en.osm.town is one of the many independent Mastodon servers you can use to participate in the fediverse.
An independent community of OpenStreetMap people on the Fediverse/Mastodon. Funding graciously provided by the OpenStreetMap Foundation.

#lvfs

Linux Vendor Firmware Service (LVFS) is a portal that allows hardware vendors to upload firmware updates and users to update device firmware via the fwupd daemon.

Firmware/BIOS updates are automated.

DATA COLLECTION
IP address.
User-agent of client.
Machine ID.
Filename.
Distribution name and version.

Data is stored in the United States via an Amazon Web Services (AWS) data center.

Website: fwupd.org

Replied to Richard Hughes

@hughsie At work, we run in GCP and I know for a matter of practical fact that they have staff to deal with network abuse, so if they aren't responding to you it's a choice.

In your place, I'd seriously consider publishing a policy that any ASN that fails to meaningfully respond to abuse reports in a timely fashion will have the entire ASN blocked from accessing #LVFS at all.

The #LVFS went down for a few minutes last night because someone DDoS'd the LVFS login page with over 200k requests over a few seconds. The requesting IP was 35.222.250.134 which is from AS396982, from Google. I've reported this kind of thing before but *nothing* ever happens.

I'm guessing this is a "security scan" but it's effectively a DDoS. Running a webserver doing anything useful in 2025 is *exhausting*.

PSA: The #LVFS has been down from about 5AM this morning; the machine the database is running on appears to be OOMing. I've opened a ticket with the sysadmin team at the Linux Foundation and am trying some mitigations in the meantime.

No idea on the root cause yet -- debugging now. If you see error messages from fwupd or gnome-software when refreshing or downloading firmware then that's why. Some downloads may work, as AWS is starting and draining containers like crazy. Send hugs!

wellllll not the cleanest code I ever wrote, but all things considered I'm pretty happy with this. It enables capsule updates for all Qualcomm devices (supported in upstream), without needing a table of devices, and supporting multiple boot methods (since some devices can run u-boot either as the first stage bootloader or chainloaded)

once this and some other bits are in, we can start the process of getting builds for some different smartphones onto #fwupd / #lvfs so you can not just have an EFI bootloader on your OnePlus 6, but it can get updates too regardless of which distro you're running :D

lore.kernel.org/u-boot/2025032

lore.kernel.org: [PATCH 2/4] mach-snapdragon: CapsuleUpdate: support all boot methods - Caleb Connolly

Replied in thread

@corbet @LWN we've also had to put an IP block on firmware downloads from the #LVFS per day because of AI scrapers -- which makes everyone else's life a little harder.

The scraper useragent is completely wrong and dynamic (but plausible) and they seem to completely ignore robots.txt. Quite what AI robots want with GBs of firmware archives is quite beyond me.

lore.kernel.org/lvfs-announce/ for details.

lore.kernel.org: Authentication soon required to mirror the entire LVFS

@hughsie Since October 2024, new #EU regulation came into place to ensure cyber resilience. This could be a motivation for lesser-known manufacturers that are very bad with firmware updates to join #lvfs.

digital-strategy.ec.europa.eu/

You once asked which manufacturers we would like to be added to #lvfs. Is this still a relevant question? I guess reaching out to more of them would now be easier...

Shaping Europe’s digital future: Cyber Resilience Act. The Cyber Resilience Act enhances cybersecurity standards of products that contain a digital component, requiring manufacturers and retailers to ensure cybersecurity throughout the lifecycle of their products.

Continued thread

...and we're done, back from a Postgres 11 to 16 migration. We were down 13 minutes in total, in a planned outage window of 3h.

All the thanks should go to Ryan at the Linux Foundation for all his hard work on this. I'd be a terrible sysadmin. #lvfs

Anyone got any better wording? This is the dialog I was going to add to gnome-firmware, asking users with updatable (but not supported) devices to upload the device list to the #LVFS so we can nag the vendor. The expander is default closed, but opens up to show the full JSON.