Is tails a libre os?

39 replies [Last post]
tomlukeywood
Offline
Joined: 12/05/2014

Tails seems to be compleatly license under the gpl
https://tails.boum.org/doc/about/license/index.en.html
so why is it not promoted on gnu's website?:
https://www.gnu.org/distros/free-distros.html

dose it include non-free firmware?

onpon4
Offline
Joined: 05/30/2012

> dose it include non-free firmware?

Yes.

tomlukeywood
Offline
Joined: 12/05/2014

thats not good for a distro about protecting your privacy
how can you know what information your giving away if your using non-free software?

ill just use a gnewsense usb stick with tor then.

Chris

I am a member!

Offline
Joined: 04/23/2011

It would be better if Tails did not include any non-free software. Unfortunately they are targeting people who may be using PCs not under the users control (people who may be using a computer at and internet cafe for instance). That use case makes it difficult to exclude non-free driver/firmware software as near everybody here knows or should know most computers are not free software friendly.

That said your absolutely right. The non-free software included in Tails is a security risk. Fortunately for those who are not utilizing PCs dependent on non-free software it shouldn't load.

Tails has cleaned itself up a bit over the years. For example Tails added TrueCrypt, but later decided to remove it over licensing and closed development issues if my recollection serves me right. While all the code to TrueCrypt is/was available during its lifetime it didn't or at least may not have met free software licensing standards. It used a non-standard license which the intent of was not clear-but in it said something to the effect for 'academic purposes'. TrueCrypt itself was developed in a closed way. While the code for each release was available there was no public trail to audit which makes auditing as-things-go impossible (this is the only way to do it easily/properly in my view- and the Tails developers seem to agree).

We know that one of the original developers who wrote code that eventually turned into TrueCrypt was pro release of source and considered any encryption software that did not reveal the source to be something you could not trust. Most people won't recall this as it pre-dates TrueCrypts existence/popularity under the name TrueCrypt. What most people also don't know is TrueCrypt is derived from the source code of two different applications. It's popularly believed TrueCrypt is derived from from E4M, but there is another application called Scramdisk. It was the later which I can confirm was pro-release of source. SecurStar eventually bought the merged software, but there was already source released under the quasi-free license. I firmly believe SecurStar's claims over total ownership to be fraudulent in some respect as the code was already licensed such that it could be modified and redistributed by others. I do believe they bought the copyright to the code however. I always thought the company never really understood what it had bought. The developers who sold the code may have mislead or not revealed the licensing. However it seems they should have done there research. The developers did shut down the site and it was not for a year or more later that TrueCrypt came about. The only thing I'm not sure about is the GNU/Linux code base. This was never released from my recollection as it was unfinished at the time the code was sold. I don't know if the developers licensed it without publishing it and therefore considered it OK to use or if it was re-written or what. None of this is public information. That is what was sold exactly.. etc. I myself have no inside knowledge on this.

The problem with using Trisquel + Tor Browser Bundle or a similar 100% free setup is that you won't gain the benefit of utilizing an identical set of software to that of the majority of users. This means you'll lose some of the protections that Tails offers. I don't know there is a real-world solution to this problem as getting rid of the non-free software will shrink the user base and Tails will become useless or less anonymous. As it stands Tor does not really have enough nodes or users. More people need to use it to improve the anonymity of the user base- and preferably with the same or similar set of software/hardware.

marioxcc
Offline
Joined: 08/13/2014

Taking a glance at their web page Tails looks like a GNU/Linux distribution and I found several important problems with it:

*It asserts to be licensed as a whole under the “GNU/GPL (version 3 or above)” (sic). There are 2 errors with this: The license name is abbreviated “GNU GPL”, not “GNU/GPL”. In “GNU GPL” “GNU” modifies “GPL”, just as in “computer hardware”. The slash doesn't has this meaning and therefore is used in “GNU/Linux". See The GNU/Linux FAQ. This is by itself a minor problem, but it suggests that the maintainers are sloppy about licensing, and indeed they are, because there is software in GNU/Linux which isn't under that license or any compatible, including Linux and OpenSSL. Maybe they're not aware that the copyleft requirement of the GNU GPL doesn't applies to other works in aggregates (Such as distributions images, hence it's possible to distribute GPL-incompatible software).

*They call the operating system for its kernel, a confusion that has corrupted nomenclature to the point that some people postulate that there's a different entity called "Linux kernel". Linux (the kernel) programmers often do this, while they should be the first in rectifying this mistake. It's a pity, but nothing else can be expected from people who is happy to allow their software to be damaged by including proprietary software within it.

