How To Make Sure You Stay Libre

davidpgil
Offline
Joined: 08/26/2015

Hello All! I've been using Trisquel for a few months now and I am learning a lot while taking back my freedom :)

I am wondering as I install software using internet searches, I find I occasionally have installed stuff outside of the package manager included in Trisquel. This makes me wonder, if there is a way for Trisquel to do a sweep to check if my installed software is Libre? I understand that the package manager may be the place to stay, but sometimes the software isn't up to date.

For example, the latest version of Ardour in Trisquel 7 is version 3. Ardour is currently in version 4. If anyone could help me stay Libre, I'd appreciate it :)

Thanks in advance.

- David

vita_cell
Offline
Joined: 07/19/2015

Using TOR browser or Abrowser with: DownThemAll, Privacy Badger, LibreJS or NoScript, uBlock, HTML5 Video Everywhere!, printpdf, Self-Destructing Cookies. Installing only GPL-MIT-X11 licenced addons.

Using Trisquel, only official Trisquel's repositories.
If you install something out of official repositories, make sure that it is under a free software licence (not some GPL-MIT-X11 "modified" licence).

If you want to install some videogame out of official repository, sometimes only source code is under free licence, but not media files. Some free software games come with fully free code and media.

Try not to use .rar.

Replace proprietary BIOS with Libreboot.

Alij
Offline
Joined: 05/07/2012

And still you can be tracked down by NSA or any government if they want to, of course using SL reduces the chances of that happening but any os is invulnerable, there's almost any chance to get 100% privacy on the web, period.

vita_cell
Offline
Joined: 07/19/2015

You're right, the only way to stay not tracked is to not use the Internet. But it is much more dangerous running proprietary BIOS, Intel CPU microcode, Intel Management Engine.........

We don't know what NSA, Russian FSB (or some other agency) hardware and software they have. Yes, we have some Snowden's revelation, but incomplete I think.

If you connect to Internet, you can be tracked. If you run fully free software machine (not one backd00red), your privacy and security will rise very high.

It is a very good idea to remove Microphones and Speakers(or headphones) from your computer, if you don't use them, and plug them when you will use them.

The worst spyware is your mobile phone, cuz it tracks you always, and records sound always (and it can take pictures too). And here no free modem or some reverse engineered phone/modem.

Alij
Offline
Joined: 05/07/2012

Maybe you can avoid 99% of tracking using one of those libre bios laptops endorsed by FSF. Just buy one of them and use the machine like simple text editor, video/music player or storage device, of course without internet on it. Move archives to it with a usb stick from other computers with internet/tor connection and stay safe.

;)

tomlukeywood
Offline
Joined: 12/05/2014

i think definitely with the correct resources it is possible to make a 100% secure system running fully free software

you would just need to maybe make it quite simple and hire a lot of people to debug it

so going with the assumption that anything connected to the internet is automatically compromised is not quite true

vita_cell
Offline
Joined: 07/19/2015

BUT, there is no free software SSD/HDD:

http://www.cnet.com/news/nsa-planted-surveillance-software-on-hard-drives-report/

Best option? Buy a Chinese "NO BRAND"/"NO NAME" cheap SSD. I have "KingDian", only 30€ for 64gb (enough for laptop running GNU).

--------------------------------------------------------------

http://libreboot.org/docs/security/index.html

pizzaiolo
Offline
Joined: 03/12/2015

There is an experimental free software SSD: http://www.openssd-project.org/wiki/The_OpenSSD_Project

evoblade
Offline
Joined: 10/25/2015

Maybe Chinese drives wouldn't report to NSA, but China does not have a good record for computer security, just look at the precautions people take before going to China (burner laptops, phones, format your burner when you get back, etc)

Jabjabs
Offline
Joined: 07/05/2014

They have a very poor track record, almost every Chinese designed phone I have checked calls back to home eventually. It does suck that this happens but at least it is reporting back to a government other than your own or its allies.

cooloutac
Offline
Joined: 06/27/2015

I would worry more about the 13 year old kid down the block, or other organizations not affiliated with gov'ts, more than the NSA.

tomlukeywood
Offline
Joined: 12/05/2014

that would depend on whether you're for example an investigative journalist going into an area a government or corporation does not want you to go into or not

some people have a good reason to fear the "security" agencies

if you are a good well behaved citizen then i guess you don’t have to fear the NSA

moxalt
Offline
Joined: 06/19/2015

Even if we're not being directly targeted, we should resist state surveillance.
The existence of enormous compendiums of information on the citizenry is in
itself dangerous.

Security should ideally be government-proof. Aim for that goal, and you'll be
more than prepared for the common-or-garden script kiddie.

strypey
Offline
Joined: 05/14/2015

Just rewatched the excellent film 'Enemy of the State' recently. Even a well-behaved citizen is foolish not to fear the NSA. Considering that governments almost always enforce irrational morality laws (eg drug laws, criminalization of homosexuality etc), and punish people who are more ethical than them or their corporate buddies, I think there's good reason for everyone to do what they can to secure their privacy when using computers and the net.

Also, don't think you're safe just because you use USB sticks and never connect to the net. That was how that Stuxnet virus was sneaking into that nuclear facility in Russia:
http://gizmodo.com/did-a-usb-stick-infect-a-russian-nuclear-plant-with-stu-1462369236

SuperTramp83

I am a translator!

Offline
Joined: 10/31/2014

>Using TOR browser or Abrowser with: DownThemAll, Privacy Badger, LibreJS or NoScript, uBlock, HTML5 Video Everywhere!, printpdf, Self-Destructing Cookies. Installing only GPL-MIT-X11 licenced addons.

https://www.torproject.org/download/download-easy.html.en#warning

Don't enable or install browser plugins

The Tor Browser will block browser plugins such as Flash, RealPlayer, Quicktime, and others: they can be manipulated into revealing your IP address. Similarly, we do not recommend installing additional addons or plugins into the Tor Browser, as these may bypass Tor or otherwise harm your anonymity and privacy.

And yes, by additional addons they mean any addon at all.

vita_cell
Offline
Joined: 07/19/2015

Yes, that is.

I wanted to say, to use Tor Browser only, with no addons. Some problems installing addons for Abrowser?

tomlukeywood
Offline
Joined: 12/05/2014

"but sometimes the software isn't up to date."

if you ever get software from outside sources
you would need to check the license of the software to ensure it's libre

if you are unsure if a license is free or not you can check this page:
https://www.gnu.org/licenses/license-list.html

also it's a good idea to compile the program yourself
as this is much more secure and will ensure you have the absolute latest version

"This makes me wonder, if there is a way for Trisquel to do a sweep to check if my installed software is Libre?"
currently only for the deb packages
there is a program called vrms (virtual Richard Stallman)
that lists any deb packages installed that are non-free by the Debian free software guidelines

but this program is controversially and quite incorrectly named as it goes on Debian's free software guidelines not the FSF's and is inconsistent with RMS's

cooloutac
Offline
Joined: 06/27/2015

I found this guide might be useful to some when compiling.

https://wiki.debian.org/Hardening

Magic Banana

I am a member!

I am a translator!

Offline
Joined: 07/24/2010

'vrms' is not only misnamed (it would, for instance, consider GNU FDL documentation non-free!) but it is also useless on Trisquel. It only scans the packages available in the Debian repository. Not the packages installed by hand, the extensions, etc. Trisquel's repository is 100% free software (otherwise, it is a critical bug). There is nothing to check. The work has been done upstream. It even is the main advantage I see in using Trisquel: if you stick to what is in the repository (and in Abrowser's extension page), you can peacefully install anything. Your freedom is in good hands. If you want to install programs found elsewhere, then you need to do the work by yourself.

There is no sure way to automatically decide whether an arbitrary program is free software. Even if the license and the source code are given. The vanilla Linux kernel, under the GNU GPL, is a good example. Here are other difficult cases: http://libreplanet.org/wiki/List_of_software_that_does_not_respect_the_Free_System_Distribution_Guidelines

SuperTramp83

I am a translator!

Offline
Joined: 10/31/2014

There is a way. A very simple way indeed: TRIPLECHECK the license of each software you install (or better yet - compile) outside from the repository.

Magic Banana

I am a member!

I am a translator!

Offline
Joined: 07/24/2010

Well, no. Take the Linux kernel for instance. It is under the GNU GPL. Yet it includes blobs. The page I linked above lists other difficult cases.

suitsmeveryfine
Offline
Joined: 08/15/2014

Simple! Use the Free Software Directory. See for example the entry on Ardour.

davidpgil
Offline
Joined: 08/26/2015

Wow! this got out of hand fast! :) I think suitsmeveryfine answered my question the most directly :)

lilos
Offline
Joined: 09/04/2015

What about we use FPGA with Softcore CPU ?

And https://github.com/sergev/LiteBSD

lembas
Offline
Joined: 05/13/2010
lilos
Offline
Joined: 09/04/2015

LiteBSD has been ported to PIC32 MIPS 200MHz with MMU.

I think LiteBSD is free software.

http://retrobsd.org/wiki/doku.php

ADFENO
Offline
Joined: 12/31/2012

1. When possible, avoid adding package repositories (be it by using
APT's "add repository" command, by editing the "/etc/apt/sources.list"
directly, by using your graphical package sources editor, and so on),
just avoid it when possible. Even if the project which owns the
repository is related to a free software, because there's no way to
guarantee that the future versions of that package that come from that
repository will still be free software, even after checking the
licenses, that is because they are already provided to you in compiled
form, and as such, there's no user-friendly way to know if obfuscated
source code was used to make that binary available for you, other than
downloading the source code yourself to check every single line of it
making sure that there are no strangely-numbered phrases like
"\123\325\123", "(123, 325, 123)", or "123 325 123" (the numbers are
just examples). Note that the source code that you download must come
from the same place where you would download the compiled package and as
you see: all this procedure is in no way user-friendly. Exceptions from
this case are repositories of other free software distributions approved
as such by the FSF, like GuixSD, GNewSense, Parabola, LibreCMC,
ProteanOS, Replicant, Ututo, BLAG, Musix, and so on, and repositories
from people who are really known to be trusted here, and that are
following the philosophy successfully.

2. An addendum for the item above: You can try to download the compiled
package manually/by yourself from the same repository that was
originally suggested to be added to your system's package sources. You
should be able to download the package from any web browser, and you'll
probably be asked by the web browser where to save the package file.
This way, you'll have a chance to add just the needed versions, not
corrupting your whole system, not receiving upgrades for that package
blindly, and if you're an advanced user, you'll also have the chance to
download the corresponding source code to check for obfuscated code.

3. Use the Free Software Directory[1] to check if things are free
software. Hint: Go to the Free Software Directory and at the search
field of your browser (the one on the right of the address/URI/link
field), click on the small button that's on the left and click on Add
"Free Software Directory". And now you have the Free Software Directory
there, available as a search engine. Note that, even though your browser
has a home page ("about:icecat" or "about:abrowser") and this home page
has a search field that takes the search engine currently selected on
the search field at the top, this search field doesn't seem to work, as
it just takes you to the homepage of the search engine, at least for me.
The only field that works is the search field at the top of the window.
If the package version found in the Free Software Directory matches the
one you want, then you're safe. Otherwise, not, and you'll have to pass
through (1) and (2).

4. Check if the same packages exist in Trisquel's repositories. You can
either use your package manager, or visit the web search[2]. By using
your system's package manager, you can check for the existence of older
versions of the same package in Trisquel's repositories. If the package
version found in Trisquel's repository matches the one you want, then
you're safe. Otherwise, not, and you'll have to pass through (1) and (2).

5. When a computer program is free software, it means that the programs
that it depends on, recommends and suggests must also be free software, and
so all the items above apply to the dependencies, recommendations and
suggestions. Exceptions for this case are in cases where the computer
program is a reverse engineering effort based on a non-free program, or
when the program's purpose is to provide a free implementation of the
non-free one.

REFERENCES

[1] https://directory.fsf.org/

[2] http://packages.trisquel.info/
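
The repository check from step 4 above, applied to everything already installed (an added example, not part of the original post or of any Trisquel tool): it parses `apt-cache policy` output and labels each package by where its installed version is offered. The archive host `archive.trisquel.info`, the package `examplepkg`, the host `ppa.example.org` and all version strings are assumptions or constructed sample data.

```python
import re
import sys
from urllib.parse import urlsplit

# Assumption: this host is the distribution's own archive; match your sources.list.
TRUSTED_HOSTS = {"archive.trisquel.info"}
PKG_RE = re.compile(r"^(\S+):$")                    # "ardour:"
VER_RE = re.compile(r"^ (\*\*\*|   ) \S+ -?\d+$")   # "***" marks the installed version
SRC_RE = re.compile(r"^\s+-?\d+ (\S+)")             # "        500 http://host/... Packages"

def classify(policy_text):
    """Label each installed package 'repo', 'third-party' or 'local'."""
    sources, pkg, wanted = {}, None, False
    for line in policy_text.splitlines():
        if m := PKG_RE.match(line):
            pkg, wanted = m.group(1), False
        elif m := VER_RE.match(line):
            wanted = bool(pkg) and m.group(1) == "***"
        elif wanted and (m := SRC_RE.match(line)):
            # hostname is None for a local path such as /var/lib/dpkg/status
            sources.setdefault(pkg, set()).add(urlsplit(m.group(1)).hostname)
    return {p: "repo" if h & TRUSTED_HOSTS else "third-party" if h - {None} else "local"
            for p, h in sources.items()}

# Constructed sample in `apt-cache policy` layout ("Candidate:" lines omitted).
SAMPLE = """\
ardour:
  Installed: 1:4.4-1
  Version table:
 *** 1:4.4-1 0
        100 /var/lib/dpkg/status
     1:3.5-1 0
        500 http://archive.trisquel.info/trisquel/ belenos/main amd64 Packages
hello:
  Installed: 2.9-1
  Version table:
 *** 2.9-1 0
        500 http://archive.trisquel.info/trisquel/ belenos/main amd64 Packages
        100 /var/lib/dpkg/status
examplepkg:
  Installed: 1.2-0ppa1
  Version table:
 *** 1.2-0ppa1 0
        500 http://ppa.example.org/ubuntu trusty/main amd64 Packages
        100 /var/lib/dpkg/status
"""

if __name__ == "__main__":  # no pipe on stdin: classify the sample instead
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    print("\n".join(f"{v:12}{k}" for k, v in sorted(classify(text).items())))
```

To run it on a real system, pipe in `apt-cache policy $(dpkg-query -W -f='${Package}\n')`; anything labelled `local` or `third-party` still needs its licence checked by hand. Programs compiled and installed outside dpkg never appear in that output, and a package the archive has since dropped also shows as `local`.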

davidpgil
Offline
Joined: 08/26/2015

Excellent and thoughtful response! Many thanks!