Re: Truth matters when writing software and selecting leaders
On 4/4/21 11:38 PM, Jacob Bachmeyer wrote: Martin wrote: In a perfect world if everything is reproducible than all the compilations are deterministic. It means that for a given environment your source code will always produce the same binaries. Briefly DDC method is using mix of different environments in order to analyze the binary patterns of the same source code. The downside of this is that we are right back to a binary monoculture, and an exploit that works on one machine would be trivially guaranteed to work everywhere. We really need some kind of controlled randomization that allows provably equivalent executables to be produced, but such that exploits relying on hardcoded offsets will only work on a limited subset. I don't understand what you mean by "binary monoculture" in this context can you elaborate more about it pls? Besides reproducibile-builds is not designed to solve all type of exploits. It's just hardening dev environment requirements to face the trusting trust issue https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrustingTrust.pdf . In general it doesn't make sens to make any "free software" development if you cannot trust your compiler. You cannot trust your source code if it produce different binaries in the same dev environment. This is the basic and once it's established than you can play with any "controlled randomization" ideas on top of it.
Re: Truth matters when writing software and selecting leaders
On 3/30/21 1:38 PM, Jean Louis wrote: * Martin [2021-03-30 15:51]: This kind of stories also have some pros. That time Jabber/XMPP network was getting big "free" promotion from Facebook, Google, etc. Nowadays I'm still using Jabber/XMPP and I have zero interest of having fb, g+, etc. I don't remember that neither Google nor Facebook advertised XMPP, they did not use directly that term. It was a hidden feature to a degree. I would be definitely contacting Google and Facebook users would they have XMPP today. So I would not contribute promotion of XMPP to them, and I am not sure if XMPP became more popular due to them. The promotion of XMPP was not coming only from the official advertising campaigns but also from many technical blogs, podcasts and various other media noises partially sponsored by Google/Facebook. You cannot just ignore that facts but anyway for me XMPP is really one of the best p2p communication system till these days. To really face the modern threats I would just use a term like: "clean open-source, reproducible, bootrstrappable, secure and free software". It's long but at least it explicitly describe what it is about without any confusion. In that sense you minimize the meaning of "free software", as if you use "open source" it means that maybe it is open source, but also free of charge -- so there is no definite information that you actually deal with free software as in liberty. I don't agree with you. For me still "free software" doesn't explicitly state that the source should be open and even the hidden "freedom" element included in the definition is not precise enough to strictly require from the code to be open as I've explained multiple times in my previous mails. I agree though that open-source code could be released under many non ethical licenses vulnerable to patent trolling, etc but together with "free" word it actually maximize the meaning of my proposed long new term. What would mean "Clean"? I don't know. If you wish to avoid confusion simple refer by hyperlink to definition of free software: https://www.gnu.org/philosophy/free-sw.html Open source definition misses the point: https://www.gnu.org/philosophy/open-source-misses-the-point.en.html Please avoid using the term “open” or “open source” as a substitute for “free software.” https://www.gnu.org/philosophy/words-to-avoid.html#Open The above links are the main source of confusion. Instead of redefine basic words, creating blacklist of common synonyms and brainwashing people from their intuitions it would be better to CLEAN finally that mess and Keep It Simple S...? Please avoid using the term “open” or “open source” as a substitute for “free software.” Those terms refer to a different set of views based on different values. The free software movement campaigns for your freedom in your computing, as a matter of justice. The open source non-movement does not campaign for anything in this way. When referring to the open source views, it's correct to use that name, but please do not use that term when talking about us, our software, or our views—that leads people to suppose our views are similar to theirs. Instead of open source, we say, free software or free (libre) software. This is absurd, I would never use only "free software" term for the exactly same reason I'm not using only the word "open-source". For me both cases are not precise and lead to misinterpretations. I don't see the reason to limit my vocabulary from the words you and your organizations simply don't like. If you don't understand the context of using terms like "open" or "open-source" you can just ask for more details. What if any freeware vendors start to use "free software" term to promote their commercial products, how you plan to stop them from doing it? Does the GNU "free software" definition is protected under some trademark laws? If not than why you blindly assume that everyone should use it as it only please you? Yes, that was ironical. Any word may be misunderstood, but we shall not change our words to accommodate people who lack certain levels of education. Are you saying that the inventor of "free software" term was badly educated?. Those who install their systems themselves are for me advanced users. They will hardly go for reproducible builds. If somebody is downloading few gigabytes of binaries to install on computer, that somebody will most probably, in the majority of this group of advanced users, never verify any sources. Hashes and PGP signatures may be verified automatically by the system package manager. There will be those who are responsible for security of data and may like to verify distributions or make their own, those will be doing verification checks. This group does not belong to group of end users. Not so long time ago a pe
Re: Truth matters when writing software and selecting leaders
