1. 6

    Interesting article, but saying we can’t truly fix free software until we destroy capitalism feels at once both a bit extreme and unhelpful.

    It’s a nice idea (Who doesn’t want to live in a world where everything is free? Oh wait. A lot of people :) but I’d rather focus on ideas that help us iteratively improve the current situation.

    1. 17

      I think the author’s point is that the free software movement is already a radical philosophy, but one which is doomed to failure by its individualist focus. As a movement, it doesn’t offer a solution for how to make free software the natural choice (where the structure of our systems inherently directs people to select it as the best option), preferring instead to focus on convincing individuals that it is the right choice (which may be true, but doesn’t scale, and will constantly fight against whatever the natural choice is, which is why open source has eaten free software’s lunch).

      So the choice is between an ineffective radical philosophy and a potentially effective one.

      1. 4

        how to make free software the natural choice…the best option

        There are many things that changed since the late 1990s when free software was the dominant ideology. One is that Google, and ultimately all of big tech, co-opted open source to mean “you are free to have all of the source code to the client that talks to our centralized proprietary service.” Having done so, free software isn’t the natural choice, because the benefit of freedom, being able to change the system to do what you want, is not present. Its capabilities are limited to what the proprietary service provides, and it only works if the client implements what the proprietary service requires.

        1. 3

          I’m not sure in what sense it’s the case that “open source has eaten free software’s lunch”. At the moment, free software and open-source software are basically synonymous. An open-source library developed by paid programmers working for some Microsoft- or Facebook-sized corporation is free in exactly the same way that GNU Emacs or Firefox is.

          There are people who would like to change this situation - create and popularize software licenses that are “open-source” in the sense of having the source code be publicly available, but non-free in the sense of imposing four-freedoms-violating conditions on the use of that software. But the two main motivations for doing this are to prevent large cloud providers (such as Amazon specifically) from releasing products based on open-source software that might compete with smaller companies that develop such software, and to prevent organizations and people with political views specific activist programmers find distasteful from being able to freely use useful software. The former consideration is an attempt to limit the power of well-capitalized corporate institutions, and the latter is associated with “culturally leftist” politics but doesn’t directly help or hinder such institutions.

          1. 1

            At the moment, free software and open-source software are basically synonymous.

            I disagree, because “free software” is actually less free (as in freedom) than open source.

            For example, let’s say that “Bob” wants to release a videogame toolkit. He starts with the Quake III Arena source code (released under the GPL). He spends months building a complete game creation toolkit around it the likes of which could be compared to any modern AAA game engine.

            But there are still sections of code that are recognizably Quake. If he tries to sell this thing that he spent so long on, he could get a cease-and-desist (and likely will).

            Imagine a similar situation where “Alice” does the same thing with the Sauerbraten engine (zlib license). She gets to sell her work (and it is hers if she’s spent months working on it). She can then decide later that she would like to release the source on her own time.

            Who had more freedom?

            This is a contrived example, because no reasonable person who wants to sell something would start with GPL software. The point is that “Bob” can’t use the Quake source for his own gains even though ID has decided that they are done using it.

            1. 3

              I don’t know how long you’ve been in the open source/free software realm, but these arguments were done to death 20 years ago.

              The difference is perspective: freedom for the developer vs. freedom for the user. When GNU started, AT&T was exercising its “freedom” to maintain exclusive control of UNIX, and RMS wanted the “freedom” to control what happened on his computer.

              From time to time this is intentionally confused by people with an agenda, as in “free software isn’t free because it doesn’t let us freely screw users.”

              1. 4

                I don’t know how long you’ve been in the open source/free software realm, but these arguments were done to death 20 years ago.

                Well, I’m only 20.

                The difference is perspective: freedom for the developer vs. freedom for the user.

                As the developer you always have the freedom to not release the source. As the user, you can choose to ignore the license (at your peril). Your freedom ends where another person’s freedom begins. It’s selfish and arrogant to think that you “deserve” to control other people’s use of your product.

                I like to draw a parallel with firearms. You have a right to not own one, but you cannot prevent me from owning one. Substitute any politically correct item for firearm if you wish.

                From time to time this is intentionally confused by people with an agenda, as in “free software isn’t free because it doesn’t let us freely screw users.”

                This is attributing the (perceived) malice of large corrupt corporations to people like me who prefer to keep personal liberties intact. It’s shameful.

                1. 5

                  This is attributing the (perceived) malice of large corrupt corporations to people like me who prefer to keep personal liberties intact. It’s shameful.

                  I didn’t mean to attribute it to you. As I said at the beginning of the post, I’m not sure about your background (thanks for clarifying it.) I do mean to say that the argument you provided is also provided by people with an agenda, and I’d encourage you to think critically about it.

                  Your freedom ends where another person’s freedom begins. It’s selfish and arrogant to think that you “deserve” to control other people’s use of your product.

                  Very true, but consider what that means in the context of software. Software released without source is trying to exercise control over the use of the product by preventing the user from altering it or improving it. These days it often goes further with code signing, DRM, online activation, etc, which is increasing the degree of control.

                  The point of copyleft is that if we accept as a society that authors control the use of their product, then authors are free to prevent what they would see as misuse of that product, including distributing it without source code. There is an alternate universe where authors have much less control in general, but we happen to live in this one.

                  The genius of RMS, IMHO, was more about economics than software. He observed that in a market where fixed costs are high and marginal costs are low, which software takes to the extreme, the result will be a small number of vendors and a large number of users. In that context, users do not have a remedy through competition: they cannot choose a vendor that gives them the level of freedom they want. Market forces would push any user-respecting vendor out of existence. Taking your example, find a games publisher that releases source code [edit: to their new release game]. In the ultimate, he observed that the degree of vendor control would only increase over time, without limit, which has since proven to be true. In the last 15 years we’ve moved from a world where anyone can write a device driver or application to a world where these need to be approved by platform vendors, for example, and entire classes of software are unavailable to users as a result.

                  If competition among vendors can’t deliver the products users want, then the issue needs to be around restricting what vendors can do to ensure users can do what they want. As you put it, one person’s freedom ends where another person’s begins - but if we accept that anything which restricts the freedom of vendors is bad, then we accept that users should have no freedom whatsoever.

                  1. 2

                    Prologue: This thread has ended up way longer than I thought. Thank you for your time.

                    I think we agree on a lot of principles, we just disagree on where the line between author and user freedom is.

                    Fair warning, my firearm analogies got a little out of hand. If you are unfamiliar, feel free to ask for clarification.


                    I didn’t mean to attribute it to you.

                    Yes, I re-read the comment and I think I was being a little paranoid :)

                    Software released without source is trying to exercise control over the use of the product by preventing the user from altering it or improving it.

                    The same thing happens when somebody releases a product without specifying exactly how it was put together. For example: there are a fair number of proprietary firearm designs, but the most popular rifle (AFAIK) is the AR-15, a modular design that pretty much anybody is allowed to manufacture and sell (well, if the government lets them).

                    These days it often goes further with code signing, DRM, online activation, etc, which is increasing the degree of control.

                    I see code signing as a net good. I appreciate the assurance that when something runs with administrative privileges that the program is (sort of) verified. DRM can be done well, but most companies do it wrong. Steam is pretty good, but if they were a smaller company I wouldn’t trust them as much (mostly because I would have no guarantee that they would stick around).

                    The point of copyleft is that if we accept as a society that authors control the use of their product, then authors are free to prevent what they would see as misuse of that product, including distributing it without source code. There is an alternate universe where authors have much less control in general, but we happen to live in this one.

                    Code authors cannot control the use of their product, in the same way that a firearms manufacturer cannot prevent people from murdering people. All you can say is “we do not warranty this software if it is used for anything other than…”.

                    The genius of RMS, IMHO, was more about economics than software. He observed that in a market where fixed costs are high and marginal costs are low, which software takes to the extreme, the result will be a small number of vendors and a large number of users. In that context, users do not have a remedy through competition: they cannot choose a vendor that gives them the level of freedom they want. Market forces would push any user-respecting vendor out of existence.

                    I agree with this statement, but I believe the solution is more information. If more people knew how corrupt big tech was then they would use them less.

                    Taking your example, find a games publisher that releases source code.

                    I think the new Unreal Tournament is “public” source. UE4 and Crytek are also “public” source (with EULAs and royalties of course).

                    In the ultimate, he observed that the degree of vendor control would only increase over time, without limit, which has since proven to be true.

                    I assume by he you mean Richard Stallman.

                    In the last 15 years we’ve moved from a world where anyone can write a device driver or application to a world where these need to be approved by platform vendors, for example, and entire classes of software are unavailable to users as a result.

                    Sure anybody can write a device driver. The approval process is IMHO necessary because otherwise somebody could socially engineer people into installing a malicious driver or application (technically still possible, but more difficult). It’s like a carry permit. It (ostensibly) proves that you are competent and stable, and that you won’t use your thing (firearm, device driver) to intentionally harm an innocent person.

                    If competition among vendors can’t deliver the products users want, then the issue needs to be around restricting what vendors can do to ensure users can do what they want. As you put it, one person’s freedom ends where another person’s begins - but if we accept that anything which restricts the freedom of vendors is bad, then we accept that users should have no freedom whatsoever.

                    How does not restricting vendors lead to users having no freedom? I don’t mean to be snarky, I just don’t understand.

                    1. 6

                      I think the high level observation I’d make is that each of us exist in a society that establishes certain “normal” practices. Those practices change over time. When RMS was starting in software, “normal” meant that commercial vendors provide sources, and moving away from that was a redline for him. When I was starting in software, “normal” meant closed source but no signing/activation/forced updates, and moving away from that was a redline for me. Over the next couple decades, “normal” will continue to change and the things which seem normal for you now will become more restrictive due to competitive forces. When you see it happen, RMS stops looking crazy.

                      I see code signing as a net good. I appreciate the assurance that when something runs with administrative privileges that the program is (sort of) verified.

                      “Verified” in this context means it does what the vendor intended, not that it does what you want. If it was done to verify that it does what you want, then you’d be in control of the certificates that you’re willing to trust, and would be able to use software that is trusted by anyone you trust. As it stands, you’re not allowed to run code that you wrote yourself, because the vendor doesn’t trust you.

                      Code authors cannot control the use of their product…

                      (I’m avoiding firearms comparisons since it’s a business I don’t know anything about.) Code authors have an unusually high amount of control due to things like the DMCA which give legal protection to any measure they can create. Control is just an arms race - if it can be enforced somehow, it’s legal and legitimate. The makers of devices have a lot of resources to ensure they retain control of things like the applications that run, and they are highly motivated to exercise that control since they get a 30% cut. The maker of a hammer cannot control how it is used, but the maker of a technical device can and does control the software that runs on it (although you are free to use it to drive nails into a wall, which is often its most valuable use.)

                      I believe the solution is more information. If more people knew how corrupt big tech was then they would use them less.

                      Users are given the choice to use tech or not use tech. They do not have a competitive remedy. Your cell phone company knows where you are at all times and sells that information to marketers. Your remedy is to not carry a cell phone. It is true that if everyone rejects the entire category of tech then the problem goes away, but that seems like a big societal failure that gives us a choice between dystopia or dark ages.

                      I think the new Unreal Tournament is “public” source.

                      It’s an interesting model to be sure, but note that UT4 is cancelled. You’re free to get the source code so long as anything you do with it has copyright assigned such that your contributions can be released as part of UT4. This is a volunteers-develop-a-commercial-product model. I think the reason this thread started - taking issue with the idea that “free software” is more free than “open source” - is because “open source” is often a volunteers-develop-a-commercial-product model. This one happens to be far more explicit than most.

                      Sure anybody can write a device driver. The approval process is IMHO necessary because otherwise somebody could socially engineer people into installing a malicious driver

                      To be clear, you can write a device driver, but you cannot run the thing you just wrote.

                      The argument about needing approval amounts to an argument that users cannot be trusted to make their own decisions. Logically, it applies to anything. Can you socially engineer people into installing a malicious usermode program? Can you socially engineer people to visit a website with a bitcoin miner? Can you socially engineer people to visit a phishing website? If the solution is an explicit approval step, then we’d live in a very different world - perhaps our conversation might need explicit approval, because we might be engaging in social engineering right now.

                      How does not restricting vendors lead to users having no freedom? I don’t mean to be snarky, I just don’t understand.

                      This is exactly the argument you made about one person’s freedom ending where another’s begins. It’s easy enough to illustrate by example, but that relies on examining the examples with an open mind, and remembering that in the not-that-distant past things which appear as normal today were not remotely normal.

                      Personally I’m in the strange position of developing device drivers professionally. There’s a lot of value in them - I’m paid pretty well really - but I haven’t written any open source drivers. Why not? Because nobody could run them. I have written open source applications, because people can run those. But when you’re on both sides of the same fence and realize that you have a skill which is valuable but can’t contribute it to the community, the lack of user freedom becomes very visible.

                      1. 1

                        To be clear, you can write a device driver, but you cannot run the thing you just wrote.

                        I thought that (on Windows at least) you could develop the driver and run it unsigned on your own machine? I’ll take your word for it if I’m wrong because I looked at your blog and it looks like you’re a lot more knowledgeable on the subject than I am.

                        This is exactly the argument you made about one person’s freedom ending where another’s begins. It’s easy enough to illustrate by example, but that relies on examining the examples with an open mind, and remembering that in the not-that-distant past things which appear as normal today were not remotely normal.

                        I would appreciate an example. My point is that practically speaking a vendor cannot limit the freedoms of a user. They can get the user to agree not to do something, but what cost would be incurred in trying to enforce that agreement?

                        Personally I’m in the strange position of developing device drivers professionally. There’s a lot of value in them - I’m paid pretty well really - but I haven’t written any open source drivers. Why not? Because nobody could run them. I have written open source applications, because people can run those. But when you’re on both sides of the same fence and realize that you have a skill which is valuable but can’t contribute it to the community, the lack of user freedom becomes very visible.

                        You have a very interesting vantage point, thank you for your contribution to the conversation.

                        1. 3

                          I thought that (on Windows at least) you could develop the driver and run it unsigned on your own machine?

                          The bootloader has no way to know whether the unsigned code it’s loading came from your compiler or came from a malicious source on the Internet. The “obvious” way to fix this is to allow for self signed code and allow the user to manage which certificates they trust, but attestation signing is doing the exact opposite of that.

                          The way I develop drivers is by running systems under a kernel debugger, which disables driver signing requirements. A kernel debugger runs on a second machine. So you could run arbitrary drivers if you configure a machine to run multiple VMs so one can act as a debugger for the other, but realistically there’s no point writing drivers for that set of users, and nobody is going to run in that configuration to run code that’s not written.

                          It’s hard to describe the things that don’t exist as a result of restrictions. I can’t point you to a giant repo of things you can’t run; nobody bothered to create the repo because nobody can use what’s in it. But note that every app store restriction exists to prevent some developer from doing something that users want. (If developers didn’t want to build it or users didn’t want to run it, there’d be no point preventing it, because it wouldn’t have a market.) I don’t know how you feel about this, but I don’t think my cell phone has more amazing software now than it did six years ago. Either human creativity just ended, or something is preventing that creativity from getting to our phones - and it’s not hard to find what’s between the developers and the users.

                          Edit: To be a bit more concrete, note that most commercial phones have locked bootloaders, and most PCs are capable of booting arbitrary operating systems. As a result, there’s a large PC Linux community, but a very small Android developer community. Since the community is smaller, there’s not as much benefit to a user using a community Android distribution. I don’t know exactly what we’re missing out on, but the PC Linux community has contributed a ton of value, and there’s no equivalent on the phone, because our phones have locked bootloaders.
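
The comment above describes two ways a Windows machine ends up loading kernel code no vendor attested: a kernel debugger attached at boot, and (the closest thing Windows has to user-managed trust) test-signing mode. The script below, an added example that is not code from the thread or from any project it mentions, reports which of those states the current boot configuration is in, so you can check the posture of a machine before trusting it to enforce driver signing. It assumes an elevated PowerShell session on Windows 10/11 with `bcdedit` on the PATH and UEFI firmware; the function and property names are my own.

```powershell
# Added example, not code from the thread or from any project it mentions.
# Reports the boot settings under which Windows 10/11 will load kernel drivers
# that carry no signature the platform trusts. Assumes an elevated PowerShell
# session with bcdedit on PATH; Confirm-SecureBootUEFI throws on legacy BIOS
# firmware, which the catch block treats as "Secure Boot off".

function Test-BcdFlag {
    param([string]$BcdText, [string]$Name)
    # bcdedit prints a line such as "testsigning             Yes" when the
    # option is set; no line at all means the option is off.
    return [bool]($BcdText -match "(?im)^\s*$Name\s+Yes\s*$")
}

function Get-DriverSigningPosture {
    $bcd = (bcdedit /enum '{current}' 2>$null) -join "`n"

    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { $secureBoot = $false }

    $posture = [ordered]@{
        # "bcdedit /debug on": once a kernel debugger is actually attached,
        # signature enforcement is relaxed. This is the development setup the
        # comment above describes (second machine or VM acting as debugger).
        KernelDebug = Test-BcdFlag -BcdText $bcd -Name 'debug'
        # Test-signing mode loads drivers signed with any certificate,
        # including a self-made test certificate; it is the one Windows
        # mechanism in which the machine owner, not the vendor, picks the key.
        TestSigning = Test-BcdFlag -BcdText $bcd -Name 'testsigning'
        SecureBoot  = $secureBoot
    }
    # Either flag means a driver nobody attested can still load on this machine.
    $posture['UnsignedDriversMayLoad'] = $posture['KernelDebug'] -or $posture['TestSigning']
    return [pscustomobject]$posture
}

Get-DriverSigningPosture | Format-List
```

Two caveats when reading the output: `KernelDebug` reports only that debug boot is enabled, not that a debugger is currently connected, and with Secure Boot on, `bcdedit` refuses to enable test-signing at all, so on a Secure Boot machine the debugger route is the only one of the two that remains open.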

                          1. 2

                            So you could run arbitrary drivers if you configure a machine to run multiple VMs so one can act as a debugger for the other

                            But note that every app store restriction exists to prevent some developer from doing something that users want.

                            Ok, I was sorely mistaken on the kernel driver point. You’re also correct that most app store restrictions are BS. Code signing would also be a lot better if you could permanently “trust” an application like on macOS (or a driver).

                            I don’t know how you feel about this, but I don’t think my cell phone has more amazing software now than it did six years ago.

                            The crazy thing is that I feel like we go backwards in a lot of ways. I’m with you on this one.

                            1. 2

                              If developers didn’t want to build it or users didn’t want to run it

                              One of the common complaints in the Windows world is bundled browser toolbars. While there are people who actually like the Ask Toolbar and Yahoo Search, does anybody want it bundled with the JRE?

                              In a strict neoliberal sense, I suppose that users do willingly run the Java installer and consent to everything it installs, but describing it as something that the end users “wants to run” doesn’t ring true. The JRE itself is usually just a means to run some other app, and the bundled toolbars are probably not part of the end-user goal.

                              After all, free software distributions like Debian and Fedora have rules about what they allow in their repositories. And plenty of people complain about those rules. But do you actually think they’re trying to be user-hostile?

                              I don’t know how you feel about this, but I don’t think my cell phone has more amazing software now than it did six years ago. Either human creativity just ended, or something is preventing that creativity from getting to our phones - and it’s not hard to find what’s between the developers and the users.

                              Or, as an alternative explanation, the easy and low-hanging fruit has already been exhausted. Web apps haven’t really been getting better as quickly as they were improving ten years ago, yet the web isn’t any more proprietary now than it was in the past (If you say “Google’s fault”, I’ll reply by reminding you of IE6).

                              1. 2

                                While there are people who actually like the Ask Toolbar and Yahoo Search, does anybody want it bundled with the JRE?

                                No, clearly not. But as you say, there are people who want them, outside of the JRE. Platforms which restrict classes of software will invariably exclude software that some people do want. At least personally, I did use the Google toolbar back when it added value to me by displaying Pagerank. Somewhat cynically, I can’t help but notice these things are designed to redirect traffic to obtain revenue, and platform owners would like to keep that revenue for themselves, so they have an interest in preventing things unrelated to user benefit.

                                software distributions like Debian and Fedora have rules about what they allow in their repositories…do you actually think they’re trying to be user-hostile?

                                No, I don’t. But as distributions, they don’t have a monopoly on software, and a feedback loop exists. If some piece of software is released that breaches a repository rule but a lot of people end up going around the repository to install it, it will spark a conversation about whether the repository’s policies are correct. That’s why people are able to complain about rules. In more closed ecosystems, that new piece of software just can’t exist, so users are excluded from the feedback loop.

                                If you say “Google’s fault”

                                I think the comments and criticisms I’m making here apply to pretty much all of the tech majors and are comments on restrictions that exist now among multiple vendors which did not exist 15 years ago. I don’t mean to single any one of them out.

                2. 2

                  Both engines are Free Software. Both engines are Open Source. The FSF and the OSI both define their licensing criteria, and the GPL and ZLIB licenses both comply with the Four Freedoms and with the Open Source Definition.

                  You’re contrasting copyleft with permissive licensing, which is a totally different distinction.

                  1. 1

                    Thank you for pointing this out. I thought Stallman’s definition of free software required copyleft.

                    I stand behind my arguments for permissive licensing though.

                    1. 1
                      1. 2

                        Thank you for linking it. I’ve just read it. I still disagree with a lot of Stallman’s assertions.

                        1. 4

                          I’m not asking that you agree with him. I certainly don’t.

                          I just don’t want you to misrepresent him, or anyone else.

                          1. 1

                            Understandable. We could do with less misrepresentation these days.

                  2. 2

                    I don’t quite follow the argument you’re making, nor what distinction you’re drawing between “free software” and “open source”. It sounds like you’re saying that even though a piece of software like Quake III Arena is “free software” (that is, released under the GPL free software license), someone forking that software, writing a derivative work, and trying to sell it would be subject to legal action from Id Software for violating their Quake-related intellectual property rights - whereas some other piece of software Sauerbraten (which I’m not familiar with), released under a different-but-still-FSF-approved license, wouldn’t have this problem?

                    1. 1

                      @notriddle hit the nail on the head. I am talking about copyleft vs permissive licensing; the zlib license doesn’t preclude inclusion in proprietary software. The GPL does.

                      1. 2

                        I am talking about copyleft vs permissive licensing; the zlib license doesn’t preclude inclusion in proprietary software. The GPL does.

                        Interestingly, that makes GPL software less free in its own right. Copyleft people seem to disagree that this matters, but it’s the root of why some of us dislike it. Sometimes I just want to get my job done and don’t want to involve the legal team. It’s also why I don’t put anything I do up as GPL unless I have to. I want others to do the same.

                        GPL’s virality is both a pro and a con. I lean to it being more of a con in that it imposes a philosophy of world upon source code that I find too extreme. We can differ on this but axiomatically they are approaching free from different starting points.

                    2. 1

                      remember that free software has no restrictions on commercial use. so when you say “if he tries to sell this thing that he spent so long on, he could get a cease-and-desist,” you are either mistaken, or employing a rhetorical trick.

                      it would be more honest to say that bob can’t prevent people from reading and modifying the source code of his game. this may or may not make it more difficult to make money on, depending on the circumstances.

                      with a clear view of the situation, people can decide for themselves whether the freedom to violate other peoples’ freedom is a worthy criterion for what makes a license “free.”

                      1. 1

                        it would be more honest to say that bob can’t prevent people from reading and modifying the source code of his game. this may or may not make it more difficult to make money on, depending on the circumstances.

                        The reason I chose a game engine rather than a game, is because the product is the source code. Sure, there are a handful of image assets for the GUI but those can easily be replicated. Am I wrong in my understanding that you cannot sell a GPL program without providing the source for free? (or at least allowing the purchasers to distribute it for free?)

                        with a clear view of the situation, people can decide for themselves whether the freedom to violate other peoples’ freedom is a worthy criterion for what makes a license “free.”

                        My point is that GPL violates more freedoms than permissive licenses.

                        1. 4

                          Am I wrong in my understanding that you cannot sell a GPL program without providing the source for free? (or at least allowing the purchasers to distribute it for free?)

                          yes, the latter is correct.

                          My point is that GPL violates more freedoms than permissive licenses.

                          yes, it violates the freedom to violate other people’s freedoms.

                          1. 1

                            yes, it violates the freedom to violate other people’s freedoms.

                            What “other people’s freedoms” does a permissive license allow people to violate?

                            1. 2

                              the freedom to read/modify/share the code.

                              1. 1

                                Using a closed-source program that is based on open-source software is a choice. Don’t make it if you don’t want to. Vote with your money.

                                Here’s something I think we can all agree on: selling a program based on open-source software without putting any significant work in is immoral.

                                My additional point is that one can put enough effort into something that they earn the right to keep the source to themselves.

                                1. 1

                                  Using a closed-source program that is based on open-source software is a choice. Don’t make it if you don’t want to. Vote with your money.

                                  i don’t see your point. same goes for software that was proprietary to begin with. in each case the software violates freedoms. or does it not?

                                  1. 0

                                    Yeah, looking back I wasn’t really saying anything there.

                                    What I should’ve said is: I don’t believe that seeing how everything works and being able to pick it apart/audit it is an inalienable right. (This may have something to do with the fact that I’m a Catholic and I believe things that have no scientific explanation, and to criticize them would be heresy.)

                                    1. 2

                                      nor is it an inalienable right to keep proprietary control over one’s modifications to a code base.

                                      that’s why complaints that the GPL is “less free” come off as concern trolling. if you care about software freedom, you would at least acknowledge that the only freedom the GPL takes away is the freedom to take away other people’s freedom. preferring a license that allows modifications to be proprietary would suggest that you don’t actually care about software freedom, so complaining about the GPL being less free seems hollow.

                                      if you simply disagree with free software and would prefer to be able to keep control over a digital artifact with no reproduction cost, fine, but you aren’t arguing for freedom at that point.

                                      1. 0

                                        if you simply disagree with free software and would prefer to be able to keep control over a digital artifact with no reproduction cost, fine, but you aren’t arguing for freedom at that point.

                                        I think it depends on your definition of freedom. In a communist sense, the GPL is more free. If property rights factor in at all, then permissive licenses are still superior (even if you don’t think it’s more free).

                                        The only issue I have with the GPL is that people who legally obtain your source code can distribute it for free, which would destroy any business that I built off of it. As an anti-communist, I won’t participate in the spread of the GPL virus.

                                        I wish more licenses required that modified source be distributed, but only if they don’t allow users to distribute it further.

                                        1. 4

                                          Whether property rights should apply to intangibles like software is an open question.

                                          “Intellectual property” is actually an artificial monopoly enforced by the state.

                                          1. 1

                                            The only issue I have with the GPL is that people who legally obtain your source code can distribute it for free, which would destroy any business that I built off of it.

                                            So what’s your take on Red Hat? Their product is GPL’ed, and you can even argue that it benefits them, because anyone who chooses to also use and improve their software necessarily has to give back their contribution, so that Red Hat benefits from it again.

                                            1. 1

                                              I wish more licenses required that modified source be distributed, but only if they don’t allow users to distribute it further.

                                              what do you mean

                                              1. 1

                                                The GPL requires that modified source be available to users. That’s something that I wish caught on more. I just don’t like the part where the users can distribute the source themselves.

                                                1. 1

                                                  so who can modify the source? only someone with a specific license agreement with the company/person that wrote the code?

                                                  1. 1

                                                    The idea would be that anybody who obtains/buys the software can modify it, but they would need a specific license agreement to distribute/sell it.

                                                    The point would be to put such a clause on an open-source project so that if somebody uses it in a proprietary application, the users can at least modify that portion of the software.

                                                    1. 2

                                                      so your idea would be like the GPL, but instead of saying “any changes you distribute must be under this license,” it would say “any changes you distribute must include source code and must allow modification of the source code by the end-user.”

                                                      this might be possible under copyright law but i’m not sure.

                          2. 1

                            This point has been made many times, and it boils down to “localized” or “downstream” freedom. Do you give Alice the power to restrict/control their users? Alice could have extended the engine with a mechanism that requires her to be paid every month, or that (for whatever reason) only works on Intel CPUs. By not releasing the source, and allowing the software to be modified+shared, “Carol” is dependent on Alice, or is not allowed to port the engine to her Raspberry Pi. That’s certainly less freedom for her (setting aside that this is “just” a game engine we are discussing). And there are a lot more “Carol”s than there are “Alice”es.

                            I’m quite pro-copyleft, and I see it in the same terms (albeit less extreme) as we would dismiss anyone who claims that the fact he can’t own a slave limits his freedom. It’s the freedom to restrict others (“permissive”) vs the freedom from foreign control.

                            1. 2

                              You can also draw an analogy (I think direct but perhaps not quite) to negative vs positive rights. Permissive licenses grant negative rights to do whatever you want with the software, while copyleft grants positive rights to have access to free software.

                              I’m rather sad that all rhetoric about rights tends toward negative rights, even though that’s not what most people care about once a baseline of negative rights is established.

                          3. 1

                            and to prevent organizations and people with political views specific activist programmers find distasteful from being able to freely use useful software

                            what do you mean by this exactly?

                            is there any reason releasing code under the GPL would not satisfy the wants of these smaller companies?

                            1. 1

                              what do you mean by this exactly?

                              The people who promote licenses like this want to be able to write software under a license that is widely-accepted as open-source but that also bans their political enemies from using the software.

                              is there any reason releasing code under the GPL would not satisfy the wants of these smaller companies?

                              The GPL allows software licensed under it to be used for any purpose, and creating a SaaS product that competes with the SaaS product the core developers of the software use to fund themselves is “any purpose”.

                        2. 4

                          challenging capitalism is perfectly compatible with iterative improvements. you can make iterative steps to put more resources and power in the hands of working people, and less in the hands of corporations. the importance of free software comes when you see that proprietary software is one lever of power that corporations can use against working people.

                          1. 5

                            It’s a nice idea (Who doesn’t want to live in a world where everything is free? Oh wait. A lot of people :) but I’d rather focus on ideas that help us iteratively improve the current situation.

                            Capitalism != markets. If you’d like I’d be happy to answer questions, but this is my usual recommendation for friends who have been taught that all market systems are “capitalism”. https://m.youtube.com/watch?v=ysZC0JOYYWw

                          1. 1

                            I don’t like the native browser interface very much. For quick work I quite like Cantor, which has SageMath as a plugin. If you have a more complex project structure or need more graphics support (interactive 3D doesn’t work well in Cantor), CoCalc has a Docker image with good defaults, and that notebook interface is way more usable (as well as offering Jupyter, iPython, TeX and a few others natively).

                            1. 1

                              FWIW both SageMath and CoCalc are part of the Sage project. I’ve been using them in the past few weeks mostly because of the seamless collaboration. Haven’t heard of KDE Cantor though.

                            1. 27

                              It’s worth linking to A&A’s (a British ISP) response to this: https://www.aa.net.uk/etc/news/bgp-and-rpki/

                              1. 16

                                Our (Cloudflare’s) director of networking responded to that on Twitter: https://twitter.com/Jerome_UZ/status/1251511454403969026

                                there’s a lot of nonsense in this post. First, blocking our route statically to avoid receiving inquiries from customers is a terrible approach to the problem. Secondly, using the pandemic as an excuse to do nothing, when precisely the Internet needs to be more secure than ever. And finally, saying it’s too complicated when a much larger network than them like GTT is deploying RPKI on their customers sessions as we speak. I’m baffled.

                                (And a long heated debate followed that.)

                                A&A’s response on the one hand made sense - they might have fewer staff available - but on the other hand RPKI isn’t new and Cloudflare has been pushing carriers towards it for over a year, and route leaks still happen.

                                Personally as an A&A customer I was disappointed by their response, and even more so by their GM and the official Twitter account “liking” some very inflammatory remarks (“cloudflare are knobs” was one, I believe). Very unprofessional.

                                1. 15

                                  Hmm… I do appreciate the point that route signing means a court can order routes to be shut down, in a way that wouldn’t have been as easy to enforce without RPKI.

                                  I think it’s essentially true that this is CloudFlare pushing its own solution, which may not be the best. I admire the strategy of making a grassroots appeal, but I wonder how many people participating in it realize that it’s coming from a corporation which cannot be called a neutral party?

                                  I very much believe that some form of security enhancement to BGP is necessary, but I worry a lot about a trend I see towards the Internet becoming fragmented by country, and I’m not sure it’s in the best interests of humanity to build a technology that accelerates that trend. I would like to understand more about RPKI, what it implies for those concerns, and what alternatives might be possible. Something this important should be a matter of public debate; it shouldn’t just be decided by one company aggressively pushing its solution.

                                  1. 4

                                    This has been my problem with a few other instances of corporate messaging. Cloudflare and Google are giant players that control vast swathes of the internet, and they should be looked at with some suspicion when they pose as simply supporting consumers.

                                    1. 2

                                      Yes. That is correct, trust needs to be earned. During the years I worked on privacy at Google, I liked to remind my colleagues of this. It’s easy to forget it when you’re inside an organization like that, and surrounded by people who share not only your background knowledge but also your biases.

                                  2. 9

                                    While the timing might not have been the best, I would overall be on Cloudflare’s side on this. When would the right time to release this be? If Cloudflare had waited another 6-12 months, I would expect them to release a pretty much identical response then as well. And I seriously doubt that their actual actions and their associated risks would actually be different.

                                    And as ISPs keep showing over and over, statements like “we do plan to implement RPKI, with caution, but have no ETA yet” all too often mean that nothing will ever happen without efforts like what Cloudflare is doing here.


                                    Additionally,

                                    If we simply filtered invalid routes that we get from transit it is too late and the route is blocked. This is marginally better than routing to somewhere else (some attacker) but it still means a black hole in the Internet. So we need our transit providers sending only valid routes, and if they are doing that we suddenly need to do very little.

                                    Is some really suspicious reasoning to me. I would say that black hole routing the bogus networks is in every instance significantly rather than marginally better than just hoping that someone reports it to them so that they can then resolve it manually.

                                    Their transit providers should certainly be better at this, but that doesn’t remove any responsibility from the ISPs. Mistakes will always happen, which is why we need defense in depth.

                                    1. 6

                                      Their argument is a bit weak in my personal opinion. The reason in isolation makes sense: We want to uphold network reliability during a time when folks need internet access the most. I don’t think anyone can argue with that; we all want that!

                                      However they use it to excuse not doing anything, where they are actually in a situation where not implementing RPKI and implementing RPKI can both reduce network reliability.

                                      If you DO NOT implement RPKI, you allow route leaks to continue happening and reduce the reliability of other networks and maybe yours.

                                      If you DO implement RPKI, sure there is a risk that something goes wrong during the change/rollout of RPKI and network reliability suffers.

                                      So, with all things being equal, I would choose to implement RPKI, because at least with that option I would have greater control over whether or not the network will be reliable. Whereas in the situation of NOT implementing, you’re just subject to everyone else’s misconfigured routers.

                                      Disclosure: Current Cloudflare employee/engineer, but opinions are my own, not my employer’s; also not a network engineer, hopefully my comment does not have any glaring ignorance.

                                      1. 4

                                        Agreed. A&A does have a point regarding Cloudflare’s argumentum in terrorem, especially the name and shame “strategy” via their website as well as twitter. Personally, I think it is a dick move. This is the kind of stuff you get as a result:

                                        This website shows that @VodafoneUK are still using a very old routing method called Border Gateway Protocol (BGP). Possible many other ISP’s in the UK are doing the same.

                                        1. 1

                                          I’m sure the team would be happy to take feedback on better wording.

                                          The website is open sourced: https://github.com/cloudflare/isbgpsafeyet.com

                                          1. 1

                                            The website is open sourced: […]

                                            There’s no open source license in sight so no, it is not open sourced. You, like many other people, confuse and/or conflate anything being made available on GitHub as being open source. This is not the case - without an associated license (and please don’t use a viral one - we’ve got enough of that already!), the code posted there doesn’t automatically become public domain. As it stands, we can see the code, and that’s that!

                                            1. 7

                                              There’s no open source license in sight so no, it is not open sourced.

                                              This is probably a genuine mistake. We never make projects open until they’ve been vetted and appropriately licensed. I’ll raise that internally.

                                              You, like many other people confuse and/or conflate anything being made available on GitHub as being open source.

                                              You are aggressively assuming malice or stupidity. Please don’t do that. I am quite sure this is just a mistake; nevertheless, I will ask internally.

                                              1. 1

                                                There’s no open source license in sight so no, it is not open sourced.

                                                This is probably a genuine mistake. We never make projects open until they’ve been vetted and appropriately licensed.

                                                I don’t care either way - not everything has to be open source everywhere, i.e. a website. I was merely stating a fact - nothing else.

                                                You are aggressively […]

                                                Not sure why you would assume that.

                                                […] assuming malice or stupidity.

                                                Neither - ignorance at most. Again, this is purely a statement of a fact - no more, no less. Most people know very little about open source and/or nothing about licenses. Otherwise, GitHub would not have bothered creating https://choosealicense.com/ - which itself doesn’t help the situation much.

                                              2. 1

                                                It’s true that there’s no license so it’s not technically open-source. That being said I think @jamesog’s overall point is still valid: they do seem to be accepting pull requests, so they may well be happy to take feedback on the wording.

                                                Edit: actually, it looks like they list the license as MIT in their package.json. Although given that there’s also a CloudFlare copyright embedded in the index.html, I’m not quite sure what to make of it.

                                                1. -1

                                                  If part of your (dis)service is to publicly name and shame ISPs, then I very much doubt it.

                                        2. 2

                                          While I think that this is ultimately a shit response, I’d like to see a more well-wrought criticism about the centralized signing authority that they mentioned briefly in this article. I’m trying to find more, but I’m not entirely sure of the best places to look given my relative naïveté of BGP.

                                          1. 4

                                            So as a short recap, IANA is the top level organization that oversees the assignment of e.g. IP addresses. IANA then delegates large IP blocks to the five Regional Internet Registries, AFRINIC, APNIC, ARIN, LACNIC, and RIPE NCC. These RIRs then further assign IP blocks to LIRs, which in most cases are the “end users” of those IP blocks.

                                            Each of those RIRs maintains an RPKI root certificate. These root certificates are then used to issue certificates to LIRs that specify which IPs and ASNs that LIR is allowed to manage routes for. Those LIR certificates are then used to sign statements that specify which ASNs are allowed to announce routes for the IPs that the LIR manages.

                                            So their stated worry is then that the government in the country in which the RIR is based might order the RIR to revoke a LIR’s RPKI certificate.


                                            This might be a valid concern, but if it is actually plausible, wouldn’t that same government already be using the same strategy to get the RIR to just revoke the IP block assignment for the LIR, and then compel the relevant ISPs to black hole route it?

                                            And if anything this feels even more likely to happen, and be more legally viable, since it could target a specific IP assignment, whereas revoking the RPKI certificate would make the ROAs of all of the LIR’s IP blocks invalid.
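                                            Route Origin Validation as described in this comment, as an added example that is not part of the original thread: it takes a constructed set of ROAs (prefix, maxLength, ASN, plus a constructed label for the LIR certificate that signed each one), classifies BGP announcements as Valid, Invalid or NotFound per RFC 6811, and shows what revoking one LIR certificate does to the result. The prefixes, ASNs and certificate labels are assumptions (documentation ranges and private ASNs), not real assignments.

```python
"""Route Origin Validation (RFC 6811) over a constructed set of ROAs.

Added illustration for the thread above, not code from the commenters or
from any RIR or validator project. Prefixes, ASNs and the LIR certificate
labels are constructed sample data, not real assignments.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str       # IP block the LIR holds, e.g. "192.0.2.0/24"
    max_length: int   # longest more-specific prefix the ASN may originate
    asn: int          # ASN authorised to originate the prefix
    issuer: str       # constructed label for the LIR certificate that signed it


@dataclass(frozen=True)
class Announcement:
    prefix: str       # prefix carried in the BGP UPDATE
    origin_asn: int   # rightmost ASN in the AS_PATH


# Constructed ROA set: two LIR certificates issued under an RIR root.
SAMPLE_ROAS = (
    ROA("192.0.2.0/24", 24, 64496, "lir-cert-A"),
    ROA("2001:db8::/32", 48, 64496, "lir-cert-A"),
    ROA("203.0.113.0/24", 26, 64497, "lir-cert-B"),
)


def validated_roas(roas, revoked_issuers=frozenset()):
    """Keep only ROAs whose signing LIR certificate is still valid.
    Simplification: a real validator walks the chain from the RIR root;
    here an RIR revoking an LIR certificate just drops every ROA it signed."""
    return [r for r in roas if r.issuer not in revoked_issuers]


def origin_validation(ann, roas):
    """Return 'valid', 'invalid' or 'notfound' for one announcement (RFC 6811 s.2)."""
    net = ipaddress.ip_network(ann.prefix, strict=False)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        # A ROA covers the route when the announced prefix lies inside it.
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "notfound"          # no ROA says anything about this space
    for roa in covering:
        if roa.asn == ann.origin_asn and net.prefixlen <= roa.max_length:
            return "valid"         # authorised origin, within maxLength
    return "invalid"               # covered, but wrong origin or too specific


def route_action(state, drop_invalid=True):
    """The policy the thread argues over: drop Invalid routes (black hole the
    leak) or keep accepting them and wait for someone to report the problem."""
    if state == "invalid" and drop_invalid:
        return "drop"
    return "accept"


if __name__ == "__main__":
    cases = [
        Announcement("192.0.2.0/24", 64496),     # legitimate origin
        Announcement("192.0.2.0/25", 64496),     # too specific: exceeds maxLength
        Announcement("203.0.113.0/24", 64500),   # covered prefix, wrong origin
        Announcement("198.51.100.0/24", 64498),  # nothing signed for this block
    ]
    for ann in cases:
        st = origin_validation(ann, SAMPLE_ROAS)
        print(f"{ann.prefix} from AS{ann.origin_asn}: {st} -> {route_action(st)}")
    # Revoking lir-cert-A removes its ROAs: the legitimate route goes from
    # Valid to NotFound (still accepted), not to Invalid, so revocation alone
    # does not black hole the LIR; only remaining ROAs can make it Invalid.
    remaining = validated_roas(SAMPLE_ROAS, {"lir-cert-A"})
    print(origin_validation(Announcement("192.0.2.0/24", 64496), remaining))
```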

                                            1. 1

                                              Thanks for the explanation! That helps a ton to clear things up for me, and I see how it’s not so much a valid concern.

                                          2. 1

                                            I get a ‘success’ message using AAISP - did something change?

                                            1. 1

                                              They are explicitly dropping the Cloudflare route that is being checked.

                                          1. 2

                                            “Use Signal.”

                                            I have met more than one woman who wasn’t a fan of this advice.

                                            “The GnuPG community, which mishandled the Efail disclosure”

                                            That’s a funny way of spelling “The EFF”.

                                            1. 1

                                              Why women specifically?

                                            1. 3

                                              7-bit bytes for the win.

                                              1. 2

                                                Last year’s DEFCON CTF used an architecture with 9-bit bytes.

                                              1. 6

                                                Also worth mentioning are his updated paper, where he goes over a much more complex proof in this style, and the LaTeX style source for structuring proofs this way. It’s pretty well internally documented.

                                                1. 1

                                                  That was a great paper, too. I appreciate it.

                                                1. 5

                                                  This is not a great way to analyze cryptographic algorithms. The grains of sand are a good analogy to use for brute force search, but cryptographic attacks are rarely equivalent to pure brute force search on the key space. There is more analysis that has to be done to find the effective key space you would have to search over to have an equivalent level of difficulty.

                                                  You don’t need to be a math expert to know this; all the analysis has been done. According to NIST (the relevant paper is here), a 2048-bit RSA key is equivalent to a 112-bit search space, and according to ANSSI it’s equivalent to 100 bits.

                                                  1. 1

                                                    Thanks for the feedback, it’s my first post on the subject. But yes, I understand your point that it’s not the best way to explain it because of algorithms with sub-exponential running time for factoring integers and so on. But I’ve yet to be more familiarised with the details in it, and just wanted to try to explain, for myself and whoever wanted to read it, how big the numbers we’re talking about are.

                                                    1. 2

                                                      Well to be fair, this isn’t overturning any physics, but rather an attempt at proving something we already believe is true (at least in practice; all our cryptography depends on it).

                                                      1. 3

                                                        There’s always Merkle puzzles!