* Martin <smar...@disroot.org> [2021-03-30 19:58]:

> > Instead of open source, we say, free software or free (libre)
> > software.
>
> This is absurd, I would never use only the "free software" term for
> exactly the same reason I'm not using only the word "open-source".

You may, but we don't, as it is a vague term. On the GNU website, we never use "open source" to refer to free software, as we have to promote freedom. Anyway, you cannot change it. I have already mentioned various Spanish, Italian and German speaking countries; the free software movement is there, it will not change, and people of the free software movement use "free software" in their speech. Those who like software but do not understand the importance of freedom may call it as they want, but that is not helping new people.

You maybe deal with all kinds of software, sorry, I cannot know what you do. I have asked what software you relate to, to show me some hyperlinks.

> For me both cases are not precise and lead to misinterpretations. I
> don't see the reason to limit my vocabulary from the words you and
> your organizations simply don't like.

But nobody asks you to limit it; it is a recommendation for every human to be precise in how they express themselves. In general, free software is free as in freedom. Open source in general may be proprietary software; see the non-free Debian open source repository, it is full of proprietary software that is open source. It is vague. It is thus obvious that people use non-free software under the umbrella of free software. GNU Free Software OS-es do not use vague terminology. It is how it is; it is the decision of the group and of the individuals in the group to make things straight.

> If you don't understand the context of using terms like "open" or
> "open-source" you can just ask for more details.

I probably have more years than you, so I am aware of the movement called "open source" and licking asses of corporations.

> What if any freeware vendors start to use the "free software" term to
> promote their commercial products, how do you plan to stop them from
> doing it?

I could not care less. People are free to make their new terms in new contexts. We use it in the context of freedom. There is no need to discuss hypothetical situations, they are not real.

> Is the GNU "free software" definition protected under some
> trademark laws? If not, then why do you blindly assume that everyone
> should use it as it only pleases you?

I don't. I said that in this GNU environment, on mailing lists, in contributions, in publishing, designations and similar, we strive to use proper terminology to express the purposes of the free software philosophy better; it is voluntary.

> > Those who install their systems themselves are for me advanced
> > users. They will hardly go for reproducible builds. If somebody is
> > downloading a few gigabytes of binaries to install on a computer, that
> > somebody will most probably, in the majority of this group of advanced
> > users, never verify any sources. Hashes and PGP signatures may be
> > verified automatically by the system package manager.
> >
> > There will be those who are responsible for security of data and may
> > like to verify distributions or make their own; those will be doing
> > verification checks. This group does not belong to the group of end users.
>
> Not so long ago a person who was able to use a text editor or any simple
> applications on the first computers was considered an advanced
> user.

Actually, the other way around. The first microcomputer users were assembling their microcomputer at home, later programming it as there was no software available. Using editors and, if not editors, then interactive editing environments such as a BASIC shell or a LOGO shell, including assembly and machine language, that was the daily routine for end users back then. Today, end users mostly use computers for multimedia, and some of them edit text; that is now, not back then, considered advanced. We are underdeveloped in 2021.

> In the early internet years people were putting in their Resume
> abilities of using web browsers, etc. Nowadays almost every end user
> is verifying PGP signatures, it's not rocket science
> anymore. People are sand-boxing many layers of their working
> environments, using chroots, jails, containers, various
> virtualization, etc.

You speak of developers; they are now many, but not proportionally as many as in the early years of the microcomputing era, since about the beginning of the 1980s. The number of developers today is so much smaller in proportion to the number of computers; we are underdeveloped in 2021. Sorry, what you mention is not what end users are. I meet end users every day; they use computers for DVDs, movies and music, sharing files by using USB, some of them know how to write a letter, and some will even make a presentation. That is the largest majority of computer end users.

> There is a devops profession that fully automates complex pipelines
> and crafts fully transparent recipes so the end user can just click
> a button to trigger reproducible-builds, bootstrappability,
> verification, testing, fuzzing, sanitizing and many other features
> for their software in some nice CI/CD fashion.
>
> No.

Sorry, I do not share the opinion that the end user is triggering reproducible builds, and if it is just by a click of a button, that end user, without knowledge of the underlying software, does not need a reproducible build -- as that requires serious knowledge to verify what is really going on. We are all advanced users, so by the term "end user" as you mentioned it, I understood the majority of common computer users. But you speak of developers.

> > I said that terms like "bootstrapping" or "reproducible" do not fall
> > into the definition of free software; those are technical methods of
> > creation and verification of software.
>
> Yes, because your "free software" term is also dedicated mainly to technical
> methods of modifying and compiling the software.

There is nothing that relates to compiling. People may use scripts which may be compiled at run time, like Perl, and may not know what is going on inside of Perl, and their script may be quite transparent. The free software definition is not related directly to technical stuff. You could get software written on paper, as that is how it was distributed back in time; you would type the BASIC program into your computer and by typing RUN it would execute. There need not be any knowledge of compiling anything; it is not related to the definition directly.

> > I have already given a few examples that "reproducible" does not mean
> > secure. You have to compare your reproducible build with some
> > original build, and you still have to trust the original build to be
> > safe. It does not speak of safety, it just speaks of reproducibility
> > of software as compared to the previous distributor.
> >
> > For the end user it means nothing. End users are the majority of the user base. If
> > they trust the online distributor enough to download gigabytes of
> > software and boot the system, at that moment reproducible builds are
> > of no importance, as the user has already expressed trust in the online
> > distributor. Why now reproduce it oneself?!
> >
> > Reproducible builds only make sure that software was not tampered with,
> > comparing the original build and its repository to the local build.
>
> You are wrong again, reproducible-builds is assuring that every end user of
> the software is able to produce exactly the same binaries from the
> source-code.

And? Does it practically help me? I am an advanced user; at least every day I program something new, and my programs are good enough to make me money without selling them. They are programs that make money. Back in 2000 I made the first GNU/Linux distribution that fit on 2 diskettes; it was prepared for my needs and used by many people in Eastern Europe on the go. It was a mobile distribution that used mutt for email and connected to the Internet from any computer, including from Internet points or cafes. People were downloading it heavily and asking for support. It provided 2 alphabets for various groups of people, Latin and Cyrillic, out of the box. The kernel was compiled with a modified ISO system to show the alphabets by default from its boot. Later I was compiling and building distributions, and I could repeat it again. So from there I have some experience.

And again I tell you, to make a reproducible build is neither practical nor useful. I need software that works, and would not like at this moment to spend weeks verifying it. But why not, one day. For the majority of users reproducible builds are useless. For developers and researchers, programmers who need more security, they may enjoy the illusion of security.

> So whenever someone would like to tamper with the official binaries
> it would be immediately detected by the software community, i.e.:
> https://github.com/bitcoin-core/gitian.sigs/

It would not be detected, and you have got the example below.

> > Example of malicious intent easily to be placed online:
> >
> > 1. Insert various malicious code into GCC, that is to place backdoor
> > shells in all kinds of network services.
> >
> > 2. Build GCC.
> >
> > 3. Make a new GNU/Linux distribution.
> >
> > 4. Publish it as fully free software, promote it as you wish.
> >
> > 5. Provide hashes of binaries, packages, PGP signatures.
> >
> > 6. Provide reproducibility for all binaries, except for a few compilers.
> >
> > 7. Let people install software and verify the reproducible builds.
> >
> > 8. After some time, ping on some servers, like ping the port 7801 and
> > then 5 times 7802, knock on the door, and open up the root
> > shell.
>
> Have you ever tried to contribute to GCC or GNU/Linux? Have you ever heard
> about Diverse Double-Compiling https://dwheeler.com/trusting-trust/ ?

Why? There is no need to contribute to GCC to take GCC, change or modify it as you wish, and make a malicious distribution however you wish. I know D. Wheeler's website, very interesting. I guess you brushed off the plain example of a malicious distribution where you or another person would not be able to determine if it is reproducible or not. Thus what is reproducible has to be compared to something that is trusted. If users are misled to trust the malicious server, their reproducible build will be correct, alright, compared with data published on the malicious server.

> > The definition is fine, as the definition does not speak of reproducibility,
> > or bootstrapping, nor of hardware; it is a general
> > definition.
>
> Your official definition is too general, hence it's useless in practice now.
> It's a shame for all RMS/FSF/GNU/Free organizations that for so many years
> even Guix is not yet fully bootstrappable.
>
> [ASCII-art banner, collapsed by extraction]
>
> > The definition alone cannot help anybody to get free software in their
> > hardware; that is maybe a matter of laws, personal preferences,
> > lobbying, campaigning for it. Nobody points that out in public. That
> > is a serious problem. Nobody complains to their parliaments.
>
> Obfuscated and pathological free software like GNAT is a much bigger problem,
> because its ridiculous lack of reproducibility and bootstrappability is
> officially endorsed by the GNU organization.

You are free to contribute and make it better.

-- 
Jean

Take action in Free Software Foundation campaigns:
https://www.fsf.org/campaigns
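As an added example, not part of the mailing-list thread and not anyone's project code: a small Python checker for the comparison step the discussion keeps returning to. It parses a sha256sum-style manifest, hashes the locally rebuilt artifacts, and reports four outcomes: match, mismatch, published-but-not-built, and built-but-not-published. The last category is the gap in point 6 of the quoted scenario: an artifact that the reference manifest does not cover cannot be checked by rebuilding it. All file names and bytes below are constructed for the example, and a "matched" outcome establishes only equality with the reference the user chose to trust, which is exactly Jean's point.

```python
"""Compare a local rebuild against a published checksum manifest.

Added example for the reproducible-builds discussion; the manifest and
artifact bytes are constructed sample data, not a real distribution.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of an artifact's bytes."""
    return hashlib.sha256(data).hexdigest()


def make_manifest(artifacts: dict[str, bytes]) -> str:
    """Render artifacts in the `sha256sum` output layout:
    64 hex digits, two spaces, file name, one entry per line."""
    return "".join(f"{sha256_hex(data)}  {name}\n"
                   for name, data in sorted(artifacts.items()))


def parse_manifest(text: str) -> dict[str, str]:
    """Parse `sha256sum`-style lines into {file name: digest}.

    Accepts the text-mode ("  name") and binary-mode (" *name") separators,
    skips blank lines and '#' comments, and rejects malformed digests
    instead of silently ignoring them (an unparsable manifest must fail
    closed, otherwise a file could go unchecked without anyone noticing).
    """
    entries: dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")  # drop the sha256sum mode marker
        digest = digest.lower()
        if (len(digest) != 64 or not name
                or any(c not in "0123456789abcdef" for c in digest)):
            raise ValueError(f"manifest line {lineno} is malformed: {raw!r}")
        entries[name] = digest
    return entries


@dataclass
class BuildReport:
    matched: set[str] = field(default_factory=set)     # local digest equals published
    mismatched: set[str] = field(default_factory=set)  # rebuilt, but the bytes differ
    missing: set[str] = field(default_factory=set)     # published, not built locally
    unlisted: set[str] = field(default_factory=set)    # built locally, manifest is silent

    @property
    def reproducible(self) -> bool:
        """True only when every published artifact rebuilt byte-for-byte.
        Unlisted artifacts do not block this flag; they are reported
        separately because no manifest entry exists to check them against."""
        return not self.mismatched and not self.missing


def verify_build(manifest_text: str, local: dict[str, bytes]) -> BuildReport:
    """Classify every artifact from either side of the comparison."""
    published = parse_manifest(manifest_text)
    report = BuildReport()
    for name, digest in published.items():
        if name not in local:
            report.missing.add(name)
        elif sha256_hex(local[name]) == digest:
            report.matched.add(name)
        else:
            report.mismatched.add(name)
    report.unlisted = set(local) - set(published)
    return report


# Constructed sample: the bytes behind the distributor's published manifest.
REFERENCE_ARTIFACTS = {
    "libc.so": b"ELF libc sample bytes",
    "coreutils.tar": b"coreutils sample bytes",
    "vmlinuz": b"kernel image sample bytes",
    "docs.tar": b"documentation sample bytes",
}
PUBLISHED_MANIFEST = make_manifest(REFERENCE_ARTIFACTS)

# Constructed sample: what a local rebuild produced. libc.so and vmlinuz
# rebuild identically, coreutils.tar differs, docs.tar was never rebuilt,
# and gcc was built locally but the manifest never covered it.
LOCAL_ARTIFACTS = {
    "libc.so": b"ELF libc sample bytes",
    "coreutils.tar": b"coreutils sample bytes (different)",
    "vmlinuz": b"kernel image sample bytes",
    "gcc": b"compiler sample bytes",
}

if __name__ == "__main__":
    print(verify_build(PUBLISHED_MANIFEST, LOCAL_ARTIFACTS))
```

Run against real output, the manifest text would come from the distributor's SHA256SUMS file (after its PGP signature has been checked) and the local bytes from the rebuilt tree; the report's `unlisted` set is the list of binaries a user cannot reproduce-and-compare no matter how much they trust the reference.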