
Re: [libreplanet-discuss] SaaSS (was: The GNU ethical repository criteri


From: Mike Gerwitz
Subject: Re: [libreplanet-discuss] SaaSS (was: The GNU ethical repository criteria will only harm free software.)
Date: Sat, 24 Oct 2015 14:42:07 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.0.50 (gnu/linux)

On Sat, Oct 24, 2015 at 13:33:58 +0200, Alexander Berntsen wrote:
> I firmly believe we can, at least theoretically, reduce the risk so
> far that the only hazard for the user is the service shutting down.
> *Everything* else can be solved. We just need some time. And some
> dependent types as first class citizens of a higher-order ranks
> programming language. :]

I think that you might be talking about the risk of tricking users by
obfuscating or writing intentionally deceptive code (e.g. [0]).  This is
a risk in software (including Free), but is not applicable to SaaSS.

Service as a Software Substitute (SaaSS) means that the software runs on
a remote server---other than your own, that you do not control---in
place of conventional software on your computer.  For example, if you
use a service that manages your source code repository on your
behalf---by committing for you via a web interface, managing pull
requests, tagging, rebasing and otherwise rewriting history/code,
etc.---you have no control over the software that is running.  Even if
the software running on the server were free (e.g. GitLab CE), you still
cannot study or modify the running instance.  If the software on the
server is licensed under the AGPL, then you can get the source code of
the running instance, but you still cannot modify that running instance;
you must trust that the host is being truthful and providing all of the
modifications;[1] and there may be other software running.[2]

A service can also spy on you, and may even report you to third
parties.  Unfortunately, most servers are set to spy by default, by
storing certain data in (e.g.) access logs.[3]  But even using an
anonymizing service like Tor, if your data contains anything personal
that the server can look at, your privacy is lost.  You can expect that
your own software on your own computer---so long as it is Free---will
respect your privacy.  And if it doesn't, you or someone can modify it
to ensure that it does.

By using SaaSS, you relinquish all control to the server.  This is
incompatible with freedom.


[0]: http://underhanded-c.org/
[1]: Not all modifications are observable.  For example, a modification
     that logs all of your actions or your personal data cannot be
     observed by the user.
[2]: If the program licensed under the AGPL is part of a pipeline, then
     other parts of that pipeline are not subject to the AGPL.  For
     example, a program sitting between the AGPL program and the user
     may monitor or modify data.
[3]: https://www.eff.org/wp/osp


-- 
Mike Gerwitz
Free Software Hacker | GNU Maintainer
http://mikegerwitz.com
FSF Member #5804 | GPG Key ID: 0x8EE30EAB