On 3/30/21 9:10 AM, Jean Louis wrote: * Martin [2021-03-30 11:07]: On 3/29/21 12:26 PM, Jean Louis wrote: I do not think that Facebook is freeware software, it is cloud service provider. There are Facebook applications and messengers, maybe you mean those? See: https://en.wikipedia.org/wiki/Freeware Look, even a prison gives you some kind of a freedom to sit in the cell and associate with other prisoners, within specific boundaries. So the freedom in Facebook is there, it is just within prison walls. For example, if you wish to get contacted by somebody who is not FB-prisoner, you must invite free citizen to become FB-prisoner to enter prison walls, as only from inside you can talk to each other. Exactly this is also one of the reason why the world "freedom" is not any better than "free". Even if we would decide to use "freedom software" instead of "free software" the core issue would be similar. Both terms are very not precise for nowadays realities. Back in past, it was possible, and I remember doing so. I have been using Jabber network and I could freely contact Google Plus users through Jabber network and I could freely contact Facebook users through Jabber/XMPP network. It was possible to send email to Facebook friend without being Facebook user or having Facebook account, they would answer in their inbox to such email, and you would get reply. Today it is not possible. This kind of stories also have some pros. That time Jabber/XMPP network was getting big "free" promotion from Facebook, Google, etc. Nowadays I'm still using Jabber/XMPP and I have zero interest of having fb, g+, etc. I get it, that is how you misinterpreted it. Well, Facebook is not free software, it is online service, and social network. Applications made by Facebook are free software. Facebook has also big impact of the web evolution in general. Together with Google, MS, Amazon, etc they are creating web prisons heavily obfuscated with their javascript trash. It's almost impossible to browse modern websites (their "free" applications) in pure GNU "free software" environments. You are free to introduce any new words into English or any other language. Why not? Is there a law forbidding that? Languages are changing throughout the centuries, the word "Libre" is today English word and it has its special definition for software. To really face the modern threats I would just use a term like: "clean open-source, reproducible, bootrstrappable, secure and free software". It's long but at least it explicitly describe what it is about without any confusion. The problem I mentioned above is that "free software" unfortunately could also mean freeware for too many people who are not professional English linguists nor IT specialists. That is right, for people on lower literacy level it can mean anything, including "freeze". For children it may mean just nothing. The word "free" is definitely one of most common words in English. As I said, if there is any confusion, that means person did not verify the context where word is used. You could say exactly the same about the word "open-source". It's very common nowadays and "...if there is any confusion, that means person did not verify the context where word is used." Reproducible build of software is not related to class of software. While it does seem important, it is more hypothetical rather than practical. End user usually does not have enough knowledge to verify software, regardless of all the PGP keys and hashes. Verification is more for group of people skilled in security. Even they will make grave mistakes. For example they could be downloading software from a mirror and verify PGP signatures and hashes that have been published on a mirror, but would not maybe verify original PGP signatures and original hashes. Some people may be tricked with domain names. Reproducible builds are far far from practical users' data security. Guix is doing well in that direction. All that is not related to free software definition. The precursor and the current leader of reproducible-builds efforts is still the Debian project. It's not hypothetical effort anymore, there are more and more serious and big projects where this concept is used in practice, i.e.: Bitcoin, Guix, Coreboot, etc. The biggest benefit for the end user is the possibility to easily reproduce their source code and verify its compiled binaries with the whole community who is using it. This is so far the only way to fight against "Volkswagen emissions scandal" cases, where compromised dev environments could inject any malicious code to our "free software". I agree that software should be boostrappable from software that one can understand and inspect. But that is for many software today not so. Example is Haskell compiler that can only be compiled
Re: Truth matters when writing software and selecting leaders
On 3/29/21 12:26 PM, Jean Louis wrote: * Martin [2021-03-29 13:57]: From the paragraph above, I can see you did not get the difference between the free software and open souce. And your analogy is not right. You mentioned price not freedom. I know that gnu definition and in general I'm on your site here, but unfortunately besides us and other small groups of geeks the "free software" term just sounds too general in my opinion. People in supermarkets while choosing some free stuffs in promotions usually are not thinking about freedom. Besides freeware software like facebook (with all its network, cloud services, etc) gives you also some kind of freedom of socializing with other ppl in their platform. In general facebook is not only about price, they control almost every aspect of human lives around the globe including people who are not using their apps directly. Some random person by just reading the gnu header that "free software is better than open-source" could easily misinterpret it as facebook being not so bad only because it's not open-source. We use the word "free software" to clearly refer to freedom, we may use words such as libre software to refer to freedom. Libre is just more blurred spanish, french,... translation of the word "free" redefined by GNU. So the core issue with this confusing term is still not resolved. We do not use "open source" as that is vague term, and does not necessarily mean "free software". The distinction is more and more important today. Ironically the word "free" is much more vague then "open-source". The problem I mentioned above is that "free software" unfortunately could also mean freeware for too many people who are not professional English linguists nor IT specialists. Moreover definition of "free software" is not mentioning about importance of https://reproducible-builds.org/ nor http://bootstrappable.org/ which should be in the highest priority for any RMS/FSF/GNU/Free organization to finally address pathological issues like: https://gcc.gnu.org/legacy-ml/gcc/2007-11/msg00091.html
