Newer #fwupd versions take the redirect from the LVFS and download firmware from the CDN, but older (and unsupported) fwupd clients don't handle the client-side redirect, so we just deliver the content directly.
It's expensive to supply firmware without the CDN. This mainly affects Debian, which never uprevs fwupd, which means lots of devices are missing firmware updates.
Unsupported fwupd versions download ~6% of all firmware updates but account for over 40% of the daily bandwidth. Ideas?
@hughsie I am assuming that this issue you have is with debian stable (bullseye) right?
There is going to be a new Debian release in the next few months. The freeze of the testing version is starting now, to prepare a new debian release.
Won't your problem solve it self out this quarter with the release of the next debian version?
@joao bullseye has 1.5.7 which isn't even the latest version from the 1.5.X branch -- but that's not my problem. Debian *stretch* users are downloading updates.
@hughsie just as a nitpick; Bookworm has. 1.8.8-1
But your answer gives more context to your problem. It was that missing that part, that you where referring to stretch users.
@hughsie Well I am going to avoid going into that debate _today_ by quoting Debian ;)
https://www.debian.org/releases/stretch/
"stretch benefits from Long Term Support (LTS) until the end of June 2022."
LTS support from the Debian for Stretch has ended 6 months ago.
I would argue that no one should use for security sensitive stuff a version of _any_ distro that the version is effectively past EOL.
@hughsie Stretch is under Extended LTS support which is maintained by an external company as a service, so please contact them if you want them to disable fwupd or so: https://wiki.debian.org/LTS/Extended
Please do not add scary warnings or other such things, that's just toxic and doesn't really help to foster collaboration
@bluca collaboration is a two way street; it doesn't mean "upstream maintainer has to do free work for benefit of private company" -- not sure I appreciate being called toxic either.
@hughsie if they don't even know there's a problem, how can there be a two-way street? Freeaxian is an employer of FOSS devs (as it can be seen on status reports such as https://www.freexian.com/blog/debian-lts-report-2022-12/ ), and publishes all the ELTS work it does on commission for free for anybody to use as explained in that link. Their contact details can be found at https://www.freexian.com/contact/
@joao is it fair to say that nobody should be using oldoldstable for anything security sensitive?