
Re: [Fsfe-uk] Re: BBC TV: Click: Free=beer and facebook-flaming


From: Chris Croughton
Subject: Re: [Fsfe-uk] Re: BBC TV: Click: Free=beer and facebook-flaming
Date: Sun, 18 May 2008 20:51:37 +0100
User-agent: Mutt/1.5.11

On Sun, May 18, 2008 at 12:42:46PM +0200, Florian Weimer wrote:
> * Ben Finney:
> 
> > Florian Weimer <address@hidden> writes:
> >
> >> * MJ Ray:
> >> 
> >> > didn't mention how free (as in freedom) software allows any random
> >> > end-user to check or have it checked.
> >> 
> >> How is this different from proprietary software?
> >
> > Either this is obvious, or I'm not understanding the question.
> >
> > Software that doesn't give the user freedom to inspect the source code
> > and pass it on to others, doesn't allow the user to check the software
> > themselves or have someone else check it and pass it along to them.
> > This is distinct from free software, which allows all of this.
> 
> These days, there's hardly any widely used piece of proprietary software
> for which you can't get the source code.  You can't make modifications,
> and there might be restrictions with whom you can share your results,
> but security reviews based on source code are definitely possible.

I can think of a very large amount of proprietary software of which you
can't get the source code legally, and even more where if you do get it
legally you (a) have to pay a lot and (b) get so tied up in licence
conditions that you daren't write anything of your own for fear of
getting sued because you may have copied something.

> It's also not clear if source code availability is that helpful for
> uncovering security bugs.

It is very helpful indeed if that software is reviewed by people who
know what they are doing.  However, you have a partial point in that it
is not useful /to the average user/, because they are likely to have
little or no knowledge of programming, and even less of what to look for
in terms of security (I am continually appalled at the lack of clue of
most programmers about even the simplest of coding security -- the
number who don't bother checking whether memory allocation succeeded, or
for buffer sizes, for instance -- and the number of vulnerabilities even
in well checked projects like the Linux kernel and Firefox leads me to
conclude that this is endemic to software writers).

/To the average user/, there are few benefits they see of having source
code available.  Even the benefits provided by other people, like the
rapid fixing of bugs, are likely to be seen as "Oh god, Firefox is
updating itself /again/".  The only benefit they do see, and in most
cases understand, is "free as in beer", and even that goes away if they
have to pay someone else to modify it to their requirements.

(And let's be honest, out of all the millions of lines of source code
available for the software on our Gnu+Linux machines, how many of us
have looked at more than a few hundred lines of it?  I certainly don't
have time to check every program I install (I use Gentoo so it's all
built from source).  We take almost all of it on trust, just as users of
proprietary software do.  We have to, we can't even sue them to get our
money back...)

Chris C