Re: Truth matters when writing software and selecting leaders
On 3/28/21 6:47 AM, Jean Louis wrote: * shulie [2021-03-27 21:28]: On 3/24/21 10:55 PM, Jacob Bachmeyer wrote: As I understand, RMS always thought that proprietary software companies would make some kind of large legal attack on the GNU project, no - this is just how the extreme left works now. They scream until you agree with them. We are here together because of free software, that is where we can agree upon that we like it, promote it, it is useful, helps people, preserves users freedom and control of their data. The problem is that everyone define the term "free software" in many different ways. Controversial statements like https://www.gnu.org/philosophy/free-software-for-freedom.en.html making this issue even more confusing. There are many non ethical open-source licenses and obfuscated codes but saying that free software is better than open-source in general is like saying that official facebook app (binary blob available for free) is better than telegram app (open source client available only with commercial and centralized backend https://en.wikipedia.org/wiki/Telegram_(software)#Security ). We need updated, clearer and more explicit definition (not just better or worst intuitions) of the perfect free, open-source, secure, reproducible and bootstrappable hardware/software/system that could unite us again. If RMS/FSF/GNU/Free Software go down now, we are defeated and we let those corporations control every single citizen on this planet. This organizations and individuals are helpful but not crucial. Control of resources never last forever https://www.youtube.com/watch?v=NKkvPxYNh9A
Re: Truth matters when writing software and selecting leaders
On 3/30/21 7:10 PM, Jean Louis wrote: * Martin [2021-03-30 19:58]: You may, but we don't, as it is vague term. On GNU website, we never use "open source" to refer to free software, as we have to promote freedom. what's your definition of freedom then? For me both cases are not precise and lead to misinterpretations. I don't see the reason to limit my vocabulary from the words you and your organizations simply don't like. But nobody asks you to limit, it is recommendation for every human to be precise how they express themselves. In general, free software is free as in freedom. Open source in general may be proprietary software, see non-free Debian open source repository, it is full of proprietary software that is open source. It is vague. What kind of free in freedom you see in GNU binary seeds that are not bootstrappable? Is it really better than Debian open-source drivers for commercial blobs that are isolated in different repository disabled by default to fulfill the DFSG requirements? I probably have more years than you, so I am aware of the movement called "open source" and licking asses of corporations. "free software" movement is actively endorsing a lot of projects that are not bootstrappable for many years. This is like a gift for corporations who can freely exploit your resources. Does the GNU "free software" definition is protected under some trademark laws? If not than why you blindly assume that everyone should use it as it only please you? I don't. I said in this GNU environment, on mailing lists, in contributions, in publishing, designations and similar, we strive to use proper terminology to express the purposes of free software philosophy better, it is voluntarily. And how you protect your self from internal manipulations? Not so long time ago a person who was able to use text editor or any simple applications in the first computers were considered as advanced user. Actually, the other way around. First micro computer users were assembling their micro computer at home, later programming it as there was no software available. Using editors and if not editors, then interactive editing environments such as BASIC shell, LOGO shell, including assembly, machine language, that was daily routine for the end users back then. It's good that you mentioned that, because in the beginning actually everything was bootstrappable, and nowadays almost nothing - how bizarre is our evolution of freedom. In the early internet years people were putting in their Resume abilities of using web browsers, etc. Nowadays almost every end user is verifying PGP signatures, it's not a rocket science anymore. People are sand-boxing many layers of their working environments, using chroots, jails, containers, various virtualization, etc. You speak of developers, they are now many, but not proportionally many as in early years of micro computing era, since about begin of 1980. Number of developers is today so much less proportionally to number of computers - we are under developed in 2021. Sorry, what you mention is not what end users are. I meet end users every day, they use computers for DVD, movies and music, sharing files by using USB, some of them know how to write a letter, and some will even make a presentation. That is largest majority of computer end users. What you are talking about? No one is using DVD anymore. DVD has died like floppy disks many years ago. Today end users mostly are sharing and casting complex streams of media. To setup recording environments people are using very advanced tools for editing, encoding/decoding, encrypting, data synchronizations, backups, etc. Moreover thanks to fintec and cryptocurrency more and more people are paranoic about security, using some external crypto hardware devices, complex signing procedures, etc. Don't forget about IoT gadgets, electric cars, drones, smart homes, 5G, etc. There is a devops profession that fully automate complex pipelines and craft a fully transparent recipes so the end user can just click a button to trigger reproducible-builds, bootstrappability, verification, testing, fuzzing, sanitazing and many other features for their software in some nice CI/CD fashion. > No. Sorry, I do not share opinion that end user is triggering reproducible-builds, and if it is just by click of a button, that end user, without knowledge of underlying software, does not need reproducible build -- as that requires serious knowledge to verify what is going on really. We are all advanced users, so in that term of end user how you mentioned it, I understood it as majority of common computer users. But you speak of developers. Bitcoin HOLDers are more gamblers than advanced users, but yet even they are able to compile from scratch their nodes and verify its reproducible in order to keep as safe as possible their investments. The is a reason why BTC blockchain is considered as the safest public l
