How to be sure that the source code I see is the source code I get?
- Inicie sesión ou rexístrese para enviar comentarios
I just thought that most users of GNU/Linux systems don't compile the source code themselves.
There is someone who makes the job for them (I don't even know who this is exactly).
Isn't this really a mess, since it is not longer the programmer who controls the users, but the one who compiles the program?
It would be easy to implement malicious features without anyone knowing it.
I can study the source code and it is free of bad features - but how to be sure, that this is the source code of the program I run?
In this sense, not compiling the program myself does harm to many benefits of free software.
It's a good point - More people should be doing this, IMO.
If you set up your own automated build environment that's the same as what the distro uses to compile packages (like the same GCC version, etc.) then you can compile packages and make sure they have the same hash. If the hashes match you know the binary is the same. This is a difficult process though because you need to duplicate the setup of the build farm exactly.
A different package manager called GNU Guix makes this easier and I've been keeping an eye on that - http://www.gnu.org/software/guix/
That package manager seem neat.
If you don't care about matching hashes with the distro, then just grab the source code for everything, compile, and make your own Trisquel ISO, potentially even recompiling any other packages from the repository that you may need too.
El 23/04/13 11:02, name at domain escribió:
> It's a good point - More people should be doing this, IMO.
>
> If you set up your own automated build environment that's the same as
> what the distro uses to compile packages (like the same GCC version,
> etc.) then you can compile packages and make sure they have the same
> hash. If the hashes match you know the binary is the same. This is a
> difficult process though because you need to duplicate the setup of
> the build farm exactly.
>
> A different package manager called GNU Guix makes this easier and I've
> been keeping an eye on that - http://www.gnu.org/software/guix/
>
> That package manager seem neat.
>
> If you don't care about matching hashes with the distro, then just
> grab the source code for everything, compile, and make your own
> Trisquel ISO, potentially even recompiling any other packages from the
> repository that you may need too.
>
>
I like it. How would you with low end computers (like the one I sue now:
Celeron D) Which take a lot of time to compile but not su much to run
programs?
--
Saludos libres,
Quiliro Ordóñez
Presidente (en conjunto con el resto de socios)
Asociación de Software Libre del Ecuador - ASLE
Av de la Prensa N58-219 y Cristóbal Vaca de Castro
Quito, Ecuador
(02)-600 8579
IRC: http://webchat.freenode.net?channels=asle&uio=OT10cnVlJjEwPXRydWU3a
Todo correo que reciba será tratado como información pública, de libre copia y modificación, sin importar cualquier nota de confidencialidad.
Quiliro Ordóñez asked:
>
> I like it. How would you with low end computers (like the one I sue now:
> Celeron D) Which take a lot of time to compile but not su much to run
> programs?
This is why distros provide precompiled programs for people to use:
There's a convenience there, but I still agree with quantumgravity
that not enough people make use of the source code. I'd bet most on
these forums have not taken the time to compile the operating system
and software they use. I have to admit that even I haven't done that.
Set up a chroot on your better powered desktop and have it build the binaries for the low powered one.
Not all packages are built in deterministic ways: some will get a
different hash on each run. This makes/made Haskell packaging more
difficult, since there even ABIs are nondeterministic so after a library
is rebuilt all its dependencies needed rebuilding. There are also
trivial issues like archives containing timestamps of when they were
built.
I think the answer is that we trust distro developers and we don't know
any problems which we explain by the packages not being what would be
built from the source.
I think this answer is not very pleasant and in fact it spoils a bit my fun with free software.
There is a strong need for mechanism that provides more transparency and control for the users of precompiled free software, because very few users can build really everything from source.
Although I use GNU/Linux for many years and have a rather technical background, I just don't know how to build a whole Distro like Trisquel from source.
If someone who knows it could write a tutorial, this would be a first step towards the transparency I mentioned.
Of course it makes more sense to trust the distro developers of Trisquel than a company like microsoft or apple, but just taking packages someone has compiled for me misses the point of free software and breaks the strongest argument of control.
//edit
and it should be an easy and practical method of proving the similarity to the source code, no complicated hash thing which only works in special cases.
