The FSF don't actually care about such details - sure, they'll deride ME, but they make no attempt to inform users about how it compares with alternatives and which options are better for users. That's because their criteria are not based on technical analysis, like determining what the access surface of the blobs is, but instead on the mere existence of the blobs. To them, all visible blobs are equally bad, regardless of whether one can completely compromise your system and another one is completely harmless and requires no trust.
>To them, all visible blobs are equally bad, regardless of whether one can completely compromise your system and another one is completely harmless and requires no trust.
For a company that values software freedom above all else, this is completely fine. If they were called the Secure Software Foundation, then your arguments would hold more weight. For example, I really doubt that the FSF would claim that GNU Guix is more secure than OpenBSD.
but security is associated with free and open source software. i think this is a common position of a vast majority of security experts. to make your claim that FSF deceives or misleads people you need to do a LOT more. for example, can you provide an example where someone claims that GNU Guix is secure by design[0]
i think that taking a position that free software supports security and also that free software principles come before security considerations is not contradictory let alone deceptive
[0] EDIT: i just searched the RYF site and did not obtain a single result for the term 'security'
The factors that actually impact the upper boundary of achievable security are availability of source code (open or not) and reproducible builds. The 4 freedoms do not actually affect any aspect of security; they are orthogonal.
Also, just because the 2 factors above impact the upper boundary of achievable security does not mean an open source software is automatically more secure.
It is conceivable for 2 comparable pieces of software to exist one open source and the other closed source and for the closed source one to be more secure.
There are many reasons why open source software is in practice considered more secure, among others being faster availability of updates and the aforementioned higher upper ceiling of security.
>does not mean an open source software is automatically more secure
well my point is that FSF never anywhere claimed otherwise. if they did THAT would be wrong and irresponsible
>It is conceivable for 2 comparable pieces of software to exist one open source and the other closed source and for the closed source one to be more secure.
sure. well a simple example is that security by obscurity is a valid concept in a right environment
Security is part of protecting your freedom from being compromised. I read this entire thread and wholeheartedly agree with marcan_42. FSF's position to draw a line where none exists is foolish wishful thinking and potentially dangerous.
I prefer knowing that I live in a world where COMPLETE software freedom is close to unachievable and it (COMPLETE software freedom) is a worthy goal to strive for compared to deceiving myself into believing it has been achieved by ignoring anything below a certain level.
Just because I choose to amputate my ability to update firmware does not mean a malicious party might not be able to do so. Anyone with physical access to hardware will still have that ability by using extra hardware. Handwaving the firmware away does not work against an evil maid attack.
>I read this entire thread and wholeheartedly agree with marcan_42
and you are free to do that and i would not say that you are a part of marcan-worshipping-cult or following some dogma
>deceiving myself into believing it has been achieved by ignoring anything below a certain level
if you are stating that this is what FSF believes then you are in fact spreading a falsehood and fud. this is what marcan has been doing regarding FSF the whole time during this engagement
>Just because I choose to amputate my ability to update firmware does not mean a malicious party might not be able to do so. Anyone with physical access to hardware will still have that ability by using extra hardware. Handwaving the firmware away does not work against an evil maid attack.
Unless FSF is claiming that GNU Guix is secure by design, or is free from such attacks, this is just a strawman argument
The FSF is deceiving themselves and others by believing that just because a user no longer has the ability to update firmware on a device, that device is actually no longer running non-free code.
I really do not understand what is so hard to understand: from a free software POV there is no distinction between a chip loading a blob from system storage and a chip loading a blob from its own tiny updatable flash. Both load a non-free blob. Neither fully respects your freedom. Drawing the line of Respects Your Freedom TM between those 2 is stupid and deceptive.
The user's ability to update firmware is also the ability to revert firmware changes (to an old trusted, even if closed source, version) made by a malicious party. Users do not gain any freedom by giving up that ability. They lose freedom.
Being able to choose between MS Office and Lotus and Star Office and WPS Office (1) gives the user more freedom compared to being stuck with just MS Office (2), even if none of those respect your freedom. Being able to also choose Libre Office (3) is obviously better. But 1 is still obviously better than 2. The existence or absence of 3 does not change that.
With regards to firmware, the FSF believes that 2 is better than 1. That is stupid. How do you not see that?
It is a valid form of protest but Respects Your Freedom TM certified hardware does not truuuuly respect your freedom.
This is harmful because the goal should be hardware with FLOSS firmware with reproducible builds and with the option for the user to add their own signing keys, NOT unupdatable (by the user) closed source proprietary firmware.
>With regards to firmware, the FSF believes that 2 is better than 1. That is stupid. How do you not see that?
your comparison with MS is ridiculous. FSF software is open. do with their software what you like. FSF believes it should not help you with 1 or 2 due to its principles, and that is OK. why wouldn't it be? the source is there, so help yourself if you really want something that they are not willing to help you with (even if they often do, apparently)
anyway, this whole exchange is becoming tiring to me. a lot of these comments by people seem to be more about waging a crusade against FSF than about discussing issues in good faith. it's somewhat disappointing, especially since i only just realised who marcan is. as far as i am concerned, i am completely unconvinced by marcan and co that FSF is a deceptive organisation and that their work is somehow bad for free software. quite the opposite, i am happy that they exist. i say this simply as a spectator. to me the following comment on their website just clearly shows that they are aware that products they certify run nonfree code:
"If and when free software becomes available for use on a certain secondary processor, we will expect certified products to adopt it within a reasonable period of time. This can be done in the next model of the product, if there is a new model within a reasonable period of time. If this is not done, we will eventually withdraw the certification"
(source given elsewhere in the exchanges)
i do not feel deceived in the slightest. if deception is happening it seems to be regarding FSF's position. take care
If that's isolated to a separate CPU, it's easier to track the signals going in and out, and the bad things it can do are limited.