by cjbprime 3125 days ago
This sounds pretty good. But just to finish exploring this:

> But on the other hand, System76 customers are trusting that System76 hasn't been hacked or coerced to ship malicious firmware from the factory in the first place

I think it's reasonable to feel differently about those two risks.

Most notably, you only get one chance to load malware at the factory, whereas you have an infinite number of chances to push malware as a software update after that. It's harder for you to avoid being compromised forever than to avoid it at one specific moment. One person on your team could probably get malware signed and distributed as a targeted update without anyone else knowing, whereas doing it in the factory might take more coordination.

It's also tidier from an attacker's perspective to deliver malware just-in-time to a specific user, rather than to everyone, or to a machine that you hope will end up in the hands of the target weeks/months later. It's less detectable.

If you have a way to avoid being able to infer (e.g. by their IP address, correlated with other records) which human is asking for a firmware update file (or any update file) at the time it's downloaded, I recommend taking steps to deny yourself that knowledge.