I believe this might be the tutorial you're looking for http://www.linuxfromscratch.org/
Haven't done it myself but could be very interesting and educational.
I was somewhat reluctant to post that link since it uses the vanilla Linux kernel with binary blobs and all. Perhaps something else too, so keep your eyes peeled for trouble and substitute freedom respecting components when needed, like Linux-libre.
Thank you! I will go through it this week
I will be all over Guix once it's stable and can build KDE4.
I don't know, I think insisting on building everything from source yourself is a bit too paranoid. In general, I don't think people lie about the source code; if they don't want you to see, they simply withhold the source code altogether. Why go through the trouble of changing the code you show people to remove malicious features when you can withhold the source code altogether to hide the malicious features? Besides, someone is probably going to find out if you do such a thing, and that would completely shatter your reputation.
I can think of one real possible concern: if a program is compiled with a nonfree compiler (e.g. a nonfree C compiler), then there's no way to be sure that the compiler itself doesn't insert malicious code (against the language standard). This would be a valid concern in my opinion on a Windows-compatible free system since Visual Studio is commonly used to compile C and C++ programs on that platform, but nonfree compilers are not usually used for Unix systems these days (I'm not even aware of any), and there isn't a very good free Windows-compatible system (ReactOS fits into that category, but it's not in a state where it's really usable).
Such a compiler could also exist in the free world - Having access to
the source code for the compiler is not a defense. See this for the
reason why:
Well, that is very interesting, but if you don't know that the compiler itself is safe from malicious features, that therefore means that nothing is truly safe. You need some trust, or you need to write your own compiler for the compiler directly in machine code (a task I imagine is not easy). How do you compile a compiler without a compiler?
@ #10 (sorry I failed to reply properly)
I think you're getting it wrong:
I don't claim, that we can't trust the distro makers, and I don't really believe that they replace some code to do harm to the users.
But this possibility exists in theory, and that's a problem, since free software wants to give back the control over the computing to the users.
For advocates of proprietary software, this possibility would be a strong counter argument.
I will read a bit through the documentation of Guix and find out how it deals with the problem.
Well, my point is that it's so unlikely for something to go wrong, it's a waste of effort, and there are plenty of ways for things to go wrong regardless. I mentioned the possibility of a nonfree compiler and jxself extended that further to any compiler which you have not yourself compiled with a compiler that you have yourself compiled and so on. To be 100% safe, you would pretty much have to go back to the stone age of computing and start doing things from scratch.
Then there's actually checking what the source code does, which I meant to mention before. Nobody checks all the source code they use; most of us depend on others to do that and make a fuss when something is wrong with it. It is simply unfeasable for everyone to analyze every source file for every program they use.
It's one thing to protect yourself, but this is just paranoia that cannot be resolved efficiently. We have to put some trust somewhere, and I don't think it's too crazy to trust that free programs do what their source code says.
Quis custodiet ipsos custodes?
It's great when authors allow the public to review their work. This step supports the community's confidence that his program is safe. If a small fraction of users look at the code once in a while, that adds to the community's confidence in the program.
I hope that's enough. It's enough for me.
If we don't trust others, and accept some division of labour, we would have less time to put toward other things. The alternative is to use a lot of time, for an abstract principle that probably isn't a problem in practice.
Free software prioritizes principle over convenience. Free software adherents are closer to the "principle" end of the spectrum --as the FSF might define "principle"-- than open source adherents, or proprietary adherents.
I am glad that we have discussions like this one. I think it's great to challenge how we do things, so that we can try to recognize our shortcomings.
quantumgravity suggests (quote below) that users would be more likely to support our abstract principle, if they could do so conveniently (easily, and quickly). I agree, and hope that capable people take up the cause.
"There is a strong need for mechanism that provides more transparency and control for the users of precompiled free software, because very few users can build really everything from source." - quantumgravity
This is still my opinion, but after thinking about the whole discussion some of my attitudes have changed:
Whenever a producer of proprietary software implements malicious features without anyone knowing it, that's just normal life! Most of them do.
But when a distro maker takes a free program and adds malicious code silently, that's almost a crime, it's really bad.