*It's based from Debian, and since Tails developers don't seem interested in making a fully free distribution or even getting licensing right, I doubt they're removed the recommendations of proprietary software that Iceweasel and Linux (for instance, there may be more software like this) produces, even though the Linux version of Debian in the “main” section doesn't contain proprietary software AFAIK. Also, they have likely not removed the invitation of Linux, Iceweasel, and other programs to install proprietary software and may include the contrib and “non-free” Debian repository. Also, some packages in Debian “main” are not free according to the FSF, but they're good enough for Debian. Debian is the project that supports, adverstises, develops and distributes proprietary software which “isn't a part of the system”, if they haven't done anything to remove this hypocrisy, then it's still there and they're making the same mistake. I don't know which if any of the points in this paragraph applies.

Edit: to clarify, I don't know if Tails is fully free, but at a glance it seems unlikely. You should do your own research. I raised some points that you may take as your starting point. I'm confident that it doesn't meets the free software guidelines because of the mistake of calling the whole OS "Linux" in its official documentation. You might want to contact them and ask them to make a fully free distribution, reminding them of the moral reason and practical reasons (especially security-related) to use only free software.

Regards.

Chris

I am a member!

Offline
Joined: 04/23/2011

The problem is the projects use-case makes eliminating the non-free software difficult. I think they'd likely agree that the non-free software is a security risk and the licensing is problematic. They've chosen to remove TrueCrypt as an example for similar issues. While not closed in nature (the source code is available) it is not in line with free software license standards. This is in part because of things that happened a long time ago prior to a lot of the standardization and the fact the copyright was sold to a company that isn't going to re-license it. You can only develop under an out-of-date incompatible license as a result.

The best thing to do in this situation is talk to the Tails developers. Maybe post a bug report. Some of these bugs might actually get fixed over time and some of these "bugs" may already have been filed. Somebody might be working on them. However you need to look into it. I keep tabs on the Tails project, but am in no way involved in development- nor do I keep tabs on the bug reports. At best I've read bug reports from time to time. I am on both the Tor and Tails mailing lists-merely as a passive observer.

Chris

I am a member!

Offline
Joined: 04/23/2011

There are advantages to using Tails for the use-cases Tails covers. You lose anonymity by deviating software/hardware. So by using Tails you have a larger pool of users to hide between compared running it on Trisquel and at best being able to blend in with a handful of users.

There are other advantages as well. Tails includes firewall rules which prevents accidental leaks. It's not a distribution you would want to use all-the-time. It's overly restrictive by default to protect its users from attackers. They aim to do things like security hardening, sandboxing, and similar which protects users who really need anonymity. Not just people who are trying to protect themselves from advertisers.

I do think removing non-free drivers from the distribution would be a good move. However I think it might also hurt the ultimate real users who actually need this software- as opposed to those of us who just want a little extra anonymity- but don't have a government coming after us for saying the wrong things.

If you do not need the level anonymity that Tails aims to provide Rubén has attempted to add at least some support for Tor to Trisquel already. I'd be more weary of it for anything more than more casual anonymity (like, if they find out who you are your lifes not going to be over). Keep in mind that Tails needs people also who are not doing anything that would attract attention to. Without such users governments and the like can simply assume all those using Tails/Tor/etc are people they need to watch out for.

SuperTramp83

I am a translator!

Offline
Joined: 10/31/2014

Tails is excellent at protecting your privacy and anonymity - it is actually the best and most powerful tool we have beacuse it is preconfigured with several security enhancements.
It is not 100% libre for it is targeted at a very large audience. It is more important to them to give anonymity to a as larger as possible base of users then to make a 100% libre os.
I would certainly like it if it was libre. If you know how to make a live trisquel as safe as tails go ahead (mac address spoofing for example); if you don't, stick with tails - it is as safe as it gets!
cheers

tomlukeywood
Offline
Joined: 12/05/2014

but if tails includes non-free software
then how can you be sure its private?
how do you know what that software is doing if you cant see the source code?

quantumgravity
Offline
Joined: 04/22/2013

Exactly, it's a contradiction. With non-free code, tails provides neither freedom nor privacy - so it doesn't satisfy anyone except people who don't know better and believe it makes them anonymous.

Chris

I am a member!

Offline
Joined: 04/23/2011

Has anybody actually confirmed what non-free software is in Tails? I don't think it is as much of a security threat as it is a freedom-threat. I'm pretty sure they're primarily only including non-free firmware. While that is not good it's not loaded unless your using a system that already has devices that are dependent on non-free software.

SuperTramp83

I am a translator!

