> Guix System is an advanced distribution of the GNU operating system. It uses the Linux-libre kernel

It's worth pointing out that the linux-libre kernel is developed under the FSF doctrine that "binary blobs are bad unless you can't see them". This has been taken to its logical extreme here, where this Linux fork actively removes security warnings informing users that they need to update their CPU microcode, because microcode in ROM is fine but dynamically loaded microcode updates are not, in this school of thought.

https://lists.gnu.org/archive/html/info-gnu/2018-04/msg00002...

I have no interest in software that uses arbitrary religious dogma (that doesn't help users' freedom, as those users' CPUs have proprietary microcode whether they know about it or not) to justify censoring critical security vulnerability notifications for users. I regard this as actively evil anti-user behavior.

Huh? I've never updated my CPU microcode in other distros, nor did I receive warnings about it.

Do you have a better example?

Yes, you have; it's done automatically.

Serious question: why is something that is updated without you knowing about it ok?

Same way that it's ok that if you update your distro it fetches newer drivers, a new kernel and patched versions of all the software you installed? Microcode is loaded at runtime, it's not permanently modifying your system.

The question is still: are "magic incantations" in packages ok, considering that they allow the issuer to control your hardware more than if the code was baked into firmware just once?

Also, these packages allow vendors to keep quiet about security issues, because they can silently fix them in the next update.

Is it any more of a "magic incantation" than the linux-image-XYZ package which controls which OS kernel is installed? Or the linux-firmware package which controls what firmware gets loaded on various devices?

If you want to see when Intel issues new microcode updates, it is all available on their GitHub: https://github.com/intel/Intel-Linux-Processor-Microcode-Dat...