From: bill-auger
Subject: Re: Informing users that the directory doesn't review binaries. Was: [GNU-linux-libre] Criteria for Android applications
Date: Thu, 11 Nov 2021 22:06:25 -0500

my wording specifically is more educational, and (i believe)
more relevant to the typical libre OS user; because it warns of
all binaries, as inherently subject to doubt (pending only
each's personal endorsement, which mere use satisfies
implicitly), and that the reviewers looked at only source code,
which is not necessarily related to _any_ binaries from _any_
distributor

if/when reproducibility is the norm, that caveat could be
removed, or become a warning to prefer reproducibility (and help
by submitting your results)

a note WRT "app-stores" libre-hostile policies could be added
also; but i would avoid mentioning brand names

the simple fact i was illuminating, was/is this:

in practice, once someone explains to people that unsigned
binaries cannot be trusted, reproducibility/authenticity is
generally taken as more important to/by those people, than
hackability or licensing - understandably so, as it presents the
highest risk factor

o/c the FSDG goes well beyond licensing (eg: if reproducibility
was the norm, that could be considered as justification for a
new FSDG requirement) - until then, i suggest warning about it -
if i wrote it, i would likely be thinking to also suggest that
people learn how to verify signatures, as the solution (trust
only your distro's signatures)

i see a missed opportunity for essential education here - that
education would benefit distros especially, because the
"take-away" message of a hypothetical libre-101 course, is:
"learn how to trust your distro (your upstreams/supply-chain)
and get involved, learn how to file good BRs, maybe even learn to
triage and hack" - reproducibility offers a uniquely fruitful
conversation starter, leading to those lessons; because its
accuracy/usefulness depends on user-participation, and improves
as: n_peers

jen, how about:

> Although the source code has been determined to be libre,
> binaries distributed through some "app-stores" will not be free software.
>
> Furthermore, unsigned binaries are inherently untrustworthy.
> It is prohibitively difficult to determine whether or not
> any binary was actually produced, exactly and exclusively,
> from any specific sources (or from which).
>
> The Free Software Directory reviewers also do not audit the security
> of source code (certainly not binaries).