Offline
Joined: 10/31/2014

It does not include non free software - basically it's debian (open source, so you can read the code and free software) -- but its kernel it's not deblobbed so if you use the module of the kernel in order to make for example your ati graphics card work you are using a binary blob and you don't know what that little part of tails is really doing.. And that could certainly screw you..
That is my understanding but I may be wrong.
Anyway, unless you have a completely open hardware (no proprietary bios, no proprietary firmware and all the hardware backdoors that is shipped on every pc nowadays) you can't really be safe nor sure..
Lets not forget that this november more then 400 deep web hidden services vere seized down and a lot of dudes are now in prison!
We are at a state now where real anonymity in the long run is simply not possible.
cheers

quantumgravity
Offline
Joined: 04/22/2013

It *does* include non-free software. I guess you mean it doesn't include proprietary programs on top of the kernel and that's right.
Clearly, the amount of proprietary code included in tails is very small.
But who is using tails? People who really want to stay anonymous, and some of them even _need_ to stay anonymous.
Are those people gonna say "ah come on, a tiny bit doesn't matter anyway?".

However, maybe it's ok for those people to use tails with hardware that doesn't depend on non-free binary blobs. Afaik in that case, the proprietary code will just lie on the hard disk and not get executed.
But how can one be sure?
I wouldn't rely on that.

If i really needed reliable anonymity, I guess i would go with a gluglug + trisquel on a usb stick + tor browser bundle.

Legimet
Offline
Joined: 12/10/2013

Why not just remove the firmware from the image?

GNUser
Offline
Joined: 07/17/2013

gluglug laptop + trisquel + tbb would be a good start... but not the end of it.
If you wanted to have a secure system that could protect your private communications you would have to go a greater lenght.
I would suggest:

1. firewall, close all ports except 80 and 443.
2. use tbb, thunderbird with torbirdy, pidgin with tor settings.
3. use apparmor profiles in each of these apps. Whonix has good starting profiles if you want to work on it.
4. download libre linux kernel, patch it with grsecurity patches, install.
5. add encryption (full disk and GPG encyrption).
6. Set up RAM secure clean in shutdown.

Without this, your system would be a easy target.
Also, nothing beats the fact that someone can just kidnap you, beat the shit out of you, and force you to tell them your password. So, a good home security alarm is a good thing to add :)
Does anyone know a good alarm to the house that works with free software??

Chris

I am a member!

Offline
Joined: 04/23/2011

See- here is the problem. Your suggesting people take steps that are way beyond the average user and will actually reduce the anonymity pool. That is also a security risk. This is why Tails is needed. Despite this Tails is not even that easy to use despite it doing a lot of these things. You still need to know how to update it, etc. Which is not that easy for a typical user. I have quite a bit of first-hand experience with people using Tails and it's not something that is that easy to use. Even when your buying hardware for use with Tails and the hardware works out of the box. You still have to keep Tails up to date, etc. I believe it is getting better, but unfortunately I'm not an at-risk user- nor do I have the time to use it. I have though experience with Tor and the underpinnings of Tails and the technology behind much of it.

GNUser
Offline
Joined: 07/17/2013

Agree. As you can see I was replying to quantumgravity post. I actually meant to say that security and privacy are not easy to obtain. All the steps I mentioned are not THAT hard, but they are nearly impossible to some friends of mine that have the idea that computers were made to run facebook :P
TAILS is a good system for it's specific user-case. The one I recommend when needed. BUT if you are a more "power user" and want to have your own system tweaked to your liking and still need some basic/not-so-basic protection, I think my suggestions might be a good starting point.

And anyway, the strongest password is weak against a hammer hitting your head until you give up the password :P
I only do these things because I don't want some lousy kid on my neighborhood to spy on me because I took 0 steps to protect myself.

tomlukeywood
Offline
Joined: 12/05/2014

how do you get the libre-linux kernel?
dose debian 7 come with it by default?

marioxcc
Offline
Joined: 08/13/2014

Hi.

I think that chris means Linux-libre, which you can get from <http://www.fsfla.org/ikiwiki/selibre/linux-libre/>. Debian doesn't uses Linux-libre, but it removes the proprietary part of Linux and puts it in the “non-free” section of their repositories, give support to in their communication channels, and then claim that it's “not part” of their system. (See <http://jxself.org/debian-doubletalk.shtml>).

GNUser
Offline
Joined: 07/17/2013

Yes, when you install Debian you install only FLOSS. Just like Trisquel.
Then you can install non free software if you want to. Just like Trisquel.
So, I don't understand why so much hate towards Debian (without which, Trisquel wouldn't exist).

