Re: [libreplanet-discuss] Free software is not trusted software

[bill-auger]

frankly, i think that if this discussion is to be continued with any
sincerity, then it begs for a new "subject" heading; because the present
one is less indicative of a constructive discussion topic than
ignominious click-bait 


On Tue, 22 Jan 2019 11:07:48 +0100 Nicolás wrote:
> Therefore the most productive topic of conversation at
> this point would be narrowing down our brainstorming to how we could
> improve the already existing process for auditing software.

i do think that the most notable deficiency is lack of involvement from
users, and resources in general; but i dont think anything is currently
being done improperly, suggesting any specific improvements - most
software projects, from the smallest to the largest, are under-staffed
at their roots, almost characteristically so; but most responsible dev
teams would do, and indeed do, these sort of self-evaluations
themselves, if and when they can manage the well established, routine
"best-practice" task of code-review

that was not to indicate any particular failure of any party - i would
say it's just a case of too few cooks trying to feed a disproportionate
number of passive customers who give nothing in return (and i dont mean
cash - bug reports and discussions are far more valuable) - perhaps
many do not "feel" empowered to help; but that would be entirely
unfounded, and not any fault of the developers - absolutely everyone
can and should participate, and no explicit invitation is required;
because participation generally is the default expectation upon users of
free software


On Tue, 22 Jan 2019 11:07:48 +0100 Nicolás wrote:
>   5. It would greatly help the free distros, which are always working
>   very hard to weed out software packages with non-free blobs. Proper
>   auditing with a standard protocol would help to weed out these
>   non-free packages in a more efficient and just manner.
> 
> if Debian
> Security (or other security distro projects) don't already, it may be
> a good idea to ask them to do so

your point #5 is nearly the same as all that i suggested; only the
perspective is inverted - for the most part, there is no other, new
"it" that would be needed to help distros to do anything that they are
not already doing - all distros want their software to be bug-free, and
to varying degrees: privacy-respecting and audit-able; and they already
do as well as they possibly can to ensure that - they may not all have a
formal "security team", but there is probably nothing new to ask of any
of them other than "how can i help you to acquire more people-power or
educate software users?"


On Tue, 22 Jan 2019 11:07:48 +0100 Nicolás wrote:
> I'm fairly certain that if they
> were to find non-free software within a given package in the `main'
> repository they would notify the maintainers to move it elsewhere.

i am too - i think non-free software can be safely ignored for the sake
of this discussion


On Tue, 22 Jan 2019 11:07:48 +0100 Nicolás wrote:
> yes, we should all know that our software could always contain some
> kind of malicious code, or even code that accidentally does something
> horrible to our machines. However we should still try to help
> one another to prevent harm to those less prepared.

again, i think we are in perfect agreement already - the wording of
that indicates something is being added that i neglected to mention - i
literally offered that particular "however" as the only real remedy
there is - little red riding hood must be aware of the risks that she
takes by venturing from the safely of grandma's living room, out into
the wild wilderness; or she would be wiser to stay home - forest rangers
are not needed when some common-sense survival skills will suffice, and
are standard equipment that every explorer is wise to possess before
leaving home

perhaps more wise and conscientious shepherds are needed to offer such
advice; but people generally do not respect advice if forced upon
them by some authority - everyone is responsible for educating
themselves, especially about topics that are subjective and otherwise
outside the scope of a general school education; and i do think that
most people prefer it that way - that is, for example, non-essential,
leisure, luxury, entertainment activities such as goofing off on the
internet; which is the reality of that for which people, who are the
most in need of such advice, actually do "need" their computers and
pocket-phones - this is no more essential nor mandatory than say:
swimming lessons or bicycle safety advice for those who choose to swim
or ride a bicycle, plus the extremely tiny sliver of the population who
truly must engage in such otherwise optional activities (such as
carrying a pocket-phone), *and* who are also actually interested in such
"hand-holding" forms of instruction

as long as good advice is available for the curious to find,
responsible people will seek it and find it - if they are also wise,
they may even heed it; but in the end, it is not actually anyone's
responsibility to provide that advice - it would be nothing more
compulsory or authoritative than a voluntary, neighborly, community
service, to be appreciated or ignored, at each one's own personal
discretion and/or peril

the suggestion of a ratings system, for example, is a step quite out of
line with friendly advice, suggesting a self-proclaimed authority - i
dont think the world needs that - your distro is already that authority
and your "shepherd", by the nature that they are the ones who are
curating the software on behalf of the majority of free software users
- that is precisely and entirely what distros exists for - the way that
most distros advise against acquiring software from third-parties, and
how debian separates non-free software from the main repos, and
parabola's privacy repo, for examples, are sufficiently adequate as
such guides for anyone curious enough to learn what those general
distinctions are

seriously let us start a new thread if this discussion is to continue -
i would have, but personally, i can not think of anything more that
needs discussing - how about: "Free Software Swimming Lessons"