Free software will never be able to prevent us from all forms of criminal energy.
Does your notebook store implement a small gps transimitter? Very unlikely, but no free software can avoid this.
Free software can contain security lacks, too. In theory, it's possible to become a victim of malware...
So, yes, it's necessary to trust someone, whether you use free software or not. And I think it's important to minimize this amount of trust, but it's not the huge problem I thought at first.
It's convenient to trust others and accept a division of labour.
I don't always choose principle over convenience. Does that mean that I am not part of the free software community?
It's good that ideologies exist, so that we have frames of reference for talking to eachother.
But I think that ideologies are an unattractive way of appealing to people. People make exceptions to a lot of things, for practical reasons. Religion, liberalism, socialism, etc. And perhaps for their software as well.
I personally find the ideology of the GNU project very inspiring and uplifting. That's why I'm here.
El 25/04/13 10:11, name at domain escribió:
> It's convenient to trust others and accept a division of labour.
>
> I don't always choose principle over convenience. Am I not really a
> part of the free software community?
>
Your own principle or my principle? If you do not have steadfast
principles, you don't know who you are. If you have principles you
violate, they are not your principles, they are just temporary
conveniences to make you feel good.
> It's good that ideologies exist, so that we have frames of reference
> for talking to eachother.
>
Actions are the best way to talk to each other. There is no ideology
without practice. The contrary are lies.
> But I think that ideologies are an unattractive way of appealing to
> people. People make exceptions to a lot of things, for practical
> reasons. Religion, liberalism, socialism, etc. And perhaps for their
> software as well.
I do not think ideology is not practical. I think ideology is just
seeing beyond superficiality. It is always convenient and practical to
use free software. If you choose not to do it because you don't want to
make the effort now, you will pay for it in the future with money,
dependency and/or unjust conditions imposed onto you and others you pull
along with you. It is your decision to do it now or procrastinate. Of
course you can take small steps. But a small step will not install more
non-free software. A small step will always remove non-free software,
regardless of how much free software you install. Otherwise, it is big a
step backwards.
--
Saludos libres,
Quiliro Ordóñez
Presidente (en conjunto con el resto de socios)
Asociación de Software Libre del Ecuador - ASLE
Av de la Prensa N58-219 y Cristóbal Vaca de Castro
Quito, Ecuador
(02)-600 8579
IRC: http://webchat.freenode.net?channels=asle&uio=OT10cnVlJjEwPXRydWU3a
Todo correo que reciba será tratado como información pública, de libre copia y modificación, sin importar cualquier nota de confidencialidad.
Solid principles are a good thing, but you should also be aware of fanaticism.
Free software is not about founding a new religion or something like this.
El 26/04/13 05:49, name at domain escribió:
> Solid principles are a good thing, but you should also be aware of
> fanaticism.
*fanatism* (/uncountable
/)
1. excessive intolerance of opposing views
How to measure fanatism? Is it bad to be exgessively honorable?
> Free software is not about founding a new religion or something like
> this.
>
It is about freedom measured scientifically. Religion cannot be
measured. It has no scientific base.
--
Saludos libres,
Quiliro Ordóñez
Presidente (en conjunto con el resto de socios)
Asociación de Software Libre del Ecuador - ASLE
Av de la Prensa N58-219 y Cristóbal Vaca de Castro
Quito, Ecuador
(02)-600 8579
IRC: http://webchat.freenode.net?channels=asle&uio=OT10cnVlJjEwPXRydWU3a
Todo correo que reciba será tratado como información pública, de libre copia y modificación, sin importar cualquier nota de confidencialidad.
Freedom is not a scientific measurable quantity. You can recognize how many degrees of freedom a physical system has; you can measure the behaviour of a gas under certain conditions, you can measure pressure, temperature and its volume and conclude how much degrees of freedom this gas must have, but you can't measure how much "freedom is in the world" due to free software.
So you shouldn't talk about science, neither in case of religion nor in case of freedom or free software.