Re: Truth matters when writing software and selecting leaders
On 4/13/21 8:20 PM, Jean Louis wrote: * Martin [2021-04-13 20:41]: Live-bootstrap (still under early development state at the moment) is a pure bare metal project aiming to be used before involving any OS. Kernel blobs are out of scope for them, because linux-kernel in general is not capable to operate on 8bit processor with 300bytes of ROM and a single 4bits of RAM - the hardware requirements for hex0 you can build from scratch i.e.: https://www.nand2tetris.org/ . But yes if you really want you could also setup it on some over-complicated hypocritical Cloud environment based on Microsoft Windows Guest Virtual Machines powered by Guix linux-libre KVM Hosts (another not fixable freedom bug in "free software"^tm). Do I understand it well: - there must be some computer with a chip that is programmed by which method? Maybe physical switches? Then the chip spit the first binary which is used to create programming languags? - or is there maybe some editor, so when small 8 bit CPU starts, user can enter some information and file is generated? Basically it's about reinventing the wheel https://web.archive.org/web/20120127144927/http://www.cs.ncl.ac.uk/research/pubs/books/papers/133.pdf . But nowadays we have many different computer architectures, designs, tools, development boards, fpga implementations, virtual machines, blockchain technologies, etc https://en.wikipedia.org/wiki/Comparison_of_instruction_set_architectures . You have a full freedom of choosing your best CPU and how to speak with it. For now most of the attention is focused on the mainstream x86, arm and RISCV hardware but it could be also ported to any other exotic arch, i.e.: https://b1391bd6-da3d-477d-8c01-38cdf774495a.filesusr.com/ugd/56440f_96cbb9c6b8b84760a04c369453b62908.pdf I don't think someone would like to repeat the https://en.wikipedia.org/wiki/Volkswagen_emissions_scandal even though some corrupted VW cars are still on the streets. You said it there in a good example. People driving will not necessarily get informed of security issues. Drivers in this context are not the main target of this VW scandal. It's just a top global politics and their dirty games with CO2 emission speculative trading, which is basically a brute-force way to enforce additional tax for the car manufactures and any other big industries. Btw. it looks like the recent SolarWinds big scandal could be also prevented by bootstrappability and reproducible-builds: https://arxiv.org/abs/2104.06020 as that is exactly how Telegram is doing it, but currently FSF endorses distributions with software that interacts with Skype, Telegram, Twitter, etc. On the other hand campaign is there, money is paid for decentralization of Internet, but FSF endorsed distributions still partially work to centralize Internet. It's the main reason why I started to write in this thread. In my opinion FSF needs some serious internal refactoring, fresh global view of all the current and possible future threats and a serious new strategy how to effectively counter-measure it.
Re: Risks of deterministic builds (was: Re: Truth matters when writing software and selecting leaders)
On 4/6/21 7:40 AM, Jean Louis wrote: * Jacob Bachmeyer [2021-04-06 05:39]: Exploits are easier to develop when hardcoded offsets, virtual addresses, etc. can be used. In a "binary monoculture" environment, that is possible. This contributes to and worsens security problems in proprietary software, which is almost always distributed as a single identical set of binaries. If you have a source code that types of exploits are also easier to detect. Besides you can always compile your software with different flags then the one used by default. Reproducible-builds just gives you information that for a fixed environment you have the fixed binaries but usually the combinations of settings are very wide and it's only up to you how your binaries are distributed in the end. Reproducible builds are useful for validating the compiler, but there is a potential downside in that they make any exploit that can be found in the reproducibly built program much more reliable, since everyone will have exactly identical binaries. Note that this is an identical risk with binary distributions: if you simply install the binaries form Debian, an exploit can be tuned to Debian's version of that binary and it will work on your machine. So far debian is still one of the safest linux distribution in the world. Anyway even debian is giving you the option to compile all their software from source codes and again you can tune it as you like in your custom dev environment producing completely different binaries than others do. That is right. From practical viewpoint, among milions and millions of users, when it comes to validating compiler, they would have to validate the reproducible build with comparison to something. Benefits of reproducible builds thus depend of number of people validating it and reporting problems. It depends of publicity of problems and research. Small group of people may do the work, but they cannot possibly make sure to do the work for ALL distributions and for all people. Thus practically for an individual it means nothing, unless individual is highly skilled to verify internals of the compiler, and we have plethora of compilers on every single GNU/Linux operating system. Thus whole countries may be converted into spying backdoor teams by using marketing of reproducible builds of packages that people cannot really verified. Reproducible build of system is not yet reality. We hope for it in future. Maybe freedom in "free software" shouldn't require from the code to be open neither. Let's just blindly trust some saint developers who cannot even control their own binaries. Actually today we are closer and closer to that sad scenario like never before in the history, because in fact most of the open-source and GNU "free software" nowadays base on blackboxed binary seeds that cannot be verified by the users not even by the core developers.
