directory-discuss


From: Denis 'GNUtoo' Carikli
Subject: Re: Informing users that the directory doesn't review binaries. Was: [GNU-linux-libre] Criteria for Android applications
Date: Sat, 13 Nov 2021 20:09:35 +0100

On Thu, 11 Nov 2021 22:06:25 -0500
bill-auger <bill-auger@peers.community> wrote:

> my wording specifically is more educational, and (i believe)
> more relevant to the typical libre OS user; because it warns of
> all binaries, as inherently subject to doubt (pending only
> each's personal endorsement, which mere use satisfies
> implicitly), and that the reviewers looked at only source code,
> which is not necessarily related to _any_ binaries from _any_
> distributor
> 
> if/when reproducibility is the norm, that caveat could be
> removed, or become a warning to prefer reproducibility (and help
> by submitting your results)
> 
> a note WRT "app-stores" libre-hostile policies could be added
> also; but i would avoid mentioning brand names
The idea here was to point at a well known case to enable people to
understand better than using vague terms, and that case as I understand
is also covered by some of the FSF campaign(s).

> the simple fact i was illuminating, was/is this:
> 
> in practice, once someone explains to people that unsigned
> binaries can not be trusted, reproducibility/authenticity is
> generally taken as more important to/by those people, than
> hackability or licensing - understandably so, as it presents the
> highest risk factor
The thing here is that security is different from freedom.

For instance if we have backdoors in our compilers (or in our
computers), we still get individual and collective control over our
computing: we can modify the way the software behaves and so on.

Though you have a point here as if the binary is modified, any kind of
modifications could be added, including changing the file format used
by the application and adding vendor-locking, DRM, and so on.

> o/c the FSDG goes well beyond licensing (eg: if reproducibility
> was the norm, that could be considered as justification for a
> new FSDG requirement) - until then, i suggest warning about it -
> if i wrote it, i would likely be thinking to also suggest that
> people learn how to verify signatures, as the solution (trust
> only your distro's signatures)
For a start we could for instance indicate which distributions do
support reproducible builds and at what level, for instance in a page
on the Libreplanet wiki.

> i see a missed opportunity for essential education here - that
> education would benefit distros especially, because the
> "take-away" message of a hypothetical libre-101 course, is:
> "learn how to trust your distro (your upstreams/supply-chain)
> and get involved, learn how to file good BRs, maybe even learn to
> triage and hack" - reproducibility offers a uniquely fruitful
> conversation starter, leading to those lessons; because it's
> accuracy/usefulness depends on user-participation, and improves
> as: n_peers
If we can find an easy and short way to do that it would indeed be a
good idea.

What about that:
> The Free Software Directory (FSD, or simply Directory) is a project
> of the Free Software Foundation (FSF). We catalog useful free
> software that runs under free GNU-like systems, not limited to the
> GNU operating system and its GNU/Linux variants. Many of those
> programs also run on proprietary operating systems, where they can be
> used to replace nonfree software.
>
> While we do review the licenses of the source code of the software we
> catalog, we don't do any security audits, and we don't review the
> binary releases either.
>
> Some binary releases are nonfree (for instance all the applications
> distributed through Apple's Appstore are nonfree as Apple imposes
> restrictions incompatible with free software), and not all
> distributions enable users to check if the binary releases really
> correspond to the released source code (reproducible builds help
> ensure that).
>
> If you are looking for a full 100% free software operating system for
> your computer, or if you want to run free software applications,
> please see our list of free GNU/Linux distributions.

The issue in the version above is that some users might think that all
FSDG compliant distributions are reproducible, but that would be a bit
far-fetched.

Denis.
