[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Truth matters when writing software and selecting leaders

From: Martin
Subject: Re: Truth matters when writing software and selecting leaders
Date: Wed, 31 Mar 2021 14:00:09 +0000

On 3/30/21 7:10 PM, Jean Louis wrote:
* Martin <> [2021-03-30 19:58]:
You may, but we don't, as it is vague term. On GNU website, we never
use "open source" to refer to free software, as we have to promote
what's your definition of freedom then?
For me both cases are not precise and lead to misinterpretations. I
don't see the reason to limit my vocabulary from the words you and
your organizations simply don't like.
But nobody asks you to limit, it is recommendation for every human to
be precise how they express themselves.

In general, free software is free as in freedom.

Open source in general may be proprietary software, see non-free
Debian open source repository, it is full of proprietary software that
is open source. It is vague.
What kind of free in freedom you see in GNU binary seeds that are not bootstrappable? Is it really better than Debian open-source drivers for commercial blobs that are isolated in different repository disabled by default to fulfill the DFSG requirements?

I probably have more years than you, so I am aware of the movement
called "open source" and licking asses of corporations.
"free software" movement is actively endorsing a lot of projects that are not bootstrappable for many years. This is like a gift for corporations who can freely exploit your resources.
Does the GNU "free software" definition is protected under some
trademark laws? If not than why you blindly assume that everyone
should use it as it only please you?
I don't. I said in this GNU environment, on mailing lists, in
contributions, in publishing, designations and similar, we strive to
use proper terminology to express the purposes of free software
philosophy better, it is voluntarily.
And how you protect your self from internal manipulations?
Not so long time ago a person who was able to use text editor or any simple
applications in the first computers were considered as advanced
Actually, the other way around. First micro computer users were
assembling their micro computer at home, later programming it as there
was no software available. Using editors and if not editors, then
interactive editing environments such as BASIC shell, LOGO shell,
including assembly, machine language, that was daily routine for the
end users back then.
It's good that you mentioned that, because in the beginning actually everything was bootstrappable, and nowadays almost nothing - how bizarre is our evolution of freedom.
In the early internet years people were putting in their Resume
abilities of using web browsers, etc. Nowadays almost every end user
is verifying PGP signatures, it's not a rocket science
anymore. People are sand-boxing many layers of their working
environments, using chroots, jails, containers, various
virtualization, etc.
You speak of developers, they are now many, but not proportionally
many as in early years of micro computing era, since about begin of
1980. Number of developers is today so much less proportionally to
number of computers - we are under developed in 2021. Sorry, what you
mention is not what end users are. I meet end users every day, they
use computers for DVD, movies and music, sharing files by using USB,
some of them know how to write a letter, and some will even make a
presentation. That is largest majority of computer end users.
What you are talking about? No one is using DVD anymore. DVD has died like floppy disks many years ago. Today end users mostly are sharing and casting complex streams of media. To setup recording environments people are using very advanced tools for editing, encoding/decoding, encrypting, data synchronizations, backups, etc. Moreover thanks to fintec and cryptocurrency more and more people are paranoic about security, using some external crypto hardware devices, complex signing procedures, etc. Don't forget about IoT gadgets, electric cars, drones, smart homes, 5G, etc.
There is a devops profession that fully automate complex pipelines
and craft a fully transparent recipes so the end user can just click
a button to trigger reproducible-builds, bootstrappability,
verification, testing, fuzzing, sanitazing and many other features
for their software in some nice CI/CD fashion.  > No.
Sorry, I do not share opinion that end user is triggering
reproducible-builds, and if it is just by click of a button, that end
user, without knowledge of underlying software, does not need
reproducible build -- as that requires serious knowledge to verify
what is going on really.

We are all advanced users, so in that term of end user how you
mentioned it, I understood it as majority of common computer
users. But you speak of developers.
Bitcoin HOLDers are more gamblers than advanced users, but yet even they are able to compile from scratch their nodes and verify its reproducible in order to keep as safe as possible their investments. The is a reason why BTC blockchain is considered as the safest public ledger in the world, and why so many people want to be involved in it.
I said that terms like "bootstrapping" or "reproducible" do not fall
into definition of free software, those are technical methods of
creation and verification of software.
Yes because your "free software" term is also dedicated mainly for technical
methods of modifying and compiling the software.
There is nothing that relates to compiling. People may use scripts
which may be compiled at run time, like Perl, and may not know what is
going on inside of Perl, and their script may be quite
transparent. Free software definition is not related directly to
technical stuff. You could get software written on paper, as that is
how it was distributed back in time, you would write the BASIC program
in your computer and by typing RUN it would execute, there need not be
any knowledge of compiling anything, it is not related to definition
It should be related directly to the definition in order to protect your freedom. Reproducibility and bootstrappability can be also used from transparent scripts in run time. Moreover you can implement this concepts in many different ways.
For majority of users reproducible builds are useless. For developers
and researchers, programmers who need more security, they may enjoy
the illusion of security.
From this kind of ignorance I see only illusion of freedom in your definition of "free software"
So whenever someone would like to temper the official binaries
it would be immediately detected by the software community, i.e.:
It would not be detected, and you have got the example below.
Below I've just smashed your very naive and completely not realistic in practice example
Example of malicious intent easily to be placed online:

1. Insert various malicious code into GCC, that is to place backdoor
     shells in all kinds of network services.
Every user usually has it's own version of GCC from various distros that by default care about reproducibility so the malicious code doesn't affect them. If the attacker decide to pollute the upstream source than most probably the code will be immediately rejected or disclosed by the global army of bounty hunters. Anyway the attacker, revisers, maintainers and core developers who just touch this malicious code are risking their reputation.
2. Build GCC.
usually you can do it in various different architectures and your bug could not be so portable or it could be also easily detected in this stage.
3. Make new GNU/Linux distribution.
what about Debian, RedHat, FreeBSD, MacOSX, Solaris, GNU/Hurd and other OSes?
4. Publish it as fully free software, promote it as you wish.

5. Provide hashes of binaries, packages, PGP signatures.

6. Provide reproducibility for all binaries, except of few compilers.
Uff are you really planning to design your own compiler and linux distribution in this attack?
7. Let people install software and verify the reproducible builds.

8. After some time, ping on some servers, like ping the port 7801 and
     then 5 times 7802, knock on the door, and open up the root
Hehehe you don't need to be advanced user to see this kind of traffic on a wireshark  :)

Have you ever tried to contribute into GCC or GNU/Linux? Have you ever
about Diverse Double-Compiling
Why? No need to contribute to GCC to take GCC and change or modify it
as you wish and make a malicious distribution how you wish. I know
D. Wheeler's website, very interesting. I guess you brushed off the
plain example of malicious distribution where you or other person
would not be able to determine if it is reproducible or not. Thus what
is reproducible has to be compared to something what is trusted. If
users are misled to trust the malicious server, their reproducible
build will be correct, alright, compared with data published on
malicious server.
No you completely miss the concept. In a perfect world if everything is reproducible than all the compilations are deterministic. It means that for a given environment your source code will always produce the same binaries. Briefly DDC method is using mix of different environments in order to analyze the binary patterns of the same source code.
Obfuscated and pathological free software like GNAT are much bigger problem,
because their ridiculous lack of reproducibility and bootstrappability
officially endorsed by the GNU organization.
You are free to contribute and make it better.
The problem in this particular case is that there was already contribution to create the usable version of GNAT that was bootstrappable. But some pseudo "free software" freedom fighters decided to remove that code and hide all the tracks of this crime. This binary seed can be full of malicious code just like any commercial binary blob you are so afraid of.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]