local regulations anyway).
> So the case to ban it is pretty weak.
>
> And you can create a powerful radio generator on most frequencies
> with less than $10 of non radio specific hardware, random URL:
> http://www.instructables.com/id/The-Ultimate-FM-Transmitter/
>
> We just have to make sure that the EU commission and politicians
> are aware that there are concerned citizens and industry and academia
> about what the commission will do with Article 3 (3) (i).
>
> Sincerely,
>
> Laurent



-- 
Dave Täht
endo is a terrible disease: http://www.gofundme.com/SummerVsEndo


