Re: Truth matters when writing software and selecting leaders

[Martin]

On 3/30/21 7:10 PM, Jean Louis wrote:
> * Martin <smartin@disroot.org> [2021-03-30 19:58]:
> You may, but we don't, as it is vague term. On GNU website, we never
> use "open source" to refer to free software, as we have to promote
> freedom.
what's your definition of freedom then?
> > For me both cases are not precise and lead to misinterpretations. I
> > don't see the reason to limit my vocabulary from the words you and
> > your organizations simply don't like.
> But nobody asks you to limit, it is recommendation for every human to
> be precise how they express themselves.
>
> In general, free software is free as in freedom.
>
> Open source in general may be proprietary software, see non-free
> Debian open source repository, it is full of proprietary software that
> is open source. It is vague.
What kind of free in freedom you see in GNU binary seeds that are not 
bootstrappable? Is it really better than Debian open-source drivers for 
commercial blobs that are isolated in different repository disabled by 
default to fulfill the DFSG requirements?
> I probably have more years than you, so I am aware of the movement
> called "open source" and licking asses of corporations.
"free software" movement is actively endorsing a lot of projects that 
are not bootstrappable for many years. This is like a gift for 
corporations who can freely exploit your resources.
> > Does the GNU "free software" definition is protected under some
> > trademark laws? If not than why you blindly assume that everyone
> > should use it as it only please you?
> I don't. I said in this GNU environment, on mailing lists, in
> contributions, in publishing, designations and similar, we strive to
> use proper terminology to express the purposes of free software
> philosophy better, it is voluntarily.
And how you protect your self from internal manipulations?
> > Not so long time ago a person who was able to use text editor or any simple
> > applications in the first computers were considered as advanced
> > user.
> Actually, the other way around. First micro computer users were
> assembling their micro computer at home, later programming it as there
> was no software available. Using editors and if not editors, then
> interactive editing environments such as BASIC shell, LOGO shell,
> including assembly, machine language, that was daily routine for the
> end users back then.
It's good that you mentioned that, because in the beginning actually 
everything was bootstrappable, and nowadays almost nothing - how bizarre 
is our evolution of freedom.
> > In the early internet years people were putting in their Resume
> > abilities of using web browsers, etc. Nowadays almost every end user
> > is verifying PGP signatures, it's not a rocket science
> > anymore. People are sand-boxing many layers of their working
> > environments, using chroots, jails, containers, various
> > virtualization, etc.
> You speak of developers, they are now many, but not proportionally
> many as in early years of micro computing era, since about begin of
> 1980. Number of developers is today so much less proportionally to
> number of computers - we are under developed in 2021. Sorry, what you
> mention is not what end users are. I meet end users every day, they
> use computers for DVD, movies and music, sharing files by using USB,
> some of them know how to write a letter, and some will even make a
> presentation. That is largest majority of computer end users.
What you are talking about? No one is using DVD anymore. DVD has died 
like floppy disks many years ago. Today end users mostly are sharing and 
casting complex streams of media. To setup recording environments people 
are using very advanced tools for editing, encoding/decoding, 
encrypting, data synchronizations, backups, etc. Moreover thanks to 
fintec and cryptocurrency more and more people are paranoic about 
security, using some external crypto hardware devices, complex signing 
procedures, etc. Don't forget about IoT gadgets, electric cars, drones, 
smart homes, 5G, etc.
> > There is a devops profession that fully automate complex pipelines
> > and craft a fully transparent recipes so the end user can just click
> > a button to trigger reproducible-builds, bootstrappability,
> > verification, testing, fuzzing, sanitazing and many other features
> > for their software in some nice CI/CD fashion.  > No.
> Sorry, I do not share opinion that end user is triggering
> reproducible-builds, and if it is just by click of a button, that end
> user, without knowledge of underlying software, does not need
> reproducible build -- as that requires serious knowledge to verify
> what is going on really.
>
> We are all advanced users, so in that term of end user how you
> mentioned it, I understood it as majority of common computer
> users. But you speak of developers.
Bitcoin HOLDers are more gamblers than advanced users, but yet even they 
are able to compile from scratch their nodes and verify its reproducible 
in order to keep as safe as possible their investments. The is a reason 
why BTC blockchain is considered as the safest public ledger in the 
world, and why so many people want to be involved in it.
