Re: [libreplanet-discuss] Free software is not trusted software

[bill-auger]

as much as i hate to be a web blanket :) - i must say that my
suggestion to elect Nicolás the chief of this operation was entirely
sarcastic - this discussion is all well intentioned, of course, but
not very realistic

take this as one representative example (i.e. food for thought) - the
chromium web browser has been under suspicion for improper licensing
since it was released about 10 years ago - in that time, no one has
audited it comprehensively, not even it's own developers were able to
reach a conclusion (it appears they they honestly did try), and probably
no one ever will be able to; not because of disinterest, but because of
the sheer magnitude of the task

it would probably take a reasonably sized team working full time for
about six months to audit that behemoth for licensing compliance alone,
then who knows how much longer to actually read all of the source code;
and that does not imply that any of the reviews would have a thorough
understanding of what they have read - it is probably safe to assume
that not one developer of that program actually understands all of the
complex inter-workings of the many many parts of such a large code-base
- to expect a team of volunteers to accomplish that super-human feat
is ... ok, i will say it ... a pipe dream - and that is only considering
one single software project - the proposal in this thread is literally
to audit every bit of source code that has ever been written and ever
will be written - it should be obvious that would be many orders of
magnitude more difficult

and by the way, i don't recall anyone suggesting that proper licensing
should be among the goals of this committee - that would actually be
best as the first thing audited; because it is a significantly simpler
task, and if the program is indeed improperly licensed, then the
evaluation can stop there, because no one has any right to use it
anyways - this is essentially the position of the FSDG distros by not
distributing chromium; and users are generally advised not to use any
software that the distro does not provide, regardless of any reasons
*why* the distro does not provide it


On Sun, 20 Jan 2019 23:54:16 +0100 Julian wrote:
> It will not be simpler and eventually more effective just to rank the
> trustability of the software according to the ratio of reviewers/
> maintainers?

so, call me a negative nancy if you will, but i suggest that an
optimistic estimation of that ratio would be on the order of one
reviewer for each 10,000 to 100,000 software projects; so those
rankings would differ only beyond the fifth decimal place, and the vast
majority would be forever marked: "pending evaluation - please help!" -
again, that's not because it is a bad idea, nor because no one is
interested; the scale of the endeavor itself renders it's success
dubious at best - it is probably safe to assume that it would require
at least as many reviewers perpetually reviewing, as the number of
developers that are actively developing - BTW this is already in common
practice under the name "code review" - of course, not all projects do
it, but they should and ideally would if only they had the peoples-power
to do so

just for a grounding in reality here: there is probably more software
published, to github alone, every day, than a team of a thousand
reviewers could audit in a year - simple math would indicate that this
would require a team of millions, just to keep on top of all the new
software that is published, and work slowly toward scratching the
surface of the back-log of existing software - if anyone wants to take
this proposal seriously, you may be better off playing the lottery in
hopes of being able to fund this effort for the first year

and just in case anyone is thinking: "automation! that's the solution!";
i suggest that you would probably need to solve "the halting problem"
before that fantastic "malware detector" program could be written

if you like (or even if you don't), you could consider the world of
free software (and the internet, and all software, really) not
much at all as alike to your grandmothers cozy, safe living room; but
more realistically like the wild outback - it contains all sorts of
savages, bandits and wolves, that have been there since the beginning
and are not likely to go away anytime in the foreseeable future - free
software is not to blame for that; it is a fact of life - free
software is actually the only hope in reducing whatever damage to
society of which such "bad neighbors" possess the potential to inflict

i would be sorry if that portrait frightens anyone away from using free
software, but it is the very price you pay for freedom in this, the only
universe we have to explore: everyone must be willing to accept the
risks associated with their own actions, and learn how to avoid the
activities which they consider to be dangerous; or else that person is
not responsible enough to competently manage themselves with that
particular level of freedom - there is a word for such people; they are
usually called: "children" - as a mature adult, no one else will,
should, or can accept those risks for you

the best that helpful shepherds can hope to do, is to warn Little Red
Riding Hood not to talk to strange wolves, or to keep her locked in at
home - the latter would be the metaphorical analog of turning your
computer OFF, or trusting that purveyors of proprietary software (ala.
MS/apple/google) can "protect" her for you - luckily, the moral of
this story, is that the actual tangible "dangers" to this sort of
activity are as mythical as the Big Bad Wolf himself - if one exercises
basic common sense and restraint, then the worst "harm" those wolves can
actually do, is to corrupt your data or to spy on your web browsing -
they can not actually eat you, nor grandma - whew, now isn't that
comforting and reassuring - let us rejoice :)

perhaps this rant may sound hopelessly pessimistic to some, but i do
hope that no one would see it as a validation of the OP's claim - my
advice to anyone holding these concerns, is to trust your distro, use a
FSDG endorsed distro and do not use any software that your distro has
not provided - additionally, and as importantly: engage yourself with
your distro's developers, file bug reports, ask the experts about your
security concerns and for advice on how you can learn to manage them,
and so on - that is how bugs are found and fixed, and how privacy
concerns are identified and warned about or patched out; and that dialog
between users and devs seems to have been working quite well these many
years - because of that, i am not at all pessimistic nor frightened
about anything i mentioned in this post

:) that was fun - thanks for reading - if you made it this far down:
you are awesome!!