Questions about Linux-Libre's effectiveness

Denis 'GNUtoo' Carikli GNUtoo at cyberdimension.org
Mon Aug 22 13:46:24 UTC 2022


On Fri, 19 Aug 2022 15:07:12 -0400
LUH LAH <welpthisdidnotwork at gmail.com> wrote:
> However, it seems quite foolish (to me) to disqualify Firefox solely
> because you "could" install non-free addons. I think that if I were to
> simply look on each developer's website (which Mozilla makes very
> easy), I could easily find out whether or not it's FLOSS.
FSDG compliant distributions make sure that browsers do not come with
a repository of addons which also contains nonfree addons.

This is typically done by either patching the browser, changing its
build configuration or using forked browsers (like icecat for
instance) that don't have these issues.

So we have browsers derived from Firefox, but they're not called
Firefox (look instead for icecat, iceweasel, gnuzilla, etc) because the
modifications are important enough to require calling them something
else, even if most of the code is the same.

Even looking for Firefox (with pacman -sS firefox or guix package -s
firefox) works because the description of the package often mentions
that it's a browser that is based on Firefox.

Here the project that makes Firefox requires distributions to change
the name if the changes made to the code are too invasive, and that's
not necessarily a bad thing: if someone modifies linux-libre to add
nonfree software in it, it would make sense to change the name along the
way, otherwise that would mislead users.

As for the repositories of software like the mozilla addon repository,
they raise many issues:
- First, the FSDG requires not referring to repositories that
  contain nonfree software. So if distributions still want to refer to
  these repositories, then they have the choice between working to
  modify the FSDG or deciding not to follow them anymore. The
  latter is not a decision that is to be taken lightly.

- Then the FSDG has these requirements for good reasons: many users,
  especially the less technical ones, can easily think that
  everything in the repository is free software while it's not. If that
  repository is not mentioned in any way or used in any way by an FSDG
  compliant distribution, it's pretty clear that users are on their own.

  If not, users make mistakes, and even technical users like me
  sometimes make that mistake because we don't have the time to check
  everything.

  Getting together and doing that work together is precisely what FSDG
  compliant distributions enable people to do, so we are better off
  doing that together because of time constraints.

  In contrast, with non-FSDG distributions, having nonfree software is
  not a bug, so nonfree software can't be removed by bug reporting and/or
  contributing to remove it.

  That leaves users alone to do all the checking work, but that is
  almost as much work as doing an FSDG compliant distribution anyway,
  so it doesn't make sense not to regroup together to do that work. And
  for GNU/Linux distributions we also need to modify packages for it to
  work as often in non-FSDG distributions some crucial packages contain
  nonfree software.

  And the alternative of hoping that everything is fine in non-FSDG
  compliant distributions doesn't work either because things are not
  fine.

- Anyone can claim that a given addon is free software. The question
  here is that, if I understood well, it's up to each addon maker to
  build the addon. So the current implementation of the mozilla addon
  repository makes it extremely difficult to check licensing
  information at a large scale. So again users have a hard time
  collaborating to do the checks here.

  The free software directory can help users collaborate to do freedom
  checks on projects but again there is a limitation because this
  project isn't concerned about binaries, it only checks project source
  code, and it doesn't even build the source code. So for instance
  nonfree libraries and other things could be in the addons without the
  ability for users to learn about it easily.

  In contrast, many distributions (including non-fsdg ones) do build
  packages themselves. This makes checking much easier and it scales
  pretty well. Just building the package already tests many things
  automatically (that there is no missing dependency, that nothing is
  missing, etc). Combining that with manual review (like what the free
  software directory does) can yield pretty good results.

  Not combining building software and manual review, however, lets too
  much nonfree software in for package users.

- Different distributions have different licensing standards. For
  instance Debian main is 100% free software (but not FSDG compliant),
  so at least what it claims is free software usually is (but it might
  refer to addons repositories that contain nonfree software for
  instance).

  FSDG compliant distributions are also very strict on that as they try
  to do their best not to redistribute nonfree software. This
  also includes not redistributing upstream source code with nonfree
  software in it. Parabola has a mechanism (mksource()) that copes well
  with that requirement for instance.

  In contrast in many non-FSDG compliant distributions, Linux is
  considered free software even if it has files that contain nonfree
  software like arch/powerpc/platforms/8xx/micropatch.c.

  Some nonfree firmwares (like signed firmwares that can't be
  modified by the end users and the distributions) are also considered
  as free by many of these distributions.

  And here we're in a situation that is even worse because, as I
  understood, each addon producer would have their own standards. So we
  can safely say that there are freedom bugs that can't be fixed in
  such repositories.

That said, it may be possible to make an FSDG compliant addon
repository out of the mozilla addon repository without rebuilding the
addons, but it would at least require a way to review the addons
and to be able to fix things (for instance by removing non-compliant
packages). 

Parabola works a bit like that as it reuses the FSDG compliant Arch
Linux packages, but it also has the ability to replace the blacklisted
packages by packages of its own (because otherwise it wouldn't be able
to boot, because some packages like linux need to be replaced).

Denis.