El 26/04/13 08:02, name at domain escribió:
> Freedom is not a scientific measurable quantity. You can recognize how
> many degrees of freedom a physical system has; you can measure the
> behaviour of a gas under certain conditions, you can measure pressure,
> temperature and its volume and conclude how much degrees of freedom
> this gas must have, but you can't measure how much "freedom is in the
> world" due to free software.
> So you shouldn't talk about science, neither in case of religion nor
> in case of freedom or free software.
>
>
I disagree. Freedom is measurable. "This software is free or is it not"
is the question. That is perfectly measurable as per the FSF.
Other aspects of freedom are also measurable. "I may move from place to
place without restriction" is either true or it isn't.
Freedom is scientifically provable. All we have to do is establish the
parameters. Religion is not scientific. It is based solely on faith
which is not provable by the scientific method.
--
Saludos libres,
Quiliro Ordóñez
Presidente (en conjunto con el resto de socios)
Asociación de Software Libre del Ecuador - ASLE
Av de la Prensa N58-219 y Cristóbal Vaca de Castro
Quito, Ecuador
(02)-600 8579
IRC: http://webchat.freenode.net?channels=asle&uio=OT10cnVlJjEwPXRydWU3a
Todo correo que reciba será tratado como información pública, de libre copia y modificación, sin importar cualquier nota de confidencialidad.
A measurement quantifies a certain object or event; it gives them a number in physical units.
In this sense, you can't quantify the freedom you have;
If this would be possible, you would have to make an action (the measurement) which gives you back a concrete number. This number would show "your freedom", but such an action does not exist.
You write the following:
"Other aspects of freedom are also measurable. "I may move from place to
place without restriction" is either true or it isn't."
And if you can go in another direction twice as far? How does your freedom increase? Does it become twice as big?
Many people discuss about which thing includes freedom and which not.
I'm not allowed to go 20 meters south, because there's the house of my neighbour. Does this restrict my freedom? I don't think so.
No measurement will show up the answer.
No science at all.
I will agree that freedom is about science if you come and show me the newest numbers of your freedom measurement.
El 30/04/13 12:47, name at domain escribió:
> A measurement quantifies a certain object or event; it gives them a
> number in physical units.
> In this sense, you can't quantify the freedom you have;
> If this would be possible, you would have to make an action (the
> measurement) which gives you back a concrete number. This number would
> show "your freedom", but such an action does not exist.
>
> You write the following:
> "Other aspects of freedom are also measurable. "I may move from place to
> place without restriction" is either true or it isn't."
>
> And if you can go in another direction twice as far? How does your
> freedom increase? Does it become twice as big?
> Many people discuss about which thing includes freedom and which not.
> I'm not allowed to go 20 meters south, because there's the house of my
> neighbour. Does this restrict my freedom? I don't think so.
> No measurement will show up the answer.
> No science at all.
>
> I will agree that freedom is about science if you come and show me the
> newest numbers of your freedom measurement.
>
>
It is relative to your specs. Free software has its specs. Human rights
by the UN United Nations: *Human Rights*
is another example. It is
absolutely measurable. They are either respected or not. That is
measurable. It is either true or false, 0 or 1. Those are phisical
units. So you can say freedom is science.
--
Saludos libres,
Quiliro Ordóñez
Presidente (en conjunto con el resto de socios)
Asociación de Software Libre del Ecuador - ASLE
Av de la Prensa N58-219 y Cristóbal Vaca de Castro
Quito, Ecuador
(02)-600 8579
IRC: http://webchat.freenode.net?channels=asle&uio=OT10cnVlJjEwPXRydWU3a
Todo correo que reciba será tratado como información pública, de libre copia y modificación, sin importar cualquier nota de confidencialidad.
I absolutely disagree.
Your measurement only works because some people gave a definition of freedom for some certain cases - very limited ones!
With this definition, you're able to count how many programs fulfil the requirements - and yes, this is kind of a measurement.
But think of beauty. Let a group of people create a definition of beauty (the nose has to be this long, the ratio of cheeks to the forehand has to be xy and so on); this would give you the ability to measure how many women fulfil this requirements.
But does this make beauty to science? No one would claim this.
