[lwip-devel] [bug #64010] oss-fuzz integration

[Ineiev]

Follow-up Comment #10, bug #64010 (project lwip):


> According to the requirements [1], the use of non-free software is
prohibited. Even just talking about it here is forbidden.

This isn't correct.  The requirement is to work on free platforms better or as
well as on nonfree ones.   It doesn't go as long as prohibiting support for
proprietary software, to say nothing of using it.  Proprietary software
[//www.gnu.org/proprietary/ mistreats its users], that's why they shouldn't
use it.

> RMS tries to specify the boundary between SaaSS and renting (virtual)
hardware [3] and he does not consider renting virtual hardware as bad.

He says that without prejudice.  Virtual hardware renting
[//www.gnu.org/philosophy/judge-internet-usage.html may turn out wrong for
other reasons].

> But, unless you own the whole datacenter, the line between proprietary SaaSS
and renting virtual hardware is so blurry.

The free vs. proprietary distinction
[//www.gnu.org/philosophy/network-services-arent-free-or-nonfree.html doesn't
apply to services].

> Is renting a virtual server with a virtual disk in proprietary
infrastructure ok? Is renting a container with blob storage in proprietary
infrastructure ok?

Likewise, the GNU Project doesn't maintain the concept of proprietary
infrastructure.  You may introduce it yourself, but you shouldn't make any
assumptions about approval or disapproval of such things by the GNU Project.

> The reason why am I talking about it is, that it is exactly what is
happening here. Free software (OSS-Fuzz) is running in a free software
container in a proprietary container manager (Cloud Build [8]) and proprietary
infrastructure behind it.

Do the users have a superuser access to their container? Can they modify their
OSS-Fuzz instance in it?  Can they replace or combine their instance with
something unrelated they want to use, like aerial imagery processing?

If not, the service is certainly on the wrong side, no matter how blurry the
border is.

> Here is also at least one precedent: GNU Coreutils.

Such precedents are not binding for our purpose.  People make mistakes, and
GNU maintainers are no exception.

>  - Official repository of one of the core GNU projects [5]
>  - Official GitHub (nonfree service) mirror [6]

First, it's questionable whether that mirror is really official.  Coreutils
only mention it as a way to browse its sources, I failed to find an explicit
statement that it's an official mirror.

Then, mirroring a repository is definitely *not* a SaaSS, even though GitHub
is well-known for its
[//www.gnu.org/software/repo-criteria-evaluation.html#github-com hostility to
free software].

>  - OSS-Fuzz usage [7]

I couldn't find any references of OSS-Fuzz in Coreutils; since it's free
software, its users may do whatever they wish with it, including submitting it
to third-party services.


    _______________________________________________________

Reply to this item at:

  <https://savannah.nongnu.org/bugs/?64010>

_______________________________________________
Message sent via Savannah
https://savannah.nongnu.org/