Free software foundations problems

s1lv3r
Offline
Joined: 10/29/2017

Hi everyone,
I wanted to talk about the FSF's problems. This is my point of view, and I wanted to know what you guys think about this topic.
I know that the FSF is a non-profit, but the way they act makes no sense to me.
Here is an example: https://www.gnu.org/distros/free-distros.en.html. This is the FSF's recommended GNU/Linux distros page; many distros here are dead or about to be (with the exception of Parabola and PureOS).
That page is probably the most important one on the GNU website, for obvious reasons, and it is not hard work to update that page, but it's like the FSF couldn't care less.
Imagine you are a guy without computer skills; you hear about free software and the FSF and you want to give it a try. You go to the GNU website and choose to download one of the recommended distros there, only to find out that the project is either dead or not updated. You probably go back to Windows and think free software is a joke.
I know that on that page it is written that the FSF is not responsible for other web sites, or for how up-to-date their information is, but still, these are the best distros for them, and some are far from the best...
This is only bad for the FSF.
Another example, let's talk about Trisquel. I love Trisquel, and I know that it is developed by volunteers, but still, the last release is Trisquel 7 (2014), and I know that Trisquel 8 will be released soon, but 4 years?
This leads to the next point. I found this info on this forum: the FSF hired Ruben (the main Trisquel developer) to work for them, and only recently Ruben started to work full time on Trisquel again.
This is really a bad move by them; what are they thinking?
They should instead hire Ruben to work full time on Trisquel.
Trisquel is the most used and user-friendly FSF-endorsed distro, and they leave the project without a new release?
One of the best FSF-endorsed distros left to die?
What do you guys think?
This post is my opinion; it is not a troll post. If you don't agree, feel free to post why, but please no flame.
As always, sorry for my bad English.
s1lv3r

ADFENO
Offline
Joined: 12/31/2012

> https://www.gnu.org/distros/free-distros.en.html, this is the fsf
> recomended gnu/linux distros page, many distro here are dead or about
> to be(for the exception of parabola and pureOS)

Trisquel, Dyne:bolic, Ututo, and so on are not dead ([1]).

[1] http://lists.nongnu.org/archive/html/gnu-linux-libre/2018-01/msg00002.html. See the entire thread for proofs and discussion on improvements to the page you mentioned. The discussion is still going.

--
- https://libreplanet.org/wiki/User:Adfeno
- Speaker and consultant on free (libre) /software/ (not to be confused with gratis).
- "WhatsApp"? It isn't free. Please see the ways to contact me instantly at the address below.
- Contact: https://libreplanet.org/wiki/User:Adfeno#vCard
- Common files accepted (only without DRM): Corel Draw, Microsoft Office, MP3, MP4, WMA, WMV.
- Common files accepted and sent: CSV, GNU Dia, GNU Emacs Org, GNU GIMP, Inkscape SVG, JPG, LibreOffice (ODF standard), OGG, OPUS, PDF (only without DRM), PNG, TXT, WEBM.

s1lv3r
Offline
Joined: 10/29/2017

Thanks for your answer, adfeno. The thread you posted is really interesting.

ADFENO
Offline
Joined: 12/31/2012

> Thanks for your answer, adfeno. The thread you posted is really interesting.

You're welcome! ;)

quantumgravity
Offline
Joined: 04/22/2013

You're making some valid points.
I don't think that the FSF should really "exclude" any of those distros or label one as the "best" or "most recommended" one, but they definitely should make more categories and should put the ones that target the broadest audience on top. "Dragora" for instance should be listed, but not as prominently as Trisquel.
Also, it would be good to have a "most actively developed distros" list, excluding ones with little development progress.

s1lv3r
Offline
Joined: 10/29/2017

I totally agree with you. A "most actively developed distros" list would be awesome, and maybe add Uruk and Hyperbola.

CalmStorm

I am a member!

Offline
Joined: 12/31/2014

Yes... this.

Hyperbola deserves to be on that list.

It's like Parabola but with stability and security. :)

heyjoe
Offline
Joined: 01/09/2018

I admire the passion you have for this distro :) I am definitely going to give it a try when I have time.

CalmStorm

I am a member!

Offline
Joined: 12/31/2014

I have distro-hopped between Devuan, Parabola and Trisquel a lot more than a few times.

But I finally found what I was looking for in Hyperbola. One of the reasons being the quick updates feature. Another being that the packages are updated way more often than in Devuan. And the last being, it's all free software, man!

Not to mention that I am not fond of systemd... some people aren't. I am one of them.

Plus the hardened packages are the cherry on top!

:)

If you need help accessing wifi after you boot into a DM such as LXDM, there is an easy way: nmtui! At least in Hyperbola, anyway.

But let me tell you something: if you have a Libreboot laptop, and are patient enough to do this all at a reasonable pace, FDE!

If not, and you know how to do encrypted /home and root,

then by all means, do so.

But in my opinion, it's easy to install following the instructions as long as you don't want encryption. Although Calamares is in the works...

But yeah, till that is done, I highly recommend being patient with an encrypted install. Their Libreboot FDE install is working nicely, but anything in between may be a little bit harder.

Just my two cents for ya...

heyjoe
Offline
Joined: 01/09/2018

> the quick updates feature

That is not necessarily a good thing. I would rather say it may be risky (not tested well enough).

> Plus the hardened packages are the cherry on top!

What are these?

> if you have a libreboot laptop

I don't and I am not planning one for the moment. I just don't see why I should buy yet another buggy (and low performance) CPU.

> Just my two cents for ya...

Thanks. My 2 cents on less popular distros would be the community support. I have been using SUSE (now openSUSE) for many years and I really like it. 10+ years ago I also used Red Hat for a while, tried Debian (and couldn't stick to it, looked too difficult at that time). What I like about SUSE is not only the ease of use and stability but also the great community support and the speed at which bugs are handled. Yesterday for example I found a critical bug in the latest NVIDIA driver and reported it. A few hours later people have been finding (and perhaps already found) ways to fix it. Also when more people are using/testing something that makes it better verified. I am not sure if exotic distros can offer anything like that - that's my main concern with them.

GrevenGull
Offline
Joined: 12/18/2017

What's SUSE/openSUSE? An OS?

heyjoe
Offline
Joined: 01/09/2018

https://www.opensuse.org/

One of the most popular distros.

GrevenGull
Offline
Joined: 12/18/2017

Is it free? It isn't on FSF's list?

ADFENO
Offline
Joined: 12/31/2012

> Is it free? It isn't on FSF's list?

It's not free/libre ([1]), I would suggest that people around here stop
recommending this distro otherwise people might as well start using the
post downvoting system.

[1] https://www.gnu.org/distros/common-distros.html#openSUSE .

heyjoe
Offline
Joined: 01/09/2018

> It's not free/libre ([1]),

It is free unless you explicitly add the non-OSS repos.

> I would suggest that people around here stop recommending this distro

Where exactly did you read "I recommend"?

> otherwise people might as well start using the post downvoting system.

Perhaps it would be a better idea for people here to start reading more carefully and stop thinking in binary (free/non-free), because technology and everything around it is much more complicated than the recommendations and the stickers of organization X.

akito
Offline
Joined: 05/10/2017

> It is free unless you explicitly add the non-OSS repos.

I agree with you, but still it is not 100% ensured free/libre; at any time they may include non-free..

> Where exactly did you read "I recommend"?

It may be because of the sentence: "One of the most popular distros."

> Perhaps it would be a better idea people here to start reading more carefully and stop thinking in binary (free/non-free) because technology and everything around it is much more complicated than the recommendation and the stickers of organization X.

Are you referring to hardware vulnerabilities? (Meltdown/Spectre, Intel, proprietary hardware, the other line of the wire, etc. etc.)
FSF-endorsed free/libre operating systems (software) still ensure that we will have privacy and security, but in the end it depends on your threat model.

Abdullah Ramazanoglu
Offline
Joined: 12/15/2016

> FSF endorsed free/libre operating systems (softwares) still ensures that we will have privacy and security

FSF endorsement is more about the ethical stance of a distro than its security and privacy. Of course, being ethically correct entails the latter ones, but it's not a sine qua non.

For instance, default Debian is found to be ethically incorrect by the FSF, while it doesn't necessarily mean default Debian is less secure than the endorsed distributions.

mason

I am a member!

Offline
Joined: 07/07/2017

> It is free unless you explicitly add the non-OSS repos.

If this page

https://en.wikipedia.org/wiki/Comparison_of_Linux_distributions

is accurate then the kernel also has binary blobs, which do not respect freedoms 1 and 3. Whether or not you consider that to be a problem is your decision. I don't want an argument, just to provide this information in case it is useful to you.

If you do wish to install the linux-libre kernel used by Debian and the FSF-endorsed distros, this page

https://www.fsfla.org/ikiwiki/selibre/linux-libre/freed-ora.en.html

may help, if I understand correctly that openSUSE is RPM-based.

Peace.

heyjoe
Offline
Joined: 01/09/2018

This page:

https://www.fsf.org/working-together/gang/icecat

says

"If you're looking to surf the web at speed, but with a concern for your privacy and safety at the same time, look no further than GNU Icecat."

but IceCat has privacy issues (demonstrated by me personally).

In any case I am using the NVIDIA proprietary video driver anyway, so it is inevitable to have binary blobs. (For the next person who would tell me not to recommend it: I am not recommending anything, it is just what I need to do, otherwise my video card works 10x slower with nouveau and I can't do my work.)

quantumgravity
Offline
Joined: 04/22/2013

Why are you talking about icecat now? Can't you see that this has zero relevance in the current discussion?

heyjoe
Offline
Joined: 01/09/2018

Because people here obviously respect the authority of an organization which recommends things which are not quite factual and IceCat is one of them (for the moment, until it gets fixed). The point is: just reading recommendations does not equal testing or even less - understanding. That has relevance to all discussions.

SuperTramp83

I am a translator!

Offline
Joined: 10/31/2014

> openSUSE offers a repository of nonfree software.
> It is free unless you explicitly add the non-OSS repos.

So, if I understand it correctly this non-free repository is disabled by default? That's to say, a user that installs opensuse will only have free software and they need to manually edit a file in order to add the non-free repository?

heyjoe
Offline
Joined: 01/09/2018

I can't recall for sure because the last time I installed openSUSE from scratch was years ago. Since then I am only upgrading it to newer versions. But during initial setup you can choose what you install - package by package. And you can select repos from which you install.

https://en.opensuse.org/Package_repositories

The "OSS" and "Update" repos are the ones from which the main installation (base system) comes, so this is what is surely enabled by default.

"Non-OSS" repo contains only 34 packages. 2 of them (patterns-openSUSE-non_oss and patterns-openSUSE-non_oss_opt) are just text files:

/etc/products.d
/etc/products.d/openSUSE-Addon-NonOss.prod
/usr/share/doc/packages/openSUSE-Addon-NonOss-release-addon-nonoss
/usr/share/doc/packages/openSUSE-Addon-NonOss-release-addon-nonoss/README

From that repo I have installed only 2 packages:

AdobeICCProfiles: which is just a bunch of ICC profiles; surely that won't invite the NSA into your computer.

unrar: because I need a way to extract rar files when clients send me such. If there is a free alternative to it, I would use it but so far I haven't found one.

The "Non-OSS Update" repo lists only 1 package (opera) and it is not installed (and not in the list of recommended packages in YaST).

"Packman" contains a mix of free and non-free software. It is NOT part of the official repo list, i.e. you must add it manually and explicitly. I have done that and I am using only packages with free licenses (FSF's license list).

As for the kernel, the following packages come from the "OSS" repo:

kernel-default: GPL-2.0
kernel-default-devel: GPL-2.0
kernel-devel: GPL-2.0
kernel-firmware: SUSE-Firmware and GPL-2.0 and GPL-2.0+ and MIT
kernel-macros: GPL-2.0

I also have ucode-intel (License: SUSE-Firmware) which is perhaps the thing which most people are concerned about (blobs for CPU microcode which you have in your CPU regardless of OS). It is from the "OSS update" repo (I don't know why).

Again: I am not recommending anything. Just sharing what is.

(attachment: opensuse-non-oss.png)

Abdullah Ramazanoglu
Offline
Joined: 12/15/2016

> unrar: because I need a way to extract rar files when clients send me such. If there is a free alternative to it, I would use it but so far I haven't found one.

Relevant FOSS packages in Debian:

Package: unrar-free
Description-en: Unarchiver for .rar files
Unrar can extract files from .rar archives. Can't handle some archives in the RAR 3.0 format natively. Package "unar" can be used to extract those archives if installed.

Package: unar
Description-en: Unarchiver for a variety of file formats
The Unarchiver is an archive unpacker program with support for the popular zip, RAR, 7z, tar, gzip, bzip2, LZMA, XZ, CAB, MSI, NSIS, EXE, ISO, BIN, and split file formats, as well as the old Stuffit, Stuffit X, DiskDouble, Compact Pro, Packit, cpio, compress (.Z), ARJ, ARC, PAK, ACE, ZOO, LZH, ADF, DMS, LZX, PowerPacker, LBR, Squeeze, Crunch, and other old formats.
.
This package contains the lsar tool which lists the contents of archives and the unar tool which extracts those contents.

heyjoe
Offline
Joined: 01/09/2018

Thanks!

I guess unar is what I need (I see it in openSUSE's OSS repo too).

quantumgravity
Offline
Joined: 04/22/2013

> So, if I understand it correctly this non-free repository is disabled by default?

I highly doubt it. Look at this article:
https://www.cio.com/article/3003865/open-source-tools/8-things-to-do-after-installing-opensuse-leap-421.html

It lists "eight things to do after installing openSUSE" and it recommends installing Chrome and stuff, but it nowhere talks about enabling the nonfree repo. I'm pretty sure this kind of article would have recommended enabling nonfree right away at the beginning.
So I guess it is already enabled by default and therefore should not be recommended here.

heyjoe
Offline
Joined: 01/09/2018

That article is not by openSUSE so what it lists and recommends is someone's personal preference (including adding Google Chrome from external Google's repos etc).

> So I guess it is already be enabled by default and therefore should not be recommended here.

I already explained everything I know about the repos. Nobody is recommending you anything.

loldier
Offline
Joined: 02/17/2016

S.u.S.E, SUSE -- one of the oldest still maintained distros. There are two variants: SUSE Linux Enterprise and OpenSUSE. The Enterprise version is a paid, commercial distribution in the same vein as Red Hat. SUSE's logo has a green Gecko lizard.

It originated in Germany in 1994.

CalmStorm

I am a member!

Offline
Joined: 12/31/2014

I have very few if any problems once I have it all installed.

The hardened packages include a network manager, an Iceweasel and Icedove hardener, and the Linux kernel itself is hardened by default.

These basically increase security.

My Libreboot laptop works fine for me. I have an X200 with a P8600. It is almost as fast as my ThinkPenguin Korora penguin with a 4th gen processor, which sadly has Intel ME still embedded into it... ;(

By the way, they use stretch as the base for stable and buster for testing.

They have no unstable or experimental which is why they get updates done quicker.

If Debian is difficult, I do not recommend switching to Hyperbola yet. Once you figure out Debian or Devuan, then it's worthwhile. :)

heyjoe
Offline
Joined: 01/09/2018

But what do you mean by "harden"? Give specific examples please, so that I know what is "softened" and "hardened" in your mind.

> stretch as the base for stable and Buster for testing.

What is 'stretch' and 'Buster'?

CalmStorm

I am a member!

Offline
Joined: 12/31/2014

By harden I mean an increase in security/privacy. That's all I really know.

Of course I also double the protection by using firetools. :)

Most likely though, it's some form of sandboxing. ;)

Hyperbola is a stable Arch that uses Debian packages for stability and security.

Debian has buster aka testing, and stretch aka stable.

That's my best answer for ya.

heyjoe
Offline
Joined: 01/09/2018

> By harden I mean an increase in security/privacy. That's all I really know.

:) That's pretty vague. Brave is supposed to be a hardened Chromium, but it leaks network packets in the background like crazy (much more than Chromium). Waterfox is also supposed to be a hardened Firefox, but it is really the same. And so on.

SuperTramp83

I am a translator!

Offline
Joined: 10/31/2014

> Waterfox is also supposed to be a hardened Firefox but it is really the same.

Not really, it's supposed to be a snappier Firefox, if anything.

heyjoe
Offline
Joined: 01/09/2018

https://www.waterfoxproject.org/#develop

Perhaps you haven't read what it advertises.

CalmStorm

I am a member!

Offline
Joined: 12/31/2014

Well, if you want more info you can always ask the hyperbola devs more about it, particularly, emulatorman.

By the way, Waterfox has some issues now, but yeah,

Brave, on the other hand, has many more... I wouldn't trust A: Brave, and B: anything based off of Chromium... Even Iridium, the fully free version... unless they somehow can support Firefox addons...

NoScript really does make huge waves for Firefox in the way of security/privacy.

PS, the Linux-libre LTS kernel itself is hardened for Hyperbola by default.

heyjoe
Offline
Joined: 01/09/2018

> anything based off of chromium

Why?

> ps, the linux libre lts kernel itself is hardened for hyperbola by default.

Still that means nothing without exact description.

CalmStorm

I am a member!

Offline
Joined: 12/31/2014

Chromium dials back to Google very frequently. Although if a Chromium-based browser had something similar to a NoScript feature built in + no anti-features of any kind, it would be extremely secure, I am sure.

As for the kernel being hardened for hyperbola, I don't know enough to give you feedback so, sorry fella... ;)

heyjoe
Offline
Joined: 01/09/2018

> Chromium dials back to google very frequently.

Not if you have configured it properly. I don't know what you mean by "dials back". The only case when it communicates to a third party host is when opening chrome://settings in which case it sends a single request to translate.google.com to check which languages are available. I have already filed a bug report about that and it is being considered.

> Although if a chromium based browser had something similar to a noscript feature built in

In chromium you can disable/enable JS per-site without additional extensions.

> + no anti-features of any kind it would be extremely secure I am sure.

What anti-features are you referring to?

(attachment: js-disabled.png)

CalmStorm

I am a member!

Offline
Joined: 12/31/2014

So there is a function within Chromium like NoScript?

Interesting...

And by "dials back" I mean it reports back to Google.

If you know something I don't though, feel free. I haven't used Chromium too much... to be honest.

Though if I used anything, it would be Iridium, the Chromium-based browser...

It's completely free software.

PS, look at LibrePlanet's reasons why Chromium is not to be trusted before you respond, okay?

heyjoe
Offline
Joined: 01/09/2018

> If you know something I don't though, feel free. I haven't used chromium too much... to be honest.

Then you should not assume what others say/recommend but test for yourself. I have tested and I have found that out of the box both Chromium and Firefox-based browsers contact third party hosts. Firefox is actually much more "evil" in that sense because it has telemetry enabled by default + it creates connections not only to Mozilla but also to Amazon, Akamai, OCSP etc. Additionally it is not trivial to configure it in a way to stop that. (it needs a lot of customizations, advanced user stuff). Chromium out of the box connects only to Google and it is fairly easy to stop that. There is enough info about it in the web browsers thread. In particular this is my report about its privacy issues, with full details:

https://bugs.chromium.org/p/chromium/issues/detail?id=795526

So you can configure it so that it does not contact anyone. And until this "bug" is fixed you can also set translate.google.com to point to 127.0.0.1 in your hosts file, and you can be sure there are no connections to other hosts which you don't explicitly initiate yourself.

> ps, look at libreplanet's reasons why chromium is not to be trusted. Before you respond okay?

Have they done the tests which I did? If yes - where are their results and reports? Or are they merely comparing license terms to recommended license terms? They write:

> Problem: (1) Copyright or license of some code is unclear
> (2) Links to proprietary plugins.

Which code?

https://src.chromium.org/viewvc/chrome/trunk/src/LICENSE?revision=HEAD&view=markup

Unclear to who? Some lawyer? Seems pretty clear to me. Do you really want a lawyer to tell you what software to use? Or a layman who fails to understand legal terms?

They also link to some bug report from 2009 which I haven't read in full detail but skimming through it looks like mainly a concern about some automatic license checker script failing to verify things correctly. And note: the bug report was opened by a project member with email address @chromium.org which is a positive signal (at least to me).

As a comparison: Is Mozilla's "privacy policy" better?

https://trisquel.info/files/firefox-privacy-policy-2.png

+ the way they react to the bug reports about the privacy issues (they close them).

Libreplanet also writes:

> Recommended Fix: Remove program/package
> Use GNU IceCat, or equivalent

IceCat also has all the issues which Firefox has as it is the same code base. As discussed in the web browsers thread it is really just a rebranded Firefox with some customized prefs (more tightened) and relies on extensions (but not the best ones) to enhance privacy:

https://trisquel.info/en/forum/web-browser?page=4#comment-127390

So it is not an entirely different program which is specifically made to respect your privacy. It is rather a patched problematic program.

As I said: you should not trust words (including mine) but look and test for yourself. And btw as a side note: anyone who thinks he can hide from Google completely must be quite naive. They own too many domains and too many sites use their hosted libraries, APIs etc.
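The post's advice to test for yourself rather than trust recommendations can be turned into a small check. The script below is an added example, not code from the thread or from any browser project: it reads DNS queries in tcpdump's text format (the sample lines are constructed, not a real capture), lists the hosts a browser looked up that the user never visited, and prints the loopback hosts-file lines the post mentions as a stop-gap. The allowlist and host names are assumptions for the demo.

```python
"""Report which hosts a browser looked up without the user asking for them.

Input is tcpdump -n text output containing DNS queries; the sample below is
constructed for this example (one fresh session where only example.org was
opened on purpose).  Hosts outside the allowlist are reported, and a hosts-file
stanza sinking them to 127.0.0.1 is generated, as described in the post above.
"""
import re
from collections import Counter

# Constructed sample capture (not real traffic). tcpdump prints queried names
# with a trailing dot; answer lines carry no "?" and are ignored.
SAMPLE_TCPDUMP = """\
12:00:01.100231 IP 192.168.1.10.51234 > 192.168.1.1.53: 10001+ A? example.org. (29)
12:00:01.100900 IP 192.168.1.10.51234 > 192.168.1.1.53: 10002+ AAAA? example.org. (29)
12:00:02.334112 IP 192.168.1.10.51235 > 192.168.1.1.53: 10003+ A? translate.google.com. (38)
12:00:02.334500 IP 192.168.1.1.53 > 192.168.1.10.51235: 10003 1/0/0 A 142.250.0.1 (54)
12:00:05.771004 IP 192.168.1.10.51236 > 192.168.1.1.53: 10004+ A? ocsp.example-ca.invalid. (41)
12:00:05.772110 IP 192.168.1.10.51237 > 192.168.1.1.53: 10005+ A? translate.google.com. (38)
"""

# Matches the query part of a tcpdump DNS line: "<id>+ A? host. (len)".
QUERY_RE = re.compile(r"\b(?:A|AAAA)\?\s+([A-Za-z0-9.-]+)\.\s+\(\d+\)")


def queried_hosts(tcpdump_text):
    """Return a Counter of hostnames queried (A and AAAA lookups only)."""
    counts = Counter()
    for line in tcpdump_text.splitlines():
        match = QUERY_RE.search(line)
        if match:
            counts[match.group(1).lower()] += 1
    return counts


def unexpected_hosts(tcpdump_text, allowlist):
    """Hosts queried that the user did not explicitly visit.

    allowlist entries match the exact name or any subdomain of it, so visiting
    example.org also covers www.example.org.
    """
    allowed = {h.lower() for h in allowlist}

    def is_allowed(host):
        return any(host == a or host.endswith("." + a) for a in allowed)

    return {h: n for h, n in queried_hosts(tcpdump_text).items() if not is_allowed(h)}


def hosts_file_block(hosts):
    """Render /etc/hosts lines that sink the given hosts to the loopback address."""
    return "\n".join(f"127.0.0.1 {h}" for h in sorted(hosts))


if __name__ == "__main__":
    background = unexpected_hosts(SAMPLE_TCPDUMP, ["example.org"])
    for host, n in sorted(background.items()):
        print(f"{host}: {n} DNS queries not initiated by the user")
    print(hosts_file_block(background))
```

A capture with no unexpected lookups only shows what happened during that session, not what the browser may do later, which is the caveat raised further down the thread.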

Magic Banana

I am a member!

Offline
Joined: 07/24/2010

> Unclear to who? Some lawyer? Seems pretty clear to me. Do you really want a lawyer to tell you what software to use? Or a layman who fails to understand legal terms?

I really want the lawyer. The layman may be somebody who believes he understands everything after looking at one single license file. It is not that easy. Opening the "third_party" directory (and, no, I am not saying there is no issue outside "third_party", I have not checked), one can read that https://chromium.googlesource.com/chromium/src/+/master/third_party/README.chromium includes this sentence:

> Code in third_party must document the license under which the source is being used.

Taking a look at the subdirectories of "third_party", I noticed "unrar", which I believed was proprietary. And, indeed, https://chromium.googlesource.com/chromium/src/+/master/third_party/unrar/LICENSE says, among other things:

> 2. UnRAR source code may be used in any software to handle
> RAR archives without limitations free of charge, but cannot be
> used to develop RAR (WinRAR) compatible archiver and to
> re-create RAR compression algorithm, which is proprietary.

I also clicked on the "analytics" subdirectory because I found it interesting that Google Analytics is part of Chromium. There, the main file contains obfuscated JavaScript (which does not qualify as "source code"): https://chromium.googlesource.com/chromium/src/+/master/third_party/analytics/google-analytics-bundle.js

There is a license notice in the middle of that obfuscated JavaScript:

> Portions of this code are from MochiKit, received by
> The Closure Authors under the MIT license. All other code is Copyright
> 2005-2009 The Closure Authors. All Rights Reserved.

What portions? Which MIT license (there are two)? Does "All Rights Reserved" for "the Closure Authors" mean the default (proprietary) copyright?

Clicking on the issues in the "Blocked on" list on the left of https://bugs.chromium.org/p/chromium/issues/detail?id=28291 (which was already pointed out to you several times), one sees that Chromium's source code actually includes hundreds of files with unclear licensing.

Finding out the license of the whole program must be fun too. There are components distributed under the terms of the GPLv2: https://chromium.googlesource.com/chromium/src/+/master/third_party/jmake/LICENSE and https://chromium.googlesource.com/chromium/src/+/master/third_party/lcov/COPYING and https://chromium.googlesource.com/chromium/src/+/master/third_party/logilab/README.chromium (with the license file mentioned in that README that is actually missing) and https://chromium.googlesource.com/chromium/src/+/master/third_party/pylint/pylint/LICENSE.txt and https://chromium.googlesource.com/chromium/src/+/master/third_party/speech-dispatcher/COPYING and ...

That suggests (but I may be wrong: they may all be the source codes for separate binaries) the whole program is under the GPLv2. It is not what the Chromium developers say, however. And there are other components with licenses that are incompatible with the GPLv2, e.g., the Apple Public Source License version 2: https://chromium.googlesource.com/chromium/src/+/master/third_party/apple_apsl/LICENSE

About the incompatibility: https://www.gnu.org/philosophy/apsl.html
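The README.chromium rule quoted above, that every third_party component must document its license, is something one can check mechanically. The script below is an added example, not Chromium's own tooling: it audits a constructed third_party-style tree built in a temporary directory, with four components modelled on the cases in the post (a GPLv2 component, one whose README names a missing license file, UnRAR's restrictive license, and an obfuscated bundle with no license file at all). The README.chromium field names "License:" and "License File:" and the restrictive-phrase heuristic are assumptions for the demo.

```python
"""Audit a third_party/-style tree for missing or undocumented licenses.

Added example (not Chromium's tooling).  Each component directory is expected
to carry a README.chromium with "License:" / "License File:" fields (assumed
format) and a license file; components are classified as documented,
missing-license-file, undocumented, or restrictive (crude phrase heuristic).
"""
import os
import re
import tempfile

LICENSE_FILENAMES = ("LICENSE", "LICENSE.txt", "COPYING")
# Phrases taken from the UnRAR license quoted in the thread; a license file
# containing them is flagged for human review, nothing more.
RESTRICTIVE_PHRASES = ("cannot be used", "which is proprietary")


def read_readme_fields(path):
    """Parse 'Key: value' lines from a README.chromium file into a dict."""
    fields = {}
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            match = re.match(r"^([A-Za-z ]+):\s*(.*)$", line.strip())
            if match:
                fields[match.group(1).strip()] = match.group(2).strip()
    return fields


def audit_component(component_dir):
    """Return (status, detail) for one component directory."""
    entries = set(os.listdir(component_dir))
    readme = os.path.join(component_dir, "README.chromium")
    fields = read_readme_fields(readme) if "README.chromium" in entries else {}

    # The license file is either named in README.chromium or has a conventional name.
    candidates = [fields["License File"]] if fields.get("License File") else []
    candidates.extend(LICENSE_FILENAMES)
    license_path = next(
        (os.path.join(component_dir, c) for c in candidates if c in entries), None
    )

    if license_path is None:
        if fields.get("License File"):
            return "missing-license-file", f"README names {fields['License File']} but it is absent"
        return "undocumented", "no license file found and README.chromium does not name one"

    with open(license_path, encoding="utf-8", errors="replace") as fh:
        text = fh.read().lower()
    hits = [p for p in RESTRICTIVE_PHRASES if p in text]
    if hits:
        return "restrictive", f"{os.path.basename(license_path)} contains: {', '.join(hits)}"
    return "documented", fields.get("License", os.path.basename(license_path))


def audit_tree(third_party_dir):
    """Audit every subdirectory; returns {name: (status, detail)}."""
    return {
        name: audit_component(os.path.join(third_party_dir, name))
        for name in sorted(os.listdir(third_party_dir))
        if os.path.isdir(os.path.join(third_party_dir, name))
    }


def build_constructed_tree(root):
    """Write a constructed sample tree mirroring the cases discussed in the thread."""
    def write(rel, content):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)

    write("jmake/README.chromium", "Name: jmake\nLicense: GPL-2.0\nLicense File: LICENSE\n")
    write("jmake/LICENSE", "GNU GENERAL PUBLIC LICENSE Version 2, June 1991\n")
    write("unrar/LICENSE", "UnRAR source code may be used ... but cannot be used to develop "
          "RAR compatible archiver ... which is proprietary.\n")
    write("logilab/README.chromium", "Name: logilab\nLicense: GPL-2.0\nLicense File: COPYING\n")
    write("analytics/google-analytics-bundle.js",
          "(function(){var a=1;/* All other code is Copyright The Closure Authors. "
          "All Rights Reserved. */})();\n")


def run_demo():
    """Build the constructed tree and return {component: status}."""
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_tree(tmp)
        return {name: status for name, (status, _) in audit_tree(tmp).items()}


if __name__ == "__main__":
    for name, status in run_demo().items():
        print(f"{name:12s} {status}")
```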

heyjoe
Offline
Joined: 01/09/2018

> I really want the lawyer.

I don't. I hope I will never need one.

> I also clicked on the "analytics" subdirectory because I found it interesting that Google Analytics is part of Chromium.

I don't think it is not part of the browser (is it?). As the README says:

"The third_party directory contains sources from other projects."

Chromium does not connect to Google Analytics (otherwise we should have seen it in tcpdump) and cannot open rar files.

Re. licenses: I agree with you, it is not 100% clear. Ideally everything should be free as per FSF's terms, audited by many people, trustworthy and privacy respecting (like the kernel). But when you have a huge project which contains a mix of things perhaps it is not very simple to unify licenses (another reason to hate lawyers). Is the situation with Firefox any different? I have some memory that it was noted in previous threads that it also has similar problems. (+ we have clear factual evidence of Mozilla's attitude about certain concerns).

Personally I am still using Chromium (and Gmail) and looking for alternatives. Although I have a user.js file about Firefox which tightens it quite a lot, I am still hesitant to switch to Firefox (or IceCat) because that would mean having to check for new leaks on each version update. And I honestly lost any trust in Mozilla. OTOH the wonderful extensions uBO and uMatrix are not available for non popular browsers. It is a real mess.

Magic Banana

I am a member!

Offline
Joined: 07/24/2010

> I don't think it is not part of the browser (is it?).

They are like embedded dependencies. "third_party" contains 3,726,248 lines of code, according to 'sloccount'. They are not included for nothing.

https://chromium.googlesource.com/chromium/src/+/master/ui/webui/resources/js/analytics.js only aims to make it easier to include google-analytics-bundle.js ... and that script is itself included by https://chromium.googlesource.com/chromium/src/+/master/ui/file_manager/file_manager_resources.grd among "common scripts" or by https://chromium.googlesource.com/chromium/src/+/master/ui/webui/resources/webui_resources.grd

Excluding "third_party/analytics/", there are 44 files that reference (usually load) one of those four files:

$ grep --exclude-dir=third_party/analytics -e google-analytics-bundle.js -e analytics.js -e file_manager_resources.grd -e webui_resources.grd -lR .
./android_webview/BUILD.gn
./chrome/browser/resources/chromeos/echo/manifest.json
./chrome/common/extensions/docs/templates/articles/analytics.html
./chrome/common/extensions/docs/templates/private/site.html
./chrome/test/data/chromeproxy/extension/_metadata/computed_hashes.json
./chrome/test/data/chromeproxy/extension/detailed_data_usage.html
./chrome/test/data/chromeproxy/extension/popup.html
./chrome/test/data/extensions/network_delay/pjohnlkdpdolplmenneanegndccmdlpc/1.0/analytics.js
./chrome/test/data/extensions/network_delay/pjohnlkdpdolplmenneanegndccmdlpc/1.0/background.html
./components/domain_reliability/baked_in_configs/google-analytics_com.json
./components/test/data/autofill/heuristics/input/115_checkout_walgreens.com.html
./components/test/data/autofill/heuristics/input/116_cc_checkout_walgreens.com.html
./components/test/data/autofill/heuristics/input/147_panera.custhelp.com_app_ask.html
./components/test/data/dom_distiller/core_features.json
./third_party/WebKit/PerformanceTests/Speedometer/resources/todomvc/architecture-examples/angularjs/node_modules/todomvc-common/base.js
./third_party/WebKit/PerformanceTests/Speedometer/resources/todomvc/architecture-examples/backbone/node_modules/todomvc-common/base.js
./third_party/WebKit/PerformanceTests/Speedometer/resources/todomvc/architecture-examples/inferno/node_modules/todomvc-common/base.js
./third_party/WebKit/PerformanceTests/Speedometer/resources/todomvc/architecture-examples/jquery/node_modules/todomvc-common/base.js
./third_party/WebKit/PerformanceTests/Speedometer/resources/todomvc/architecture-examples/preact/dist/todomvc-common/base.js
./third_party/WebKit/PerformanceTests/Speedometer/resources/todomvc/architecture-examples/react/node_modules/todomvc-common/base.js
./third_party/WebKit/PerformanceTests/Speedometer/resources/todomvc/dependency-examples/flight/flight/node_modules/todomvc-common/base.js
./third_party/WebKit/PerformanceTests/Speedometer/resources/todomvc/functional-prog-examples/elm/node_modules/todomvc-common/base.js
./third_party/WebKit/PerformanceTests/Speedometer/resources/todomvc/vanilla-examples/es2015/node_modules/todomvc-common/base.js
./third_party/WebKit/PerformanceTests/Speedometer/resources/todomvc/vanilla-examples/vanillajs/node_modules/todomvc-common/base.js
./tools/check_grd_for_unused_strings.py
./tools/gritsettings/resource_ids
./ui/file_manager/BUILD.gn
./ui/file_manager/audio_player/manifest.json
./ui/file_manager/file_manager/background/js/import_history_unittest.html
./ui/file_manager/file_manager/background/js/media_import_handler_unittest.html
./ui/file_manager/file_manager/common/js/error_util.js
./ui/file_manager/file_manager/common/js/metrics_unittest.html
./ui/file_manager/file_manager/foreground/js/import_controller_unittest.html
./ui/file_manager/file_manager/foreground/js/main_scripts.js
./ui/file_manager/file_manager/manifest.json
./ui/file_manager/file_manager_resources.grd
./ui/file_manager/gallery/manifest.json
./ui/file_manager/image_loader/manifest.json
./ui/file_manager/video_player/manifest.json
./ui/resources/BUILD.gn
./ui/webui/resources/PRESUBMIT.py
./ui/webui/resources/js/analytics.js
./ui/webui/resources/js/jstemplate_compiled.js
./ui/webui/resources/webui_resources.grd

Also, https://chromium.googlesource.com/chromium/src/+/master/chrome/test/data/chromeproxy/extension/google-analytics-bundle.js is another "version" of google-analytics-bundle.js, as obfuscated as the other one, inside the "chrome" folder (rather than "third_party"). https://chromium.googlesource.com/chromium/src/+/master/chrome/test/data/chromeproxy/extension/ contains more obfuscated JavaScript bearing no license notice, e.g., detailed_data_usage_compiled.js: https://chromium.googlesource.com/chromium/src/+/master/chrome/test/data/chromeproxy/extension/detailed_data_usage_compiled.js

> Chromium does not connect to Google Analytics (otherwise we should have seen it in tcpdump)

Your tests do not show that. Maybe data are sent every time 10 MB were collected, maybe only on Halloween day, maybe when a website using Google Analytics is visited (more than 60% of the top-100k sites according to https://trends.builtwith.com/analytics/Google-Analytics : scary), etc. With obfuscated JavaScript involved, it is hard to be sure...

> and cannot open rar files.

Talking about unrar, a comment on line 27 of https://chromium.googlesource.com/chromium/src/+/master/chrome/services/file_util/public/cpp/BUILD.gn says "This dependency is here temporarily". We can see if it is still there in a few months (or if it is in Chromium temporarily in the same way that the Eiffel tower was in Paris temporarily). For the moment, that looks bad.

> But when you have a huge project which contains a mix of things perhaps it is not very simple to unify licenses (another reason to hate lawyers). Is the situation with Firefox any different?

I have never heard of licensing issues in Firefox. Mozilla has a rather clear "Source Code License Policy" https://www.mozilla.org/en-US/MPL/license-policy/

For instance, it states that the GPL is incompatible with the MPL. It asks to "always consult the licensing team before importing Third Party Code" too.
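The file list and the remark about obfuscated JavaScript without a license notice suggest a simple audit one can run over any checkout. The script below is an added example, not code from Chromium or from anyone in this thread: it walks a source tree, keeps files that mention analytics, checks the header for a recognisable license notice (keyword heuristic, an assumption) and flags JavaScript whose average line length suggests minification. The sample tree it audits is constructed inline.

```python
"""Audit a source tree for analytics-related files lacking a license notice."""
import os
import re
import tempfile

# Keywords common in license headers; a heuristic, not a legal determination.
LICENSE_RE = re.compile(
    r"copyright|licen[cs]e|spdx-license-identifier|\b(bsd|mit|apache|gpl|mpl)\b",
    re.IGNORECASE,
)
ANALYTICS_RE = re.compile(
    r"google-analytics|analytics\.getService|\banalytics\b", re.IGNORECASE
)
HEADER_LINES = 30        # how far into a file we look for a notice
MINIFIED_AVG_LINE = 200  # average chars per line above this => likely minified


def has_license_notice(text: str) -> bool:
    """True if a license keyword appears in the first HEADER_LINES lines."""
    head = "\n".join(text.splitlines()[:HEADER_LINES])
    return bool(LICENSE_RE.search(head))


def looks_minified(text: str) -> bool:
    """Crude minification detector based on average non-blank line length."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return False
    return sum(len(ln) for ln in lines) / len(lines) > MINIFIED_AVG_LINE


def audit_tree(root: str) -> dict:
    """Map relative path -> {'license': bool, 'minified': bool} for analytics files."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            if not ANALYTICS_RE.search(text):
                continue
            rel = os.path.relpath(path, root)
            findings[rel] = {"license": has_license_notice(text),
                             "minified": looks_minified(text)}
    return findings


def build_sample_tree() -> str:
    """Constructed sample tree: a clean file, a notice-less minified bundle, a decoy."""
    root = tempfile.mkdtemp(prefix="audit_")
    files = {
        "ui/analytics.js": "// Copyright 2017 The Example Authors. BSD-style license.\n"
                           "var svc = analytics.getService('demo');\n",
        "test/bundle.js": "var a=" + "b.c(d);" * 60 + "analytics.getService('x');\n",
        "docs/readme.txt": "Nothing to see here.\n",
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for path, info in sorted(audit_tree(build_sample_tree()).items()):
        flags = [] if info["license"] else ["NO LICENSE NOTICE"]
        if info["minified"]:
            flags.append("looks minified")
        print(f"{path}: {', '.join(flags) or 'ok'}")
```

Pointing `audit_tree` at a real checkout lists the candidates; a human still has to judge each hit, since the notice check is only a keyword match.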

heyjoe
Offline
Joined: 01/09/2018

Thanks for sharing that info. That's what I was hoping to see from you when I asked you to show actual code in the web browsers thread.

What catches my eye is:
./android_webview/BUILD.gn

and

var n=analytics.getService("Data Saver Extension")

in detailed_data_usage_compiled.js. These make me think that the analytics may be part of the Android version or Chrome (where I assume that being tracked is inevitable).

It seems uBO and uMatrix can block any behind-the-scenes XHR but of course it is not safe to assume that as a guarantee.

> Maybe data are sent every time 10 MB were collected, maybe only on Halloween day

I have thought about that too. Still I have no proof for or against it. Just like I don't have a proof that Firefox actually respects the telemetry disabling through about:config.

> maybe when a website using Google Analytics is visited (more than 60% of the top-100k sites according to https://trends.builtwith.com/analytics/Google-Analytics : scary), etc. With obfuscated JavaScript involved, it is hard to be sure...

When I have worked on sites which have GA and have monitored each and every XHR I have never seen data submission beyond what the actual site sends to GA. So I would exclude that (unless the spyware which we suspect sends data in a way which is not visible in browser console (not impossible, still no proof)).

BTW if https://www.google-analytics.com/analytics.js is unminified it is not impossible to understand what it does. I remember some time ago (> year) looking at that code and I didn't see any functionality which is not in GA documentation.

I wouldn't trust those scary stats. I would rather say it is incomplete because GA has an API which allows sending data to GA without JavaScript (e.g. from PHP). I have used it, it works. It can't report things like browser resolution etc. but it still can report the parameters which are available without JS. So just because there is no explicit HTTP request to google-analytics.com on the front-end doesn't mean the site is not using GA. I.e. - disabling JS does not save you from GA.

Something else which I noticed today: A bug report about Chromium whose owner has an @intel.com email address (What has Intel to do with Chromium?)

https://bugs.chromium.org/p/chromium/issues/detail?id=752375

> "This dependency is here temporarily".

Yes and it also says "#TODO(crbug/750327)". I tried to visit that bug:

https://bugs.chromium.org/p/chromium/issues/detail?id=750327

but I am getting:

"You do not have permission to view the requested page.

Reason: User is not allowed to view this issue"

which is quite strange for an "open source" project. Normally only specific security related bug reports are invisible to the general public (to avoid the possibility of privacy issues) but unrar?

> I have never heard of licensing issues in Firefox.

I think we have:

https://trisquel.info/en/forum/web-browser#comment-125929

> For instance, it states that the GPL is incompatible with the MPL.

Is that not an issue? And does it really matter if all the forks (including Tor browser) inherit the telemetry code (and who knows what else) and simply disable it through prefs?

I am still unclear which browser is safe to use.

Maybe we are way off-topic already but it is still a common question about all free software. When an organization like FSF recommends things it is not quite fair not to take certain responsibility in the quality of what they recommend. Otherwise the recommendation creates the impression that something has been thoroughly tested. "Does not include proprietary software at all" should be questioned more deeply because a feature like telemetry is a form of proprietary behavior in which the proprietor collects data. So I think FSF should not recommend any distro which includes a fork of Firefox unless it has been checked that the telemetry code has been completely removed (and not just disabled through prefs).

CalmStorm

I am a member!

Offline
Joined: 12/31/2014

Nah, firefox forks are better than chromium forks... for a few reasons...

Chromium doesn't even do lip service towards privacy, they don't even try to care...

At least firefox tries to care somewhat...

Firefox is easier to configure securely, and noscript and privacy settings help with that immensely... I don't think chromium has a noscript feature built in as good...

and my last reason is basically this, The fsf based their Icecat browser off of firefox, not chromium...

Think about why that is... and get back to me when you do.

ps,

"You do not have permission to view the requested page."

This is highly suspicious...

Nice debate though... but at this time as bad as firefox is, it makes waves of privacy compared to chromium and of course the awful google chrome

Magic Banana

I am a member!

Offline
Joined: 07/24/2010

> These make me think that the analytics may be part of the Android version or Chrome (where I assume that being tracked is inevitable).

I see no reason why the Android version of Chromium would "need" Google Analytics more than the desktop versions.

> BTW if https://www.google-analytics.com/analytics.js is unminified it is not impossible to understand what it does.

It is minified.

> Something else which I noticed today: A bug report about Chromium with owner with email address @intel.com (What has Intel to do with Chromium?)

That does not prove anything.

> "You do not have permission to view the requested page.
> Reason: User is not allowed to view this issue"
> which is quite strange for an "open source" project.

That does not prove anything either.

> https://trisquel.info/en/forum/web-browser#comment-125929

Jxself points out how Mozilla restricts freedom 2 through its trademark policy. That abuse is a (real) problem that is not related in any way to hypothetical licensing issues in Firefox's code base.

> Is that not an issue?

What do you mean? As long as Firefox's code base does not include GPL code (except for separate binaries), there is no licensing issue.

> And does it really matter if all the forks (including Tor browser) inherit the telemetry code (and who knows what else) and simply disable it through prefs?

It is a completely separate issue. Actually a "non-issue" if it is disabled.

> Otherwise the recommendation creates the impression that something has been thoroughly tested.

I have never seen the FSF pretending that.

> "Does not include proprietary software at all" should be questioned more deeply because a feature like telemetry is a form of proprietary behavior in which the proprietor collects data.

For the nth time, the free/proprietary distinction essentially has nothing to do with what the software does, with its "behavior". Proprietary software is bad even if it does nothing bad, technically. It is bad because it does not leave the users in control of their computing. The power that the proprietary software developer has over its users is the fundamental injustice. The fact that malware and proprietary software often go hand in hand is a consequence: power corrupts.

Most users do not see telemetry as malware and see no reason to remove such a feature.

> So I think FSF should not recommend any distro which includes a fork of Firefox unless it has been checked that the telemetry code has been completely removed (and not just disabled through prefs).

The only difference that it makes is that a user who wants to help Mozilla improve Firefox through telemetry cannot.

heyjoe
Offline
Joined: 01/09/2018

> I see no reason why the Android version of Chromium would "need" Google Analytics more than the desktop versions.

I am not saying it needs it.

> It is minified.

I know. But you can unminify it. That's what I meant. It is still difficult to read due to the non-descriptive variable and function names but that is surely easier to reverse engineer than binary code.

> Jxself points out how Mozilla restricts freedom 2 through its trademark policy. That abuse is a (real) problem that is not related in any way to hypothetical licensing issues in Firefox's code base.

I may be wrong but it seems to me it contradicts your previous:

>> I have never heard of licensing issues in Firefox.

To put it differently: license-wise, it looks like Firefox is not free software due to the restrictive licensing terms which you and jxself mention. So saying that it has no licensing issues is incorrect.

> What do you mean?

The above.

> It is a completely separate issue. Actually a "non-issue" if it is disabled.

Well, it is an issue that it exists in the first place and that it is enabled by default. It reveals the intent of the vendor and that is what bothers me. Add to that the affiliations of that same vendor with PRISMed companies, the way they disregard bugs about privacy concerns etc.

> I have never seen the FSF pretending that.

You have because I have shown it previously (paragraph 3 and next):

https://trisquel.info/en/forum/web-browser?page=4#comment-127279

And as a whole: the talk about how malicious non-free software is, followed by conclusions and advice like "that's why you should use free software", definitely creates the implication that free software is safe. So it becomes a common assumption.

> For the nth time, the free/proprietary distinction essentially has nothing to do with what the software does, with its "behavior".

I know that. Yet consider the above and the reason why people here prefer free software and ask various questions about how to secure their communication and web browsing perfectly etc. Surely not because they want free telemetry. So this is an issue that needs to be addressed somehow.

> The only difference that it makes is that a user who wants to help Mozilla improve Firefox through telemetry cannot.

Help Mozilla? The helpless Mozilla corporation? I am not quite sure I get your point.

Magic Banana

I am a member!

Offline
Joined: 07/24/2010

> But you can unminify it. That's what I meant. It is still difficult to read due to the non-descriptive variable and function names but that is surely easier to reverse engineer than a binary code.

Are you the same person who pretends that freedom 1 is not practical because it is too much work to read large source codes?!

> I may be wrong but it seems to me it contradicts your previous "I have never heard of licensing issues in Firefox."

You confuse everything. Many files in Chromium's source code have unclear licensing (because license notices are missing). It includes files under copylefted licenses (and even under incompatible licenses), yet its developers pretend that Chromium as a whole is permissively licensed. Those are licensing issues. I have never heard of such licensing issues in Firefox. Mozilla's abusive trademark policy is a completely different problem. It has nothing to do with how the source code is licensed.

> Well, it is an issue that it exists in the first place and that it is enabled by default. It reveals the intent of the vendor and that is what bothers me.

The intent is "improving Firefox by getting usage information, e.g., the state of the browser when it crashes".

> Add to that the affiliations of that same vendor with PRISMed companies

Not the best argument to prefer Chromium, which is mainly developed by Google, listed in the PRISM documents.

> https://trisquel.info/en/forum/web-browser?page=4#comment-127279

"With a concern for your privacy and safety" does not mean "thoroughly tested".

> And as a whole: the talks about how malicious non-free software followed by conclusions and advises "that's why you should use free software" definitely creates the implication that free software is safe.

"Not malicious" does not mean "safe". Nobody here claims that free software has no vulnerability.

> Yet consider the above and the reason why people here prefer free software and ask various questions about how to secure their communication and web browsing perfectly etc. Surely not because they want free telemetry. So this is an issue that needs to be addressed somehow.

Your implication "People do not use free software because they want telemetry" => "They do not want telemetry" is wrong.

> Help Mozilla? The helpless Mozilla corporation? I am not quite sure I get your point.

Using the same example as above: knowing the state of the browser when it crashes helps to discover the related bug and fix it.

heyjoe
Offline
Joined: 01/09/2018

> Are you the same person who pretends that freedom 1 is not practical because it is too much work to read large source codes?!

analytics.js is not 10M lines of code. My posts about the impossibility to exercise freedom 1 were about the large code base of browsers. You should really pay attention to context (I say this for the 358th time).

> You confuse everything.... It has nothing to do with how the source code is licensed.

Ok. Now I understand what you mean. As I said - I may be wrong.

> The intent is "improving Firefox by getting usage information, e.g., the state of the browser when it crashes".

I don't know what exactly you are quoting. The actual intent is not that because telemetry reports things even without crashes. KDE programs also have crash reporting functionality but it shows a specific dialog box when a program crashes and you have to explicitly send a report (if you want), it doesn't send data to anyone during regular usage.

> Not the best argument to prefer Chromium, which is mainly developed by Google, listed in the PRISM documents.

It is not an argument to prefer Chromium but an argument to avoid Firefox/forks.

> "With a concern for your privacy and safety" does not mean "thoroughly tested".

Yet in combination with "look no further than GNU Icecat" it implies exactly that. So again - excerpts, context, wholeness.

> "Not malicious" does not mean "safe".

And what is "not malicious" then? Unsafe? lol

> Nobody here claims that free software has no vulnerability.

Where is the list of vulnerabilities? Oh wait - that would be demotivating!

> Your implication "People do not use free software because they want telemetry" => "They do not want telemetry" is wrong.

Ok. Make a public poll "Do you want telemetry, enabled by default and difficult to disable?" in a separate thread and let us see the result. Make sure to include the following info:

----------------
"Telemetry is a feature that allows data collection. This is being used to collect performance metrics and other information about how Firefox performs in the wild."

https://firefox-source-docs.mozilla.org/toolkit/components/telemetry/telemetry/index.html

"Data Collection Categories
There are four "categories" of data collection that apply to Firefox:
...
Category 2 “Interaction data”
Information about the user’s direct engagement with Firefox. Examples include how many tabs, addons, or windows a user has open; uses of specific Firefox features; session length, scrolls and clicks; and the status of discrete user preferences."

https://wiki.mozilla.org/Firefox/Data_Collection (the word 'crash' is mentioned only one single time in the lengthy document)
----------------

I may be wrong and it may turn out that people who like free software also like to be part of massive and continuous data collection. Then your golden logic will shine.

Magic Banana

I am a member!

Offline
Joined: 07/24/2010

> analytics.js is not 10M lines of code.

"Unminify" https://chromium.googlesource.com/chromium/src/+/master/chrome/test/data/chromeproxy/extension/google-analytics-bundle.js (about 1300 lines of code) all you want and try to rewrite part of it in understandable JavaScript (with meaningful variable names, comments, etc.) if you really believe it is doable.

> My posts about the impossibility to exercise freedom 1 were about the large code base of browsers.

Studying 10M lines of code is too much work for one single person (who can however focus on a few features or even a whole module). It is not too much work for a whole community. Part of that community actually *wrote* the 10M lines of code.

> The actual intent is not that because telemetry reports things even without crashes.

"E.g." introduces an example. The telemetry module does not exclusively deal with crashes. https://crash-stats.mozilla.org/topcrashers/?product=Firefox&version=58.0.2 shows how the telemetry data help the developer identify and prioritize bugs that cause many crashes in practice.

> Yet in combination with "look no further than GNU Icecat" it implies exactly that.

No, it does not.

> And what is "not malicious" then? Unsafe? lol

A malicious functionality is, by definition, *designed* to abuse the users. A bug creating a vulnerability is *unintended*. So, yes, a piece of software can be at the same time "unsafe" and "not malicious". It is even common.

> Where is the list of vulnerabilities?

Here for instance: https://nvd.nist.gov/