gnu-linux-libre
From: Denis 'GNUtoo' Carikli
Subject: Re: [GNU-linux-libre] Good practices for removing nonfree code found in source code.
Date: Wed, 6 Oct 2021 13:58:13 +0200

On Tue, 5 Oct 2021 23:05:19 +0300
Jean Louis <bugs@gnu.support> wrote:

> * Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org> [2021-10-05
> 18:59]:
> > On Tue, 5 Oct 2021 11:05:58 +0300
> > Jean Louis <bugs@gnu.support> wrote:  
> > > Let us say somebody provides Windows source under GPL on Internet,
> > > that does not make Windows source legally licensed under GPL,
> > > because author or copyright holders never licensed it so. It
> > > should be very clear to businessmen, but is not clear to
> > > programmers.  
> > As I understand it, it all depends on who this somebody is. If this
> > somebody is Microsoft, it would look legit.
> > 
> > If not, it's crucial for most projects to stay as far away from leaked
> > source code as possible, because as I understand it, just
> > reading it increases the legal risks too much when the person
> > having read it contributes to projects that are too similar.  
> 
> Maybe the example was not good enough.
> 
> Imagine company ABC provides Windows source code under GPL.
If the full source code of Windows were released, I would expect
Microsoft to do it, and to have press releases about it and so on. So
here I would stay away from the source code released by ABC unless it's
some form of joke and the GPL source code is legit source code that
has nothing to do with Microsoft Windows.

> Distributions don't conduct enough due diligence, and users or
> downloaders even less.
I guess it depends on the distributions. Do you have ideas to increase
the quality of the checks in systemic ways?

> We are just lucky due to large number of free software being on one
> heap, it is not intentional that we don't get too many problems with
> it. Though such court cases are there.
> 
> > It's also up to the distributions to choose how they deal with legal
> > issues. For instance different distributions dealt differently
> > with software patents.   
> 
> And it is also up to the user to verify it.
Or to trust or not trust distributions. It would also be a good idea to
ask distributions how it's done.

> > As with the DMCA, the issue is also how to verify the claims that
> > are inside. For instance youtube-dl that as far as I know is fully
> > free software also got a DMCA takedown notice.   
> 
> Personally I am unable to verify if software is free. Time does not
> allow it. There is no mechanism to ensure it. It is all based on
> trust to people that I by large don't even know. It is same type of
> trust just as users of non-free software.
It's mostly trust in systems. And in both cases the systems are
different.

And that's how huge societies can and do function. You have to
interact with many people that you don't know, so you end up trusting
systems instead.

And here I'm not saying that it's necessarily a good thing in general as
it also has a lot of extremely catastrophic consequences for big human
societies but it would probably be way out of topic to discuss that
here.

The book Liars and Outliers[1] explores that in more detail.

In any case, even if it's far from perfect, I think that it works
mostly fine for free software, and that for nonfree software it is
mostly catastrophic (many built-in malware, spyware, backdoors, etc).

> But what in case of allegation, you cannot anymore prove where you got
> it from?!
That's precisely why I'm advocating for archiving source code released
by hardware vendors. 

Unfortunately in the case of Samsung, it's probably almost impossible
to back up that code without writing code[2], so I hope that one day a
volunteer will show up to do that.

Though all the source code that we rely on in Replicant is probably
already gone from opensource.samsung.com.

As for examples of known problematic software, the FreeCalypso[3]
project was based on leaked source code that it rebranded as free
software.

So here I try to stay away as much as possible from that project and
instead try to push people to work on porting osmocomBB[4] to some
microcontroller OS instead, and port the layer 2 and 3 on the modem so
that we would get a really free software equivalent.

As they also manufactured hardware, FreeCalypso has probably also
written code themselves that is in no way based on the leaked Calypso
source code, and they might also have written some unrelated software
(like tools for instance) from scratch, so if I needed to package
software like that I'd still try to verify that it has been written
from scratch and/or by reusing known free software.

The neat thing is also that the free software community usually has a
different coding style than the people working on nonfree software like
Microsoft Windows. You see that code style a lot in legit free
software source code releases from some hardware manufacturers (like
the dhd driver from Broadcom for instance), from ReactOS,
probably from Microsoft too, from TianoCore (a free software UEFI
implementation), etc.

So reading the source code (of the FreeCalypso tools for instance) will
also give you some clues, and enable you to ask questions if there is
some suspicious code.

Knowing the background also helps. For instance in Replicant I also
ask how the source code was written, for contributions bigger than
patches to existing code, and sometimes it enables us to track the
origin to some other free software source code. And when it's written
from scratch, it's also very useful as we can learn how to find the
documentation needed to write similar source code in the future. And in
cases like that even if we never meet the people physically, we tend to
know them on IRC.

And Linux also has a developer certificate of origin[5] that we also use
in Replicant, not necessarily to track the origin of code, but rather to
be compatible with upstream projects' requirements.

References:
-----------
[1] https://en.wikipedia.org/wiki/Liars_and_Outliers
[2] https://forge.softwareheritage.org/T2523
[3] https://www.freecalypso.org/
[4] https://osmocom.org/projects/baseband/wiki
[5] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/process/submitting-patches.rst#n363

Denis.
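The developer certificate of origin mentioned above is only useful for provenance tracking if someone actually checks that the sign-off trailers are present. The following is an added example, not code from Replicant, from Linux or from this thread: it parses a `git log` dump and reports commits with no `Signed-off-by:` trailer at all, and commits whose author never signed off (the case Linux's checkpatch.pl also warns about). It assumes the log was produced with `git log --format='%H%n%an <%ae>%n%B%x00'` (hash, author line, full message, NUL separator); the three commits in `SAMPLE_LOG` are constructed for the example.

```python
"""Added example: check Developer Certificate of Origin sign-offs in a git log.

Assumed input format (not Replicant's own tooling):
    git log --format='%H%n%an <%ae>%n%B%x00'
Each record is: commit hash, "Author Name <email>", raw commit message,
terminated by a NUL byte.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# One trailer per line, as required by submitting-patches.rst.
SIGNOFF_RE = re.compile(
    r"^Signed-off-by:\s*(?P<name>.+?)\s*<(?P<email>[^>]+)>\s*$", re.MULTILINE
)
EMAIL_RE = re.compile(r"<([^>]+)>")


@dataclass
class Commit:
    sha: str
    author: str      # "Name <email>" as emitted by %an <%ae>
    message: str     # full commit message (%B)


def parse_git_log(dump: str) -> list[Commit]:
    """Split a NUL-separated git log dump into Commit records."""
    commits: list[Commit] = []
    for record in dump.split("\x00"):
        record = record.strip("\n")  # git emits a newline after each record
        if not record:
            continue
        parts = record.split("\n", 2)
        sha, author = parts[0], parts[1]
        message = parts[2] if len(parts) > 2 else ""
        commits.append(Commit(sha=sha, author=author, message=message))
    return commits


def signoffs(commit: Commit) -> list[tuple[str, str]]:
    """All (name, email) pairs from Signed-off-by trailers in the message."""
    return [(m.group("name"), m.group("email").lower())
            for m in SIGNOFF_RE.finditer(commit.message)]


def missing_signoff(commits: list[Commit]) -> list[str]:
    """Commits that carry no Signed-off-by trailer at all."""
    return [c.sha for c in commits if not signoffs(c)]


def author_unsigned(commits: list[Command] if False else list[Commit]) -> list[str]:
    """Commits where the nominal author's email is not among the sign-offs.

    A maintainer's sign-off alone does not certify the author's origin claim.
    """
    result = []
    for c in commits:
        m = EMAIL_RE.search(c.author)
        author_email = m.group(1).lower() if m else ""
        if author_email not in {email for _, email in signoffs(c)}:
            result.append(c.sha)
    return result


# Constructed sample: three commits, only the first is fully in order.
SAMPLE_LOG = (
    "1111111111111111111111111111111111111111\n"
    "Alice Example <alice@example.org>\n"
    "libsamsung-ipc: add RIL request constants\n\n"
    "Written from scratch using the public protocol notes.\n\n"
    "Signed-off-by: Alice Example <alice@example.org>\n"
    "\x00\n"
    "2222222222222222222222222222222222222222\n"
    "Bob Example <bob@example.org>\n"
    "modem: import vendor source dump\n"
    "\x00\n"
    "3333333333333333333333333333333333333333\n"
    "Carol Example <carol@example.org>\n"
    "tools: fix build on newer toolchains\n\n"
    "Signed-off-by: Dave Maintainer <dave@example.org>\n"
    "\x00\n"
)


def report(dump: str) -> dict[str, list[str]]:
    """Run both checks over a log dump and return the offending hashes."""
    commits = parse_git_log(dump)
    return {
        "no_signoff": missing_signoff(commits),
        "author_unsigned": author_unsigned(commits),
    }


if __name__ == "__main__":
    for check, shas in report(SAMPLE_LOG).items():
        for sha in shas:
            print(f"{check}: {sha[:12]}")
```

Run it on a real repository with `git log --format='%H%n%an <%ae>%n%B%x00' | python3 dco_check.py` after replacing `SAMPLE_LOG` with `sys.stdin.read()`; the second check is deliberately stricter than "some sign-off exists", because a maintainer adding their own trailer while applying a patch says nothing about where the author got the code.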
