1. 10

    This change avoids user confusion and leaking information to other users of the computer. It doesn’t leak information. It’s probably a good change:

    • Logging out of Google -> Logging out of Chrome

    This change is probably as likely to avoid user confusion as cause it. However it avoids leaking information to other users of the computer and doesn’t leak information to google. It’s probably a good change.

    • Logging out of Chrome -> Logging out of Google

    This change is probably mildly convenient for users, and probably avoids confusion. It doesn’t leak information, but it will cause some unsophisticated users to unknowingly overshare information with google. I’m basically ok with it.

    • Logging into Chrome -> Logging into Google

    This change leaks information to Google, is surprising behavior, and avoids no confusion. This is why I will not use Chrome to interact with Google services.

    • Logging into Google -> Logging into Chrome.

    The reasons cited in the article unsurprisingly only support changes 1 and 2.

    1. 4

      I have first hand watched this confusion among my less-technical family. The “logged into Chrome” versus “logged into Gmail” issue. I think for the very non-technical, those two things aren’t as obviously different to them as it might be to someone who has a better idea of the boundaries between things.

      I suspect for most users, this will be their computers just “doing what they want”.

    1. 3

      After reading that, I wonder why no one started a fork yet. Perhaps if someone does, people will quickly join.

      1. 8

        Most people who could & would implement a fork, use PureScript instead.

        1. 2

          Because it is very hard and takes a lot of time I’d wager. Few have the time, money or drive to do such a thing.

          1. 1

            There’s not a substantial amount of money in maintaining a language like this, so it would pretty much have to be a labour of love.

            Under those circumstances how many people would choose to fork an existing language and maintain it rather than create their own?

            1. 1

              Because the whole reason people use something like this is that they don’t want to develop and maintain it themselves.

            1. 6

              In Canada most home routers (well, from bell at least, which is one of two dominant ISPs) come with a long randomly generated wifi password stamped on them.

              Specifically 8 characters long. And for no apparent reason it is limited to hex ([0-9A-F]{8}). Creating about 4 billion passwords. It takes about a day on my gtx970m to try every single one against a captured handshake.

              The default ESSIDs (wifi network names) are of the form BELL###. So there are a thousand extremely common ESSIDs. Apparently WPA only salts the password with the ESSID before hashing it and publicly broadcasting it as part of the handshake. In a few years of computation time on a decent laptop (so far less if I rented some modern gpus from google…) I could make rainbow tables for every one of those IDs that included every possible default password.

              On the bright side it looks like this new method extracts a hash that includes the mac addresses acting as a unique salt, so at least the rainbow table method will still require capturing a handshake.

              1. 2

                Oh, ours from vodafone NZ are 16 chars 0-9a-zA-Z

                1. 1

                  I never had this realization. Now my head has exploded.

                  What tool do you use to try these combinations? And is it heavily parallelized? To me 4 billion should not take a whole day…

                  1. 1

                    I experimented with pyrit (24h runtime, builds some form of rainbow table, wrote a short program to pipe it all the passwords) and hashcat (20h runtime, no support for rainbow tables, supports generating the password combinations by itself via command line flags). They are both heavily parallelized, 100% utilization of my GPU.

                    My GPU is a relatively old GPU in a laptop with shitty cooling, which may contribute to the runtime.

                    Running on a CPU it said it would take the better part of a month.

                    1. 1

                      Interesting. While waiting for a reply, I thought to myself: I wonder how much it would cost to run it on Google Compute with the best hardware. Could be worth it to those who want wifi for a week or longer without paying anything. Spooky.

                  2. 1

                    In Luxembourg every (Fritz)box comes with a password written only on the notice (not on the box itself) that is 20 (5*4chars) in hexa. It’s a pain to type at first, but well, it seems like a good one.

                  1. 2

                    Something I’ve been wondering about (and this is probably the wrong forum to ask about) is whether or not doing this would result in employees or executives having issues if they go to Europe?

                    1. 0

                      What do you mean?

                      I’m doing GDPR consulting at the moment.

                      1. 1

                        I think the question is something along the lines of “could a company be prosecuted for violations of the GDPR if its employees visit or work in Europe”.

                        I assume the answer is “no”, as long as they’re not actually doing business in Europe. (Which would be the primary reason to have employees there, but with the increased prevalence of remote work, it’s not necessarily the case.)

                        1. 2

                          I am fairly certain you could even go to EU and work in an office on data for non-EU customers and still not be subject to GDPR. As long as you are not dealing with any EU entities, your physical location should not matter.

                          1. 1

                            “It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.”

                            https://www.eugdpr.org/gdpr-faqs.html

                            So if you are working in the EU, your company would probably need to comply with GDPR, as they likely have personal information on you in their systems. I guess it comes down to how lawyers would interpret “residence”. Enforceable? Idk.

                        2. 1

                          Suppose I work for a company in Canada and that company flagrantly violates the GDPR. I later leave the company and move to Europe.

                          Is it possible for Europe to come after me personally, instead of (or as well as) the company?

                          What if I’m the CTO? CEO? Owner? Just an employee but directly responsible for the GDPR violations?

                          What if I don’t leave the company and just go to Europe on a vacation?

                          1. 4

                            Is it possible for Europe to come after me personally, instead of (or as well as) the company?

                            This is the entire point of the legal fiction of a “corporate person”. If a corporation is doing bad things, you go after the corporation. It’s very rare that anyone within the company directly is charged with a crime unless they’re knowingly and intentionally violating something. GDPR is fairly lenient with remediation and other things.

                            What if I don’t leave the company and just go to Europe on a vacation?

                            They’d more or less have to issue a warrant for you, and you would know.

                            1. 2

                              Maybe if it were egregious enough.

                              The US has been known to go after employees of money launderers and copyright violators in other companies, so it’s not without an international precedent, but I’d need more information to give better advice.

                        1. 3

                          I’m disappointed that companies who own significant copyright in Linux (like RedHat or Intel) and industry groups like the BSA don’t go after intellectual property thieves like Tesla. There are plenty of non-Linux choices if companies don’t want to comply with the GPL’s license terms. Other car companies seem to be happy with VxWorks and similar.

                          What’s the point of asking China to comply with American IP if the US won’t even police its own companies?

                          1. 10

                            I’m pretty unsurprised that a company like Intel or Red Hat wouldn’t sue. Lawsuits are expensive, and it’s not clear a GPL suit would produce any significant damages (can they show they’ve been damaged in any material way?), just injunctive relief to release the source code to users. So it’d be a pure community-oriented gesture, probably a net loss in monetary terms. And could end up a bigger loss, because with the modern IP regime as de-facto a kind of armed standoff where everyone accumulates defensive portfolios, suing someone is basically firing a first shot that invites them to dig through their own IP to see if they have anything they can countersue you over. So you only do that if you feel you can gain something significant.

                            SFC is in a pretty different position, as a nonprofit explicitly dedicated to free software. So these kinds of lawsuits advance their mission, and since they aren’t a tech company themselves, there’s not much you can counter-sue them over. Seems like a better fit for GPL enforcement really.

                            1. 8

                              a GPL suit would produce any significant damages (can they show they’ve been damaged in any material way?

                              This is generally why the FSF’s original purpose in enforcing the GPL was always to ensure that the code got published, not to try to shakedown anyone for money. rms told Eben in the beginning, make sure you make compliance the ultimate goal, not monetary damages. The FSF and the Conservancy both follow these principles. Other copyleft holders might not.

                              1. 3

                                Intel owned VxWorks until very recently. Tesla’s copyright violations competed directly with their business.

                                1. 2

                                  I’m not a lawyer but the GPL includes the term (emphasis added)

                                  1. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.

                                  Even if monetary damages are not available (not sure if they are), it should be possible to get injunctive relief revoking the right to use the software at all. Not just injunctive relief requiring them to release the source.

                                  1. 3

                                    This is from GPLv2.

                                    GPLv3 is a bit more lenient:

                                    However, if you cease all violation of this License, then your license from a particular copyright holder is reinstated (a) provisionally, unless and until the copyright holder explicitly and finally terminates your license, and (b) permanently, if the copyright holder fails to notify you of the violation by some reasonable means prior to 60 days after the cessation.

                                    Moreover, your license from a particular copyright holder is reinstated permanently if the copyright holder notifies you of the violation by some reasonable means, this is the first time you have received notice of violation of this License (for any work) from that copyright holder, and you cure the violation prior to 30 days after your receipt of the notice.

                                    Now, I think people should move to GPLv3 if they want this termination clause.

                                    And in any case, 5 years are completely unrespectful of the various developers that contributed to Tesla through their contribution to the free software they adopted.

                                    To that end, we ask that everyone join us and our coalition in extending Tesla’s time to reach full GPL compliance for Linux and BusyBox, not just for the 30 days provided by following GPLv3’s termination provisions, but for at least another six months.

                                    As a developer, this sounds a lot like changing the license text for the benefit of big corporates without contributors agreement.

                                    When I read this kind of news I feel betrayed by FSF.
                                    I seriously wonder if we need a more serious strong copyleft.

                                    1. 2

                                      It is not without contributor agreement. Any contributor who does not agree is free to engage in their own compliance or enforcement activity. Conservancy can only take action on behalf of contributors who have explicitly asked them to.

                                      The biggest problem is that most contributors do not participate in compliance or enforcement activities at all.

                                      1. 1

                                        Conservancy can only take action on behalf of contributors who have explicitly asked them to.

                                        Trust me, it’s not that simple.

                                        The biggest problem is that most contributors do not participate in compliance or enforcement activities at all.

                                        Maybe contributors already agreed to contribute under the license terms and just want it to be enforced as is?

                                        I’m sincerely puzzled by Software Freedom Conservancy.

                                        Philosophically I like this gentle touch, I’d like to believe that companies will be inspired by their work.

                                        But in practice, to my untrained eye, they weaken the GPL. Because, the message to companies is that Conservancy is afraid to test the GPL in court to defend the developers’ will expressed in the license. As if it was not that safe.

                                        I’m not a lawyer, but as a developer, this scares me a bit.

                                        1. 3

                                          If contributors want their license enforced they have to do something about that. No one can legally enforce it for them (unless they enter an explicit agreement). There is no magical enforcement body, only us.

                                          Conservancy’s particular strategy wouldn’t be the only one in use if anyone else did enforcement work ;)

                                          1. 1

                                            You are right. :-)

                                2. 2

                                  They’re asking China to comply with the kind of American IP that makes high margins, not the FOSS. They’re doing it since American companies are paying politicians to act in the companies’ interests, too.

                                1. 1

                                  In total there are 387 users online :: 42 Registered, 0 Hidden and 345 Guest
                                  Most users ever online was 23 on Thu Mar 21, 2002 10:18 am

                                  1. 7

                                    I opted to use nightly to help make Firefox a more stable product for people less willing to put up with crashes, and to help test certain new technologies (stylo originally, recently webrender). I did not install it with the understanding that Mozilla would feel free to share my browsing habits with a third party.

                                    It’s unfortunate that there is not a reasonable way to help test firefox that respects your rights, but I suppose I understand why they want some channel to test things like this. Either way, I’ve now uninstalled nightly and will stick to the stable version.

                                    1. 4

                                      Disable Shield Studies in the Preference Menu. Then you can test Firefox and not have Firefox share your browsing data with which an explicit agreement exists to not log your browsing data for anything beyond debugging purposes and 24h maximum which is used to develop DoH which massively increases user privacy.

                                      1. 2

                                        It’s not just this study I want to avoid. It’s any similar behavior in the future, which I may or may not hear about like I did this time. As the original post points out, there doesn’t seem to be any policy in place guaranteeing that this sort of behavior will be limited to shield studies. The attitudes displayed in the bug for this study seem to be along the lines of “if it’s not forbidden this level of invasion of privacy is fine”, so I don’t see why I would trust that setting to prevent a similar thing from happening except not as a “study”. Moreover there is an open issue about that checkbox getting reenabled, which inspires little confidence.

                                        As for your attempt at minimizing the data shared, you’re right, it could be worse, but this is already far too much. Mozilla has no right to trust a third party like this on my behalf. Even if they did that agreement simply does not exist in the form you want it to for the simple reason that cloudflare is a US company. They do not have the power to enter into such an agreement since by law they can be required to provide that data to the US government (which, to me, is a foreign government).

                                        And to be perfectly frank, I wouldn’t even mind opting into this study, I already use a US dns provider. But the lack of trustworthiness and respect displayed towards nightly users means I will not be one.

                                        1. 3

                                          Again, you can opt out. The bug you mentioned is an open issue as you noted, if you’d like to see it fixed, you can submit reports or code to help out.

                                          Mozilla is not a closed organization, almost everything happens in public.

                                          The study hasn’t even started yet, so I’m not sure why people are freaking out unless Mozilla will actually implement this as opt out (the mailing list seems to indicate otherwise)

                                          1. 2

                                            I can opt out this time because I heard about it in advance. There is no guarantee I will hear about it in advance next time, so next time I may not be able to. Mozilla in doing this (even in seriously considering this) has clearly indicated that they do not respect the rights of nightly users.

                                            As I read it the mailing list has everyone approving the opt out version, so I don’t think the mailing list indicates otherwise. Specifically of the 6 people who were asked to approve it, 5 already have. From context I think the last one is a lawyer checking if it’s legal? When the limit of whether or not you’re violating privacy too much is “is this literally illegal” you don’t impress me.

                                            The fact that it’s a bug doesn’t terribly matter, it means that there isn’t even an effective way to opt out of the studies. The only proper response upon discovering that bug was halting all shield studies until they found the cause, fixed it, and alerted everyone who might have had the button automatically rechecked about it (which in practice may mean every nightly user). I’d care more about if Mozilla hadn’t already lost my trust in regards to nightly in general, and if it provided some form of meaningful consent (which it doesn’t, since it could easily have remained checked simply by me not hearing about it or realizing what it meant).

                                            1. 2

                                              The opt out is not per study, you can opt out of any shield studies. And as others have noted, Nightly is not for production. It is playground for Mozilla where they test exactly these kinds of features.

                                              If you run Beta software, be prepared that it does things you wouldn’t expect.

                                              I’m still fairly convinced people are simply overreacting over simple A/B tests to improve privacy of Firefox proper.

                                              1. 2

                                                The opt out is not per study, but it is per feature. I see no reason to believe that the only way Mozilla will do things like this is through shield studies when none of their policies indicate that this is the case. It is also not clearly communicated what the opt out is for - assuming it has the same text above it as in firefox stable (I have uninstalled nightly already and didn’t check first) it says immediately above it that “We always ask permission before receiving personal information”, which is plainly not the case here.

                                                I expected nightly to be buggy, to crash sometimes, and maybe to not work at all once in awhile. That was about the case (surprisingly unbuggy without enabling things like webrednder.enabled.all actually). I did not expect nightly to intentionally violate my privacy.

                                                As I said at the start, maybe I just misunderstood what nightly is for, either way I’m not going to continue using it.

                                                1. 2

                                                  Mozilla explicitly notes in their privacy page that Nightly will have different privacy characteristics than the normal distribution, so no it’s not simply “the same text”.

                                                  If you value privacy you should not be using a pre-beta release of a software meant for (A/B) testing latest features.

                                    1. 1

                                      Since Cloudflare serves an inordinate amount of Internet traffic, I’m not sure this changes much.

                                      1. 1

                                        If I understood correctly, this sends all hostnames to Cloudflare, not just those served by Cloudflare. I think it is a significant change.

                                        1. 3

                                          Not many DoH servers out there. Somebody has to host them.

                                          1. 1

                                            It seems like it should be possible to find a DNS provider that already exists to host them, and then only test on users who already use that DNS provider.

                                            1. 6

                                              Let me amend what I said: There are no DoH servers out there except for the one Mozilla set up. DoH isn’t even a standard yet. It’s a draft proposal to the IETF.

                                              1. 2

                                                Google has a DoH server, not sure how compliant with the draft though.

                                                Meanwhile Yandex has a DNSCrypt server (and client in their browser).

                                                1. 1

                                                  That doesn’t change what I said. Instead of partnering with cloudflare to have them implement this/run servers providing it, partner with someone who already provides DNS to a substantial number of users. Either way you are requiring someone to implement new technology, this is just changing who that someone is.

                                            2. 1

                                              It’s a change, but it would only matter if you trust Cloudflare to see a significant fraction of your traffic, but are not ok with them seeing all your DNS queries. I can’t fathom how that makes sense.

                                          1. 2

                                            I use both Sublime Text and Visual Studio Code, but I often noticed VSCode having some decent input lag (at least when using the Vim Mode), where Sublime, once it is started, rarely does to the same extent.

                                            That being said, there are a lot of things that VSCode does that can be quite useful, and somehow, it manages to have a terminal that is less laggy than ConEmu.

                                            1. 1

                                              VSCode’s vim emulation is really laggy.

                                              I was playing with throttling my CPU to 400MHz to see how slow certain things were, an unexpected consequence was it took substantial time (felt like about half a second, but I didn’t measure) for a keystroke in vscode to actually register. Turning off the vim extension fixed this entirely.

                                              1. 2

                                                So, minor update on this: I don’t think it’s just the Vim Emulation that’s laggy. I suspect there are other extensions that are similarly laggy (I didn’t test to figure out which ones, because I have other things to do at the moment). I actually switched from VS Code back to Sublime Text for Angular/Typescript development due to just getting fed up with the general lack of responsiveness I was getting. Given that Sublime Text has autocomplete for TypeScript, I’m not losing a great deal.

                                                1. 1

                                                  That’s a shame. I like having my Vim keys. Maybe I’ll have to look into other Vim for VS extensions

                                              1. 5

                                                Another case of using “the null garbage collector” is (was?) the dmd compiler for D.

                                                1. 4

                                                  That’s also worth bookmarking as a great illustration of why programmers should instrument and profile code instead of guessing what optimizations should work. The author, who is a very experienced programmer, was getting the intuitive choices wrong. Switching to instrumenting the code showed exactly where the problems were. That let the author make better choices for optimization that actually worked.

                                                1. 6

                                                  As a (primarily) C programmer who has been eyeing Rust from a distance with some interest, the author makes a number of compelling points – but from what I’ve read elsewhere…

                                                  No integer overflow

                                                  Enough said.

                                                  No, very much not enough said – if this is an issue you care about, this is a gross oversimplification. Such a description might be accurate for a language with automatic bignum-promotion, where integer overflow can be really said to (within the bounds of memory) actually not happen – Python, say. But the situation in Rust, while yes, probably preferable to the one in C in most ways, isn’t that simple.

                                                  1. 2

                                                    Yeah, it wasn’t obvious to me why that was ”enough said.” I use (unsigned) overflow on purpose quite a lot in audio programming.

                                                    I think it’s nice how Swift made overflow trap, using regular arithmetic operators, but added versions prefixed with & to opt-out, e.g. &+.

                                                    1. 4

                                                      In case you didn’t check the article 1amzave linked:

                                                      Rust has .wrapping_<op> methods for 2’s complement arithmetic (and a few other variants, saturating, checked - which gives a handleable error on overflow, overflowing - which wraps and tells you if it wrapped), as well as a Wrapping<T> type that makes the normal operators wrapping.

                                                      It doesn’t have a fancy &+ syntax though, which is probably a good thing IMO given how rarely wrapping arithmetic is used in general.

                                                      1. 1

                                                        Yes, I didn’t know about those before coming here for the comments!

                                                        &+ is not really special syntax in Swift though, since it allows user-defined operators, for better or worse.

                                                    2. 2

                                                      Rust panics on overflow by default, but provides functions that explicitly allow integer overflow wrapping, as well as functions for checked arithmetic and saturating arithmetic:

                                                      https://doc.rust-lang.org/std/primitive.u32.html

                                                      This seems like the best of all approaches to me.

                                                      1. 4

                                                        Rust panics on overflow by default

                                                        But not in release mode. (This has bitten me, painfully!) Worth being vigilant while coding in case your code might run into edge cases in production it doesn’t in test.

                                                        1. 1

                                                          Thanks for pointing that out! I somehow missed that important detail. I’ll have to keep that in mind!
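
The overflow behaviour discussed in the comments above, as an added example that is not part of any commenter's post: a size calculation that silently wraps under release-mode semantics, next to the `checked_*`, `saturating_*`, `overflowing_*` and `Wrapping<T>` forms the thread names. The record-buffer scenario, `HEADER`, and all function names are hypothetical, and the oversized count is a constructed input.

```rust
use std::num::Wrapping;

// Constructed scenario: size in bytes of a buffer holding `count` records of
// `elem_size` bytes each, plus a fixed header. All names are hypothetical.
const HEADER: u32 = 16;

/// What plain `count * elem_size + HEADER` evaluates to when overflow checks
/// are off (the default for `cargo build --release`): a silent wrap.
/// wrapping_* is used so the result is identical in every build profile.
fn size_wrapping(count: u32, elem_size: u32) -> u32 {
    count.wrapping_mul(elem_size).wrapping_add(HEADER)
}

/// checked_*: overflow becomes `None`, which the caller must handle.
/// This is the form to use for sizes derived from untrusted length fields.
fn size_checked(count: u32, elem_size: u32) -> Option<u32> {
    count.checked_mul(elem_size)?.checked_add(HEADER)
}

/// saturating_*: the result clamps at u32::MAX instead of wrapping.
fn size_saturating(count: u32, elem_size: u32) -> u32 {
    count.saturating_mul(elem_size).saturating_add(HEADER)
}

/// overflowing_*: returns the wrapped value together with a flag that says
/// whether any step wrapped.
fn size_overflowing(count: u32, elem_size: u32) -> (u32, bool) {
    let (product, mul_wrapped) = count.overflowing_mul(elem_size);
    let (total, add_wrapped) = product.overflowing_add(HEADER);
    (total, mul_wrapped || add_wrapped)
}

/// Intentional wrap-around: a 32-bit phase accumulator of the kind used in
/// audio oscillators. `Wrapping<T>` makes the ordinary operators wrap, so
/// this never panics in debug builds either.
fn advance_phase(start: u32, step: u32, ticks: u32) -> u32 {
    let mut phase = Wrapping(start);
    for _ in 0..ticks {
        phase += Wrapping(step);
    }
    phase.0
}

fn main() {
    // Constructed oversized count: 0x1000_0001 * 16 does not fit in a u32.
    let (count, elem_size) = (0x1000_0001u32, 16u32);

    println!("wrapping:    {}", size_wrapping(count, elem_size));
    println!("checked:     {:?}", size_checked(count, elem_size));
    println!("saturating:  {}", size_saturating(count, elem_size));
    println!("overflowing: {:?}", size_overflowing(count, elem_size));
    println!("phase after 5 quarter-turns: {:#x}",
             advance_phase(0, 0x4000_0000, 5));
}
```

The wrapped result is a small, plausible-looking size for a huge record count, which is why the release-mode difference matters for length arithmetic; setting `overflow-checks = true` under `[profile.release]` in `Cargo.toml` keeps the panic in release builds.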

                                                    1. 2

                                                      Anyone have a copy?

                                                      1. 2

                                                        Just google “iboot github” and find a not-yet-dmcad link. Currently https://github.com/emrakul2002/iboot works.

                                                        1. 1

                                                          Apparently the original upload has been taken down, but there are more copies that can be easily searched at the same site. I would assume that a lot of people have copies by now…

                                                        1. 2

                                                          I use cryfs for this, it’s a transparent fuse filesystem that maps one folder with plaintext (don’t store this in dropbox) into another folder with a bunch of cyphertext blocks (store this in dropbox).

                                                          Doesn’t (yet) work on windows, not sure about mobile, but it’s pretty painless.

                                                          1. 1

                                                            Although I’d prefer having everything encrypted client-side, this would break all the Dropbox functionality on my phone – hence I went with something in between. Thanks for sharing your interesting setup!

                                                            1. 0

                                                              That looks incredibly painful. There’s no way it works on anything but a Linux desktop.

                                                              1. 3

                                                                Should work on mac too… but I live my life on linux desktops so that’s good enough for me.

                                                                Keep in mind that the alternative we are comparing to is “manually click a bunch of buttons to encrypt a PDF for anything you want to keep secure”.

                                                            1. 4

                                                              I thought Moxie’s response on HN (technically responding to the wired article, but I don’t think he would say anything substantially different about the blog post) was really good. The conclusion of which is

                                                              To me, this article reads as a better example of the problems with the security industry and the way security research is done today, because I think the lesson to anyone watching is clear: don’t build security into your products, because that makes you a target for researchers, even if you make the right decisions, and regardless of whether their research is practically important or not. It’s much more effective to be Telegram: just leave cryptography out of everything, except for your marketing.

                                                              1. 2

                                                                Nonsense. If you build an end-to-end encrypted thing you inherently call the server your adversary. Hence, don’t handle key management in the server.

                                                                1. 1

                                                                  I think this accurately highlights a real problem with how security and privacy are talked about in popular culture and even in many technical outlets: they are seen as something you either have or don’t. In reality, of course, all technology has to balance security with other concerns, such as usability, cost of building and maintaining the product, technical feasibility, etc. There is no such thing as completely secure software, only software which is secure enough for a certain purpose. Signal says that their service is designed to combat passive surveillance, and I think you could make a case that what this article is describing is more of an active/targeted attack. Which, of course, is not an argument against plugging the hole in Signal’s model if possible.

                                                                  Signal has done a pretty good job of maximizing security while providing a nice user interface. It is probably worth pointing out that it is still a better option than many of the alternatives in articles like this one.

                                                                1. 4

                                                                  I’m not sure I follow what you’re talking about–the only way to see a user score is to click through to their profile or look on the users page.

                                                                  Do you mean something else?

                                                                  1. 2

                                                                    Your own score is in the top right beside your username.

                                                                    1. 5

                                                                      Indeed. I would have no problem if it were removed from there. Who really needs that feature?

                                                                      1. 3

                                                                        It could have motivational value for someone. On my end, I mostly just try to help people with stuff they might not know about. I avoid most topics and comment styles that get popularity votes. That means my score is a significant indicator of impact. A large number in the first year meant high impact. Or that I spent way too much time on these sites versus other activities that could be more beneficial. We’ll just pretend that option isn’t a factor for now. :)

                                                                        So, that’s at least what I thought as I observed it over time. However, anyone contributing a lot probably doesn’t need to see the score on front page, though, since we’re the type of people to do that anyway. If we’re curious, it’s always in profile a few clicks away. Conclusion: it doesn’t need to be visible even for those of us that use it to assess impact over time. Plus, anyone consistently doing stuff here others appreciate will usually get individual comments or private messages saying so. Eventually.

                                                                        1. 2

                                                                          Need? No. But I sometimes use it to estimate the response to one of my comments in “the waiting period”. I think it’s usually a distraction though :-)

                                                                    1. 5

                                                                      Why does every headline mention “MINIX based” now? MINIX is not what’s bad about it >_<

                                                                      1. 4

                                                                        On the other hand if “Minix” becomes synonymous with “that spyware OS” in public perception maybe it will get Tanenbaum to realize the whole “BSD licensing offers the users maximum freedom” schtick is hilariously backwards.

                                                                        1. 4

                                                                          Tanenbaum’s statement about the news MINIX was being used continued to support the BSD license. He only wished that Intel had told him, cause it would have been cool to know.

                                                                          1. 0

                                                                            He also said “this bit of news reaffirms my view that the Berkeley license provides the maximum amount of freedom to potential users” which is just utterly delusional.

                                                                            1. 12

                                                                              Intel is the user. Intel got maximum freedom. I don’t see what is ambiguous about that.

                                                                              Unless, are you recursively applying a broader concept of freedom to all users potentially affected by consequences of the license choice? Because that’s an entirely separate matter altogether. And highly subjective.

                                                                              1. 7

                                                                                It seems to me that I am the user of my CPU and all the software on it, Intel is just the manufacturer. At least legally, morally, and in terms of how GP used the term. Unfortunately there may be an argument that Intel is a user in reality.

                                                                                1. 5

                                                                                  You’re a user of your CPU as a complete product, not of MINIX. Intel is the user of MINIX, they are the ones the license applies to. Legally speaking, that much is completely unambiguous.

                                                                                  1. 3

                                                                                    Intel is the distributor of Minix, they require a license to create copies and distribute it because that’s how copyright works.

                                                                                    I do not need a license for my use of Minix because my use does not create a copy or otherwise implicate copyright law. That does not mean I am not the user, legally or otherwise. Just as I am the user of a book when I read it, but I do not require a license to do so.

                                                                                    1. 4

                                                                                      Precisely, Intel is the user of the license. That was the intended meaning of user in Tanenbaum’s letter.

                                                                                    2. 1

                                                                                      Hmmm. Just like I may be a user of a Dell Machine with Windows on it? But in that case, the license applies to me.

                                                                                      MINIX’s license applies equally to source and binary forms, so the “user” is actually quite questionable. Technically, it seems that the license is passed on to me, the user of the CPU, since the copyright notice and such must be distributed along with a binary distribution…

                                                                                      So, I guess I could legally redistribute my changes to the binary blob that Intel puts on the CPU, too, no? Of course, provided my changes are also released under a BSD license. (Difficulty of this aside)

                                                                                      Disclaimer: IANAL.

                                                                                      1. 4

                                                                                        Hmmm. Just like I may be a user of a Dell Machine with Windows on it? But in that case, the license applies to me.

                                                                                        Totally different. Intel is licensing MINIX as a component. Dell is an authorized reseller of Windows, i.e. they are authorized to sell you a Windows license along with their product. While they probably license Windows for their employees, they don’t license Windows as a part of the product. Their terms of resale allow them to modify the original distribution, to include drivers and so on. Also crapware, apparently.

                                                                                        MINIX’s license applies equally to source and binary forms, so the “user” is actually quite questionable.

                                                                                        No, it isn’t. The user of the license is the distributor. The license notice must be attached. That’s all.

                                                                                        Technically, it seems that the license is passed on to me, the user of the CPU, since the copyright notice and such must be distributed along with a binary distribution…

                                                                                        A notice of license use does not constitute a license grant. That is, if I buy a software library A and include it in my product, that does not transitively grant a license for A to all of my users. That would be absurd.

                                                                                        So, I guess I could legally redistribute my changes to the binary blob that Intel puts on the CPU, too, no? Of course, provided my changes are also released under a BSD license.

                                                                                        BSD does not require you release derivatives under a BSD license, only that you attach the original license in the documentation or other materials provided with your derivation. And you could only redistribute changes if Intel’s license for their blob permits redistribution.

                                                                                2. 3

                                                                                  He also said “this bit of news reaffirms my view that the Berkeley license provides the maximum amount of freedom to potential users” which is just utterly delusional.

                                                                                  How is it delusional exactly? Seems to be correct, the freedom for intel to use it in the way they see fit is preserved.

                                                                                  1. 2

                                                                                    BSD is about developer freedom whereas GPL is about end user freedom. For Tanenbaum to claim otherwise is bizarre. He should be arguing for the license he chose on its merits.

                                                                                    1. 5

                                                                                      What are you talking about? He said BSD provides maximum freedom to potential users. And the next sentence makes it extremely clear he is referring to developers like Intel, not end users.

                                                                                      So as far as I’m aware Tanenbaum never made any such claim. He certainly didn’t in his open letter to Intel.

                                                                                3. 1

                                                                                  Intel is the user here, and Intel indeed got maximum freedom. I see nothing wrong with that.

                                                                                  What kind of license would you suggest?

                                                                                  GPL/copyleft? Wouldn’t do anything, Intel would just reluctantly post an uninteresting dump of MINIX source with the tiny modifications they made to make it fit in a small device.

                                                                                  “Don’t use this for evil” licenses? They’re just broken. Incompatible with any existing FOSS licenses. No one will use your code.

                                                                                  1. 12

                                                                                    GPL/copyleft? Wouldn’t do anything

                                                                                    The whole point of the tivoization clauses of the GPLv3 is to make it illegal to prevent the end user from modifying this kind of thing and allowing them to remove user-hostile behavior.

                                                                                  2. 1

                                                                                    BSD forbids the use of the original name without author’s permission, so the license is fine. But no license is going to protect you from FUD and journalist misinterpretation.