The FSF provide a very useful and sensible definition of freedom concerning software; they transform something rather vague and undetermined to something we can work with.
But this does not make freedom a scientific topic, and even less in general.
Furthermore, the whole thing about freedom doesn't include finding out something, doing research.
I think when you talk about freedom being scientific, you rather mean "concrete". And in my opinion, that's only true in a very limited area.
You can say: free software is concrete.
But not: freedom is science.
I guess you have a right to your own definitions. You are playing with
semantics.
The point is that we can set a set of parameters and define something by
those terms. For me, that is science. Ergo: freedom is scientific;
religion is not. If you don't define it that way, that is OK with me.
--
Saludos libres,
Quiliro Ordóñez
Presidente (en conjunto con el resto de socios)
Asociación de Software Libre del Ecuador - ASLE
Av de la Prensa N58-219 y Cristóbal Vaca de Castro
Quito, Ecuador
(02)-600 8579
IRC: http://webchat.freenode.net?channels=asle&uio=OT10cnVlJjEwPXRydWU3a
Todo correo que reciba será tratado como información pública, de libre copia y modificación, sin importar cualquier nota de confidencialidad.
You use a peculiarly limited definition of 'science.' According to
The Dictionary (that is the Oxford English Dictionary) science is
characterised by concern with knowledge and theory. Philosophy can
properly be called a science. The four software freedoms are a work
of philosophy and therefore science.
Contrary to your requirement for measurement, botanical and
biological classifications are not based on numbers, and are most
definitely science.
If by science you mean 'based on the scientific method,' then I ask
you what is using Trisquel if it is not taking part in an experiment
on the validity of a philosophy.
OTOH it might be that the .de (or other) word you are translating
from is slightly unlike the English word and more specific. The
English word is a borrow from Spanish and Portuguese, so it's less
likely there's confusion on Quiliro's part.
"Contrary to your requirement for measurement, botanical and
biological classifications are not based on numbers, and are most
definitely science."
Since I accepted Quiliro's view of a measurement ("it is, or it is not; 0 and 1"), botanical and biological issues are of course scientific ones.
For example, a biologist defines "to be a member of the species xy, a plant has to look like ....) and then they can observe and conclude whether this plant is or is not part of the species.
What you said about philosophy etc is true; my point of view only includes natural sciences.
BUT if you include such fields like philosophy, then you can't refuse religion to be a scientific topic any longer.
Theology has the same scientific value like philosophy, and the first one deals with religion as its topic.
Perhaps we use the words in different ways due to language differences, but this does not change the inconsistency of their usage.
I was approximating just having one difference of opinion at once. :-)
Yes, Theology, the study subject, is referred to as a science in older English (C19 say) texts. However, Quirilo (Q) used the terms religion and faith in conjunction and they are not scientific by any standard definition.
Q rightly refutes your implied allegation of fanaticism, and by similarity ESR's attribution of 'zeal' in his writings. Free software is only a rational philosophy confined to one aspect of existence. If we were fanatics or zealots, we would not use buildings with heating or air conditioning, because they are typically controlled by non-free software. The same for bank accounts, public transport / plane tickets, walk / don't walk signals, the intermediary systems between us and the Trisquel servers, etc. All we are doing is applying the philosophy and using free software when it is available as we are able. Obviously we also advocate others do likewise.
IMO the allegations of zeal, fanaticism, or Linux Action Show's 'fundamentalist' are examples of the known flaws of what psychologists call Type 1 processes (of the brain). In everyday thinking people's minds match things by similarity to 'available' ideas. People who express religious views that transgress accepted norms with utter conviction are a common feature of the mainstream media. Thus expressing the conviction that comes from a rational philosophy that argues against the status quo is given a very fuzzy and bad match to something that was in the news within the last month.
On a more personal note I identify as LGBT and am old enough to have been born when it was illegal here in the UK. I've met real zeal, real fanaticism and been on the receiving end. The free software community is far from it. I wouldn't have anything to do with them if it were otherwise.
El 26/04/13 05:49, name at domain escribió:
> Solid principles are a good thing, but you should also be aware of
> fanaticism.
> Free software is not about founding a new religion or something like
> this.