But yes, I was referring to that kernel, you can download it and patch it and install it in any distro you use, but if you want a 100% FLOSS OS, you should do so in Trisquel, Debian, or another FLOSS distro.

quantumgravity
Offline
Joined: 04/22/2013

Be careful to call debian a floss system in here because thanks to the new voting system, your post gets banned to limbo in no time :P
I'm speaking from personal experience!

GNUser
Offline
Joined: 07/17/2013

I know :P This voting system is just ridiculous, but I won't stop saying what I believe in just because someone can censor me.

Also, this voting system might prove more harmful to the forum than to me. I do know a thing or two about scripts, and it would be very easy to turn the entire forum down with a couple of them, using the voting system.

But I would have to be in a very very very very very bad day to do such a thing :) So don't worry.

lembas
Offline
Joined: 05/13/2010

> Yes, when you install Debian you install only FLOSS. Just like Trisquel.
Then you can install non free software if you want to. Just like Trisquel.
So, I don't understand why so much hate towards Debian (without which, Trisquel wouldn't exist).

Here we go once again.

https://www.gnu.org/distros/common-distros.html#Debian
https://gnu.org/distros/optionally-free-not-enough.html

The difference is unlike Debian Trisquel doesn't advertise nor distribute proprietary software.

Also if Debian was free, we wouldn't need to have Trisquel.

jxself
Offline
Joined: 09/13/2010

"Also if Debian was free, we wouldn't need to have Trisquel."

I don't know about that. There is a benefit to have a free version of Ubuntu, regardless of Debian's own status.

onpon4
Offline
Joined: 05/30/2012

I actually want to point a couple things out:

Firstly, network cards aren't typically configured to have access to the rest of the system. Simply encrypt your data, and a network card running non-libre software can't do anything with it. If anything, your ISP is likely to be more of a threat to your privacy than proprietary software in a network card.

Secondly, firmware only runs on certain devices. If you don't have those devices that require proprietary firmware blobs on your computer, the blobs won't run anywhere. For instance, if I were to run Tails on my laptop, none of the proprietary software included on it would run.

Also, Tails doesn't use a kernel that was not deblobbed; it uses Debian's kernel, which is deblobbed, but also ships blobs, effectively adding these blobs back in. I'm not entirely sure, but I think it's likely that it only distributes the blobs needed by network cards, not blobs for full GPU support, since they added these blobs in on purpose specifically to make sure the system would be useful for as many people as possible (their reasoning probably being that a system designed to access the Internet anonymously is kind of useless if you don't have Internet access).

I want to note that I don't endorse Tails; it has no policy against non-libre software, and that's no good. It would be great if someone would do a similar live system that we could endorse. But I think some are exaggerating the potential damage to privacy caused by non-libre firmware blobs.

onpon4
Offline
Joined: 05/30/2012

Oh, one more thing to note:

I think the only proprietary software in Tails is now firmware blobs, but this wasn't always the case. In the past, it was distributed with TrueCrypt.

Chris

I am a member!

Offline
Joined: 04/23/2011

Back to what you were saying in the above post. The source code is available for TrueCrypt and the problem is standards / licensing issues mostly rather than security. However there is a security concern in the way TrueCrypt was being developed behind closed doors. I think the security issue could have been solved, but the free software issues could not, due to copyright ownership having passed over to a hostile entity and as such licenses could not be changed. This is why it's ideal for copyright assignments to be handed over to an entity like the Free Software Foundation, the GNU project, etc.

GNUser
Offline
Joined: 07/17/2013

My two cents:

TAILS is not a libre distro. It has been discussed in another thread. However, I maintain my opinion that it certainly is the best distro one can use in the specific user-case it targets, and they don't rely on just adding proprietary software for any reason, so it's not as bad as it may seem. Maybe it would be possible to develop a libre system similar to this one, but I never heard of such a system. If anyone wants to develop one, I believe TAILS devs would love to help.

quantumgravity
Offline
Joined: 04/22/2013

After reading onpon's post i actually have to agree.
All traffic is encrypted by default and if wifi firmware can't access the rest of the system, then it's no privacy threat.
On top of that you can just use a pc which doesn't need non-free firmware in the first place.

Chris

I am a member!

Offline
Joined: 04/23/2011

I don't think this is totally correct. Once the firmware loads it can pretend to be another device, capture keystrokes, etc. There is definitely potential for malice. We shouldn't exaggerate the risk though as it pertains to security. While it is a threat there are lots of threats to security/privacy on every computer. The most glaring one is the proprietary BIOS. However there are other pieces besides this on a modern system we should be concerned about. We definitely need something better than what exists today.

