gnu-misc-discuss

Re: Truth matters when writing software and selecting leaders


From: Martin
Subject: Re: Truth matters when writing software and selecting leaders
Date: Tue, 30 Mar 2021 16:58:04 +0000

On 3/30/21 1:38 PM, Jean Louis wrote:
> * Martin <smartin@disroot.org> [2021-03-30 15:51]:
> > This kind of stories also have some pros. That time Jabber/XMPP network was
> > getting big "free" promotion from Facebook, Google, etc. Nowadays I'm still
> > using Jabber/XMPP and I have zero interest of having fb, g+, etc.
>
> I don't remember that neither Google nor Facebook advertised XMPP,
> they did not use directly that term. It was a hidden feature to a
> degree. I would be definitely contacting Google and Facebook users
> would they have XMPP today.
>
> So I would not contribute promotion of XMPP to them, and I am not sure
> if XMPP became more popular due to them.

The promotion of XMPP was not coming only from the official advertising campaigns but also from many technical blogs, podcasts and various other media noises partially sponsored by Google/Facebook. You cannot just ignore those facts, but anyway for me XMPP is really one of the best p2p communication systems to this day.

> > To really face the modern threats I would just use a term like: "clean
> > open-source, reproducible, bootstrappable, secure and free software".
> > It's long but at least it explicitly describes what it is about without any
> > confusion.
>
> In that sense you minimize the meaning of "free software", as if you
> use "open source" it means that maybe it is open source, but also free
> of charge -- so there is no definite information that you actually
> deal with free software as in liberty.

I don't agree with you. For me still "free software" doesn't explicitly state that the source should be open and even the hidden "freedom" element included in the definition is not precise enough to strictly require from the code to be open as I've explained multiple times in my previous mails. I agree though that open-source code could be released under many non-ethical licenses vulnerable to patent trolling, etc., but together with the word "free" it actually maximizes the meaning of my proposed long new term.

> What would mean "Clean"? I don't know.
>
> If you wish to avoid confusion simply refer by hyperlink to definition
> of free software: https://www.gnu.org/philosophy/free-sw.html
>
> Open source definition misses the point:
> https://www.gnu.org/philosophy/open-source-misses-the-point.en.html
>
> Please avoid using the term “open” or “open source” as a substitute for “free
> software.”
> https://www.gnu.org/philosophy/words-to-avoid.html#Open

The above links are the main source of confusion. Instead of redefining basic words, creating a blacklist of common synonyms and brainwashing people from their intuitions, it would be better to finally CLEAN that mess and Keep It Simple S...?

> Please avoid using the term “open” or “open source” as a substitute
> for “free software.” Those terms refer to a different set of views
> based on different values. The free software movement campaigns for
> your freedom in your computing, as a matter of justice. The open
> source non-movement does not campaign for anything in this way.
>
> When referring to the open source views, it's correct to use that name,
> but please do not use that term when talking about us, our software, or our
> views—that leads people to suppose our views are similar to theirs.
>
> Instead of open source, we say, free software or free (libre)
> software.

This is absurd, I would never use only the "free software" term for exactly the same reason I'm not using only the word "open-source". For me both cases are not precise and lead to misinterpretations. I don't see the reason to limit my vocabulary from the words you and your organizations simply don't like. If you don't understand the context of using terms like "open" or "open-source" you can just ask for more details. What if any freeware vendors start to use the "free software" term to promote their commercial products, how do you plan to stop them from doing it? Is the GNU "free software" definition protected under some trademark laws? If not, then why do you blindly assume that everyone should use it as it only pleases you?

> Yes, that was ironical. Any word may be misunderstood, but we shall
> not change our words to accommodate people who lack certain levels of
> education.

Are you saying that the inventor of the "free software" term was badly educated?

> Those who install their systems themselves are for me advanced
> users. They will hardly go for reproducible builds. If somebody is
> downloading few gigabytes of binaries to install on computer, that
> somebody will most probably, in the majority of this group of advanced
> users, never verify any sources. Hashes and PGP signatures may be
> verified automatically by the system package manager.
>
> There will be those who are responsible for security of data and may
> like to verify distributions or make their own, those will be doing
> verification checks. This group does not belong to group of end users.

Not so long ago a person who was able to use a text editor or any simple application on the first computers was considered an advanced user. In the early internet years people were putting in their resumes the ability to use web browsers, etc. Nowadays almost every end user is verifying PGP signatures, it's not rocket science anymore. People are sandboxing many layers of their working environments, using chroots, jails, containers, various virtualization, etc. There is a devops profession that fully automates complex pipelines and crafts fully transparent recipes so the end user can just click a button to trigger reproducible builds, bootstrappability, verification, testing, fuzzing, sanitizing and many other features for their software in some nice CI/CD fashion.

> No.
>
> I said that terms like "bootstrapping" or "reproducible" do not fall
> into definition of free software, those are technical methods of
> creation and verification of software.

Yes, because your "free software" term is also dedicated mainly to technical methods of modifying and compiling the software.

> I have already given few examples that "reproducible" does not mean
> secure. You have to compare your reproducible build with some
> original build, and you still have to trust the original build to be
> safe. It does not speak of safety, it just speaks of reproducibility
> of software as compared to the previous distributor.
>
> For end user it means nothing. End users are majority of user base. If
> they trust enough to online distributor to download gigabytes of
> software and boot the system, at that moment reproducible builds are
> of no importance, as user already expressed the trust to online
> distributor. Why now reproduce it oneself?!
>
> Reproducible builds only make sure that software was not tampered as
> compared to original build and its repository to the local build.

You are wrong again: reproducible-builds assures that every end user of the software is able to produce exactly the same binaries from the source code. So whenever someone would like to tamper with the official binaries it would be immediately detected by the software community, i.e.: https://github.com/bitcoin-core/gitian.sigs/

> Example of malicious intent easily to be placed online:
>
> 1. Insert various malicious code into GCC, that is to place backdoor
>    shells in all kinds of network services.
>
> 2. Build GCC.
>
> 3. Make new GNU/Linux distribution.
>
> 4. Publish it as fully free software, promote it as you wish.
>
> 5. Provide hashes of binaries, packages, PGP signatures.
>
> 6. Provide reproducibility for all binaries, except of few compilers.
>
> 7. Let people install software and verify the reproducible builds.
>
> 8. After some time, ping on some servers, like ping the port 7801 and
>    then 5 times 7802, knock on the door, and open up the root shell.

Have you ever tried to contribute to GCC or GNU/Linux? Have you ever heard about Diverse Double-Compiling https://dwheeler.com/trusting-trust/ ?

> Definition is fine, as definition does not speak of reproducibility,
> or bootstrapping, neither of hardware, it is general
> definition.

Your official definition is too general, hence it's useless in practice now. It's a shame for all RMS/FSF/GNU/Free organizations that for so many years even Guix is not yet fully bootstrappable.

> Definition alone cannot help anybody to get free software in their
> hardware, that is maybe matter of laws, personal preferences,
> lobbying, campaigning for it. Nobody points that out in public. That
> is serious problem. Nobody complains to their parliaments.

Obfuscated and pathological free software like GNAT are a much bigger problem, because their ridiculous lack of reproducibility and bootstrappability is officially endorsed by the GNU organization.

> Back in time all micro computer chips were well defined, their
> instruction sets and internals were defined and transparent. Today it
> is not so any more.

Today RISCV, OpenPOWER, MIPS, etc. are getting more and more popular.

> We are in agreement, but we have to act.
>
> The way to go is to convert number of users' machines from proprietary
> Windoze to free software OS. Then it will create an impact. Thus
> contributing to FSF campaigns will make the actual change.

I don't like free software OS like MacOSX either, even though it's based on open source FreeBSD ;)
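
Added example, not part of this message or the thread: a sketch of the community check the reproducible-builds exchange above argues about, comparing a distributor's published digests against digests recorded by independent rebuilders. The builder names, artifact names and byte strings are constructed sample data, and `check_release` is a hypothetical helper, not the gitian.sigs tooling.

```python
import hashlib
from collections import Counter

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def check_release(published, attestations, quorum=2):
    """Judge each published artifact against independent rebuilders' digests.

    published:    artifact -> digest of the binary offered for download
    attestations: builder -> {artifact -> digest of that builder's own build}
    """
    verdicts = {}
    for artifact, offered in published.items():
        seen = Counter(a[artifact] for a in attestations.values() if artifact in a)
        if sum(seen.values()) < quorum:
            verdicts[artifact] = "unverified"        # too few independent rebuilds
        elif len(seen) > 1:
            verdicts[artifact] = "not-reproducible"  # rebuilders disagree with each other
        elif offered in seen:
            verdicts[artifact] = "match"             # download equals every rebuild
        else:
            verdicts[artifact] = "mismatch"          # rebuilders agree, download differs
    return verdicts

# Constructed sample data: byte strings stand in for real build outputs.
CLEAN = b"tool-1.0 compiled from the tagged source"
ALTERED = CLEAN + b" plus bytes that are not in the source"
LIB, DOCS = b"libfoo-2.3 build output", b"docs build output"

SAMPLE_PUBLISHED = {
    "tool-1.0.tar.gz": sha256_hex(ALTERED),   # the download was modified after the build
    "libfoo-2.3.tar.gz": sha256_hex(LIB),
    "docs-1.0.tar.gz": sha256_hex(DOCS),
}
SAMPLE_ATTESTATIONS = {
    "builder-a": {"tool-1.0.tar.gz": sha256_hex(CLEAN),
                  "libfoo-2.3.tar.gz": sha256_hex(LIB),
                  "docs-1.0.tar.gz": sha256_hex(DOCS)},
    "builder-b": {"tool-1.0.tar.gz": sha256_hex(CLEAN),
                  "libfoo-2.3.tar.gz": sha256_hex(LIB)},
}

if __name__ == "__main__":
    for name, verdict in check_release(SAMPLE_PUBLISHED, SAMPLE_ATTESTATIONS).items():
        print(f"{verdict:16} {name}")
```

Agreement among rebuilders ties a binary to the source and toolchain they all used; it says nothing about a flaw carried in that shared source or compiler, which is the case Diverse Double-Compiling addresses.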