Re: Truth matters when writing software and selecting leaders
On 4/5/21 5:52 PM, Jean Louis wrote: I do understand the strive to perfectionism and there are projects like Guix which strive to reach the point you are talking. Maybe such projects can become bootstrapping distributions for other distributions which cannot or did not reach that far yet. Guix is nice but at the moment it requires Guile(approx 20mb of binaries) to bootstrap itself. Better solution is https://github.com/fosslinux/live-bootstrap - there are even plans to integrate it with Guix directly, Debian and many other projects. What means "to trust" compiler? We already trust our compilers, obviously. We have confidence, faith in compilers and people making it. Free software is insecure and we trust people behind distributions. We have only freedom to verify it though largest majority of users including programmers cannot possibly verify free software on a system as it would take a life time. OpenBSD people are verifying the system for decades they still did not finish. It is never ending story. Well I don't trust compilers like any other software and I don't trust any people behind them. The biggest advantage of open-source, gnu freedom "free software", etc in general is just the ability to verify the code itself. There are still many difficulties and limited ways to do it but it doesn't mean the verification effort is pointless. I believe in the future where all the basic computer hardware/software/systems could be formally verified and audited by anyone and in any time. People should be able to build from very scratch, from nand logical gates and below to complex linux riscv machines and above to have full control in all that process. Small simple concepts like transparency, reproducible-builds, bootstrappability, simplicity, minimalism, etc are very essential to reach that perfect goal. Maybe you wish to say we have to control compiler, but compiler is huge, not even compiler developers can know what is everything inside, they always find some new problems to solve. Hopefully there are still alternatives, and if GCC won't fix itself on time than it gonna die by natural selection.
Re: Truth matters when writing software and selecting leaders
On 4/12/21 4:53 PM, Jean Louis wrote: Guix is nice but at the moment it requires Guile(approx 20mb of binaries) to bootstrap itself. Better solution is https://github.com/fosslinux/live-bootstrap - there are even plans to integrate it with Guix directly, Debian and many other projects. That is great. Yet, that project does not support fully free OS, as if they accept kernel blobs, that defeats the purpose of bootstrapping and reproducing. Comparison table says that Guix version would run with Linux-libre kernel only, while their version runs with any kernel. Which means introducing blobs for some reason. Unknown for now. Live-bootstrap (still under early development state at the moment) is a pure bare metal project aiming to be used before involving any OS. Kernel blobs are out of scope for them, because linux-kernel in general is not capable to operate on 8bit processor with 300bytes of ROM and a single 4bits of RAM - the hardware requirements for hex0 you can build from scratch i.e.: https://www.nand2tetris.org/ . But yes if you really want you could also setup it on some over-complicated hypocritical Cloud environment based on Microsoft Windows Guest Virtual Machines powered by Guix linux-libre KVM Hosts (another not fixable freedom bug in "free software"^tm). Well I don't trust compilers like any other software and I don't trust any people behind them. I do, as I am forced to do so. It is one type of lock-in. Practically it means little as software security does not depend on compilers only. Whole chain has to be verified. Making an automated process to compile one from each other does not make it enough safe IMHO. Even if whole chain is verified, who is to guarantee that it was verified? So for users, those verifications mostly do not matter. There is NO WARRANTY whatsoever for most or all of free software, most of times. For users thus practically, it does not matter. Those efforts are though much appreciated. I like practical solutions, but I do welcome all boostraping and reproducible build efforts. Sadly I would not know how to contribute to it, other but building it and verifying small portions of the process myself. Machine language I have used to create games, it requires some patience, but not more patience than learning any programming language. I would like to verify the first binary that is entered and to know how it is entered. It is not large, it may be verified and better described. Scientific papers are also full of hidden or disclosure errors, but it doesn't mean theoretical studies are bad because of this inevitable side effects. In fact perfect abstractions are very useful in practice even though you will never rich them directly. In real world there is no such think like 100% security, but still we always want to be as close as possible to that imaginary point. Besides machine code could be really fun as well http://tom7.org/abc/ The biggest advantage of open-source, gnu freedom "free software", etc in general is just the ability to verify the code itself. We can do that for all source packages, but not for easy for the compiler chain and not easy for binaries created by the compiler chain. easy problems are boring There are still many difficulties and limited ways to do it but it doesn't mean the verification effort is pointless. I believe in the future where all the basic computer hardware/software/systems could be formally verified and audited by anyone and in any time. Let us say they are audited by entities, or persons A, B, C. What true security does it mean for users? I say none. It just increases illusion of safety to a certain degree, but it is far from trusting it. There are millions of users. They have to trust their distributions, they have no control of verification. Now, what if verification finds something is wrong? Millions of users will still continue using malicious