GPL licenses and spyware/malware

3 respostas [Última entrada]
Davide0
Desconectado
Joined: 12/01/2015

Hello to everyone! I would like to talk about FSF and GNU GPL licenses. The fact that a free software is open and has GPL license does not automatically imply that it's spyware and/or malware free. Does exist something that can guarantee that a free software is secure or that it doesn't spy you? I mean, a programmer can easily check the source code, but everyone else does have to call a programmer to check the code (that is maybe hundreds of lines of code)?
I don't want to asperse the free software movement, I love it and thakfully is existing! I just want to be more informed.

onpon4
Desconectado
Joined: 05/30/2012

There's no such thing as a perfect defense. The only defense is your freedom to check. In practice, that means that malware in libre software is very, very rare.

loldier
Desconectado
Joined: 02/17/2016

I think the license tells verbatim that it is available "as is". No warranty.

I don't think the license implies anything is guaranteed malware free. You'll have to trust your distributor (such as Trisquel). The only way to know if it's been tampered with is to check and compare the signatures. That will only tell you if the transfer was successful and the repository package legitimate. The only way to be sure is to read the source code yourself or write your own code.

OpenBSD "guarantees" that all base system code has been properly audited. I don't think any GNU/Linux distribution gives such promises.

chaosmonk

I am a member!

I am a translator!

Desconectado
Joined: 07/07/2017

> Does exist something that can guarantee that a free software is secure or that it doesn't spy you?

If by "something" you mean a license, then I don't think so. A license defines the terms of use/modification/redistribution of the software. It's not really used for making promises about properties of the software.

Even if a developer does make such a promise, a promise is not reliable. The developer could be lying. The developer could have different values (Chrome is spyware in my opinion, but I doubt Screwgle would describe it as such). There are some things that the developer can't promise at all, such as that there will never be any security bugs.

In order to know for certain that software is not malicious or flawed, there is no way around using freedom 0.

Software freedom helps avoid malicious antifeatures in two ways:

(1) It allows us to find them and remove/modify them. As you note, this requires someone to first exercise freedom 0 and audit the source code.

(2) Because of (1), free software developers are less likely to implement malicious antifeatures. In doing so, they risk getting caught, losing credibility, and having their software forked. If a developer wants to slip something by their users, the best way for them to do that is to make their software proprietary, which is what they almost always do.

So not only is it possible to find and fix problems in free software than proprietary software, but there are also far fewer problems in the first place.

There are exceptions, of course, which is why (1) is important. If someone is not a programmer and cannot help with (1), the best way to contribute is to help strengthen (2) by loudly rejecting malicious antifeatures in free software. For example, when Canonical implemented surveillance in Ubuntu, Stallman and others complained. In response, Canonical removed the spyware, and they and other developers will now be less likely to try something like that again. However, there were other people defending Canonical, and if their voices had been louder then the spyware might have remained and emboldened Canonical and other developers to include more surveillance in free software.

As Stallman says[1] regarding the Ubuntu issue,

"We who present free software as a defense against malware do not say it is a perfect defense. No perfect defense is known. We don't say the community will deter malware without fail. Thus, strictly speaking, the Ubuntu spyware example doesn't mean we have to eat our words.

"But there's more at stake here than whether some of us have to eat some words. What's at stake is whether our community can effectively use the argument based on proprietary spyware. If we can only say, 'free software won't spy on you, unless it's Ubuntu,' that's much less powerful than saying, 'free software won't spy on you.'"

[1] https://www.gnu.org/philosophy/ubuntu-spyware.html