• 4 Posts
  • 92 Comments
Joined 1 year ago
cake
Cake day: June 9th, 2023

help-circle
  • Yep.

    There are two big end-user security decisions that are totally mystifying to me about Lemmy. One is automatically embedding images in comments without rehosting the images, and the other is failing to warn people that their upvotes and downvotes are not actually private.

    I’m not trying to sit in judgement of someone who’s writing free software but to me those are both negligent software design from an end-user privacy perspective.


  • Of note about this is that image links in comments aren’t rehosted by Lemmy. That means it would be possible to flood a community with images hosted by a friendly or compromised server, and gather a lot of information about who was reading that community (how many people, and all their IP address and browser fingerprint information, to start with) by what image requests were coming in kicked off by people seeing your spam.

    I didn’t look at the image spam in detail, but if I’m remembering right the little bit of it I looked at, it had images hosted by lemmygrad.ml (which makes sense) and czchan.org (which makes less sense). It could be that after uploading the first two images to Lemmygrad they realized they could just type the Markdown for the original hosting source for the remaining three, of course.

    It would also be possible to use this type of flood posting as a smokescreen for a more targeted plan of sending malware-infected images, or more specifically targeted let’s-track-who-requests-this-image-file images, to a more limited set of recipients.

    Just my paranoid thoughts on the situation.



  • mo_ztt ✅@lemmy.worldtoOpen Source@lemmy.mlThoughts on Post-Open Source?
    link
    fedilink
    English
    arrow-up
    1
    arrow-down
    1
    ·
    11 months ago

    Depending on the nature of the changes, it might be more advantageous to tell them that it’s easier (i.e. cheaper) to contribute changes upstream, rather than maintaining them separately forever. Also, the good will and reputation boost involved can be significant.

    Don’t say it if it isn’t true or anything, but in a lot of cases it’s true.



  • mo_ztt ✅@lemmy.worldtoOpen Source@lemmy.mlThoughts on Post-Open Source?
    link
    fedilink
    English
    arrow-up
    1
    arrow-down
    1
    ·
    edit-2
    11 months ago

    Yeah, 100%. At this point the resources invested in MacOS / iOS have probably exceeded even the decades of work they were able to leverage by starting with FreeBSD / NeXT / Mach / whatever else.

    (Edit: Actually, not 100% true. Macs are still very BSD-like under the hood; I actually really like development on Macs because I can basically treat them as BSD systems with unusual package management and a fancy GUI. For that reason they’re far preferable for me over Windows or pre-OSX Macs. But yes, your point is well taken that iOS development at this point has far eclipsed anything they started out from in terms of LOC and time spent.)


  • mo_ztt ✅@lemmy.worldtoOpen Source@lemmy.mlThoughts on Post-Open Source?
    link
    fedilink
    English
    arrow-up
    2
    arrow-down
    1
    ·
    edit-2
    11 months ago

    There’s a list of open source Android distributions. Although not very good, they are viable.

    Yeah, I get that. This is why I’m not fully in agreement with Perens that this is an urgent problem.

    How are phones free-software-hostile?

    Because the whole idea of the GPL was to usher in a future that was like the environment RMS grew up in, where you always had the source code to all your stuff and you could examine or modify or build on it. Linux machines are in actual practice that way, which is super cool. Android phones are basically not, from the viewpoint of almost any mortal human. I think the argument is that the efforts that the manufacturers make to close off modifications to the phones, and then put software on them that’s sometimes hostile to the best interests of the phone owner, means they shouldn’t be able to use all this GPL-licensed software for free in order to build the phones they’re selling.


  • mo_ztt ✅@lemmy.worldtoOpen Source@lemmy.mlThoughts on Post-Open Source?
    link
    fedilink
    English
    arrow-up
    2
    arrow-down
    1
    ·
    11 months ago

    This to me is a good question. The lack of something concrete that sounds like “yes, that would definitely work” is something that makes me have reservations about this whole thesis… but that said I think it has some merit.

    Mysql and Qt already have a pretty solid model, where there’s a GPL-enabled alternative that the community can use, or you can pay a fee to use the commercial version. You could scale that up to something where if you want to pay a certain fee, you can use lots of currently-GPL software (maybe any that’s been assigned to the FSF or something with the FSF shepherding the whole thing). Then, we can stop the sort of benign neglect of companies that are sloppy with their licensing of uboot or Busybox, and just tell them to start paying the fee if they don’t feel like dotting all their "i"s as far as licensing, and then use the fees to fund development of open source software that’s needed but doesn’t have a lot of motivated developers working on it.

    I’m not as convinced that it’s necessary as Perens is. Like I think he overblows by quite a lot the impact of RHEL skirting their licensing, because in his mind RHEL is such a big part of the computing world when in reality it’s not. But it sounds like he’s describing real problems and the solutions make some version of good sense to me.


