Re: [GNU-linux-libre] DSFG in perpetuity


From: Luke
Subject: Re: [GNU-linux-libre] DSFG in perpetuity
Date: Wed, 28 Mar 2018 18:09:20 -0400
User-agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:52.0) Gecko/20100101, Thunderbird/52.2.1

Subject: Re: [GNU-linux-libre] DSFG in perpetuity
Date: Mon, 26 Mar 2018 16:41:52 -0400
From: bill-auger <address@hidden>
Reply-To: Workgroup for fully free GNU/Linux distributions
<address@hidden>
To: address@hidden

On 03/26/2018 03:27 PM, Donald Robertson wrote:
and at this point we at the FSF need to bring some guidance.

there has been a healthy flurry of activity on this list recently and i
think the will exists to forget about any friction in the past and move
forward - but i must firmly say that "guidance" is too weak of a word
for what the FSF needs to do in order to smooth over the past
wrinkles - as i understand, tensions have gotten high in the past and
many are still not at ease - there are at least 2 issues that the
community has argued over for years that only the FSF should decide
definitively - namely:

* are the debian kernel blob error log messages acceptable or are they
unacceptable? *regardless of the distro*

* what to do about chromium - now i think it is finally removed from all
FSDG distros - should we just let that dog lie? - i am happy to tell
users "forget it - she is a lost cause" (that probably is the case for
'electron') - but i was told that RMS was interested in doing something
about it - so maybe the answer should be "not now - but maybe someday" -
even that distinction would make a difference - i happen to know we have
the co-operation of qt5-webengine - if only that library could be deemed
acceptable, it would have the greatest impact.

I would also be interested in where the FSF stands on Chromium, and how to proceed moving forward.
Below is the article from last January which was apparently withheld from publishing.

------------------
-------- Forwarded Message --------
Subject: 	Re: Article: Chromium's subtle freedom flaws
Date: 	Mon, 30 Jan 2017 23:33:15 +0000
From: 	Luke <address@hidden>
To: 	address@hidden



On 01/30/2017 02:49 AM, Richard Stallman wrote:
[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

Would you like the FSF to publish your article?
If so, please send me the latest version.

Hello,

You may publish it. Here is the latest text. HTML / formatting can also
be adjusted as needed.

Thank you.

Sincerely,
Luke
Parabola GNU/Linux-libre Packager.
---------------------------------------------------------------------------
Chromium's subtle freedom flaws

As free software activists, we all enjoy using the latest and greatest
in free software, but we need to make sure that the software we are
using really does respect our freedom. Many users have expressed to us
their desire to run the Chromium web browser, since it appears to be fully
free software, but it still fails in several ways.

In our research, we discovered that the situation is improving. Just a
few years ago, there were over one thousand unlicensed files which were
considered to be non-free. Thanks to Debian's Lintian Reports and
efforts, this number has come down to under 100 files as of this
writing. Licensing the remaining code with GPL-compatible licensing is
fairly trivial and is expected to be completed soon - the majority of it
being minified JavaScript.[1]

However, Chromium, by default, still has a number of issues that are of
concern for free software users - even if all the source code is
licensed properly.


-What are the issues?-


Queries to Google
---

By default, Chromium source code still has many lines of code that make
direct internet connections to Google.
When building the software unpatched, much of your browsing experience
is under the control of Google's online web services.
As mentioned in our article "Who does that server really serve?"[2],
free software is only free when you are in control and should not be
dependent on third-party web services. Some work has already been done
to free Chromium from this problem, including the removal of "Google
OK", a Google web service plugin used for voice recognition, after user
outcry.[3]

Pre-built Binaries
---

By default, Chromium still includes some pre-built binaries to aid in
faster compiling. In order to have fully free software, we require all
software to be built from source. Packagers should not use
"use_prebuilt" as a compile option.

DRM and Proprietary Codecs
---

Chromium supports the use of Widevine DRM, Adobe Pepper Flash, and
third-party codecs which are non-free. Packagers must ensure that these
are removed and disabled in the makefile options prior to compiling in
order to be free software.


Privacy problems
---

While not specific to free software, we would like for users to have
control over their private information. Chromium has a number of
reported privacy concerns which made it ineligible for use with Tor.
Issues include outstanding proxy bugs which leak a user's IP address,
fingerprinting issues that leak the computer's hostname and hardware, and
timing issues that enable timing attacks even in the browser's
"Incognito" mode. Free software users should be aware of these issues
and work to patch them upstream and in their packages as needed.[4]


A work in progress
---

There is work being done to remove queries to Google and pre-built
binaries, as well as strengthen user-privacy.

The patch-set called ungoogled-chromium, which itself is a combination
of inox, iridium, and Debian patches, is one such effort.[5]
Free software advocates are advised to use these patchsets and help
contribute to their maintenance, while pushing for a self-contained
version of Chromium with these fixes built-in. With each consecutive
Chromium release a new patchset must be created to remove Google
specific code and binaries which affect your freedom. Having a
self-contained version ensures that no one will be forced to
accidentally use non-free software during these updates.


-The Bigger Picture-

Chromium is also being used as an embedded framework in various projects.

Users should be aware that QTWebengine is based on Chromium and
therefore contains many of the same flaws. Proprietary codecs and other
anti-features must be disabled at compile time to ensure users' freedom
is respected.[6] Due to QT being a primary component of KDE and many
applications, ensuring it is compiled correctly and removing non-free
software is of even greater importance to the free software movement.

For our freedom's sake, free software projects should take care about
all kinds of freedom issues when deciding what components to depend on.

We are hopeful that the various projects currently working with Chromium
source code will make Chromium fully respect both users' freedom and
users' privacy, making the internet safer, as well as more freedom
respecting, for everyone.


1. https://lintian.debian.org/maintainer/address@hidden
2. https://www.gnu.org/philosophy/who-does-that-server-really-serve.html
3. http://www.pcworld.com/article/2940499/ok-google-hotword-detection-yanked-from-chromium-after-user-revolt.html
4. https://trac.torproject.org/projects/tor/wiki/doc/ImportantGoogleChromeBugs
5. https://github.com/Eloston/ungoogled-chromium
6. http://doc.qt.io/qt-5/qtwebengine-features.html#audio-and-video-codecs

This is Free work, you can redistribute it and/or modify it under the
terms of either:
The Creative Commons Attribution-ShareAlike 4.0 International License as
published by Creative Commons; either version 4.0, or (at your option)
any later version, or
The GNU Free Documentation License as published by the Free Software
Foundation; either version 1.3, or (at your option) any later version;
with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts

-------------------------



Sincerely,
Luke

Attachment: signature.asc
Description: OpenPGP digital signature
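
Added example, not part of the original message or article and not code from any of the projects it names: a packager-side check for the "Pre-built Binaries" point, which walks an unpacked source tree and reports files that start with the magic bytes of a compiled format. The function names and the sample tree are constructed for illustration; matching on leading bytes is a heuristic and short signatures such as "MZ" can produce false positives.

```python
import os
import tempfile

# Leading "magic" bytes of common compiled formats.
MAGIC = {
    b"\x7fELF": "ELF",
    b"MZ": "PE/DOS",
    b"\xcf\xfa\xed\xfe": "Mach-O 64",
    b"\xca\xfe\xba\xbe": "Java class / Mach-O fat",
    b"!<arch>\n": "ar archive (static library)",
}

def classify(path):
    """Return the format name if the file starts with a known magic, else None."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    return next((n for m, n in MAGIC.items() if head.startswith(m)), None)

def find_prebuilt(root):
    """Walk root and return sorted (relative path, format) for compiled files."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # skip VCS metadata
        for fname in filenames:
            full = os.path.join(dirpath, fname)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            kind = classify(full)
            if kind:
                hits.append((os.path.relpath(full, root), kind))
    return sorted(hits)

def build_sample_tree(root):
    # Constructed sample: one source file and two fake prebuilt artifacts.
    files = {
        "src/main.cc": b"int main() { return 0; }\n",
        "third_party/tool/bin/helper": b"\x7fELF\x02\x01\x01" + b"\x00" * 9,
        "third_party/lib/libfoo.a": b"!<arch>\n" + b"\x00" * 8,
    }
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, kind in find_prebuilt(tmp):
            print(f"{kind:28} {rel}")
```

Run against a real unpacked tarball by calling `find_prebuilt("/path/to/source")`; an empty result does not prove the tree is clean, since minified or generated files are not detected by magic bytes.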