software, it is practically taking place every day millions of times. I don't think someone would like to repeat the https://en.wikipedia.org/wiki/Volkswagen_emissions_scandal even though some corrupted VW cars are still on the streets. Besides reproducible-bulds and bootstrappability are not only about the security. These concepts can really help you to understand and control your computer system by eliminating any unnecessary random, obscure, dirty and undefined behaviors from your code. These kind of projects are easier to maintain, test, optimize, extend, etc. People should be able to build from very scratch, from nand logical gates and below to complex linux riscv machines and above to have full control in all that process. Small simple concepts like transparency, reproducible-builds, bootstrappability, simplicity, minimalism, etc are very essential to reach that perfect goal. That is pleasure in exercise in computing. Something that each student of CS should start with, I would include the hex0 initial stage as a lesson in every CS course. Just that goal is
Re: using GPL api to be used in a properietary software
Stefaan A Eeckels [EMAIL PROTECTED] writes: Here's the definition of a derivative work, taken (without permission, but fair use (still) applies :-) from 101 USC 17: | A derivative work is a work based upon one or more preexisting | works, such as a translation, musical arrangement, dramatization, | fictionalization, motion picture version, sound recording, art | reproduction, abridgment, condensation, or any other form in which a | work may be recast, transformed, or adapted. A work consisting of | editorial revisions, annotations, elaborations, or other | modifications which, as a whole, represent an original work of | authorship, is a derivative work. Here's the definition of such as, taken from 101 USC 17 as well: | The terms including and such as are illustrative and not | limitative. I find it unconvincing to argue that a program is not a derivative work of a dynamic library just because this case is not properly covered by a non-limitative list of illustrations. Martin ___ Gnu-misc-discuss mailing list Gnu-misc-discuss@gnu.org http://lists.gnu.org/mailman/listinfo/gnu-misc-discuss
Re: using GPL api to be used in a properietary software
Stefaan A Eeckels [EMAIL PROTECTED] writes: As I said earlier in this thread, it is _not_ a matter of law, but of morality. It is abundantly clear that the FSF considers any form of linking to a library as preparation of a derivative work, and as such, we all should simply honour the wishes of the copyright holders not to link non-Free software to GPLed libraries. It seems rather risky (if not foolish) to me to rely solely on morality when it comes to defending freedoms. And I don't see a need for that. To the best of my knowledge, none of the few who have seriously tried to circumvent the GPL have prevailed in court. Martin ___ Gnu-misc-discuss mailing list Gnu-misc-discuss@gnu.org http://lists.gnu.org/mailman/listinfo/gnu-misc-discuss
Re: using GPL api to be used in a properietary software
Alexander Terekhov [EMAIL PROTECTED] writes: it went for EURO 6.50 on ebay a couple of weeks ago. http://cgi.ebay.de/ws/eBayISAPI.dll?ViewItemitem=7133325141 A few years ago, I crossed a street at a red traffic light. Nothing happend; I wasn't punished in any way. Therefore, it is now clearly proven that pedestrians are allowed to ignore traffic lights at will, right? Martin ___ Gnu-misc-discuss mailing list Gnu-misc-discuss@gnu.org http://lists.gnu.org/mailman/listinfo/gnu-misc-discuss
Re: using GPL api to be used in a properietary software
Alexander Terekhov [EMAIL PROTECTED] writes: Case closed. You really seem to believe that your statements somehow become correct if you try to behave like a judge. Martin ___ Gnu-misc-discuss mailing list Gnu-misc-discuss@gnu.org http://lists.gnu.org/mailman/listinfo/gnu-misc-discuss
Re: Web versions
w do YOU determine if your emacs is actually compiled from a free software source?). But the reasoning behind the necessity for a mechanism in the case of web applications (JS/WA or otherwise) is well explained in the article. Seeing the OP, initially I thought it was completely uncontroversial to add a compilation target such as WA to a gnu package if there is a use case for it. Especially since the platform is conceivably free software (a browser) -- unlike, say, the M1 platform. But apparently not. The reasoning behind it is, however, unclear to me. - Martin signature.asc Description: Message signed with OpenPGP
Re: Web versions
> On 13. Mar 2021, at 16:48, Alfred M. Szmidt wrote: > > Sounds like multi-user UNIX-like system, or modern GNU/Linux > multi-user system. > > On a multi-user system you can keep your own files in our home > directory. You can decide to copy a program you like from one > location to your home directory. > The same is true for JS/Webassembly. In fact, one could argue that this is a significant part of the value offering (offline use of the web application). You can copy the whole site offline and continue using it. Yes, there MAY be interaction with a REST API, but that is a completely different story not directly related to webassembly at all. > With Webassembly / Javascript (specifically in the form of SaSS) you > are at the mercy of whoever is hosting the program to run it. This issue is completely unrelated to the technology. You are at the mercy of the (HTTP!) hoster of the software repos you use in your distro. It is simply by the fact that the distro project (may!) state that you receive free software. The same can be and is done for web applications. Reproducible builds may help a savvy user to confirm if trust is not enough. But the same could be done for WA. The application it self may rely on communication with a remote systems. But I though this is what AGPL is for. > Maybe > even depending on that site for storing your data. The issue is > _intent_ of how these things are to be used -- depriving users of how > they can run their programs. Have you tried running emacs on a C64 recently? You will have to modify the