gnu-misc-discuss

Re: Truth matters when writing software and selecting leaders


From: Jean Louis
Subject: Re: Truth matters when writing software and selecting leaders
Date: Tue, 30 Mar 2021 16:38:25 +0300
User-agent: Mutt/2.0.6 (2021-03-06)

* Martin <smartin@disroot.org> [2021-03-30 15:51]:
> This kind of story also has some pros. At that time the Jabber/XMPP network was
> getting big "free" promotion from Facebook, Google, etc. Nowadays I'm still
> using Jabber/XMPP and I have zero interest in having fb, g+, etc.

I don't remember that either Google or Facebook advertised XMPP;
they did not use that term directly. It was a hidden feature to a
degree. I would definitely be contacting Google and Facebook users
if they had XMPP today.

So I would not attribute the promotion of XMPP to them, and I am not sure
if XMPP became more popular due to them.

> Facebook has also had a big impact on the evolution of the web in
> general. Together with Google, MS, Amazon, etc. they are creating web
> prisons heavily obfuscated with their JavaScript trash. It's almost
> impossible to browse modern websites (their "free" applications) in
> pure GNU "free software" environments.

How I see that impact: governments took about 10-15 years to act
on abuses of people's information. Today US courts are heavily
punishing Facebook, and maybe other similar companies too, for past abuses and
tracking of user information without consent. Europe has enacted
similar laws and Facebook and Google are pretty much protesting.

Following that observation it will be quite possible to enslave half
of the world digitally but also medically, until governments start
reacting and observing that human rights are in danger.

That is why the right time for outcries and protests is now. Not later.

> > You are free to introduce any new words into English or any other
> > language. Why not? Is there a law forbidding that? Languages are
> > changing throughout the centuries; the word "Libre" is today an English
> > word and it has its special definition for software.

> To really face the modern threats I would just use a term like: "clean
> open-source, reproducible, bootstrappable, secure and free software". It's
> long but at least it explicitly describes what it is about without any
> confusion.

In that sense you minimize the meaning of "free software", as, if you
use "open source", it means that maybe it is open source, but also free
of charge -- so there is no definite information that you actually
deal with free software as in liberty.

What would "Clean" mean? I don't know.

If you wish to avoid confusion, simply refer by hyperlink to the definition
of free software: https://www.gnu.org/philosophy/free-sw.html

The open source definition misses the point:
https://www.gnu.org/philosophy/open-source-misses-the-point.en.html

Please avoid using the term “open” or “open source” as a substitute for “free software.”
https://www.gnu.org/philosophy/words-to-avoid.html#Open

Please avoid using the term “open” or “open source” as a substitute
for “free software.” Those terms refer to a different set of views
based on different values. The free software movement campaigns for
your freedom in your computing, as a matter of justice. The open
source non-movement does not campaign for anything in this way.

When referring to the open source views, it's correct to use that name, but 
please do not use that term when talking about us, our software, or our 
views—that leads people to suppose our views are similar to theirs.

Instead of open source, we say, free software or free (libre)
software.

As a user of a fully free software distribution, I will install
exclusively those which are FSF endorsed, as there is good and better
certainty that my environment is free
software. https://www.gnu.org/distros/free-distros.html

What software is the software you have to distribute? 

> > > The problem I mentioned above is that "free software" unfortunately
> > > could also mean freeware for too many people who are not
> > > professional English linguists nor IT specialists.
> > That is right, for people on a lower literacy level it can mean
> > anything, including "freeze". For children it may mean just
> > nothing. The word "free" is definitely one of the most common words in
> > English. As I said, if there is any confusion, that means the person did
> > not verify the context where the word is used.

> You could say exactly the same about the word "open-source". It's very
> common nowadays and "...if there is any confusion, that means the person did not
> verify the context where the word is used."

Yes, that was ironic. Any word may be misunderstood, but we shall
not change our words to accommodate people who lack certain levels of
education.

> The precursor and the current leader of reproducible-builds efforts is still
> the Debian project. It's not a hypothetical effort anymore; there are more and
> more serious and big projects where this concept is used in practice, i.e.:
> Bitcoin, Guix, Coreboot, etc. The biggest benefit for the end user is the
> possibility to easily reproduce their source code and verify its compiled
> binaries with the whole community who is using it. This is so far the only
> way to fight against "Volkswagen emissions scandal" cases, where compromised
> dev environments could inject any malicious code into our "free
> software".

I do understand the purpose of it, but I do not see how it is relevant
for end users. It is relevant for security officers.

End users purchase computers and they may choose a computer with
GNU/Linux -- they couldn't care less if it is free software or not -- end
users are satisfied if they can watch videos, play music and do some
fundamental computer work like letter writing and similar. On that
level, end users will not verify anything, neither the licenses
nor where the software comes from; they may not know the
differences.

Those who install their systems themselves are for me advanced
users. They will hardly go for reproducible builds. If somebody is
downloading a few gigabytes of binaries to install on a computer, that
somebody will most probably, in the majority of this group of advanced
users, never verify any sources. Hashes and PGP signatures may be
verified automatically by the system package manager.

There will be those who are responsible for the security of data and may
like to verify distributions or make their own; those will be doing
verification checks. This group does not belong to the group of end users.

> > Yes, GNU Guix has a solution to fully bootstrap the system; it will come
> > there, if it is not yet there, and I hope that solution will be useful
> > for other distributions. Bootstrapping does not belong in the definition
> > of free software. But what cannot be said to be free software is a
> > compiler that cannot be compiled or bootstrapped itself. Again,
> > practically, the bootstrapping technique means something only to people
> > skilled in security; it means little to end users. I just hope that we
> > get bootstrappable systems.

> Using similar argumentation you could also say that "free software" in
> general means nothing to end users who are not skilled in security.

No.

I said that terms like "bootstrapping" or "reproducible" do not fall
into the definition of free software; those are technical methods of
creation and verification of software.

I have already given a few examples that "reproducible" does not mean
secure. You have to compare your reproducible build with some
original build, and you still have to trust the original build to be
safe. It does not speak of safety, it just speaks of reproducibility
of software as compared to the previous distributor.

For the end user it means nothing. End users are the majority of the user base. If
they trust an online distributor enough to download gigabytes of
software and boot the system, at that moment reproducible builds are
of no importance, as the user has already expressed trust in the online
distributor. Why now reproduce it oneself?!

Reproducible builds only make sure that the software was not tampered with,
comparing the original build and its repository to the local build.

Example of malicious intent that could easily be placed online:

1. Insert various malicious code into GCC, that is, to place backdoor
   shells in all kinds of network services.

2. Build GCC.

3. Make new GNU/Linux distribution.

4. Publish it as fully free software, promote it as you wish.

5. Provide hashes of binaries, packages, PGP signatures.

6. Provide reproducibility for all binaries, except for a few compilers.

7. Let people install software and verify the reproducible builds.

8. After some time, ping on some servers, like ping the port 7801 and
   then 5 times 7802, knock on the door, and open up the root shell.

> Thompson attack is a real issue:
> https://nitter.namazso.eu/_markel___/status/1373059797155778562 , you
> cannot trust your "free software" if you don't trust your
> compiler.

I agree fully, so Guix, Debian, Nix are working in that direction. I
hope that Guix becomes the prime distribution to bootstrap other
distributions.

> You cannot trust your compiler if you don't trust your hardware.

That is right.

> You cannot trust your hardware if you cannot validate the full
> fabrication process of it. The design of the whole system and chain
> of trust should be fully auditable by default.

Yes, I agree. That requires a stronger campaign, maybe in 20-30 days,
provided we start campaigning now.

> Worth highlighting is also the fact that most of the software we are using
> nowadays is highly overpowered; it is able to create full blown computers
> inside of your own computer, inside your font, MMU chip, etc.:
> https://www.gwern.net/Turing-complete . Conclusions are still the same: the
> definition of "free software" is outdated and it doesn't scale to protect
> the whole philosophy of software freedom from the arising real technological
> threats.

The definition is fine, as the definition does not speak of reproducibility,
bootstrapping, or hardware; it is a general
definition.

The definition alone cannot help anybody to get free software in their
hardware; that is maybe a matter of laws, personal preferences,
lobbying, campaigning for it. Nobody points that out in public. That
is a serious problem. Nobody complains to their parliaments.

Back in the day, all microcomputer chips were well defined; their
instruction sets and internals were defined and transparent. Today it
is not so anymore.

We are in agreement, but we have to act.

The way to go is to convert a number of users' machines from proprietary
Windoze to a free software OS. Then it will create an impact. Thus
contributing to FSF campaigns will make the actual change.

-- 
Jean

Take action in Free Software Foundation campaigns:
https://www.fsf.org/campaigns
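Jean's point above (reproducibility only proves that a rebuild matches the distributor's build, and step 6 of his scenario leaves the compilers outside that check) can be made concrete with a small audit. This is an added example, not code from the thread or from any distribution's tooling; the package names, byte strings and the "declared reproducible" and "toolchain" sets are constructed sample data.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample data: the byte strings stand in for package binaries.
# SHIPPED is what the distributor publishes (with SHA-256 sums), REBUILT is
# what an independent party produced from the same sources and recipe.
SHIPPED = {
    "gcc": b"gcc binary as shipped (no reproducibility recipe published)",
    "coreutils": b"coreutils binary v1",
    "openssh": b"openssh binary v1",
}
REBUILT = {
    "coreutils": b"coreutils binary v1",              # byte-identical
    "openssh": b"openssh binary v1 with extra bytes",  # differs from shipped
}
DECLARED_REPRODUCIBLE = {"coreutils", "openssh"}  # distributor's recipes
TOOLCHAIN = {"gcc"}  # build input of every other package

def audit(shipped, rebuilt, declared, toolchain):
    """Classify each shipped package by what a reproducibility check proves.

    'reproduced' only means the local rebuild is byte-identical to the
    distributor's build; it says nothing about whether that build is benign.
    """
    published = {n: sha256_hex(b) for n, b in shipped.items()}
    local = {n: sha256_hex(b) for n, b in rebuilt.items()}
    report = {}
    for name, digest in published.items():
        if name not in declared:
            report[name] = "unverifiable: excluded from reproducibility"
        elif name not in local:
            report[name] = "declared reproducible but not rebuilt"
        elif local[name] == digest:
            report[name] = "reproduced"
        else:
            report[name] = "MISMATCH: rebuild differs from shipped binary"
    # A reproduced package built with an unverifiable toolchain inherits
    # whatever trust (or lack of it) the toolchain carries.
    blind = [t for t in toolchain if report.get(t, "").startswith("unverifiable")]
    if blind:
        for name, status in report.items():
            if status == "reproduced":
                report[name] = f"reproduced, but trust inherited from {sorted(blind)}"
    return report

if __name__ == "__main__":
    for name, status in audit(SHIPPED, REBUILT, DECLARED_REPRODUCIBLE, TOOLCHAIN).items():
        print(f"{name:10} {status}")
```

The excluded toolchain package shows up as a blind spot, and every package that matches the distributor's build is flagged as inheriting that blind spot rather than being reported as verified.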