  • mo_ztt ✅@lemmy.worldtoOpen Source@lemmy.mlThoughts on Post-Open Source?
    link
    fedilink
    English
    arrow-up
    8
    arrow-down
    1
    ·
    11 months ago

    Violating the (spirit of) the license (without violating the letter, because of loopholes in the license) is exactly what Perens is talking about.

    He’s not “complaining he isn’t getting paid.” I think it’s pretty rare that the people working on open source software are actually hurting for money or anything. He’s complaining that the actual practice of how the software is being used, RHEL and Android on phones and etc, isn’t doing well at reflecting the vision of the computing world the GPL was supposed to create. Then, as one possible solution, he’s proposing to kill two birds with one stone with a new license where the companies that are skirting the license right now can have to fund the development of particular types of open source software that need to get done anyway but is lacking right now (because of lack of profit motive).

    You might or might not agree with his thesis; as much as I think it’s interesting and insightful I have some reservations about it. I just thought you were misunderstanding his whole argument as being in terms of money, that’s all.


  • mo_ztt ✅@lemmy.worldtoOpen Source@lemmy.mlThoughts on Post-Open Source?
    link
    fedilink
    English
    arrow-up
    2
    arrow-down
    1
    ·
    11 months ago

    Hm, interesting stuff. Yeah, maybe it’s more common than I was aware of – that’s still a little weird to me, because there are entities like FSF that are so happy to go to bat for people legally if they do want to make it a legal issue.

    Maybe it’s made a little more complex because a lot of authors don’t want to “punish” the company involved so much as they just want people to comply with the terms of the license, and a lot of companies aren’t violating the license out of maliciousness but just from lack of knowledge or it just being more difficult than it sounds to keep your ducks in a row with source availability.

    FWIW, I know Android phones generally have something buried in the settings where it explains what the licensing is for the code on the phone and with a theoretical offer for the source if you want it. That seems like what the Youtube talk is about; just creating the technical tools so that people can be in compliance without it being a pain in the butt that costs your engineers time and costs you money to do which companies are going to be tempted to avoid. But yeah, maybe people are getting sloppy about it in a way I wasn’t aware of; that’s sad to me if so.




  • mo_ztt ✅@lemmy.worldtoOpen Source@lemmy.mlThoughts on Post-Open Source?
    link
    fedilink
    English
    arrow-up
    1
    arrow-down
    1
    ·
    edit-2
    11 months ago

    On what is your doubt based? Like what devices do you have that you think are violators? Like I say I imagine that careless violations aren’t, like, un-heard of, but correcting them once things are explained is almost always the response. I mean, correcting the violation is usually free and easy. I’m not real familiar with the SFC, but I know they’re actively suing Visio right now, and I know the FSF is happy to bring cases to trial if it comes to that (they kind of like doing it it seems like).

    Link to the Best Buy case


  • mo_ztt ✅@lemmy.worldtoOpen Source@lemmy.mlThoughts on Post-Open Source?
    link
    fedilink
    English
    arrow-up
    5
    arrow-down
    1
    ·
    11 months ago

    They were selling TVs with GPL-licensed software inside without complying with the terms of the GPL. When challenged, their defense was some version of “But it’s completely free for anyone to use!”

    They didn’t have to give up every one of their TVs of any model, just the infringing models (the ones that used Busybox without complying with the GPL).


  • mo_ztt ✅@lemmy.worldtoOpen Source@lemmy.mlThoughts on Post-Open Source?
    link
    fedilink
    English
    arrow-up
    8
    arrow-down
    1
    ·
    11 months ago

    Generally speaking I agree; I like how Perens is thinking about it.

    I do think it’s pretty well established that the GPL “has teeth” though. The FSF has a list of enforcement cases against fairly large defendants; it looks like their record is 2 for 2 in the US. I think it rarely comes up, just because complying with the terms of the license is so no-brainer-ly easier than trying to make the legal argument that you can use someone else’s stuff for free while thumbing your nose at the terms and conditions they want you to abide by in order to do that.

    I think most of the “big company ignores the GPL” things you hear about are either things like RHEL, where they’re carefully skirting the line in a clearly bad-faith way that has some decent chance in court for some particular reason, or else someone breaking the GPL and then their legal department looking at it for 2 seconds and telling them to stop doing that. The cases where someone with anything to lose actually doubles down and says “fuck you” are rare I think for pretty obvious reasons.

    (Also, I just learned this today: When Best Buy did this in 2009, the judge eventually made them give the plaintiffs the TVs as part of the damages when it was all done. That’s the funniest thing I’ve heard all week.)


  • mo_ztt ✅@lemmy.worldtoOpen Source@lemmy.mlThoughts on Post-Open Source?
    link
    fedilink
    English
    arrow-up
    47
    arrow-down
    3
    ·
    11 months ago

    This is a common misconception. A couple times, it’s even gone to court. Both Cisco and Best Buy had to pay nontrivial amounts of money, and in the case of Best Buy, it hilariously had to give to the plaintiffs its inventory of TVs which contained software copyrighted and GPL-licensed by the plaintiffs.

