https://bugzilla.novell.com/show_bug.cgi?id=830002

https://bugzilla.novell.com/show_bug.cgi?id=830002#c0

Summary: QEMU firmware not built from source
Classification: openSUSE
Product: openSUSE Factory
Version: 13.1 Milestone 3
Platform: Other
OS/Version: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: KVM
AssignedTo: boyang@suse.com
ReportedBy: brogers@suse.com
QAContact: jdouglas@suse.com
Found By: ---
Blocker: ---

Though there is a certain degree of trust in the firmware components provided in the upstream QEMU project, effort should be made to build that firmware from source, especially in the cases where it is readily known how to do so.

At the risk of stating the obvious, when binary blobs are used, there is an insufficient audit trail from source code to executable. In the case of virtual machine firmware, where it executes with nearly complete ownership of the VM execution environment, the ability to prove that there are no security holes or malicious code present is even more important than for "normal software".

Since we use a build service which allows leveraging various CPU architectures to be built on, we should use it to the full extent to build the firmware we use. If there is firmware needed for emulated architectures which cannot be reasonably built for, including with cross-architecture development tools, we should at least identify clearly the source code used to build that firmware, and provide it, even if we have to trust that it was built correctly elsewhere.

URL on openSUSE policies for open source software: http://en.opensuse.org/Free_and_Open_Source_Software

I can point out that an effort to correct this issue has been started. See: qemu, kvm, and virt-firmware packages in home:bfrogers in the openSUSE build service.