* Martin <smar...@disroot.org> [2021-03-30 15:51]:
> This kind of stories also have some pros. That time Jabber/XMPP network was
> getting big "free" promotion from Facebook, Google, etc. Nowadays I'm still
> using Jabber/XMPP and I have zero interest of having fb, g+, etc.

I don't remember that neither Google nor Facebook advertised XMPP,
they did not use directly that term. It was a hidden feature to a
degree. I would be definitely contacting Google and Facebook users
would they have XMPP today. So I would not contribute promotion of
XMPP to them, and I am not sure if XMPP became more popular due to
them.

> Facebook has also big impact of the web evolution in
> general. Together with Google, MS, Amazon, etc they are creating web
> prisons heavily obfuscated with their JavaScript trash. It's almost
> impossible to browse modern websites (their "free" applications) in
> pure GNU "free software" environments.

How I see that impact, governments took about 10-15 years delay to act
on abuses of people's information. Today US courts are heavily
punishing Facebook, maybe other similar too, for past abuses and
tracking of user information without consent. Europe has enacted
similar laws and Facebook and Google are pretty much protesting.

Following that observation it will be quite possible to enslave half
of the world digitally but also medically, until governments start
reacting and observing that human rights are in danger. That is why
right time for outcries and protests is now. Not later.

> > You are free to introduce any new words into English or any other
> > language. Why not? Is there a law forbidding that? Languages are
> > changing throughout the centuries, the word "Libre" is today English
> > word and it has its special definition for software.
>
> To really face the modern threats I would just use a term like: "clean
> open-source, reproducible, bootstrappable, secure and free software". It's
> long but at least it explicitly describe what it is about without any
> confusion.

In that sense you minimize the meaning of "free software", as if you
use "open source" it means that maybe it is open source, but also free
of charge -- so there is no definite information that you actually
deal with free software as in liberty.
What would mean "Clean"? I don't know.

If you wish to avoid confusion simple refer by hyperlink to definition
of free software: https://www.gnu.org/philosophy/free-sw.html

Open source definition misses the point:
https://www.gnu.org/philosophy/open-source-misses-the-point.en.html

Please avoid using the term “open” or “open source” as a substitute for “free software.”
https://www.gnu.org/philosophy/words-to-avoid.html#Open

Please avoid using the term “open” or “open source” as a substitute
for “free software.” Those terms refer to a different set of views
based on different values. The free software movement campaigns for
your freedom in your computing, as a matter of justice. The open
source non-movement does not campaign for anything in this way. When
referring to the open source views, it's correct to use that name, but
please do not use that term when talking about us, our software, or
our views—that leads people to suppose our views are similar to
theirs. Instead of open source, we say, free software or free (libre)
software.

Me, as user of fully free software distribution, I will install
exclusively those which are FSF endorsed, as there is good and better
certainty that my environment is free software.
https://www.gnu.org/distros/free-distros.html

What software is the software you have to distribute?

> > > The problem I mentioned above is that "free software" unfortunately
> > > could also mean freeware for too many people who are not
> > > professional English linguists nor IT specialists.
> >
> > That is right, for people on lower literacy level it can mean
> > anything, including "freeze". For children it may mean just
> > nothing. The word "free" is definitely one of most common words in
> > English. As I said, if there is any confusion, that means person did
> > not verify the context where word is used.
>
> You could say exactly the same about the word "open-source". It's very
> common nowadays and "...if there is any confusion, that means person did not
> verify the context where word is used."

Yes, that was ironical. Any word may be misunderstood, but we shall
not change our words to accommodate people who lack certain levels of
education.

> The precursor and the current leader of reproducible-builds efforts is still
> the Debian project. It's not hypothetical effort anymore, there are more and
> more serious and big projects where this concept is used in practice, i.e.:
> Bitcoin, Guix, Coreboot, etc. The biggest benefit for the end user is the
> possibility to easily reproduce their source code and verify its compiled
> binaries with the whole community who is using it. This is so far the only
> way to fight against "Volkswagen emissions scandal" cases, where compromised
> dev environments could inject any malicious code to our "free
> software".

