1

Topic: Choosing how to trust software

The Linux kernel is GNU GPL licensed, yet it has proprietary blobs. Wasn't the whole point of the GPL license that the source code for a distributed binary should be made available if the person using it asks for it?

It seems that copyright with the GPL (copyleft) makes an exception for the person who created the software, and he can do anything with it! Only derivative software has to comply with the source code distribution requirements.

My question is: what is your strategy for deciding which software you trust and which you do not?

Earlier I used to believe that GPL-licensed code would be trustworthy, but having proprietary blobs in GPL-licensed code totally misses the point. In a sufficiently big code base, finding the needle in the haystack would be so difficult!

2 (edited by throgh 2020-08-04 17:21:24)

Re: Choosing how to trust software

Thanks for bringing up this point: I think we need to differentiate between the current states of projects. Most of the firmware blobs are in fact delivered within a separate repository (Link), and the distributions use this to create packages for installation alongside the kernel. Besides that, the kernel itself has references to those firmware blobs; otherwise many components won't even start functioning. Some of this is intentional, as AMD and NVidia will never deliver really open firmware; perhaps someday for really legacy hardware, but we should not count on that.

So "trust" is not so much from my side: first, I don't even recognize most distributions as being respectful of the freedom of users; perhaps Debian and Devuan are nearest to that when looking at the ones without GNU/Linux-libre. So the Linux kernel itself is just one part of a running system, and I only start with GNU/Linux-libre at minimum. Afterwards I take a look at the distributed packages and their dependencies:

- systemd? pulseaudio? dbus? avahi?
- Java? Mono? Rust? NodeJS?

And after that, the so-called bloated compromises made: Firefox comes up only with Rust. Electron, anyone? Well, a bunch of security holes included, besides not really being a good choice freedom-wise. How many packages are marked with the named programming languages? Do I have the possibility to create independent ones, or to make the distribution itself independent from that? And also look at Flatpak and Snap, which are not my favorites in respect of "freedom". The last part: are there proprietary software packages in the base? Steam, Skype and most others named. Just one further mention: Slackware even distributes "Flash" today, preinstalled in some cases.

But we should also count in those "gifts" from companies, which come up more and more, like Zstandard to compress kernel images in the near future and the kernel itself getting components written in Rust.

And speaking about the distributions with GNU/Linux-libre: Hyperbola, Parabola, Dragora. Trisquel is not in this list because of too many dependencies on systemd and the other named components, besides using "Ubuntu" as base, which I consider even worse than anything else in the Linux community: Canonical is just too arrogant and ignorant.

Human being in favor with clear principles and so also for freedom in soft- and hardware!

Certainly anyone who has the power to make you believe absurdities has the power to make you commit injustices: For a life of every being full with peace and kindness, including diversity and freedom. Capitalism is destroying our minds, the planet itself and the universe in the end!

3

Re: Choosing how to trust software

I still don't get why Mozilla also needed to trademark Rust... Actually, all their products, but especially Rust is one of the worst to trademark, as it is a programming language. So any application that uses Rust is also "dependent" on the trademark.

I personally didn't know anything about Rust a year ago, but someone presented it to me and I kind of liked it, at least in its current state, as I have read they are going to keep massively adding features, even faster than they do in C++, which I personally don't like, but that's just personal. However, I discovered that it has a trademark. I felt really sad in that moment. At that point it didn't really matter whether they were going to add massively more features as in C++ or not; with that trademark it just disappointed me and I lost interest in that project.

4

Re: Choosing how to trust software

You're describing choosing a system, I guess. I'm asking about a single piece of software. So, I see that you have problems with Rust or, say, systemd. Let's assume these have open source code and I find a repository. How do I find out whether I can trust that software enough or not?

Linux has a separate drivers repo, but not every piece of software will have that. Say I make a library which is GPLv3 licensed and which has proprietary blobs here and there, and there's tons of code, such that people won't bother to find them!

I think maybe there's a need for another license. A license through which the creator of the code would submit the ownership to the public (everyone in this world), in which every piece of code is not binary (not even the creator can have a binary in it), and whose redistribution would be licensed under it again by force, be it on a server or not. The creator or any committee like the FSF could enforce it. So with such a license, if I find it on any software, I know it is absolutely trustworthy.

5 (edited by throgh 2020-08-04 20:40:53)

Re: Choosing how to trust software

Huh, thanks for the correction, and you are right: wrong point of entry, sorry for the misconception from my side. So I'll try again, but this time with the points taken out of my initial posting.

So, I see that you have problems with Rust or, say, systemd. Let's assume these have open source code and I find a repository. How do I find out whether I can trust that software enough or not?

First I try to search for different viewpoints. There are different dimensions of a project or software package itself. So at the start I need to find out how "big" this software itself is. There is a difference between something like mpv and systemd itself. After this I'll try to find security issues, once I have some image of the dimension "size" and with that also the dimension "dependencies", because the more components are needed, the more possible security holes can be found in general. Afterwards I'll go and find out more about the code itself, about the conception and the community behind the project. How is the treatment of issues, of security handling itself, and of being open to proposals? After the dimensions "code" and "community", I'll go for the first tryout if the project has proven itself trustworthy enough for me and my use cases.

The dimensions mentioned:

- size means first the amount of code used for a possible compilation, and also the possible understanding from my side for doing modifications later on
- dependencies means the needed libraries, the language it is built on and therefore also research for possible security issues in the first place, and also the "funding" behind the project
- code means therefore the style guide of the code, the usage of the libraries it is built on, the versioning system, the repositories hosted, the build environment, for the curious
- community means therefore the style of reacting to issues, errors, corrections and proposals

Well, that's a first starting point, and I could write more about it, but the most important thing is that this is an iterative process as well. Meaning: in the first place I'll go with what I've found and work myself through unknown fields, also reading more about common vulnerabilities and exposures. The more complex the software itself becomes, the more possible problems with trust can start to exist.

Linux has a separate drivers repo, but not every piece of software will have that. Say I make a library which is GPLv3 licensed and which has proprietary blobs here and there, and there's tons of code, such that people won't bother to find them!

Yes, that's a big, major problem I see myself in, with all the existing stuff but also the upcoming. Today it seems just more important to be into everything instead of stepping aside and questioning the rules, the ethics and, most important of all, the consequences!

I think maybe there's a need for another license. A license through which the creator of the code would submit the ownership to the public (everyone in this world), in which every piece of code is not binary (not even the creator can have a binary in it), and whose redistribution would be licensed under it again by force, be it on a server or not. The creator or any committee like the FSF could enforce it. So with such a license, if I find it on any software, I know it is absolutely trustworthy.

Absolutely okay with this, but the first problem is even the ignorance of groups and individuals in the "community", if I should call it that. People start to yell very loudly when somebody seems to restrict "something" these days. Well, instead of looking at the details it seems far better to reduce the facts (well, not meant as "good" from me, just the behavior I'm aware of in general): the GPL itself is not bad, but it is also not as good as possible. The reasoning behind this is that it lacks the most needed regulation for proprietary and binary data merged into projects. So the best example I can think of is the Mesa stack itself. Even the newer revisions of integrated Intel GPUs need a proprietary firmware blob for best functioning, and I remember many discussions of "just accept that for computing". No, this is absolutely not to be accepted when we talk about free, libre soft- and hardware!

EDIT: Well, just an absolutely current example of failed dependencies is Blender: https://www.blender.org/press/microsoft … ment-fund/
That is an absolute NO-GO, as no company on this planet just gives some money for "charity". In fact, in capitalism there is nothing in the understanding of "companies" for something like "ethical choices", so there is always some payback. And that means that I can only refer to the other dimensions, trying to modify the software itself to be free from unwanted dependencies, or I just take one version that is "free" within the repositories. Well, older of course, but better to have no unwanted, proprietary dependencies as some "gifts". Nevertheless, Blender has therefore lost at being reasonably trustworthy and in fact is going the other way down, like others before (yeah, I name you, dear "Firefox"). Besides that: there are many aspects to look at for a project being trustworthy: technical aspects, ethical choices such as the funding behind it, the community / the people developing and answering.

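Posts 4 and 5 both raise the same practical worry: a tree that is GPL-licensed on paper can still carry opaque binary data, and in a large enough code base nobody will go looking for it. The "size" and "dependencies" dimensions in post 5 are likewise things a reviewer can measure rather than estimate. The script below is an added example written for this page; it is not code from the thread, from Hyperbola, or from any distribution's deblobbing tooling. It walks a source tree and flags two things: files that contain NUL or other control bytes (compiled objects, images, raw firmware), and C or assembler array initializers made of long runs of hex byte literals, which is how firmware images are typically smuggled into otherwise readable source. It also tallies source lines as a crude size figure. The file names, directory layout and the 128-byte "firmware image" are all constructed for the demo.

```python
"""Added example: heuristic scan of a source tree for embedded binary blobs.

This is the editor's illustration, not code from the thread or from any
distribution's deblobbing tooling.  All paths and sample files below are
constructed for the demo.
"""
import os
import re
import shutil
import tempfile

# Byte values that do not occur in ordinary source text (NUL is handled separately).
_NONTEXT = set(range(0, 7)) | set(range(14, 32)) | {0x7F}

# A C/assembler array initializer made of hex byte literals: `0x4d, 0x5a, ...`
# with at least 64 consecutive entries.  Lookup tables and test vectors also
# match, so hits are leads for review, not verdicts.
_HEX_RUN = re.compile(rb"0x[0-9a-fA-F]{2}(?:\s*,\s*0x[0-9a-fA-F]{2}){63,}")


def is_binary(data: bytes, threshold: float = 0.05) -> bool:
    """True if the bytes look like a compiled object, image or firmware file."""
    if not data:
        return False
    if b"\x00" in data:
        return True
    nontext = sum(1 for b in data if b in _NONTEXT)
    return nontext / len(data) > threshold


def find_hex_blobs(data: bytes) -> list:
    """Return (offset, entry_count) for every long run of hex byte literals."""
    return [(m.start(), m.group(0).count(b"0x")) for m in _HEX_RUN.finditer(data)]


def scan_tree(root: str) -> dict:
    """Walk `root` and report files that carry opaque data, plus a crude size tally."""
    report = {"files": 0, "lines": 0, "binary_files": [], "hex_blobs": []}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]   # skip VCS metadata
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            with open(path, "rb") as fh:
                data = fh.read()
            report["files"] += 1
            if is_binary(data):
                report["binary_files"].append(rel)
                continue                      # nothing to read as source here
            report["lines"] += data.count(b"\n")
            for offset, entries in find_hex_blobs(data):
                report["hex_blobs"].append((rel, offset, entries))
    report["binary_files"].sort()
    report["hex_blobs"].sort()
    return report


def demo_tree() -> dict:
    """Build a constructed mini-tree (a clean C file, a C file wrapping a
    128-byte firmware image as a hex array, a raw .bin file) and scan it."""
    root = tempfile.mkdtemp(prefix="blobscan_")
    try:
        os.makedirs(os.path.join(root, "drivers"))
        with open(os.path.join(root, "drivers", "clean.c"), "wb") as fh:
            fh.write(b"int add(int a, int b)\n{\n\treturn a + b;\n}\n")
        image = ", ".join("0x%02x" % i for i in range(128)).encode()
        with open(os.path.join(root, "drivers", "fw_table.c"), "wb") as fh:
            fh.write(b"static const unsigned char fw_image[] = {\n" + image + b"\n};\n")
        with open(os.path.join(root, "firmware.bin"), "wb") as fh:
            fh.write(bytes(range(256)) * 4)   # contains NUL: unambiguously binary
        return scan_tree(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    result = demo_tree()
    print("files:", result["files"], "source lines:", result["lines"])
    print("binary files:", result["binary_files"])
    for rel, offset, entries in result["hex_blobs"]:
        print("hex blob: %s @%d (%d bytes)" % (rel, offset, entries))
```

On the demo tree this reports one binary file (`firmware.bin`) and one 128-entry hex array in `drivers/fw_table.c`, while `clean.c` passes. Run `scan_tree()` on a real checkout and treat the output as a worklist, not a verdict: genuine lookup tables, CRC tables and cryptographic test vectors trigger the hex-array rule too, and a blob can also be hidden in a less regular encoding (decimal arrays, base64 strings, compressed data), which this scanner will not catch. The line count is only the "size" dimension from post 5 at its crudest; it says nothing about the build system's own downloads or the dependencies pulled in at build time, which need a separate look.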