Now that both Red Hat and Canonical (among other enterprise distributions) will be using this for firmware updates, I'm increasingly optimistic about more vendors joining in. LVFS is still a fairly young project, so I see the size of that list as encouraging.
Good for me that I read HN, otherwise I wouldn't have known about this vulnerability.
What is really worrying is that this is one year old, yet the Unifying receiver which came with two products I bought a month ago from a large retailer (AMZ DE) had an older FW. And while it is understandable that the stock AMZ has might be older than a year, what is unacceptable is that they don't integrate a warning in their software, e.g. Logitech Options, which should inform you to update the vulnerable FW on the Unifying receiver.
This is great work! Simple tasks such as managing peripheral devices are still a source of a lot of friction for the Linux desktop. I am gladdened by Logitech's purported support for this.
Maybe it's time to see if we can get vendors to adopt fwupd, or something which can rely on the same dataset, as a standard cross-platform mechanism for updating firmware on devices which can conceivably be supported.
I imagine it would take a considerable burden off of those vendors; marketing it as such has a decent chance of success. Not sure if Richard Hughes (thanks for assembling my ColorHUG by the way, if I go back to work in the next month or two I'll definitely get a ColorHug+, since I'm interested in verifying open source scanner calibration workflows) wants to make a living maintaining a firmware updater, though. It'd probably have to be somebody else.
Am I missing something? From what I read, the author was frustrated by the lack of correct handling of the breach, and wanted to fix it himself. Logitech sent him a bunch of info on how the protocol works, but the author did all the hard work of writing the Linux firmware updater and patch, no?
Yes and no. Officially, Linux isn't supported, so Logitech could have just sent a link to the Supported Systems page and been done with it.
Instead, they sent documentation and got the dev in touch with Logitech's internal dev team, and a Linux solution was born.
Would it have been cool if Logitech just did it from the get-go? Sure, but I think there is an element of "Cool" from Logitech's willingness to be a resource for the Linux community.
While I welcome the openness from Logitech, there are some elements that irk me.
First off, I do not like the trend of giving every damn vulnerability found a cute name and logo.
Second, the tool presented here seems overly reliant on the presence of the Freedesktop permissions model.
Rather than having a tool that root can run to do the firmware update and leave it at that, there is talk of daemons and D-Bus interfaces to schedule updates and whatnot.
Maybe all this makes sense once one has 1000s of computers one wants to manage from a central UI. But for individual desktops it seems massively overdesigned.
Superb! We need more of this! I love my Logitech kit as it always seemed more reliable than the generic 2.4 GHz stuff; this will make it better. Thank you.
I'm not sure if you're implying they should have used the incomplete, unstable reverse-engineered version, or just used Windows to do the update, but if it's the latter:
For people running Linux exclusively, like a lot of Red Hat’s customers
Some devices are plugged in behind racks of computers forgotten, or even hot-glued into place and unremovable
Hardly seems like ideology was the limiting factor.
It's been a long journey but bit by bit, we're getting out of second class status.