* Free software is not trusted software
From: Lyberta @ 2019-01-16 14:09 UTC
To: Libreplanet Discuss

Today the Internet is filled with malware that is free software:

https://lyberta.net/articles/tech/free_sw_untrusted.html

_______________________________________________
libreplanet-discuss mailing list
libreplanet-discuss@libreplanet.org
https://lists.libreplanet.org/mailman/listinfo/libreplanet-discuss
* Re: Free software is not trusted software
From: Todd Weaver @ 2019-01-16 17:00 UTC
To: Lyberta, Libreplanet Discuss

Based on the conclusion of the page you link, I would suggest you evaluate and look to get involved in Reproducible Builds:

https://reproducible-builds.org/
https://wiki.debian.org/ReproducibleBuilds/History

Todd.

On Wed, 2019-01-16 at 14:09 +0000, Lyberta wrote:
> Today the Internet is filled with malware that is free software:
>
> https://lyberta.net/articles/tech/free_sw_untrusted.html
* Re: Free software is not trusted software
From: Caleb Herbert @ 2019-01-16 20:07 UTC
To: Todd Weaver, Lyberta, Libreplanet Discuss

Guix and GuixSD also do Reproducible Builds. (Although Debian is probably the more usable option right now.)
* Re: Free software is not trusted software
From: bill-auger @ 2019-01-16 22:21 UTC
To: libreplanet-discuss

On Wed, 16 Jan 2019 14:07:42 -0600 Caleb wrote:
> Guix and GuixSD also does Reproducible Builds. (Although Debian is
> probably the more usable option right now.)

"usable" is not the best word there - debian is the one that has the highest percentage of reproducible packages; but in fact, most distros are fully "usable" and are actively working toward the goal of reproducibility - in time, it will probably be the norm

https://reproducible-builds.org/who/
* Re: Free software is not trusted software
From: bill-auger @ 2019-01-16 22:57 UTC
To: libreplanet-discuss

On Wed, 16 Jan 2019 14:09:00 +0000 Lyberta wrote:
> https://lyberta.net/articles/tech/free_sw_untrusted.html

i think you are quite mistaken about JUCE - it does indeed contain a "phone home" feature; which caused a huge fuss within the community, which lasted for about 2 days, until everyone realized how harmless and un-intrusive it actually was

that anti-feature is a restriction only on those who opt in for the free tier of the commercial license; in order to write proprietary software with JUCE without a licensing fee - so any JUCE-based program with that feature enabled is almost certainly not "free software"

but JUCE may also be taken as GPL, which naturally gives the developer and all users the option to disable that feature (and any other undesirable ones) - those features are fully disclosed and simple to disable with a single #define

#define JUCER_ENABLE_GPL_MODE 1

doing so will disable the new anti-features by default in any program you create with your copy of JUCE, including the one in question here:

#define JUCE_REPORT_APP_USAGE 0

that is done in the same way and in the same file as where all JUCE sub-features have been enabled/disabled all along, along with others such as:

#define JUCE_USE_FLAC 1
#define JUCE_USE_OGGVORBIS 1
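The compile-time gate bill-auger describes, as an added illustration that is not JUCE's code or part of this thread: a hypothetical miniature of an AppConfig.h-style header in which JUCER_ENABLE_GPL_MODE sets the default of JUCE_REPORT_APP_USAGE, the reporting call is removed from the binary when the flag is 0, and a static_assert turns the "reporting must stay off in a GPL build" rule into a build failure rather than a thing to remember. The relationship between the two defines is taken from the message above and is an assumption; libraryInit, usageReportingCompiledIn and reportsAfterStartup are constructed stand-ins.

```cpp
// Hypothetical miniature of a JUCE-style feature gate; not JUCE's own headers
// or functions. Shows what an auditor can verify about a build's config.
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

// ---- constructed "AppConfig.h" section ----
// Assumption (from the mailing-list message): a GPL-option build is signalled
// by JUCER_ENABLE_GPL_MODE, and in that mode usage reporting defaults to off.
// A commercial free-tier build would default it to on (the weak setting).
#ifndef JUCER_ENABLE_GPL_MODE
#define JUCER_ENABLE_GPL_MODE 1
#endif

#ifndef JUCE_REPORT_APP_USAGE
#if JUCER_ENABLE_GPL_MODE
#define JUCE_REPORT_APP_USAGE 0   // hardened default under the GPL option
#else
#define JUCE_REPORT_APP_USAGE 1   // weak default: phones home at start-up
#endif
#endif

// Build-time audit: a GPL-mode build that still reports usage must not compile,
// e.g. if someone passes -DJUCE_REPORT_APP_USAGE=1 on the command line.
static_assert(!(JUCER_ENABLE_GPL_MODE && JUCE_REPORT_APP_USAGE),
              "usage reporting must be compiled out of a GPL-mode build");

// ---- constructed library code that the flag gates ----
// Every outbound report the library would have sent is recorded here instead
// of being transmitted, so the effect of the flag is observable offline.
static std::vector<std::string> g_outbound;

// Library start-up. The reporting call exists in the binary only when the
// flag is 1; with it at 0 the preprocessor removes the call entirely, so
// there is nothing left to disable at run time.
void libraryInit(const std::string& appName) {
#if JUCE_REPORT_APP_USAGE
    g_outbound.push_back("usage-report:" + appName);
#else
    (void)appName;
#endif
}

// True when the reporting path was compiled in: the fact an auditor wants
// to establish about a given binary's build configuration.
bool usageReportingCompiledIn() {
    return JUCE_REPORT_APP_USAGE != 0;
}

// Runs start-up from a clean state and returns how many reports were queued.
std::size_t reportsAfterStartup(const std::string& appName) {
    g_outbound.clear();
    libraryInit(appName);
    return g_outbound.size();
}

int main() {
    std::cout << "GPL mode: " << JUCER_ENABLE_GPL_MODE
              << ", reporting compiled in: " << std::boolalpha
              << usageReportingCompiledIn()
              << ", reports queued at startup: "
              << reportsAfterStartup("demo-app") << '\n';
    return 0;
}
```

Rebuilding with -DJUCER_ENABLE_GPL_MODE=0 shows the weak default (one report queued); rebuilding with both defines set to 1 is rejected by the static_assert, which is the check worth keeping in a real project's config header.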
* Re: Free software is not trusted software
From: Leah Rowe @ 2019-01-16 23:12 UTC
To: bill-auger, libreplanet-discuss

i would argue that use of open core software in and of itself is bad anyway, because it encourages and promotes this practise of having proprietary versions of software

On 16/01/2019 22:57, bill-auger wrote:
> On Wed, 16 Jan 2019 14:09:00 +0000 Lyberta wrote:
>> https://lyberta.net/articles/tech/free_sw_untrusted.html
>
> i think you are quite mistaken about JUCE - it does indeed contain
> a phone "home feature"; which caused a huge fuss within the
> community, which lasted for about 2 days, until everyone realized
> how harmless and un-intrusive it actually was
>
> that anti-feature is a restriction only on those who opt in for
> the free tier of the commercial license; in order to write
> proprietary software with JUCE without a licensing fee - so any
> JUCE-based program with that feature enable is almost certainly not
> "free software"
>
> but JUCE may also be taken as GPL, which naturally gives the
> developer and all users the option to disable that feature (and any
> other undesirable ones) - those features are fully disclosed and
> simple to disable with a single #define
>
> #define JUCER_ENABLE_GPL_MODE 1
>
> doing so, will disable the new anti-features by default in any
> program you create with your copy of JUCE, including the one in
> question here:
>
> #define JUCE_REPORT_APP_USAGE 0
>
> that is done in the same way and in the same file as where all
> JUCE sub-features have been enabled/disabled all along, along with
> others such as:
>
> #define JUCE_USE_FLAC 1
> #define JUCE_USE_OGGVORBIS 1

--
Leah Rowe

Libreboot developer and project founder.

Use free software. Free as in freedom.
https://www.gnu.org/philosophy/free-sw.html

Use a free BIOS - https://libreboot.org/
Use a free operating system, GNU+Linux.

Support computer user freedom
https://sfconservancy.org/
https://fsf.org/ - https://gnu.org/

Minifree Ltd, trading as Ministry of Freedom | Registered in England, No. 9361826 | VAT No. GB202190462
Registered Office: 19 Hilton Road, Canvey Island, Essex SS8 9QA, UK | Web: https://minifree.org/
* Re: Free software is not trusted software
From: bill-auger @ 2019-01-17 1:01 UTC
To: libreplanet-discuss

On Wed, 16 Jan 2019 23:12:44 +0000 Leah wrote:
> it encourages and promotes this practise of having
> proprietary versions of software

sure, but the OP was not suggesting anything of that sort - the explicit claim was that JUCE is un-trustable malware - the open-core concern is not really applicable to JUCE either, as there are no premium-only features withheld from the GPL version - it is exactly the same software offered with multiple licensing options
* Re: Free software is not trusted software
From: Thomas Harding @ 2019-01-17 10:52 UTC
To: libreplanet-discuss

Nothing would prevent LGPL code from being modified "almost silently" by a proprietary software author in order to obtain that kind of anti-features generally needed by proprietary software authors.

Moreover, proprietary software authors, including first the largest companies, will use copyright infringement if sufficient licence weaknesses are not found, as seen in the numerous patent suits and other battles regarding intellectual property.

So, maybe Free Software authors should use a more convenient flag, such as "ENABLE_FN_PROPRIETARY_STUFF", in order to keep a minimal control on unfair functionalities writing, especially by ensuring their peer review in order to keep the whole stuff mostly harmless, while releasing it to proprietary software authors and companies despite any strong or not Free Software Licence.

sorry for my terrible English,
Tsfh

On 17 January 2019 00:12:44 GMT+01:00, Leah Rowe <info@minifree.org> wrote:
>i would argue that use of open core software in and of itself is bad
>anyway, because it encourages and promotes this practise of having
>proprietary versions of software
>
>On 16/01/2019 22:57, bill-auger wrote:
>> On Wed, 16 Jan 2019 14:09:00 +0000 Lyberta wrote:
>>> https://lyberta.net/articles/tech/free_sw_untrusted.html
>>
>> i think you are quite mistaken about JUCE - it does indeed contain
>> a phone "home feature"; which caused a huge fuss within the
>> community, which lasted for about 2 days, until everyone realized
>> how harmless and un-intrusive it actually was
>>
>> [...]

--
I was born to share not hatred, but love.
Sophocles, Antigone, 442 BC
* Re: Free software is not trusted software
From: Taiidan @ 2019-02-25 20:44 UTC
To: libreplanet-discuss

I don't care if something is "harmless", I don't want anything phoning home no matter what - this is my computer and my network, not anyone else's.
* Re: Free software is not trusted software
From: overthefalls @ 2019-02-26 0:15 UTC
To: Taiidan; +Cc: libreplanet-discuss

On 2019-02-25 21:44, Taiidan@gmx.com wrote:
> I don't care if something is "harmless" I don't want anything phoning
> home no matter what - this is my computer and my network not anyone
> elses.

Hear hear
* Re: Free software is not trusted software
From: J.B. Nicholson @ 2019-01-17 3:44 UTC
To: libreplanet-discuss

Lyberta wrote:
> Today the Internet is filled with malware that is free software:
>
> https://lyberta.net/articles/tech/free_sw_untrusted.html

The article doesn't make it clear to me what is malware in any of the listed software. It seems to me that the saving grace of free software is that one can remove the malware, run and distribute the rest of the code, and retain full control over their computer. This takes effort but at least we're allowed to do it.

The article points out that auditing matters and I concur -- there's no substitute for auditing by someone one trusts. There's too much free software for anyone to do this alone but collectively we can get more of this done.

This is also why open source is not the enemy. Proprietary software is the enemy. In fact the FSF has long published this in their older article on how free software differs from open source:

From https://www.gnu.org/philosophy/free-software-for-freedom.html
> We don't think of the Open Source movement as an enemy. The enemy is
> proprietary software.

Proprietary software denies one the freedom to do the vetting that needs to be done. Open source may make some indefensible claims about how effective the open source development methodology is at reducing bugs and improving software, but that's nowhere near distributing malware.
* Re: Free software is not trusted software
From: Nicolás Ortega Froysa @ 2019-01-19 10:41 UTC
To: libreplanet-discuss

On Wed, Jan 16, 2019 at 09:44:43PM -0600, J.B. Nicholson wrote:
> Lyberta wrote:
> > Today the Internet is filled with malware that is free software:
> >
> > https://lyberta.net/articles/tech/free_sw_untrusted.html
>
> The article points out that auditing matters and I concur -- there's no
> substitute for auditing by someone one trusts. There's too much free
> software for anyone to do this alone but collectively we can get more of
> this done.

Considering that this is an issue that would affect nearly all distros, it may be a good idea to set up a central collective group for auditing software. This would help in various regards:

1. With various people manually auditing software packages, it increases the probability that these kinds of malware will be caught.

2. The members of this group will most likely be either already known members of the free software community, whom we can trust, or new members that, although not immediately trustworthy, will become more commonly known members soon after joining.

3. It gives people who are looking for ways to contribute to free software another way to contribute without necessarily having to code or write documentation. It could also be a gateway for these individuals to learn about these projects and contribute to them later.

4. Having a central and transparent intelligence on which kinds of projects tend to have malware in them would help us to optimize the auditing process, even automating certain elements of it, and know which kinds of software are more prone to contain malware.

5. It would greatly help the free distros, which are always working very hard to weed out software packages with non-free blobs. Proper auditing with a standard protocol would help to weed out these non-free packages in a more efficient and just manner.

Certain conditions would be needed to make sure that the effort is as distribution-agnostic as possible, but I believe such an effort would greatly benefit the free software community.

--
Nicolás Ortega Froysa
Live slowly, live happily!
https://themusicinnoise.net/
http://uk7ewohr7xpjuaca.onion/
Public PGP Key:
https://themusicinnoise.net/nortega@themusicinnoise.net_pub.asc
http://uk7ewohr7xpjuaca.onion/nortega@themusicinnoise.net_pub.asc
* Re: Free software is not trusted software
From: Julian Daich @ 2019-01-19 14:34 UTC
To: libreplanet-discuss

On 19/1/19 at 11:41, Nicolás Ortega Froysa wrote:
> 1. With various people manually auditing software packages, it increases
> the probability that these kinds of malware will be caught.
>
> 2. The members of this group will most likely be either already known
> members of the free software community, whom we can trust, or new
> members that, although not immediately trustworthy, will become more
> commonly known members soon after joining.

Hi,

Who will pay these people, who will take responsibility for their work, and to what extent is it different from what we have today?

Best,
Julian

--
Julian Daich
julian.daich@freecomputerlabs.org
FCL
www.freecomputerlabs.org
* Re: Free software is not trusted software
From: Nicolás Ortega Froysa @ 2019-01-20 18:01 UTC
To: libreplanet-discuss

On Sat, Jan 19, 2019 at 03:34:50PM +0100, Julian Daich wrote:
> El 19/1/19 a las 11:41, Nicolás Ortega Froysa escribió:
> > 1. With various people manually auditing software packages, it increases
> > the probability that these kinds of malware will be caught.
> >
> > 2. The members of this group will most likely be either already known
> > members of the free software community, whom we can trust, or new
> > members that, although not immediately trustworthy, will become more
> > commonly known members soon after joining.
>
> Who will pay this people, who will take responsability of their work and
> in what extend it is different in what we have today?

To answer your first question, the group would consist of volunteers. That being said, like with most FLOSS projects, if such a group were to attract the attention of companies using free software, it may receive full-time paid efforts, but we shouldn't count on this.

As for the contrast between what this would be and what we currently have, correct me if I'm wrong (I very well may be), but most of today's security auditing takes place on a per-project basis and mostly relies on people looking for security bugs within a project. However, this isn't really what we're talking about with this thread, but rather projects whose maintainers are actively inserting malware into their projects (that being said, I think we should make a distinction here between malware, features that could have potentially malicious consequences, and anti-features that can be disabled). The purpose would be to take a look at such projects that do not have proper security auditing and put the efforts of volunteers into auditing them.

It's also worth noting that this would make for another outlet for people who are interested in security and free software to enter the field and get their foot in the door.

--
Nicolás Ortega Froysa
Live slowly, live happily!
https://themusicinnoise.net/
http://uk7ewohr7xpjuaca.onion/
Public PGP Key:
https://themusicinnoise.net/nortega@themusicinnoise.net_pub.asc
http://uk7ewohr7xpjuaca.onion/nortega@themusicinnoise.net_pub.asc
* Re: Free software is not trusted software
From: bill-auger @ 2019-01-20 20:36 UTC
To: libreplanet-discuss

On Sun, 20 Jan 2019 19:01:02 +0100 Nicolás wrote:
> I think we should make a distinction here
> between malware, features that could have potentially malicious
> consequences, and anti-features that can be disabled).

there is one other distinction lurking in that statement that many tend to conflate as one and the same - that is the distinction between malware that is malicious in the sense of what is more commonly called "spyware" which is entirely a subjective privacy concern, and the sort of malware that actually does objective physical damage to your system, or data - it should be obvious to everyone that many people (perhaps the majority) have little or no concern for online privacy; but surely no one wants their data stolen or their OS broken

for the overwhelming majority of computer users, regardless of how adamant or indifferent one is about online privacy, there is a huge demonstrable difference in the actual severity of the "consequences" of those two forms of malware - they should not be so readily conflated, as i often see
* Re: Free software is not trusted software
From: Julian Daich @ 2019-01-20 22:54 UTC
To: libreplanet-discuss

On 20/1/19 at 19:01, Nicolás Ortega Froysa wrote:
> On Sat, Jan 19, 2019 at 03:34:50PM +0100, Julian Daich wrote:
>> El 19/1/19 a las 11:41, Nicolás Ortega Froysa escribió:
>>> 1. With various people manually auditing software packages, it increases
>>> the probability that these kinds of malware will be caught.
>>>
>>> 2. The members of this group will most likely be either already known
>>> members of the free software community, whom we can trust, or new
>>> members that, although not immediately trustworthy, will become more
>>> commonly known members soon after joining.
>>
>> Who will pay this people, who will take responsability of their work and
>> in what extend it is different in what we have today?
>
> To answer your first question, the group would consist of vulunteers.
> That being said, like with most FLOSS projects, if such a group were to
> attract the attention of companies using free software, it may receive
> full-time paid efforts, but we shouldn't count on this.

Hi,

I paste an answer I just replied to some folk in private.

Who will be the reviewers? If you cannot solve this question for the maintainers you will hardly solve it for the reviewers. Would it not be simpler and eventually more effective just to rank the trustability of the software according to the ratio of reviewers/maintainers?

Best,
Julian

> As for the contrast between what this would be and what we currently
> have, correct me if I'm wrong (I very well may be), but most of today's
> security auditing takes place on a per-project basis and mostly relies
> on people looking for security bugs within a project. However, this
> isn't really what we're talking about with this thread, but rather
> projects whose maintainers are actively inserting malware into their
> projects (that being said, I think we should make a distinction here
> between malware, features that could have potentially malicious
> consequences, and anti-features that can be disabled). The purpose would
> be to take a look at such projects that do not have proper security
> auditing and putting efforts of volunteers to audit this.
>
> It's also worth noting that this would make for another outlet for
> people who are interested in security and free software to enter the
> field and get their foot in the door.

--
Julian Daich
julian.daich@freecomputerlabs.org
FCL
www.freecomputerlabs.org
* Re: Free software is not trusted software
From: bill-auger @ 2019-01-21 3:02 UTC
To: libreplanet-discuss

as much as i hate to be a web blanket :) - i must say that my
suggestion to elect Nicolás the chief of this operation was entirely
sarcastic - this discussion is all well intentioned, of course, but
not very realistic

take this as one representative example (i.e. food for thought) - the
chromium web browser has been under suspicion for improper licensing
since it was released about 10 years ago - in that time, no one has
audited it comprehensively, not even its own developers were able to
reach a conclusion (it appears that they honestly did try), and probably
no one ever will be able to; not because of disinterest, but because of
the sheer magnitude of the task

it would probably take a reasonably sized team working full time for
about six months to audit that behemoth for licensing compliance alone,
then who knows how much longer to actually read all of the source code;
and that does not imply that any of the reviewers would have a thorough
understanding of what they have read - it is probably safe to assume
that not one developer of that program actually understands all of the
complex inter-workings of the many many parts of such a large code-base
- to expect a team of volunteers to accomplish that super-human feat is
... ok, i will say it ... a pipe dream - and that is only considering
one single software project - the proposal in this thread is literally
to audit every bit of source code that has ever been written and ever
will be written - it should be obvious that would be many orders of
magnitude more difficult

and by the way, i don't recall anyone suggesting that proper licensing
should be among the goals of this committee - that would actually be
best as the first thing audited; because it is a significantly simpler
task, and if the program is indeed improperly licensed, then the
evaluation can stop there, because no one has any right to use it
anyways - this is essentially the position of the FSDG distros by not
distributing chromium; and users are generally advised not to use any
software that the distro does not provide, regardless of any reasons
*why* the distro does not provide it

On Sun, 20 Jan 2019 23:54:16 +0100 Julian wrote:
> It will not be simpler and eventually more effective just to rank the
> trustability of the software according to the ratio of reviewers/
> maintainers?

so, call me a negative nancy if you will, but i suggest that an
optimistic estimation of that ratio would be on the order of one
reviewer for each 10,000 to 100,000 software projects; so those rankings
would differ only beyond the fifth decimal place, and the vast majority
would be forever marked: "pending evaluation - please help!" - again,
that's not because it is a bad idea, nor because no one is interested;
the scale of the endeavor itself renders its success dubious at best -
it is probably safe to assume that it would require at least as many
reviewers perpetually reviewing, as the number of developers that are
actively developing - BTW this is already in common practice under the
name "code review" - of course, not all projects do it, but they should
and ideally would if only they had the peoples-power to do so

just for a grounding in reality here: there is probably more software
published, to github alone, every day, than a team of a thousand
reviewers could audit in a year - simple math would indicate that this
would require a team of millions, just to keep on top of all the new
software that is published, and work slowly toward scratching the
surface of the back-log of existing software - if anyone wants to take
this proposal seriously, you may be better off playing the lottery in
hopes of being able to fund this effort for the first year

and just in case anyone is thinking: "automation! that's the solution!";
i suggest that you would probably need to solve "the halting problem"
before that fantastic "malware detector" program could be written

if you like (or even if you don't), you could consider the world of
free software (and the internet, and all software, really) not much at
all as alike to your grandmother's cozy, safe living room; but more
realistically like the wild outback - it contains all sorts of savages,
bandits and wolves, that have been there since the beginning and are
not likely to go away anytime in the foreseeable future - free software
is not to blame for that; it is a fact of life - free software is
actually the only hope in reducing whatever damage to society of which
such "bad neighbors" possess the potential to inflict

i would be sorry if that portrait frightens anyone away from using free
software, but it is the very price you pay for freedom in this, the only
universe we have to explore: everyone must be willing to accept the
risks associated with their own actions, and learn how to avoid the
activities which they consider to be dangerous; or else that person is
not responsible enough to competently manage themselves with that
particular level of freedom - there is a word for such people; they are
usually called: "children" - as a mature adult, no one else will,
should, or can accept those risks for you

the best that helpful shepherds can hope to do, is to warn Little Red
Riding Hood not to talk to strange wolves, or to keep her locked in at
home - the latter would be the metaphorical analog of turning your
computer OFF, or trusting that purveyors of proprietary software (a la
MS/apple/google) can "protect" her for you - luckily, the moral of this
story, is that the actual tangible "dangers" to this sort of activity
are as mythical as the Big Bad Wolf himself - if one exercises basic
common sense and restraint, then the worst "harm" those wolves can
actually do, is to corrupt your data or to spy on your web browsing -
they can not actually eat you, nor grandma - whew, now isn't that
comforting and reassuring - let us rejoice :)

perhaps this rant may sound hopelessly pessimistic to some, but i do
hope that no one would see it as a validation of the OP's claim - my
advice to anyone holding these concerns, is to trust your distro, use a
FSDG endorsed distro and do not use any software that your distro has
not provided - additionally, and as importantly: engage yourself with
your distro's developers, file bug reports, ask the experts about your
security concerns and for advice on how you can learn to manage them,
and so on - that is how bugs are found and fixed, and how privacy
concerns are identified and warned about or patched out; and that dialog
between users and devs seems to have been working quite well these many
years - because of that, i am not at all pessimistic nor frightened
about anything i mentioned in this post :)

that was fun - thanks for reading - if you made it this far down: you
are awesome!!
* Re: Free software is not trusted software
From: Nicolás Ortega Froysa @ 2019-01-22 10:07 UTC
To: libreplanet-discuss

On Sun, Jan 20, 2019 at 10:02:53PM -0500, bill-auger wrote:
> as much as i hate to be a web blanket :) - i must say that my
> suggestion to elect Nicolás the chief of this operation was entirely
> sarcastic - this discussion is all well intentioned, of course, but
> not very realistic
>

I will admit that I did not notice your sarcasm, but that aside, what
I'm trying to do is brainstorm ideas to solve the problem that was
brought about by this thread. In a brainstorm we come up with a
multitude of ideas, expand on them, and if they don't work we reject
them. Obviously, this one has been rejected, not only by how infeasible
it would be to audit that multitude of packages, but because such
projects already exist (as you pointed out in the other subthread).
Therefore the most productive topic of conversation at this point would
be narrowing down our brainstorming to how we could improve the already
existing process for auditing software.

> and by the way, i don't recall anyone suggesting that proper licensing
> should be among the goals of this committee - that would actually be
> best as the first thing audited; because it is a significantly simpler
> task, and if the program is indeed improperly licensed, then the
> evaluation can stop there, because no one has any right to use it
> anyways - this is essentially the position of the FSDG distros by not
> distributing chromium; and users are generally advised not to use any
> software that the distro does not provide, regardless of any reasons
> *why* the distro does not provide it
>

In my original reply I responded with the following statement (#5):

5. It would greatly help the free distros, which are always working very
hard to weed out software packages with non-free blobs. Proper auditing
with a standard protocol would help to weed out these non-free packages
in a more efficient and just manner.

Tying this back to my response to another subthread, if Debian Security
(or other security distro projects) don't already, it may be a good idea
to ask them to do so (if not only for their own sake). Of course, in the
case of the Debian project which has different repositories for non-free
software, I'm fairly certain that if they were to find non-free software
within a given package in the `main' repository they would notify the
maintainers to move it elsewhere.

> if you like (or even if you don't), you could consider the world of
> free software (and the internet, and all software, really) not
> much at all as alike to your grandmother's cozy, safe living room; but
> more realistically like the wild outback - it contains all sorts of
> savages, bandits and wolves, that have been there since the beginning
> and are not likely to go away anytime in the foreseeable future - free
> software is not to blame for that; it is a fact of life - free
> software is actually the only hope in reducing whatever damage to
> society of which such "bad neighbors" possess the potential to inflict
>
> i would be sorry if that portrait frightens anyone away from using free
> software, but it is the very price you pay for freedom in this, the only
> universe we have to explore: everyone must be willing to accept the
> risks associated with their own actions, and learn how to avoid the
> activities which they consider to be dangerous; or else that person is
> not responsible enough to competently manage themselves with that
> particular level of freedom - there is a word for such people; they are
> usually called: "children" - as a mature adult, no one else will,
> should, or can accept those risks for you
>
> the best that helpful shepherds can hope to do, is to warn Little Red
> Riding Hood not to talk to strange wolves, or to keep her locked in at
> home - the latter would be the metaphorical analog of turning your
> computer OFF, or trusting that purveyors of proprietary software (a la
> MS/apple/google) can "protect" her for you - luckily, the moral of
> this story, is that the actual tangible "dangers" to this sort of
> activity are as mythical as the Big Bad Wolf himself - if one exercises
> basic common sense and restraint, then the worst "harm" those wolves can
> actually do, is to corrupt your data or to spy on your web browsing -
> they can not actually eat you, nor grandma - whew, now isn't that
> comforting and reassuring - let us rejoice :)
>

Having freedom is certainly a responsibility, but that's one of the
reasons society exists in the first place. By distributing and
specializing different responsibilities between different members of the
community we achieve a much higher feat than if we were to simply act as
lone egoistic individuals. Relating this to free software, yes, we should
all know that our software could always contain some kind of malicious
code, or even code that accidentally does something horrible to our
machines. This is why most free software licenses come with a no
warranty clause. However we should still try to help one another to
prevent harm to those less prepared.

-- 
Nicolás Ortega Froysa
Vivu lante, vivu feliĉe!
https://themusicinnoise.net/
http://uk7ewohr7xpjuaca.onion/
Public PGP Key:
https://themusicinnoise.net/nortega@themusicinnoise.net_pub.asc
http://uk7ewohr7xpjuaca.onion/nortega@themusicinnoise.net_pub.asc
* Re: Free software is not trusted software
From: bill-auger @ 2019-01-23 3:48 UTC
To: libreplanet-discuss

frankly, i think that if this discussion is to be continued with any
sincerity, then it begs for a new "subject" heading; because the present
one is less indicative of a constructive discussion topic than
ignominious click-bait

On Tue, 22 Jan 2019 11:07:48 +0100 Nicolás wrote:
> Therefore the most productive topic of conversation at
> this point would be narrowing down our brainstorming to how we could
> improve the already existing process for auditing software.

i do think that the most notable deficiency is lack of involvement from
users, and resources in general; but i don't think anything is currently
being done improperly, suggesting any specific improvements - most
software projects, from the smallest to the largest, are under-staffed
at their roots, almost characteristically so; but most responsible dev
teams would do, and indeed do, these sort of self-evaluations
themselves, if and when they can manage the well established, routine
"best-practice" task of code-review

that was not to indicate any particular failure of any party - i would
say it's just a case of too few cooks trying to feed a disproportionate
number of passive customers who give nothing in return (and i don't mean
cash - bug reports and discussions are far more valuable) - perhaps many
do not "feel" empowered to help; but that would be entirely unfounded,
and not any fault of the developers - absolutely everyone can and should
participate, and no explicit invitation is required; because
participation generally is the default expectation upon users of free
software

On Tue, 22 Jan 2019 11:07:48 +0100 Nicolás wrote:
> 5. It would greatly help the free distros, which are always working
> very hard to weed out software packages with non-free blobs. Proper
> auditing with a standard protocol would help to weed out these
> non-free packages in a more efficient and just manner.
>
> if Debian
> Security (or other security distro projects) don't already, it may be
> a good idea to ask them to do so

your point #5 is nearly the same as all that i suggested; only the
perspective is inverted - for the most part, there is no other, new "it"
that would be needed to help distros to do anything that they are not
already doing - all distros want their software to be bug-free, and to
varying degrees: privacy-respecting and audit-able; and they already do
as well as they possibly can to ensure that - they may not all have a
formal "security team", but there is probably nothing new to ask of any
of them other than "how can i help you to acquire more people-power or
educate software users?"

On Tue, 22 Jan 2019 11:07:48 +0100 Nicolás wrote:
> I'm fairly certain that if they
> were to find non-free software within a given package in the `main'
> repository they would notify the maintainers to move it elsewhere.

i am too - i think non-free software can be safely ignored for the sake
of this discussion

On Tue, 22 Jan 2019 11:07:48 +0100 Nicolás wrote:
> yes, we should all know that our software could always contain some
> kind of malicious code, or even code that accidentally does something
> horrible to our machines. However we should still try to help
> one another to prevent harm to those less prepared.

again, i think we are in perfect agreement already - the wording of that
indicates something is being added that i neglected to mention - i
literally offered that particular "however" as the only real remedy
there is - little red riding hood must be aware of the risks that she
takes by venturing from the safety of grandma's living room, out into
the wild wilderness; or she would be wiser to stay home - forest rangers
are not needed when some common-sense survival skills will suffice, and
are standard equipment that every explorer is wise to possess before
leaving home

perhaps more wise and conscientious shepherds are needed to offer such
advice; but people generally do not respect advice if forced upon them
by some authority - everyone is responsible for educating themselves,
especially about topics that are subjective and otherwise outside the
scope of a general school education; and i do think that most people
prefer it that way - that is, for example, non-essential, leisure,
luxury, entertainment activities such as goofing off on the internet;
which is the reality of that for which people, who are the most in need
of such advice, actually do "need" their computers and pocket-phones -
this is no more essential nor mandatory than say: swimming lessons or
bicycle safety advice for those who choose to swim or ride a bicycle,
plus the extremely tiny sliver of the population who truly must engage
in such otherwise optional activities (such as carrying a pocket-phone),
*and* who are also actually interested in such "hand-holding" forms of
instruction

as long as good advice is available for the curious to find, responsible
people will seek it and find it - if they are also wise, they may even
heed it; but in the end, it is not actually anyone's responsibility to
provide that advice - it would be nothing more compulsory or
authoritative than a voluntary, neighborly, community service, to be
appreciated or ignored, at each one's own personal discretion and/or
peril

the suggestion of a ratings system, for example, is a step quite out of
line with friendly advice, suggesting a self-proclaimed authority - i
don't think the world needs that - your distro is already that authority
and your "shepherd", by the nature that they are the ones who are
curating the software on behalf of the majority of free software users -
that is precisely and entirely what distros exist for - the way that
most distros advise against acquiring software from third-parties, and
how debian separates non-free software from the main repos, and
parabola's privacy repo, for examples, are sufficiently adequate as such
guides for anyone curious enough to learn what those general
distinctions are

seriously let us start a new thread if this discussion is to continue -
i would have, but personally, i can not think of anything more that
needs discussing - how about: "Free Software Swimming Lessons"
* Re: Free software is not trusted software
From: Julian Daich @ 2019-01-26 21:17 UTC
To: libreplanet-discuss

On 21/1/19 at 4:02, bill-auger wrote:
> On Sun, 20 Jan 2019 23:54:16 +0100 Julian wrote:
>> It will not be simpler and eventually more effective just to rank the
>> trustability of the software according to the ratio of reviewers/
>> maintainers?
> so, call me a negative nancy if you will, but i suggest that an
> optimistic estimation of that ratio would be on the order of one
> reviewer for each 10,000 to 100,000 software projects;

So it will be worth advising users. The ratio I mentioned was only an
example. There can be many ways to rank software trustability.

>
> just for a grounding in reality here: there is probably more software
> published, to github

Software can be defined as not trustable by default unless it is
reviewed. Especially in these bug repositories. It will benefit the big
projects/users (Canonical, IBM, Intel, Google, GNU, etc.). These
entities/people not only care about the quality of the software they
include in their projects, but also about the potential problems caused
by the interaction with other programs.

> everyone must be willing to accept the
> risks associated with their own actions, and learn how to avoid the
> activities which they consider to be dangerous; or else that person is
> not responsible enough to competently manage themselves with that
> particular level of freedom

Free Software, especially under the GPL, is at the user's risk. No
warranties.

>
> my
> advice to anyone holding these concerns, is to trust your distro, use a
> FSDG endorsed distro and do not use any software that your distro has
> not provided - additionally, and as importantly: engage yourself with
> your distro's developers, file bug reports, ask the experts about your
> security concerns and for advice on how you can learn to manage them,
> and so on - that is how bugs are found and fixed, and how privacy
> concerns are identified and warned about or patched out; and that dialog
> between users and devs seems to have been working quite well these many
> years -

There is another point. Many Free Software users often confuse libre
with gratis. Having Free Software does not mean that less skilled users
can ask the more skilled ones to add features or fix bugs for free.

I mentioned the ranking solution because it is worthwhile for me and
also for other big and skilled parties. What we can do is start to raise
the alert.

Best,

Julian

-- 
Julian Daich
julian.daich@freecomputerlabs.org
FCL www.freecomputerlabs.org
* Re: Free software is not trusted software
From: bill-auger @ 2019-01-26 23:35 UTC
To: libreplanet-discuss

On Sat, 26 Jan 2019 22:17:39 +0100 Julian wrote:
> On 21/1/19 at 4:02, bill-auger wrote:
> > one reviewer for each 10,000 to 100,000 software projects;
>
> So it will be worth advising users.
> There can be many ways to rank software trustability.

that is missing my point - regardless of how you score the rankings, no
ranking could be assigned to any project until someone has actually
audited the code, and each reviewer would still have about 100,000
projects to review which would probably take each reviewer about 10,000
years to complete - so only a tiny portion of projects would ever be
assigned the ranking, unless there are literally millions of reviewers
working on the task, indefinitely forever

On Sat, 26 Jan 2019 22:17:39 +0100 Julian wrote:
> Software can be defined as not trustable by default unless it is
> reviewed.

how did you write that email? - has anyone audited your email client? -
your web browser? - your operating system? i think we all know, that no
one has comprehensively audited all of the software that you are using
for trustworthiness (or *any* of it really) - so by your definition,
none of the software that you, or i, or anyone is using right now is
"trust-worthy" - so why are you using any software at all, if you are so
convinced that people must trust all software that they use, but that
none of it can actually be trusted? - apparently, the criteria of
trustworthiness is not as important as people are pretending that it is;
or else none would be reading nor replying to any of these messages in
order to express that opinion

it should also not go without saying that the word "trust" is really not
applicable to software - computers merely execute the instructions they
are given - for the most part, you can "trust" that they will do exactly
what the codes specify, consistently, reliably, without deviation - the
word "trust" can only be sincerely used to refer to the people who write
the software - to say that you do not trust the software itself is
saying no more than: "i do not know how it works" - even if some very
smart person reviews it and gives it her "thumbs-up", you still "do not
know how it works" unless you read it yourself; therefore it is still
"untrustworthy" software by that same inappropriate description

On Sat, 26 Jan 2019 22:17:39 +0100 Julian wrote:
> Having Free Software does not mean that less skilled
> users can ask the more skilled ones to add features or fix bugs for
> free.

that is exactly what can, and does happen - and when it does not happen
"for free", it often happens because a user commissions someone to do
the work - of course, there is no guarantee that unskilled users will
get all of their wishes fulfilled (c'est la vie); but it most certainly
is a general possibility that proprietary software generally does not
offer - and that is not to mention the general possibility that
unskilled users can become skilled users if they choose to

the main point of that quoted message was that it is not reasonable in
this universe to expect anyone else to do anything for you, not for
gratis, nor for hire, unless you are a child - we are incredibly
fortunate that so much "free as in freedom" software exists for gratis -
yet that is not good enough for some people, and they expect it to also
be perfect, and perpetually decorated with novelties

On Sat, 26 Jan 2019 22:17:39 +0100 Julian wrote:
> I mentioned the ranking solution because it is worthwhile for me and
> also for other big and skilled parties.

i find the idea of ranking software to be inappropriate and
counter-productive to any common goal - unless that goal is to shame
people - software development is not a sport - no one needs to keep
score - such rankings could only lead to some projects optimizing for
the "score" as to snowball it into the "leader" position; while others
who behave more sincerely by focusing on the work rather than the vague
prescriptions of some external committee, and perhaps ranking lower for
that reason, would be starved for the attention that they deserve;
because everyone who puts their faith in the ranking system would view
them as hopelessly untrustworthy, simply for not playing "the game" as
the committee prescribes
* Re: Free software is not trusted software
From: bill-auger @ 2019-01-27 1:07 UTC
To: libreplanet-discuss

On Sat, 26 Jan 2019 18:35:15 -0500 bill-auger wrote:
> such rankings could only lead to some projects optimizing
> for the "score" as to snowball it into the "leader" position;

allow me to elaborate on that a bit - that was not merely a vague
prediction - it already happens - i have experienced it directly and it
is disturbing

recently, i was informed that one of my scripts had been added to a
popular software repo (i do not care to promote it by name) - i looked
at its entry on the web and noticed that every package is assigned
automated "scores" for quality, maintenance, popularity, and so on - my
script was assigned an extremely low score in all categories, so i
looked into their criteria out of curiosity - here are some of the more
ridiculous examples of where my script fails so miserably:

* if the project does not have at least 4 "badges" in its README file
  on github, it loses points for "code quality"
* if the project does not use travis-ci, it loses points for "code
  quality" - (IIRC, some points can be earned only by using premium
  proprietary web services)
* if the project does not create an official "release" on github at
  least once each month, it loses points in the "well maintained"
  category
* and IIRC, it actually loses points for not having their specific
  packaging metadata file prominently in the root of the repo master
  branch (precisely named with their corporate brand, of course); where
  it is actually just pollution, as packaging metadata serves no purpose
  in the release tarballs (aka. the git master branch)

to put that into context, my script has been full-featured and stable
for probably a longer amount of time than that company has existed - my
script would not benefit from any of those "essential" prescribed webby
adornments; and we should hope that no one would be compelled to add
them, merely to achieve a better score on some gamified "leader-board"

it should be obvious that any developer who puts stock in such rankings
is going to spend a disproportionate amount of time catering to the
scoring system rather than getting any real work done; but if people
treat software development like a game, and put popularity as a priority
goal, then that is exactly what will happen, and it is actually
counter-productive to the goal of quality

that is not to mention how insulting it is to an experienced developer
to be labeled with such badges of shame, when they know damn well that
their software is not poor quality; but that ignorant readers of such a
website which claims to be the authority on the topic are given exactly
that misleading impression

so i would say that for the sake of being responsible net-izens, it
would actually be preferable not to want your favorite software featured
on such a website at all, and to recommend that no one accepts such
rankings at face value - it certainly does no favor for otherwise
responsible developers, and misleads users into valuing only those
prescribed generic quality criteria - most disturbingly, it rewards
developers for treating their craft as a game, and punishes the ones who
take their work more seriously, and who avoid adding unnecessary baggage
for frivolous "populous" reasons
* Re: Free software is not trusted software
From: Julian Daich @ 2019-01-27 19:51 UTC
To: libreplanet-discuss

On 27/1/19 at 2:07, bill-auger wrote:
> On Sat, 26 Jan 2019 18:35:15 -0500 bill-auger wrote:
>> such rankings could only lead to some projects optimizing
>> for the "score" as to snowball it into the "leader" position;
>
> allow me to elaborate on that a bit - that was not merely a vague
> prediction - it already happens - i have experienced it directly and
> it is disturbing
>

Trustability ranks can be adjusted for not trolling people.
Defining/ranking software "quality" and user safety are different
things. Quality can be very arbitrary.

> recently, i was informed that one of my scripts had been added to a
> popular software repo (i do not care to promote it by name) - i looked
> at its entry on the web and noticed that every package is assigned
> automated "scores" for quality, maintenance, popularity, and so on - my
> script was assigned an extremely low score in all categories, so i
> looked into their criteria out of curiosity - here are some of the more
> ridiculous examples of where my script fails so miserably:
>
> * if the project does not have at least 4 "badges" in its README file
> on github, it loses points for "code quality"
> * if the project does not use travis-ci, it loses points for "code
> quality" - (IIRC, some points can be earned only by using premium
> proprietary web services)
> * if the project does not create an official "release" on github at
> least once each month, it loses points in the "well maintained"
> category
> * and IIRC, it actually loses points for not having their specific
> packaging metadata file prominently in the root of the repo master branch
> (precisely named with their corporate brand, of course); where it is
> actually just pollution, as packaging metadata serves no purpose in
> the release tarballs (aka. the git master branch)
>
> to put that into context, my script has been full-featured and stable
> for probably a longer amount of time than that company has existed
> - my script would not benefit from any of those "essential" prescribed
> webby adornments; and we should hope that no one would be compelled to
> add them, merely to achieve a better score on some gamified
> "leader-board"
>
> it should be obvious that any developer who puts stock in such rankings
> is going to spend a disproportionate amount of time catering to the
> scoring system rather than getting any real work done; but if people
> treat software development like a game, and put popularity as a priority
> goal, then that is exactly what will happen, and it is actually
> counter-productive to the goal of quality
>
> that is not to mention how insulting it is to an experienced developer
> to be labeled with such badges of shame, when they know damn well that
> their software is not poor quality; but that ignorant readers of such a
> website which claims to be the authority on the topic are given exactly
> that misleading impression
>
> so i would say that for the sake of being responsible net-izens, it
> would actually be preferable not to want your favorite software featured
> on such a website at all, and to recommend that no one accepts such
> rankings at face value - it certainly does no favor for otherwise
> responsible developers, and misleads users into valuing only those
> prescribed generic quality criteria - most disturbingly, it rewards
> developers for treating their craft as a game, and punishes the ones
> who take their work more seriously, and who avoid adding unnecessary
> baggage for frivolous "populous" reasons
>

-- 
Julian Daich
julian.daich@freecomputerlabs.org
FCL www.freecomputerlabs.org
* Re: Free software is not trusted software
  2019-01-27 19:51 ` Julian Daich
@ 2019-01-28  3:15 ` bill-auger
  0 siblings, 0 replies; 35+ messages in thread
From: bill-auger @ 2019-01-28 3:15 UTC (permalink / raw)
To: libreplanet-discuss

On Sun, 27 Jan 2019 20:51:59 +0100 Julian wrote:
> Trustability ranks can be adjusted so as not to troll people.
> Defining/ranking software "quality" and user safety are different
> things. Quality can be very arbitrary.

that was not to say that the rankings can only be intended for shaming (and shaming is not the same as "trolling", BTW) - it was only to say that shaming is the only common goal that it could be used for successfully; and i don't think that is anyone's goal - as you pointed out yourself, the common goal of "quality" is arbitrary; but then you seem to be indicating that "trustworthiness" is not arbitrary - "trustworthiness" and "safety" are not only arbitrary, but so totally subjective as to be barely definable - i will say it again for clarity, the word "trustworthiness" is applicable only to people, but not inanimate objects such as computers - merely the use of that word in this context is arbitrary and imprecise on the face of it - likewise, i don't see how the word "safety" could be used sincerely to describe the sorts of everyday computing activities that most people engage in

i have no doubt that the intentions here are sincere; but the words you are using are so vague as to be dubious and nearly inapplicable to the discussion - if the proposed methods or intentions are just as vague and inapplicable, this would be a fatally misguided misadventure - so please let us use appropriate words to describe those plans and intentions

for example, you could "trust" (or mistrust) a person to respect your "privacy"; but *only* if that person had previously promised to do so - no such promises are the default condition or obligation; just a common courtesy, by convention, in some societies - when you interact with a web server, that is someone else's computer, and that person is free to do as they wish with the data you give them, as far as copyright and patent laws permit - the owner of that computer alone sets the behavioral norms in the context of that computer's usage and any remote users of it - they have no obligation to protect "your" data, nor to keep that data, or your interactions with their service, a secret (except for certain very specific data mandated by specific laws, such as banking and medical records) - therefore it is completely unreasonable to hold the opinion that one should be able, by default, to "trust" every other computer operator in the world (who is, in reality, a total stranger, BTW) to do these things of which they are not obligated, and may not even be the norm of their culture - in some cases, that computer operator will make some "community promises" in the form of formal "privacy statements" - only then could words like "trust" be applicable - that trust would only be applicable to what is explicitly promised in the formal document (as expressed by that computer's owner, not the desires of any remote user); and it is arbitrary and different for every service on the internet - there simply is no way to define nor hold any party to any universal standard of "trustworthiness"

the word "safety" implies "danger"; as in: "a hungry lion is chasing you" - "safety" does not mean: "there is no one spying on you" - the correct word for that is: "privacy" - nor does it mean: "no one will use your credit card numbers to buy a lady gaga CD without your permission" - the correct word for that is: "fraud" - neither of those bear any resemblance to being eaten by a lion - i think most people can agree what "safety" means in the context of power tools, weapons, and wild animals - with those tangible objects, there are objectively verifiable consequences to their untrained misuse, that most sane people would readily agree upon without argument; but regarding computer use, there simply is no objective criteria that would be important to everyone - whatever "safety" means to you in the context of computers, it is not likely to mean the same thing to any other person - again, it should be obvious that the majority of computer users do not see them as "dangerous" and are not "afraid" of them in any way - that is not because they are blind or ignorant - it is because computing is not actually "dangerous" by any realistic definition - therefore, any standards of "safety" that such a committee draws is arbitrary, fitting only the personal concerns of its authors, possibly omitting the concerns of some users, and not generally applicable to any program, service, or user

it is simply not possible to accurately gauge such subjective concerns with a pre-defined, one-size-fits-all criteria; but if such a ranking system was to be applied at any scale, it could be only feasible with some pre-defined, one-size-fits-all criteria, and applied by some automated mechanism (such as that goofy system i described yesterday) - there would be hardly enough time to apply those criteria automatically to a small percentage of projects in existence; the problem is completely intractable if each project is to be gauged manually by the distinct, time-consuming, hand-picked criteria that would be accurately suitable for that particular program or service

so even if this were feasible, i think the end result would be the qualifying of projects by criteria that is too generic to accurately describe any of them; and if people give any credibility to the rankings, developers would start spending valuable time fitting their software and development methodologies to satisfy those generic criteria, which may not be appropriate to their project - cargo-cult development, if you will, which is counter-productive toward any goal other than populous approval
* Re: Free software is not trusted software
  2019-01-26 23:35 ` bill-auger
  2019-01-27  1:07 ` bill-auger
@ 2019-01-27 19:40 ` Julian Daich
  2019-02-17  5:34 ` overthefalls
  1 sibling, 1 reply; 35+ messages in thread
From: Julian Daich @ 2019-01-27 19:40 UTC (permalink / raw)
To: libreplanet-discuss

On 27/1/19 at 0:35, bill-auger wrote:
> On Sat, 26 Jan 2019 22:17:39 +0100 Julian wrote:
>> On 21/1/19 at 4:02, bill-auger wrote:
>>> one reviewer for each 10,000 to 100,000 software projects;
>>
>> So it will be worthwhile to advise users.
>> There can be many ways to rank software trustability.
>
> that is missing my point

It is just thinking differently.

> On Sat, 26 Jan 2019 22:17:39 +0100 Julian wrote:
>> I mentioned the ranking solution because it is worthwhile for me and
>> also for other big and skilled parties.
>
> i find the idea of ranking software to be inappropriate and
> counter-productive to any common goal -

Wikipedia ranks pages all the time and they are doing well. As you pointed out before, most of the software will not be reviewed unless there is a real interest in checking it.

Best,

Julian

> unless that goal is to
> shame people - software development is not a sport - no one needs to
> keep score - such rankings could only lead to some projects optimizing
> for the "score" as to snowball it into the "leader" position; while
> others who behave more sincerely by focusing on the work rather than
> the vague prescriptions of some external committee, and perhaps ranking
> lower for that reason, would be starved for the attention that they
> deserve; because everyone who puts their faith in the ranking system
> would view them as hopelessly untrustworthy, simply for not playing
> "the game" as the committee prescribes

-- 
Julian Daich
julian.daich@freecomputerlabs.org
FCL www.freecomputerlabs.org
* Re: Free software is not trusted software
  2019-01-27 19:40 ` Julian Daich
@ 2019-02-17  5:34 ` overthefalls
  0 siblings, 0 replies; 35+ messages in thread
From: overthefalls @ 2019-02-17 5:34 UTC (permalink / raw)
To: Julian Daich; +Cc: libreplanet-discuss

On 2019-01-27 12:40, Julian Daich wrote:
> On 27/1/19 at 0:35, bill-auger wrote:
>> On Sat, 26 Jan 2019 22:17:39 +0100 Julian wrote:
>>> On 21/1/19 at 4:02, bill-auger wrote:
>>>> one reviewer for each 10,000 to 100,000 software projects;
>>>
>>> So it will be worthwhile to advise users.
>>> There can be many ways to rank software trustability.
>>
>> that is missing my point
>
> It is just thinking differently.
>
>> On Sat, 26 Jan 2019 22:17:39 +0100 Julian wrote:
>>> I mentioned the ranking solution because it is worthwhile for me and
>>> also for other big and skilled parties.
>>
>> i find the idea of ranking software to be inappropriate and
>> counter-productive to any common goal -
>
> Wikipedia ranks pages all the time and they are doing well. As you
> pointed out before, most of the software will not be reviewed unless
> there is a real interest in checking it.
>
> Best,
>
> Julian
>
>> unless that goal is to
>> shame people - software development is not a sport - no one needs to
>> keep score - such rankings could only lead to some projects optimizing
>> for the "score" as to snowball it into the "leader" position; while
>> others who behave more sincerely by focusing on the work rather than
>> the vague prescriptions of some external committee, and perhaps
>> ranking lower for that reason, would be starved for the attention
>> that they deserve; because everyone who puts their faith in the
>> ranking system would view them as hopelessly untrustworthy, simply
>> for not playing "the game" as the committee prescribes

Sorry to butt in, but I don't know of anyone that looks at Wikipedia page rankings to decide the security or privacy-respecting attributes of that page, so I don't think that comparison has any merit or relevance here.
* Re: Free software is not trusted software
  2019-01-20 18:01 ` Nicolás Ortega Froysa
  2019-01-20 20:36 ` bill-auger
  2019-01-20 22:54 ` Julian Daich
@ 2019-01-21  8:05 ` Andrew Luke Nesbit
  2019-01-21 22:45 ` bill-auger
  2 siblings, 1 reply; 35+ messages in thread
From: Andrew Luke Nesbit @ 2019-01-21 8:05 UTC (permalink / raw)
To: libreplanet-discuss, Nicolás Ortega Froysa

On 20/01/2019 18:01, Nicolás Ortega Froysa wrote:
> It's also worth noting that this would make for another outlet for
> people who are interested in security and free software to enter the
> field and get their foot in the door.

This is an excellent motivation.

Andrew
-- 
OpenPGP key: EB28 0338 28B7 19DA DAB0 B193 D21D 996E 883B E5B9
* Re: Free software is not trusted software
  2019-01-21  8:05 ` Andrew Luke Nesbit
@ 2019-01-21 22:45 ` bill-auger
  2019-01-22  9:34 ` Nicolás Ortega Froysa
  0 siblings, 1 reply; 35+ messages in thread
From: bill-auger @ 2019-01-21 22:45 UTC (permalink / raw)
To: libreplanet-discuss

On Mon, 21 Jan 2019 08:05:23 +0000 Andrew wrote:
> On 20/01/2019 18:01, Nicolás Ortega Froysa wrote:
> > It's also worth noting that this would make for another outlet for
> > people who are interested in security and free software to enter the
> > field and get their foot in the door.
>
> This is an excellent motivation.

more committees are rarely, if ever, desirable - splintering of efforts leads to redundant efforts, and therefore wasted time - a far better approach would be for the community to focus more on the existing "outlets", that are already equipped and experienced in this very task, because they have been doing it for many years (such as their distro maintainers - for example: https://www.debian.org/security/audit/) - some of them have been doing exactly what is being proposed here for more time than some people reading this have existed on this planet - no one needs a new invitation to put their foot into any new doors - those doors already exist and are already encouraging everyone to involve themselves - please do feel free to put your foot into one of those existing doors today - to conclude that a brand new separate committee would somehow do a better job is very myopic, uninformed, and therefore not sincerely motivated

note this quote from the debian security team wiki page:

  Due to the sheer size of the current Debian release it is infeasible
  for a small team to be able to audit all the packages, so there is a
  system of prioritizing packages which are more security sensitive.

debian has the largest team of maintainers of any distro in existence and that has been true for more time than most of its software has existed - if they are conceding that they do not have enough help to comprehensively audit all of the software that debian distributes, how could any reasonable person presume that it would be more effective to create a new separate team from zero, with the goal of auditing all software in existence?

such efforts, when focused around your software distribution of choice, are better organized and tailored to your system, and so optimally effective; even if only because the decisions made in that committee directly determine which software is available in the distro's repos and which is plainly unavailable - as long as users are well-advised to avoid software that is not provided by their distro, then users who are not interested in, or qualified for, auditing software, or participating in the security discussions, can casually and confidently use whatever software exists in their distro's repos, and effortlessly ignore what is not there

the only rational arguments that i can foresee that could oppose anything i just wrote are of this sort:

* i refuse to use a free software operating system
* i do not trust the maintainers of my distro
* i routinely use software that my distro does not endorse

anyone with any such objection is intentionally creating an avoidable problem for themselves (aka. a false dilemma); a self-imposed problem that is no reflection of the state of free software nor free software distros, but indicative of one's lack of faith in and/or dedication to the merits and principles of free software
* Re: Free software is not trusted software
  2019-01-21 22:45 ` bill-auger
@ 2019-01-22  9:34 ` Nicolás Ortega Froysa
  0 siblings, 0 replies; 35+ messages in thread
From: Nicolás Ortega Froysa @ 2019-01-22 9:34 UTC (permalink / raw)
To: libreplanet-discuss

On Mon, Jan 21, 2019 at 05:45:57PM -0500, bill-auger wrote:
> On Mon, 21 Jan 2019 08:05:23 +0000 Andrew wrote:
> > On 20/01/2019 18:01, Nicolás Ortega Froysa wrote:
> > > It's also worth noting that this would make for another outlet for
> > > people who are interested in security and free software to enter the
> > > field and get their foot in the door.
> >
> > This is an excellent motivation.
>
> more committees are rarely, if ever, desirable - splintering of efforts
> leads to redundant efforts, and therefore wasted time - a far better
> approach would be for the community to focus more on the existing
> "outlets", that are already equipped and experienced in this very task,
> because they have been doing it for many years (such as their distro
> maintainers - for example: https://www.debian.org/security/audit/) -
> some of them have been doing exactly what is being proposed here for
> more time than some people reading this have existed on this planet -
> no one needs a new invitation to put their foot into any new doors -
> those doors already exist and are already encouraging everyone to
> involve themselves - please do feel free to put your foot into one of
> those existing doors today - to conclude that a brand new separate
> committee would somehow do a better job is very myopic, uninformed, and
> therefore not sincerely motivated

I was not aware of the existence of this project, I was simply brainstorming an idea. Considering this, I agree that it is much more efficient for people to join an already existing project (that would not have to waste time on organization, as a new one would) such as Debian's.

What's more, despite this being distro-specific, their announcements are public, and therefore communication between multiple distros would not be an issue and double work between them can be easily avoided.

Thanks for the catch, Bill.

-- 
Nicolás Ortega Froysa
Vivu lante, vivu feliĉe!
https://themusicinnoise.net/
http://uk7ewohr7xpjuaca.onion/
Public PGP Key:
https://themusicinnoise.net/nortega@themusicinnoise.net_pub.asc
http://uk7ewohr7xpjuaca.onion/nortega@themusicinnoise.net_pub.asc
* Re: Free software is not trusted software
  2019-01-19 10:41 ` Nicolás Ortega Froysa
  2019-01-19 14:34 ` Julian Daich
@ 2019-01-19 22:01 ` bill-auger
  2019-01-20 18:06 ` Nicolás Ortega Froysa
  2019-01-19 22:37 ` al3xu5 / dotcommon
  2019-01-23 19:51 ` Adonay Felipe Nogueira
  3 siblings, 1 reply; 35+ messages in thread
From: bill-auger @ 2019-01-19 22:01 UTC (permalink / raw)
To: libreplanet-discuss

awesome idea - i nominate Nicolás to oversee this effort
* Re: Free software is not trusted software
  2019-01-19 22:01 ` bill-auger
@ 2019-01-20 18:06 ` Nicolás Ortega Froysa
  0 siblings, 0 replies; 35+ messages in thread
From: Nicolás Ortega Froysa @ 2019-01-20 18:06 UTC (permalink / raw)
To: libreplanet-discuss

On Sat, Jan 19, 2019 at 05:01:05PM -0500, bill-auger wrote:
> awesome idea - i nominate Nicolás to oversee this effort

It's nice to see that my idea has some support, although I must say that it is not at all fleshed out, and would require more people to help and a more fleshed-out standard in protocol. I'd be willing to aid this effort, but I'd require others to help. Anyone interested, my e-mail is in the e-mail header.

As for fleshing out the idea, I think that currently this subthread is helping to do just that, so all critiques are very much welcome.

-- 
Nicolás Ortega Froysa
Vivu lante, vivu feliĉe!
https://themusicinnoise.net/
http://uk7ewohr7xpjuaca.onion/
Public PGP Key:
https://themusicinnoise.net/nortega@themusicinnoise.net_pub.asc
http://uk7ewohr7xpjuaca.onion/nortega@themusicinnoise.net_pub.asc
* Re: Free software is not trusted software
  2019-01-19 10:41 ` Nicolás Ortega Froysa
  2019-01-19 14:34 ` Julian Daich
  2019-01-19 22:01 ` bill-auger
@ 2019-01-19 22:37 ` al3xu5 / dotcommon
  2019-01-20 17:09 ` Lyberta
  2019-01-20 18:16 ` Nicolás Ortega Froysa
  2019-01-23 19:51 ` Adonay Felipe Nogueira
  3 siblings, 2 replies; 35+ messages in thread
From: al3xu5 / dotcommon @ 2019-01-19 22:37 UTC (permalink / raw)
To: libreplanet-discuss

On Saturday 19/01/2019 11:41:43 +0100
Nicolás Ortega Froysa <nortega@themusicinnoise.net> wrote:

> On Wed, Jan 16, 2019 at 09:44:43PM -0600, J.B. Nicholson wrote:
> > Lyberta wrote:
> > > Today the Internet is filled with malware that is free software:
> > >
> > > https://lyberta.net/articles/tech/free_sw_untrusted.html
> >
> > The article points out that auditing matters and I concur -- there's no
> > substitute for auditing by someone one trusts. There's too much free
> > software for anyone to do this alone but collectively we can get more of
> > this done.
> >
>
> Considering that this is an issue that would affect nearly all distros,
> it may be a good idea to setup a central collective group for auditing
> software. This would help in various regards:

[...]

> Certain conditions would be needed to make sure that the effort is as
> distribution-agnostic as possible, but I believe such an effort would
> greatly benefit the free software community.

It would be a very big effort, but probably useless because a couple of big problems would remain:

- "cleaning" software does not "clean" hardware, which is closed (and almost certainly will remain so) and is where the most dangerous malware resides

- in my (heretic) opinion, free software has two "big" bugs: it allows commercial use (which attracts the worst "intentions") and has the LGPL (which allows any non-free software -- including malware -- to fall through the back door)

Regards
-- 
al3xu5 / dotcommon

Say NO to copyright, patents, trademarks and any industrial design restrictions.
* Re: Free software is not trusted software
  2019-01-19 22:37 ` al3xu5 / dotcommon
@ 2019-01-20 17:09 ` Lyberta
  2019-01-20 18:16 ` Nicolás Ortega Froysa
  1 sibling, 0 replies; 35+ messages in thread
From: Lyberta @ 2019-01-20 17:09 UTC (permalink / raw)
To: libreplanet-discuss

Hi. Just wanted to say that I'm a bit busy right now and I can't respond but I did read all of your replies and will respond to them later.
* Re: Free software is not trusted software
  2019-01-19 22:37 ` al3xu5 / dotcommon
  2019-01-20 17:09 ` Lyberta
@ 2019-01-20 18:16 ` Nicolás Ortega Froysa
  1 sibling, 0 replies; 35+ messages in thread
From: Nicolás Ortega Froysa @ 2019-01-20 18:16 UTC (permalink / raw)
To: libreplanet-discuss

On Sat, Jan 19, 2019 at 11:37:24PM +0100, al3xu5 / dotcommon wrote:
> On Saturday 19/01/2019 11:41:43 +0100
> Nicolás Ortega Froysa <nortega@themusicinnoise.net> wrote:
>
> > On Wed, Jan 16, 2019 at 09:44:43PM -0600, J.B. Nicholson wrote:
> > > Lyberta wrote:
> > > > Today the Internet is filled with malware that is free software:
> > > >
> > > > https://lyberta.net/articles/tech/free_sw_untrusted.html
> > >
> > > The article points out that auditing matters and I concur -- there's no
> > > substitute for auditing by someone one trusts. There's too much free
> > > software for anyone to do this alone but collectively we can get more of
> > > this done.
> > >
> >
> > Considering that this is an issue that would affect nearly all distros,
> > it may be a good idea to setup a central collective group for auditing
> > software. This would help in various regards:
>
> [...]
>
> > Certain conditions would be needed to make sure that the effort is as
> > distribution-agnostic as possible, but I believe such an effort would
> > greatly benefit the free software community.
>
> It would be a very big effort, but probably useless because a couple of
> big problems would remain:
>
> - "cleaning" software does not "clean" hardware, which is closed (and
>   almost certainly will remain so) and is where the most dangerous
>   malware resides
>

This process wouldn't be about cleaning the software itself (at least that wasn't my initial proposal), but to identify malicious software so it may be removed from distro repositories. As for hardware, as you said, it's not an easy issue to solve. However, using hardware that fully respects your freedom is a good way to make it easier for such a group to audit said hardware as well as its drivers and firmware (although we should really take this a step at a time). Therefore, my argument is that simply because we lack the means to solve the entire problem doesn't mean we can't start solving a part of it.

> - in my (heretic) opinion, free software has two "big" bugs: it allows
>   commercial use (which attracts the worst "intentions") and has the
>   LGPL (which allows any non-free software -- including malware -- to
>   fall through the back door)
>

These two issues seem to be irrelevant to the proposal being made at the moment, but are rather critiques of free software itself. In which case it may be a good idea to bring it up in a new thread. It's also worth noting that your critique seems to come from the perspective of someone who doesn't use exclusively free software (as seen by your critique of the LGPL), which is past the point where we can do anything. If someone is using non-free software, unless we want to invest an astronomically larger amount of time in reverse-engineering these non-free programs, they should know the risks.

-- 
Nicolás Ortega Froysa
Vivu lante, vivu feliĉe!
https://themusicinnoise.net/
http://uk7ewohr7xpjuaca.onion/
Public PGP Key:
https://themusicinnoise.net/nortega@themusicinnoise.net_pub.asc
http://uk7ewohr7xpjuaca.onion/nortega@themusicinnoise.net_pub.asc
* Re: Free software is not trusted software
  2019-01-19 10:41 ` Nicolás Ortega Froysa
  (2 preceding siblings ...)
  2019-01-19 22:37 ` al3xu5 / dotcommon
@ 2019-01-23 19:51 ` Adonay Felipe Nogueira
  3 siblings, 0 replies; 35+ messages in thread
From: Adonay Felipe Nogueira @ 2019-01-23 19:51 UTC (permalink / raw)
To: libreplanet-discuss

On 19/01/2019 08:41, Nicolás Ortega Froysa wrote:
> Considering that this is an issue that would affect nearly all distros,
> it may be a good idea to setup a central collective group for auditing
> software. This would help in various regards:

There is the Antifeatures Project Team[1] in the Free Software Directory[2]; it's still being built and the set of items that will be reviewed is still being made. It's a subgroup of the whole Free Software Directory review community. And having an antifeature doesn't mean that the software is non-free.

I don't participate in the group as I'm not that inclined to review advanced security issues, but I do hope my suggestion is bookmarked. The last thing I want is seeing two instances of the same effort. Also considering that the help given to the Free Software Directory also eases the lives of package maintainers in free/libre system distributions (occasionally there is also some discussion on how to unite the works of that directory with the ones made by the distribution projects; if I'm not mistaken, bill-auger and Donald_Hedlund were talking about this).

[1] https://directory.fsf.org/wiki/Free_Software_Directory:Antifeatures
[2] https://directory.fsf.org/wiki/Main_Page
end of thread, other threads:[~2019-02-26 0:15 UTC | newest]

Thread overview: 35+ messages
2019-01-16 14:09 Free software is not trusted software Lyberta
2019-01-16 17:00 ` Todd Weaver
2019-01-16 20:07 ` Caleb Herbert
2019-01-16 22:21 ` bill-auger
2019-01-16 22:57 ` bill-auger
2019-01-16 23:12 ` Leah Rowe
2019-01-17  1:01 ` bill-auger
2019-01-17 10:52 ` Thomas Harding
2019-02-25 20:44 ` Taiidan
2019-02-26  0:15 ` overthefalls
2019-01-17  3:44 ` J.B. Nicholson
2019-01-19 10:41 ` Nicolás Ortega Froysa
2019-01-19 14:34 ` Julian Daich
2019-01-20 18:01 ` Nicolás Ortega Froysa
2019-01-20 20:36 ` bill-auger
2019-01-20 22:54 ` Julian Daich
2019-01-21  3:02 ` bill-auger
2019-01-22 10:07 ` Nicolás Ortega Froysa
2019-01-23  3:48 ` bill-auger
2019-01-26 21:17 ` Julian Daich
2019-01-26 23:35 ` bill-auger
2019-01-27  1:07 ` bill-auger
2019-01-27 19:51 ` Julian Daich
2019-01-28  3:15 ` bill-auger
2019-01-27 19:40 ` Julian Daich
2019-02-17  5:34 ` overthefalls
2019-01-21  8:05 ` Andrew Luke Nesbit
2019-01-21 22:45 ` bill-auger
2019-01-22  9:34 ` Nicolás Ortega Froysa
2019-01-19 22:01 ` bill-auger
2019-01-20 18:06 ` Nicolás Ortega Froysa
2019-01-19 22:37 ` al3xu5 / dotcommon
2019-01-20 17:09 ` Lyberta
2019-01-20 18:16 ` Nicolás Ortega Froysa
2019-01-23 19:51 ` Adonay Felipe Nogueira