Hi, I recently started putting together my smart home and connected a bunch of Zigbee bulbs and devices through Z2M to my Home Assistant instance. Today I received a notification of an available firmware update for some of my Philips Hue bulbs.
Where do those come from? Are they original Philips firmware updates or do they pose a safety concern? I tried to search a bunch on the internet but I didn't manage to find where these firmware files come from and whether I should just ignore the updates or not.
#Zigbee bulbs firmware update - Safe? Where do they come from?
Where they come from depends. The files are provided by other users.
https://www.zigbee2mqtt.io/guide/usage/ota_updates.html
I saw that page, but it didn't say anything about where the update files come from and if they're verified or not. I don't have a way to look for the updates served to me. Do you have other sources?
new additions in zigbee-OTA Releases
If you go there you can see the pull requests adding new firmware: https://github.com/Koenkk/zigbee-OTA/pulls?q=is%3Apr
Also see originalUrl here: https://github.com/Koenkk/zigbee-OTA/blob/master/index.json
From what I can tell there is only so much you can verify but feel free to look into the firmware file 😄
I eventually found this page and was combing through it but there's no trace of Hue firmwares so I guess they manage to capture the link and download straight from Philips
I would, if only I could find the firmware (cue Fairly Odd Parents meme)
Here's a Philips example:
So yeah, referencing a device to its firmware update file via human eyes sucks. You also don't often know what even changed.
The general recommendation is to leave it alone unless you have an issue to fix.
Thanks for going through the list and helping me out, I really appreciate it. Maybe I'm paranoid. I think I should just leave them alone too, even if I'd like to know more. I'm having no issue with the bulbs. Maybe could be something related to security? Are there "holes" in these devices that could prove to be troublesome?
I don't know. They don't have direct internet/network access, for example, but there could be other ways to potentially cause trouble. I don't know of any though.
Yeah, I'm asking a little too much. I guess everything is still in the air and we'll never know. Maybe I'll just try and see what happens, for science!
I doubt anything would change honestly. I'm using Hue White bulbs so it's not like I got effects to get going
The firmwares are directly from Philips, they got their hands on direct links. I was checking the registrars for the domain and all that and I traced them back to Philips
All the other firmware comes from the vendors too but since they don't all provide it publicly people have to resort to this: https://www.zigbee2mqtt.io/advanced/more/tuya_xiaomi_ota_url.html
Oh well, I'll make sure to never use Tuya or Xiaomi products in my home. So far I've found my peace with Philips and Ikea. We'll see what the future holds.
Thanks again for the help, you've been great. Have a nice rest of the day!
(not being dismissive, just don't want to waste any more of your time)
No problem. Same to you. No one's forcing us to answer and others can chime in as well. If you have a question just ask.