> > > I said that terms like "bootstrapping" or "reproducible" do not fall
> > > into definition of free software, those are technical methods of
> > > creation and verification of software.
> > Yes because your "free software" term is also dedicated mainly for technical
> > methods of modifying and compiling the software.
> There is nothing that relates to compiling. People may use scripts
> which may be compiled at run time, like Perl, and may not know what is
> going on inside of Perl, and their script may be quite
> transparent. Free software definition is not related directly to
> technical stuff. You could get software written on paper, as that is
> how it was distributed back in time, you would write the BASIC program
> in your computer and by typing RUN it would execute, there need not be
> any knowledge of compiling anything, it is not related to definition
> directly.
It should be related directly to the definition in order to protect your 
freedom. Reproducibility and bootstrappability can be also used from 
transparent scripts in run time. Moreover you can implement this 
concepts in many different ways.
> For majority of users reproducible builds are useless. For developers
> and researchers, programmers who need more security, they may enjoy
> the illusion of security.
From this kind of ignorance I see only illusion of freedom in your 
definition of "free software"
> > So whenever someone would like to temper the official binaries
> > it would be immediately detected by the software community, i.e.:
> > https://github.com/bitcoin-core/gitian.sigs/
> It would not be detected, and you have got the example below.
Below I've just smashed your very naive and completely not realistic in 
practice example
> > > Example of malicious intent easily to be placed online:
> > >
> > > 1. Insert various malicious code into GCC, that is to place backdoor
> > >      shells in all kinds of network services.
Every user usually has it's own version of GCC from various distros that 
by default care about reproducibility so the malicious code doesn't 
affect them. If the attacker decide to pollute the upstream source than 
most probably the code will be immediately rejected or disclosed by the 
global army of bounty hunters. Anyway the attacker, revisers, 
maintainers and core developers who just touch this malicious code are 
risking their reputation.
> > > 2. Build GCC.
usually you can do it in various different architectures and your bug 
could not be so portable or it could be also easily detected in this stage.
> > > 3. Make new GNU/Linux distribution.
what about Debian, RedHat, FreeBSD, MacOSX, Solaris, GNU/Hurd and other 
OSes?
> > > 4. Publish it as fully free software, promote it as you wish.
> > >
> > > 5. Provide hashes of binaries, packages, PGP signatures.
> > >
> > > 6. Provide reproducibility for all binaries, except of few compilers.
Uff are you really planning to design your own compiler and linux 
distribution in this attack?
> > > 7. Let people install software and verify the reproducible builds.
> > >
> > > 8. After some time, ping on some servers, like ping the port 7801 and
> > >      then 5 times 7802, knock on the door, and open up the root
> > >      shell.
Hehehe you don't need to be advanced user to see this kind of traffic on 
a wireshark  :)
> > Have you ever tried to contribute into GCC or GNU/Linux? Have you ever 
heard
> > about Diverse Double-Compiling https://dwheeler.com/trusting-trust/
> > ?
> Why? No need to contribute to GCC to take GCC and change or modify it
> as you wish and make a malicious distribution how you wish. I know
> D. Wheeler's website, very interesting. I guess you brushed off the
> plain example of malicious distribution where you or other person
> would not be able to determine if it is reproducible or not. Thus what
> is reproducible has to be compared to something what is trusted. If
> users are misled to trust the malicious server, their reproducible
> build will be correct, alright, compared with data published on
> malicious server.
No you completely miss the concept. In a perfect world if everything is 
reproducible than all the compilations are deterministic. It means that 
for a given environment your source code will always produce the same 
binaries. Briefly DDC method is using mix of different environments in 
order to analyze the binary patterns of the same source code.
> > Obfuscated and pathological free software like GNAT are much bigger problem,
> > because their ridiculous lack of reproducibility and bootstrappability 
are
> > officially endorsed by the GNU organization.
> You are free to contribute and make it better.
The problem in this particular case is that there was already 
contribution to create the usable version of GNAT that was 
bootstrappable. But some pseudo "free software" freedom fighters decided 
to remove that code and hide all the tracks of this crime. This binary 
seed can be full of malicious code just like any commercial binary blob 
you are so afraid of.