* Martin <smar...@disroot.org> [2021-03-31 17:00]:
> On 3/30/21 7:10 PM, Jean Louis wrote:
> > * Martin <smar...@disroot.org> [2021-03-30 19:58]:
> > You may, but we don't, as it is a vague term. On the GNU website, we never
> > use "open source" to refer to free software, as we have to promote
> > freedom.
> what's your definition of freedom then?

When I say freedom, it is used in the context of free software as it is
already well defined on the website; I gave you references. I am glad to
receive that freedom with GNU and other free software, and I distribute
it to other people as well.

When I say "to promote freedom" on this mailing list, it refers to free
software as defined, and to users' rights, which I say are basic human
rights: to be in charge of any actions done on their behalf.

As a paralegal for almost 20 years: when a person wishes to authorize
somebody else to do some actions on the person's behalf, there are 2
different powers of attorney:

- General Power of Attorney -- usually authorizes another person to do
  ANY kind of actions on the person's behalf, for example to purchase a
  house or a website domain, open up bank accounts, demand money, and so
  on.

- Specific Power of Attorney -- authorizes an attorney or representative
  to do some specific actions; for example, it could authorize an
  attorney or assigned person to purchase a vehicle on somebody's
  behalf.

Those legal documents usually have to be signed in front of a public
notary who makes sure that the person is aware of all details written in
the document.

Normally, we do not legally authorize people to read, listen, hear,
record, process our data, and do other unauthorized actions with our
data, our information, so much related to life.

Software programs and authors conquered the legality and took their
right to claim that "by downloading this software" or "by using this
website" one receives some kind of a license and accepts any kind of
otherwise unauthorized actions, like sending personal information,
tracking your behavior, researching your behavior, selling your face,
your habits, your situation of possession of your devices, like if you
are rich or poor, processing your information, doing actions on your
computer which you have never authorized, and repeating the same
actions trillions of times.
A person was not technically capable of understanding such authorization
given to proprietary software companies, and thus IMHO, all such
authorizations are invalid, and should be persecuted by criminal law,
depending on the country.

But countries think that software is some kind of a written deed, and
treat it under copyrights; I would not. I would treat it as a set of
actions executed on the user's computer, usually processing the user's
data, and conducted by the author. As that is what it is.

Unauthorized processing of actions with users' data is criminal. I do
not think that authorization by click or blind acceptance of software
is legally right. Neither do I think that for free software. For any
software, it has to be free software, as only so can users verify if
actions are actually authorized or not. For any software that is
assumed to be free software in future, users should or could trust
developers who verify the software and designate what such software
does with users' data. If it only plays files, it would be easily
accepted, but if it can do potential harm to the user's privacy,
something like that would need to be looked at from a criminal
viewpoint.

As if anybody ENTERS my room and takes a FEW papers from a table,
regardless of what is on those papers, that is so much criminal that it
deserves a few years in prison. Computer software is used in the same
way, to automate computers to send users' data, process it, sell it,
profit on it -- and people do not recognize it as a crime. But the
majority of people did not really understand the impact of it, and did
not consciously give their powers to software authors.

> > I probably have more years than you, so I am aware of the movement
> > called "open source" and licking asses of corporations.

> "free software" movement is actively endorsing a lot of projects that are
> not bootstrappable for many years. This is like a gift for corporations who
> can freely exploit your resources.
You are free to contribute your knowledge and report issues where
appropriate. This list will not be read by them.

> > > Is the GNU "free software" definition protected under some
> > > trademark laws? If not, then why do you blindly assume that everyone
> > > should use it, as it only pleases you?

> > I don't. I said in this GNU environment, on mailing lists, in
> > contributions, in publishing, designations and similar, we strive to
> > use proper terminology to express the purposes of free software
> > philosophy better; it is voluntary.

> And how do you protect yourself from internal manipulations?

I would not know what internal manipulation is. I have been eating beans
and polenta, and something is happening internally; what do you mean?

> It's good that you mentioned that, because in the beginning actually
> everything was bootstrappable, and nowadays almost nothing - how
> bizarre is our evolution of freedom.

I understand your devotion, but technically I cannot help on that. Guix
does a good job there; join there and file your issues.

> > You speak of developers, they are now many, but not proportionally as
> > many as in the early years of the microcomputing era, since about the
> > beginning of the 1980s. The number of developers today is so much less,
> > proportionally to the number of computers - we are underdeveloped in
> > 2021. Sorry, what you mention is not what end users are. I meet end
> > users every day; they use computers for DVDs, movies and music,
> > sharing files by using USB; some of them know how to write a letter,
> > and some will even make a presentation. That is the largest majority
> > of computer end users.

> What are you talking about? No one is using DVDs anymore.

Judging by that statement, I can see you live in a small world. But the
planet is big. You have got confinements and you do not know what the
planet is. Travel around, go south wherever you are located, unless in
NZ or AU. Research and see what people are doing.

> DVD has died like floppy disks many years ago.
In the small world, maybe. Outside, there is another world.

> It should be related directly to the definition in order to protect
> your freedom. Reproducibility and bootstrappability can be also used
> from transparent scripts in run time. Moreover you can implement
> these concepts in many different ways.

I have already demonstrated that reproducibility will mean nothing to
the majority of users, as there is no established chain of trust.
Unless you wish to debunk me, but you have not made an attempt.

GNU/Linux distributions have already been compromised by exact examples
of how I gave you. When speaking of reproducibility you cannot just
raise focus on one single point in the chain, without verifying the
whole chain AND making sure that it is safe. But nobody so far can do
that. All that you can do is get some final hash showing that the build
is the same as how it was created at some other point. Because there is
no established chain of trust, reproducibility is just one small, very
tiny, more or less unimportant piece of security in computing.

Example for better understanding: what is the point of making sure that
you reproduced the software from server X in the same way as server X
has created it, if there were inclusions of malicious backdoors by
server X? You would not be able to verify the huge series of software
not to have anything included as a backdoor. You cannot possibly verify
a larger number of remote servers from where upstream software has been
obtained. In other words, it is not practical. The idea though is good,
but we are late, and our society is corrupted with proprietary
software.

Bootstrappability will mean nothing to the majority of end users. The
same problem is here. You can bootstrap some software, but you cannot
possibly establish a full chain of trust. So it is one small tiny piece
of computer security.

> Below I've just smashed your very naive and completely not realistic in
> practice example

Well let me see; forgive me, I comment on email as I read it. Old habit.
> > > > Example of malicious intent easily to be placed online:
> > > >
> > > > 1. Insert various malicious code into GCC, that is to place backdoor
> > > > shells in all kinds of network services.

> Every user usually has its own version of GCC from various distros that by
> default care about reproducibility so the malicious code doesn't affect
> them.

I never heard of a GNU/Linux distribution that cares about
reproducibility by default. Can you give me some example? I know Guix
and Nix that promote it, but I do not know others.

> If the attacker decides to pollute the upstream source then most
> probably the code will be immediately rejected or disclosed by the
> global army of bounty hunters. Anyway the attacker, revisers,
> maintainers and core developers who just touch this malicious code
> are risking their reputation.

I did not speak of attackers polluting upstream source, but that did
happen in the past and can happen any time. It happened to some major
GNU/Linux distributions. Examples:

https://nakedsecurity.sophos.com/2018/06/29/linux-distro-hacked-on-github-all-code-considered-compromised/
https://securityaffairs.co/wordpress/88047/hacking/canonical-github-account-hacked.html
https://nakedsecurity.sophos.com/2016/02/22/worlds-biggest-linux-distro-infected-with-malware/

I have been speaking of creating a new GNU/Linux distribution and
promoting it as genuine.

> > > > 2. Build GCC.

> usually you can do it in various different architectures and your
> bug could not be so portable or it could be also easily detected in
> this stage.

It would not be portable; nobody would know anything about it. People
would download disk images and install the operating system.

> > > > 3. Make new GNU/Linux distribution.

> what about Debian, RedHat, FreeBSD, MacOSX, Solaris, GNU/Hurd and
> other OSes?

Any free software distribution may be impacted maliciously. For MacOSX
and Solaris, I do not know if they are free.

> > > > 4. Publish it as fully free software, promote it as you wish.
> > > >
> > > > 5. Provide hashes of binaries, packages, PGP signatures.
> > > >
> > > > 6. Provide reproducibility for all binaries, except for a few
> > > > compilers.

> Uff are you really planning to design your own compiler and linux
> distribution in this attack?

Thank you, but I do not feel smashed. It is very easy to make a GCC
compiler that is malicious; it is created by script kiddies, not even
hackers. Instructions are online. Including some of the code from the
below links into all compiled binaries that support networking would be
one way to go; I did not look into it, I am showing a model.

https://github.com/raunvk/stealthware-backdoor
https://github.com/droberson/icmp-backdoor

Sorry, I don't feel smashed; the example still stands.

> > > > 8. After some time, ping on some servers, like ping the port 7801 and
> > > > then 5 times 7802, knock on the door, and open up the root
> > > > shell.

> Hehehe you don't need to be an advanced user to see this kind of traffic on a
> wireshark :)

Now - why do you think it is so? It is because there are backdoors on
various ports, depending on devices. As a maintainer of many dedicated
servers and VPSes for about 20 years, I have seen that intruders do
intrude. My experience is with GNU/Linux; I did not keep BSD variants
online.

> No you completely miss the concept. In a perfect world if everything is
> reproducible then all the compilations are deterministic. It means that for
> a given environment your source code will always produce the same
> binaries.

I understand the concept. Is it not obvious that I do understand? But
it is just a tiny tinnie-minnie part of computer security. For the
majority of users, again, it means nothing in particular. It may mean
something for those Bitcoin miners or corporations.

> > > officially endorsed by the GNU organization.

> > You are free to contribute and make it better.

> The problem in this particular case is that there was already a contribution
> to create the usable version of GNAT that was bootstrappable.
> But some
> pseudo "free software" freedom fighters decided to remove that code and hide
> all the tracks of this crime. This binary seed can be full of malicious code
> just like any commercial binary blob you are so afraid of.

Could you please be specific with it and report it on the right mailing
list as a bug?

--
Jean

Take action in Free Software Foundation campaigns:
https://www.fsf.org/campaigns
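The thread's central dispute is what a reproducibility check actually establishes: a matching hash shows that independent rebuilds agree with the published artifact, but agreement among builders that all started from the same upstream binary seed says nothing about that seed (the "server X" argument above). The following Python is an added illustration, not code from the thread, from GNU, Guix or any distribution's tooling; the artifact bytes, manifest and rebuild reports are constructed here, and the field names (`builder`, `sha256`, `toolchain_seed`) are assumptions for the example.

```python
"""Added example: what a reproducible-build check does and does not establish.

All data below is constructed for the example. A 'rebuild report' is assumed
to carry the hash a builder obtained and the origin of the compiler it
bootstrapped from; no real distribution publishes reports in this exact shape.
"""
import hashlib
from collections import Counter

# Constructed stand-in for a published package (the real thing would be a
# tarball or disk image downloaded from a distribution mirror).
ARTIFACT = b"\x7fELF constructed package bytes for the example"

# Constructed manifest, as a distributor might publish beside the package.
MANIFEST = {
    "name": "example-pkg-1.0.tar",
    "sha256": hashlib.sha256(ARTIFACT).hexdigest(),
}

# Constructed rebuild reports. All three builders agree with the published
# hash, but all three bootstrapped their compiler from the same binary seed.
REBUILD_REPORTS = [
    {"builder": "builder-a", "sha256": MANIFEST["sha256"], "toolchain_seed": "upstream-binary-X"},
    {"builder": "builder-b", "sha256": MANIFEST["sha256"], "toolchain_seed": "upstream-binary-X"},
    {"builder": "builder-c", "sha256": MANIFEST["sha256"], "toolchain_seed": "upstream-binary-X"},
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def artifact_matches_manifest(data: bytes, manifest: dict) -> bool:
    """Step 1: the bytes we hold are the bytes the distributor published."""
    return sha256_hex(data) == manifest["sha256"]


def rebuild_consensus(published_sha256: str, reports: list) -> dict:
    """Step 2: which rebuilders reproduced the published hash bit-for-bit.

    A single disagreeing builder is enough to withhold the 'reproducible'
    verdict; the names are returned so the disagreement can be investigated.
    """
    agree = [r["builder"] for r in reports if r["sha256"] == published_sha256]
    disagree = [r["builder"] for r in reports if r["sha256"] != published_sha256]
    return {"agree": agree, "disagree": disagree,
            "reproducible": len(agree) > 0 and len(disagree) == 0}


def toolchain_diversity(reports: list) -> dict:
    """Step 3: how many distinct toolchain seeds the builders started from.

    If every builder bootstrapped from one shared seed, their agreement
    cannot rule out something introduced in that seed: they would all
    faithfully reproduce the same defect.
    """
    seeds = Counter(r["toolchain_seed"] for r in reports)
    return {"distinct_seeds": len(seeds),
            "shared_seed": len(reports) > 1 and len(seeds) == 1}


def assess(data: bytes, manifest: dict, reports: list) -> dict:
    """Combine the three checks into one verdict dictionary."""
    verdict = {"bytes_match_manifest": artifact_matches_manifest(data, manifest)}
    verdict.update(rebuild_consensus(manifest["sha256"], reports))
    verdict.update(toolchain_diversity(reports))
    # Agreement only counts as independent evidence when the agreeing
    # builders did not all inherit the same binary seed. Even then, each
    # seed's own provenance still has to be verified separately; this check
    # does not by itself establish a chain of trust.
    verdict["agreement_is_independent"] = (
        verdict["bytes_match_manifest"]
        and verdict["reproducible"]
        and verdict["distinct_seeds"] > 1
    )
    return verdict


if __name__ == "__main__":
    for key, value in assess(ARTIFACT, MANIFEST, REBUILD_REPORTS).items():
        print(f"{key}: {value}")
```

With the constructed reports the verdict comes back `reproducible: True` but `agreement_is_independent: False`, because every builder shares `upstream-binary-X`; adding a builder that bootstrapped from a different seed and still matches the hash turns the second flag on, while a builder that reports a different hash turns the first flag off and is named in `disagree`.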