On Thu, Apr 11, 2013 at 2:02 PM, Martin Koegler wrote:
On Thu, Apr 11, 2013 at 11:55:52AM -0300, Claudio Freire wrote:
On Thu, Apr 11, 2013 at 7:29 AM, Stefan Brüns wrote:
On 11.04.13, Claudio Freire wrote:
A nightmare for the security team though.
This firmware is run on the Cypress FX2 USB/FPGA bridge and the FPGA softcore. It is just uploaded to the USRP, and has no access to the host memory (USB can not issue DMA from the device side). I do not see any security issues here.
The security team would have to make sure the binaries in those packages are indeed restricted to that usage. And they would have to understand pretty well what that device's capabilities are to be able to judge risk levels. That's the nightmare.
How is this different from kernel-firmware?
I guess it's not. I don't know how the review process is for kernel firmware, I've never submitted it, but it must be quite extensive and laborious. Just pointing it out. When there are no sources, you have no choice. When there are sources, you do. Even if building the toolchain will probably be hard, it might be easier than going through such a laborious review process every time a submission is needed. Building the toolchain is a one-time task, whereas reviewing the binary is not. If it's impossible because it includes proprietary tools... well... no choice either.