Hacker News new | past | comments | ask | show | jobs | submit login

I asked David Jordan, the engineer working on the firmware updater.

>Not only aren't updates initiated without permission, I wrote the code to make that literally impossible without changes to the installed python code.

The code is available at https://github.com/pop-os/system76-driver and https://github.com/system76/firmware-update




Thanks for the reply! So you can push an update to the python code that allows you to push an update to the firmware without prompting? Sounds like we still rely on the security of your systems to prevent malicious firmware from being pushed.


Well... yeah? They're the OS vendor; there is literally no way for them to do their job without having the ability to update the system.


Yes they have to be able to update the system but in this case they are also able to update the firmware without asking which means anyone who can impersonate or coerce them can also update the firmware.


If you control the OS, you also control the firmware (if you want a way to install new firmware from the OS). No way around.


Since the firmware updater is a Python program, you can audit the source code by looking at the relevant directory in site-packages before you accept. If you're really paranoid you can set up a periodic script that sends you an email if the contents of that directory change.




Consider applying for YC's Spring batch! Applications are open till Feb 11.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: