[Trisquel-users] Re : Free software foundations problems
Indeed. Pyllyukko, who is quite paranoid but honest, even keeps the protection against phishing that Safe Browsing brings: https://github.com/pyllyukko/user.js Honesty is what is probably lacking in somebody who, on the one hand, pretends to be concerned about Google learning too much from Safe Browsing but, on the other hand, tracks the visitors of his website with Google Analytics: https://anchev.net/home.js
[Trisquel-users] Re : Free software foundations problems
A: I see no issue with this at this point. Previously (before WebExtensions) any extension could enable that or make changes to any other preference, but that is all sandboxed away now. *Third-party* attacks concern*ed* RMS. Not Mozilla. Not anymore. As you see - just mitigations, not a fix at the core of things and no plans for one. RMS' answer looks clear: for him, the telemetry component has never been the problem; extensions that could access Firefox's internals (including triggering the collection of sensitive data through the telemetry component) were. WebExtensions has *solved* that problem: "no issue with this at this point". Of course that is much better than default FF settings but still far from a completely clean and trustworthy program which many independent developers have checked. RMS *is* talking about the default Firefox. GNU IceCat, still at version 52, accepts to run XPCOM and XUL extensions. WebExtensions become the only accepted extensions with Firefox 57.
[Trisquel-users] Re : Free software foundations problems
analytics.js is not 10M lines of code. "Unminify" https://chromium.googlesource.com/chromium/src/+/master/chrome/test/data/chromeproxy/extension/google-analytics-bundle.js (about 1300 lines of code) all you want and try to rewrite part of it in understandable JavaScript (with meaningful variable names, comments, etc.) if you really believe it is doable. My posts about the impossibility of exercising freedom 1 were about the large code base of browsers. Studying 10M lines of code is too much work for one single person (who can however focus on a few features or even a whole module). It is not too much work for a whole community. Part of that community actually *wrote* the 10M lines of code. The actual intent is not that because telemetry reports things even without crashes. "E.g." introduces an example. The telemetry module does not exclusively deal with crashes. https://crash-stats.mozilla.org/topcrashers/?product=Firefox=58.0.2 shows how the telemetry data help the developer identify and prioritize bugs that cause many crashes in practice. Yet in combination with "look no further than GNU Icecat" it implies exactly that. No, it does not. And what is "not malicious" then? Unsafe? lol A malicious functionality is, by definition, *designed* to abuse the users. A bug creating a vulnerability is *unintended*. So, yes, "unsafe" software can be "not malicious". Where is the list of vulnerabilities? Here for instance: https://nvd.nist.gov/
[Trisquel-users] Re : Free software foundations problems
But you can unminify it. That's what I meant. It is still difficult to read due to the non-descriptive variable and function names but that is surely easier to reverse engineer than a binary code. Are you the same person who pretends that freedom 1 is not practical because it is too much work to read large source codes?! I may be wrong but it seems to me it contradicts your previous "I have never heard of licensing issues in Firefox." You confuse everything. Many files in Chromium's source code have unclear licensing. That source code includes files under copylefted licenses (and even under incompatible licenses), yet its developers pretend Chromium as a whole is permissively licensed. Those are licensing issues. I have never heard of such licensing issues in Firefox. Mozilla's abusive trademark policy is a completely different problem. It has nothing to do with how the source code is licensed. Well, it is an issue that it exists in the first place and that it is enabled by default. It reveals the intent of the vendor and that is what bothers me. The intent is "improving Firefox by getting usage information, e.g., the state of the browser when it crashes". Add to that the affiliations of that same vendor with PRISMed companies Not the best argument to prefer Chromium, which is mainly developed by Google, listed in the PRISM documents. https://trisquel.info/en/forum/web-browser?page=4#comment-127279 "With a concern for your privacy and safety" does not mean "thoroughly tested". And as a whole: the talks about how malicious non-free software followed by conclusions and advice "that's why you should use free software" definitely creates the implication that free software is safe. "Not malicious" does not mean "safe". Nobody here claims that free software has no vulnerability. Yet consider the above and the reason why people here prefer free software and ask various questions about how to secure their communication and web browsing perfectly etc.
Surely not because they want free telemetry. So this is an issue that needs to be addressed somehow. Your implication "People do not use free software because they want telemetry" => "They do not want telemetry" is wrong. Help Mozilla? The helpless Mozilla corporation? I am not quite sure I get your point. Using the same example as above: knowing the state of the browser when it crashes helps to discover the related bug and fix it.
[Trisquel-users] Re : Free software foundations problems
These make me think that the analytics may be part of the Android version or Chrome (where I assume that being tracked is inevitable). I see no reason why the Android version of Chromium would "need" Google Analytics more than the desktop versions. BTW if https://www.google-analytics.com/analytics.js is unminified it is not impossible to understand what it does. It is minified. Something else which I noticed today: A bug report about Chromium with owner with email address @intel.com (What has Intel to do with Chromium?) That does not prove anything. "You do not have permission to view the requested page. Reason: User is not allowed to view this issue" which is quite strange for an "open source" project. That does not prove anything either. https://trisquel.info/en/forum/web-browser#comment-125929 Jxself points out how Mozilla restricts freedom 2 through its trademark policy. That abuse is a (real) problem that is not related in any way to hypothetical licensing issues in Firefox's code base. Is that not an issue? What do you mean? As long as Firefox's code base does not include GPL code (except for separate binaries), there is no licensing issue. And does it really matter if all the forks (including Tor browser) inherit the telemetry code (and who knows what else) and simply disable it through prefs? It is a completely separate issue. Actually a "non-issue" if it is disabled. Otherwise the recommendation creates the impression that something has been thoroughly tested. I have never seen the FSF pretending that. "Does not include proprietary software at all" should be questioned more deeply because a feature like telemetry is a form of proprietary behavior in which the proprietor collects data. For the nth time, the free/proprietary distinction essentially has nothing to do with what the software does, with its "behavior". Proprietary software is bad even if it does nothing bad, technically. It is bad because it does not leave the users in control of their computing.
The power that the proprietary software developer has over its users is the fundamental injustice. The fact that malware and proprietary software often go hand in hand is a consequence: power corrupts. Most users do not see telemetry as malware and see no reason to remove such a feature. So I think FSF should not recommend any distro which includes a fork of Firefox unless it has been checked that the telemetry code has been completely removed (and not just disabled through prefs). The only difference that it makes is that a user who wants to help Mozilla improve Firefox through telemetry cannot.
[Trisquel-users] Re : Free software foundations problems
I don't think it is not part of the browser (is it?). They are like embedded dependencies. "third_party" contains 3,726,248 lines of code, according to 'sloccount'. They are not included for nothing. https://chromium.googlesource.com/chromium/src/+/master/ui/webui/resources/js/analytics.js only aims to make it easier to include google-analytics-bundle.js ... and that script is itself included by https://chromium.googlesource.com/chromium/src/+/master/ui/file_manager/file_manager_resources.grd among "common scripts" or by https://chromium.googlesource.com/chromium/src/+/master/ui/webui/resources/webui_resources.grd

Excluding "third_party/analytics/", there are 44 files that reference (usually load) one of those four files:

$ grep --exclude-dir=third_party/analytics -e google-analytics-bundle.js -e analytics.js -e file_manager_resources.grd -e webui_resources.grd -lR .
./android_webview/BUILD.gn
./chrome/browser/resources/chromeos/echo/manifest.json
./chrome/common/extensions/docs/templates/articles/analytics.html
./chrome/common/extensions/docs/templates/private/site.html
./chrome/test/data/chromeproxy/extension/_metadata/computed_hashes.json
./chrome/test/data/chromeproxy/extension/detailed_data_usage.html
./chrome/test/data/chromeproxy/extension/popup.html
./chrome/test/data/extensions/network_delay/pjohnlkdpdolplmenneanegndccmdlpc/1.0/analytics.js
./chrome/test/data/extensions/network_delay/pjohnlkdpdolplmenneanegndccmdlpc/1.0/background.html
./components/domain_reliability/baked_in_configs/google-analytics_com.json
./components/test/data/autofill/heuristics/input/115_checkout_walgreens.com.html
./components/test/data/autofill/heuristics/input/116_cc_checkout_walgreens.com.html
./components/test/data/autofill/heuristics/input/147_panera.custhelp.com_app_ask.html
./components/test/data/dom_distiller/core_features.json
./third_party/WebKit/PerformanceTests/Speedometer/resources/todomvc/architecture-examples/angularjs/node_modules/todomvc-common/base.js
./third_party/WebKit/PerformanceTests/Speedometer/resources/todomvc/architecture-examples/backbone/node_modules/todomvc-common/base.js
./third_party/WebKit/PerformanceTests/Speedometer/resources/todomvc/architecture-examples/inferno/node_modules/todomvc-common/base.js
./third_party/WebKit/PerformanceTests/Speedometer/resources/todomvc/architecture-examples/jquery/node_modules/todomvc-common/base.js
./third_party/WebKit/PerformanceTests/Speedometer/resources/todomvc/architecture-examples/preact/dist/todomvc-common/base.js
./third_party/WebKit/PerformanceTests/Speedometer/resources/todomvc/architecture-examples/react/node_modules/todomvc-common/base.js
./third_party/WebKit/PerformanceTests/Speedometer/resources/todomvc/dependency-examples/flight/flight/node_modules/todomvc-common/base.js
./third_party/WebKit/PerformanceTests/Speedometer/resources/todomvc/functional-prog-examples/elm/node_modules/todomvc-common/base.js
./third_party/WebKit/PerformanceTests/Speedometer/resources/todomvc/vanilla-examples/es2015/node_modules/todomvc-common/base.js
./third_party/WebKit/PerformanceTests/Speedometer/resources/todomvc/vanilla-examples/vanillajs/node_modules/todomvc-common/base.js
./tools/check_grd_for_unused_strings.py
./tools/gritsettings/resource_ids
./ui/file_manager/BUILD.gn
./ui/file_manager/audio_player/manifest.json
./ui/file_manager/file_manager/background/js/import_history_unittest.html
./ui/file_manager/file_manager/background/js/media_import_handler_unittest.html
./ui/file_manager/file_manager/common/js/error_util.js
./ui/file_manager/file_manager/common/js/metrics_unittest.html
./ui/file_manager/file_manager/foreground/js/import_controller_unittest.html
./ui/file_manager/file_manager/foreground/js/main_scripts.js
./ui/file_manager/file_manager/manifest.json
./ui/file_manager/file_manager_resources.grd
./ui/file_manager/gallery/manifest.json
./ui/file_manager/image_loader/manifest.json
./ui/file_manager/video_player/manifest.json
./ui/resources/BUILD.gn
./ui/webui/resources/PRESUBMIT.py
./ui/webui/resources/js/analytics.js
./ui/webui/resources/js/jstemplate_compiled.js
./ui/webui/resources/webui_resources.grd

Also, https://chromium.googlesource.com/chromium/src/+/master/chrome/test/data/chromeproxy/extension/google-analytics-bundle.js is another "version" of google-analytics-bundle.js, as obfuscated as the other one, inside the "chrome" folder (rather than "third_party"). https://chromium.googlesource.com/chromium/src/+/master/chrome/test/data/chromeproxy/extension/ contains more obfuscated JavaScript bearing no license notice, e.g., detailed_data_usage_compiled.js: https://chromium.googlesource.com/chromium/src/+/master/chrome/test/data/chromeproxy/extension/detailed_data_usage_compiled.js

Chromium does not connect to Google Analytics (otherwise we should have seen it in tcpdump) Your tests do not show that. Maybe data are sent once 10 MB was collected, maybe only on Halloween day, maybe when the users
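
The same search as the grep in the post above, with the hits sorted into test fixtures, build/resource manifests and everything else so a reviewer can see which references sit in shipped resources. This is an added example, not part of the original post or of Chromium; the bucket rules and the small sample tree are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the post): bucket the hits of the post's recursive
# grep so test fixtures can be told apart from build and resource manifests.
# The bucket rules are assumptions for illustration, not Chromium policy.

# classify_path PATH -> prints "test", "build" or "other"
classify_path() {
    case "$1" in
        */test/*|*/PerformanceTests/*|*_unittest.*) echo test ;;
        */BUILD.gn|*.grd|*/manifest.json)           echo build ;;
        *)                                          echo other ;;
    esac
}

# audit_tree ROOT -> one "<bucket> <path>" line per file naming a searched file.
# -F matches the names literally (the dots are not regex wildcards); the
# third_party/analytics copy is filtered out by path prefix afterwards.
audit_tree() {
    ( cd "$1" || exit 1
      grep -F -lR -e google-analytics-bundle.js -e analytics.js \
           -e file_manager_resources.grd -e webui_resources.grd . |
      grep -v '^\./third_party/analytics/' |
      while IFS= read -r f; do
          printf '%s %s\n' "$(classify_path "$f")" "$f"
      done | sort )
}

# count_bucket ROOT BUCKET -> number of hits in that bucket
count_bucket() {
    audit_tree "$1" | grep -c "^$2 " || true
}

# make_sample_tree -> prints the path of a small constructed tree (not real data)
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/third_party/analytics" "$root/ui/file_manager" \
             "$root/chrome/test/data/ext" "$root/ui/webui/resources/js"
    echo 'minified bundle: analytics.js' > "$root/third_party/analytics/google-analytics-bundle.js"
    echo 'include file_manager_resources.grd' > "$root/ui/file_manager/BUILD.gn"
    echo 'script src=google-analytics-bundle.js' > "$root/chrome/test/data/ext/popup.html"
    echo 'loads google-analytics-bundle.js' > "$root/ui/webui/resources/js/analytics.js"
    echo 'nothing relevant here' > "$root/ui/file_manager/README"
    echo "$root"
}

tree=$(make_sample_tree)
audit_tree "$tree"
rm -rf "$tree"
```

A static listing like this only shows where the files are referenced in the tree; it says nothing about whether or when any of them is loaded at run time.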
[Trisquel-users] Re : Free software foundations problems
Unclear to who? Some lawyer? Seems pretty clear to me. Do you really want a lawyer to tell you what software to use? Or a layman who fails to understand legal terms? I really want the lawyer. The layman may be somebody who believes he understands everything after looking at one single license file. It is not that easy. Opening the "third_party" directory (and, no, I am not saying there is no issue outside "third_party", I have not checked), one can read that https://chromium.googlesource.com/chromium/src/+/master/third_party/README.chromium includes this sentence: Code in third_party must document the license under which the source is being used. Taking a look at the subdirectories of "third_party", I noticed "unrar", which I believed was proprietary. And, indeed, https://chromium.googlesource.com/chromium/src/+/master/third_party/unrar/LICENSE says, among other things: 2. UnRAR source code may be used in any software to handle RAR archives without limitations free of charge, but cannot be used to develop RAR (WinRAR) compatible archiver and to re-create RAR compression algorithm, which is proprietary. I also clicked on the "analytics" subdirectory because I found it interesting that Google Analytics is part of Chromium. There, the main file contains obfuscated JavaScript (which does not qualify as "source code"): https://chromium.googlesource.com/chromium/src/+/master/third_party/analytics/google-analytics-bundle.js There is a license notice in the middle of that obfuscated JavaScript: Portions of this code are from MochiKit, received by The Closure Authors under the MIT license. All other code is Copyright 2005-2009 The Closure Authors. All Rights Reserved. What portions? What MIT license (there are two)? Does "All Rights Reserved" to "the Closure Authors" mean the default (proprietary) copyright?
Clicking on the issues in the "Blocked on" list on the left of https://bugs.chromium.org/p/chromium/issues/detail?id=28291 (which was already pointed out to you several times), one sees that Chromium's source code actually includes hundreds of files with unclear licensing. Finding out the license of the whole program must be fun too. There are components distributed under the terms of the GPLv2: https://chromium.googlesource.com/chromium/src/+/master/third_party/jmake/LICENSE and https://chromium.googlesource.com/chromium/src/+/master/third_party/lcov/COPYING and https://chromium.googlesource.com/chromium/src/+/master/third_party/logilab/README.chromium (with the license file mentioned in that README that is actually missing) and https://chromium.googlesource.com/chromium/src/+/master/third_party/pylint/pylint/LICENSE.txt and https://chromium.googlesource.com/chromium/src/+/master/third_party/speech-dispatcher/COPYING and ... That would suggest the whole program is under the GPLv2. It is not what the Chromium developers say, however. And there are other components with licenses that are incompatible with the GPLv2, e.g., the Apple Public Source License version 2: https://chromium.googlesource.com/chromium/src/+/master/third_party/apple_apsl/LICENSE About the incompatibility: https://www.gnu.org/philosophy/apsl.html