Is Linux not free software itself? I thought proprietary stuff was added downstream.
Am I getting something wrong?
The Linux-libre Wikipedia entry sums it up pretty well:
“According to the Free Software Foundation Latin America, Linux-libre is a modified version of the Linux kernel that contains no binary blobs, obfuscated code, or code released under proprietary licenses.[7] In the Linux kernel, they are mostly used for proprietary firmware images. While generally redistributable, binary blobs do not give the user the freedom to audit, modify, or, consequently, redistribute their modified versions. The GNU Project keeps Linux-libre in synchronization with the mainline Linux kernel.[8]”
Basically, some stuff in the kernel is either not free or not open but is included for convenience.
AFAIK, the Linux codebase is actually open source in its entirety. However, it has parts that are capable of loading non-free stuff like firmware. The linux-libre project makes sure those parts are disabled.
Personally, I think it’s a fool’s errand as it would render most modern systems unusable (in the reasonable sense).
They also don’t apply such harsh judgement to firmware that resides in ROM, only to firmware updates. In most of these cases you’d have systems with outdated firmware with neither QoL nor security updates.
A lot of drivers for hardware are actually not open source, just unreadable binaries that do …something. No one knows exactly how they work, so some people consider them a security risk.
I think it’s because the linux kernel is GPL2, not the modern GPL3 like most free software, so I think that’s why some components are allowed to be non-free. Not sure though.
So, that practice violates the spirit of free software. So some distributions have those components removed. It’s safer, but you may lose functionality, depending on what computer components you have.
It’s an important project, and judging by the other comments here, underappreciated.
Could we please stop associating open source with security? Don’t get me wrong, I love open source software and it is easier to trust open source software than proprietary, because it is highly unlikely that they hide stuff like trackers in there. It is also most of the time highly configurable and sometimes even hackable, and as a software developer you are able to look into the mechanisms behind the APIs, which is sometimes really helpful.
But events like the lzma incident last year and the predictable openssl RNG in Debian some time ago (https://lists.debian.org/debian-security-announce/2008/msg00152.html) should tell us that open source doesn’t mean secure software. And the argument that there are many people looking at the code is not really true. E.g. many maintainers of the linux kernel only look at specific parts/drivers in it and maybe into some other things they need for that. There are probably only a few people, if any (apart from governments), who have read, understood and analyzed the linux kernel in its entirety with all the (open source) drivers built into it and all the possible combinations of configurations. And I don’t want to know how many have done all that for less popular projects. And even if that is done at some point for an upstream project, you would have to check the patches from your distro and, if there are any, do it all for yourself again. And when the next release arrives (one that has, say, at least a thousand lines of code changed, removed or added) you would have to do all that in its entirety again (although with some head start). And now think about how many big releases come with some software per year. And don’t forget to also include all the dependencies you have to check, including the compiler and standard library of the language(s) used.
Of course it is easier to do all that for OSS as an outside party because you don’t have to decompile it, but it is still incredibly hard. And only being easier to analyze for security risks doesn’t mean being more secure, just like packaging being recyclable doesn’t mean that it will be recycled.
Well, to run with your analogy, I prefer things to be recyclable than just throwing them away.
I agree with you - to a point. The linux kernel is too big and complex to understand all of it as a single person. However, it’s critical software. Meaning, we are not depending on some nerd to find a bug anymore. There are companies that look through critical code to check for security issues.
Now imagine I made some somewhat popular open source server software that saved passwords in plaintext. Chances are good that by sometime next week I’ll have someone on the internet scream at me for that. With proprietary software, no one is coming.
(Maybe at the next code review, someone will say something, but proprietary software does not imply me working at a corporation, and corporation does not imply the software having to be closed source)
Open source does not guarantee 100% secure software, but it does make obvious lapses in judgement much less likely. And sometimes, there IS a nerd who will look through the code because they wanted a feature, and finds a critical bug. Like the person that found the xz backdoor. The chance for that happening with closed source is zero.
I agree because it is exactly what my claim is. It would still be foolish to say that open source software is by design more secure than proprietary. I know that this is not what you said and you most likely also don’t mean that, but there are enough people who think that way because they read everywhere that OSS=secure software.
Your example with xz however does not really hold imo. The xz bug was not found because xz is open source but because someone realized that their ssh session build-up took longer than usual and they then used valgrind to check for issues, and not because they looked in the source code. It wasn’t even really an easy-to-spot backdoor because it was a malicious compressed file that changed the build process while running the tests and injected the actual backdoor into the compiled file. Therefore this would have been found with proprietary software with the same likelihood.
And regarding my analogy: I also like it more when things are recyclable, that is also why I like open source software more and have more trust in it. But now that I think about it, that wasn’t the best analogy I could’ve chosen but it was the first thing that came to my mind.
This is why I like fediverse. Redditors would downvote this to oblivion.
Well, the majority still seems to be unhappy. I think it is mainly because I chose Linux as an example and it reads like I think that Linux is not secure software which is not at all what I intended to say and also (obviously?) not what I think is true.
I could understand that some distros’ kernel had binary blobs, but the main kernel?? I was not expecting that if it’s true.
BSD people laugh at Linux because of that all the time
There were tons of comics by OpenBSD vs. Linux (being the corporate slave)
It’s definitely not safer. It does not include microcode updates so it’s quite the opposite of secure. Technically you can load them at boot but why would you intentionally make security harder to achieve?
Not including microcode updates is also extremely dumb from the philosophical standpoint. Microcode is closed source firmware running “inside your CPU” so if you don’t include the updates, your CPU now runs on both vulnerable and proprietary firmware.
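A quick way to see what the two comments above are talking about on your own machine: the kernel reports the microcode revision it is running in /proc/cpuinfo, and a distro kernel that applies updates ships them as files under /lib/firmware. The script below is an added example, not from anyone in this thread; it assumes an x86 system and the Intel firmware directory name (use amd-ucode for AMD), and takes both paths as parameters so it can also be run against sample files.

```shell
#!/bin/sh
# Added example: report the CPU microcode revision the kernel sees and
# whether a microcode firmware directory holds any update files at all.
# On a Linux-libre system the directory is typically absent (files=0),
# so the revision shown is whatever the BIOS/ROM applied, not a kernel update.

# Print the first "microcode" field value found in a /proc/cpuinfo-style file.
microcode_revision() {
    awk -F': *' '/^microcode/ { print $2; exit }' "$1"
}

# Count files in the vendor microcode directory, e.g. /lib/firmware/intel-ucode.
# Prints 0 when the directory does not exist.
microcode_files() {
    if [ -d "$1" ]; then
        find "$1" -type f | wc -l | tr -d ' '
    else
        echo 0
    fi
}

# One-line summary: "revision=<rev> files=<n>"
microcode_report() {
    rev=$(microcode_revision "$1")
    n=$(microcode_files "$2")
    printf 'revision=%s files=%s\n' "${rev:-unknown}" "$n"
}

# Stand-alone use against the live system (Intel paths assumed):
#   sh microcode_check.sh --live
if [ "${1:-}" = "--live" ]; then
    microcode_report /proc/cpuinfo /lib/firmware/intel-ucode
fi
```

If files=0 on a kernel that is supposed to load updates, check that the firmware package is installed; if the kernel is Linux-libre, that is the deblobbing doing exactly what the comment describes.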
I think there is some non-free firmware stuff included in most distros.
It exists because of the FSF. (watch Linus’s opinion on FSF) Unfortunately the FSF is full of obsessive people, who want politics to be an if-else problem. But that’s not how politics work, you always have to compromise somewhere. You cannot have hardware that uses open-source firmware, has schematics available, doesn’t use slave labor, is usable, is secure etc. You always have to choose between different evils.
But that’s not what the FSF does. They decided to draw a thick line through this blurry mess, so that these obsessive coders can have a digital high/low solution to this analog problem.
hm how do I continue…? It’s hard to explain because it does really make sense but I will try. So if some software runs on your computer and you can modify it from the OS, it has to be Open Source, otherwise it’s not FSF big wholesome chungus certified. But if it runs on your PC and you cannot modify it from the OS, it can be closed source and still get the Chungus certification. What you end up with is that the FSF recommends some old crap wifi cards running proprietary firmware because you cannot modify the firmware without external flashing. But it rules out new wifi cards that load the firmware during boot because the linux kernel cannot have proprietary software in it reeee. Obviously the latter situation is better for freedom because it’s at least easier to replace with Free firmware, but they don’t care about that.
In other words Linux Libre exists only because of some stupid bureaucratic rule that actually harms Free Software instead of helping it.
Wait I haven’t told you about microcode updates! Microcode is proprietary software controlling your x86-64 CPU. Linux Libre does not include updates to this firmware even though the microcode is proprietary regardless. So with Linux Libre your CPU is controlled by code that is proprietary, broken and vulnerable to stuff like Spectre or Meltdown. This part is so stupid that it’s almost funny. (but it’s actually sad)
But that’s not how politics work, you always have to compromise somewhere
THAT IS how politics works. You have to always try to make as much noise in getting what you want with the hopes that once it comes to a compromise somewhere you end up in a better position.
I mean sure. But that is exactly what the FSF isn’t doing.
The FSF has clear guidelines and follows them rigorously, nothing else. It’s good that they don’t make exceptions. Any problem with microcode or other proprietary drivers starts with the fact that they are not free. Making exceptions would partially solve the problem, but the situation would not change significantly, and the FSF would then be violating its own principles.
The FSF’s job in this regard is to try to open debate about the problems of not having free security patches and, in any case, to try to uncover hidden vulnerabilities in proprietary tools and facilitate the creation of free tools that solve the problems.
But their principles are bs to begin with. They decided what’s good and what’s bad based on a completely arbitrary metric. It does not matter whether code is baked into hardware or is flashed into it during the boot process. Proprietary is still proprietary.
They should fight for 100% free software and choose the lesser evil from there instead of fighting for the lesser evil (or imo the bigger evil) from the beginning.
Edit: Imo they are violating their own principles spiritually. They are just avoiding violating their own principles bureaucratically.
You know anyone is capable of saying the same thing, but about proprietary code or about that stance you have? Not everyone has to follow the FSF’s steps nor Linux-Libre; they’re there for people who want them and follow their principles. They do what they think is right and invest in that; you don’t, so you don’t invest in that. I think it’s great for them to work on projects like GNU Health, Linux-Libre or even Hurd (if it’s even active) so we can see more free software development in the future and free software culture in things like health devices (which may or may not be inside your body). I agree with you about microcode, though, but I think AMD is working on opening some microcode in their GPUs (I’m not sure about CPUs), which is great! You can just do your own thing; I prefer to use free software when I can and settle with proprietary code I can’t change, other people like to settle with proprietary systems and a small group likes to force free software in everything they can. I can still help with donations, reporting issues (my favorite part about FOSS/OSS is clear communication) and helping the community until I’m knowledgeable enough in programming.
Btw, I don’t think we have to always settle, we can still fight and get things changing for the better. It may take some time, but I think it’s worth it.
I also think there are great projects under the FSF. My issue is the politics and Linux-libre because it’s harmful.
I don’t think CPU microcode will be open source but the good thing is that RISC-V and ARM don’t need microcode so that could be avoided entirely in the future.
Right now (and for a while from now) we have to always settle; the FSF only never settles because they settled when writing their nonsensical guidelines. The closest you can get to a fully open source device is the MNT Reform laptop. Technically you can even have an Open Source CPU on it, but everything is at the cost of usability and yet it’s still not perfect. But nothing is perfect imo, that’s why imo you can never settle.
Linux itself is Libre on its own, but it’s modular and anybody can add non-libre software/drivers to it. Android is a popular example to see what that means. But to be fair, I don’t understand why Linux-libre exists. These projects would remove proprietary software from Linux. It’s a script, so maybe it’s intended to be used with any Linux kernel you have that comes with proprietary blobs? In that case the project makes very much sense to me.
But like you, I am not educated enough to understand all of this.
Edit: Found the script, so you can look at what it does to understand its purpose better: https://www.fsfla.org/svn/fsfla/software/linux-libre/scripts/deblob-6.9
https://wiki.hyperbola.info/doku.php?id=en:philosophy:incompatible_packages
I just want to know what did conky do to get in that list lol
They actually stopped using the linux kernel altogether as well.
Yeah, well, that’s Hyperbola; they are generally known to be extreme to the point of nonsense. If you want a good free-software-only distro, try Guix. They apparently have the third largest software repo in existence. They have an unofficial non-free repo too.
Thanks, I was actually building the libre kernel when you typed this.
Some people are just insane… That’s why they exist.