The LVFS project
The LVFS is a simple Flask web service using a MySQL database, and the code is available for review at GitLab. GitLab is also the place to file vendor feature requests and to ask vendors already on the LVFS to update specific models of hardware. You can run your own test instance by doing:
$ git clone https://gitlab.com/fwupd/lvfs-website.git
$ cd lvfs-website
$ ./app.wsgi
There is a low-volume lvfs-announce mailing list for the Linux Vendor Firmware Service, which will only be used to make announcements about new features and planned downtime.
If you are interested in what’s happening with the LVFS you can
The fwupd project
$ git clone https://github.com/fwupd/fwupd.git
Various plugins are included to update devices, including native support for UEFI, DFU, Unifying, Thunderbolt and ColorHug.
Is updating firmware secure?
In both the LVFS and fwupd, GPG crypto is performed using GnuPG and PKCS#7 crypto using GnuTLS. The fwupd daemon has no network access and only acts as the mechanism for clients using D-Bus and PolicyKit. Some devices also have additional hardware signature verification schemes implemented by the device manufacturer.
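What a PKCS#7 check of this kind accepts and rejects can be seen with a detached signature over a payload. This is an added example, not code from fwupd or the LVFS: it assumes the PKCS#7 use is detached-signature verification, uses the OpenSSL command line in place of GnuTLS, and all file names, signer names and helper functions are constructed for the demo.

```shell
#!/bin/sh
# Added example (not fwupd or LVFS code): detached PKCS#7 signature checks
# with the OpenSSL CLI standing in for GnuTLS. All file names and signer
# identities are constructed for this demo.

# Create a throwaway self-signed signer (key + certificate) in directory $1.
make_signer() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-signer" \
        -keyout "$1/signer.key" -out "$1/signer.crt" 2>/dev/null
}

# Sign payload $1 with cert $2 and key $3; the detached signature goes to $4.
sign_detached() {
    openssl smime -sign -binary -in "$1" -signer "$2" -inkey "$3" \
        -outform PEM -out "$4" 2>/dev/null
}

# Succeed only if signature $2 matches payload $1 and its signer is
# trusted via the certificate file $3.
verify_detached() {
    openssl smime -verify -binary -inform PEM -in "$2" -content "$1" \
        -CAfile "$3" -purpose any -out /dev/null 2>/dev/null
}

# Run three checks and print one verdict per check on a single line.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/trusted" "$d/other"
    make_signer "$d/trusted" && make_signer "$d/other" || return 1
    printf 'constructed firmware payload\n' > "$d/fw.bin"
    sign_detached "$d/fw.bin" "$d/trusted/signer.crt" "$d/trusted/signer.key" "$d/fw.p7"
    sign_detached "$d/fw.bin" "$d/other/signer.crt" "$d/other/signer.key" "$d/fw-other.p7"
    # Same bytes plus one appended byte: the signed digest no longer matches.
    { cat "$d/fw.bin"; printf 'X'; } > "$d/fw-tampered.bin"
    anchor="$d/trusted/signer.crt"
    verify_detached "$d/fw.bin" "$d/fw.p7" "$anchor" && r1=accepted || r1=rejected
    verify_detached "$d/fw-tampered.bin" "$d/fw.p7" "$anchor" && r2=accepted || r2=rejected
    verify_detached "$d/fw.bin" "$d/fw-other.p7" "$anchor" && r3=accepted || r3=rejected
    rm -rf "$d"
    printf 'intact:%s tampered:%s untrusted-signer:%s\n' "$r1" "$r2" "$r3"
}

demo
```

Only the intact payload signed by the trusted signer is accepted; a changed payload or a valid signature from a signer outside the trust anchor both fail.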
The LVFS and fwupd codebases have had several independent security audits. The LVFS has a huge number of tests run for each commit, and fwupd has a comprehensive test suite and is regularly scanned using both clang and Coverity.