>
*Fanaticism* is a belief
or behavior involving uncritical zeal
, particularly for a religious
or political
cause or in some cases sports,
So defending freedom in software cannot be fanatical because it is not
uncritical.
or with an obsessive enthusiasm for a pastime or hobby.
That is called art.
--
Saludos libres,
Quiliro Ordóñez
Presidente (en conjunto con el resto de socios)
Asociación de Software Libre del Ecuador - ASLE
Av de la Prensa N58-219 y Cristóbal Vaca de Castro
Quito, Ecuador
(02)-600 8579
IRC: http://webchat.freenode.net?channels=asle&uio=OT10cnVlJjEwPXRydWU3a
Todo correo que reciba será tratado como información pública, de libre copia y modificación, sin importar cualquier nota de confidencialidad.
I posted that I sometimes choose convenience over principle. Quiliro asked me to clarify which principles. I meant that I sometimes choose convenience over the free-software principles. Like trusting others to compile stuff for me.
"I personally find the ideology of the GNU project very inspiring and uplifting. That's why I'm here." - Lembas
I'm with you Lembas. But some people are not interested in abstract thoughts generally. Some people are not attracted to our particular abstract thoughts - our particular vision of fairness. We have been the minority for a few decades.
Quiliro posted that ideology can be practical and convenient:
"It is always convenient and practical to use free software. If you choose not to do it because you don't want to make the effort now, you will pay for it in the future with money, dependency and/or unjust conditions imposed onto you and others you pull along with you." - Quiliro
I think this approach is more likely to work with those people who are not interested in "seeing beyond the superficial" in an abstract way.
I agree that free software can be more convenient and practical in the long term.
I would not agree that free software is more convenient and practical in the short term. At least not in every case.
It's a big step to not use the proprietary software or formats that your peers use. It's often self-marginalizing. Your peers may not be interested in your explanation, and may judge you negatively for your choice.
How do you successfully explain the benefit of a long-term convenience, when challenging a short-term convenience?
The question of trusting others to compile programs is further along on the road of "principle vs convenience" questions than most people get. Many of us choose convenience on the compiling question, but would encourage others to choose "principle" on the more fundamental software decisions.
Many of us have agreed that compiling our own stuff just takes too much time. What if, for most people, choosing a free OS, or free program, is similarly daunting?
I don't think that actually self-compiling all the source necessarily follows from the free software freedom to have it. One small part of Trisquel, the kernel, passed a million lines of code years ago, so what benefit do you gain from merely compiling what you are unlikely to have read? What really matters is that because the source is available it has already been read by many independent people. Distros routinely patch software to remove security vulnerabilities that are present because the root developers mistakenly want them in. Calibre, the e-book tool, was famously a case of that until recently.
Nor is it a case of 'who keeps the keepers,' at least in proportion to the user base. Any distro with programmers using it will have people pulling the source and rebuilding the package to make the debug symbols when they are faced with new bugs they need fixing. Seemingly irrelevant differences do get noticed when this happens. Further if I have two non-hacker friends who have quit Ubuntu for good over the privacy invasion (yes, I recommended Trisquel :-), then we can assume that free market pressures will kill any distro that gets caught doing seriously counter freedom things like shipping compromised free software binaries that don't match their source repo.
Moving from the big two proprietary o/ses to GNU/Linux involves learning both new applications and differences in the desktop. It's a mistake to think of that effort as an inconvenience, it is simply a necessary part of change. Better one makes the change now, rather than spend effort, say, learning the changes in W$8 which doesn't improve ones freedom. Similarly changing to open data formats now, which improves your freedom and brings a host of practical benefits is better than hanging on to proprietary formats when the practical difference is no worse than the next .doc to .docx et. al. equivalent change. In short all you're doing is changing the timing and you're sacrificing your freedom for this meagre benefit.
As to self marginalizing, with your name and no idea of geography I can't advise you. The fact that I live in a town that is 30% Muslim doesn't help. British Muslim culture is a thing of its own and Western ideas about individuality influenced the mix.
- Inicie sesión ou rexístrese para enviar comentarios