    GPL licensed does not in any world mean “completely free for anyone to use”. For end-users, it does. For companies that want to resell the GPL-licensed software, it means, you can do it for free if you comply with the terms of the license, and if you don’t, then you can’t. There’s not a monetary exchange, but there are licensing terms you need to comply with which were apparently important enough to the people that wrote the software for them to apply that particular license instead of some other one.

    If you disagree, that’s completely fine, but that doesn’t mean you can all of a sudden resell their software and use their work for free, even if there are other people (in compliance with the license) who can.


  • mo_ztt ✅@lemmy.worldtoOpen Source@lemmy.mlThoughts on Post-Open Source?
    link
    fedilink
    English
    arrow-up
    8
    arrow-down
    1
    ·
    edit-2
    11 months ago

    Can you elaborate on this?

    I think we’re saying the same thing; maybe I worded it confusingly. BSD is supposed to allow proprietary-ization, and GPL is supposed to prevent it. Apple is within both the letter and spirit of the BSD license with what they’re doing with iOS. Google is technically within the letter of the GPL with how they distribute Android, just as Redhat is technically within it in how they distribute RHEL, and honestly maybe both cases are fine, but it’s far from the intent. The spirit of the GPL is that people who would receive an Android phone would know that the relevant parts of their phone’s software are open source and have a realistic ability to modify them, which I’d argue is true for pretty much 0% of even tech-savvy users today.

    If the courts would just back that up, you would be able to recompile all the GPL’d parts of your smartphone’s firmware and run that on your phone.

    Firmware? You mean kernel, right? (in addition to whatever low-level userland tools are GPLd, which I’m sure is a bunch.)

    I don’t think Google really did anything wrong here. The letter of the law is being upheld pretty well in what they’re doing. I think the issue is the cell phone manufacturers making it de facto impossible to modify your cell phone. I don’t think the GPL actually makes any requirement for modifying the software in-place being a requirement (nor should it IMO), and providing the source code is done carefully in accordance with the license. It’s very different from the “fuck you I take your stuff, sue me hippie” stance that Broadcom took. Broadcom very clearly broke the law.

    In my opinion, the issue is that a cell phone is such a free-software-hostile environment that arguably GPL software shouldn’t “be allowed to” come into contact with it in any capacity if the spirit of the GPL were being upheld. IDK how you can write something like that into a license though. And I think that’s what Perens is saying – that we need a new model that comes closer to the spirit in terms of what the actual result is.

    (Edit: Actually, maybe making it a realistic possibility to drop in a recompiled replacement should be a part of the GPL. I remember people were talking about this decades ago with signed bootloaders and things, so that a recompiled kernel wouldn’t boot on particular machines unless you broke the DMCA by doing something to your hardware. I said I wouldn’t like any attempt in the license to forbid that, but on reflection, it sounds like maybe a pretty good way to better uphold the spirit of the GPL with particular legal language.)



  • mo_ztt ✅@lemmy.worldtoOpen Source@lemmy.mlThoughts on Post-Open Source?
    link
    fedilink
    English
    arrow-up
    36
    arrow-down
    2
    ·
    edit-2
    11 months ago

    I wasn’t too psyched about reading this article, but I was surprised at how sensible it is – among a bunch of pretty good points he makes, this is one of them:

    Another straw burdening the Open Source camel, Perens writes, “is that Open Source has completely failed to serve the common person. For the most part, if they use us at all they do so through a proprietary software company’s systems, like Apple iOS or Google Android, both of which use Open Source for infrastructure but the apps are mostly proprietary. The common person doesn’t know about Open Source, they don’t know about the freedoms we promote which are increasingly in their interest. Indeed, Open Source is used today to surveil and even oppress them.”

    From the end user’s point of view, there is absolutely no open-source-ness to your Android phone. (BSD which iOS is based on was always designed to make this a possibility, but the GPL was not.) They’re using all this software which was supposed to be authored under this theory of GPL, but except for the thinnest thinnest veneer of theoretical source availability, it’s proprietary software at this point.

    RMS actually talked about this. He laid out this vision of this bright future where you’d always have access to the source code for all the software on your computer and the rights to take a look at it or build on it or modify it, and some reporter said, well yes but what about all these other urgent problems that are ruining the world with private industry trying to make money at all costs and destroy it all. And RMS said, more or less: Yes. It bothers me a lot. But I don’t really know about that, and I know software, and I felt like in this one specific area I could write a bunch of software and solve this one problem in this one area where I felt like I could make a difference. If other people could get to to work on these other more urgent problems that’d be great, because they also bother me a lot.


  • Yeah. To me it seems transparently obvious that at least some of the applications of AI will continue to change the world - maybe in a big way - after the bust that will inevitably happen to the AI-adjacent business side after the current boom. I agree with Doctorow on everything he’s saying about the business side, but that’s not the only side and it’s a little weird that he’s focusing exclusively on that aspect. But what the hell, he’s smart and I hadn’t seen this particular business-side perspective before.