Denis 'GNUtoo' Carikli
Re: Informing users that the directory doesn't review binaries. Was: [GNU-linux-libre] Criteria for Android applications
Thu, 11 Nov 2021 17:30:46 +0100
On Tue, 2 Nov 2021 15:27:39 -0400
bill-auger <email@example.com> wrote:
> On Tue, 2 Nov 2021 02:43:02 +0100 Denis wrote:
> > I propose changing it to:
> > > we don't review any of the binary releases; for instance
> > > if an application is also available on Apple's Appstore, the
> > > binary distributed through it will not be free software
> that's an improvement; but it's a weak disclaimer, as to why the
> FSD cannot relate to binaries - the strongest one would be:
> > > Although the source code has been determined to be libre, it is
> > > prohibitively difficult to determine whether or not any binary
> > > was actually produced from those libre sources exactly and
> > > exclusively.
> presumably, everyone would agree that a binary from libre
> sources plus an injected virus, is worse than an "app store"
> binary, which is actually clean (harmless), but is non-free -
> especially when it is non-free only because of hardware/system
> limitations or some third-party distributor's policies, not
> because of any property of the software or its upstream license
The two are very different issues.
Here I think that indicating that not all binaries are free software is
very important because it's something that most users will not know
about; instead they would expect all the official binaries to
always be free software.
I guess that many people (me included) would expect it to do some
freedom audit on the source code at least. And so if we consider
project A free, it's not far-fetched for users to download binaries and
think they are also free without thinking about how they were made or
distributed, especially for users that don't know how binaries are
made. So it's a good idea to include a well-known example of the issue here.
For me at least, it's clear that the directory isn't a project that
conducts security audits of the source code, so if it doesn't do that on
the source code I don't see why users would expect it to do that on the
binaries. Since that is also a concern (malware is something the free
software community also fights against), it could be fixed by adding an
extra note about it.
Assuming that the problem is relevant here, the question would be how to
formulate it in a way that is relevant to freedom and doesn't simply
consider the security aspect.
For instance there are cases where nonfree software can be more secure
than free software (at least for some threat models), but in these
cases the security tends to turn against the users (freedom) as well.
An example is the devices running Apple's iOS, where you can't run the
software you want without Apple's approval, and given the interest in
jailbreaking we can safely assume that not all users want or benefit
from that kind of security.
And generally speaking, while Guix is very advanced on the topic of
reproducible builds, bootstrappability and so on, several FSDG-compliant
distributions have known security issues, or security issues that are
really easy to find, and are not reproducible at all.
The most famous examples are Replicant (the last releases are based on
Replicant 6, and LineageOS 13 isn't maintained anymore, and it's not
reproducible, and we still have Replicant 4.2 users too), and Dyne:bolic,
which according to the free distros page does not "receive
security updates", so "it should be used offline".
So if warning users about the security of binaries (and source code) is
really a concern, you could add something like this at the end:
> The Free Software Directory also doesn't do any security audit of the
> code or the binaries.
But here I don't see anything that would make users looking at the
directory automatically draw false conclusions, because of the
directory, on the security of the software, other than common
misconceptions about free software and security (like when people think
that because the software is free it is automatically secure).
Though I may be wrong about it and you might have another point of view.
In contrast the directory clearly states that a project is free
software by reviewing its source code, so I think it's safe to assume
that many users will assume that "VLC" is free software because they
found it in the directory.
Some could also assume that because a project is listed there, and the
licenses have been reviewed, it is also fit for FSDG-compliant
distributions, without any modifications.
Here pointing to the FSDG-compliant distributions should also take care
of that, even if that very specific problem isn't mentioned, as it is
definitely part of the bigger distribution problem being mentioned with
"we don't review any of the binary releases". Though the distinction
becomes blurred with source distributions like Gentoo that are not FSDG
compliant, so it could be improved.
Alternatively we could find a more generic sentence to state that the
Free Software Directory is only concerned with cataloging free
software, and as such it doesn't do security audits, it doesn't check
in which jurisdictions the software is legal (for software to remove
DRM, for instance), it doesn't check if the software looks nice or not, or
if it has problematic bugs, or if it has a Tux mascot and no GNU
mascot, or if it's a game, or if the game promotes problematic views on
violence, patriarchy, etc.
If we want to go this route I think that we would need to find a generic
enough sentence without listing all the things it doesn't do (which is
probably infinite, and we might miss a lot of things as well).