[Trisquel-users] Re : Web Browser

2018-02-04 Thread lcerf
In some jurisdictions, they cannot be "public domain", unless their authors  
died at least 70 years ago, which I very much doubt.  They are probably  
distributed under a so-called "permissive license" (aka "lax license", aka  
"pushover license"), which lets anyone do anything they want with the work.   
Including changing its license for a proprietary software license.


The other category of free software licenses are copylefted licenses, such as  
the GNU GPL.  Using a copylefted license, your work cannot end up in  
proprietary software.  It is the whole point of the copyleft: preventing the  
middleman from stripping out the freedoms you want to give to whoever uses  
your work, modified or not.  See https://www.gnu.org/copyleft/


Now, if the programs you are referring to do not bear any license, they are  
"all rights reserved", hence proprietary, under the Berne convention.  See  
https://www.infoworld.com/article/2615869/open-source-software/github-needs-to-take-open-source-seriously.html  
for instance.  Here is an excerpt:


You don't have to include a copyright statement for your creative work to be  
under copyright. In any country that's a signatory to the Berne Convention,  
copyright -- or stronger -- is the default as soon as something is created.  
If you completely ignore the subject, all your work is copyrighted to you (or  
to your employer in many cases), and anyone who copies it to use or improve  
it is in breach of your copyright.


See https://www.gnu.org/licenses/license-list.html for a long list of  
licenses.  For free software licenses, the description usually tells whether  
the license is permissive or copylefted.  About "Public Domain", that page  
says:


If you want to release your work to the public domain, we encourage you to  
use formal tools to do so. We ask people who make small contributions to GNU  
to sign a disclaimer form; that's one solution. If you're working on a  
project that doesn't have formal contribution policies like that, CC0 is a  
good tool that anyone can use. It formally dedicates your work to the public  
domain, and provides a fallback license for cases where that is not legally  
possible.


And about CC0:

CC0 is a public domain dedication from Creative Commons. A work released  
under CC0 is dedicated to the public domain to the fullest extent permitted  
by law. If that is not possible for any reason, CC0 also provides a lax,  
permissive license as a fallback.


[Trisquel-users] Re : Web Browser

2018-02-03 Thread lcerf
This is sheer nonsense and yet another attempt to renew someone's favorite  
discussion about 4 freedoms and all the rest of it.


Everybody can observe that you are, once again, the one bringing back the  
four freedoms.


The GitHub repo I opened will use "The Unlicense" which means no copyright  
and restrictions/regulations.


No copyright would actually mean the classical copyright, under the Berne  
convention.


I will never accept anything from anyone who tells me "I can potentially  
help" and then imposes regulations on that "help" (however 'ethical' anyone  
may consider that).


Whatever.  Good luck with your GitHub repository that only contains a license  
file (where is the "software" the license is talking about?):  
https://github.com/anchev/user.js


[Trisquel-users] Re : Web Browser

2018-02-03 Thread lcerf
Without a © it is basically public domain, and cannot be subjected to a  
license.


If only that could be the case!  Unfortunately, under the Berne convention  
(signed by almost all the countries in the world), the copyright is  
automatic.  The "classical" copyright I mean.  Where you are basically free  
to do nothing.  That is why I wanted to add a copyright notice: to not be  
told I released proprietary software!


I do not think I am anonymous (there is a link to my Web page on my profile).  
 But anyway, you are right, there is no reason not to be clear.  So here are  
again the two scripts with copyright notices:


#!/bin/sh
# Copyright 2018 Loïc Cerf (lc...@dcc.ufmg.br)
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or (at
# your option) any later version.
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# General Public License for more details.
# See .
if [ -z "$1" ]
then
    printf 'Usage: %s prefs1.js ...\n' "$0"
    exit
fi
printf '# key'
# GNU mktemp requires at least three X's in the template
TMP=`mktemp -dt all_prefs.XXXXXX`
trap "rm -r $TMP 2>/dev/null" 0
keys=$TMP/$(seq -s " $TMP/" $#)
values=$TMP/$(seq -s ".val $TMP/" $#).val
mkfifo $TMP/keys $keys $values
# List, in alphabetic order, all keys in at least one input file
grep '^ *user_pref *( *"' "$@" | cut -d \" -f 2 | sort -u | tee $keys > $TMP/keys &
for k in $keys
do
    # The file name is data, not a printf format
    printf '\t%s' "$1"
    # List the value in "$1" associated with every key or "undef"
    grep '^ *user_pref *( *"' "$1" | cut -d \" -f 2- | tr -d "$(printf \\t)" | sed -e 's/" *, */'"$(printf \\t)"/ -e 's/ *) *; *$//' -e 's, *) *; *//.*$,,' | sort -ut "$(printf \\t)" -k 1,1 | join -t "$(printf \\t)" -a 1 -e undef -o 2.2 $k - > $k.val &
    shift
done
printf '\n'
paste $TMP/keys $values

#!/usr/bin/awk -f
# Copyright 2018 Loïc Cerf (lc...@dcc.ufmg.br)
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or (at
# your option) any later version.
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# General Public License for more details.
# See .
BEGIN { FS = "\t" }
{
    # Count the files defining the key; skip the key if two values differ
    val = ""
    n = 0
    for (i = 2; i <= NF; ++i)
        if ($i != "undef") {
            if (val == "") val = $i
            else if ($i != val) next
            ++n
        }
    # Keep the key if at least half of the NF - 1 files define it
    if (2 * n + 1 >= NF)
        print "user_pref(\"" $1 "\", " val ");"
}


[Trisquel-users] Re : Web Browser

2018-02-02 Thread lcerf

Here is a small AWK program that processes the output of the previous script:
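#!/usr/bin/awk -f
BEGIN { FS = "\t" }
{
    # Count the files defining the key; skip the key if two values differ
    val = ""
    n = 0
    for (i = 2; i <= NF; ++i)
        if ($i != "undef") {
            if (val == "") val = $i
            else if ($i != val) next
            ++n
        }
    # Keep the key if at least half of the NF - 1 files define it
    if (2 * n + 1 >= NF) {
        print "user_pref(\"" $1 "\", " val ");"
    }
}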

It does the same as https://github.com/jm42/compare-user.js, i.e., "adds a  
preference if there are >=50% [of the prefs.js/user.js files in argument of  
my previous script] with the same value and there no other value.  The output  
file is already a valid file to include in your profile directory".  Using  
the same four user.js files as earlier, only 60 keys satisfy the constraints:  
the output is attached.


By the way, all the software I write, including the two scripts in this  
thread, is under the terms of the GNU General Public License version 3 or any  
later version.


[Trisquel-users] Re : Web Browser

2018-02-01 Thread lcerf
I removed the tabs right before the sed call.  The end of the lines were not  
removed when there was a comment afterwards: the last sed substitution is for  
that.  Finally I was assuming the keys would be defined at most once per file  
but "ghacks" makes jokes with several definitions of a same "_user.js.parrot"  
key: I now just keep one of the definitions.


Here is the fixed script:
#!/bin/sh
if [ -z "$1" ]
then
    printf 'Usage: %s prefs1.js ...\n' "$0"
    exit
fi
printf '# key'
# GNU mktemp requires at least three X's in the template
TMP=`mktemp -dt all_prefs.XXXXXX`
trap "rm -r $TMP 2>/dev/null" 0
keys=$TMP/$(seq -s " $TMP/" $#)
values=$TMP/$(seq -s ".val $TMP/" $#).val
mkfifo $TMP/keys $keys $values
# List, in alphabetic order, all keys in at least one input file
grep '^ *user_pref *( *"' "$@" | cut -d \" -f 2 | sort -u | tee $keys > $TMP/keys &
for k in $keys
do
    # The file name is data, not a printf format
    printf '\t%s' "$1"
    # List the value in "$1" associated to every key or "undef"
    grep '^ *user_pref *( *"' "$1" | cut -d \" -f 2- | tr -d "$(printf \\t)" | sed -e 's/" *, */'"$(printf \\t)"/ -e 's/ *) *; *$//' -e 's, *) *; *//.*$,,' | sort -ut "$(printf \\t)" -k 1,1 | join -t "$(printf \\t)" -a 1 -e undef -o 2.2 $k - > $k.val &
    shift
done
printf '\n'
paste $TMP/keys $values

Its output when given the four user.js files that  
https://github.com/jm42/compare-user.js considers is attached.


That's very nice of you but perhaps it would be better to refactor it so that  
it is self explanatory (comments etc).


I added two comments.  The script is like 20 lines long.  There is not much  
to refactor.


We could probably make an interface (a form) with default and recommended  
values and a column in which the user can enter values (or pick from  
existing). Then a simple 'Submit' button would be able to generate the  
user.js.


That would be a separate project that could take at input the output of this  
script (maybe to fill up a database).  I will not write any PHP.  I can write  
Shell command lines or AWK programs that process the table the above script  
outputs.
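
An added example, not part of the original post or of its author's scripts: the fixed script keeps one definition when a file repeats a key, as ghacks does with "_user.js.parrot". Firefox applies the definitions in file order, so the last one is in effect; the function below lists the repeated keys whose values differ, with that last value. The names dup_prefs and sample_user_js and the sample lines are constructed for this example.

```sh
#!/bin/sh
# Added example: report keys a user.js/prefs.js defines more than once with
# different values. Firefox applies the definitions in file order, so the
# last value is the effective one.

# Constructed sample input (not one of the files discussed in the thread).
sample_user_js() {
    cat <<'EOF'
user_pref("_user.js.parrot", "START");
user_pref("browser.safebrowsing.phishing.enabled", false);
user_pref("_user.js.parrot", "0100 syntax error");  // section marker
user_pref("toolkit.telemetry.enabled", false);
  user_pref( "toolkit.telemetry.enabled" , false ) ; // same value again
user_pref("_user.js.parrot", "SUCCESS");
EOF
}

# dup_prefs [FILE]: read FILE (or standard input) and print one tab-separated
# line per conflicting key: key, number of definitions, last value.
dup_prefs() {
    awk '
    /^[ \t]*user_pref[ \t]*\([ \t]*"/ {
        line = $0
        sub(/^[^"]*"/, "", line)             # drop up to the opening quote of the key
        q = index(line, "\"")                # closing quote of the key
        if (q == 0) next                     # malformed line: no closing quote
        key = substr(line, 1, q - 1)
        val = substr(line, q + 1)
        sub(/^[ \t]*,[ \t]*/, "", val)       # drop the comma before the value
        sub(/[ \t]*\)[ \t]*;.*$/, "", val)   # drop ");" and any trailing comment
        if (++count[key] == 1) order[++nkeys] = key
        else if (val != last[key]) conflict[key] = 1
        last[key] = val
    }
    END {
        for (i = 1; i <= nkeys; i++) {
            key = order[i]
            if (key in conflict)
                printf "%s\t%d\t%s\n", key, count[key], last[key]
        }
    }' "$@"
}

# Demonstration on the constructed sample
sample_user_js | dup_prefs
```

Like the sed expressions in the thread, the value extraction assumes that no string value contains ");".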


[Trisquel-users] Re : Web Browser

2018-01-31 Thread lcerf
Here is a Shell script that creates a table from as many user.js and prefs.js  
files as you want (the only arguments of the script):

#!/bin/sh
if [ -z "$1" ]
then
    printf 'Usage: %s prefs1.js ...\n' "$0"
    exit
fi
printf '# key'
# GNU mktemp requires at least three X's in the template
TMP=`mktemp -dt all_prefs.XXXXXX`
trap "rm -r $TMP 2>/dev/null" 0
keys=$TMP/$(seq -s " $TMP/" $#)
values=$TMP/$(seq -s ".val $TMP/" $#).val
mkfifo $TMP/keys $keys $values
grep '^ *user_pref *( *"' "$@" | cut -d \" -f 2 | sort -u | tee $keys > $TMP/keys &
for k in $keys
do
    # The file name is data, not a printf format
    printf '\t%s' "$1"
    grep '^ *user_pref *( *"' "$1" | cut -d \" -f 2- | sed -e 's/" *, */'"$(printf \\t)"/ -e 's/ *) *; *$//' | sort -t "$(printf \\t)" -k 1,1 | join -t "$(printf \\t)" -a 1 -e undef -o 2.2 $k - > $k.val &
    shift
done
printf '\n'
paste $TMP/keys $values

After a header, the script outputs one row per key, ordered alphabetically in  
the first column.  There is one additional column per file (in the order they  
are given to the script).  In such a column, the value is "undef" if the file  
does not define the key (present in at least one other file).  Values are  
tab-separated.  The script will work as long as the input files do not  
include any tab (\011).  Supernumerary spaces anywhere in the input files  
should not raise any problem.


For the challenge (performance is not an issue here), I wrote the script  
above under a constraint: to not write anything to the disk.  Only to pipes  
(and the final output is to the standard output, that you can redirect).  As  
a consequence, all the commands executed in the two longest lines and the  
final 'paste' run in parallel.


If you (or somebody else) want(s) explanation about part of the script, I can  
answer.


[Trisquel-users] Re : Web Browser

2018-01-30 Thread lcerf

If you have any better idea let me know.

If you want scripts to handle the table, having tab-separated values (you may  
want to use commas in the cells) looks like a good idea.  What scripts are  
you considering?  I can potentially help with Shell or AWK scripts.


For visualization, a script can convert the table into a HTML table.
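
An added example, not from the thread's author: one way to convert the tab-separated table output by the script in this thread into an HTML table, escaping every cell so that a preference value containing <, & or quotes cannot inject markup into the page, and marking the rows where the files disagree. The function names, the "conflict" class and the sample rows are assumptions made for this example.

```sh
#!/bin/sh
# Added example: turn the tab-separated table into an HTML table.

# Constructed sample in the format the script outputs: a "# key" header,
# then one row per key and one column per input file.
sample_table() {
    printf '# key\ta/user.js\tb/user.js\n'
    printf 'browser.startup.homepage\t"about:blank"\t"https://example.org/?a=1&b=<x>"\n'
    printf 'toolkit.telemetry.enabled\tfalse\tundef\n'
}

# prefs_table_to_html: read the table on standard input, write HTML.
prefs_table_to_html() {
    awk -F '\t' '
    # Escape the characters that are special in HTML text and attributes
    function esc(s) {
        gsub(/&/, "\\&amp;", s)
        gsub(/</, "\\&lt;", s)
        gsub(/>/, "\\&gt;", s)
        gsub(/"/, "\\&quot;", s)
        return s
    }
    NR == 1 {
        # Header row: drop the leading "# " and emit one <th> per column
        sub(/^# /, "", $1)
        print "<table>"
        printf "<tr>"
        for (i = 1; i <= NF; i++) printf "<th>%s</th>", esc($i)
        print "</tr>"
        next
    }
    {
        # A row is a conflict when two files define the key with different values
        first = ""; conflict = 0
        for (i = 2; i <= NF; i++)
            if ($i != "undef") {
                if (first == "") first = $i
                else if ($i != first) conflict = 1
            }
        printf "<tr%s><th>%s</th>", (conflict ? " class=\"conflict\"" : ""), esc($1)
        for (i = 2; i <= NF; i++) printf "<td>%s</td>", esc($i)
        print "</tr>"
    }
    END { if (NR > 0) print "</table>" }'
}

# Demonstration on the constructed sample
sample_table | prefs_table_to_html
```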


[Trisquel-users] Re : Web Browser

2018-01-30 Thread lcerf

This is nonsense.

There is sense: the telemetry component of Firefox sends anonymized data that  
help Firefox's development, safe search warns about phishing and malware,  
etc.


I am honestly tired of reading preaching about the 4 divine commandments  
which nobody cares to exercise in practice and just waits for the next listed  
recommendation.


Firefox used by anybody to browse any site is freedom 0 in practice.   
Administrations and companies customizing Firefox for their needs are  
exercising freedom 1.  Firefox in the repository of GNU/Linux distributions  
is freedom 2 in practice.  And, again, Firefox's forks are freedom 3 in  
practice.


Forks have arisen. Some claim they fix the issues. And they don't. And you  
still defend their bible.


What fork did I defend?  I do not defend Firefox's default configuration  
either.  Even less its adoption of EME.  I defend the free software  
definition, which has nothing to do with what the software does but that you  
keep on blaming for not providing you the software you want.


You just sit and evaluate what another one does and whether it conforms to  
the 4 divine commandments or not. And although I have asked a question  
explicitly saying to leave for a moment these 4, you are back to all that.


You asked "Where is the community who has the 'freedoms' to modify things  
when such critical issue is found?" and I only replied to that.  Now you  
wrongly claim the four freedoms are not "exercised in practice".  So, you  
(not me) are the one "back to all that".  You blame the free software  
definition for not providing you the software you want.  If the community  
does not bring you the software you want, it probably is because it has  
different views than yours.  "Different views than yours" is what you call  
"nonsense".


Like I have said since the beginning of this thread, the privacy concerns you  
raise are interesting.  I hope your advocacy will lead to more  
privacy-respecting Web browsers.  Unfortunately, labeling every opinion  
different than yours as "nonsense" is not helping...


I also hope you will eventually understand that "privacy" and "freedoms" are  
orthogonal issues.  Imperfection (which includes privacy issues) is not the  
same as oppression.  In other words, imperfection is not a reason to blame  
the free software definition, which has nothing to do with what the software  
does.


[Trisquel-users] Re : Web Browser

2018-01-30 Thread lcerf
Where is the community who has the 'freedoms' to modify things when such  
critical issue is found?


There are many Firefox forks, which would be impossible without freedom 3.  If  
none fixes what you call "critical issues", it is because their communities  
do not see those as critical issues.  Thanks to freedom 3, another fork can  
arise to fix the "critical issues".  You can push in that direction or, like  
you do (and it is indeed better to not scatter the development effort), try  
to convince the developers of Firefox (or of one of the derivatives) that the  
issues you point out are indeed critical and ought to be addressed, despite the  
associated loss in functionalities.


[Trisquel-users] Re : Web Browser

2018-01-26 Thread lcerf
Trisquel 7 now has Abrowser 58, based on the same version of Firefox,  
released two days ago.


[Trisquel-users] Re : Web Browser

2018-01-25 Thread lcerf
I think the effort should be concentrated on top management of Mozilla (how?  
I don't know).


As a developer told heyjoe in his first bug report:

Bugzilla is not the place to discuss these topics; the governance mailing  
list might be the right place for it:

https://lists.mozilla.org/listinfo/governance
https://bugzilla.mozilla.org/show_bug.cgi?id=1424781#c14


[Trisquel-users] Re : Web Browser

2018-01-17 Thread lcerf
sloccount "only" finds 9.1 million lines of code in  
https://archive.mozilla.org/pub/firefox/releases/57.0.4/source/firefox-57.0.4.source.tar.xz  
:


$ sloccount firefox/
(...)
SLOC    Directory       SLOC-by-Language (Sorted)
1455904 media           cpp=721654,ansic=571438,asm=95277,python=40386,java=13344,sh=9841,perl=2410,objc=895,xml=384,lisp=258,sed=17
1112010 gfx             cpp=875484,ansic=186829,asm=43360,python=3053,yacc=1737,lex=951,sh=329,objc=123,perl=112,xml=22,awk=10
890116  dom             cpp=857389,python=27930,xml=4623,perl=89,sh=85
766429  security        ansic=530818,cpp=155678,asm=48901,sh=17876,python=6211,xml=4679,perl=1856,lex=306,yacc=79,sed=15,csh=10
699234  js              cpp=625919,ansic=38409,asm=12643,sh=12341,python=9018,exp=499,perl=376,xml=29
574349  third_party     ansic=313892,python=83331,cpp=79774,xml=54230,asm=21179,sh=15902,perl=2317,ada=1681,pascal=1138,cs=879,exp=22,awk=4
471389  modules         cpp=269920,ansic=189121,python=6774,sh=3957,xml=1132,perl=340,awk=142,sed=3
387225  layout          cpp=378933,python=4561,xml=2717,perl=513,sh=501
325043  mobile          java=296871,xml=26932,python=759,cpp=424,sh=57
324290  intl            cpp=284757,ansic=30062,sh=3935,perl=3358,xml=1905,python=255,sed=18
300401  testing         python=196969,xml=75531,cpp=19160,ansic=4495,perl=2959,sh=676,php=444,ruby=150,csh=17
299856  toolkit         cpp=224818,xml=35203,ansic=21372,sh=11029,python=4056,objc=2799,asm=372,perl=204,ruby=3
267014  netwerk         cpp=182180,ansic=84551,python=257,sh=26
126832  db              ansic=126832
123144  xpcom           cpp=114588,python=4058,asm=3027,ansic=1429,perl=42
122439  widget          cpp=116317,ansic=6122
120401  nsprpub         ansic=112756,sh=3474,cpp=2802,asm=826,perl=405,python=138
117148  ipc             ansic=54399,cpp=53748,python=8466,sh=535
114541  browser         cpp=85427,xml=23658,python=5402,sh=54
60582   parser          cpp=36285,java=12610,ansic=11668,xml=19
58302   accessible      cpp=57597,ansic=267,xml=255,python=183
52690   editor          cpp=48291,python=4382,sh=17
50635   python          python=49672,xml=895,sh=68
35605   image           cpp=35452,ansic=153
32536   mfbt            cpp=29541,ansic=2915,sh=80
32214   tools           cpp=26016,python=3957,perl=1269,sh=972
28242   other-licenses  cpp=22434,ansic=3083,python=2612,pascal=113
25167   extensions      cpp=24951,sh=216
22581   build           python=8529,cpp=8380,sh=3710,java=1637,ansic=317,perl=8
20683   docshell        cpp=20660,perl=21,xml=2
18734   servo           python=17854,sh=531,java=256,xml=67,ansic=26
16720   taskcluster     python=13477,sh=2866,xml=377
14779   uriloader       cpp=14779
10824   storage         cpp=10824
10568   mozglue         cpp=10251,ansic=303,python=14
9780    memory          cpp=7647,ansic=1214,python=919
9417    rdf             cpp=9417
8646    xpfe            cpp=7316,xml=1330
4197    caps            cpp=4197
3952    config          python=2852,ansic=659,perl=405,asm=34,xml=2
2980    devtools        cpp=2883,python=78,sh=12,xml=7
2959    hal             cpp=2959
2214    chrome          cpp=2214
2043    view            cpp=2043
1070    startupcache    cpp=1070
751     services        cpp=471,xml=200,python=80
397     top_dir         python=226,sh=171
130     embedding       objc=74,sh=37,cpp=19
9       probes          python=9
0       gradle          (none)

Totals grouped by language (dominant language first):
cpp:       5434669 (59.48%)
ansic:     2293130 (25.10%)
python:     506468 (5.54%)
java:       324718 (3.55%)
xml:        234199 (2.56%)
asm:        225619 (2.47%)
sh:          89298 (0.98%)
perl:        16684 (0.18%)
objc:         3891 (0.04%)
yacc:         1816 (0.02%)
ada:          1681 (0.02%)
lex:          1257 (0.01%)
pascal:       1251 (0.01%)
cs:            879 (0.01%)
exp:           521 (0.01%)
php:           444 (0.00%)
lisp:          258 (0.00%)
awk:           156 (0.00%)
ruby:          153 (0.00%)
sed:            53 (0.00%)
csh:            27 (0.00%)

Total Physical Source Lines of Code (SLOC)                = 9,137,172
Development Effort Estimate, Person-Years (Person-Months) = 2,883.25 (34,599.01)
 (Basic COCOMO model, Person-Months = 2.4 * (KSLOC**1.05))
Schedule Estimate, Years (Months)                         = 11.06 (132.67)
 (Basic COCOMO model, Months = 2.5 * (person-months**0.38))
Estimated Average Number of Developers (Effort/Schedule)  = 260.78
Total Estimated Cost to Develop                           = $ 389,487,939
 (average salary = $56,286/year, overhead = 2.40).
SLOCCount, Copyright (C) 2001-2004 David A. Wheeler
SLOCCount is Open Source Software/Free Software, licensed under the GNU GPL.
SLOCCount comes with 

[Trisquel-users] Re : Web Browser

2018-01-17 Thread lcerf

I discuss _privacy_ issues.

In the excerpt I quoted,  
https://libreplanet.org/wiki/Libre_Browsers_Libre_Formats#Browsers_that_might_seem_free.2C_but_are_not  
is not about privacy.  At all.  Just a precision in my post: not all Firefox  
derivatives do not suffer from the freedom issues that the link points out.   
But Abrowser and IceCat are OK: 100% free as in freedom.


[Trisquel-users] Re : Web Browser

2018-01-17 Thread lcerf
Chromium seems just as non-free as Firefox considering the link shared by  
another poster  
(https://libreplanet.org/wiki/Libre_Browsers_Libre_Formats#Browsers_that_might_seem_free.2C_but_are_not)  
yet for some reason people mention it as free, prefer it, fork it and make  
browsers using the same flawed code which obviously leads to the same privacy  
issues in the forks.


The forks do not have the (real) *freedom* issues that the link points out.   
Privacy issues are not freedom issues.


[Trisquel-users] Re : Web Browser

2018-01-14 Thread lcerf

I don't know if you understand what I am saying.

I do not.  Since you are redefining words, it is not surprising.  The  
definitions of freedom you list match the one I gave you.  They do not say  
"freedom means no limitation" (like you wrote).  That is fortunate because  
your definition is useless: since you can always make up things nobody can do  
(go back in time, turn into a tomato, etc.), nobody is and can ever be "free"  
by your definition!


Freedom has no opposite.

Yes, it has: slavery.  Freedom is having no master, "exempt from; not in  
bondage, acting of one's own will" (the definition you give!).  It is not  
"being unlimited".


It is the least worse for the moment.

So, you now recognize that there are "levels of privacy respects".  I mean if  
it was 0/1, like you pretended earlier, writing "the least worse for the  
moment" would make no sense.


And that is due to the poor design.

What?  Why is "the poor design" (of what?) the reason people are more at risk  
of being duped by phishing?


It is possible to have TOR-ed nodes which pull them and host them.

That is against the Terms of Service (see my reply to SuperTramp83).

Exactly. But nobody pulls the cord (except RMS perhaps).

Contrary to you, RMS trusts the free software community.  He believes in  
the collective control of the software through freedom 3.  He neither reads  
nor wants to read all the source code of the programs he uses.


Still I don't claim to be no expert, technology moves too fast to follow  
every aspect of it.


That is true for everybody.  We are all limited, i.e., nobody is free and can  
be free by your useless definition of freedom.  Yet you want the source code  
of every program to be understandable by everybody, even non-programmers.  It  
is simply impossible.


Where is the source code?

In the hands of its only user, Google, that is in control, as it should:  
https://www.gnu.org/philosophy/network-services-arent-free-or-nonfree.html


I think services can be privacy respecting without having to trust a mid-man.

Yes, they can.  But being privacy-preserving has nothing to do with being  
free/proprietary.  They are two separate (and both important) issues.


Then I am waiting to see the lines of code with explanation proving that it  
is incorrect, so that everyone can understand it.


It is incorrect that "exercising the freedom 1 is a next to impossible  
effort which obviously nobody would waste time on" (as you wrote).  Take  
https://hg.mozilla.org/mozilla-central/file/tip/toolkit/components/telemetry/TelemetryScalar.cpp  
as a random example.  Many different people edited it (they need to study it  
before doing so!) and there are certainly many more users who read it without  
proposing changes:  
https://hg.mozilla.org/mozilla-central/log/tip/toolkit/components/telemetry/TelemetryScalar.cpp


You are mixing different things.

My sentence was not clear: airports that force you to enter a body scanner  
(where you almost appear naked) are *more* invasive than those only requiring  
your ID.  There are "levels of privacy respects".


Trying to justify these privacy violating things by evaluating them through  
FSF's 4 freedoms is meaningless.


Indeed.  I repeat that since the beginning: privacy is a feature, not a  
freedom.  That does not mean it is not important.  It is just a separate  
issue.  Software should always be free, controlled by its users.  Any piece  
of software can be free.  Its authors only have to distribute it under a free  
software license.  In contrast, we cannot expect the software to be 100%  
secure + 100% privacy-respectful + 100% efficient + 100% user-friendly + 100%  
accessible + 100% localized + 100% [add here your favorite feature].  Not  
only does it require a lot of work but it usually is impossible to have all that.  
 There are physical limitations.  There are trade-offs too.


[Trisquel-users] Re : Web Browser

2018-01-14 Thread lcerf

Like I wrote to heyjoe:

Distributing the lists is not the hard part. Creating them is. It involves  
crawling the Web and processing every page (Google does so in parallel  
virtual machines):  
https://www.usenix.org/legacy/events/hotbots07/tech/full_papers/provos/provos.pdf


You cannot just redistribute Google's data:

Unless expressly permitted by the content owner or by applicable law, you  
will not, and will not permit your end users or others acting on your behalf  
to, do the following with content returned from the APIs:


Scrape, build databases, or otherwise create permanent copies of such  
content, or keep cached copies longer than permitted by the cache header;


https://developers.google.com/terms/


[Trisquel-users] Re : Web Browser

2018-01-14 Thread lcerf
In any case, technically it is possible to get information without losing  
privacy. Example: you turn on the radio and you listen to music.


For Safe Browsing that would mean continuously broadcasting to all online  
systems hundreds of thousands of unsafe URLs:  
https://support.google.com/transparencyreport/answer/7381518/#size-of-blacklist


*That* (not adding noise) would be extremely inefficient.  And why stop  
there?  By your logic, every website should continuously broadcast whatever  
they host to all online systems!


Freedom means no limitations.

No it does not.  You are not less free because you cannot fly, for instance.   
Freedom means "exemption from *external* control, interference, regulation,  
etc." (emphasis is mine): www.dictionary.com/browse/freedom


As I wrote: being in control of your *own* life.

Same here.

So you agree that the enhanced security your parents get is worth the privacy  
they give up?  Don't you think most users are like your parents and less like  
you?


The first thing that comes to mind - torrents, mirrors (like we have for  
FOSS). There are other means too perhaps. Example: encouraging ISPs to keep a  
local mirror on the gateways, proxies. It is possible.


Distributing the lists is not the hard part.  Creating them is.  It involves  
crawling the Web and processing every page (Google does so in parallel  
virtual machines):  
https://www.usenix.org/legacy/events/hotbots07/tech/full_papers/provos/provos.pdf


The problem is that trust implies faith which is not facts.

Trusting nobody, not even free software communities, and not being a  
programmer, you should stop using software.  All of it.


Google's servers are not less proprietary.

Google's server (the software they run on their side) is trivially free:  
there is one single user and it has all four freedoms.  On the contrary,  
Windows is distributed to many users that do not have the control they  
deserve on it.  Maybe you wanted to write "Google's services" but services  
cannot be said free/proprietary:  
https://www.gnu.org/philosophy/network-services-arent-free-or-nonfree.html


I would be happy to see that sending my IP address periodically with "noise"  
to Mozilla, Amazon or whoever is worth it.


You apparently think it is worth it on your parents' computer.

which means that nobody (except Mozilla) really knows what is going on (even  
they needed time to check). So exercising the freedom 1 is a next to  
impossible effort which obviously nobody would waste time on.


That is not correct.

Telemetry means remote measuring. Measuring means getting the value of a  
physical quantity and comparing it to a standard value.


You file a bug in the "telemetry" component of Firefox.  Whether you like it  
or not, "telemetry" means something precise in this context: it is the  
component that collects usage information and sends it to Mozilla, the source  
code in toolkit/components/telemetry/.  To argue for general policy changes,  
you were invited to write to https://lists.mozilla.org/listinfo/governance


They give new meaning to the words and argue over them just for the sake of  
argumentation.


How should Firefox's telemetry component be called?

Which implies that there are levels of privacy respect.

Of course there are.  You may agree to show your ID to take a plane but you  
would not accept nude pictures of you to be taken and published.  There are  
levels of security too.  And of ease of use.  And of performance.  Etc.   
Often, trade-offs between those features (again: they are not freedoms) must  
be sought.  100% privacy would mean not interacting with anybody.  Ever.


One of the biggest issues we face (and RMS will agree to that) is mass  
surveillance.


It is.  But RMS would not agree, not in 2014 and not now, that the free  
software definition has anything to do with what the software does or does  
not.  Neither that it should.


Today we have a system in which not only imperfections are used as backdoors  
but even more - we see how that system deliberately creates imperfections to  
infect the computers at hardware level which even the perfect FOSS cannot  
fix.


Free software developers are humans.  They make errors.  Sometimes bugs that  
become security vulnerabilities.  We cannot promise you to write bug-free  
programs.  But we can respect your freedoms.  Letting you control,  
individually and collectively, the software you use.  Including to fix bugs.


Also Mozilla's programmer clearly said that what I raised is not documented  
publicly.


What matters for freedom 1 is access to the source code.  Anyway, even when  
there is documentation (such as in Safe Browsing's case), you are not happy.   
You want to understand the source code by yourself without being a  
programmer.  You want programmers to make bug-free programs.  You want 100%  
privacy + 100% security + 100% ease of use + 100% performance + etc.  You  
want the impossible.


Unless you think 

[Trisquel-users] Re : Web Browser

2018-01-13 Thread lcerf
The problem with this statement is that you know (or rather can check) only  
what happens on the sending side.


That is correct.  But there is no magic: if you send little information, then  
little information is received on the other side.  If you add noise, the  
receiver can exploit it even less.


That is a basic test which shows if there is a communication or not.

Too basic.  Looking at what is communicated is relevant.

If there is communication and it is not anonymized through TOR (it is not) -  
that obviously is a privacy issue. That is quite simple.


If you consider that having the receiver know your Web browser is opened,  
then yes.  And you should be able to disable the service it provides to stop  
that communication... but if that service is useful and cannot be achieved on  
your own computer (it is not SaaSS), then it does require communication and  
you may decide it is worth giving the information required to get the  
service.


Are privacy and security 2 incompatible mutually exclusive concepts? Or  
rather because someone has designed a program in a way in which you must  
sacrifice one for the other?


It is physically impossible to request information from a third party without  
communication.  For example, you cannot ask whether a site is phishing  
without communication.  You have to either choose privacy (no  
communication) over security (no warning about phishing) or the opposite  
(communicating the relevant information to receive the warnings).  To make  
that choice, looking at what is actually communicated (how much privacy is  
sacrificed) is relevant to most users.  If you consider that no service is  
worth communicating your IP address, then, really, there is no need to look  
at what is communicated... and you should stay offline (when you access this  
forum, Trisquel knows about it, your ISP too).  Since you are online, you  
actually accept to send the relevant information (lose some privacy) to do  
whatever you do online.


If you seek for compromise what happens is giving up freedom in exchange for  
convenience?


You need not compromise on freedom.  You should always stay in control of  
your own life.  In computing, that means only using free software.  There is  
no physical impossibility here (whereas requesting information without  
communication is impossible): every piece of software can be and should be  
free software.


Meanwhile Intel ME can be sending data to organization X "User N, located ...  
is currently admiring the source code of Hello world".


Yes.  Intel ME, like any piece of software, can be and should be free  
software.


There are organizations which consider that censoring entire geographic  
regions from accessing particular websites is a useful feature for the safety  
of the region. Should we agree to that too?


No.  And that has absolutely nothing to do with our conversation.

There is enough evidence that the price people pay for using all kinds of  
"useful features" is pretty high.


"All kinds of useful features" is too general to state anything about them.   
Again: details matter.  I explained to you the price of receiving warnings about  
phishing.  You can consider that price too high.  Other users, most users I  
believe, consider it is not.  I have Safe Browsing disabled because I do not  
think I need it.  However, I leave it enabled on my parents' computer (that I  
administrate).


I disagree to the centralized nature of it held in the hands of a single  
entity which can control it.


There is a performance compromise too.  I do not think (I may be wrong)  
anybody knows how to have a distributed Safe Browsing system that would not  
significantly slow down page loading.  Do you know?


As long as we cannot check for ourselves what exactly is happening on the  
other side of the wire it is all wishful thinking.


There is no magic: if you send little information, then little information is  
received on the other side.  If you add noise (like Firefox does with Safe  
Browsing), the receiver can exploit it even less.


Suppose I am the victim. I (a layman) don't know. I (a non-programmer) have  
not checked the source code. I (an average user) am forced to trust because  
there is a huge mountain of information which I need to dig in order to find  
out the truth, it is growing every day and a lifetime wouldn't suffice for  
it. But still I refuse to trust articles and want truth, not words, because I  
don't want to depend on another. I don't want my child (if I have one) to be  
tracked, logged, turned into a cog of a huge machine. What am I to do?


You trust the community.  Even if you were a programmer, it is impossible to  
read all the software you run: a lifetime is not enough.  Exercising a  
collective control over the software is the reason for freedom 3.


If you do not want to trust the community, then you should stop using  
software.  I see no other possibility.  The four freedoms do not solve 

[Trisquel-users] Re : Web Browser

2018-01-13 Thread lcerf
Yeah, as I said a truly libre and privacy friendly browser would not come  
with a ton of antiprivacy nonsense and a user should not have to do such a  
hard work to 'clean it up'.


Taking a look at outgoing connections is not enough to deem how  
privacy-respectful a feature is.  And that feature has advantages too.  A  
compromise has to be sought.  What I am saying is: details matter.


Take Safe Browsing for example.  The feature you manually disable after  
copying pyllyukko's user.js.  That feature aims to warn a user who is about  
to access a page that is known for phishing or about to download known  
malware.  Let us agree it is a useful feature.


Now, you know Google is actually managing the lists of pages known for  
phishing or of known malware.  If you stop your investigation at that point,  
you may believe that every URL that ends up in your address bar is sent to  
Google along with your IP address.  *That* would be a privacy nightmare not  
worth the enhanced security... but SafeBrowsing, in Firefox, does not work  
that way.


https://feeding.cloud.geek.nz/posts/how-safe-browsing-works-in-firefox/  
explains how it works.  And anybody can check whether it is true, thanks to  
freedom 1.  In the case of phishing:


- Every 30 minutes, Firefox downloads, from a Safe Browsing server, a list of  
  4-byte hashes of URLs, which were deemed unsafe since the last update;
- Whenever the user is about to visit a page, the hash of its URL (excluding  
  what is following a possible "?" in the URL) is compared with those in the  
  local lists (no outgoing connection here);
- If it is not found, the page is displayed; otherwise the 4-byte hash is sent  
  to a Safe Browsing server which returns all unsafe URLs matching the hash  
  (there may be several: hashes suffer from collisions) and Firefox locally  
  checks whether one of them is the URL to be accessed (if so, the warning is  
  displayed; otherwise the page);
- To enhance privacy, Firefox requests, from time to time, the URLs of random  
  hashes taken in the list.



So, through Safe Browsing, Google only knows:

- every 30 minutes, that an IP address has a Web browser opened;
- that the user may (or not: because Firefox adds noise) have visited a URL  
  whose hash was sent: it may be one of the unsafe pages having this hash or a  
  safe page with the same hash.



Not the privacy nightmare a naive implementation would yield.  Safe  
Browsing's protection against malware is more intrusive.  To block malware,  
even if it comes from unlisted pages, metadata about all binaries Firefox is  
about to download are sent to a Safe Browsing server.  The risk of installing  
malware for GNU/Linux is probably not worth the privacy loss.  That is why  
Abrowser disables that part of Safe Browsing by default.


You see: a compromise is sought between security, privacy, performance and  
ease of use (Firefox's preferences only propose a global switch to disable  
Safe Browsing as a whole).  The balance between those features (again:  
security, privacy, performance, ease of use, ... are features/capabilities,  
not freedoms) cannot suit every user.  But it is not "antiprivacy nonsense": for  
most users, being warned that a page is phishing (maybe imitating the page of  
your bank) is worth having Google know every 30 minutes that they have a Web  
browser opened and having it possibly guess (with a rather small probability)  
that they visited some specific pages.


Especially when Google has many more reliable ways to profile users (i.e.,  
I very much doubt Google uses Safe Browsing to do so): the advertisement it  
displays on most of the Web, the Google+ buttons, the Google fonts most of  
the Web pages download from Google, Google Analytics, which dominates the  
market, etc.


In Firefox's preferences, the check box "Allow Firefox to send technical and  
interaction data to Mozilla" globally enables/disables Mozilla's telemetry.   
heyjoe's bug, filed against the "telemetry" component, pretended the  
opposite.  He had not understood that the settings in about:config depend on  
each other: if datareporting.healthreport.uploadEnabled (the setting that can  
be set from the preferences) is false, no telemetry is sent, whatever the  
values of other entries in about:config that stand for more specific tunings  
of the telemetry component.  That is why the bug was closed with the status  
"WORKSFORME".  Telemetry allows the developers to discover bugs and know how  
the browser is used.  They can then make it evolve the way the community  
wants it to evolve.  https://bugzilla.mozilla.org/show_bug.cgi?id=1424781#c4  
says "[Mozilla] only collect[s] anonymous usage statistics like how often  
Firefox crashes and how quickly the javascript garbage collector runs".  It  
continues:


But you don't have to trust us, you can check:
If you enjoy reading bugs, please browse "Toolkit::Telemetry" for bugs about  
preferences and what they do. If you enjoy reading C++ and JavaScript, 

[Trisquel-users] Re : Web Browser

2018-01-09 Thread lcerf
There are two claims in there, as freedom (in the software sense) and privacy  
are two important but separate issues. I agree that Firefox does not  
adequately respect privacy, but it is free software which is why it is  
possible to create Firefox derivatives that improve the software with respect  
to privacy.


Well said.  heyjoe raises interesting privacy concerns.  It is unfortunate he  
pretends they are freedom issues.  They are not.  That makes his arguments  
look bad, including on Mozilla's bug tracker:


It is a shame that generally a useful technical investigation is made all but  
useless by waving "freedom 0" around here. Your freedom is about the user  
using the program in any way you like - not having the program or the vendor  
DO exactly what YOU want. Hence the other freedoms to achieve that.

https://bugzilla.mozilla.org/show_bug.cgi?id=1424781#c16

https://www.gnu.org/philosophy/imperfection-isnt-oppression.html starts with:

When a free program lacks capabilities that users want, that is unfortunate;  
we urge people to add what is missing. Some would go further and claim that a  
program is not even free software if it lacks certain functionality — that  
it denies freedom 0 (the freedom to run the program as you wish) to users or  
uses that it does not support. This argument is misguided because it is based  
on identifying capacity with freedom, and imperfection with oppression.


The issues heyjoe raises are not lacks of capabilities but undesired  
capabilities or, to be more precise, capabilities whose side effects  
(potential spying) make them undesirable.  Yet, the same rationale applies.   
Ubuntu's spyware was a similar issue (although worse imho: even the main goal  
of the capability was not laudable) as those heyjoe points out.  The conclusion  
of https://www.gnu.org/philosophy/ubuntu-spyware is not that freedom 0 is  
tainted.  Not at all.  It is:


What's at stake is whether our community can effectively use the argument  
based on proprietary spyware. If we can only say, “free software won't spy  
on you, unless it's Ubuntu,” that's much less powerful than saying, “free  
software won't spy on you.”


Another problem, that  
https://bugzilla.mozilla.org/show_bug.cgi?id=1424781#c14 clearly states, is  
that Firefox/Chromium's bug tracker is not the place where policies are  
discussed.  They are places for specific technical issues.  And heyjoe does  
not seem to understand even simple technical explanations (e.g., that the  
check box "Allow Firefox to send technical and interaction data to Mozilla"  
switches datareporting.healthreport.uploadEnabled and that, once "false", all  
"telemetry" configs become moot: no telemetry is sent).


Finally, I do not understand heyjoe's conclusion, in this thread:

Mozilla seems not to care at all. Chromium developers replied much more  
sanely and as a whole Chromium so far seems the most privacy respecting  
browser


On Mozilla's side he got an invitation to argue for policy changes in  
https://lists.mozilla.org/listinfo/governance and several statements like:


No user should ever have to go into about:config to do anything as important  
as preserve their privacy. We take user control and user privacy too  
seriously to hide it away. It's the reason we have such rigorous review on  
the data we _do_ ask to collect, and the reason we only collect anonymous  
usage statistics

https://bugzilla.mozilla.org/show_bug.cgi?id=1424781#c4

On Chromium's side:

I guess your feature request boils down to "Create a setup in Chrome such  
that no network communication happens in the background." I acknowledge this  
feature request but don't think that it is very likely to become a priority  
soon.

https://bugs.chromium.org/p/chromium/issues/detail?id=795526#c2


[Trisquel-users] Re : Web Browser

2018-01-07 Thread lcerf
Indeed.  And using the same source, here is the free software status of  
Chromium (the original question):
Chromium might or might not be free. During the last review, the copyright or  
license of some code was unclear. It also has a similar problem to Iceweasel  
and Firefox in which it links to proprietary plugins. (Chromium should NOT be  
confused with Google Chrome, which shares a codebase with Chromium but is not  
free software.)


For details on the license issues, see the "Blocked on" list on the left of  
https://bugs.chromium.org/p/chromium/issues/detail?id=28291