Rando user here, but if firmware flashing would be relegated to an external medium to be able to do, then could it not be possible to create an additional relaxed (current config) version of the locked down kernel as an addon?
Only interested users would bother installing it and it could be something they have to re-do each update since the core would overwrite /boot and /lib/modules and invalidate the previously installed addon by version requirement (the update providing a new version they would have to install if needed again).
This would minimize the footprint of "insecure" installs since it would only be insecure on-demand each time the user updates and it should (afaik) not require any other changes to the dist to support without requiring external OSes for users. Unless pakfire can't update the kernel for some specific reason.
On Sun, Jun 5, 2022 at 6:52 PM Tom Rymes tom@rymes.net wrote:
On Jun 5, 2022, at 11:58 AM, Peter Müller peter.mueller@ipfire.org wrote:
[snip]
Following this principle, I would like to see things such as the multimedia stack we currently support in IPFire 2.x go in IPFire 3.x.
[snip]
Peter,
This should be an interesting discussion, but first I want to confirm that I am reading the above sentence correctly. Specifically, “go in” could be interpreted two different ways:
1.) be added to
2.) be removed from
I assume it’s the latter, based on the context, but I figured it was worth asking just to be certain.
As for your main question, I understand the impulse for users to want to have a single machine to host files, serve as a firewall, be a hypervisor, and so on, but I tend to agree with your assessment that the firewall should be as dedicated a machine as possible.
As for the firmware issue, is it not possible to boot from another medium to accomplish this goal?
Tom