RMS On Why Free Software Is More Important Now Than Ever Before

jrepin points out an article by Richard Stallman following up on the 30th anniversary of the start of his efforts on the GNU Project. RMS explains why he thinks we should continue to push for broader adoption of free software principles. He writes, "Much has changed since the beginning of the free software movement: Most people in advanced countries now own computers — sometimes called “phones” — and use the internet with them. Non-free software still makes the users surrender control over their computing to someone else, but now there is another way to lose it: Service as a Software Substitute, or SaaSS, which means letting someone else’s server do your own computing activities. Both non-free software and SaaSS can spy on the user, shackle the user, and even attack the user. Malware is common in services and proprietary software products because the users don’t have control over them. That’s the fundamental issue: while non-free software and SaaSS are controlled by some other entity (typically a corporation or a state), free software is controlled by its users. Why does this control matter? Because freedom means having control over your own life. ... Schools — and all educational activities — influence the future of society through what they teach. So schools should teach exclusively free software, to transmit democratic values and the habit of helping other people. (Not to mention it helps a future generation of programmers master the craft.) To teach use of a non-free program is to implant dependence on its owner, which contradicts the social mission of the school. Proprietary developers would have us punish students who are good enough at heart to share software or curious enough to want to change it."

SubjectsInCommentsAreStupid

[lesincompetent]

I dare anyone, especially after mr. Snowden's revelations, to contradict mr. Stallman's points.

Re:SubjectsInCommentsAreStupid

[Wootery]

You've made no mention of crypto. Crypto is what stops 'them' getting to see your data, not software freedom. Non-Free/closed-source crypto can never be trusted, though.

It could all be free software and they could still spy on you.

Not if this Free software was implementing proper end-to-end crypto.

Of course, in practice there might be issues with trusting them to be running the code they say they're running.

Re:SubjectsInCommentsAreStupid

Crypto fixes that for you. End-to-end crypto under the control of the user, that is. Which is "hard" so the majority will say they don't care in order to hide incompetence.

Re:SubjectsInCommentsAreStupid

[turbidostato]

"But, how does that stop them (the guys running the servers) having access to all of your information you have stored on their machines?"

So exactly making the second RMS' point: beware service as a software substitute.

Re:SubjectsInCommentsAreStupid

[Lumpy]

You dont need end to end trust chain.

You need your endpoints trusted and treat the rest as hostile, like you should have always been doing if you had any real interest in security. The NSA revelation's are that your endpoints are compromised.

If I have secure endpoints, the technology is out there to easily transmit data in a way that in uncrackable in any useable amount of time. There are a lot of FUD claims that came out of the Snowden release flurry floating about that just do not add up. YES if the encryption system is compromised it's cracked, but not all of them are.

Plus they dont NEED to crack your communication if they own your endpoints, and I am certain that is their current operation as it makes sense.

So secure your endpoints and stop worrying.

Re:SubjectsInCommentsAreStupid

[flyingfsck]

You can trust Free software the same way that you trust that a road and a bridge over a river is good. Lots of other people in front of you are using it without problems and various maintenance crews are doing their level best to keep the road open and all road construction and repairs are visible to anyone driving past.

Re:SubjectsInCommentsAreStupid

[AlphaWoIf_HK]

As a Gmail user I'm perfectly fine knowing that Google reads my mail and potentially shares that info with the Government.

Then you are a naive fool and are part of the problem.

at the mercy of the owners

[Joining+Yet+Again]

One thing the FSF's licences haven't dealt with properly is the problem of Free software being used to TAKE control rather than GIVE it. Most of the huge SaaS providers are running Free software, adapted as they will - but with code not distributed, because it doesn't need to be as long as they're not distributing their proprietary platforms - and with all your data on their systems. Should the GPL be adapted to deal with that? Could it?

Maybe the FSF need to prepare a set of terms to explain what counts as adequate vs inadequate control over systems and data - to be more clear about e.g. how one could prepare a 'phone ecosystem which leaves control in the hands of the user. For "server" to be a person's home computer rather than Google's cloud would perhaps be a start.

Re:at the mercy of the owners

One thing the FSF's licences haven't dealt with properly is the problem of Free software being used to TAKE control rather than GIVE it. Most of the huge SaaS providers are running Free software, adapted as they will - but with code not distributed, because it doesn't need to be as long as they're not distributing their proprietary platforms - and with all your data on their systems. Should the GPL be adapted to deal with that? Could it?

Maybe the FSF need to prepare a set of terms to explain what counts as adequate vs inadequate control over systems and data - to be more clear about e.g. how one could prepare a 'phone ecosystem which leaves control in the hands of the user. For "server" to be a person's home computer rather than Google's cloud would perhaps be a start.

Uh, please look up the GNU Affero GPL. It is intentionally one-way compatible with the GNU GPL 3.0.

