Re: Sv: Rethinking the design of xwidgets

[Arthur Miller]

Jean Louis <bugs@gnu.support> writes:

> * arthur miller <arthur.miller@live.com> [2020-10-21 02:25]:
>> 
>> > You cannot know.
>> 
>> Exactly. That was a point I was making. One can not know. But we
>> have to;know. There is no way around knowing facts., and that iswhy
>> we can not have blobs​; and that is why I said RMS is completely
>> correct about that.
>
> When I started using GNU 1999, I first had to learn about free
> software, and later I found that Linux kernel does not work on every
> computer, because not all device drivers were written for those
> computers. So I have assumed that Linux developers are writing those
> device drivers, which is also true. I was not informed about
> proprietary non-free firmware files.
>
> That I found way too late in 2016, and then switched to FSF endorsed
> fully free distributions.
>
> A free software system should teach people about free software, it
> should designate:
>
> - that BIOS is not free, that OS does not replace non-free stuff in
>   BIOS, and that there are ways on specific devices to replace
>   such. This warning should come with every boot, if somebody would
>   ask me. Intel ME and MINIX inside have been huge security breach and
>   still is, there are problems with memory and that all could have
>   been as well intentional.
>
> - that some devices will not work, because for such do not exist free
>   software firmware files, that should also be made known to users
>   publicly and all those notices should be very very clear.
>
> - that users do not have control over computing on those devices or computers.
>
> It is not enough to say: if you wish that your device works, just load
> the non-free firmware.
>
> As such simple statement does not tell the user that user does not have
> control over his computing if such firmware is enabled.
>
>> There is big difference between a fact and trust. Facts are true because of 
>> their
>> intrinsic nature, regardless of our preferance; wether we like that thruth 
>> or not.
>> Trust is something one choose by preferance. It can (and should) be based on 
>> facts, but
>> it does not have to, it can be based on emotions, wishes and maybe other 
>> subjective
>> opinion.
Then we have started to use GNU/Linux around same time. My very first
distro was Red Hat 5.1, I think KDE was somewhere in 1.2 or something.
Got it from a magazine CD, and I had luck to read all that about drivers
and Free software before installation. Back than it was much harder to
get drivers to work and all that. I think my graphic card was TNT2 if
remember well. I got it that card so I could play Quake, AOE and
Starcraft. I also had to buy 128 meg of RAM extra.

> That is right, we do not and cannot decide for people to which group
> or which software to trust. It is developing socially. Obviously that
> is why there are various distributions.
Partially. There are also other issues with "trust" that I wasn't
touching on because of the lengthy mail, and I was at work typing from
the phone.

Short version: if trust worked we wouldn't need laws, and lawyers. There
wouldn't be hurt feelings and wars. If you wish we can discuss more
about trust, but I am not sure we need to.

Another problem with trust is the ignorance baked into it. We can be
lack information for some reason, we can trust on false premisse either
by an honest misstake or for a malicious reason, or it can be because of
incomplete information.

Yet another important issue is that trust based on previous experience,
as you described in your first response, does not leave space for people
to make misstakes.

Companies are just entities, dead things that made decisions. Decisions
are made of people, it is people that make misstakes. People fail for
various reasons. Amongs any population there will be certain amount of
geniouses, certain amount of people with some condition etc. It is
normal, people should be allowed to fail to. And they should be also
allowed to correct their misstakes and continues to become a part of
society. That makes for a batter society. It is also not a guarantee
they will not make a misstake in the future. Saying that company X has
history of this and company Y has history of that, means that people can
not change and are not allowed to correct themselves. Companies do hire
other people, people come and go etc.

>> Facts can be verified; trust does not have to. So no; trust is not
>> good enough.
>
> Users cannot verify facts in general, that is privilege only for small
> group of good programmers knowing it all, as nobody alone can verify
> what is going on in the system. There is no central authority to make
> sure of that, even in past there were various organizations, maybe
> also now, but they will not ensure of free software, for example Linux
> Foundation is probably run and sponsored by big companies who have
> slightly different interests.
Well, yes indeed. There is always a theory and there is a practice :-)
Philosophical discussion is often about theory, not about practice.
Anyway, if blob had source, and there was enough reason to look at it,
there would probably be someone to do it.

Company Y might be really honest about their intention, both companies
can be honest, why wouldn't they after all? I am of firm believe that
most people are actually good people. However, if company X believes
they need to protect their trade secret they have no choice but to give
an opaque blob. Unless they give company Y access to the source of the
blob, company Y can not know what is in the blob, they can just "trust"
the X, but despite all their honest intentions, there is not much more
they can do. There is also no guarantee that the blob is correct, i.e.
no bugs, and there is no way to know if there are other blobs hidden.
Maybe ME is just a honeypot, how do we know there are no other secrets
in there? We can't know unfortuantely because we don't have acces of the
source of CPU themselves either.

So blob does not really solve the problem; it isn't sustainable; it is
not a general solution, at least not good enough. Neither is holding
back to year 2006, since one day that strategy will wear out. The world
will be left without old CPUs. We need more sustainable solution. That
is why I asked if those things work without network. I am not so
knowledgable about ME extensions or security in general, but maybe there
are people who are.

Sorry for lengthy mails

Best regards and thanks for your understanding.

/arthur