> Subject: Re: [GNU-linux-libre] DSFG in perpetuity > Date: Mon, 26 Mar 2018 16:41:52 -0400 > From: bill-auger <bill-auger@peers.community> > Reply-To: Workgroup for fully free GNU/Linux distributions > <gnu-linux-libre@nongnu.org> > To: gnu-linux-libre@nongnu.org > > On 03/26/2018 03:27 PM, Donald Robertson wrote: >> and at this point we at the FSF need to bring some guidance. > > there has been a healthy flurry of activity on this list recently and i > think the will exists to forgot about any friction in the past and move > forward - but i must firmly say that "guidance" is too weak of a word > for what the FSF needs to do to in order to smooth over the past > wrinkles - as i understand, tensions have gotten high in the past and > many are still not at ease - there are at least 2 issues that the > community has argued over for years that only the FSF should decide > definitively - namely: > > * are the debian kernel blob error log messages acceptable or are they > unacceptable? *regardless of the distro* > > * what to do about chromium - now i think it is finally removed from all > FSDG distros - should we just let that dog lie? - i am happy to tell > users "forget it - she is a lost cause" (that probably is the case for > 'electron') - but i was told that RMS was interested in doing something > about it - so maybe the answer should be "not now - but maybe someday" - > even that distinction would make a difference - i happen to know we have > the co-operation of qt5-webengine - if only that library could be deemed > acceptable, it would have the greatest impact.
I would also be interested in where the FSF stands on Chromium, and how to proceed moving forward. Below is the article from last January which was apparently withheld from publishing. ------------------ -------- Forwarded Message -------- Subject: Re: Article: Chromium's subtle freedom flaws Date: Mon, 30 Jan 2017 23:33:15 +0000 From: Luke <g...@openmailbox.org> To: r...@gnu.org On 01/30/2017 02:49 AM, Richard Stallman wrote: > [[[ To any NSA and FBI agents reading my email: please consider ]]] > [[[ whether defending the US Constitution against all enemies, ]]] > [[[ foreign or domestic, requires you to follow Snowden's example. ]]] > > Would you like the FSF to publish your article? > If so, please send me the latest version. > Hello, You may publish it. Here is the latest text. HTML / formatting can also be adjusted as needed. Thank you. Sincerely, Luke Parabola GNU/Linux-libre Packager. --------------------------------------------------------------------------- Chromium's subtle freedom flaws As free software activists, we all enjoy using the latest and greatest in free software, but we need to make sure that the software we are using really does respect our freedom. Many users have expressed to us their desire to run Chromium web browser, since it appears to be fully free software, but it still fails in several ways. In our research, we discovered that the situation is improving. Just a few years ago, there were over one thousand unlicensed files which were considered to be non-free. Thanks to Debian's Lintian Reports and efforts, this number has come down to under 100 files as of this writing. Licensing the remaining code with GPL-compatible licensing is fairly trivial and is expected to be completed soon - the majority of it being minified javascript.[1] However, Chromium, by default, still has a number of issues that are of concern for free software users - even if all the source code is licensed properly. -What are the issues?- Queries to Google --- By default, Chromium source code still has many lines of code that makes direct internet connections to Google. When building the software unpatched, much of your browsing experience is under the control of Google's online web services. As mentioned in our article "Who does that server really serve?"[2], free software is only free when you are in control and should not be dependant on third-party web services. Some work has already been done to free Chromium from this problem, including the removal of "Google OK", a Google web service plugin used for voice recognition, after user outcry.[3] Pre-built Binaries --- By default, Chromium still includes some pre-built binaries to aid in faster compiling. In order to have fully free software, we require all software to be built from source. Packagers should not use "use_prebuilt" as a compile option. DRM and Proprietary Codecs --- Chromium supports the use of Widevine DRM, Adobe Pepper Flash, and third-party codecs which are non-free. Packagers must ensure that these are removed and disabled in the makefile options prior to compiling in order to be free software. Privacy problems --- While not specific to free software, we would like for users to have control over their private information. Chromium has a number of reported privacy concerns which made it ineligible for use with Tor. Issues include outstanding proxy bugs which leak a user's IP address, fingerprinting issues that leak the computers hostname and hardware, and timing issues that enable timing attacks even in the browser's "Incognitio" mode. Free software users should be aware of these issues and work to patch them upstream and in their packages as needed.[4] A work in progress --- There is work being done to remove queries to Google and pre-built binaries, as well as strengthen user-privacy. The patch-set called ungoogled-chromium, which itself is a combination of inox, iridium, and Debian patches is one such effort.[5] Free software advocates are advised to use these patchsets and help contribute to their maintenance, while pushing for a self-contained version of Chromium with these fixes built-in. With each consecutive Chromium release a new patchset must be created to remove Google specific code and binaries which affect your freedom. Having a self-contained version ensures that no one will be forced to accidentally use non-free software during these updates. -The Bigger Picture- Chromium is also being used as an embedded framework in various projects. Users should be aware that QTWebengine is based on Chromium and therefore contains many of the same flaws. Proprietary codecs and other anti-features must be disabled at compile time to ensure user's freedom is respected.[6] Due to QT being a primary component of KDE and many applications, ensuring it is compiled correctly and removing non-free software is of even greater importance to the free software movement. For our freedom's sake, free software projects should take care about all kinds of freedom issues when deciding what components to depend on. We are hopeful that the various projects currently working with Chromium source code will make Chromium fully respect both users' freedom and users' privacy, making the internet safer, as well as more freedom respecting, for everyone. 1. https://lintian.debian.org/maintainer/pkg-chromium-ma...@lists.alioth.debian.org.html#chromium-browser 2. https://www.gnu.org/philosophy/who-does-that-server-really-serve.html 3. http://www.pcworld.com/article/2940499/ok-google-hotword-detection-yanked-from-chromium-after-user-revolt.html 4. https://trac.torproject.org/projects/tor/wiki/doc/ImportantGoogleChromeBugs 5. https://github.com/Eloston/ungoogled-chromium 6. http://doc.qt.io/qt-5/qtwebengine-features.html#audio-and-video-codecs This is Free work, you can redistribute it and/or modify it under the terms of either: The Creative Commons Attribution-ShareAlike 4.0 International License as published by Creative Commons; either version 4.0, or (at your option) any later version, or The GNU Free Documentation License as published by the Free Software Foundation; either version 1.3, or (at your option) any later version; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts ------------------------- Sincerely, Luke
signature.asc
Description: OpenPGP digital signature