How is software chosen, inspected, and changed for Trisquel?

Beko
Joined: 08/31/2019

So I know that Trisquel takes the packages from Ubuntu, removes non-free elements and branding, and then repackages and distributes what remains.

Does anyone glance through, inspect or audit the programs that are allowed to be in Trisquel? Do the Trisquel maintainers trust that Ubuntu adequately does their due-diligence, and thus do not really inspect source-code at all? Do the Trisquel maintainers look through all the source-code and determine which should be allowed or not? Do they only check VIP packages like TOR and [Insert firefox-clone] amongst others?

Is there a website where I can insert a package name, browse through its versions, and see whether someone independent from the coder has checked the contents of the source code?

ex.

Search: vlc

Found:

vlc-11234-2020-02 3 people have inspected source for this version
vlc-11235-2020-03 1 people have inspected source for this version
vlc-11236-2020-04 0 people have inspected source for this version

There's nothing preventing even the most reputable developers from one day pushing an update, stealing a whole bunch of info before people wise up, and then running off.

I recently found out about Gentoo, which is the reason I'm kind of asking these questions, not trying to critique Trisquel's package choices. Also I'm wondering if others worry about this like I do. Free software having open sources =/ no malware.

zigote
Joined: 03/04/2019

> I recently found out about Gentoo

What exactly did you find?

Beko
Joined: 08/31/2019

That the software is compiled from source by the user.

chaosmonk
Joined: 07/07/2017

> Does anyone glance through, inspect or audit the programs that are allowed to be in Trisquel?

This would mean 2-3 unpaid volunteers inspecting tens of thousands of packages, so... no.

> Do the Trisquel maintainers trust that Ubuntu adequately does their due-diligence, and thus does not really inspect source-code at all?

Ubuntu is a software distribution, not a team of security researchers. Their "due diligence" consists of packaging and maintaining software, not auditing it.

> Do the Trisquel maintainers look through all the source-code and determine which should be allowed or not?

The difference between Trisquel and Ubuntu is that Trisquel only packages free software. Packages in Ubuntu's Multiverse and Restricted repositories are assumed to be non-free, so they are rejected by default. Packages in Main and Universe are assumed to be free, so they are included by default unless there is a known freedom issue. If there is a fatal freedom issue, the package is removed. If there is a fixable freedom issue, *then* we start looking at the source code so that we can fix it.

> Do they only check VIP packages like TOR and [Insert firefox-clone] among-st others?

[These][1] are the packages that Trisquel modifies. New versions of these packages receive a little more scrutiny than packages which Trisquel does not modify. [These][2] are the packages that Trisquel rejects outright. They would receive a little more scrutiny before being accepted back in than before accepting a new Ubuntu package with no known issues. However, in no cases would the amount of scrutiny come close to that of a full audit.

> Is there a website where I can insert a package name, browse through its versions, and see whether someone independent from the coder has checked the contents of the source code.

I doubt it. Such a website would not be particularly useful. "vlc-11234-2020-02 3 people have inspected source for this version" tells you nothing. Who are these people? What are their qualifications? What were they looking for when they inspected the source code? What did they find? It is the details and the results of audits that you should be interested in, not just their number or frequency. [This][3] might interest you.

> There's nothing preventing even the most reputable developers from one day pushing an update, stealing a whole bunch of info before people wise up, and then running off.

In theory, yes, it would be possible for a VLC developer to insert some sort of malware into VLC's codebase, and for this to go undiscovered by all other VLC contributors and people browsing VLC's VCS history for long enough that this malware makes it into the next VLC release, and for it to continue to go unnoticed a little while longer so that the new VLC version makes it into Debian's unstable branch, and for it to then continue to go unnoticed by the maintainers and users of Debian unstable and other rolling distributions until the freeze period for the next Ubuntu LTS release, during which Ubuntu stops accepting new versions of packages from Debian's unstable branch, and for the malware to go unnoticed in Ubuntu while the Trisquel release based on that Ubuntu release is under development, and for you to then install that Trisquel release and install VLC, and for the malicious developer to then finally decide to activate whatever malware they inserted, steal a bunch of info, and then run off. The ways in which free software is developed and distributed often provide some natural checks and safeguards against things like this happening, but they are not infallible.

> I recently found out about Gentoo, which is the reason I'm kind of asking these questions, not trying to critique Trisquel's package choices.

Gentoo is also a software distribution. They do not perform audits either. The main difference is that as a sources-based distribution, they do not compile binaries for you. They only provide source packages for you to compile yourself. Compiling them yourself allows you to know that the binaries you install are actually built from Gentoo's source packages, whereas when you install Trisquel's binary packages you cannot be 100% certain that they were actually built from Trisquel's source packages. However, if you do not trust Trisquel to compile binaries for you, I'm not sure why you would trust Trisquel to perform audits for you.

> Also I'm wondering if others worry about this like I do. Free software having open sources =/ no malware.

Yes, as some people learn about threats and social problems related to computing, they begin to obsess over all of the different ways in which they must trust others in order to use software. However, this is just the reality of participating in society. You must also trust others in order to eat most foods, receive medical care, use modern forms of transportation, learn about science and history, etc. Software freedom is a question of what kind of society you want to live in--how you want power, and by extension trust, to be distributed.

[1]: https://devel.trisquel.info/trisquel/package-helpers/tree/flidas/helpers

[2]: https://devel.trisquel.info/trisquel/ubuntu-purge

[3]: https://nvd.nist.gov/

Beko
Joined: 08/31/2019

Thank you for your incredibly detailed response chaosmonk!

I've been thinking in a first-principles mindset for a bit. I was beginning to wonder how computers are like icebergs with much of the mass hidden underneath the userspace. I don't see it much, therefore I don't think of it as much, but I want to learn more about it.

From BIOS to kernel to OS to userspace, a lot of code runs on the computer that I have no knowledge of. A big reason I wanted to switch to free software was so that I would be able to understand what is running on my computer 100%.

I began to wonder about whether or not I could theoretically make a computer which would have source code only compiled by myself. What would that look like, would it even be usable? I have no clue.

For the sake of keeping text compact I'll only quote the beginning of your answers with an ellipsis.

> Ubuntu is a software distribution...
> This would mean 2-3 unpaid volunteers...
> The difference between Trisquel and Ubuntu...

I see what you mean here, that it is for practical purposes that neither Ubuntu nor Trisquel can audit such large volumes of packages. Later when you said--

> Gentoo is also a software distribution...

I never meant to say that I have a trust problem with Trisquel compiling binaries. It seems I did not understand how Gentoo worked. I thought that the user would download a 'package', personally inspect the source code, then compile and install. Thus knowing, even the internals, of everything installed on the computer.

> In theory, yes...

VLC release-->Debian Unstable-->Stable-->Ubuntu-->Ub LTS--> Trisquel. You make an excellent point here. I believe that this is due to the LTS nature of Trisquel though, would a long chain such as this exist in arch-derivative repositories as well?

> Software freedom is a question of what kind of society you want to live in--how you want power, and by extension trust, to be distributed.

A perfect world would be in a trustless one, I really do wish I could just go through every single bit of source prior to installing something. I would probably blow my brains out somewhere along the way though.

I've dived way too deep into the rabbit hole. I see that the conflict between pragmatism and idealism here. Thanks for setting my mind at ease :)

chaosmonk
Joined: 07/07/2017

> It seems I did not understand how Gentoo worked. I thought that the user would download a 'package', personally inspect the source code, then compile and install. Thus knowing, even the internals, of everything installed on the computer.

A Gentoo user has the *option* of inspecting the source code of a given package before compiling, but they are not forced to, and they certainly don't have time to do this for every package. Compiling from source yourself ensures that the resulting binary corresponds to the source code, but does not otherwise make that source code itself more secure. It provides other advantages though. For example, sometimes a program can be configured with different compile-time options. With a binary-based distribution, the package maintainers decide these for all users. With a sources-based distribution, each user can configure the package to best meet their own needs.

> VLC release-->Debian Unstable-->Stable-->Ubuntu-->Ub LTS--> Trisquel. You make an excellent point here. I believe that this is due to the LTS nature of Trisquel though, would a long chain such as this exist in arch-derivative repositories as well?

A rolling distribution is quicker to accept new versions of upstream packages, so yes, it's generally more likely for an undesirable change to make it into a rolling distribution before it is discovered and fixed than into a stable distribution. The undesirable change is usually an unintentional bug rather than an intentional vulnerability introduced by a malicious developer, but the trade-off between enjoying newer features and avoiding regressions comes into play in either case. However, even rolling distributions like Arch generally track upstream releases, not individual commits, so there is still a chance for contributors, users, and observers to spot issues before they make it into the distribution.

> A perfect world would be in a trustless one

Trust comes with risks, but also allows for cooperation, without which people are isolated and weak. Be smart about who, how, and when you trust, but don't become paranoid and misanthropic.

> I've dived way too deep into the rabbit hole. I see that the conflict between pragmatism and idealism here. Thanks for setting my mind at ease :)

Skepticism can be healthy, and you wouldn't want to swing too far in the other direction and blindly trust all software under a free license. Just treat computing like anything else and make the best decisions you can with the information you have.

Magic Banana
Joined: 07/24/2010

> However, this just the reality of participating in society.

Adam Smith agrees:

> The woolen-coat, for example... is the produce of the joint labor of a great multitude of workmen. The shepherd, the sorter of the wool, the wool-comber or carder, the dyer, the scribbler, the spinner, the weaver, the fuller, the dresser, with many others, must all join their different arts in order to complete even this homely production. How many merchants and carriers, besides, must have been employed in transporting the materials from some of those workmen to others who often live in a very distant part of the country! How much commerce and navigation in particular, how many ship-builders, sailors, sail-makers, rope-makers, must have been employed in order to bring together the different drugs made use of by the dyer, which often come from the remotest corners of the world! What a variety of labor too is necessary in order to produce the tools of the meanest of those workmen! To say nothing of such complicated machines as the ship of the sailor, the mill of the fuller, or even the loom of the weaver, let us consider only what a variety of labor is requisite in order to form that very simple machine, the shears with which the shepherd clips the wool. The miner, the builder of the furnace for smelting the ore, the feller of the timber, the burner of the charcoal to be made use of in the smelting-house, the brick-maker, the brick-layer, the workmen who attend the furnace, the mill-wright, the forger, the smith, must all of them join their different arts in order to produce them.
The Wealth of Nations, Modern Library Edition, pp. 12-13

Beko
Joined: 08/31/2019

> Trust comes with risks, but also allows for cooperation, without which people are isolated and weak. Be smart about who, how, and when you trust, but don't become paranoid and misanthropic.

Wise words, I hope I don't become misanthropic but I'm definitely already paranoid. I wonder things like how would the NSA secure their computers? I bet you they audit or even write their software in-house. Their threat level is probably the highest in the world... and how the US Navy releasing TOR to the public is such a power-move.

I meant digital-trust not like trust between people. For example I would trust your advice but that's not the same as trusting the [millions?][billions?] lines of code that run on a computer even if it is free software.

zigote
Joined: 03/04/2019

> a big reason I wanted to switch to free software was so that I would be able to understand what is running on my computer 100%.

Free software is a concept of software development and licensing. It is not a method aimed to educate the user. To learn how all things work you must start with hardware, then learn about software in relation to it and to the actual needs etc.

100% is impossible. Nobody knows 100%. There is no such thing as complete knowledge.

> I began to wonder about whether or not I could theoretically make a computer which would have source code only compiled by myself. What would that look like, would it even be usable? I have no clue.

Note that to *make* a computer you need much more than just compiling source code. To *use* a computer you take one made by others and it runs code on various chips. Not all of that code is available as FOSS. It has been discussed on these forums many times that as of today such perfect system doesn't exist.

If your theoretical goal is to have a fully verified computer (which your questions seem to imply) that would need many lifetimes and a time-frozen isolated world where the computer (incl. any form of software) does not change. Even if that was possible it would be completely useless - computers should serve people, not the opposite.

> A perfect world would be in a trustless one

Ideals are a mental concept. Trusting nobody and nothing is hardly perfect or healthy (or sane). Doubt can help to understand but it can also be a poison. So doubt the very doubt too.

> I meant digital-trust not like trust between people. For example I would trust your advice but that's not the same as trusting the [millions?][billions?] lines of code that run on a computer even if it is free software.

Actually it is the same. Thought is playing tricks with itself choosing to relax in familiar things which it considers secure and to be nervous about things it does not understand. It always looks for security in knowledge but as I said above: there is no complete knowledge, so thought can never be secure and is always neurotic. That's why it invents more and more complicated systems, then more sophisticated hacks for its own inventions. The very computers are such systems.

Beko
Joined: 08/31/2019

> It has been discussed on these forums many times that as of today such perfect system doesn't exist.

Could you please link one of the threads you mention? I'm very interested in reading more about this. I wouldn't know what to search.

> Ideals are a mental concept. Trusting nobody and nothing is hardly perfect or healthy (or sane). Doubt can help to understand but it can also be a poison. So doubt the very doubt too.

Yes but in reality when face-to-face with someone, or even someone you may have known online for months, trust can be established. Especially over time once you get to learn, know and understand the other person's mannerisms. Whether they are trustworthy can be something as simple as keeping a tiny secret.
Computers' code trust would be like a web-of-trust whereby, if I know, meet or trust some developer of software and personally get their gpg pubkey, I can then safely say that I have the intended software by checking to see if it is signed. When verifying Trisquel, for example, I do not know if the keys obtained online are valid and true keys. Unless I meet one of the developers it is impossible to verify.

zigote
Joined: 03/04/2019

> Could you please link one of the threads you mention?

I don't keep/remember them. You would have to browse. It won't be difficult as many threads end up discussing this.

> Yes but in reality when face-to-face with someone, or even someone you may have known online for months, trust can be established.

Still the same - you choose to trust based on what you know.

> Computers' code trust would be like [...]

> When verifying Trisquel for example, I do not know if the keys obtained online are valid and true keys. Unless I meet one of the developers it is impossible to verify.

If you believe that PKI cannot be trusted unless you meet and know well enough the person F2F, then you should stop using computers and anything in the modern world (as it is the result of using computers) today and move to live in a cave.

Let me ask you something:

How do you know that 6*5=30? Do you know the man who said it well enough? Or have you verified personally that when you put 6 things on 5 places and you count them you will get 30? Also considering that you don't know me personally (and perhaps nobody else on this forum) - why would you trust any answer which you receive from us? Similarly: how do you think anyone would open yourself to you (so one can receive your trust) if you trust only what/who you know and cannot trust anyone you don't?

Beko
Joined: 08/31/2019

> How do you know that 6*5=30?

The axioms of mathematics dictate the rules. Math is completely arbitrary, and is a result of agreed-upon axioms.

Wikipedia says "An axiom or postulate is a statement that is taken to be true, to serve as a premise or starting point for further reasoning and arguments."

What would the axioms of computing look like?

> If you believe that PKI cannot be trusted unless you meet and know well enough the person F2F

I believe PKI CAN be trusted, I use Trisquel and I verify from the sha256sum file on jenkins.trisquel when I download the iso. This is because the effort to intercept my connection between the trisquel servers, forge sha256sum, keys and iso is too costly.

I'd also like to link this : https://www.gnupg.org/gph/en/manual/x547.html
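The sha256sum check described above, as an added example that is not code from the thread or from Trisquel: it parses the `<hex>  <name>` lines that `sha256sum` writes, checks files the way `sha256sum -c` does, and then shows why the hash alone settles nothing. Whoever can replace the image can replace the sums file too, so the check passes unless the sums file's signature (the `gpg --verify` step) is checked against a key obtained out of band. File names and contents are constructed.

```python
import hashlib
import os
import tempfile


def parse_sha256sums(text):
    """Parse the `<hex>  <name>` lines written by sha256sum.

    A leading '*' on the name marks binary mode and is dropped, as
    `sha256sum -c` does. Blank lines and '#' comments are ignored.
    """
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed sha256sum line: {line!r}")
        digest, name = parts
        entries[name.lstrip("*")] = digest.lower()
    return entries


def sha256_of(path):
    """Stream the file so a multi-gigabyte image does not land in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def check_sums(sums_text, directory):
    """Return {name: 'OK' | 'FAILED' | 'MISSING'}, mirroring `sha256sum -c`."""
    results = {}
    for name, expected in parse_sha256sums(sums_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
        elif sha256_of(path) == expected:
            results[name] = "OK"
        else:
            results[name] = "FAILED"
    return results


def demo():
    """Constructed scenario: a genuine image, a tampered image checked
    against the genuine sums file, a tampered image checked against a
    sums file the attacker regenerated, and an entry for a missing file.
    """
    name = "trisquel-example.iso"  # constructed file name, not a real release
    with tempfile.TemporaryDirectory() as d:
        iso = os.path.join(d, name)
        with open(iso, "wb") as f:
            f.write(b"GENUINE IMAGE BYTES")
        genuine_sums = f"{sha256_of(iso)}  {name}\n"
        verdicts = {"genuine": check_sums(genuine_sums, d)[name]}

        # Attacker swaps the image but cannot touch the published sums file.
        with open(iso, "wb") as f:
            f.write(b"TAMPERED IMAGE BYTES")
        verdicts["tampered_image"] = check_sums(genuine_sums, d)[name]

        # Attacker also rewrites the sums file: the hash check now passes,
        # which is exactly what only the signature on the sums file catches.
        forged_sums = f"{sha256_of(iso)}  *{name}\n"
        verdicts["forged_sums"] = check_sums(forged_sums, d)[name]

        absent = "0" * 64 + "  not-downloaded.iso\n"
        verdicts["missing"] = check_sums(absent, d)["not-downloaded.iso"]
    return verdicts


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:15} {verdict}")
```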

zigote
Joined: 03/04/2019

> The axioms of mathematics [... ] Wikipedia says [...]

Did you ignore my last 2 questions deliberately?

The questions I put are not a request for quoting Wikipedia (or whatever source) but to ask yourself. You want to approach things by doubting everything and not trusting anything but you seem not ready to question the very ground. The moment you are asked to you simply find another well known ground and (kind of) argue that it is something different. But without questioning the ground you will never go deep enough and will always have to trust.

Alright then ask this: why not question axioms? Lobachevski did that and created a whole new branch of mathematics which moved the whole mathematics forward. If he merely assumed that axioms are something given and fixed that would not happen.

Maybe the question is how far do you want to go.

> What would the axioms of computing look like?

Computing is rooted in mathematics and logic.

> I believe PKI CAN be trusted, I use Trisquel and I verify from the sha256sum file [...]

OK, so you trust PKI and SHA-2. (SHA is not PKI but anyway)

So I am asking:

Why do you trust SHA-2? Do you know it is designed by NSA? I.e. did you trust it before knowing that or would you trust it after knowing that?

(just giving you food for further doubts :p)

> How low can you go, before hitting non-free software? Can you change the microcode on the CPU and edit it at a machine-code level. I agree that since a "perfect" computer cannot exist, at what points are the non-free elements introduced?

The "perfect" computer based on your criteria is Talos II with POWER9. But peripheral devices include non-free elements.

Masaru Suzuqi -under review-
Joined: 06/06/2018

I would like to ask your thought about this happening.

https://trisquel.info/en/forum/chess#comment-145507

> Computing is rooted in mathematics and logic.

andyprough
Joined: 02/12/2015

It seems to be beyond computing. An angel or a demon could possibly do that move.

Beko
Joined: 08/31/2019

> (SHA is not PKI but anyway)

I wrote that sentence incompletely; I apologize, I'm not too familiar with PKI. I gpg --verify every iso I download. I sha256sum as well.

> Did you ignore my last 2 questions deliberately?

Sorry, I felt overwhelmed; the entire last paragraph was questions :)

The human mind can only make about 150ish connections according to Dunbar's number.
Sorry to link Wikipedia again https://en.wikipedia.org/wiki/Dunbar%27s_number

There seems to be a literal cap on the number of people that can be truly trusted, and known by every person. I can trust the people on the forums because the same people have been posting for months. Like in a big city, lots of people you know little. Versus a small town with few people you know well.

> Why do you trust SHA-2? Do you know it is designed by NSA? I.e. did you trust it before knowing that or would you trust it after knowing that?

I did not know that, but it doesn't change my opinion.
TOR was made by the US Navy, the arpanet was a Department of Defense network, GPS also from Department of Defense. This doesn't make them untrustworthy necessarily. It all depends on if the computers can function trustlessly. TOR tries to be as trustless as possible by dividing information between nodes, thus trusting each node as little as possible.
TOR without a doubt, undoubtedly has been checked or audited by countless people because it is so vital for people under authoritarian regimes. Even though I have not personally gone through the source-code, I know that the law of large numbers would state such a VIP package is thoroughly checked.

> The "perfect" computer based on your criteria is Talos II with POWER9. But peripheral devices include non-free elements.

Which devices include non-free elements?

zigote
Joined: 03/04/2019

> I can trust the people on the forums because the same people have been posting for months.

Then you might be an easy victim. Example (just one of many): Politicians talk and repeat things for many months (especially before elections), exactly so that you can trust them based on the same principle - familiarity. At the same time many of them do the opposite of what they proclaim behind the curtains.

The fact is that you cannot possibly know anyone because a person is a living entity, i.e. moving/changeable/influence-able. So what you know today may have no value tomorrow. And computers and software are made by people (ones who will never even meet).

> I did not know that, but it doesn't change my opinion.

The actual question here is how opinion is formed and what value it has. You speak of perfection as something with zero trust, you question the FOSS packagers but at the same time you trust the products of some of the most malicious entities. This self-contradiction makes doubting really meaningless. Perhaps you should ask first: What is your goal? What are you protecting?

> Which devices include non-free elements?

Almost all devices today need firmware which is almost always proprietary - storage, video cards, USB devices etc.

*Side note: it is correct to write Tor (not TOR):
https://support.torproject.org/about/why-is-it-called-tor/

Masaru Suzuqi -under review-
Joined: 06/06/2018

>> Which devices include non-free elements?

> Almost all devices today need firmware which is almost always proprietary - storage, video cards, USB devices etc.

So since you seem to be extremely familiar with "all devices" in the world, and that means there are only a few devices which are not proprietary, it would not be so difficult for you to make a list of those non-proprietary devices, I guess? I would appreciate it if you could provide us the short list. We would not have to ask such kind of stupid question anymore if you show it to us once. Or is there already that kind of list? Maybe on the FSF website or somewhere?

zigote
Joined: 03/04/2019

> So since you seem to be extremely familiar with "all devices" in the world

When I wrote "all devices" that didn't mean "I am extremely familiar with each and every device in the world". It is simply quite common for device manufacturers to use firmware and microcode in their products. It is generally assumed that they are part of the hardware but in the context of what we discuss here - it is still proprietary code.

The rest of your question got answered already. There may be other devices too which are not on FSF's RYF list but I don't know which they might be.

Masaru Suzuqi -under review-
Joined: 06/06/2018

I don't get it well. I have a librebooted X60s and X200. From this link (https://ryf.fsf.org/products), it seems that some manufacturer sells some PCI card and PCIe card. But I have not replaced those PCI or PCIe or something, including the keyboard, the microphone, the video card, SSD
(> Almost all devices today need firmware which is almost always proprietary - storage, video cards, USB devices etc.)
etc. with those libre peripheral devices. Does that mean my X60s and X200 are not libre machines? Do I need to buy those PCI or PCIe or video card if I want the perfect laptop?

> It is simply quite common for device manufacturers to use firmware and microcode in their products.

Were the firmware and microcode in my X60s and X200 replaced with libre ones when I librebooted those laptops?

> The rest of your question got answered already. There may be other devices too which are not on FSF's RYF list but I don't know which they might be.

So you agree that the FSF's RYF list is a good list of libre devices, even if not a perfect one. I understand it. But is there any difference between those RYF X200s and mine? Those RYF X200s' peripherals (keyboard, video card, etc.) and microcode and firmware are replaced with libre ones while mine are not?

> It seems to be beyond computing. An angel or a demon could possibly do that move.

I think it was Google's advertisement, though it was a good move. But I was not sure if that move was so great from the viewpoint of computer professionals, so I asked. How is it beyond computing?

Magic Banana
Joined: 07/24/2010

> Could you please link one of the threads you mention?

https://trisquel.info/forum/purism-announces-specifications-librem-5-smartphone comes to my mind.

Magic Banana
Joined: 07/24/2010

> Free software is a concept of software development and licensing. It is not a method aimed to educate the user.

A list of freedoms defines "free software". Among them, the freedom to study how the program works has consequences on education, especially education in programming: https://www.gnu.org/education/

"Free software" does not deal with software development. "Open source" does.

Beko
Joined: 08/31/2019

https://www.coursera.org/learn/build-a-computer#syllabus

This is what I mean, if you check the syllabus on this course it explains computers from the ground up. I can't load too much of the site because no-JS.

The trustless computer I refer to is something where I can get the parts, the source-code, compile myself and then install.

How low can you go, before hitting non-free software? Can you change the microcode on the CPU and edit it at a machine-code level. I agree that since a "perfect" computer cannot exist, at what points are the non-free elements introduced?

I know that for practical purposes it is impossible for me to manufacture boards and chips. If those were purchased, would the motherboard have any non-free code aside from the BIOS? Would the CPU have any non-free microcode if it's a Core 2 Duo or prior? Would something as simple as the power button have 'code'? Where is the line drawn?