So saying "One thing the FSF's licences haven't dealt with properly" is uninformed bullshit. Like with any licensing choice, it's a tradeoff between freedoms to use and freedoms to abuse. But the abuse case is important enough to the FSF that they do offer this licensing choice and make it possible to employ it in connection with GPLv3-licensed software.

Re:Goes too far

[Internetuser1248]

but democratic values are less likely to be transmitted if I use Office?

If you are a teacher, yes. If you learn office at a young age, it becomes very unlikely you will switch to anything else. It can be difficult for some people too, as the interface is different. Once the students go home and have to set up their own computer they will likely use office. They will either pay for it or not pay for it. If they don't pay they are committing a crime which can be severely punished if they get caught. If they pay then the school is basically training them to give money to a large corporation. Not only that, a specific corporation, with a partial monopoly in that market. Evidenced by the fact that you write 'Office' with a capital O and take it as a given that everyone knows you mean Microsoft® Office®.

Training kids to give money to support a monopolistic corporation does not seem to be directly in line with the principles of democracy.

Traffic analysis; diverse double compiling

[tepples]

Crypto is what stops 'them' getting to see your data

End-to-end cryptography won't stop "them" from seeing with whom you communicate, how often, where, and when.

Of course, in practice there might be issues with trusting them to be running the code they say they're running.

Things like "trusting trust" are why David A. Wheeler invented diverse double compiling. Take two or more independently developed compilers, preferably Free ones such as such as GCC and Clang, and bootstrap a compiler in all of them. If the end result of both bootstrap processes is the same binary, the resulting compiler is overwhelmingly unlikely to be booby-trapped.

Re:Traffic analysis; diverse double compiling

[K.+S.+Kyosuke]

that proof still doesn't rule out malicious behaviour.

It's not a proof - it's evidence. The point is that there are a large number of, e.g., (largely) conforming C89 compilers. Some of them are common, such as GCC, MSVC, or Boland C++. Some of them are more obscure - MIPSPro, IBM XL. Some of them are outright bizarre - the Symbolics C compiler for Lisp Machines that uses a large array as a simulated raw memory without compromising the physical memory space to C bugs comes into mind. Some of them are very simple and can be subjected to the test quite easily on both sides (as the compiler being verified, or the compiler used for verification), such as TCC. Assuming that there are booby traps in commonly distributed compiled binaries is being cautious, but thinking that the same group of attackers compromised GCC binaries, MSVC binaries, and the Symbolics C stuff in identical way is rapidly approaching clinical paranoia. You can throw a few other obscure systems into the mix and cross-check all the results. If all the binaries you end up with behave identically for a large number of binaries and a large number of inputs, you ought to be able to end up with an arbitrarily high confidence that your new binary is trustworthy. (You might even try to add arbitrary levels - if, say, the binary of X compiled by (Y compiled by Z), where X, Y and Z are all C89 compilers, generates the same outputs for the same inputs for a large number of tuples, you're as close to being certain as it is possible without inspecting the binaries by hand, since orchestrating Ken Thompson's attack in a way that would allow it to propagate through a cross product of very diverse compilers is nearly impossible.

Re:Traffic analysis; diverse double compiling

[K.+S.+Kyosuke]

you don't need to compromise all, just one that has enough spread to be a good vector

Actually, you do need to compromise all of them because that's the only way in which you can alter the behavior (not just shape) of resulting compiler binaries in an identical way. Given the maximum possible variety of compiler sources and running environments (which you ought to strive for in this kind of verification), an attack that would be able to trans-infect the bootstrapped compiler for any combination of bootstrapping and bootstrapped compiler seems infeasible. Or, to put it in different words, if your attacker has the knowledge, resources, and connections to pull off *this*, you probably have a much worse problem than merely not having a trustworthy compiler.

You're still paying them.

Why is it that you think that if the entire chain is open that means it has to be zero cost to you the customer?

They don't follow on.

Free has more than one meaning. You're a free man, yes? Does that mean you work for zero wages?

Think on it.

If you can.

Re:Goes too far

[flyingfsck]

Yes, but since the hood is not welded shut, you can take your car to ANY garage: The dealer, Wal-Mart, Canadian Tire, the old scoundrel down the street... That is the freedom that you get with Free software. You can fix it yourself, or pay someone of your choosing to fix it.

Misrepresenting RMS is still unfair.

[jbn-o]

Slashdot is currently running this story with the logo of the Open Source Initiative—an organization RMS has never been a part of, did not start, and which offers a different philosophy that does not agree with the philosophy of the older free software movement Stallman did start.

I don't know why someone would make the choice to run this story with the wrong logo attached to it, but I hope Slashdot will correct the error. It is still unfair to misrepresent RMS's opinion.