LibrePlanet discussion list archive (unofficial mirror)
* Free software is not trusted software
@ 2019-01-16 14:09 Lyberta
  2019-01-16 17:00 ` Todd Weaver
                   ` (2 more replies)
  0 siblings, 3 replies; 35+ messages in thread
From: Lyberta @ 2019-01-16 14:09 UTC (permalink / raw)
  To: Libreplanet Discuss



Today the Internet is filled with malware that is free software:

https://lyberta.net/articles/tech/free_sw_untrusted.html



_______________________________________________
libreplanet-discuss mailing list
libreplanet-discuss@libreplanet.org
https://lists.libreplanet.org/mailman/listinfo/libreplanet-discuss


* Re: Free software is not trusted software
  2019-01-16 14:09 Free software is not trusted software Lyberta
@ 2019-01-16 17:00 ` Todd Weaver
  2019-01-16 20:07   ` Caleb Herbert
  2019-01-16 22:57 ` bill-auger
  2019-01-17  3:44 ` J.B. Nicholson
  2 siblings, 1 reply; 35+ messages in thread
From: Todd Weaver @ 2019-01-16 17:00 UTC (permalink / raw)
  To: Lyberta, Libreplanet Discuss



Based on the conclusion of the page you link, I would suggest you
evaluate and look to get involved in Reproducible Builds:

https://reproducible-builds.org/
https://wiki.debian.org/ReproducibleBuilds/History

Todd.

On Wed, 2019-01-16 at 14:09 +0000, Lyberta wrote:
> Today the Internet is filled with malware that is free software:
> 
> https://lyberta.net/articles/tech/free_sw_untrusted.html
> 
> _______________________________________________
> libreplanet-discuss mailing list
> libreplanet-discuss@libreplanet.org
> https://lists.libreplanet.org/mailman/listinfo/libreplanet-discuss


* Re: Free software is not trusted software
  2019-01-16 17:00 ` Todd Weaver
@ 2019-01-16 20:07   ` Caleb Herbert
  2019-01-16 22:21     ` bill-auger
  0 siblings, 1 reply; 35+ messages in thread
From: Caleb Herbert @ 2019-01-16 20:07 UTC (permalink / raw)
  To: Todd Weaver, Lyberta, Libreplanet Discuss

Guix and GuixSD also do Reproducible Builds.  (Although Debian is
probably the more usable option right now.)


* Re: Free software is not trusted software
  2019-01-16 20:07   ` Caleb Herbert
@ 2019-01-16 22:21     ` bill-auger
  0 siblings, 0 replies; 35+ messages in thread
From: bill-auger @ 2019-01-16 22:21 UTC (permalink / raw)
  To: libreplanet-discuss

On Wed, 16 Jan 2019 14:07:42 -0600 Caleb wrote:
> Guix and GuixSD also does Reproducible Builds.  (Although Debian is
> probably the more usable option right now.)

"usable" is not the best word there - debian is the one that has the
highest percentage of reproducible packages; but in fact, most distros
are fully "usable" and are actively working toward the goal of
reproducibility - in time, it will probably be the norm

https://reproducible-builds.org/who/


* Re: Free software is not trusted software
  2019-01-16 14:09 Free software is not trusted software Lyberta
  2019-01-16 17:00 ` Todd Weaver
@ 2019-01-16 22:57 ` bill-auger
  2019-01-16 23:12   ` Leah Rowe
  2019-01-17  3:44 ` J.B. Nicholson
  2 siblings, 1 reply; 35+ messages in thread
From: bill-auger @ 2019-01-16 22:57 UTC (permalink / raw)
  To: libreplanet-discuss

On Wed, 16 Jan 2019 14:09:00 +0000 Lyberta wrote:
> https://lyberta.net/articles/tech/free_sw_untrusted.html

i think you are quite mistaken about JUCE - it does indeed contain
a "phone home" feature; which caused a huge fuss within the community,
which lasted for about 2 days, until everyone realized how harmless and
un-intrusive it actually was

that anti-feature is a restriction only on those who opt in for the
free tier of the commercial license; in order to write proprietary
software with JUCE without a licensing fee - so any JUCE-based program
with that feature enabled is almost certainly not "free software"

but JUCE may also be taken as GPL, which naturally gives the developer
and all users the option to disable that feature (and any other
undesirable ones) - those features are fully disclosed and simple to
disable with a single #define

  #define JUCER_ENABLE_GPL_MODE 1

doing so will disable the new anti-features by default in any program
you create with your copy of JUCE, including the one in question here:

  #define JUCE_REPORT_APP_USAGE 0

that is done in the same way and in the same file as where all JUCE
sub-features have been enabled/disabled all along, along with others
such as:

  #define JUCE_USE_FLAC 1
  #define JUCE_USE_OGGVORBIS 1

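A small audit check for the configuration described above, added here as an example that is not part of the thread or of the JUCE project: it parses the `#define NAME VALUE` lines of an AppConfig.h-style header (the sample headers below are constructed) and reports whether the usage-reporting flag is provably off. The rule that GPL mode turns the flag off when it is not set explicitly follows bill-auger's description and is an assumption about the real JUCE headers; anything the check cannot prove it marks "unknown" rather than clean, which is the answer a package auditor wants before shipping a build.

```python
import re

# Constructed sample headers (not real JUCE project files): one copy of
# JUCE taken under the GPL with the usage report explicitly off, one under
# the commercial free tier with the report on, and one that sets nothing.
GPL_CONFIG = """\
// AppConfig.h (constructed sample)
#define JUCER_ENABLE_GPL_MODE 1
#define JUCE_REPORT_APP_USAGE 0
#define JUCE_USE_FLAC 1
#define JUCE_USE_OGGVORBIS 1
"""

COMMERCIAL_CONFIG = """\
// AppConfig.h (constructed sample)
#define JUCER_ENABLE_GPL_MODE 0
#define JUCE_REPORT_APP_USAGE 1   // usage reporting left on
#define JUCE_USE_FLAC 1
"""

UNSET_CONFIG = """\
// AppConfig.h (constructed sample): neither flag mentioned
#define JUCE_USE_FLAC 1
"""

# One "#define NAME [VALUE]" per line; an optional trailing // comment is ignored.
DEFINE_RE = re.compile(r"^\s*#\s*define\s+([A-Za-z_]\w*)(?:\s+([^\s/]+))?\s*(?://.*)?$")

# Flags this audit treats as telemetry / phone-home anti-features.
TELEMETRY_FLAGS = ("JUCE_REPORT_APP_USAGE",)


def parse_defines(text):
    """Map every #define in the header to its value string (None if bare).
    A later definition of the same name overrides an earlier one."""
    defines = {}
    for line in text.splitlines():
        m = DEFINE_RE.match(line)
        if m:
            defines[m.group(1)] = m.group(2)
    return defines


def as_int(value):
    """Parse a C integer literal; None for a missing or non-numeric value."""
    try:
        return int(value, 0)
    except (TypeError, ValueError):
        return None


def effective_state(defines, flag):
    """Return 'on', 'off' or 'unknown' for one telemetry flag.
    An explicit numeric value wins. If the flag is absent, GPL mode is taken
    to turn it off by default (assumption following bill-auger's post, not
    verified against JUCE's own headers); otherwise we refuse to guess."""
    if flag in defines:
        value = as_int(defines[flag])
        if value is None:
            return "unknown"
        return "on" if value else "off"
    if as_int(defines.get("JUCER_ENABLE_GPL_MODE")) == 1:
        return "off"
    return "unknown"


def audit(text):
    """Audit one header: {flag: state} for every telemetry flag."""
    defines = parse_defines(text)
    return {flag: effective_state(defines, flag) for flag in TELEMETRY_FLAGS}


def is_clean(text):
    """True only when every telemetry flag is provably off."""
    return all(state == "off" for state in audit(text).values())


if __name__ == "__main__":
    samples = (("gpl", GPL_CONFIG), ("commercial", COMMERCIAL_CONFIG), ("unset", UNSET_CONFIG))
    for name, cfg in samples:
        print(name, audit(cfg), "clean" if is_clean(cfg) else "REVIEW")
```

Run against a real project, the input would be the project's own AppConfig.h; the point of the three-way result is that a header which never mentions the flag is not evidence that reporting is off, so the auditor looks at the build rather than assuming.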

* Re: Free software is not trusted software
  2019-01-16 22:57 ` bill-auger
@ 2019-01-16 23:12   ` Leah Rowe
  2019-01-17  1:01     ` bill-auger
                       ` (2 more replies)
  0 siblings, 3 replies; 35+ messages in thread
From: Leah Rowe @ 2019-01-16 23:12 UTC (permalink / raw)
  To: bill-auger, libreplanet-discuss


i would argue that use of open core software in and of itself is bad
anyway, because it encourages and promotes this practise of having
proprietary versions of software

On 16/01/2019 22:57, bill-auger wrote:
> On Wed, 16 Jan 2019 14:09:00 +0000 Lyberta wrote:
>> https://lyberta.net/articles/tech/free_sw_untrusted.html
> 
> i think you are quite mistaken about JUCE - it does indeed contain 
> a phone "home feature"; which caused a huge fuss within the
> community, which lasted for about 2 days, until everyone realized
> how harmless and un-intrusive it actually was
> 
> that anti-feature is a restriction only on those who opt in for
> the free tier of the commercial license; in order to write
> proprietary software with JUCE without a licensing fee - so any
> JUCE-based program with that feature enable is almost certainly not
> "free software"
> 
> but JUCE may also be taken as GPL, which naturally gives the
> developer and all users the option to disable that feature (and any
> other undesirable ones) - those features are fully disclosed and
> simple to disable with a single #define
> 
> #define JUCER_ENABLE_GPL_MODE 1
> 
> doing so, will disable the new anti-features by default in any
> program you create with your copy of JUCE, including the one in
> question here:
> 
> #define JUCE_REPORT_APP_USAGE 0
> 
> that is done in the same way and in the same file as where all
> JUCE sub-features have been enabled/disabled all along, along with
> others such as:
> 
> #define JUCE_USE_FLAC 1
> #define JUCE_USE_OGGVORBIS 1
> 
> _______________________________________________ libreplanet-discuss
> mailing list libreplanet-discuss@libreplanet.org 
> https://lists.libreplanet.org/mailman/listinfo/libreplanet-discuss
> 

-- 
Leah Rowe

Libreboot developer and project founder.

Use free software. Free as in freedom.
https://www.gnu.org/philosophy/free-sw.html

Use a free BIOS - https://libreboot.org/
Use a free operating system, GNU+Linux.

Support computer user freedom
https://sfconservancy.org/
https://fsf.org/ - https://gnu.org/

Minifree Ltd, trading as Ministry of Freedom | Registered in England,
No. 9361826 | VAT No. GB202190462
Registered Office: 19 Hilton Road, Canvey Island, Essex SS8 9QA, UK |
Web: https://minifree.org/


* Re: Free software is not trusted software
  2019-01-16 23:12   ` Leah Rowe
@ 2019-01-17  1:01     ` bill-auger
  2019-01-17 10:52     ` Thomas Harding
  2019-02-25 20:44     ` Taiidan
  2 siblings, 0 replies; 35+ messages in thread
From: bill-auger @ 2019-01-17  1:01 UTC (permalink / raw)
  To: libreplanet-discuss

On Wed, 16 Jan 2019 23:12:44 +0000 Leah wrote:
> it encourages and promotes this practise of having
> proprietary versions of software  

sure, but the OP was not suggesting anything of that sort - the
explicit claim was that JUCE is un-trustable malware - the
open-core concern is not really applicable to JUCE either, as there are
no premium-only features withheld from the GPL version - it is exactly
the same software offered with multiple licensing options


* Re: Free software is not trusted software
  2019-01-16 14:09 Free software is not trusted software Lyberta
  2019-01-16 17:00 ` Todd Weaver
  2019-01-16 22:57 ` bill-auger
@ 2019-01-17  3:44 ` J.B. Nicholson
  2019-01-19 10:41   ` Nicolás Ortega Froysa
  2 siblings, 1 reply; 35+ messages in thread
From: J.B. Nicholson @ 2019-01-17  3:44 UTC (permalink / raw)
  To: libreplanet-discuss

Lyberta wrote:
> Today the Internet is filled with malware that is free software:
> 
> https://lyberta.net/articles/tech/free_sw_untrusted.html

The article doesn't make it clear to me what is malware in any of the 
listed software. It seems to me that the saving grace of free software is 
that one can remove the malware, run and distribute the rest of the code, 
and retain full control over their computer. This takes effort but at least 
we're allowed to do it.

The article points out that auditing matters and I concur -- there's no 
substitute for auditing by someone one trusts. There's too much free 
software for anyone to do this alone but collectively we can get more of 
this done.

This is also why open source is not the enemy. Proprietary software is the 
enemy. In fact the FSF has long published this in their older article on 
how free software differs from open source:

From https://www.gnu.org/philosophy/free-software-for-freedom.html
> We don't think of the Open Source movement as an enemy. The enemy is
> proprietary software.

Proprietary software denies one the freedom to do the vetting that needs to 
be done. Open source may make some indefensible claims about how effective 
the open source development methodology is at reducing bugs and improving 
software, but that's nowhere near distributing malware.


* Re: Free software is not trusted software
  2019-01-16 23:12   ` Leah Rowe
  2019-01-17  1:01     ` bill-auger
@ 2019-01-17 10:52     ` Thomas Harding
  2019-02-25 20:44     ` Taiidan
  2 siblings, 0 replies; 35+ messages in thread
From: Thomas Harding @ 2019-01-17 10:52 UTC (permalink / raw)
  To: libreplanet-discuss

Nothing would prevent LGPL code from being modified "almost silently" by a proprietary software author in order to obtain the kind of anti-features generally needed by proprietary software authors.

Moreover, proprietary software authors, including first the largest companies, will use copyright infringement if sufficient licence weaknesses are not found, as seen in the numerous patent suits and other battles regarding intellectual property.

So, maybe Free Software authors should use a more convenient flag, such as "ENABLE_FN_PROPRIETARY_STUFF", in order to keep minimal control over the writing of unfair functionalities, especially by ensuring their peer review in order to keep the whole thing mostly harmless, while releasing it to proprietary software authors and companies regardless of any Free Software Licence, strong or not.

Sorry for my terrible English,
Tsfh

On 17 January 2019 00:12:44 GMT+01:00, Leah Rowe <info@minifree.org> wrote:
>
>i would argue that use of open core software in and of itself is bad
>anyway, because it encourages and promotes this practise of having
>proprietary versions of software
>
>On 16/01/2019 22:57, bill-auger wrote:
>> On Wed, 16 Jan 2019 14:09:00 +0000 Lyberta wrote:
>>> https://lyberta.net/articles/tech/free_sw_untrusted.html
>> 
>> i think you are quite mistaken about JUCE - it does indeed contain 
>> a phone "home feature"; which caused a huge fuss within the
>> community, which lasted for about 2 days, until everyone realized
>> how harmless and un-intrusive it actually was
>> 
>> that anti-feature is a restriction only on those who opt in for
>> the free tier of the commercial license; in order to write
>> proprietary software with JUCE without a licensing fee - so any
>> JUCE-based program with that feature enable is almost certainly not
>> "free software"
>> 
>> but JUCE may also be taken as GPL, which naturally gives the
>> developer and all users the option to disable that feature (and any
>> other undesirable ones) - those features are fully disclosed and
>> simple to disable with a single #define
>> 
>> #define JUCER_ENABLE_GPL_MODE 1
>> 
>> doing so, will disable the new anti-features by default in any
>> program you create with your copy of JUCE, including the one in
>> question here:
>> 
>> #define JUCE_REPORT_APP_USAGE 0
>> 
>> that is done in the same way and in the same file as where all
>> JUCE sub-features have been enabled/disabled all along, along with
>> others such as:
>> 
>> #define JUCE_USE_FLAC 1
>> #define JUCE_USE_OGGVORBIS 1
>> 
>> _______________________________________________ libreplanet-discuss
>> mailing list libreplanet-discuss@libreplanet.org 
>> https://lists.libreplanet.org/mailman/listinfo/libreplanet-discuss
>> 
>
>-- 
>Leah Rowe
>
>Libreboot developer and project founder.
>
>Use free software. Free as in freedom.
>https://www.gnu.org/philosophy/free-sw.html
>
>Use a free BIOS - https://libreboot.org/
>Use a free operating system, GNU+Linux.
>
>Support computer user freedom
>https://sfconservancy.org/
>https://fsf.org/ - https://gnu.org/
>
>Minifree Ltd, trading as Ministry of Freedom | Registered in England,
>No. 9361826 | VAT No. GB202190462
>Registered Office: 19 Hilton Road, Canvey Island, Essex SS8 9QA, UK |
>Web: https://minifree.org/
>
>_______________________________________________
>libreplanet-discuss mailing list
>libreplanet-discuss@libreplanet.org
>https://lists.libreplanet.org/mailman/listinfo/libreplanet-discuss

-- 
I was born to share, not hatred, but love.
Sophocles, Antigone, 442 BC


* Re: Free software is not trusted software
  2019-01-17  3:44 ` J.B. Nicholson
@ 2019-01-19 10:41   ` Nicolás Ortega Froysa
  2019-01-19 14:34     ` Julian Daich
                       ` (3 more replies)
  0 siblings, 4 replies; 35+ messages in thread
From: Nicolás Ortega Froysa @ 2019-01-19 10:41 UTC (permalink / raw)
  To: libreplanet-discuss



On Wed, Jan 16, 2019 at 09:44:43PM -0600, J.B. Nicholson wrote:
> Lyberta wrote:
> > Today the Internet is filled with malware that is free software:
> > 
> > https://lyberta.net/articles/tech/free_sw_untrusted.html
> 
> The article points out that auditing matters and I concur -- there's no
> substitute for auditing by someone one trusts. There's too much free
> software for anyone to do this alone but collectively we can get more of
> this done.
> 

Considering that this is an issue that would affect nearly all distros,
it may be a good idea to set up a central collective group for auditing
software. This would help in various regards:

1. With various people manually auditing software packages, it increases
the probability that these kinds of malware will be caught.

2. The members of this group will most likely be either already known
members of the free software community, whom we can trust, or new
members that, although not immediately trustworthy, will become more
commonly known members soon after joining.

3. It gives people who are looking for ways to contribute to free
software another way to contribute without necessarily having to code or
write documentation. It could also be a gateway for these individuals to
learn about these projects and contribute to them later.

4. Having a central and transparent intelligence on which kinds of
projects tend to have malware in them would help us to optimize the
auditing process, even automating certain elements of it, and know which
kinds of software are more prone to contain malware.

5. It would greatly help the free distros, which are always working very
hard to weed out software packages with non-free blobs. Proper auditing
with a standard protocol would help to weed out these non-free packages
in a more efficient and just manner.

Certain conditions would be needed to make sure that the effort is as
distribution-agnostic as possible, but I believe such an effort would
greatly benefit the free software community.

-- 
Nicolás Ortega Froysa
Live slowly, live happily!
https://themusicinnoise.net/
http://uk7ewohr7xpjuaca.onion/
Public PGP Key:
https://themusicinnoise.net/nortega@themusicinnoise.net_pub.asc
http://uk7ewohr7xpjuaca.onion/nortega@themusicinnoise.net_pub.asc


* Re: Free software is not trusted software
  2019-01-19 10:41   ` Nicolás Ortega Froysa
@ 2019-01-19 14:34     ` Julian Daich
  2019-01-20 18:01       ` Nicolás Ortega Froysa
  2019-01-19 22:01     ` bill-auger
                       ` (2 subsequent siblings)
  3 siblings, 1 reply; 35+ messages in thread
From: Julian Daich @ 2019-01-19 14:34 UTC (permalink / raw)
  To: libreplanet-discuss



On 19/1/19 at 11:41, Nicolás Ortega Froysa wrote:
> 1. With various people manually auditing software packages, it increases
> the probability that these kinds of malware will be caught.
> 
> 2. The members of this group will most likely be either already known
> members of the free software community, whom we can trust, or new
> members that, although not immediately trustworthy, will become more
> commonly known members soon after joining.


Hi,

Who will pay these people, who will take responsibility for their work, and
to what extent is it different from what we have today?

Best,

Julian

-- 
Julian Daich

julian.daich@freecomputerlabs.org

FCL
www.freecomputerlabs.org


* Re: Free software is not trusted software
  2019-01-19 10:41   ` Nicolás Ortega Froysa
  2019-01-19 14:34     ` Julian Daich
@ 2019-01-19 22:01     ` bill-auger
  2019-01-20 18:06       ` Nicolás Ortega Froysa
  2019-01-19 22:37     ` al3xu5 / dotcommon
  2019-01-23 19:51     ` Adonay Felipe Nogueira
  3 siblings, 1 reply; 35+ messages in thread
From: bill-auger @ 2019-01-19 22:01 UTC (permalink / raw)
  To: libreplanet-discuss

awesome idea - i nominate Nicolás to oversee this effort


* Re: Free software is not trusted software
  2019-01-19 10:41   ` Nicolás Ortega Froysa
  2019-01-19 14:34     ` Julian Daich
  2019-01-19 22:01     ` bill-auger
@ 2019-01-19 22:37     ` al3xu5 / dotcommon
  2019-01-20 17:09       ` Lyberta
  2019-01-20 18:16       ` Nicolás Ortega Froysa
  2019-01-23 19:51     ` Adonay Felipe Nogueira
  3 siblings, 2 replies; 35+ messages in thread
From: al3xu5 / dotcommon @ 2019-01-19 22:37 UTC (permalink / raw)
  To: libreplanet-discuss

On Saturday 19/01/2019 11:41:43 +0100
Nicolás Ortega Froysa <nortega@themusicinnoise.net> wrote:

> On Wed, Jan 16, 2019 at 09:44:43PM -0600, J.B. Nicholson wrote:
> > Lyberta wrote:  
> > > Today the Internet is filled with malware that is free software:
> > > 
> > > https://lyberta.net/articles/tech/free_sw_untrusted.html  
> > 
> > The article points out that auditing matters and I concur -- there's no
> > substitute for auditing by someone one trusts. There's too much free
> > software for anyone to do this alone but collectively we can get more of
> > this done.
> >   
> 
> Considering that this is an issue that would affect nearly all distros,
> it may be a good idea to set up a central collective group for auditing
> software. This would help in various regards:

[...]

> Certain conditions would be needed to make sure that the effort is as
> distribution-agnostic as possible, but I believe such an effort would
> greatly benefit the free software community.

It would be a very big effort, but probably useless because a couple of big
problems would remain:

- "cleaning" software does not "clean" hardware, which is closed (and almost
  certainly will remain so) and is where the most dangerous malware resides

- in my (heretic) opinion, free software has two "big" bugs: it allows commercial
  use (which attracts the worst "intentions") and has the LGPL (which allows
  any non-free software -- including malware -- to fall through the back door)

Regards



-- 
al3xu5 / dotcommon
Say NO to copyright, patents, trademarks and any industrial design restrictions.
______________________________________________________________________


* Re: Free software is not trusted software
  2019-01-19 22:37     ` al3xu5 / dotcommon
@ 2019-01-20 17:09       ` Lyberta
  2019-01-20 18:16       ` Nicolás Ortega Froysa
  1 sibling, 0 replies; 35+ messages in thread
From: Lyberta @ 2019-01-20 17:09 UTC (permalink / raw)
  To: libreplanet-discuss



Hi.

Just wanted to say that I'm a bit busy right now and I can't respond but
I did read all of your replies and will respond to them later.



* Re: Free software is not trusted software
  2019-01-19 14:34     ` Julian Daich
@ 2019-01-20 18:01       ` Nicolás Ortega Froysa
  2019-01-20 20:36         ` bill-auger
                           ` (2 more replies)
  0 siblings, 3 replies; 35+ messages in thread
From: Nicolás Ortega Froysa @ 2019-01-20 18:01 UTC (permalink / raw)
  To: libreplanet-discuss



On Sat, Jan 19, 2019 at 03:34:50PM +0100, Julian Daich wrote:
> On 19/1/19 at 11:41, Nicolás Ortega Froysa wrote:
> > 1. With various people manually auditing software packages, it increases
> > the probability that these kinds of malware will be caught.
> > 
> > 2. The members of this group will most likely be either already known
> > members of the free software community, whom we can trust, or new
> > members that, although not immediately trustworthy, will become more
> > commonly known members soon after joining.
> 
> Who will pay these people, who will take responsibility for their work, and
> to what extent is it different from what we have today?
> 

To answer your first question, the group would consist of volunteers.
That being said, like with most FLOSS projects, if such a group were to
attract the attention of companies using free software, it may receive
full-time paid efforts, but we shouldn't count on this.

As for the contrast between what this would be and what we currently
have, correct me if I'm wrong (I very well may be), but most of today's
security auditing takes place on a per-project basis and mostly relies
on people looking for security bugs within a project. However, this
isn't really what we're talking about with this thread, but rather
projects whose maintainers are actively inserting malware into their
projects (that being said, I think we should make a distinction here
between malware, features that could have potentially malicious
consequences, and anti-features that can be disabled). The purpose would
be to take a look at such projects that do not have proper security
auditing and putting efforts of volunteers to audit this.

It's also worth noting that this would make for another outlet for
people who are interested in security and free software to enter the
field and get their foot in the door.

-- 
Nicolás Ortega Froysa
Live slowly, live happily!
https://themusicinnoise.net/
http://uk7ewohr7xpjuaca.onion/
Public PGP Key:
https://themusicinnoise.net/nortega@themusicinnoise.net_pub.asc
http://uk7ewohr7xpjuaca.onion/nortega@themusicinnoise.net_pub.asc


* Re: Free software is not trusted software
  2019-01-19 22:01     ` bill-auger
@ 2019-01-20 18:06       ` Nicolás Ortega Froysa
  0 siblings, 0 replies; 35+ messages in thread
From: Nicolás Ortega Froysa @ 2019-01-20 18:06 UTC (permalink / raw)
  To: libreplanet-discuss



On Sat, Jan 19, 2019 at 05:01:05PM -0500, bill-auger wrote:
> awesome idea - i nominate Nicolás to oversee this effort
> 

It's nice to see that my idea has some support, although I must say that
it is not at all fleshed out, and would require more people to help and
for a more fleshed out standard in protocol. I'd be willing to aid this
effort, but I'd require others to help. Anyone interested, my e-mail is
in the e-mail header.

As for fleshing out the idea, I think that currently this subthread is
helping to do just that, so all critiques are very much welcome.

-- 
Nicolás Ortega Froysa
Live slowly, live happily!
https://themusicinnoise.net/
http://uk7ewohr7xpjuaca.onion/
Public PGP Key:
https://themusicinnoise.net/nortega@themusicinnoise.net_pub.asc
http://uk7ewohr7xpjuaca.onion/nortega@themusicinnoise.net_pub.asc


* Re: Free software is not trusted software
  2019-01-19 22:37     ` al3xu5 / dotcommon
  2019-01-20 17:09       ` Lyberta
@ 2019-01-20 18:16       ` Nicolás Ortega Froysa
  1 sibling, 0 replies; 35+ messages in thread
From: Nicolás Ortega Froysa @ 2019-01-20 18:16 UTC (permalink / raw)
  To: libreplanet-discuss



On Sat, Jan 19, 2019 at 11:37:24PM +0100, al3xu5 / dotcommon wrote:
> On Saturday 19/01/2019 11:41:43 +0100
> Nicolás Ortega Froysa <nortega@themusicinnoise.net> wrote:
> 
> > On Wed, Jan 16, 2019 at 09:44:43PM -0600, J.B. Nicholson wrote:
> > > Lyberta wrote:  
> > > > Today the Internet is filled with malware that is free software:
> > > > 
> > > > https://lyberta.net/articles/tech/free_sw_untrusted.html  
> > > 
> > > The article points out that auditing matters and I concur -- there's no
> > > substitute for auditing by someone one trusts. There's too much free
> > > software for anyone to do this alone but collectively we can get more of
> > > this done.
> > >   
> > 
> > Considering that this is an issue that would affect nearly all distros,
> > it may be a good idea to set up a central collective group for auditing
> > software. This would help in various regards:
> 
> [...]
> 
> > Certain conditions would be needed to make sure that the effort is as
> > distribution-agnostic as possible, but I believe such an effort would
> > greatly benefit the free software community.
> 
> It would be a very big effort, but probably useless because a couple of big
> problems would remain:
> 
> - "cleaning" software does not "clean" hardware, which is closed (and almost
>   certainly will remain so) and is where the most dangerous malware resides
> 

This process wouldn't be about cleaning the software itself (at least
that wasn't my initial proposal), but to identify malicious software so
it may be removed from distro repositories. As for hardware, as you
said, it's not an easy issue to solve. However, using hardware that
fully respects your freedom is a good way to make it easier for such a
group to audit said hardware as well as its drivers and firmware
(although we should really take this a step at a time). Therefore, my
argument is that simply because we lack the means to solve the entire
problem doesn't mean we can't start solving a part of it.

> - in my (heretic) opinion, free software has two "big" bugs: it allows commercial
>   use (which attracts the worst "intentions") and has the LGPL (which allows
>   any non-free software -- including malware -- to fall through the back door)
> 

These two issues seem to be irrelevant to the proposal being made at the
moment, but are rather critiques of free software itself. In which case
it may be a good idea to bring it up in a new thread. It's also worth
noting that your critique seems to come from a perspective of someone
who doesn't use exclusively free software (as seen by your critique of
the LGPL), which is past the point where we can do anything. If someone
is using non-free software, unless we want to invest an astronomically
larger amount of time in reverse-engineering these non-free programs,
they should know the risks.

-- 
Nicolás Ortega Froysa
Vivu lante, vivu feliĉe!
https://themusicinnoise.net/
http://uk7ewohr7xpjuaca.onion/
Public PGP Key:
https://themusicinnoise.net/nortega@themusicinnoise.net_pub.asc
http://uk7ewohr7xpjuaca.onion/nortega@themusicinnoise.net_pub.asc


* Re: Free software is not trusted software
  2019-01-20 18:01       ` Nicolás Ortega Froysa
@ 2019-01-20 20:36         ` bill-auger
  2019-01-20 22:54         ` Julian Daich
  2019-01-21  8:05         ` Andrew Luke Nesbit
  2 siblings, 0 replies; 35+ messages in thread
From: bill-auger @ 2019-01-20 20:36 UTC (permalink / raw)
  To: libreplanet-discuss

On Sun, 20 Jan 2019 19:01:02 +0100 Nicolás wrote:
> I think we should make a distinction here
> between malware, features that could have potentially malicious
> consequences, and anti-features that can be disabled).

there is one other distinction lurking in that statement that many tend
to conflate as one and the same - that is the distinction between
malware that is malicious in the sense of what is more commonly called
"spyware" which is entirely a subjective privacy concern, and the sort
of malware that actually does objective physical damage to your system,
or data - it should be obvious to everyone that many people (perhaps
the majority) have little or no concern for online privacy; but surely
no one wants their data stolen or their OS broken

for the overwhelming majority of computer users, regardless of how
adamant or indifferent one is about online privacy, there is a huge
demonstrable difference in the actual severity of the "consequences" of
those two forms of malware - they should not be so readily conflated,
as i often see


* Re: Free software is not trusted software
  2019-01-20 18:01       ` Nicolás Ortega Froysa
  2019-01-20 20:36         ` bill-auger
@ 2019-01-20 22:54         ` Julian Daich
  2019-01-21  3:02           ` bill-auger
  2019-01-21  8:05         ` Andrew Luke Nesbit
  2 siblings, 1 reply; 35+ messages in thread
From: Julian Daich @ 2019-01-20 22:54 UTC (permalink / raw)
  To: libreplanet-discuss



El 20/1/19 a las 19:01, Nicolás Ortega Froysa escribió:
> On Sat, Jan 19, 2019 at 03:34:50PM +0100, Julian Daich wrote:
>> El 19/1/19 a las 11:41, Nicolás Ortega Froysa escribió:
>>> 1. With various people manually auditing software packages, it increases
>>> the probability that these kinds of malware will be caught.
>>>
>>> 2. The members of this group will most likely be either already known
>>> members of the free software community, whom we can trust, or new
>>> members that, although not immediately trustworthy, will become more
>>> commonly known members soon after joining.
>>
>> Who will pay these people, who will take responsibility for their work, and
>> to what extent is it different from what we have today?
>>
> 
> To answer your first question, the group would consist of volunteers.
> That being said, like with most FLOSS projects, if such a group were to
> attract the attention of companies using free software, it may receive
> full-time paid efforts, but we shouldn't count on this.
> 

Hi,

I paste an answer I just gave in reply to some folk in private.

Who will be the reviewers? If you cannot solve this question for the
maintainers you will hardly solve it for the reviewers.

Would it not be simpler and eventually more effective just to rank the
trustability of the software according to the ratio of reviewers/
maintainers?

Best,

Julian

> As for the contrast between what this would be and what we currently
> have, correct me if I'm wrong (I very well may be), but most of today's
> security auditing takes place on a per-project basis and mostly relies
> on people looking for security bugs within a project. However, this
> isn't really what we're talking about with this thread, but rather
> projects whose maintainers are actively inserting malware into their
> projects (that being said, I think we should make a distinction here
> between malware, features that could have potentially malicious
> consequences, and anti-features that can be disabled). The purpose would
> be to take a look at such projects that do not have proper security
> auditing and putting efforts of volunteers to audit this.
> 
> It's also worth noting that this would make for another outlet for
> people who are interested in security and free software to enter the
> field and get their foot in the door.
> 

-- 
Julian Daich

julian.daich@freecomputerlabs.org

FCL
www.freecomputerlabs.org


* Re: Free software is not trusted software
  2019-01-20 22:54         ` Julian Daich
@ 2019-01-21  3:02           ` bill-auger
  2019-01-22 10:07             ` Nicolás Ortega Froysa
  2019-01-26 21:17             ` Julian Daich
  0 siblings, 2 replies; 35+ messages in thread
From: bill-auger @ 2019-01-21  3:02 UTC (permalink / raw)
  To: libreplanet-discuss

as much as i hate to be a wet blanket :) - i must say that my
suggestion to elect Nicolás the chief of this operation was entirely
sarcastic - this discussion is all well intentioned, of course, but
not very realistic

take this as one representative example (i.e. food for thought) - the
chromium web browser has been under suspicion for improper licensing
since it was released about 10 years ago - in that time, no one has
audited it comprehensively, not even its own developers were able to
reach a conclusion (it appears that they honestly did try), and probably
no one ever will be able to; not because of disinterest, but because of
the sheer magnitude of the task

it would probably take a reasonably sized team working full time for
about six months to audit that behemoth for licensing compliance alone,
then who knows how much longer to actually read all of the source code;
and that does not imply that any of the reviewers would have a thorough
understanding of what they have read - it is probably safe to assume
that not one developer of that program actually understands all of the
complex inter-workings of the many many parts of such a large code-base
- to expect a team of volunteers to accomplish that super-human feat
is ... ok, i will say it ... a pipe dream - and that is only considering
one single software project - the proposal in this thread is literally
to audit every bit of source code that has ever been written and ever
will be written - it should be obvious that would be many orders of
magnitude more difficult

and by the way, i don't recall anyone suggesting that proper licensing
should be among the goals of this committee - that would actually be
best as the first thing audited; because it is a significantly simpler
task, and if the program is indeed improperly licensed, then the
evaluation can stop there, because no one has any right to use it
anyways - this is essentially the position of the FSDG distros by not
distributing chromium; and users are generally advised not to use any
software that the distro does not provide, regardless of any reasons
*why* the distro does not provide it


On Sun, 20 Jan 2019 23:54:16 +0100 Julian wrote:
> Would it not be simpler and eventually more effective just to rank the
> trustability of the software according to the ratio of reviewers/
> maintainers?

so, call me a negative nancy if you will, but i suggest that an
optimistic estimation of that ratio would be on the order of one
reviewer for each 10,000 to 100,000 software projects; so those
rankings would differ only beyond the fifth decimal place, and the vast
majority would be forever marked: "pending evaluation - please help!" -
again, that's not because it is a bad idea, nor because no one is
interested; the scale of the endeavor itself renders its success
dubious at best - it is probably safe to assume that it would require
at least as many reviewers perpetually reviewing, as the number of
developers that are actively developing - BTW this is already in common
practice under the name "code review" - of course, not all projects do
it, but they should and ideally would if only they had the peoples-power
to do so

just for a grounding in reality here: there is probably more software
published, to github alone, every day, than a team of a thousand
reviewers could audit in a year - simple math would indicate that this
would require a team of millions, just to keep on top of all the new
software that is published, and work slowly toward scratching the
surface of the back-log of existing software - if anyone wants to take
this proposal seriously, you may be better off playing the lottery in
hopes of being able to fund this effort for the first year

and just in case anyone is thinking: "automation! that's the solution!";
i suggest that you would probably need to solve "the halting problem"
before that fantastic "malware detector" program could be written

if you like (or even if you don't), you could consider the world of
free software (and the internet, and all software, really) not
much at all as alike to your grandmother's cozy, safe living room; but
more realistically like the wild outback - it contains all sorts of
savages, bandits and wolves, that have been there since the beginning
and are not likely to go away anytime in the foreseeable future - free
software is not to blame for that; it is a fact of life - free
software is actually the only hope in reducing whatever damage to
society of which such "bad neighbors" possess the potential to inflict

i would be sorry if that portrait frightens anyone away from using free
software, but it is the very price you pay for freedom in this, the only
universe we have to explore: everyone must be willing to accept the
risks associated with their own actions, and learn how to avoid the
activities which they consider to be dangerous; or else that person is
not responsible enough to competently manage themselves with that
particular level of freedom - there is a word for such people; they are
usually called: "children" - as a mature adult, no one else will,
should, or can accept those risks for you

the best that helpful shepherds can hope to do, is to warn Little Red
Riding Hood not to talk to strange wolves, or to keep her locked in at
home - the latter would be the metaphorical analog of turning your
computer OFF, or trusting that purveyors of proprietary software (ala.
MS/apple/google) can "protect" her for you - luckily, the moral of
this story, is that the actual tangible "dangers" to this sort of
activity are as mythical as the Big Bad Wolf himself - if one exercises
basic common sense and restraint, then the worst "harm" those wolves can
actually do, is to corrupt your data or to spy on your web browsing -
they can not actually eat you, nor grandma - whew, now isn't that
comforting and reassuring - let us rejoice :)

perhaps this rant may sound hopelessly pessimistic to some, but i do
hope that no one would see it as a validation of the OP's claim - my
advice to anyone holding these concerns, is to trust your distro, use a
FSDG endorsed distro and do not use any software that your distro has
not provided - additionally, and as importantly: engage yourself with
your distro's developers, file bug reports, ask the experts about your
security concerns and for advice on how you can learn to manage them,
and so on - that is how bugs are found and fixed, and how privacy
concerns are identified and warned about or patched out; and that dialog
between users and devs seems to have been working quite well these many
years - because of that, i am not at all pessimistic nor frightened
about anything i mentioned in this post

:) that was fun - thanks for reading - if you made it this far down:
you are awesome!!


* Re: Free software is not trusted software
  2019-01-20 18:01       ` Nicolás Ortega Froysa
  2019-01-20 20:36         ` bill-auger
  2019-01-20 22:54         ` Julian Daich
@ 2019-01-21  8:05         ` Andrew Luke Nesbit
  2019-01-21 22:45           ` bill-auger
  2 siblings, 1 reply; 35+ messages in thread
From: Andrew Luke Nesbit @ 2019-01-21  8:05 UTC (permalink / raw)
  To: libreplanet-discuss, Nicolás Ortega Froysa

On 20/01/2019 18:01, Nicolás Ortega Froysa wrote:
> It's also worth noting that this would make for another outlet for
> people who are interested in security and free software to enter the
> field and get their foot in the door.

This is an excellent motivation.

Andrew
-- 
OpenPGP key: EB28 0338 28B7 19DA DAB0  B193 D21D 996E 883B E5B9


* Re: Free software is not trusted software
  2019-01-21  8:05         ` Andrew Luke Nesbit
@ 2019-01-21 22:45           ` bill-auger
  2019-01-22  9:34             ` Nicolás Ortega Froysa
  0 siblings, 1 reply; 35+ messages in thread
From: bill-auger @ 2019-01-21 22:45 UTC (permalink / raw)
  To: libreplanet-discuss

On Mon, 21 Jan 2019 08:05:23 +0000 Andrew wrote:
> On 20/01/2019 18:01, Nicolás Ortega Froysa wrote:
> > It's also worth noting that this would make for another outlet for
> > people who are interested in security and free software to enter the
> > field and get their foot in the door.  
> 
> This is an excellent motivation.

more committees are rarely, if ever, desirable - splintering of efforts
leads to redundant efforts, and therefore wasted time - a far better
approach would be for the community to focus more on the existing
"outlets", that are already equipped and experienced in this very task,
because they have been doing it for many years (such as their distro
maintainers - for example: https://www.debian.org/security/audit/) -
some of them have been doing exactly what is being proposed here for
more time than some people reading this have existed on this planet -
no one needs a new invitation to put their foot into any new doors -
those doors already exist and are already encouraging everyone to
involve themselves - please do feel free to put your foot into one of
those existing doors today - to conclude that a brand new separate
committee would somehow do a better job is very myopic, uninformed, and
therefore not sincerely motivated

note this quote from the debian security team wiki page:

  Due to the sheer size of the current Debian release it is infeasible
  for a small team to be able to audit all the packages, so there is a
  system of prioritizing packages which are more security sensitive.

debian has the largest team of maintainers of any distro in existence
and that has been true for more time than most of its software has
existed - if they are conceding that they do not have enough help to
comprehensively audit all of the software that debian distributes, how
could any reasonable person presume that it would be more effective to
create a new separate team from zero, with the goal of auditing all
software in existence?

such efforts, when focused around your software distribution of choice,
are better organized and tailored to your system, and so optimally
effective; even if only because the decisions made in that committee,
directly determine which software is available in the distro's repos and
which is plainly unavailable - as long as users are well-advised to
avoid software that is not provided by their distro, then users who
are not interested in, or qualified for, auditing software, or
participating in the security discussions, can casually and confidently
use whatever software that exists in their distro's repos, and
effortlessly ignore what is not there

the only rational arguments that i can foresee that could oppose
anything i just wrote are of this sort:

* i refuse to use a free software operating system
* i do not trust the maintainers of my distro
* i routinely use software that my distro does not endorse

anyone with any such objection is intentionally creating an avoidable
problem for themselves (aka. a false dilemma); a self-imposed problem
that is no reflection of the state of free software nor free software
distros, but indicative of one's lack of faith in and/or dedication to
the merits and principles of free software


* Re: Free software is not trusted software
  2019-01-21 22:45           ` bill-auger
@ 2019-01-22  9:34             ` Nicolás Ortega Froysa
  0 siblings, 0 replies; 35+ messages in thread
From: Nicolás Ortega Froysa @ 2019-01-22  9:34 UTC (permalink / raw)
  To: libreplanet-discuss



On Mon, Jan 21, 2019 at 05:45:57PM -0500, bill-auger wrote:
> On Mon, 21 Jan 2019 08:05:23 +0000 Andrew wrote:
> > On 20/01/2019 18:01, Nicolás Ortega Froysa wrote:
> > > It's also worth noting that this would make for another outlet for
> > > people who are interested in security and free software to enter the
> > > field and get their foot in the door.  
> > 
> > This is an excellent motivation.
> 
> more committees are rarely, if ever, desirable - splintering of efforts
> leads to redundant efforts, and therefore wasted time - a far better
> approach would be for the community to focus more on the existing
> "outlets", that are already equipped and experienced in this very task,
> because they have been doing it for many years (such as their distro
> maintainers - for example: https://www.debian.org/security/audit/) -
> some of them have been doing exactly what is being proposed here for
> more time than some people reading this have existed on this planet -
> no one needs a new invitation to put their foot into any new doors -
> those doors already exist and are already encouraging everyone to
> involve themselves - please do feel free to put your foot into one of
> those existing doors today - to conclude that a brand new separate
> committee would somehow do a better job is very myopic, uninformed, and
> therefore not sincerely motivated
> 

I was not aware of the existence of this project, I was simply
brainstorming an idea. Considering this, I agree that it is much more
efficient for people to join an already existing project (that would not
have to waste time on organization, as a new one would) such as
Debian's. What's more, despite this being distro-specific, their
announcements are public, and therefore communication between multiple
distros would not be an issue and double-work between them can be easily
avoided. Thanks for the catch, Bill.

-- 
Nicolás Ortega Froysa
Vivu lante, vivu feliĉe!
https://themusicinnoise.net/
http://uk7ewohr7xpjuaca.onion/
Public PGP Key:
https://themusicinnoise.net/nortega@themusicinnoise.net_pub.asc
http://uk7ewohr7xpjuaca.onion/nortega@themusicinnoise.net_pub.asc


* Re: Free software is not trusted software
  2019-01-21  3:02           ` bill-auger
@ 2019-01-22 10:07             ` Nicolás Ortega Froysa
  2019-01-23  3:48               ` bill-auger
  2019-01-26 21:17             ` Julian Daich
  1 sibling, 1 reply; 35+ messages in thread
From: Nicolás Ortega Froysa @ 2019-01-22 10:07 UTC (permalink / raw)
  To: libreplanet-discuss



On Sun, Jan 20, 2019 at 10:02:53PM -0500, bill-auger wrote:
> as much as i hate to be a wet blanket :) - i must say that my
> suggestion to elect Nicolás the chief of this operation was entirely
> sarcastic - this discussion is all well intentioned, of course, but
> not very realistic
> 

I will admit that I did not notice your sarcasm, but that aside, what
I'm trying to do is brainstorm ideas to solve the problem that was
brought about by this thread. In a brainstorm we come up with a
multitude of ideas, expand on them, and if they don't work we reject
them. Obviously, this one has been rejected, not only by how infeasible
it would be to audit that multitude of packages, but because such
projects already exist (as you pointed out in the other subthread).
Therefore the most productive topic of conversation at this point would
be narrowing down our brainstorming to how we could improve the already
existing process for auditing software.

> and by the way, i don't recall anyone suggesting that proper licensing
> should be among the goals of this committee - that would actually be
> best as the first thing audited; because it is a significantly simpler
> task, and if the program is indeed improperly licensed, then the
> evaluation can stop there, because no one has any right to use it
> anyways - this is essentially the position of the FSDG distros by not
> distributing chromium; and users are generally advised not to use any
> software that the distro does not provide, regardless of any reasons
> *why* the distro does not provide it
> 

In my original reply I responded with the following statement (#5):

  5. It would greatly help the free distros, which are always working
  very hard to weed out software packages with non-free blobs. Proper
  auditing with a standard protocol would help to weed out these
  non-free packages in a more efficient and just manner.

Tying this back to my response to another subthread, if Debian Security
(or other security distro projects) don't already, it may be a good idea
to ask them to do so (if not only for their own sake). Of course, in the
case of the Debian project which has different repositories for non-free
software, I'm fairly certain that if they were to find non-free software
within a given package in the `main' repository they would notify the
maintainers to move it elsewhere.

> if you like (or even if you don't), you could consider the world of
> free software (and the internet, and all software, really) not
> much at all as alike to your grandmothers cozy, safe living room; but
> more realistically like the wild outback - it contains all sorts of
> savages, bandits and wolves, that have been there since the beginning
> and are not likely to go away anytime in the foreseeable future - free
> software is not to blame for that; it is a fact of life - free
> software is actually the only hope in reducing whatever damage to
> society of which such "bad neighbors" possess the potential to inflict
> 
> i would be sorry if that portrait frightens anyone away from using free
> software, but it is the very price you pay for freedom in this, the only
> universe we have to explore: everyone must be willing to accept the
> risks associated with their own actions, and learn how to avoid the
> activities which they consider to be dangerous; or else that person is
> not responsible enough to competently manage themselves with that
> particular level of freedom - there is a word for such people; they are
> usually called: "children" - as a mature adult, no one else will,
> should, or can accept those risks for you
> 
> the best that helpful shepherds can hope to do, is to warn Little Red
> Riding Hood not to talk to strange wolves, or to keep her locked in at
> home - the latter would be the metaphorical analog of turning your
> computer OFF, or trusting that purveyors of proprietary software (ala.
> MS/apple/google) can "protect" her for you - luckily, the moral of
> this story, is that the actual tangible "dangers" to this sort of
> activity are as mythical as the Big Bad Wolf himself - if one exercises
> basic common sense and restraint, then the worst "harm" those wolves can
> actually do, is to corrupt your data or to spy on your web browsing -
> they can not actually eat you, nor grandma - whew, now isn't that
> comforting and reassuring - let us rejoice :)
> 

Having freedom is certainly a responsibility, but that's one of the
reasons society exists in the first place. By distributing and
specializing different responsibilities between different members of the
community we achieve a much higher feat than if we were to simply act as
lone egoistic individuals. Relating this to free software, yes, we
should all know that our software could always contain some kind of
malicious code, or even code that accidentally does something horrible
to our machines. This is why most free software licenses come with a no
warranty clause. However we should still try to help one another to
prevent harm to those less prepared.

-- 
Nicolás Ortega Froysa
Vivu lante, vivu feliĉe!
https://themusicinnoise.net/
http://uk7ewohr7xpjuaca.onion/
Public PGP Key:
https://themusicinnoise.net/nortega@themusicinnoise.net_pub.asc
http://uk7ewohr7xpjuaca.onion/nortega@themusicinnoise.net_pub.asc


* Re: Free software is not trusted software
  2019-01-22 10:07             ` Nicolás Ortega Froysa
@ 2019-01-23  3:48               ` bill-auger
  0 siblings, 0 replies; 35+ messages in thread
From: bill-auger @ 2019-01-23  3:48 UTC (permalink / raw)
  To: libreplanet-discuss

frankly, i think that if this discussion is to be continued with any
sincerity, then it begs for a new "subject" heading; because the present
one is less indicative of a constructive discussion topic than
ignominious click-bait 


On Tue, 22 Jan 2019 11:07:48 +0100 Nicolás wrote:
> Therefore the most productive topic of conversation at
> this point would be narrowing down our brainstorming to how we could
> improve the already existing process for auditing software.

i do think that the most notable deficiency is lack of involvement from
users, and resources in general; but i don't think anything is currently
being done improperly, suggesting any specific improvements - most
software projects, from the smallest to the largest, are under-staffed
at their roots, almost characteristically so; but most responsible dev
teams would do, and indeed do, these sort of self-evaluations
themselves, if and when they can manage the well established, routine
"best-practice" task of code-review

that was not to indicate any particular failure of any party - i would
say it's just a case of too few cooks trying to feed a disproportionate
number of passive customers who give nothing in return (and i don't mean
cash - bug reports and discussions are far more valuable) - perhaps
many do not "feel" empowered to help; but that would be entirely
unfounded, and not any fault of the developers - absolutely everyone
can and should participate, and no explicit invitation is required;
because participation generally is the default expectation upon users of
free software


On Tue, 22 Jan 2019 11:07:48 +0100 Nicolás wrote:
>   5. It would greatly help the free distros, which are always working
>   very hard to weed out software packages with non-free blobs. Proper
>   auditing with a standard protocol would help to weed out these
>   non-free packages in a more efficient and just manner.
> 
> if Debian
> Security (or other security distro projects) don't already, it may be
> a good idea to ask them to do so

your point #5 is nearly the same as all that i suggested; only the
perspective is inverted - for the most part, there is no other, new
"it" that would be needed to help distros to do anything that they are
not already doing - all distros want their software to be bug-free, and
to varying degrees: privacy-respecting and audit-able; and they already
do as well as they possibly can to ensure that - they may not all have a
formal "security team", but there is probably nothing new to ask of any
of them other than "how can i help you to acquire more people-power or
educate software users?"


On Tue, 22 Jan 2019 11:07:48 +0100 Nicolás wrote:
> I'm fairly certain that if they
> were to find non-free software within a given package in the `main'
> repository they would notify the maintainers to move it elsewhere.

i am too - i think non-free software can be safely ignored for the sake
of this discussion


On Tue, 22 Jan 2019 11:07:48 +0100 Nicolás wrote:
> yes, we should all know that our software could always contain some
> kind of malicious code, or even code that accidentally does something
> horrible to our machines. However we should still try to help
> one another to prevent harm to those less prepared.

again, i think we are in perfect agreement already - the wording of
that indicates something is being added that i neglected to mention - i
literally offered that particular "however" as the only real remedy
there is - little red riding hood must be aware of the risks that she
takes by venturing from the safety of grandma's living room, out into
the wild wilderness; or she would be wiser to stay home - forest rangers
are not needed when some common-sense survival skills will suffice, and
are standard equipment that every explorer is wise to possess before
leaving home

perhaps more wise and conscientious shepherds are needed to offer such
advice; but people generally do not respect advice if forced upon
them by some authority - everyone is responsible for educating
themselves, especially about topics that are subjective and otherwise
outside the scope of a general school education; and i do think that
most people prefer it that way - that is, for example, non-essential,
leisure, luxury, entertainment activities such as goofing off on the
internet; which is the reality of that for which people, who are the
most in need of such advice, actually do "need" their computers and
pocket-phones - this is no more essential nor mandatory than say:
swimming lessons or bicycle safety advice for those who choose to swim
or ride a bicycle, plus the extremely tiny sliver of the population who
truly must engage in such otherwise optional activities (such as
carrying a pocket-phone), *and* who are also actually interested in such
"hand-holding" forms of instruction

as long as good advice is available for the curious to find,
responsible people will seek it and find it - if they are also wise,
they may even heed it; but in the end, it is not actually anyone's
responsibility to provide that advice - it would be nothing more
compulsory or authoritative than a voluntary, neighborly, community
service, to be appreciated or ignored, at each one's own personal
discretion and/or peril

the suggestion of a ratings system, for example, is a step quite out of
line with friendly advice, suggesting a self-proclaimed authority - i
don't think the world needs that - your distro is already that authority
and your "shepherd", by the nature that they are the ones who are
curating the software on behalf of the majority of free software users
- that is precisely and entirely what distros exist for - the way that
most distros advise against acquiring software from third-parties, and
how debian separates non-free software from the main repos, and
parabola's privacy repo, for examples, are sufficiently adequate as
such guides for anyone curious enough to learn what those general
distinctions are

seriously let us start a new thread if this discussion is to continue -
i would have, but personally, i can not think of anything more that
needs discussing - how about: "Free Software Swimming Lessons"

_______________________________________________
libreplanet-discuss mailing list
libreplanet-discuss@libreplanet.org
https://lists.libreplanet.org/mailman/listinfo/libreplanet-discuss


* Re: Free software is not trusted software
  2019-01-19 10:41   ` Nicolás Ortega Froysa
                       ` (2 preceding siblings ...)
  2019-01-19 22:37     ` al3xu5 / dotcommon
@ 2019-01-23 19:51     ` Adonay Felipe Nogueira
  3 siblings, 0 replies; 35+ messages in thread
From: Adonay Felipe Nogueira @ 2019-01-23 19:51 UTC (permalink / raw)
  To: libreplanet-discuss



On 19/01/2019 08:41, Nicolás Ortega Froysa wrote:
> Considering that this is an issue that would affect nearly all distros,
> it may be a good idea to setup a central collective group for auditing
> software. This would help in various regards:

There is the Antifeatures Project Team[1] in the Free Software
Directory[2]; it's still being built and the set of items that will be
reviewed is still being made.

It's a subgroup of the whole Free Software Directory review community.
And having an antifeature doesn't mean that the software is non-free.

I don't participate in the group as I'm not that inclined to review
advanced security issues, but I do hope my suggestion is bookmarked. The
last thing I want is seeing two instances of the same effort. Also
considering that the help given to the Free Software Directory also
eases the lives of package maintainers in free/libre system
distributions (occasionally there is also some discussion on how to
unite the works of that directory with the ones made by the distribution
projects, if I'm not mistaken, bill-auger and Donald_Hedlund were
talking about this).


[1] https://directory.fsf.org/wiki/Free_Software_Directory:Antifeatures
[2] https://directory.fsf.org/wiki/Main_Page






* Re: Free software is not trusted software
  2019-01-21  3:02           ` bill-auger
  2019-01-22 10:07             ` Nicolás Ortega Froysa
@ 2019-01-26 21:17             ` Julian Daich
  2019-01-26 23:35               ` bill-auger
  1 sibling, 1 reply; 35+ messages in thread
From: Julian Daich @ 2019-01-26 21:17 UTC (permalink / raw)
  To: libreplanet-discuss



On 21/1/19 at 4:02, bill-auger wrote:
> On Sun, 20 Jan 2019 23:54:16 +0100 Julian wrote:
>> It will not be simpler and eventually more effective just to rank the
>> trustability of the software according to the ratio of reviewers/
>> maintainers?
> so, call me a negative nancy if you will, but i suggest that an
> optimistic estimation of that ratio would be on the order of one
> reviewer for each 10,000 to 100,000 software projects; 

So it will be worth it to advise users. The ratio I mentioned was only an
example. There can be many ways to rank software trustability.

> 
> just for a grounding in reality here: there is probably more software
> published, to github 

Software can be defined as not trustable by default unless it is reviewed.
Especially in these bug repositories. It will benefit the big projects/
users (Canonical, IBM, Intel, Google, GNU, etc.); these entities/people
not only care about the quality of the software they include in their
projects, but also about the potential problems caused by the interaction
with other programs.

>  everyone must be willing to accept the
> risks associated with their own actions, and learn how to avoid the
> activities which they consider to be dangerous; or else that person is
> not responsible enough to competently manage themselves with that
> particular level of freedom 

Free Software, especially under the GPL, is at the user's own risk. No
warranties.

> 
> my
> advice to anyone holding these concerns, is to trust your distro, use a
> FSDG endorsed distro and do not use any software that your distro has
> not provided - additionally, and as importantly: engage yourself with
> your distro's developers, file bug reports, ask the experts about your
> security concerns and for advice on how you can learn to manage them,
> and so on - that is how bugs are found and fixed, and how privacy
> concerns are identified and warned about or patched out; and that dialog
> between users and devs seems to have been working quite well these many
> years - 

There is another point. Many Free Software users often confuse libre
with gratis. Having Free Software does not mean that less skilled users
can ask the more skilled ones to add features or fix bugs for free.

I mentioned the ranking solution because it is worthwhile for me and also
for other big and skilled parties.

What we can do is start to raise the alert.

Best,

Julian


-- 
Julian Daich

julian.daich@freecomputerlabs.org

FCL
www.freecomputerlabs.org



* Re: Free software is not trusted software
  2019-01-26 21:17             ` Julian Daich
@ 2019-01-26 23:35               ` bill-auger
  2019-01-27  1:07                 ` bill-auger
  2019-01-27 19:40                 ` Julian Daich
  0 siblings, 2 replies; 35+ messages in thread
From: bill-auger @ 2019-01-26 23:35 UTC (permalink / raw)
  To: libreplanet-discuss

On Sat, 26 Jan 2019 22:17:39 +0100 Julian wrote:
> On 21/1/19 at 4:02, bill-auger wrote:
> > one reviewer for each 10,000 to 100,000 software projects;   
> 
> So it will be worth it to advise users.
> There can be many ways to rank software trustability.

that is missing my point - regardless of how you score the rankings, no
ranking could be assigned to any project until someone has actually
audited the code, and each reviewer would still have about 100,000
projects to review which would probably take each reviewer about 10,000
years to complete - so only a tiny portion of projects would ever be
assigned the ranking, unless there are literally millions of reviewers
working on the task, indefinitely forever 


On Sat, 26 Jan 2019 22:17:39 +0100 Julian wrote:
> Software can be defined as not trustable by default unless it is
> reviewed. 

how did you write that email? - has anyone audited your email client?
- your web browser? - your operating system?

i think we all know, that no one has comprehensively audited all of
the software that you are using for trustworthiness (or *any* of it
really) - so by your definition, none of the software that you, or i,
or anyone is using right now is "trust-worthy" - so why are you using
any software at all, if you are so convinced that people must trust all
software that they use, but that none of it can actually be trusted? -
apparently, the criteria of trustworthiness is not as important as
people are pretending that it is; or else none would be reading nor
replying to any of these messages in order to express that opinion

it should also not go without saying that the word "trust" is really
not applicable to software - computers merely execute the instructions
they are given - for the most part, you can "trust" that they will do
exactly what the codes specify, consistently, reliably, without
deviation - the word "trust" can only be sincerely used to refer to the
people who write the software - to say that you do not trust the
software itself is saying no more than: "i do not know how it
works" - even if some very smart person reviews it and gives it her
"thumbs-up", you still "do not know how it works" unless you read
it yourself; therefore it is still "untrustworthy" software by that
same inappropriate description


On Sat, 26 Jan 2019 22:17:39 +0100 Julian wrote:
> Having Free Software does not mean that less skilled
> users can ask the more skilled ones to add features or fix bugs for
> free.

that is exactly what can, and does happen - and when it does not happen
"for free", it often happens because a user commissions someone to
do the work - of course, there is no guarantee that unskilled users
will get all of their wishes fulfilled (c'est la vie); but it most
certainly is a general possibility that proprietary software
generally does not offer - and that is not to mention the general
possibility that unskilled users can become skilled users if they
choose to

the main point of that quoted message was that it is not reasonable in
this universe to expect anyone else to do anything for you, not for
gratis, nor for hire, unless you are a child - we are incredibly
fortunate that so much "free as in freedom" software exists for gratis -
yet that is not good enough for some people, and they expect it to also
be perfect, and perpetually decorated with novelties


On Sat, 26 Jan 2019 22:17:39 +0100 Julian wrote:
> I mentioned the ranking solution because it is worthwhile for me and
> also for other big and skilled parties.

i find the idea of ranking software to be inappropriate and
counter-productive to any common goal - unless that goal is to
shame people - software development is not a sport - no one needs to
keep score - such rankings could only lead to some projects optimizing
for the "score" as to snowball it into the "leader" position; while
others who behave more sincerely by focusing on the work rather than
the vague prescriptions of some external committee, and perhaps ranking
lower for that reason, would be starved for the attention that they
deserve; because everyone who puts their faith in the ranking system
would view them as hopelessly untrustworthy, simply for not playing
"the game" as the committee prescribes



* Re: Free software is not trusted software
  2019-01-26 23:35               ` bill-auger
@ 2019-01-27  1:07                 ` bill-auger
  2019-01-27 19:51                   ` Julian Daich
  2019-01-27 19:40                 ` Julian Daich
  1 sibling, 1 reply; 35+ messages in thread
From: bill-auger @ 2019-01-27  1:07 UTC (permalink / raw)
  To: libreplanet-discuss

On Sat, 26 Jan 2019 18:35:15 -0500 bill-auger wrote:
> such rankings could only lead to some projects optimizing
> for the "score" as to snowball it into the "leader" position; 

allow me to elaborate on that a bit - that was not merely a vague
prediction - it already happens - i have experienced it directly and
it is disturbing

recently, i was informed that one of my scripts had been added to a
popular software repo (i do not care to promote it by name) - i looked
at its entry on the web and noticed that every package is assigned
automated "scores" for quality, maintenance, popularity, and so on - my
script was assigned an extremely low score in all categories, so i
looked into their criteria out of curiosity - here are some of the more
ridiculous examples of where my script fails so miserably:

* if the project does not have at least 4 "badges" in its README file
  on github, it loses points for "code quality"
* if the project does not use travis-ci, it loses points for "code
  quality" - (IIRC, some points can be earned only by using premium
  proprietary web services)
* if the project does not create an official "release" on github at
  least once each month, it loses points in the "well maintained"
  category
* and IIRC, it actually loses points for not having their specific
  packaging metadata file prominently in the root of the repo master branch
  (precisely named with their corporate brand, of course); where it is
  actually just pollution, as packaging metadata serves no purpose in
  the release tarballs (aka. the git master branch)

to put that into context, my script has been full-featured and stable
for probably a longer amount of time than that company has existed
- my script would not benefit from any of those "essential" prescribed
webby adornments; and we should hope that no one would be compelled to
add them, merely to achieve a better score on some gamified
"leader-board"

it should be obvious that any developer who puts stock in such rankings
is going to spend a disproportionate amount of time catering to the
scoring system rather than getting any real work done; but if people
treat software development like a game, and put popularity as a priority
goal, then that is exactly what will happen, and it is actually
counter-productive to the goal of quality

that is not to mention how insulting it is to an experienced developer
to be labeled with such badges of shame, when they know damn well that
their software is not poor quality; but that ignorant readers of such a
website which claims to be the authority on the topic are given exactly
that misleading impression

so i would say that for the sake of being responsible net-izens, it
would actually be preferable not to want your favorite software featured
on such a website at all, and to recommend that no one accepts such
rankings at face value - it certainly does no favor for otherwise
responsible developers, and misleads users into valuing only those
prescribed generic quality criteria - most disturbingly, it rewards
developers for treating their craft as a game, and punishes the ones
who take their work more seriously, and who avoid adding unnecessary
baggage for frivolous "populous" reasons



* Re: Free software is not trusted software
  2019-01-26 23:35               ` bill-auger
  2019-01-27  1:07                 ` bill-auger
@ 2019-01-27 19:40                 ` Julian Daich
  2019-02-17  5:34                   ` overthefalls
  1 sibling, 1 reply; 35+ messages in thread
From: Julian Daich @ 2019-01-27 19:40 UTC (permalink / raw)
  To: libreplanet-discuss



On 27/1/19 at 0:35, bill-auger wrote:
> On Sat, 26 Jan 2019 22:17:39 +0100 Julian wrote:
>> On 21/1/19 at 4:02, bill-auger wrote:
>>> one reviewer for each 10,000 to 100,000 software projects;   
>>
>> So it will be worth it to advise users.
>> There can be many ways to rank software trustability.
> 
> that is missing my point 

It is just thinking different.

> 
> 
> On Sat, 26 Jan 2019 22:17:39 +0100 Julian wrote:
>> I mentioned the ranking solution because it is worthwhile for me and
>> also for other big and skilled parties.
> 
> i find the idea of ranking software to be inappropriate and
> counter-productive to any common goal -

Wikipedia ranks pages all the time and they are doing well. As you
pointed out before, most of the software will not be reviewed unless there
is a real interest in checking it.

Best,

Julian

> unless that goal is to
> shame people - software development is not a sport - no one needs to
> keep score - such rankings could only lead to some projects optimizing
> for the "score" as to snowball it into the "leader" position; while
> others who behave more sincerely by focusing on the work rather than
> the vague prescriptions of some external committee, and perhaps ranking
> lower for that reason, would be starved for the attention that they
> deserve; because everyone who puts their faith in the ranking system
> would view them as hopelessly untrustworthy, simply for not playing
> "the game" as the committee prescribes
> 
> 

-- 
Julian Daich

julian.daich@freecomputerlabs.org

FCL
www.freecomputerlabs.org



* Re: Free software is not trusted software
  2019-01-27  1:07                 ` bill-auger
@ 2019-01-27 19:51                   ` Julian Daich
  2019-01-28  3:15                     ` bill-auger
  0 siblings, 1 reply; 35+ messages in thread
From: Julian Daich @ 2019-01-27 19:51 UTC (permalink / raw)
  To: libreplanet-discuss



On 27/1/19 at 2:07, bill-auger wrote:
> On Sat, 26 Jan 2019 18:35:15 -0500 bill-auger wrote:
>> such rankings could only lead to some projects optimizing
>> for the "score" as to snowball it into the "leader" position; 
> 
> allow me to elaborate on that a bit - that was not merely a vague
> prediction - it already happens - i have experienced it directly and
> it is disturbing
> 

Trustability ranks can be adjusted so as not to troll people. Defining/
ranking software "quality" and user safety are different things. Quality
can be very arbitrary.


> recently, i was informed that one of my scripts had been added to a
> popular software repo (i do not care to promote it by name) - i looked
> at its entry on the web and noticed that every package is assigned
> automated "scores" for quality, maintenance, popularity, and so on - my
> script was assigned an extremely low score in all categories, so i
> looked into their criteria out of curiosity - here are some of the more
> ridiculous examples of where my script fails so miserably:
> 
> * if the project does not have at least 4 "badges" in its README file
>   on github, it loses points for "code quality"
> * if the project does not use travis-ci, it loses points for "code
>   quality" - (IIRC, some points can be earned only by using premium
>   proprietary web services)
> * if the project does not create an official "release" on github at
>   least once each month, it loses points in the "well maintained"
>   category
> * and IIRC, it actually loses points for not having their specific
>   packaging metadata file prominently in the root of the repo master branch
>   (precisely named with their corporate brand, of course); where it is
>   actually just pollution, as packaging metadata serves no purpose in
>   the release tarballs (aka. the git master branch)
> 
> to put that into context, my script has been full-featured and stable
> for probably a longer amount of time than that company has existed
> - my script would not benefit from any of those "essential" prescribed
> webby adornments; and we should hope that no one would be compelled to
> add them, merely to achieve a better score on some gamified
> "leader-board"
> 
> it should be obvious that any developer who puts stock in such rankings
> is going to spend a disproportionate amount of time catering to the
> scoring system rather than getting any real work done; but if people
> treat software development like a game, and put popularity as a priority
> goal, then that is exactly what will happen, and it is actually
> counter-productive to the goal of quality
> 
> that is not to mention how insulting it is to an experienced developer
> to be labeled with such badges of shame, when they know damn well that
> their software is not poor quality; but that ignorant readers of such a
> website which claims to be the authority on the topic are given exactly
> that misleading impression
> 
> so i would say that for the sake of being responsible net-izens, it
> would actually be preferable not to want your favorite software featured
> on such a website at all, and to recommend that no one accepts such
> rankings at face value - it certainly does no favor for otherwise
> responsible developers, and misleads users into valuing only those
> prescribed generic quality criteria - most disturbingly, it rewards
> developers for treating their craft as a game, and punishes the ones
> who take their work more seriously, and who avoid adding unnecessary
> baggage for frivolous "populous" reasons
> 

-- 
Julian Daich

julian.daich@freecomputerlabs.org

FCL
www.freecomputerlabs.org



* Re: Free software is not trusted software
  2019-01-27 19:51                   ` Julian Daich
@ 2019-01-28  3:15                     ` bill-auger
  0 siblings, 0 replies; 35+ messages in thread
From: bill-auger @ 2019-01-28  3:15 UTC (permalink / raw)
  To: libreplanet-discuss

On Sun, 27 Jan 2019 20:51:59 +0100 Julian wrote:
> Trustability ranks can be adjusted so as not to troll people.
> Defining/ranking software "quality" and user safety are different
> things. Quality can be very arbitrary.

that was not to say that the rankings can only be intended for shaming
(and shaming is not the same as "trolling", BTW) - it was only to say
that shaming is the only common goal that it could be used for
successfully; and i don't think that is anyone's goal - as you pointed
out yourself, the common goal of "quality" is arbitrary; but then you
seem to be indicating that "trustworthiness" is not arbitrary -
"trustworthiness" and "safety" are not only arbitrary, but so totally
subjective as to be barely definable - i will say it again for clarity,
the word "trustworthiness" is applicable only to people, but not
inanimate objects such as computers - merely the use of that word in
this context is arbitrary and imprecise on the face of it - likewise, i
don't see how the word "safety" could be used sincerely to describe the
sorts of everyday computing activities that most people engage in

i have no doubt that the intentions here are sincere; but the words you
are using are so vague as to be dubious and nearly inapplicable to the
discussion - if the proposed methods or intentions are just as vague and
inapplicable, this would be a fatally misguided misadventure - so please
let us use appropriate words to describe those plans and intentions

for example, you could "trust" (or mistrust) a person to respect your
"privacy"; but *only* if that person had previously promised to do so -
no such promises are the default condition or obligation; just a common
courtesy, by convention, in some societies - when you interact with a
web server, that is someone else's computer, and that person is free
to do as they wish with the data you give them, as far as copyright and
patent laws permit - the owner of that computer alone, sets the
behavioral norms in the context of that computer's usage and any remote
users of it - they have no obligation to protect "your" data, nor to
keep that data, or your interactions with their service, a secret
(except for certain very specific data mandated by specific laws, such
as banking and medical records) - therefore it is completely
unreasonable to hold the opinion that one should be able, by default,
to "trust" every other computer operator in the world (who is, in
reality, a total stranger, BTW) to do these things of which they are
not obligated, and may not even be the norm of their culture - in some
cases, that computer operator will make some "community promises" in
the form of formal "privacy statements" - only then could words like
"trust" be applicable - that trust would only be applicable to what is
explicitly promised in the formal document (as expressed by that
computer's owner, not the desires of any remote user); and it is
arbitrary and different for every service on the internet - there
simply is no way to define nor hold any party to any universal standard
of "trustworthiness"

the word "safety" implies "danger"; as in: "a hungry lion is chasing
you" - "safety" does not mean: "there is no one spying on you" - the
correct word for that is: "privacy" - nor does it mean: "no one will
use your credit card numbers to buy a lady gaga CD without your
permission" - the correct word for that is: "fraud" - neither of those
bear any resemblance to being eaten by a lion - i think most people
can agree what "safety" means in the context of power tools, weapons,
and wild animals - with those tangible objects, there are objectively
verifiable consequences to their untrained misuse, that most sane
people would readily agree upon without argument; but regarding
computer use, there simply is no objective criteria that would be
important to everyone - whatever "safety" means to you in the context
of computers, it is not likely to mean the same thing to any other
person - again, it should be obvious that the majority of computer
users do not see them as "dangerous" and are not "afraid" of them in
any way - that is not because they are blind or ignorant - it is
because computing is not actually "dangerous" by any realistic
definition - therefore, any standards of "safety" that such a committee
draws is arbitrary, fitting only the personal concerns of its authors,
possibly omitting the concerns of some users, and not generally
applicable to any program, service, or user

it is simply not possible to accurately gauge such subjective concerns
with a pre-defined, one-size-fits-all criteria; but if such a ranking
system was to be applied at any scale, it could be only feasible with
some pre-defined, one-size-fits-all criteria, and applied by some
automated mechanism (such as that goofy system i described yesterday) -
there would be hardly enough time to apply those criteria automatically
to a small percentage of projects in existence; the problem is
completely intractable if each project is to be gauged manually by the
distinct, time-consuming, hand-picked, criteria that would be
accurately suitable for that particular program or service

so even if this were feasible, i think the end result would be, the
qualifying of projects by criteria that is too generic to accurately
describe any of them; and if people give any credibility to the
rankings, developers would start spending valuable time fitting their
software and development methodologies to satisfy those generic
criteria, which may not be appropriate to their project - cargo-cult
development, if you will, which is counter-productive toward any goal
other than populous approval



* Re: Free software is not trusted software
  2019-01-27 19:40                 ` Julian Daich
@ 2019-02-17  5:34                   ` overthefalls
  0 siblings, 0 replies; 35+ messages in thread
From: overthefalls @ 2019-02-17  5:34 UTC (permalink / raw)
  To: Julian Daich; +Cc: libreplanet-discuss

On 2019-01-27 12:40, Julian Daich wrote:
> On 27/1/19 at 0:35, bill-auger wrote:
>> On Sat, 26 Jan 2019 22:17:39 +0100 Julian wrote:
>>> On 21/1/19 at 4:02, bill-auger wrote:
>>>> one reviewer for each 10,000 to 100,000 software projects;
>>> 
>>> So it will be worth it to advise users.
>>> There can be many ways to rank software trustability.
>> 
>> that is missing my point
> 
> It is just thinking different.
> 
>> 
>> 
>> On Sat, 26 Jan 2019 22:17:39 +0100 Julian wrote:
>>> I mentioned the ranking solution because it is worthwhile for me and
>>> also for other big and skilled parties.
>> 
>> i find the idea of ranking software to be inappropriate and
>> counter-productive to any common goal -
> 
> Wikipedia ranks pages all the time and they are doing well. As you
> pointed out before, most of the software will not be reviewed unless there 
> is
> a real interest in checking it.
> 
>  Best,
> 
> Julian
> 
>  unless that goal is to
>> shame people - software development is not a sport - no one needs to
>> keep score - such rankings could only lead to some projects optimizing
>> for the "score" as to snowball it into the "leader" position; while
>> others who behave more sincerely by focusing on the work rather than
>> the vague prescriptions of some external committee, and perhaps 
>> ranking
>> lower for that reason, would be starved for the attention that they
>> deserve; because everyone who puts their faith in the ranking system
>> would view them as hopelessly untrustworthy, simply for not playing
>> "the game" as the committee prescribes
>> 
Sorry to butt in but, I don't know of anyone that looks at wikipedia 
page rankings to decide the security or privacy respecting attributes of 
that page, so I don't think that comparison has any merit or relevance 
here.



* Re: Free software is not trusted software
  2019-01-16 23:12   ` Leah Rowe
  2019-01-17  1:01     ` bill-auger
  2019-01-17 10:52     ` Thomas Harding
@ 2019-02-25 20:44     ` Taiidan
  2019-02-26  0:15       ` overthefalls
  2 siblings, 1 reply; 35+ messages in thread
From: Taiidan @ 2019-02-25 20:44 UTC (permalink / raw)
  To: libreplanet-discuss

I don't care if something is "harmless", I don't want anything phoning
home no matter what - this is my computer and my network, not anyone else's.


* Re: Free software is not trusted software
  2019-02-25 20:44     ` Taiidan
@ 2019-02-26  0:15       ` overthefalls
  0 siblings, 0 replies; 35+ messages in thread
From: overthefalls @ 2019-02-26  0:15 UTC (permalink / raw)
  To: Taiidan; +Cc: libreplanet-discuss

On 2019-02-25 21:44, Taiidan@gmx.com wrote:
> I don't care if something is "harmless", I don't want anything phoning
> home no matter what - this is my computer and my network, not anyone
> else's.
> 
Hear hear