GNUser
Offline
Joined: 07/17/2013

A stupid question: is it so impossible to build your own computer? For me it sure is, but I wonder if a tech savvy person who is used to "mod" devices could do it.
Apparently there is a home made laptop for sale (about 1500€ IIRC).

Chris

I am a member!

Offline
Joined: 04/23/2011

Not really sure what you are asking here. I think it depends on what you mean by build. Do you mean assemble from pieces? You can certainly assemble a laptop from pieces, but changing any physical characteristics about those pieces requires mass production-level machinery.

GNUser
Offline
Joined: 07/17/2013

well, it was a two different questions in one thing.

1. Can I get different pieces and make them work together (as in connect a GPU and WIFI and MOtherboard that were not supposed to work together)?

2. Can I create a graphics card or a wireless card? As in, create it myself? Make the blueprint, create the circuit board, write firmware and flash it into it.... Is it POSSIBLE?

Chris

I am a member!

Offline
Joined: 04/23/2011

The answer to (1) is no. The GPU is integrated into the board. You would have to have a company with the machinery manufacture a lot of boards to make design changes. Even a small sample run (which is essentially what it sounds like the Librem people are doing) for quality control purposes is expensive. $250,000+ doesn't sound unrealistic.

The answer to (2) is no. The Librem project isn't designing chipsets and as an individual there is no way you could pull it off. The companies designing chipsets are billion dollar companies. Companies like Intel, Qualcomm, and AMD. Companies like Apple, Dell, and similar are at best taking reference designs, but even that's probably not going on in most cases. There are all sorts of regulations that have to be complied with and certifications to get. These are non-trivial projects and hugely complex systems. There are very few companies deigning chipsets. Most are merely designing boards with those chipsets on them and using reference designs from the company which designed the chipsets. There is little difference in many cases (or no difference) between products of different companies. At best you might find a company like ThinkPenguin which is actively engaged in software development or seeking source code/spec. But ultimately the hardware is largely the same under the hood and often the software is too.

You can often find nearly identical boards:

For example the original CubbieBoard vs Banana Pi vs Odroid-C. The boards are very similar although not entirely identical. However in many cases the boards are identical. The board we use in our router for example can be found in several other routers which have been on the market (not necessarily currently available, but at one time or another). The differences might be as little as a change of the logo in the firmware- or the change of a logo in the driver install program (on some operating systems where you actually need to install a driver anyway). You can even find the same combination of chipsets in laptops in fact that are found in desktop/mini-boards if you look around a bit. Particularly if your looking at different world markets.

SuperTramp83

I am a translator!

Offline
Joined: 10/31/2014

>I think the only proprietary software in Tails is now firmware blobs

right on onpon4!! that is exactly what I was saying.

>TAILS is not a libre distro. It has been discussed in another thread. However, I maintain my opinion that it certainly is the best distro one can use in the specific user-case it targets

totally agree with you gnuser!

JadedCtrl
Offline
Joined: 08/11/2014

I wouldn't trust Tails for anything important.

Chris

I am a member!

Offline
Joined: 04/23/2011

Out of curiosity what would you trust and why?

There are so many problems all over the place I have a hard time believing one should have more faith (from a security stand point) in Trisquel for instance than Tails. Tails does a pretty good job of keeping up on patching security-related bugs. It does a better job of being transparent than Trisquel. What do you consider when it comes to being trustworthy?

I personally have had my doubts about Tails and ability of those behind it (security expertise that is). However I think I've also been overly harsh. I don't exactly see the majority of developers maintaining good security habits. In fact a lot don't even take the minimum precautions. The Tails developers are at least pushing others to implement secure distribution channels, sign stuff, etc.

SuperTramp83

I am a translator!

Offline
Joined: 10/31/2014

Snowden used Tails for almost a year while he was stealing the docs and communicating with Poitras and others..
One would think that Mr. Ed knows a thing or two about computer security..
Several other experts suggest you use Tails if you have to do "anything important".
See, Tails routes every connection through Tor and if any connection tries to connect directly it gets blocked and that is the whole point of it.
Sure, every piece of software has bugs and holes but as far as I know Tails is the best

SuperTramp83

I am a translator!

Offline
Joined: 10/31/2014

trisquel is way better then ubuntu and much better then debian. a free and easy system and very nice looking too :)
p.s - once again i'll say this voting ridiculozzzz is useless and stupid. never used a single - or + , never will.
Don't use it and it will disappear!