I do understand the purpose of it, but I do not see how it is relevant
for end users. It is relevant for security officers. End users
purchase computers and they may choose computer with GNU/Linux -- they
could care less if it is free software or not -- end users are
satisfied if they can watch videos, play music and do some fundamental
computer work like letter writing and similar. On that level, end
users will not verify anything, neither the licenses, neither where
software comes from, they may not know differences.

Those who install their systems themselves are for me advanced
users. They will hardly go for reproducible builds. If somebody is
downloading few gigabytes of binaries to install on computer, that
somebody will most probably, in the majority of this group of advanced
users, never verify any sources. Hashes and PGP signatures may be
verified automatically by the system package manager.

There will be those who are responsible for security of data and may
like to verify distributions or make their own, those will be doing
verification checks.
This group does not belong to group of end users.

> > Yes, GNU Guix has solution to fully bootstrap system, it will come
> > there, if it is not yet there, and I hope that solution will be useful
> > for other distributions. Bootstrapping does not belong into definition
> > of free software. But what cannot be said to be free software is a
> > compiler that cannot be compiled or bootstrapped itself. Again,
> > practically, the bootstrapping technique means something only to people
> > skilled in security, it means little to end users. I just hope that we
> > get bootstrappable systems.
>
> Using similar argumentation you could also say that "free software" in
> general means nothing to end users who are not skilled in security.

No. I said that terms like "bootstrapping" or "reproducible" do not
fall into definition of free software, those are technical methods of
creation and verification of software.

I have already given few examples that "reproducible" does not mean
secure. You have to compare your reproducible build with some original
build, and you still have to trust the original build to be safe. It
does not speak of safety, it just speaks of reproducibility of
software as compared to the previous distributor.

For end user it means nothing. End users are majority of user base. If
they trust enough to online distributor to download gigabytes of
software and boot the system, at that moment reproducible builds are
of no importance, as user already expressed the trust to online
distributor. Why now reproduce it oneself?!

Reproducible builds only make sure that software was not tampered as
compared to original build and its repository to the local build.

Example of malicious intent easily to be placed online:

1. Insert various malicious code into GCC, that is to place backdoor
   shells in all kinds of network services.

2. Build GCC.

3. Make new GNU/Linux distribution.

4. Publish it as fully free software, promote it as you wish.

5. Provide hashes of binaries, packages, PGP signatures.

6. Provide reproducibility for all binaries, except of few compilers.

7. Let people install software and verify the reproducible builds.

8. After some time, ping on some servers, like ping the port 7801 and
   then 5 times 7802, knock on the door, and open up the root shell.

> Thompson attack is a real issue:
> https://nitter.namazso.eu/_markel___/status/1373059797155778562 , you
> cannot trust your "free software" if you don't trust your
> compiler.

I agree fully, so Guix, Debian, Nix are working in that direction. I
hope that Guix becomes prime distribution to bootstrap other
distributions.

> You cannot trust your compiler if you don't trust your hardware.

That is right.

> You cannot trust your hardware if you cannot validate the full
> fabrication process of it. The design of the whole system and chain
> of trust should be fully auditable by default.

Yes, I agree. That requires stronger campaign, maybe in 20-30 days,
provided we start campaigning now.

> Worth to highlight is also the fact that most of the software we are using
> nowadays is highly overpowered, they are able to create full blown computers
> inside of your own computer, inside your font, MMU chip, etc:
> https://www.gwern.net/Turing-complete . Conclusions are still the same: the
> definition of "free software" is outdated and it doesn't scale to protect
> the whole philosophy of software freedom from the arising real technological
> threats.

Definition is fine, as definition does not speak of reproducibility,
or bootstrapping, neither of hardware, it is general
definition. Definition alone cannot help anybody to get free software
in their hardware, that is maybe matter of laws, personal preferences,
lobbying, campaigning for it.

Nobody points that out in public. That is serious problem. Nobody
complains to their parliaments. Back in time all micro computer chips
were well defined, their instruction sets and internals were defined
and transparent.
Today it is not so any more.

We are in agreement, but we have to act. The way to go is to convert
number of users' machines from proprietary Windoze to free software
OS. Then it will create an impact. Thus contributing to FSF campaigns
will make the actual change.

--
Jean

Take action in Free Software Foundation campaigns:
https://www.fsf.org/campaigns