source to compile it to the platform. You can do the same even if the source also happens to compile and run as webassembly or ELF. > > The suggestion in this thread was to make GNU port to webassembly, and > then be run in a web browser, from someone elses machine. > No, it was not: " ince WebAssembly is now a reality, maybe you guys should get to making the browser versions of LL your software? " A browser version can be a webextension. It can also be provided through a webserver (see distribution repository). As it happens, if it were to be provided as a web extension it would likely be possible to provide it through the distribution repositories as well. Which shows how bizzare the argument is. In fact, a "browser version" can even be a full browser including the application! (e.g. mattermost) Yes, ugly, but that is not the point. > In my opinion question is if that all is free software. Not if it runs > remotely. > > That it is free software is a side issue. Sometimes the issues of > software freedom are not just about the four freedoms. Yes, but it is completely unclear from this thread what the issue actually is. "You are not sufficiently in control" is not it. BR signature.asc Description: Message signed with OpenPGP
Re: Web versions
> On 14. Mar 2021, at 12:57, Schanzenbach, Martin > wrote: > > > >> On 13. Mar 2021, at 16:48, Alfred M. Szmidt wrote: >> >> Sounds like multi-user UNIX-like system, or modern GNU/Linux >> multi-user system. >> >> On a multi-user system you can keep your own files in our home >> directory. You can decide to copy a program you like from one >> location to your home directory. >> > > The same is true for JS/Webassembly. In fact, one could argue that this > is a significant part of the value offering (offline use of the web > application). > You can copy the whole site offline and continue using it. > Yes, there MAY be interaction with a REST API, but that is a completely > different > story not directly related to webassembly at all. > >> With Webassembly / Javascript (specifically in the form of SaSS) you >> are at the mercy of whoever is hosting the program to run it. > > This issue is completely unrelated to the technology. > You are at the mercy of the (HTTP!) hoster of the software repos you use in > your > distro. It is simply by the fact that the distro project (may!) state that you > receive free software. The same can be and is done for web applications. > Reproducible builds may help a savvy user to confirm if trust is not enough. > But the same could be done for WA. > The application it self may rely on communication with a remote systems. But > I though this > is what AGPL is for. > Maybe here is where we can actually untie the knot. The issue is the software architecture. It can be abused by having the local application heavily depend on the backend. Sometimes this is necessary (see email). But I guess you could formulate guidelines in this regard. But I think it is important to look at such technology without prejudice. The current reality includes much more than SaaS. And implementing a GNU package probably would not result in such an architecture anyway. It (Webassembly) would be an organic compilation target. As mentioned having GNU tools available on machines you do not have control over (i.e. your friends machine) makes this infinitely valuable IMO. >> Maybe >> even depending on that site for storing your data. The issue is >> _intent_ of how these things are to be used -- depriving users of how >> they can run their programs. > > Have you tried running emacs on a C64 recently? You will have to modify the > source to compile it to the platform. You can do the same even if the source > also happens to > compile and run as webassembly or ELF. > >> >> The suggestion in this thread was to make GNU port to webassembly, and >> then be run in a web browser, from someone elses machine. >> > > No, it was not: > > " > ince WebAssembly is now a reality, maybe you guys should get to making the > browser versions of LL your software? > " > > A browser version can be a webextension. It can also be provided through a > webserver (see distribution repository). > As it happens, if it were to be provided as a web extension it would likely > be possible to provide > it through the distribution repositories as well. Which shows how bizzare the > argument is. > > In fact, a "browser version" can even be a full browser including the > application! (e.g. mattermost) > Yes, ugly, but that is not the point. > >> In my opinion question is if that all is free software. Not if it runs >> remotely. >> >> That it is free software is a side issue. Sometimes the issues of >> software freedom are not just about the four freedoms. > > Yes, but it is completely unclear from this thread what the issue actually is. > "You are not sufficiently in control" is not it. > > BR > signature.asc Description: Message signed with OpenPGP
Re: Web versions
> On 16. Mar 2021, at 06:07, Jacob Bachmeyer wrote: > > Colby Russell wrote: >> On 3/15/21 9:02 PM, Jacob Bachmeyer wrote: > [...] >> > One of the rationales presented to me (off-list) for this was that a >> > WebAssembly port of GNU could be run as a web app and therefore be >> > "always up-to-date" >> >> Despite quoting the salient parts from The JavaScript Trap, you have >> regressed to committing the same error of critiquing the computing model >> of traditional web apps, which is, once again, totally irrelevant. It >> is neither here nor there. Here you do it again: >> >> > Web apps stored on "the cloud" are bad [...] Porting to "the Web" is >> > simply not practical or appropriate >> >> Please, please stop using this kind of sleight of hand to redirect the >> context to web apps and "the cloud". "The cloud" and "the Web" are >> _simply_not_relevant_ to the computing model described above, which >> treats the browser as a runtime which can be targeted during compilation >> and which you happen to get "for free" on upwards of 90% of personal >> computing devices, *NOT* as a thin client that you all keep insisting >> on. > > The original poster who started