Updating Logitech Hardware on Linux
blogs.gnome.org
This is awesome. I've used Logitech hardware for the past 15 years and Linux for the past 12. Thank you Logitech and thank you Richard.
It's been a long journey but bit by bit, we're getting out of second class status.
This is super great. Impressed by Logitech as well for providing all the raw details to make this happen.
I hadn't heard about LVFS until now.
Shame to see the list of supported/supporting vendors is so short: https://secure-lvfs.rhcloud.com/lvfs/devicelist
Now that both Red Hat and Canonical (among other enterprise distributions) will be using this for firmware updates, I'm increasingly optimistic about more vendors joining in. LVFS is still a fairly young project, so I see the size of that list as encouraging.
Good for me that I read HN, otherwise I wouldn't have known about this vulnerability.
What is really worrying is that this is 1 year old yet the unifying receiver which came with 2 products I bought a month ago from a larger retailer (AMZ DE) had an older FW. And while it is understandable that the stock AMZ has might be older than a year, what is unacceptable is that they don't integrate a warning in their software, e.g. Logitech Options, which should inform you to update the vulnerable FW on the unifying receiver.
This is great work! Simple tasks such as managing peripheral devices are still a source of a lot of friction for Linux desktop. I am gladdened by Logitech's purported support for this.
Maybe it's time to see if we can get vendors to adopt fwupd, or something which can rely on the same dataset, as a standard cross-platform mechanism for updating firmware on devices which can conceivably be supported. I imagine it would take a considerable burden off of those vendors; marketing it as such has a decent chance of success. Not sure if Richard Hughes (thanks for assembling my ColorHUG by the way, if I go back to work in the next month or two I'll definitely get a ColorHug+, since I'm interested in verifying open source scanner calibration workflows) wants to make a living maintaining a firmware updater, though. It'd probably have to be somebody else.
For once, somebody is handling a security breach correctly. Yay, Logitech!
Am I missing something? From what I read, the author was frustrated by the lack of correct handling of the breach, and wanted to fix it himself. Logitech sent him a bunch of info on how the protocol works, but the author did all the hard work of writing the Linux firmware updater and patch, no?
Yes and no. Officially, Linux isn't supported, so Logitech could have just sent a link to the Supported Systems page and been done with it.
Instead, they sent documentation and got the Dev in touch with Logitech's internal dev team, and a Linux solution was born.
Would it have been cool if Logitech just did it from the get-go? Sure, but I think there is an element of "Cool" from Logitech's willingness to be a resource for the Linux community.
I'm more happy with the way this turned out than even if Logitech just released a closed-source Linux updater.
Props to Logitech. The more info out there about a device, the more likely I am to buy it.
Yeah I wouldn't underestimate the documentation part. It's surprisingly hard to get documentation or any help at all much of the time from vendors.
Yeah, and that's great. Most companies wouldn't do that. Most companies would just not do anything to help support Linux at all.
Logitech would get a much bigger warm fuzzy if they did this work themselves, but this is the next best thing.
Sure, that's true, I just think that most of the props should go to the person who actually implemented the fix.
I'm just impressed they got through the support barrier to someone who had the authority to make the right decision.
While I welcome the openness from Logitech, there are some elements that irk me.
First off, I do not like the trend of giving every damn vulnerability found a cute name and logo.
Second, the tool presented here seems overly reliant on the presence of the Freedesktop permissions model.
Rather than having a tool that root can run to do the firmware update and leave it at that, there is talk of daemons and d-bus interfaces to schedule updates and whatnot.
Maybe all this makes sense once one has 1000s of computers one wants to manage from a central UI. But for individual desktops it seems massively overdesigned.
Superb! We need more of this! I love my Logitech kit as it always seemed more reliable than the generic 2.4GHz stuff, this will make it better - thank you.
nice.. the OSS pairing stuff is great (solaar), now it will be better.. will continue to recommend logitech items to everyone I know..
TL;DR: using free software to ease the process of downloading and running binary blobs.
f/loss is starting to look like religion as long as we have these arbitrary boundaries.
I'm not sure if you're implying they should have used an incomplete, unstable reverse engineered version, or just used Windows to do the update, but if it's the latter:
Hardly seems like ideology was the limiting factor.
For people running Linux exclusively, like a lot of Red Hat’s customers
Some devices are plugged in behind racks of computers forgotten, or even hot-glued into place and unremovable
I'm talking about the software actually being updated; i.e. not the stuff running on the CPU.