Free Software Foundation's problems

s1lv3r
Offline
Joined: 10/29/2017

Hi everyone,
I wanted to talk about the FSF's problems. This is my point of view, and I wanted to know what you guys think about this topic.
I know that the FSF is a non-profit, but the way they act makes no sense to me.
Here is an example: https://www.gnu.org/distros/free-distros.en.html. This is the FSF's recommended GNU/Linux distros page; many distros here are dead or about to be (with the exception of Parabola and PureOS).
That page is probably the most important one on the GNU website, for obvious reasons, and it is not hard work to update it, but it is like the FSF couldn't care less.
Imagine you are a guy without computer skills. You hear about free software and the FSF and you want to give it a try. You go on the GNU website and choose to download one of the recommended distros, only to find out that the project is either dead or not updated. You probably go back to Windows and think free software is a joke.
I know that the page says that the FSF is not responsible for other web sites, or how up-to-date their information is, but still, these are the best distros for them, and some are far from the best...
This is only bad for the FSF.
Another example: let's talk about Trisquel. I love Trisquel, and I know that it is developed by volunteers, but still, the last release is Trisquel 7 (2014), and I know that Trisquel 8 will be released soon, but 4 years?
This leads to the next point. I found this info on this forum: the FSF hired Ruben (the main Trisquel developer) to work for them, and only recently Ruben started to work full time on Trisquel again.
This is really a bad move by them. What are they thinking?
They should instead hire Ruben to work full time on Trisquel.
Trisquel is the most used and user-friendly FSF-endorsed distro, and they leave the project without a new release?
One of the best FSF-endorsed distros left to die?
What do you guys think?
This post is my opinion; it is not a troll post. If you don't agree, feel free to post why, but please no flames.
As always, sorry for my bad English.
s1lv3r

ADFENO
Offline
Joined: 12/31/2012

> https://www.gnu.org/distros/free-distros.en.html, this is the fsf
> recommended gnu/linux distros page, many distros here are dead or about
> to be (with the exception of parabola and pureOS)

Trisquel, Dyne:bolic, Ututo, and so on are not dead ([1]).

[1] http://lists.nongnu.org/archive/html/gnu-linux-libre/2018-01/msg00002.html .
See the entire thread for proofs and discussion on improvements to the
page you mentioned. The discussion is still going.

--
- https://libreplanet.org/wiki/User:Adfeno
- Speaker and consultant on free/libre /software/ (not to be confused
with gratis).
- "WhatsApp"? It is not free/libre. Please see ways to communicate
instantly with me at the address below.
- Contact: https://libreplanet.org/wiki/User:Adfeno#vCard
- Common files accepted (only without DRM): Corel Draw, Microsoft
Office, MP3, MP4, WMA, WMV.
- Common files accepted and sent: CSV, GNU Dia, GNU Emacs Org, GNU
GIMP, Inkscape SVG, JPG, LibreOffice (ODF standard), OGG, OPUS, PDF
(only without DRM), PNG, TXT, WEBM.

s1lv3r
Offline
Joined: 10/29/2017

Thanks for your answer, ADFENO; the thread you posted is really interesting.

ADFENO
Offline
Joined: 12/31/2012

> Thanks for your answer, ADFENO; the thread you posted is really interesting.

You're welcome! ;)

quantumgravity
Offline
Joined: 04/22/2013

You're making some valid points.
I don't think that the FSF should really "exclude" any of those distros or label it as the "best" or "most recommended" one, but they definitely should make more categories and should put the ones on top that are targeting the broadest audience. "Dragora", for instance, should be listed, but not as present as Trisquel.
Also, it would be good to have a "most actively developed distros" list, excluding ones with little development progress.

s1lv3r
Offline
Joined: 10/29/2017

I totally agree with you. A "most actively developed distros" list would be awesome, and maybe add Uruk and Hyperbola.

CalmStorm

I am a member!

Offline
Joined: 12/31/2014

Yes... this.

Hyperbola deserves to be on that list.

It's like Parabola but with stability and security. :)

CalmStorm

I am a member!

Offline
Joined: 12/31/2014

I have distro hopped between devuan, parabola and trisquel a lot more than a few times.

But I finally found what I was looking for in Hyperbola. One reason being the quick updates feature. Another being that the packages are updated way more often than Devuan's. And the last being, it's all free software, man!

Not to mention for me I am not fond of systemd... some people aren't. I am one of them.

Plus the hardened packages are the cherry on top!

:)

If you need help accessing wifi after you boot into a dm such as lxdm, there is an easy way, nmtui! at least in hyperbola anyways.

But let me tell you something, if you have a libreboot laptop, and are patient enough to do this all at a reasonable pace, FDE!

if not, and you know how to do encrypted /home and root,

then by all means, do so.

But in my opinion, it's easy to install following the instructions as long as you don't want encryption. Although Calamares is in the works...

But yeah, till that is done, I highly recommend being patient with encrypted install. Their libreboot fde install is working nicely, but anything in between may be a little bit harder.

Just my two cents for ya...

GrevenGull
Offline
Joined: 12/18/2017

What's SUSE/openSUSE? An OS?

GrevenGull
Offline
Joined: 12/18/2017

Is it free? It isn't on FSF's list?

ADFENO
Offline
Joined: 12/31/2012

> Is it free? It isn't on FSF's list?

It's not free/libre ([1]), I would suggest that people around here stop
recommending this distro otherwise people might as well start using the
post downvoting system.

[1] https://www.gnu.org/distros/common-distros.html#openSUSE .


akito
Offline
Joined: 05/10/2017

> It is free unless you explicitly add the non-OSS repos.
I agree with you but still it is not 100% ensured free/libre, at any time they may include non-free..

> Where exactly did you read "I recommend"?
It may be because of the sentence: "One of the most popular distros."

>Perhaps it would be a better idea people here to start reading more carefully and stop thinking in binary (free/non-free) because technology and everything around it is much more complicated than the recommendation and the stickers of organization X.

Are you referring to hardware vulnerabilities (Meltdown/Spectre, Intel, proprietary hardware, the other end of the wire, etc.)?
FSF-endorsed free/libre operating systems (software) still ensure that we will have privacy and security, but in the end it depends on your threat model.

Abdullah Ramazanoglu
Offline
Joined: 12/15/2016

> FSF endorsed free/libre operating systems (softwares) still ensures that we will have privacy and security

FSF endorsement is more about the ethical stance of a distro than its security and privacy. Of course, being ethically correct entails the latter ones, but it's not a sine qua non.

For instance, default Debian is found to be ethically incorrect by the FSF, while it doesn't necessarily mean default Debian is less secure than the endorsed distributions.

chaosmonk

I am a member!

I am a translator!

Offline
Joined: 07/07/2017

> It is free unless you explicitly add the non-OSS repos.

If this page

https://en.wikipedia.org/wiki/Comparison_of_Linux_distributions

is accurate then the kernel also has binary blobs, which do not respect freedoms 1 and 3. Whether or not you consider that to be a problem is your decision. I don't want an argument, just to provide this information in case it is useful to you.

If you do wish to install the linux-libre kernel used by Debian and the FSF-endorsed distros, this page

https://www.fsfla.org/ikiwiki/selibre/linux-libre/freed-ora.en.html

may help, if I understand correctly that openSUSE is RPM-based.

Peace.

quantumgravity
Offline
Joined: 04/22/2013

Why are you talking about icecat now? Can't you see that this has zero relevance in the current discussion?

SuperTramp83

I am a translator!

Offline
Joined: 10/31/2014

>openSUSE offers a repository of nonfree software.
>It is free unless you explicitly add the non-OSS repos.

So, if I understand it correctly this non-free repository is disabled by default? That's to say, a user that installs opensuse will only have free software and they need to manually edit a file in order to add the non-free repository?

Abdullah Ramazanoglu
Offline
Joined: 12/15/2016

> unrar: because I need a way to extract rar files when clients send me such. If there is a free alternative to it, I would use it but so far I haven't found one.

Relevant FOSS packages in Debian:

Package: unrar-free
Description-en: Unarchiver for .rar files
Unrar can extract files from .rar archives. Can't handle some archives in the RAR 3.0 format natively. Package "unar" can be used to extract those archives if installed.

Package: unar
Description-en: Unarchiver for a variety of file formats
The Unarchiver is an archive unpacker program with support for the popular zip, RAR, 7z, tar, gzip, bzip2, LZMA, XZ, CAB, MSI, NSIS, EXE, ISO, BIN, and split file formats, as well as the old Stuffit, Stuffit X, DiskDouble, Compact Pro, Packit, cpio, compress (.Z), ARJ, ARC, PAK, ACE, ZOO, LZH, ADF, DMS, LZX, PowerPacker, LBR, Squeeze, Crunch, and other old formats.
.
This package contains the lsar tool which lists the contents of archives and the unar tool which extracts those contents.

quantumgravity
Offline
Joined: 04/22/2013

> So, if I understand it correctly this non-free repository is disabled by default?

I highly doubt it. Look at this article:
https://www.cio.com/article/3003865/open-source-tools/8-things-to-do-after-installing-opensuse-leap-421.html

It lists "eight things to do after installing openSUSE" and it's recommending to install Chrome and stuff, but it nowhere talks about enabling the nonfree repo - I'm pretty sure this kind of article would have recommended enabling nonfree right away at the beginning.
So I guess it is already enabled by default and therefore should not be recommended here.

loldier
Offline
Joined: 02/17/2016

S.u.S.E, SUSE -- one of the oldest still maintained distros. There are two variants: SUSE Linux Enterprise and OpenSUSE. The Enterprise version is a paid, commercial distribution in the same vein as Red Hat. SUSE's logo has a green Gecko lizard.

It originated in Germany in 1994.

CalmStorm

I am a member!

Offline
Joined: 12/31/2014

I have very few if any problems once I have it all installed.

The hardened packages include a network manager and an Iceweasel and Icedove hardener, and the Linux kernel itself is hardened by default.

These basically increase security.

My Libreboot laptop works fine for me. I have an X200 with a P8600. It is almost as fast as my ThinkPenguin Korora Penguin with a 4th-gen processor, which sadly has Intel ME still embedded into it... ;(

By the way, they use stretch as the base for stable and Buster for testing.

They have no unstable or experimental which is why they get updates done quicker.

If debian is difficult, I do not recommend switching to hyperbola yet. Once you figure out debian or devuan then its worth while. :)

CalmStorm

I am a member!

Offline
Joined: 12/31/2014

By harden I mean an increase in security/privacy. That's all I really know.

Of course I also double the protection by using firetools. :)

Most likely though, its some form of sandboxing. ;)

Hyperbola is a stable arch that uses debian packages for stability and security.

debian has buster aka testing, and stretch aka stable.

That's my best answer for ya.

SuperTramp83

I am a translator!

Offline
Joined: 10/31/2014

>Waterfox is also supposed to be a hardened Firefox but it is really the same.

Not really, it's supposed to be a snappier Firefox, if anything.

CalmStorm

I am a member!

Offline
Joined: 12/31/2014

Well, if you want more info you can always ask the hyperbola devs more about it, particularly, emulatorman.

By the way, Waterfox has some issues now, but yeah,

Brave on the other hand, has many more... I wouldn't trust A: Brave, and B: anything based off of chromium... Even Iridium the fully free version... unless they somehow can support firefox addons...

Noscript really does make huge waves for firefox in the way of security/privacy.

ps, the linux libre lts kernel itself is hardened for hyperbola by default.

CalmStorm

I am a member!

Offline
Joined: 12/31/2014

Chromium dials back to Google very frequently. Although if a Chromium-based browser had something similar to a NoScript feature built in + no anti-features of any kind, it would be extremely secure, I am sure.

As for the kernel being hardened for hyperbola, I don't know enough to give you feedback so, sorry fella... ;)

CalmStorm

I am a member!

Offline
Joined: 12/31/2014

so there is a function within chromium like noscript?

Interesting...

and by dials back I mean it reports back to google.

If you know something I don't though, feel free. I haven't used chromium too much... to be honest.

Though if I used anything, it would be iridium the chromium based browser...

its completely free software.

ps, look at libreplanet's reasons why chromium is not to be trusted. Before you respond okay?

Magic Banana

I am a member!

Offline
Joined: 07/24/2010

Unclear to who? Some lawyer? Seems pretty clear to me. Do you really want a lawyer to tell you what software to use? Or a layman who fails to understand legal terms?

I really want the lawyer. The layman may be somebody who believes he understands everything after looking at one single license file. It is not that easy. Opening the "third_party" directory (and, no, I am not saying there is no issue outside "third_party", I have not checked), one can read https://chromium.googlesource.com/chromium/src/+/master/third_party/README.chromium includes that sentence:

Code in third_party must document the license under which the source is being used.

Taking a look at the subdirectories of "third_party", I noticed "unrar", which I believed was proprietary. And, indeed, https://chromium.googlesource.com/chromium/src/+/master/third_party/unrar/LICENSE says, among other things:

2. UnRAR source code may be used in any software to handle
RAR archives without limitations free of charge, but cannot be
used to develop RAR (WinRAR) compatible archiver and to
re-create RAR compression algorithm, which is proprietary.

I also clicked on the "analytics" subdirectory because I found it interesting that Google Analytics is part of Chromium. There, the main file contains obfuscated JavaScript (which does not qualify as "source code"): https://chromium.googlesource.com/chromium/src/+/master/third_party/analytics/google-analytics-bundle.js

There is a license notice in the middle of that obfuscated JavaScript:

Portions of this code are from MochiKit, received by
The Closure Authors under the MIT license. All other code is Copyright
2005-2009 The Closure Authors. All Rights Reserved.

What portions? What MIT license (there are two)? Does "All Rights Reserved" to "The Closure Authors" mean the default (proprietary) copyright?

Clicking on the issues in the "Blocked on" list on the left of https://bugs.chromium.org/p/chromium/issues/detail?id=28291 (which was already pointed out to you several times), one sees that Chromium's source code actually includes hundreds of files with unclear licensing.

Finding out the license of the whole program must be fun too. There are components distributed under the terms of the GPLv2: https://chromium.googlesource.com/chromium/src/+/master/third_party/jmake/LICENSE and https://chromium.googlesource.com/chromium/src/+/master/third_party/lcov/COPYING and https://chromium.googlesource.com/chromium/src/+/master/third_party/logilab/README.chromium (with the license file mentioned in that README that is actually missing) and https://chromium.googlesource.com/chromium/src/+/master/third_party/pylint/pylint/LICENSE.txt and https://chromium.googlesource.com/chromium/src/+/master/third_party/speech-dispatcher/COPYING and ...

That suggests (but I may be wrong: they may all be the source codes for separate binaries) the whole program is under the GPLv2. It is not what the Chromium developers say, however. And there are other components with licenses that are incompatible with the GPLv2, e.g., the Apple Public Source License version 2: https://chromium.googlesource.com/chromium/src/+/master/third_party/apple_apsl/LICENSE

About the incompatibility: https://www.gnu.org/philosophy/apsl.html
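
Added example (not part of the post above and not Chromium project code): one way to automate the manual check the post describes, walking a `third_party`-style tree and flagging components whose license is undeclared or whose named license file is absent. It assumes the `License:` and `License File:` header fields of `README.chromium`; the fallback file names, component names and sample tree are constructed for illustration.

```python
import os
import re
import tempfile
from collections import defaultdict

# Header fields assumed to appear in a README.chromium metadata file.
# [ \t]* (not \s*) so an empty value does not swallow the next line.
FIELD_RE = re.compile(r"^(License File|License):[ \t]*(.*)$", re.MULTILINE)

# Fallback names tried when README.chromium names no license file (assumption).
DEFAULT_LICENSE_NAMES = ("LICENSE", "LICENSE.txt", "COPYING")


def parse_readme(text):
    """Return the 'License' and 'License File' fields found in the text."""
    fields = {}
    for name, value in FIELD_RE.findall(text):
        fields.setdefault(name, value.strip())
    return fields


def audit_component(path):
    """Return (status, declared_license) for one component directory."""
    readme = os.path.join(path, "README.chromium")
    if not os.path.isfile(readme):
        return "no-readme", None
    with open(readme, encoding="utf-8", errors="replace") as fh:
        fields = parse_readme(fh.read())
    declared = fields.get("License") or None
    if declared is None:
        return "license-undeclared", None
    named = fields.get("License File")
    candidates = [named] if named else DEFAULT_LICENSE_NAMES
    if any(os.path.isfile(os.path.join(path, rel)) for rel in candidates):
        return "ok", declared
    # The README points at a license text that is not in the tree.
    return "license-file-missing", declared


def audit_tree(root):
    """Audit every immediate subdirectory of root."""
    results = {}
    for entry in sorted(os.listdir(root)):
        path = os.path.join(root, entry)
        if os.path.isdir(path):
            results[entry] = audit_component(path)
    return results


def group_by_license(results):
    """Group components by declared license so mixed licensing is visible."""
    groups = defaultdict(list)
    for name, (_status, declared) in results.items():
        if declared:
            groups[declared].append(name)
    return dict(groups)


def build_sample_tree(root):
    """Write a constructed sample tree (not real Chromium content)."""
    sample = {
        "comp_ok": {
            "README.chromium": "Name: comp_ok\nLicense: GPL-2.0\nLicense File: COPYING\n",
            "COPYING": "constructed license text\n",
        },
        "comp_missing_file": {
            "README.chromium": "Name: comp_missing_file\nLicense: GPL-2.0\nLicense File: LICENSE.txt\n",
        },
        "comp_undeclared": {
            "README.chromium": "Name: comp_undeclared\nURL: https://example.invalid/\n",
            "bundle.js": "var a=1;\n",
        },
        "comp_no_readme": {"code.c": "int x;\n"},
        "comp_apsl": {
            "README.chromium": "Name: comp_apsl\nLicense: APSL-2.0\n",
            "LICENSE": "constructed license text\n",
        },
    }
    for comp, files in sample.items():
        os.makedirs(os.path.join(root, comp))
        for fname, body in files.items():
            with open(os.path.join(root, comp, fname), "w", encoding="utf-8") as fh:
                fh.write(body)


def run_demo():
    """Build the sample tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return audit_tree(root)


if __name__ == "__main__":
    results = run_demo()
    for name, (status, declared) in results.items():
        print(f"{name:20} {status:22} {declared or '-'}")
    print(group_by_license(results))
```

A result of `ok` only means a license is declared and a license file exists; whether the declared licenses can be combined in one binary still needs review.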

Magic Banana

I am a member!

Offline
Joined: 07/24/2010

I don't think it is not part of the browser (is it?).

They are like embedded dependencies. "third_party" contains 3,726,248 lines of code, according to 'sloccount'. They are not included for nothing.

https://chromium.googlesource.com/chromium/src/+/master/ui/webui/resources/js/analytics.js only aims to make it easier to include google-analytics-bundle.js ... and that script is itself included by https://chromium.googlesource.com/chromium/src/+/master/ui/file_manager/file_manager_resources.grd among "common scripts" or by https://chromium.googlesource.com/chromium/src/+/master/ui/webui/resources/webui_resources.grd

Excluding "third_party/analytics/", there are 44 files that reference (usually load) one of those four files:

$ grep --exclude-dir=third_party/analytics -e google-analytics-bundle.js -e analytics.js -e file_manager_resources.grd -e webui_resources.grd -lR .
./android_webview/BUILD.gn
./chrome/browser/resources/chromeos/echo/manifest.json
./chrome/common/extensions/docs/templates/articles/analytics.html
./chrome/common/extensions/docs/templates/private/site.html
./chrome/test/data/chromeproxy/extension/_metadata/computed_hashes.json
./chrome/test/data/chromeproxy/extension/detailed_data_usage.html
./chrome/test/data/chromeproxy/extension/popup.html
./chrome/test/data/extensions/network_delay/pjohnlkdpdolplmenneanegndccmdlpc/1.0/analytics.js
./chrome/test/data/extensions/network_delay/pjohnlkdpdolplmenneanegndccmdlpc/1.0/background.html
./components/domain_reliability/baked_in_configs/google-analytics_com.json
./components/test/data/autofill/heuristics/input/115_checkout_walgreens.com.html
./components/test/data/autofill/heuristics/input/116_cc_checkout_walgreens.com.html
./components/test/data/autofill/heuristics/input/147_panera.custhelp.com_app_ask.html
./components/test/data/dom_distiller/core_features.json
./third_party/WebKit/PerformanceTests/Speedometer/resources/todomvc/architecture-examples/angularjs/node_modules/todomvc-common/base.js
./third_party/WebKit/PerformanceTests/Speedometer/resources/todomvc/architecture-examples/backbone/node_modules/todomvc-common/base.js
./third_party/WebKit/PerformanceTests/Speedometer/resources/todomvc/architecture-examples/inferno/node_modules/todomvc-common/base.js
./third_party/WebKit/PerformanceTests/Speedometer/resources/todomvc/architecture-examples/jquery/node_modules/todomvc-common/base.js
./third_party/WebKit/PerformanceTests/Speedometer/resources/todomvc/architecture-examples/preact/dist/todomvc-common/base.js
./third_party/WebKit/PerformanceTests/Speedometer/resources/todomvc/architecture-examples/react/node_modules/todomvc-common/base.js
./third_party/WebKit/PerformanceTests/Speedometer/resources/todomvc/dependency-examples/flight/flight/node_modules/todomvc-common/base.js
./third_party/WebKit/PerformanceTests/Speedometer/resources/todomvc/functional-prog-examples/elm/node_modules/todomvc-common/base.js
./third_party/WebKit/PerformanceTests/Speedometer/resources/todomvc/vanilla-examples/es2015/node_modules/todomvc-common/base.js
./third_party/WebKit/PerformanceTests/Speedometer/resources/todomvc/vanilla-examples/vanillajs/node_modules/todomvc-common/base.js
./tools/check_grd_for_unused_strings.py
./tools/gritsettings/resource_ids
./ui/file_manager/BUILD.gn
./ui/file_manager/audio_player/manifest.json
./ui/file_manager/file_manager/background/js/import_history_unittest.html
./ui/file_manager/file_manager/background/js/media_import_handler_unittest.html
./ui/file_manager/file_manager/common/js/error_util.js
./ui/file_manager/file_manager/common/js/metrics_unittest.html
./ui/file_manager/file_manager/foreground/js/import_controller_unittest.html
./ui/file_manager/file_manager/foreground/js/main_scripts.js
./ui/file_manager/file_manager/manifest.json
./ui/file_manager/file_manager_resources.grd
./ui/file_manager/gallery/manifest.json
./ui/file_manager/image_loader/manifest.json
./ui/file_manager/video_player/manifest.json
./ui/resources/BUILD.gn
./ui/webui/resources/PRESUBMIT.py
./ui/webui/resources/js/analytics.js
./ui/webui/resources/js/jstemplate_compiled.js
./ui/webui/resources/webui_resources.grd

Also, https://chromium.googlesource.com/chromium/src/+/master/chrome/test/data/chromeproxy/extension/google-analytics-bundle.js is another "version" of google-analytics-bundle.js, as obfuscated as the other one, inside the "chrome" folder (rather than "third_party"). https://chromium.googlesource.com/chromium/src/+/master/chrome/test/data/chromeproxy/extension/ contains more obfuscated JavaScript bearing no license notice, e.g., detailed_data_usage_compiled.js: https://chromium.googlesource.com/chromium/src/+/master/chrome/test/data/chromeproxy/extension/detailed_data_usage_compiled.js

Chromium does not connect to Google Analytics (otherwise we should have seen it in tcpdump)

Your tests do not show that. Maybe data are sent every time 10 MB are collected, maybe only on Halloween day, maybe when a website using Google Analytics is visited (more than 60% of the top-100k sites according to https://trends.builtwith.com/analytics/Google-Analytics : scary), etc. With obfuscated JavaScript involved, it is hard to be sure...

and cannot open rar files.

Talking about unrar, a comment on line 27 of https://chromium.googlesource.com/chromium/src/+/master/chrome/services/file_util/public/cpp/BUILD.gn says "This dependency is here temporarily". We can see if it is still there in a few months (or if it is in Chromium temporarily in the same way that the Eiffel tower was in Paris temporarily). For the moment, that looks bad.

But when you have a huge project which contains a mix of things perhaps it is not very simple to unify licenses (another reason to hate lawyers). Is the situation with Firefox any different?

I have never heard of licensing issues in Firefox. Mozilla has a rather clear "Source Code License Policy" https://www.mozilla.org/en-US/MPL/license-policy/

For instance, it states that the GPL is incompatible with the MPL. It asks to "always consult the licensing team before importing Third Party Code" too.

CalmStorm

I am a member!

Offline
Joined: 12/31/2014

Nah, firefox forks are better than chromium forks... for a few reasons...

Chromium doesn't even do lip service towards privacy, they don't even try to care...

At least firefox tries to care somewhat...

Firefox is easier to configure securely, and noscript and privacy settings help with that immensely... I don't think chromium has a noscript feature built in as good...

and my last reason is basically this, The fsf based their Icecat browser off of firefox, not chromium...

Think about why that is... and get back to me when you do.

ps,

"You do not have permission to view the requested page."

This is highly suspicious...

Nice debate though... but at this time as bad as firefox is, it makes waves of privacy compared to chromium and of course the awful google chrome

Magic Banana

I am a member!

Offline
Joined: 07/24/2010

These make me think that the analytics may be part of the Android version or Chrome (where I assume that being tracked is inevitable).

I see no reason why the Android version of Chromium would "need" Google Analytics more than the desktop versions.

BTW if https://www.google-analytics.com/analytics.js is unminified it is not impossible to understand what it does.

It is minified.

Something else which I noticed today: A bug report about Chromium with owner with email address @intel.com (What has Intel to do with Chromium?)

That does not prove anything.

"You do not have permission to view the requested page.
Reason: User is not allowed to view this issue"
which is quite strange for an "open source" project.

That does not prove anything either.

https://trisquel.info/en/forum/web-browser#comment-125929

Jxself points out how Mozilla restricts freedom 2 through its trademark policy. That abuse is a (real) problem that is not related in any way to hypothetical licensing issues in Firefox's code base.

Is that not an issue?

What do you mean? As long as Firefox's code base does not include GPL code (except for separate binaries), there is no licensing issue.

And does it really matter if all the forks (including Tor browser) inherit the telemetry code (and who knows what else) and simply disable it through prefs?

It is a completely separate issue. Actually a "non-issue" if it is disabled.

Otherwise the recommendation creates the impression that something has been thoroughly tested.

I have never seen the FSF pretending that.

"Does not include proprietary software at all" should be questioned more deeply because a feature like telemetry is a form of proprietary behavior in which the proprietor collects data.

For the nth time, the free/proprietary distinction essentially has nothing to do with what the software does, with its "behavior". Proprietary software is bad even if it does nothing bad, technically. It is bad because it does not leave the users in control of their computing. The power that the proprietary software developer has over its users is the fundamental injustice. The fact that malware and proprietary software often go hand in hand is a consequence: power corrupts.

Most users do not see telemetry as malware and see no reason to remove such a feature.

So I think FSF should not recommend any distro which includes a fork of Firefox unless it has been checked that the telemetry code has been completely removed (and not just disabled through prefs).

The only difference that it makes is that a user who wants to help Mozilla improve Firefox through telemetry cannot.

Magic Banana

I am a member!

Offline
Joined: 07/24/2010

But you can unminify it. That's what I meant. It is still difficult to read due to the non-descriptive variable and function names but that is surely easier to reverse engineer than a binary code.

Are you the same person who pretends that freedom 1 is not practical because it is too much work to read large source codes?!

I may be wrong but it seems to me it contradicts your previous "I have never heard of licensing issues in Firefox."

You confuse everything. Many files in Chromium's source code have unclear licensing (because license notices are missing). It includes files under copylefted licenses (and even under incompatible licenses), yet its developers pretend Chromium as a whole is permissively licensed. Those are licensing issues. I have never heard of such licensing issues in Firefox. Mozilla's abusive trademark policy is a completely different problem. It has nothing to do with how the source code is licensed.

Well, it is an issue that it exists in the first place and that it is enabled by default. It reveals the intent of the vendor and that is what bothers me.

The intent is "improving Firefox by getting usage information, e.g., the state of the browser when it crashes".

Add to that the affiliations of that same vendor with PRISMed companies

Not the best argument to prefer Chromium, which is mainly developed by Google, listed in the PRISM documents.

https://trisquel.info/en/forum/web-browser?page=4#comment-127279

"With a concern for your privacy and safety" does not mean "thoroughly tested".

And as a whole: the talks about how malicious non-free software followed by conclusions and advises "that's why you should use free software" definitely creates the implication that free software is safe.

"Not malicious" does not mean "safe". Nobody here claims that free software has no vulnerability.

Yet consider the above and the reason why people here prefer free software and ask various questions about how to secure their communication and web browsing perfectly etc. Surely not because they want free telemetry. So this is an issue that needs to be addressed somehow.

Your implication "People do not use free software because they want telemetry" => "They do not want telemetry" is wrong.

Help Mozilla? The helpless Mozilla corporation? I am not quite sure I get your point.

Using the same example as above: knowing the state of the browser when it crashes helps to discover the related bug and fix it.

Magic Banana

I am a member!

Offline
Joined: 07/24/2010

analytics.js is not 10M lines of code.

"Unminify" https://chromium.googlesource.com/chromium/src/+/master/chrome/test/data/chromeproxy/extension/google-analytics-bundle.js (about 1300 lines of code) all you want and try to rewrite part of it in understandable JavaScript (with meaningful variable names, comments, etc.) if you really believe it is doable.

My posts about the impossibility to exercise freedom 1 were about the large code base of browsers.

Studying 10M lines of code is too much work for one single person (who can however focus on a few features or even a whole module). It is not too much work for a whole community. Part of that community actually *wrote* the 10M lines of code.

The actual intent is not that because telemetry reports things even without crashes.

"E.g." introduces an example. The telemetry module does not exclusively deal with crashes. https://crash-stats.mozilla.org/topcrashers/?product=Firefox&version=58.0.2 shows how the telemetry data help the developer identify and prioritize bugs that cause many crashes in practice.

Yet in combination with "look no further than GNU Icecat" it implies exactly that.

No, it does not.

And what is "not malicious" then? Unsafe? lol

A malicious functionality is, by definition, *designed* to abuse the users. A bug creating a vulnerability is *unintended*. So, yes, a piece of software can be at the same time "unsafe" and "not malicious". It is even common.

Where is the list of vulnerabilities?

Here for instance: https://nvd.nist.gov/

CalmStorm

I am a member!

Offline
Joined: 12/31/2014

Actually, you are right, this discussion is a constant stupid nitpicking... sadly though, it's not MagicBanana who is doing the nitpicking...

I disagree with him on things, such as a certain init system, but when it comes to firefox vs chromium...

Yeah... he is the one who is showing facts, you are nitpicking to support Chromium.
I don't know why, but trust me, I used to nitpick about stuff too.

I am only trying to help you. PS, Apple products are in fact not good to use because Apple is waging a war on right to repair. Essentially, though, Firefox is, though not superior on its own, vastly superior when compared to Google's web browser and all else... with the exception of forks...
Also, keep in mind RMS endorses IceCat, which IS a FIREFOX BASED browser...

Emphasis needed because what I am saying is accurate and you seem to not get it.

CalmStorm

I am a member!

Offline
Joined: 12/31/2014

"You mean the videos I shared and the copy-paste from Mozilla's docs are non-facts? Or the tcpdump tests?"

Actually, I was talking more about the forks than Firefox itself.

"Did you even read that (#48):

>> It is not an argument to prefer Chromium but an argument to avoid Firefox/forks.
?"

Okay, well, it just seemed suspicious that you attacked Firefox forks too. Because essentially, if you attack even Firefox forks, you basically have nowhere to move to...

Unless lynx is your fix,

"Thanks but in this thread I am not asking for help."

Okay, well, I thought wrong I guess, it's just kind of strange that someone would attack both Firefox and Chromium as if they were both on the same level...

When Firefox is actually somewhat better on its own... With tweaking and without...

"RMS wouldn't even know about the IceCat's background leaks if I didn't tell him. And that is still not fixed in IceCat + there are no plans to actually remove completely the telemetry code from it (recent feedback from the developer). I will let you figure out for yourself what value have these endorsements is."

Okay, does RMS plan to have the problems fixed? I would guess he would if it is a problem otherwise, he would find a better fix that is more substantial than the one the developer has.

"Just because someone wants to consider more essential factors about security of communication than endorsements and licenses, doesn't quite mean he does not "get it". As you may have noticed I prefer to question what is a "hardened kernel" and "hardened package" and learn about it rather than easily accept and trust nice sounding words giving a false sense of security."

Yes, well, all I know is it's based on grsecurity's Linux 4.9 patches. I neglected to mention that because I forgot the specifics.

That is how it is hardened, but after 4.9, as we both know, grsecurity is going to bully people into paying money to see the source code... which is absurd completely and totally...

As such with 4.14

Essentially, someone has to fill grsecurity's shoes in the future for kernels after the 4.9 kernel fades away from support, from Debian even...

Anyways, my bad, I thought you were nitpicking.

Although, tcpdump I know little of, first I heard of it was a month or two ago which probably was you. right?

so yeah...

CalmStorm

Joined: 12/31/2014

"you have probably read too many articles which say that Mozilla is your friend."

Nah, I just don't trust anything Google uses as a base for their web browser.

If someday, Iridium gets updated again, maybe...

but yeah...

"Also Chromium devs don't close the bug report about it and admit it should not communicate without need. That must not be extrapolated and associated easily to the general mischief which both corporations are involved in on a different level. This is just browser test and nothing else."

This might be true for Chromium, but I know very little of Chromium so I really cannot comment... but yeah, Firefox does have an issue there.

"The forks inherit the codebase from FF. For IceCat in particular I have investigated more thoroughly than for any other by looking at the actual code repository. You can find my comments here:

https://trisquel.info/en/forum/web-browser?page=4#comment-127390"

Yeah, one question comes to mind: do you have NoScript when doing these tests?

NoScript is something that VASTLY improves security and privacy.

I doubt Firefox would be secure without it. Derivatives that are free software disable some of Firefox's junk, but NoScript is a godsend for any Firefox-based browser.

Chromium I don't think has something on the same level of configuration and security as that.

I might be misinformed, but regardless,

Neither default browser is good. I would really like it if someone continued working on the Iridium browser. Then Firefox-based browsers would have an actual alternative as you say...

Not that it's super needed, but it would be good to have an alternative to Chromium.

Actually maybe it is, but I think both browsers could do better than they are now...

For one thing, the person who used to run Mozilla was shamed into leaving.

This happened a while back, but I would guess Firefox would have been a lot better if that never happened. If that guy was still in charge... aka.

CalmStorm

Joined: 12/31/2014

"Perhaps it would be better to comment browsers in the web browsers thread as this one has become a mess."

Perhaps your single most intelligent idea so far...

although, I found something you may find interesting...

https://github.com/iridium-browser/tracker/wiki/Differences-between-Iridium-and-Chromium

Iridium is I think? The free software version of Chromium and also this,

https://iridiumbrowser.de/faq

Especially read this part below from that faq:

"Why do some audio / video players not work in Iridium Browser?"

onpon4
Joined: 05/30/2012

It's already been explained to you that Google learns nothing about you from this behavior. They know that your IP address is running a Web browser. Big whoop. I think the benefit of protecting people from malicious websites, scamming, phishing, etc. is much more important than not letting Google know that you're running a Web browser, the same as practically everyone else on the planet. It's like worrying that the gas company knows you're running the stove.

Magic Banana

Joined: 07/24/2010

Indeed. Pyllyukko, who is quite paranoid but honest, even keeps the protection against phishing that Safe Browsing brings: https://github.com/pyllyukko/user.js

Honesty is what is probably lacking in somebody who, on one hand, pretends to be concerned about Google learning too much from Safe Browsing but, on the other hand, tracks the visitors of his website with Google Analytics: https://anchev.net/home.js

onpon4
Joined: 05/30/2012

LOL, dude, just a couple comments down from the one you linked, MB points out that you could disable GA instantly and your only response was, "what I put on my website is not your business". You're so full of shit. You have nothing against using Google Analytics to track your visitors whatsoever.

> You should also put Snowden, Assange, Wikileaks, EFF, The Tor project and many others on your wall of shame as they use Twitter

And the FSF, by your standard:

https://mobile.twitter.com/fsf
https://www.fsf.org/twitter

But this is a bullshit standard, and you know it. Using Twitter isn't even remotely comparable to actively tracking your website's visitors.

onpon4
Joined: 05/30/2012

Ah, a quote mine. Classy.

(See, I can do sarcasm too.)

onpon4
Joined: 05/30/2012

> No. It is like letting the gas company know where your stove is, exactly when you are using it, what you are cooking and allowing the gas company to control whether you are worth receiving that gas for the particular meal you are cooking or not.

You're so full of shit. All Google knows by your downloading that data is that you're using a Web browser that supports a safe browsing feature. It tells them nothing about what websites you're visiting, or even whether you're visiting websites at all. Your browser could just be sitting there doing nothing for all they know.

> You are simply buying what they are selling you

I have NEVER read ANY promotional material about safe browsing from Google. EVER. But I have seen countless malicious websites that attempt phishing, or trick the user into installing malware, or just do so automatically through JavaScript. I don't need to be sold on the idea of someone auditing websites for such things and then offering a dataset for any Web browser to check.

> But this "protection" tool is a method for censoring.

If a non-malicious website is listed as unsafe, it doesn't mean the website is "blocked". It's up to the browser at that point what to do, and the browser typically gives a very strong warning, but gives the user the ability to override it. If the browser does block sites entirely, maybe you shouldn't use that browser. But that's not a strike against Safe Browsing; that's a strike against a forcible implementation of Safe Browsing.

CalmStorm

Joined: 12/31/2014

Onpon sometimes is a bit let's call it, harsh. Though I am sure Onpon means well.

CalmStorm

Joined: 12/31/2014

I would say it is better than Chromium at least.

Although, it's wise to read Onpon's reply.

Apparently it only reveals your IP address, which is easily revealed anyways.

CalmStorm

Joined: 12/31/2014

Well, maybe you should do a comparison of the two sometime.

by the way, if there is more to it, please educate me, and tell me what you mean.

I am curious.

Jodiendo
Joined: 01/09/2013

calmstorm said:

"Why do some audio / video players not work in Iridium Browser?"

The answer to this dilemma is the factor of distance and of processing data.

Example: if you are playing games that are TCP/IP it works fine, but if you are using the same game through a sat-phone, lag is the biggest killer. Most satellites are thousands of miles from Earth and stationary in a fixed orbit, and for it to work it needs more power for the transponder or downlink. Other factors are weather and solar flares. Most Java-developed games work fine, but is the server hosting all Java games?

The net is built underground, meaning buried in the ocean floor, made of fiber optic cables all connecting the world. In space, for us to connect to a different country we need geostationary satellites.

Reference:
Handbook of satellite communications
Satellite communication

Magic Banana

Joined: 07/24/2010

A: I see no issue with this at this point. Previously (before WebExtensions) any extension could enable that or make changes to any other preference, but that is all sandboxed away now.

*Third-party* attacks concern*ed* RMS. Not Mozilla. Not anymore.

As you see - just mitigations, not a fix at the core of things and no plans for one.

RMS' answer looks clear: for him, the telemetry component has never been the problem; extensions that could access Firefox's internals (including triggering the collection of sensitive data through the telemetry component) were. WebExtensions has *solved* that problem: "no issue with this at this point".

Of course that is much better than default FF settings but still far from a completely clean and trustworthy program which many independent developers have checked.

RMS *is* talking about the default Firefox. GNU IceCat, still at version 52, accepts to run XPCOM and XUL extensions. WebExtensions become the only accepted extensions with Firefox 57.

fbit

Joined: 07/07/2013

>Ok. Make a public poll "Do you want telemetry, enabled by default and difficult to
>disable?" in a separate thread and let us see the result...

>I may be wrong and it may turn out that people who like free software also like to
>be part of massive and continuous data collection. Then your golden logic will
>shine.

https://en.wikipedia.org/wiki/Correlation_does_not_imply_causation

As stated several times, by several people, your logic is spurious.

Here you go:

https://yourlogicalfallacyis.com/

ADFENO
Joined: 12/31/2012

Also, putting security and privacy aside, you might be interested in
helping with evaluating Chromium and other things based on it ([1]); we
are really short on human resources for that.

After the main evaluation is done, you can perhaps contribute to other
project teams in the FSD so that the antifeatures of Chromium and other
software are clearly described.

[1]
https://directory.fsf.org/wiki/Free_Software_Directory:Free_software_evaluation .

--
- https://libreplanet.org/wiki/User:Adfeno
- Speaker and consultant on free /software/ (not to be confused with
gratis).
- "WhatsApp"? It is not free. Please see ways to communicate
instantly with me at the address below.
- Contact: https://libreplanet.org/wiki/User:Adfeno#vCard
- Common files accepted (only without DRM): Corel Draw, Microsoft
Office, MP3, MP4, WMA, WMV.
- Common files accepted and sent: CSV, GNU Dia, GNU Emacs Org, GNU
GIMP, Inkscape SVG, JPG, LibreOffice (ODF standard), OGG, OPUS, PDF
(only without DRM), PNG, TXT, WEBM.

akito
Joined: 05/10/2017

The free distros have different people assigned to them and mostly they are being developed by volunteers around the globe; that is why they appear to be dead. Most are probably developing in their own free time. Trisquel 8 has some issues that block the release and you can probably help to sort them out. I do not know if the FSF funds the main developers.

FindEssential
Joined: 08/23/2017

Firstly, you are correct, and this is a point I have made too. At minimum Blag and Musix should be removed from the list, but to ensure the list remains up to date, distros should have to re-certify every few years. This way the FSF will know if a project is active. They could even have an "inactive" list on the same page in case a project fires back up within a reasonable time frame.

Second, Trisquel is an LTS release. This means that it will go years without an update, that is the point. LTS is stability over cutting edge. If one wants cutting edge they should utilize a rolling release distro like Parabola. However, even using that stick Trisquel 8 is late, in fact the next LTS release of Ubuntu will be out before 8 is done.

That said, as someone who uses LTS specifically for stability, this doesn't really bother me. As long as the next version of Trisquel is out before the current one reaches its end of life in 2019, I am happy. Now, if this community is unable to muster an updated LTS release that mirrors Ubuntu's schedule, that should just be said outright. I would be completely accepting of an LTS-focused distro that skips every other Ubuntu LTS release, as long as the current version doesn't lose support, and fresh ISOs are supplied for newer users. I would be equally supportive of an ETS release. The problem is Trisquel says it follows Ubuntu's schedule when it is clear it can't. This doesn't mean there is a huge problem, but rather that stated goals need to reflect reality.

Trisquel's development doesn't reflect at all on the FSF; like all distros (except GuixSD, I believe) they are independent. The FSF sets the standards for the community to follow, and communities change over time. This is very common. Ruben has a day job working in something that reflects his personal values; that's something to be respected, not derided.

s1lv3r
Joined: 10/29/2017

I totally respect Ruben. The fact is that the FSF uses Trisquel, and they recommend it to newcomers. Hiring Ruben to work with them was a bad move, but this is just my opinion. Instead of hiring the main developer of one of the best free systems out there they should have hired someone else, or maybe hired Ruben to work full time on Trisquel, and supported the project economically.

FindEssential
Joined: 08/23/2017

Trisquel is Ruben's project, connected to a for profit venture related to free software consulting. That has led to his employment at the FSF. The FSF provides logistical support through all the packages it maintains and services it provides, without that Trisquel would not be possible at all. The relationship is symbiotic.

Ruben's employment has nothing to do with Trisquel, and the FSF needs good people to keep the fight for free software going. The man needs to make a living and the FSF has software that needs development. Trisquel is a volunteer-only operation; no money is made here. That he didn't drop developing Trisquel is a huge thing. It really speaks to his commitment.

The FSF can't just employ people for anything. They have grant requirements, ongoing campaigns, and so forth. Playing favorites with endorsed distros could cause issues with the wider FSF community. FSF recommends Trisquel, but they also recommend the other distros based on what the user needs.