this discussion (and does not seem to have > actually replied to the list even once afterwards...) directly told me (and > possibly others) off-list that avoiding package management tasks (which "the > cloud" is well-known to promise to "magically" handle for you) was one of his > goals. > >> It's as if there's a short-circuit in at least half of respondents' >> brains that prevents them from engaging in any way without at some point >> insisting that this *MUST* involve cloud architecture and SaaS-like web >> apps being the central focus. It is _absurd_ that it takes this much >> energy to continually refute this over and over. Ideally, it shouldn't >> have to occur even a single time, but failing that, once should suffice. >> At this point, I have to wonder how many times this has to be pointed >> out? Is there any number which would be sufficient? > > We are in violent agreement here, but the original poster clarified > (off-list) that SaaS-like services were exactly what he wanted. > > > I am beginning to suspect that we have all been trolled, especially since > giving those extra details to only some participants would be likely to cause > violent discussion between those (including me) who were told (off-list) what > the original poster was actually requesting and those (presumably including > you) who are still thinking of the general case, where Free software *can* be > packaged using the "Web platform" as a portable runtime. Mozilla's XULRunner > was a closely-related example, and I believe that there are similar current > "Web app on local storage as desktop app" runtimes currently maintained. > > If this was a troll, it has been quite successful -- just look at all the > vitriol and hot air in this thread. We all seem to have been had. > Obviously the OP was a tongue-in-cheek kind of question. But this should not prevent us from lucidly reflecting on the topic and find truth in the joke; to then find common ground. However, from my (brief) experience here in this ML, this discussion is a disaster. It is not even a discussion. Some replies here a display of ignorance combined with superstition and outright hostility. No effort is made to understand the issue and preconceived talking points are thrown out seemingly at random. A magnificent display of what goes wrong when you religiously believe and are unable to actually apply your values to developments in the world. Which is why I stopped replying. It was a disappointing experience and I see no basis for discourse. > > On a side note, at what point does it become appropriate to forward replies > received off-list to the list when bad faith is suspected? > > > -- Jacob > signature.asc Description: Message signed with OpenPGP
Re: Web versions
Hi, I am confused regarding the issues raised here against "porting" a GNU package to WebAssembly and would very much welcome clarification. As Jacob pointed out, WA can be considered (mostly) a compilation target from my experience. I have used emscripten (LLVM) before to do this IIRC for C programs. So a Free Software browser offering a WebAssembly API and offering support for GNU packages is a problem how? Saying that webassembly is "even more obfuscated" than javascript does not make sense to me either, as a compiled program is always "obfuscated" to a user. So how is a Debian package of a webextension which includes a GNU package compiled to WebAssembly different from the same Debian package of the GNU package compiled against the native libc? Isn't webassembly in contrast an opportunity to bring GNU packages as webextensions into the browser without falling into the JS trap?? BR Martin > On 9. Mar 2021, at 15:01, Taylan Kammer wrote: > > On 08.03.2021 18:59, Jacob Bachmeyer wrote: >> Taylan Kammer wrote: >>> On 06.03.2021 22:30, Jacob Bachmeyer wrote: >>> In times like that, I wish I had quick >>> access to some Unix-like environment with helpful tools like netcat and >>> nmap on the client's end. >>> >>> If I could just open a browser on the client's PC and visit a website >>> that boots up a GNU/Linux with useful tools like that, it would be >>> pretty amazing. >> >> The problem is that to be able to implement tools like that, the browser >> would need to offer access to the local network at a level that would be >> a serious security risk. While nmap and netcat/socat can be great for >> development and troubleshooting, they are also great for an intruder's >> recon efforts to prepare further intrusions. 8-| Do you want ad >> companies routinely port-scanning your LAN? > > Browsers already offer websites the ability to access your microphone, > camera, GPS location, and even *screen contents* (!). Any sane browser > of course asks the user on a per-website basis whether the user would > like to allow this. > > From a quick web search I found out that there's already a draft for a > filesystem API that allows write access and working with directories: > > https://wicg.github.io/file-system-access/ > > I'm not really happy at *all* with the state of the WWW, but it mostly > has to do with the choices website developers make rather than what > browsers are capable of. > > In principle I see little difference between trusting Debian's package > database so much that I never have second thoughts while running > "apt-get update && apt-get upgrade", and trusting a specific website so > much that I have no second thoughts about them changing the "source > code" of a browser-based application they host. > > Preferably of course, such an application would be released under the > AGPL, with a clear indication of what version one is using, and a way > for the browser to checksum the whole application to rule out "sneaky" > changes that aren't reflected in the version number. > > With the way the web continues to evolve I wouldn't be surprised if this > becomes a major way of rolling out arbitrary cross-platform software in > the future. If that happens, I would definitely want to see GNU and the > larger free software community be a part of that future. > > > - Taylan > signature.asc Description: Message signed with OpenPGP
