gnu-misc-discuss

Re: Truth matters when writing software and selecting leaders


From: Jean Louis
Subject: Re: Truth matters when writing software and selecting leaders
Date: Tue, 30 Mar 2021 22:10:55 +0300
User-agent: Mutt/2.0.6 (2021-03-06)

* Martin <smartin@disroot.org> [2021-03-30 19:58]:
> > Instead of open source, we say, free software or free (libre)
> > software.

> This is absurd, I would never use only the "free software" term for
> exactly the same reason I'm not using only the word "open-source".

You may, but we don't, as it is a vague term. On the GNU website, we
never use "open source" to refer to free software, as we have to
promote freedom.

Anyway, you cannot change it. I have already mentioned various
Spanish-, Italian- and German-speaking countries; the free software
movement is there, it will not change, and people of the free software
movement use "free software" in their speech. Those who like software
but do not understand the importance of freedom may call it what they
want, but that is not helping new people.

You maybe deal with all kinds of software; sorry, I cannot know what
you do. I have asked what software you relate to, and asked you to
show me some hyperlinks.

> For me both cases are not precise and lead to misinterpretations. I
> don't see the reason to limit my vocabulary from the words you and
> your organizations simply don't like.

But nobody asks you to limit it; it is a recommendation for every
human to be precise in how they express themselves.

In general, free software is free as in freedom.

Open source in general may be proprietary software; see the non-free
Debian open source repository, it is full of proprietary software that
is open source. It is vague.

It is thus obvious that people use non-free software under the
umbrella of free software. GNU Free Software OSes do not use vague
terminology. It is how it is; it is the decision of the group and of
individuals in the group to make things straight.

> If you don't understand the context of using terms like "open" or
> "open-source" you can just ask for more details.

I probably have more years than you, so I am aware of the movement
called "open source" and licking asses of corporations.

> What if any freeware vendors start to use "free software" term to
> promote their commercial products, how you plan to stop them from
> doing it?

I could not care less. People are free to make their new terms in new
contexts. We use it in the context of freedom. There is no need to
discuss hypothetical situations, they are not real.

> Is the GNU "free software" definition protected under some
> trademark laws? If not, then why do you blindly assume that everyone
> should use it, as it only pleases you?

I don't. I said that in this GNU environment, on mailing lists, in
contributions, in publishing, designations and similar, we strive to
use proper terminology to express the purposes of the free software
philosophy better; it is voluntary.

> > Those who install their systems themselves are for me advanced
> > users. They will hardly go for reproducible builds. If somebody is
> > downloading a few gigabytes of binaries to install on a computer, that
> > somebody will most probably, in the majority of this group of advanced
> > users, never verify any sources. Hashes and PGP signatures may be
> > verified automatically by the system package manager.
> > 
> > There will be those who are responsible for the security of data and may
> > like to verify distributions or make their own; those will be doing
> > verification checks. This group does not belong to the group of end users.

> Not so long ago a person who was able to use a text editor or any simple
> application on the first computers was considered an advanced
> user.

Actually, it is the other way around. The first microcomputer users
were assembling their microcomputers at home, later programming them
as there was no software available. Using editors, and if not editors
then interactive editing environments such as the BASIC shell or LOGO
shell, including assembly and machine language, was the daily routine
for end users back then.

Today, end users mostly use computers for multimedia, and some of them
edit text; that is now, not back then, considered advanced. We are
underdeveloped in 2021.

> In the early internet years people were putting in their resumes
> the ability to use web browsers, etc. Nowadays almost every end user
> is verifying PGP signatures; it's not rocket science
> anymore. People are sandboxing many layers of their working
> environments, using chroots, jails, containers, various
> virtualization, etc.

You speak of developers; they are now many, but not proportionally as
many as in the early years of the microcomputing era, since about the
beginning of the 1980s. The number of developers today is so much
smaller in proportion to the number of computers; we are
underdeveloped in 2021. Sorry, what you mention is not what end users
are. I meet end users every day; they use computers for DVDs, movies
and music, sharing files by using USB, some of them know how to write
a letter, and some will even make a presentation. That is the large
majority of computer end users.

> There is a devops profession that fully automates complex pipelines
> and crafts fully transparent recipes so the end user can just click
> a button to trigger reproducible-builds, bootstrappability,
> verification, testing, fuzzing, sanitizing and many other features
> for their software in some nice CI/CD fashion.
> No.

Sorry, I do not share the opinion that the end user is triggering
reproducible builds, and if it is just by a click of a button, that end
user, without knowledge of the underlying software, does not need a
reproducible build -- as verifying what is really going on requires
serious knowledge.

We are all advanced users, so by the term end user, as you mentioned
it, I understood the majority of common computer users. But you speak
of developers.

> > I said that terms like "bootstrapping" or "reproducible" do not fall
> > into definition of free software, those are technical methods of
> > creation and verification of software.

> Yes, because your "free software" term is also dedicated mainly to technical
> methods of modifying and compiling the software.

There is nothing that relates to compiling. People may use scripts
which may be compiled at run time, like Perl, and may not know what is
going on inside of Perl, and their script may be quite
transparent. The free software definition is not directly related to
technical stuff. You could get software written on paper, as that is
how it was distributed back then; you would type the BASIC program
into your computer and by typing RUN it would execute, and there need
not be any knowledge of compiling anything. It is not related to the
definition directly.

> > I have already given a few examples that "reproducible" does not mean
> > secure. You have to compare your reproducible build with some
> > original build, and you still have to trust the original build to be
> > safe. It does not speak of safety; it just speaks of the reproducibility
> > of software as compared to the previous distributor.
> > 
> > For the end user it means nothing. End users are the majority of the user base. If
> > they trust the online distributor enough to download gigabytes of
> > software and boot the system, at that moment reproducible builds are
> > of no importance, as the user has already expressed trust in the online
> > distributor. Why now reproduce it oneself?!
> > 
> > Reproducible builds only make sure that software was not tampered with,
> > comparing the original build and its repository to the local build.

> You are wrong again; reproducible-builds assure that every end user of
> the software is able to produce exactly the same binaries from the
> source code.

And?

Does it practically help me? I am an advanced user; at least every day
I program something new, and my programs are good enough to make me
money without selling them. They are programs that make money. Back in
2000 I made my first GNU/Linux distribution that fit on 2 diskettes; it
was prepared for my needs and used by many people in Eastern Europe on
the go. It was a mobile distribution that used mutt for email and
connected to the Internet from any computer, including from Internet
points or cafes. People were downloading it heavily and asking for
support. It provided 2 alphabets for various groups of people, Latin
and Cyrillic, out of the box. The kernel was compiled with a modified
ISO system to show the alphabets by default from boot. Later I was
compiling and building distributions, and I could repeat it again. So
from there I have some experience.

And again I tell you, making a reproducible build is neither practical
nor useful. I need software that works, and would not like at this
moment to spend weeks verifying it. But why not, one day.

For the majority of users reproducible builds are useless. Developers,
researchers, and programmers who need more security may enjoy the
illusion of security.

> So whenever someone would like to tamper with the official binaries
> it would be immediately detected by the software community, i.e.:
> https://github.com/bitcoin-core/gitian.sigs/

It would not be detected, and you have the example below.

> > Example of malicious intent that is easy to place online:
> > 
> > 1. Insert various malicious code into GCC, that is, to place backdoor
> >     shells in all kinds of network services.
> > 
> > 2. Build GCC.
> > 
> > 3. Make a new GNU/Linux distribution.
> > 
> > 4. Publish it as fully free software, promote it as you wish.
> > 
> > 5. Provide hashes of binaries, packages, PGP signatures.
> > 
> > 6. Provide reproducibility for all binaries, except for a few compilers.
> > 
> > 7. Let people install the software and verify the reproducible builds.
> > 
> > 8. After some time, ping some servers, like ping port 7801 and
> >     then 5 times port 7802, knock on the door, and open up the root
> >     shell.

> Have you ever tried to contribute to GCC or GNU/Linux? Have you ever heard
> about Diverse Double-Compiling https://dwheeler.com/trusting-trust/
> ?

Why? There is no need to contribute to GCC in order to take GCC,
change or modify it as you wish, and make a malicious distribution
however you wish. I know D. Wheeler's website, very interesting. I
guess you brushed off the plain example of a malicious distribution
where you or another person would not be able to determine whether it
is reproducible or not. Thus what is reproducible has to be compared
to something that is trusted. If users are misled to trust the
malicious server, their reproducible build will be correct, alright,
compared with the data published on the malicious server.

> > Definition is fine, as definition does not speak of reproducibility,
> > or bootstrapping, neither of hardware, it is general
> > definition.

> Your official definition is too general, hence it's useless in practice now.
> It's a shame for all RMS/FSF/GNU/Free organizations that for so many years
> even Guix is not yet fully bootstrappable.

  ___               _     _         _     ___  _     _ 
 / _ \ _ __   ___  | |__ (_) __ _  | |   / _ \| |   | |
| | | | '_ \ / _ \ | '_ \| |/ _` | | |  | | | | |   | |
| |_| | | | |  __/ | |_) | | (_| | | |__| |_| | |___|_|
 \___/|_| |_|\___| |_.__/|_|\__, | |_____\___/|_____(_)
                            |___/                      

> > The definition alone cannot help anybody get free software on their
> > hardware; that is maybe a matter of laws, personal preferences,
> > lobbying, campaigning for it. Nobody points that out in public. That
> > is a serious problem. Nobody complains to their parliaments.

> Obfuscated and pathological free software like GNAT is a much bigger problem,
> because its ridiculous lack of reproducibility and bootstrappability is
> officially endorsed by the GNU organization.

You are free to contribute and make it better.


-- 
Jean

Take action in Free Software Foundation campaigns:
https://www.fsf.org/campaigns
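What the reproducible-builds exchange above boils down to, as an added example that is not code from this thread, from Jean Louis, Martin, or any GNU project: a local rebuild is compared against published attestations (the gitian.sigs-style workflow Martin links), and the result is only as strong as the set of builders who agree with it. A hash that matches only the distributor's own manifest is the situation Jean describes (you reproduced what the distributor published, nothing more), and a compiler that nobody but the distributor rebuilt (step 6 of the malicious-distribution list) undercuts every other match. Builder names, artifact names and artifact bytes are constructed for the example; the OpenPGP signature check a real verifier would run on each manifest is omitted and noted in a comment.

```python
"""Checking a local rebuild against independent build attestations.

Added example for the reproducible-builds exchange in this thread; not code
from the thread or from any GNU project. Builder names, artifact names and
artifact bytes are constructed. A real verifier would also check each
builder's OpenPGP signature on their manifest (e.g. with gpg) before
counting it; that step is left out here.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Attestation:
    """One builder's published manifest: artifact name -> sha256 hex digest."""
    builder: str
    independent: bool   # False for the distributor of the binaries itself
    hashes: dict


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_artifact(name, local_bytes, attestations, min_independent):
    """Classify one locally built artifact against every manifest that names it."""
    local = sha256_hex(local_bytes)
    claims = [a for a in attestations if name in a.hashes]
    matching = [a for a in claims if a.hashes[name] == local]
    conflicting = [a for a in claims if a.hashes[name] != local]
    independent = [a for a in matching if a.independent]
    if conflicting:
        status = "mismatch"            # someone rebuilt it and got other bytes
    elif not matching:
        status = "unattested"          # nobody published a hash for it
    elif not independent:
        status = "distributor-only"    # only the distributor vouches for it
    elif len(independent) < min_independent:
        status = "insufficient"        # some, but not enough, independent builders
    else:
        status = "ok"
    return {
        "artifact": name,
        "sha256": local,
        "status": status,
        "independent_matches": sorted(a.builder for a in independent),
        "conflicting": sorted(a.builder for a in conflicting),
    }


def verify_build(local_build, attestations, min_independent=2):
    return {name: verify_artifact(name, data, attestations, min_independent)
            for name, data in local_build.items()}


def overall_verdict(results, toolchain):
    """Reduce per-artifact results to one verdict.

    `toolchain` names the artifacts (compilers, linkers) that produced the
    rest. If one of them is not independently reproduced, an "ok" on every
    other artifact still rests on trusting whoever built that compiler.
    """
    statuses = {n: r["status"] for n, r in results.items()}
    if any(s in ("mismatch", "unattested") for s in statuses.values()):
        return "reject"
    if any(statuses.get(n, "unattested") != "ok" for n in toolchain):
        return "toolchain-trust-required"
    if any(s != "ok" for s in statuses.values()):
        return "insufficient-attestation"
    return "ok"


# Constructed data: the bytes a local rebuild produced.
LOCAL_BUILD = {
    "hello-2.12.tar.xz": b"constructed build output for hello 2.12",
    "gcc-11.2.0.tar.xz": b"constructed build output for gcc 11.2.0",
}

# Constructed manifests: the distributor attests everything; two independent
# builders reproduced hello, but nobody outside the distributor rebuilt gcc.
ATTESTATIONS = [
    Attestation("distro-release-team", False,
                {n: sha256_hex(d) for n, d in LOCAL_BUILD.items()}),
    Attestation("alice", True,
                {"hello-2.12.tar.xz": sha256_hex(LOCAL_BUILD["hello-2.12.tar.xz"])}),
    Attestation("bob", True,
                {"hello-2.12.tar.xz": sha256_hex(LOCAL_BUILD["hello-2.12.tar.xz"])}),
]
TOOLCHAIN = {"gcc-11.2.0.tar.xz"}


if __name__ == "__main__":
    results = verify_build(LOCAL_BUILD, ATTESTATIONS)
    for r in results.values():
        print(r["artifact"], r["status"], r["independent_matches"])
    print("verdict:", overall_verdict(results, TOOLCHAIN))
```

With the constructed data, hello comes out "ok" (two independent builders agree with the local bytes), gcc comes out "distributor-only" even though the local rebuild matches the distributor's hash, and the overall verdict is "toolchain-trust-required": the rebuild of gcc is reproducible against the distributor's number and nothing else. Replacing the local hello bytes with tampered ones turns its status into "mismatch" and the verdict into "reject", which is the detection Martin describes, but only because independent attestations exist to disagree with.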


