Stallman's Bizarre Take On Flatpaks & Snaps

  • Added 18 December 2023
  • Stallman has done some incredible things for the software world but he occasionally says things that don't make any sense, and his takes on flatpaks and snaps fit exactly that description.
    ==========Resources==========
    Wikinews Interview: en.wikinews.org/wiki/Wikinews...

Comments • 468

  • @BrodieRobertson 7 months ago +29

    Don't worry I saw Techrights blog post, I've got plenty to say about it

  • @user-hj6uf6nr9b 7 months ago +120

    I do admire the ideals that Stallman holds, and it's a noble cause. But I need my wifi to work.

    • @jannikheidemann3805 7 months ago +5

      Can you get a wifi modem that has FOSS drivers and firmware?

    • @RegularTetragon 7 months ago

      @jannikheidemann3805 look up ddwrt/openwrt
      Also chances are your router firmware is a very specialized Linux distro

    • @tcscomment 6 months ago

      @jannikheidemann3805 (not really)

    • @NetRolller3D 6 months ago

      @jannikheidemann3805 AR9170 by Qualcomm Atheros fits the bill, but it's old Wi-Fi 4 hardware.

    • @Assenayo 6 months ago

      I like the ideals too, but I like Steam and Spotify.
      As for Wifi, I haven't had driver issues for Wifi in well over a decade, the only proprietary driver and I tend to run Fedora. Only proprietary driver I have had to install over the last decade or so has been nvidia, and I stopped buying nvidia cards years ago not because of ideals, but because those drivers are a pain.

  • @thingsiplay 7 months ago +238

    Stallman actually criticizes the Flatpak and Snap repositories, not the package management software itself. And I think he should rethink his answer to point to the actual problem, the repositories themselves.

    • @Beryesa. 7 months ago +5

      But we have filters?

    • @thingsiplay 7 months ago +12

      @Beryesa. I'm not sure what you mean by that and how it addresses my point?

    • @Mempler 7 months ago +29

      isn't the flatpak repository fully open source?

  • @Gruak7 7 months ago +26

    A.K.A. Stallman's bizarre adventures.

  • @jasamkrava 7 months ago +130

    lignux

    • @henrylonghead 7 months ago +1

      I'll go with BSD

    • @jasamkrava 7 months ago +5

      @henrylonghead bts

    • @yep596 7 months ago +4

      sounds like a pelican trying to throw up

    • @jasamkrava 7 months ago +1

      @yep596 brodie did a video on it, stallman is really creative

    • @SuperTort0ise 7 months ago +11

      Lig-dezz-nux?

  • @muellerhans 7 months ago +28

    I think what Stallman meant is inspecting when snaps and flatpaks are already built.
    E.g. deb and rpm can be opened in an archive manager and can thus be checked for proprietary things before installing.

    • @marcogenovesi8570 7 months ago +3

      and what does prevent unpacking a flatpak package? It's still just an archive

    • @muellerhans 7 months ago +5

      @marcogenovesi8570 Can't judge if it works for every flatpak and if actual source will come out. Issue #126 (from 2016; Stallman could have tried it earlier) says it isn't that easy at least. Failed myself on my machine. Common archive managers definitely don't work so "still just an archive" is a bit misleading in my opinion.

    • @SirWuffleton 6 months ago

      Can't speak to snap, but at least on the flatpak side of things, you can inspect them on a pretty deep level because all they are is linux namespace containers using bubblewrap, built against a common buildroot which they call the "SDK". The biggest advantage of flatpaks over native distro packages is that the closed source app only has limited access to my filesystem, devices, and dbus session bus since it's containerized.
      The "debugging" page of flatpak's docs has more info on how to dig into the contents of the flatpak's environment with "flatpak run --command=sh --devel ". The alternative that doesn't require installing the software is using the ostree tooling to extract the delta/bundle as described in the issue you mentioned - the destination filesystem will need to support xattrs though (since that's what was snagging people in that issue thread).
      At the end of the day, flatpak is just a framework for packaging containerized apps against a common, portable userland with a few desktop integration features (like xdg-dbus-proxy) on the side and a permissions system to limit the containerized app's system access. Yes, there's still closed source software available, but sometimes there is no viable alternative when it's a necessity in your workflow. Third-party (non-flathub) repos are also not obligated to release their build files, so I can understand the concern there too. Ultimately it comes down to the chain of trust and what you consider an acceptable threat model for your use cases.

    • @nescius2 2 months ago

      You won't get _source code_ from deb package (usually).

    • @nobodyimportant7804 a month ago

      How often do you unpack debs and rpms?
      It is a non-issue and I am 100% anti-flatpak and snaps.

  • @SnakePlissken25 7 months ago +70

    As someone who almost never builds packages from sources, I entirely agree with the point of the chain of trust. As someone already mentioned in the comments - in many cases you can't trust the upstream dev, and the additional scrutiny that the maintainers put on packages (in a trustworthy distro, at least) adds that layer of trust.

    • @shApYT 7 months ago +12

      University of Minnesota, log4j and thorium. All varying levels of severity and malice.

    • @entelin 7 months ago +1

      It's an old issue, the tension between developers moving forward with their project and the bug and security fixes they implement, and sometimes create.. With downstream distribution holding that work back because the old version has been more tested. There's no particularly good answer to this other than the fact that it's not particularly tenable for distributions to audit the enormous quantity of software in their distributions. In my view, distributions should be smaller than they are currently, with less commonly needed applications loaded in through some kind of container system which provides robust security controls. Additionally it's worth noting that once a project surpasses a certain level of sophistication, it's completely impossible for a distribution to be expected to do much of anything with it. Imagine a hypothetical situation where a distribution held back AutoCAD, or a video game for example, when a company like that pushes out a change, the user is going to expect that fix is available instantly. Distributions should be common infrastructure only.

    • @SnakePlissken25 7 months ago +1

      @entelin We have macos and windows for that.

    • @entelin 7 months ago +5

      @SnakePlissken25 Is... there a point in there somewhere? An OS is only as relevant as the software it can run. Distributions are currently so fragmented and simultaneously enormous, that almost all of them have a workload that is vastly beyond what they can realistically handle. Nobody is auditing everything in their distro, most stuff is just built and shipped, and that's about it. And even that much is a ton of work... duplicated across every distro. Distros need to focus on the core stuff that everyone needs, the stuff they can actually do QA for. Everything else should be the developer's responsibility, and use more universal packaging systems with security controls.

    • @Ormaaj 7 months ago

      You know the bar to becoming a distro maintainer is actually not that super high. There's almost nothing that community distro projects do or can do to assure contributors have good intentions. They are usually happy to take almost anybody with the skills and willingness to volunteer.
      Being a trusted core contributor to a major software project is usually a significantly harder thing. Core maintainers of important projects usually have demonstrated enormous personal investment in their project, through development and interaction with other users and contributors over the course of years. Such people are rarely inclined to sabotage their own projects at the expense of hard earned trust and reputation. A distro maintainer is not normally expected to demonstrate such investment. Some distros do not even have a policy that requires maintainers to share their real identity, and when they do there's usually no verification. This idea that the distro people are somehow more trustworthy is totally backwards, (though they almost always are fine people).
      On top of all that, few top-level projects distribute binaries, and when they do distros never use them! Even if you didn't trust maintainers, you don't have to - everything is verifiable. If I wanted to covertly tamper with some package to exploit users I'd totally do it by infiltrating some project at the distro level. They're ripe easy targets. The criminal that targets the top-level devs, where people smarter than you and intimately familiar with the code base scrutinize everything that happens, is not mastermind-level. (No need to worry about me - Gentoo person. ^^)

  • @The_Lawnmower_Man 7 months ago +11

    Note that that unofficial snap server/repo project shown at 10:21 appears to have been abandoned by its developer... contrary to what a recent editorial on The Register would have us believe!

  • @joshua_lee732 7 months ago +71

    But can you use snap or flatpak to pull down the source code skipping the binary? Something like apt-get source?
    Not every flatpak repo is forced to make the packaging repo public. I think that's where stallman is coming from, and as usual he just worded it really poorly.

    • @parsanobahari6089 7 months ago +1

      you said it best

    • @seeibe 7 months ago

      Does he realize that most Linux users use a distro where the same can be achieved with the standard package manager?

    • @BrodieRobertson 7 months ago +9

      Not automatically but you can follow the build manifest by hand

    • @bigpod 7 months ago +7

      @zekodun most package managers don't actually ship source code nowadays and they use separate repos for source code and your standard package doesn't actually ship the code just final binaries

    • @marcogenovesi8570 7 months ago +1

      most snap/flatpaks are created by repackaging binaries (i.e. for most closed source applications) so even if you know how to build the package it's just a "download binary and make package"

  • @georgehelyar 7 months ago +16

    I'm not a streamer so I wasn't aware of the OBS thing, but as a software developer it sounds like nonsense to me.
    If it's got private keys in it then binary vs source doesn't make much difference, it's pretty easy to extract them from the binary, but also you shouldn't distribute private keys or shared secrets anyway, that's what public keys are for.

    • @enemixius 7 months ago +9

      It may be just some API keys that they can't openly share for legal reasons but are only required to "reasonably" hide from the public. In that case, it makes sense that anyone building their own binaries would need to supply their own keys.
      I have my own project that's in such a situation, I will release it under a free license once it's ready, but anyone wanting to build it from source must supply their own keys for it to be able to fetch data.

    • @BrodieRobertson 7 months ago +7

      They're just YouTube and Twitch API keys

    • @terrydaktyllus1320 7 months ago +2

      @BrodieRobertson There's no "just" about it. It's a bloody cyber-security nightmare in distributing private keys out to anyone else, they are "private" for a reason.

    • @BrodieRobertson 7 months ago +4

      @terrydaktyllus1320 This is how many applications function

    • @terrydaktyllus1320 7 months ago +2

      @BrodieRobertson Then those applications are also insecure. There should only ever be one instance of any specific private key.

  • @MrOrtmeier 7 months ago +46

    What Stallman is saying is you can't simply trust the dev. Your distro maintainer will check the app when compiling it and potentially find any issues.
    It sounds reasonable but I have no idea whether the maintainers actually do check for issues or not.
    Do you know?

    • @hansdampf2284 7 months ago +3

      What rather makes packages from distro repos more secure than packages from outside is that those versions went through numerous hands before they end up on your computer. If you run Debian, those packages were basically tested by all those arch users who had them years before you, all those guys in Debian unstable and testing, Gentoo unstable, Ubuntu etc. etc. That xscreensaver thing was a time bomb that especially targeted Debian, the usual malware is not.

    • @mskiptr 7 months ago +5

      That really varies between distributions (and individual maintainers) I believe, but full audits are never a thing.

    • @MrOrtmeier 7 months ago +2

      @mskiptr Thank you. In which case, his point doesn't really stand.
      Having said that I hope that Flathub can put in place a verification system to verify that the packager is the actual dev of the app and not a 3rd party. Then at least you can be 100% sure the dev packed it himself/herself.
      That should allay any doubts.

    • @grants7390 7 months ago +10

      the only person in the world you can truly trust is yourself.

    • @BrodieRobertson 7 months ago +8

      Xscreensaver isn't malware, I assume you're referring to the warning message telling debian users to update because they're on a 2 year out of date version

  • @atomgutan8064 6 months ago +2

    I think Stallman's mistake here is always needing to verify the integrity of the application. There is a very good and short article by Ken Thompson called "Reflections on Trusting Trust". It basically says that no matter how much you read the source code before building an app, you are trusting the compiler. Even if you read all the compiler source codes to the first one and build them in chronological order, you still have to trust your firmware and hardware.

  • @knghtbrd 7 months ago +7

    This is peak Richard Stallman. The fact that non-free software EXISTS as flatpak or even snap is enough for him to wash his hands of the thing, since he doesn't know what it is. The man wouldn't touch F-Droid because it contains "anti-features" and is probably using a Nokia candy bar, if he's using a mobile phone at all.

    • @deloller2452 7 months ago +1

      He claimed he does not use smartphones because he does not trust them, so probably yes

  • @orbatos 7 months ago +21

    Setting RMS aside for a moment, you can audit boundaries produced in most official repos, they are built and signed by maintainers, usually with sources available. Snap by comparison was designed to be a walled garden managed by Canonical and package authenticity is a rather serious problem. Flathub is slightly better, but unofficial packages are still not marked as such.

    • @razzeeee 7 months ago +2

      No, but official packages are marked as such

    • @AnEagle 7 months ago

      @razzeeee the actual cli utility doesn't differentiate them to my knowledge

    • @razzeeee 7 months ago

      @AnEagle there is a subset you can filter by

    • @AnEagle 7 months ago +4

      @razzeeee that's nice to know, actually, but I think it would be cool if it showed up when you did stuff like flatpak list

  • @SilverSeleucid 7 months ago +14

    I generally avoid what Stallman and his FSF fanboys say,
    I use open source software when I can, and I use proprietary drivers because I need to and I don't feel like jumping through insane hoops for some philosophical reason.
    FOSS only when it does not ruin my ease of use.

  • @rougenaxela 7 months ago +33

    It seems to me like some of Stallman's concerns are valid, but more about the repositories than the format itself... but we could have repositories that answer those concerns. The answer is there on Android in the form of the F-Droid, an "app store" and repository which only hosts free and open source applications, AND (critically imo) performs builds of the applications from source centrally, based on the publicly accessible code. That addresses a good chunk of the "It's hard to trust these snaps and flatpaks" point.

    • @pandapip1 7 months ago +14

      Sorry to be that person that nitpicks comments, but there are actually some non-open source apps on F-Droid. But they are flagged with the not open source anti-feature.

    • @Daniel_VolumeDown 7 months ago +3

      @pandapip1 Maybe you are talking about apps that source code is no longer available in official developer repo, or source code in official developer repo is not open source (have some closed-source parts). I don't think that f-droid have any open source apps, I didn't encounter it. Can you name one so I can check?

    • @pandapip1 7 months ago

      @Daniel_VolumeDown Inure App Manager

    • @Emancipatriot 7 months ago

      @Daniel_VolumeDown the majority of apps on F droid are open source, you can examine the contents of the package. When the apps contain non free code or rely on non free web content, F droid will disclose it on the page for the app it will tell you.

    • @jamesphillips2285 7 months ago +1

      @Daniel_VolumeDown I know apps are flagged if they make use of proprietary services.

  • @rougenaxela 7 months ago +10

    9:53 I think this tangent is missing the point here. Stallman wasn't talking about the tooling for creating a snap/flatpak in general. He's talking about the source code of individual published applications, and the user being able to tell where the source code is, and have some level of assurance that that version of the source code is precisely what was used to create a particular snap/flatpak binary. As you later point out, yes, often you can look at a manifest and find where the source for something is, but that's not a requirement, and there's usually no assurance that it actually matches the binary package that was uploaded. I would tend to favor having major repositories that built the packages centrally from public code for that sort of reason. It's easier to trust a repository maintainer than trust the weakest link among a whole bunch of application developers. That's not to say there aren't issues with trusting repository maintainers too, but the fewer people you're trusting to produce binaries, the better, all else being equal. In an ideal world you also involve reproducible builds, too, etc.

    • @The_Lawnmower_Man 7 months ago +1

      "but that's not a requirement" -- For Flathub specifically, though, it sure looks like it's a requirement.

    • @The_Lawnmower_Man 7 months ago +1

      When a repo makes its Manifests public (as seen at 11:26 onwards) for the users to inspect, that's pretty much equivalent to how a distro like Arch makes its PKGBUILDs public.

    • @rougenaxela 7 months ago +2

      @The_Lawnmower_Man Well, that's true, Flathub requires a public manifest, but that doesn't necessarily mean much the way it's implemented. It looks like it can just point to downloading some other binary even when an application is not listed as "proprietary"

    • @The_Lawnmower_Man 7 months ago +2

      @rougenaxela That's correct, but traditional distro packages sometimes are also like that.

    • @jamesphillips2285 7 months ago

      @The_Lawnmower_Man EYES HP printer drivers.

  • @lis6502 7 months ago +8

    3:42 oh I disagree so much.
    snaps are app + all needed libs bundled together. Licensed on 'trust me bro'. Difference between precompiled and binary packages is their origin. While latter come mainly from vendor's repositories, the former come mainly from 3rd parties (like github releases). And are ultimately generally dumb idea, because what's the point of having operating system with **shared** libraries if apps come with their own libraries?
    Is it convenient? Sure. Is it good? subject of discussion:)

    • @SnakePlissken25 7 months ago +5

      The perceived convenience is the only selling point for these things, nothing else. It comes at the expense of bloat, and (not always, but often) at the expense of devs having no incentive to maintain their software to be compatible with newer versions of libraries, with bugfixes and security patches - simply because why the hell would they bother, they can just keep using their janky libs from three years ago in a container, because that's what they're used to. It's not good. It keeps software stale, and it encourages mediocrity.

    • @lis6502 7 months ago

      @SnakePlissken25 loool, believe or not, I literally made whole paragraph about bundling "heartbleed libssl" in 2023's snaps but I thought to myself "naah, one will point out that I am RMS himself" :D
      But i can't stress enough that this form of distribution is modern Ubuntu for linux on desktop, serving both edges of the blade of course. After all i am grateful that Canonical made theirs "linux for human beings", despite endless waves of noobs seeking no further but "to just work". Especially mods and power users of these countless forums devoting their time and patience for people that couldn't be bothered with searching forums first ;p.
      Of course snaps won't force Intel to start/ accelerate work on linux drivers for their devices, but maybe out of these 100k new users 10 will stay and 1 will be next key figure in our linux family?
      I hope at least.

    • @AlesStibal 7 months ago

      Containers are whole different level. If we speak about snaps/flatpaks, they are pretty well updated. And provide good foundation for a developers. Unified, sandboxed environment is a win for both sides. User can run his favorite distro and dev has one platform to support.
      I can speak more about snaps - confined snaps are also quite well isolated, not only with "better chroot" but also with plugs/capabilities and possibly apparmor profiles. You can't say that about most of parts of native OS system... even though this is changing already.
      Therefore I would be careful with fast takes on this.

    • @SnakePlissken25 7 months ago

      @AlesStibal Fine, not "containers"; "Bundles"; "Environments", "sandboxes", call them what you will. Whether they're well updated or not depends entirely on the upstream dev; "Pretty well" is an entirely subjective statement; Are they updated in sync with the updates on my distro, that is the real, quantifiable question.
      If there is a critical security issue in a common library, I expect the distro to give a timeline for its update, and I expect the software that depends on that library to be either updated in time for that update if such an update is needed, or to break and stop working, not to sneak another unpatched version of it onto my system without my explicit consent, regardless of whether it's the only piece of software that uses it; I perceive that sort of behaviour as happening at my expense as a sysadmin, as it adds a new patch schedule to keep in mind, in addition to the one provided by the distro, and as disrespectful of me as a user, as, again, explicit consent;
      That is not to mention the redundancy (which is a polite word for bloat; Resources are still finite. Why TF do I need six different versions of mesa on my system, each around 500MiB?????).
      Isolation is not a selling point for me; It's quite the opposite. If I explicitly want isolation, I will use an OCI container, I don't want extra features that add complexity forced on me by arbitrary decisions. As such - Yeah, I kinda want the software to be updated in time, and not at the expense of the drawbacks of isolation.
      Nah man, bundled packaging is a regression to the days of distributing software via static tarballs, only with extra steps, not an "advancement".

    • @AlesStibal 7 months ago

      @SnakePlissken25 It looks bit strange you blame me for using inaccurate or subjective expressions, and then using them too. I don't agree with most of conclusions you made, but that's all fine. Use whatever floats your boat. ;)

  • @UltimusShadow. 7 months ago +11

    Richard Stallman is an international treasure!

  • 6 months ago +2

    There IS a downside to flatpaks and snaps, though. They can increase the memory usage on your system because sharing of libraries between applications is no longer a thing when you use them. Each application has a private copy of all the libraries it uses. You still get sharing between, say, multiple instances of Firefox, but you don't get the same sharing for things like libc if you launch both Firefox and Chromium.

  • @Waitwhat469 7 months ago +7

    7:06 to me, it makes more sense to create reproducible build systems for Flatpaks, distributed storage like IPFS and torrents, signing the builds to systems like cosign, and having the client tools that can check against these systems. So a distro maintainer could set the base config to say only just images built and signed by these trusted groups. Even better start having these build systems build to SLSA spec! I do also think the build and package tooling and code should be downloadable from the same source. This is very much what GUIX is aiming for, but I do very much love OCI and Flatpak images as well. They just don't compare to GUIX or Nix in being able to take a package and modifying it to your hearts content.
    Again, all of the Guix parts are very much inline with what GNU foundations goals are. That users of a system feel empowered as much as possible to modify and tinker with their systems. This is a divergence from the Flatpak, and immutable images concepts of the dev building the system and knowing that the end user isn't messing with their stuff. You can be a flatpak or OCI dev/maintainer, but you aren't expected to be.

    • @Waitwhat469 7 months ago +1

      That said flatpaks and OCI images, imo, can be improvements of giving the user easier access to modify the systems by taking advantage of layering and runtimes, meaning users can play around with apps easier than before without borking their systems.

  • @mercuriete 7 months ago +13

    For me the best distro is Gentoo.
    You can put an allow list or deny list of licences in a file and the package manager won't install packages that don't follow your rules.
    But, you can install flatpak in gentoo which is great. Some applications are difficult to compile.
    Freedom is using your system how you want.
    Executing proprietary binaries is freedom as well if you are not enforced to do so.
    Hakuna Matata.

    • @jannikheidemann3805 7 months ago

      Can you filter flatpaks by license?

    • @mercuriete 7 months ago

      @jannikheidemann3805 that is a good question.
      No, that is a feature that should implement flatpak.
      It would be nice to have it.

  • @CFWhitman 7 months ago +1

    I wanted to clarify the point about non-Free binary code within the kernel.
    The kernel itself does not contain any non-Free binary code, nor are there any non-free drivers shipped with the kernel. This would violate the GPL.
    However, there are non-Free binary firmware blobs usually distributed with the kernel, including distributions from the official sources. These binary firmware blobs are not part of the kernel in any way, and they do not directly interact with the kernel. Instead, they are loaded into the memory of hardware peripherals as a kind of rudimentary operating system (or sometimes not so rudimentary) for the hardware peripheral itself. Then it is the hardware peripheral that interacts with the kernel through drivers that are Free software.
    Often, the difference between a hardware peripheral that requires a binary blob to be loaded from disk and one that does not is just that the one that does not has its firmware stored in a ROM chip on the peripheral. Most external peripherals, like printers, store their firmware on internal ROMs, and may even boot up separately, but during operation their firmware comes just as close to being part of the kernel as the blobs that are usually distributed with the kernel.
    To be clear, Richard Stallman avoids the use of all non-Free software to the extent he finds possible, including non-Free firmware contained on ROMs within hardware peripherals because he feels that all software should be Free software.

  • @Kolor-kode 7 months ago +3

    Stallman such an extremist. There's absolutely no room for discussion or debate with him. It's his way or the highway.

  • @CharlesGriswold 7 months ago +3

    I like free Software. I prefer free software. That said, I also play Skyrim. I know Stallman would disapprove, but Stallman will just have to deal with it.

  • @AndersonPEM
    @AndersonPEM 7 months ago +8

    Yeah Richard I have all the time in the world to compile my entire OS including the kernel and all its packages from scratch.
    These guys live in a self masturbatory virtue bubble. Some people just want to use tools to get things done.

    • @kolz4ever1980
      @kolz4ever1980 7 months ago

      Well like they say. Linux is free if you don't value your time. Sounding like a fake Linux fan is going on here.. 😆

    • @angeldirk00
      @angeldirk00 7 months ago

      hope you're ready to start paying for updates then to cover "remote compilation times" then. Fedora and Ubuntu are going to roll it out next year. flat $20 a month, or $180 for a year

    • @kolz4ever1980
      @kolz4ever1980 7 months ago

      @angeldirk00 hopefully you got another 30+ years to catch up to those paid for updates that will be used day one on a real os instead of some bootleg alternative.. 😂

    • @Rialagma
      @Rialagma 13 days ago

      Some people have principles, others don't.

  • @conan_kudo
    @conan_kudo 7 months ago +1

    In re 9:45, for what it's worth, neither Flathub nor Snap Store require the inputs for producing the Flatpak/Snap to be published. Technically the Firefox and OBS Studio Flatpaks count in this regard as they are not built through Flathub's infrastructure and there's no meaningful way to verify that the build on the store matches what you can produce through the upstream scripts.
    Additionally, here's a counterpoint about distro packaging: a large number of contributors to a very large set of projects are distro packagers. They become contributors as a consequence of packaging and shipping the software, as well as adapting it for their needs and environments. This is incredibly important because it implicitly provides consensus on the nature of building the software and often ensures that dependencies are upgraded as distros upgrade (which is often faster than when the developer notices).
    Keep in mind, without distro packagers, you won't have things like ports of software to new architectures or technologies. They have a place and they're very important for the success of the platform moving forward.

    • @kuhluhOG
      @kuhluhOG 6 months ago

      I also know that some application developers package the software they work on for their distro of choice (and if it's a semi-big project with multiple maintainers, that can mean that they don't use the same distro)

  • @9darkspells
    @9darkspells 7 months ago +3

    The last time I ever used a flatpak, snap, appimage, whichever it was, was a few years ago. It broke, and I went to the dev discord to ask what was up. I got flatly told that my distro had a version of a crypto library that wasn't supported, and had this blamed on me for choosing a dumb distro with stupid package management. (Note: I was on the most up to date version of Debian stable at the time; I can't remember if the library was too old or too new of a version.)
    Ever since, I've not bothered with any of these out-of-band package alternatives. If these solutions can't even deal with the intended use case of making programs agnostic to the specific library versions available on the system, I don't see the point of the headache.
    Devs should do dev work, not packaging work.

  • @johnrickard8512
    @johnrickard8512 7 months ago +5

    While I fully agree with the world that Stallman champions - one where all software is open source and free to distribute and modify, I must concede that we do not yet live in such a world. Sometimes, the only (practical) option is proprietary garbage, and insofar as this is the case, one should be free to install it as they please and, crucially, have that software available for an open platform.

    • @darukutsu
      @darukutsu 7 months ago +4

      It's because people use what they're accustomed to, but if they showed their interest in open software and protested there would be. It's like what Louis Rossmann talks about, how services are bad but many people complain but keep using them.

    • @bigpod
      @bigpod 7 months ago +1

      Reality is we never will; there are a variety of reasons why proprietary software exists and will exist.

    • @jannikheidemann3805
      @jannikheidemann3805 7 months ago

      @bigpod In the digital world scarcity can be alleviated by the ability to make perfect copies of everything.
      It could be a post scarcity world.
      Scarcity is artificially enforced using DRM to generate revenue for the pre-post-scarcity world outside.
      If we can convince the people that a post-scarcity digital world is beneficial to the world outside of the digital we can change the way people think about the exchange of digital goods.

    • @bigpod
      @bigpod 7 months ago

      @jannikheidemann3805 where in my comment am I talking about scarcity of any variety?
      I'm saying there are reasons someone might want their software to remain proprietary, including security, trade secrets, baked-in access keys and so on.

    • @bigpod
      @bigpod 7 months ago +1

      @jannikheidemann3805 and no, DRM doesn't enforce scarcity, it enforces access control for use of a product, because the simple reason is that making something takes money, people and compute (which takes money, electricity and so on), which in turn are scarce. It doesn't matter if something is digital and therefore not scarce if it doesn't exist because nobody created it; we pay for that act.

  • @firstlast-tf3fq
    @firstlast-tf3fq 7 months ago +3

    Stallman is such a self-important bawbag 😂

    • @Rialagma
      @Rialagma 13 days ago

      One of the few men fighting the good fight for software freedom. People making fun of such an important person is gross

  • @MrOrtmeier
    @MrOrtmeier 7 months ago +22

    I respect Stallman a lot because it's essentially thanks to him that we have Free Software and GNU/Linux.
    We would all be using Windows or Mac right now if it weren't for him. So he's done a tremendous amount. But in this case he should have declined to answer, saying he isn't familiar enough with them to comment.
    I do think many a new Linux user would do well to at least watch a video by Stallman explaining Free Software and its importance for user freedom, because otherwise they have no idea and think Linux is just a non-paid OS which they can dump anytime if it isn't as good as Windows, being clueless as to how GNU/Linux is actually protecting their freedom.

    • @oflameo8927
      @oflameo8927 7 months ago +1

      He should know what they are. They are like lisp images for C with a wrapper.

    • @RunePonyRamblings
      @RunePonyRamblings 7 months ago +4

      Stallman doesn't give a rat's ass about user freedom, as that quote clearly demonstrates.
      Furthermore, I think it's a bit silly to act like Stallman is solely responsible for the existence of alternative operating systems. That would require that you ignore BSD, Minix, Haiku, Mach/Darwin, and probably a hundred other projects I don't know off the top of my head, which conceivably could've received more focus in a non-GNU timeline. The GNU Project was just one of many, and it was going nowhere until Torvalds made the Linux kernel. It's just as easy to imagine a scenario where BSD became the preferred FOSS focus.

    • @ImHeadshotSniper
      @ImHeadshotSniper 7 months ago +3

      @RunePonyRamblings I agree entirely. It's similar to the idea of who's responsible for ideas in philosophy, or discoveries in science. While we may credit Socrates with saying something, or Einstein with discovering something, for example, do we really think that nobody else would have ever thought of it, or even had already thought of it uncredited in the past?
      Many things are borderline inevitable to happen for a very good reason, often correlating entirely with "logic", and not some mystically fated prophetic reason like "Stallman was the ONLY person who could do it!".

    • @RunePonyRamblings
      @RunePonyRamblings 7 months ago +3

      @ImHeadshotSniper to be fair, Stallman combining GNU with the Linux kernel was instrumental to Linux catching on as quickly as it did (along with lucky timing coinciding with BSD's legal trouble). But yeah, a FOSS movement was inevitable.

    • @solarizedtrippin
      @solarizedtrippin 7 months ago +1

      Listen to what actual FOSS devs say about GPL vs BSD. Look at X, or any of the BSDs and see the actual massive technical differences that play out between GPL vs BSD software. Perhaps you enjoy using proprietary software but hey "at least I can look at the BSD-backend that was written down somewhere" right? That is fundamentally user freedom, to have access to the source of the software we use. You can dislike Stallman but the GPL is undeniably the source of the FOSS movement. @RunePonyRamblings

  • @yuvalne
    @yuvalne 7 months ago +24

    Stallman has made great contributions to humanity.
    He should have also retired years ago.

  • @serras_
    @serras_ 6 months ago +3

    I kind of agree, at least with the concept that snaps/flatpaks have the potential to be problematic. I think the potential for abuse is just way too high. The last piece of software I want to install is a DRM-heavy corporate binary blob wrapped in a snap/flatpak.

    • @cericat
      @cericat 6 months ago

      But really that's always a possibility with any package that depends on proprietary code, i.e. video drivers. You really have to choose your battles in tech because that crap isn't going away without a major paradigm shift we can't force.

    • @serras_
      @serras_ 6 months ago

      @cericat I don't know what you've been using, but most of the time the only proprietary blobs on my system are codecs. And the only 'popular' binary driver I can think of seems to be always causing problems.

  • @bigpod
    @bigpod 7 months ago

    at the end of the day you can always download the package itself and unpack it when it comes to snaps and see everything about it

  • @SnowTheParrot
    @SnowTheParrot 7 months ago +1

    Great video Brodie,
    and great opinion.

  • @WackoMcGoose
    @WackoMcGoose 7 months ago

    "I have approximate knowledge of many things..."

  • @jannikheidemann3805
    @jannikheidemann3805 7 months ago

    0:52 To be fair, Stallman is also asked about his opinion for a lot of software related things.
    He's famous after all.

  • @VolkerHett
    @VolkerHett 7 months ago +1

    Back in the 1990s Stallman's freedom stopped me from doing what I wanted to do for my company, so I installed OpenBSD on a Mac we had laying around :D
    Ok, I started my IT life with HP-UX, AIX, SCO OpenServer and Informix, but my first unixoid system at home was more or less based on Yggdrasil with Kernel 0.95 running on a 386 with 2MB RAM and a 200MByte SCSI HD.
    Yes, I'm that old! And no, I'm not a Stallman fan although I do like the GPL.

  • @komododragon6126
    @komododragon6126 7 months ago +11

    Wonder what Stallman thinks of Wayland, Pipewire, etc?

    • @vextium
      @vextium 7 months ago +4

      Considering GNU Guix advertises Sway with Wayland support on its front page, I doubt he has a negative opinion towards Wayland and such.

    • @matyasmarkkovacs8336
      @matyasmarkkovacs8336 7 months ago

      Nothing bad, since they are FOSS.

    • @ayveee3811
      @ayveee3811 7 months ago +1

      It'd probably be the same thing as his comment on systemd
      “I’ve never seen it, I’ve never used a system that had it; I know it’s free software, so ethically speaking, it’s not an issue - it’s just a convenience question.”

  • @Tamtam-hh3xv
    @Tamtam-hh3xv 7 months ago +2

    I think that Mr. Stallman is generally against centralization and instead wants a collective distributed control over software distribution. At the end of the day, using snap/flatpak you need to trust the publisher, who is incentivized to make money/ship more features (Wacom drivers spying on you), whereas a distro is ideologically incentivized to protect your privacy.
    I personally think it is more efficient to have centralized packages for all of Linux, which makes it easy for third party developers to target, but I think Mr. Stallman wants a pure libre system with or without these third party devs.

    • @SnakePlissken25
      @SnakePlissken25 7 months ago

      Privacy, end user control, and trustworthiness > efficiency.

    • @bigpod
      @bigpod 7 months ago

      Reality is centralization will exist whether there is one center or 1 million. In all honesty we probably don't want too many of them, 'cause there is little control and even more chance for bad things.

  • @Beryesa.
    @Beryesa. 7 months ago +2

    Aren't those the same folks that discredited non-gnu libre git remotes for not worshipping GNU each minute?

  • @ssokolow
    @ssokolow 7 months ago

    Moreso, it's EASY to build your Flatpaks yourself. You just feed the manifest and an output directory to the flatpak-builder tool... and the build is sandboxed and the manifest contains hashes so you *know* you're only using the listed dependencies and they can't change behind your back.
    Flathub also supports filtering to only show FOSS results in the web UI and adding a filtered view of the repo to the flatpak client so it only ever accesses FOSS-licensed packages.
    Beyond that, Firefox is one of the only packages where upstream is allowed to build the package on their own infrastructure rather than uploading a manifest to the Flathub build farm and letting it do the build.
    (I can vouch for this because I'm the Flathub maintainer for I Have No Tomatoes and did the legwork to get a working build manifest for PySolFC and guide upstream through getting it onto Flathub. I'd have done more if things didn't go pear-shaped for me for a while there and I do still intend to get more classic Linux indie games onto Flathub when I can make time again.)
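
The hash pinning described in the comment above can be checked before a build. This is an added example, not part of the original comment and not Flatpak's own tooling: it walks a flatpak-builder JSON manifest and reports every source that is not pinned by a SHA-256/SHA-512 checksum or a full git commit id. The sample manifest (app id, URLs, hashes, file names) is constructed for illustration.

```python
"""Audit a flatpak-builder JSON manifest for sources that are not pinned."""
import re

STRONG = {"sha256": 64, "sha512": 128}   # checksum key -> expected hex length
WEAK = ("md5", "sha1")                    # legacy digests, treated as insufficient here
DOWNLOADED = {"archive", "file", "extra-data"}


def check_source(src):
    """Return a problem description for one source entry, or None if pinned."""
    kind = src.get("type")
    if kind == "git":
        # A tag or branch can be moved upstream; only a full commit id is fixed.
        if re.fullmatch(r"[0-9a-f]{40}", str(src.get("commit", ""))):
            return None
        ref = src.get("tag") or src.get("branch") or "default branch"
        return f"git source follows movable ref '{ref}' without a full commit id"
    if kind in DOWNLOADED and "url" in src:
        for algo, length in STRONG.items():
            if algo in src:
                if re.fullmatch(rf"[0-9a-f]{{{length}}}", str(src[algo])):
                    return None
                return f"{algo} value is not {length} lowercase hex characters"
        for algo in WEAK:
            if algo in src:
                return f"only a weak checksum ({algo}) is given"
        return "downloaded source has no checksum"
    return None  # local paths, patches, scripts: reviewed together with the manifest


def audit_manifest(manifest):
    """Return a list of (location, problem) pairs for a parsed manifest dict."""
    findings = []

    def walk(modules, prefix):
        for mod in modules:
            if isinstance(mod, str):  # module kept in a separate file
                findings.append((prefix + mod, "module defined in a separate file, audit it too"))
                continue
            name = prefix + mod.get("name", "<unnamed>")
            for i, src in enumerate(mod.get("sources", [])):
                if isinstance(src, str):  # sources kept in a separate file
                    findings.append((f"{name}[{i}]", "sources listed in a separate file, audit it too"))
                    continue
                problem = check_source(src)
                if problem:
                    findings.append((f"{name}[{i}]", problem))
            walk(mod.get("modules", []), name + "/")  # nested modules

    walk(manifest.get("modules", []), "")
    return findings


# Constructed sample manifest: every name, URL and hash below is made up.
SAMPLE_MANIFEST = {
    "app-id": "org.example.Demo",
    "runtime": "org.freedesktop.Platform",
    "sdk": "org.freedesktop.Sdk",
    "command": "demo",
    "modules": [
        {"name": "libfoo", "sources": [
            {"type": "archive", "url": "https://example.org/libfoo-1.0.tar.gz",
             "sha256": "ab" * 32}]},
        {"name": "libbar", "sources": [
            {"type": "git", "url": "https://example.org/libbar.git", "tag": "v1.2.0"}]},
        {"name": "demo",
         "sources": [
             {"type": "git", "url": "https://example.org/demo.git",
              "commit": "0123456789abcdef0123456789abcdef01234567"},
             {"type": "archive", "url": "https://example.org/assets.tar.xz"},
             {"type": "patch", "path": "fix-build.patch"}],
         "modules": [
             {"name": "helper", "sources": [
                 {"type": "file", "url": "https://example.org/helper.bin",
                  "sha1": "cd" * 20}]}]},
        "vendor/extra.json",
    ],
}

if __name__ == "__main__":
    for location, problem in audit_manifest(SAMPLE_MANIFEST):
        print(f"{location}: {problem}")
```

A real manifest stored as JSON can be loaded with `json.load` and passed to `audit_manifest`; an empty result means every downloaded or git source in that file is pinned.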

  • @pcallycat9043
    @pcallycat9043 6 months ago +1

    I dread the day all the distributions switch to this 'dream ideology' of flatpaks for everything that's 'not different'. If the Linux market share was more I'd buy stock in hard drive manufacturers. Funny that Microsoft has spent years minimizing duplicate libraries, and the Linux community can't wait to get a copy of every library for every application.

  • @JohnJohnson-dl8oq
    @JohnJohnson-dl8oq 7 months ago +2

    Stallman can talk out of his ass about many topics.
    I did enjoy your take on snaps and flatpaks though.

  • @formbi
    @formbi 7 months ago

    12:57 in Guix you can quite easily verify if a substitute is identical to your local build (guix challenge)

  • @VioletRM
    @VioletRM 7 months ago +2

    The description has a typo in it, "Stallma"

  • @spell105
    @spell105 7 months ago +1

    10:20 You completely misunderstood what Stallman meant. He means that he doesn't know if the application inside of the Flatpak has non-free software. He doesn't know if the source of all the software in the snap is available.

    • @BrodieRobertson
      @BrodieRobertson  7 months ago

      That's not what he said though

    • @spell105
      @spell105 7 months ago

      @BrodieRobertson It is completely what he said; but you also seem to think that sharing a private key isn't a big deal in "some circumstances" so... I wouldn't be surprised if you couldn't get the gist of what he said:
      "How do I know whether that flatpak [as in, THE BUNDLED SOFTWARE, not the flatpak system or how it's made] includes some non-free software. How could I check? I don't think they're designed to let people check."
      And he would be right. There is no simple or convenient way to check whether a snap includes non-free software or not. No, a repo with the build script does not count. We're talking about source availability here.
      Most people might not care (I certainly do not), but that doesn't make him wrong.

    • @BrodieRobertson
      @BrodieRobertson  7 months ago

      @spell105 if build scripts don't count when you can build it yourself and verify it then source code also doesn't count

  • @nonetrix3066
    @nonetrix3066 7 months ago +4

    Honestly I wouldn't be surprised if you could make Flatpak build things from source if you forked it, might also be able to add make flags etc. Like Gentoo

    • @spl420
      @spl420 7 months ago +1

      Build steps in case of Flathub's manifests are just download manifest and
      flatpak-builder --install thing
      So there's not a lot to automate.

    • @terrydaktyllus1320
      @terrydaktyllus1320 7 months ago

      So why not just use Gentoo then? It has worked for me for 20 years, I could care less about "universal package managers", Gentoo's Portage package manager does all I need.
      Yes, Gentoo has a huge learning curve, at least initially, so you sound like someone who knows what the problem is but is desperate not to have to put in the necessary time and effort to teach themselves how to fix the problem.

    • @nonetrix3066
      @nonetrix3066 7 months ago

      @terrydaktyllus1320 You could have a lot of the benefits of Gentoo on any distro and on a selective basis, not to mention you have sandboxing etc. Also because why not?

    • @ok-tr1nw
      @ok-tr1nw 7 months ago

      Flatpak kinda already does this
      You just check the build manifest for source code/binaries used, and you can add flags to the sources section of said file

  • @mactan_sc
    @mactan_sc 7 months ago +1

    same vibe as refusing to differentiate between Wayland and its implementations

  • @psybertao
    @psybertao 6 months ago

    Packaging proprietary software is what I feel Snaps and Flats are for. Proprietary software requires the dependencies it was built against, open-source software can be rebuilt against the dependencies.

  • @Jmvars
    @Jmvars 7 months ago +2

    I like Stallman, but he's too extreme for me. A good compromise for me is to use as much free software as I possibly can. If I can find an alternative to proprietary software, I will use it, but if not I'll still use the proprietary software.

    • @MH_VOID
      @MH_VOID 7 months ago

      Ironically, I am officially more extreme than him, because for some reason he finds the conclusion that licensing a program "under a noncopyleft free software license, such as the X11 license" is unethical "unacceptably extreme".
      Direct quote from the GNU site's selling-exceptions article by him: "So either we have to conclude that it's wrong to release anything under the X11 license - a conclusion I find unacceptably extreme - or reject the implication. Using a noncopyleft license is weak, and usually an inferior choice, but it's not wrong."
      It is wrong - any support of unethical products, period, is wrong, though you can be within your rights to do so, so long as you don't actually release unethical products yourself. But then again, this is the guy who doesn't approve of the SSPL - a license which simply patches up one of the major flaws of the GNU AGPL.

  • @seedney
    @seedney 7 months ago

    How do you know if a flatpak is built with that source available and not other??

  • @GSBarlev
    @GSBarlev 7 months ago +1

    Ah, okay. Stallman actually has a valid point here, though I don't even think _he_ realizes it. He's saying that Debian, Fedora and Arch play a vital role as _gatekeepers_ who audit the software that's included, even in their nonfree repos. The reason PPAs and the AUR exist is that the distro maintainers (leaders in the free software movement) don't deem that software as an essential part of their experience.
    Stallman's concern is that the rise of Flatpaks means that people won't be installing the "Debian-approved" build of Blender or Firefox, but the _developer-approved_ bundles, and that this will encourage bad habits. Audacity is a good example. They're FOSS, but they threw in telemetry on a whim, and there was little stopping the Flatpak version from _immediately_ going out to users.
    To be clear: while I would agree with this stance if distros had all the staffing and funding in the world, *they don't,* and the amount of time and the effort spent reviewing and repackaging software across a dozen distros is squandering precious resources.
    I also think Flatpak's sandboxing-by-default and dependency isolation features more than outweigh this lack of review.
    Especially because, ultimately, _these are our systems,_ we're going to install the software we want, and having to apt-add a PPA has never deterred me in the past.

  • @gpisic
    @gpisic 7 months ago

    Given some time a fart becomes old and irrelevant to the point you can't smell it anymore.

  • @alphaomega154
    @alphaomega154 7 months ago

    Just to add, the Debian provided pipewire and wireplumber set works perfect. Before, the ones I get from AUR and flatpak had problems, like easy effects can not pass through permission to start as daemon etc. Now it is running well. No flatpak involved.

  • @SeekingTheLoveThatGodMeans7648

    One could argue that Stallman, being solicitous for (ideally) everything being FOSS, should be assiduously following the snap and flatpak ecosystems that pose theoretical dangers to it. If he did, he'd probably have some useful suggestions, perhaps for how to make it as easy as possible to determine or ensure that a given snap or flatpak is in fact all FOSS, and to warn about those that aren't. (After all it, or any other binary package distribution, could claim so and yet be incorrect either accidentally or intentionally.) Being absolute doctrinaire about any philosophy of the world has a way of blinding a soul.

  •  7 months ago

    The problem Stallman has mainly with Flatpaks is the fact it comes with versions of all common system libraries. If one of those libraries has a vulnerability in it, your system is compromised, without even knowing it, because you think your entire system is up to date. Would you be at ease with a flatpak of something having your personal information, having a vulnerable implementation of OpenSSL? That's the dilemma we have to get through with how those packages are made. It's the same dilemma with proprietary software, you don't really know what's included in it. If I have a vulnerable package with classic packages, I can update only the package itself, I can audit for security, and I know it's there; good luck doing that with flatpaks. Just compare some general packages with Flatpaks: for a 50MB software, you end up installing 1.2GB of libraries and who knows what at this point on your machine with that entire sandbox. Debugging it is also impossible really, which is one of the core principles of Linux: being able to debug, troubleshoot, make a patch and send it to the dev/maintainer. It's huge problems for very little convenience.

  • @ratatouillegamer7132
    @ratatouillegamer7132 7 months ago

    can be good if FSF builds an internal freedesktop runtime without things that can break the GPL and use FFMPEG using just GPL modules including the GStreamer too, and have just free software apps

  • @damianateiro
    @damianateiro 7 months ago +1

    The only thing I respect about him is that he created the GNU base, but with the rest it seems to me that he has no idea what he's talking about, or he's very much in his free software cloud.

  • @Beryesa.
    @Beryesa. 7 months ago +1

    Huh, someone is offended that flatpak runs on gnu-less distros /s

  • @katzownsu
    @katzownsu 7 months ago +1

    Typo in the description lol
    (Stallma is supposed to be Stallman, first word in the desc)

    • @Aeduo
      @Aeduo 7 months ago

      Maybe it's a ligma joke.

  • @nonsense909
    @nonsense909 7 months ago +4

    I think I know how Stallman meant it. It could be a similar reason why Debian is not seen as a recommended distro by the FSF - because the user COULD install non-free software when he wants to and this is a big problem for the FSF. And with snaps/flatpaks the user COULD install non-free software too, so I think this is an instant killer argument for Stallman

    • @mudi2000a
      @mudi2000a 7 months ago +3

      Well for me it is freedom if I can install what I want. Free software or not. It is none of the FSF's business.

    • @hikkamorii
      @hikkamorii 7 months ago +1

      I think issue with Debian was that they provided optional repository with proprietary packages (haven't used Debian in a while, so I may be wrong), with non-free codecs, blobs and drivers.

    • @nonsense909
      @nonsense909 7 months ago +1

      @hikkamorii yeah, iirc this was the case

  • @sweetbabyalaska
    @sweetbabyalaska 7 months ago +6

    I just think it's weird how many adult grown men literally wait around for Stallman's opinions on things just so they can parrot them as if they were some kind of law or something (not you btw, just a lot of Linux users)

  • @pewpewmuere
    @pewpewmuere 7 months ago

    13:39

  • @jamesphillips2285
    @jamesphillips2285 7 months ago +1

    7:24 Putting private keys into a binary blob does not solve the problem.
    The install script should generate private keys as needed.

    • @bigpod
      @bigpod 7 months ago +1

      These are private keys for third-party services like YouTube and Twitch. And install script? What is an install script? Most package technologies basically spew the content of the archive onto your file system and then maybe run a command, but prefer not to.

  • @ChrispyNut
    @ChrispyNut 7 months ago +15

    The problem I have with Stallman, as demonstrated here is, he's a fanatic and they can't be trusted because their perception is skewed from that of reality.
    I'm glad he exists, he's done a huge amount of good, but nothing's perfect.

    • @phillipanselmo8540
      @phillipanselmo8540 7 months ago +1

      fanatic? fanatic of what?

    • @WoodsSooperDooperShop
      @WoodsSooperDooperShop 7 months ago +1

      Does you not subscribing to him because he is too resolute in what you think not just show weakness on your part instead of error in him?

    • @benign4823
      @benign4823 7 months ago +4

      @phillipanselmo8540 Fanatic of software respecting the user's freedom, awful I know.

    • @ChrispyNut
      @ChrispyNut 7 months ago +4

      @WoodsSooperDooperShop Every individual word you typed, is English. The comment as a whole however, is gibberish.

    • @absalomdraconis
      @absalomdraconis 7 months ago

      @ChrispyNut: Not gibberish, but certainly irrational from the instigation of fanaticism.

  • @methanbreather
    @methanbreather 6 months ago

    tbh, flatpak and snap are just the admission that dynamic linking is fundamentally broken.
    What problem do they solve that is not better and easier done with static linking?

  • @slimegirl9878
    @slimegirl9878 7 months ago +5

    Just don’t ask stallman about the age of consent

  • @esra_erimez
    @esra_erimez 7 months ago +17

    If you have ever watched a Richard Stallman interview, he's very thoughtful in his answers. In my humble opinion, he's a highly intelligent person. Let's keep in mind that Linus would have not had a compiler to write Linux with if it wasn't for RMS. In an ideal world, we'd only have free software.

    • @justinmalcolm6287
      @justinmalcolm6287 7 months ago +18

      GCC was not the only compiler around. Minix had the Amsterdam Compiler Toolkit. There were other "free" compilers as well. The Portable C Compiler was used to write BSD long before Linux existed. Linus has said that if he knew about 386BSD he may not have created Linux. The major role of GCC may have been to keep Linus from looking too hard. I think that Dave Conroy wrote GCC though. That said, your points are valid. GCC was the most available free compiler on i386 at the time. RMS is clearly intelligent. The GNU Project is certainly historically important. We are lucky to have Linux.

    • @hansdampf2284
      @hansdampf2284 7 months ago +3

      Now that is a bit of an exaggeration as well, as rms did not invent C compilers

    • @plebisMaximus
      @plebisMaximus 7 months ago

      Highly intelligent people don't talk out their ass about stuff they don't know anything about. He was a talented programmer way back when, that's about it. Now he's just an extremist zealot.

    • @esra_erimez
      @esra_erimez 7 months ago +1

      @justinmalcolm6287 Well said!

    • @anon_y_mousse
      @anon_y_mousse 7 months ago +1

      @justinmalcolm6287 Interesting list of acknowledgements which I think illustrate that Stallman wasn't as integral to pushing the movement forward as everyone likes to think. It's not as though other languages couldn't have replaced C as the language of choice for developers at the time, and there have been multiple operating systems that were written in Pascal from that time. However, if one of the BSD variants had won that particular popularity contest instead of Linux, we might actually have a better open source landscape as the BSD licensing is significantly more free than the GPL.

  • @conceptrat
    @conceptrat 7 months ago +1

    I don't like Green Eggs and Ham Sam I Am. I don't like Green Eggs and Ham. I don't like them ...

  • @ltxr9973
    @ltxr9973 7 months ago

    Yeah, just RMS being RMS. It's annoying at times but without him it would be even more annoying. I do agree though that it's nice when you have the choice between using a flatpak/snap or something from your default package manager. Also appimages are great! You can just extract them and laugh at the container autism.

  • @LucianC137
    @LucianC137 7 months ago +2

    Stallman apologists are coping hard in the comment section.

  • @Felinaro
    @Felinaro 6 months ago

    Main reason to use flatpak (for me) is... because I don't trust the application and its possible bugs! It's just a security thing: don't allow your browser to access your file system, and it just can't do a bad thing, even if it wants to. Yes, it's possible to acquire the same behaviour by utilizing selinux, apparmor or plain cgroups, but why do things flatpak is already doing?

  • @jannikheidemann3805
    @jannikheidemann3805 7 months ago

    5:12 There is a kind of freedom, in the sense of one meaning of that word, which you can't have more or less of.
    Either you are free, or you aren't.
    Kind of like you can only ever be alive or dead.
    I think this absolute and binary freedom is what Richard Stallman deems as most important when it comes to software.
    It's about being _really_ free.
    Not just to a certain degree,
    completely free.

  • @liamf7072
    @liamf7072 7 months ago +1

    As long as snaps auto-update with no ability to disable that feature, they're garbage.

  • @user-bv1hg8vo5h
    @user-bv1hg8vo5h 7 months ago

    Those that give up freedom for easy don't deserve it. Fools always try to lead others into chains.

  • @bigl9527
    @bigl9527 7 months ago +1

    The beard looks cool tho

  • @patryk4815
    @patryk4815 7 months ago

    What about nix? It behaves the same as flatpak/snap.

  • @Walker956
    @Walker956 7 months ago

    what the hell is that weird outro "music" are they killing a cat or something?

  • @theParticleGod
    @theParticleGod 6 months ago +1

    I actually am very fond of Richard Stallman, but he's crazy. The personality traits which were necessary to found the free software foundation and lead the creation of a fully open source clone of Unix are those of a fanatical zealot. Those attributes are not required so much anymore, and there are people who are much more capable of outreach while sharing the same fundamentalist viewpoint.
    The result of which is that for the last 15-20 years, he has been increasingly out of touch with the average user of GNU software, like for instance from his point of view the whole idea of "open source" is a backing down from the concept of "free software" to compromise with people who want to limit your personal freedom to do whatever you want with your own computer.
    It must be hard for someone whose work was so fundamental to have watched watered down versions of his ideas promoted by people who don't really care about human rights, become mainstream while his original vision is sidelined, to then come to the table and not sound like an angry lunatic who practically froths at the mouth with evangelism.
    I cherish RMS though, because ultimately he's right about free software. We wouldn't tolerate it if companies wanted to impose aftermarket limitations on what we could do with, say, a hammer. We're allowed to use and modify most objects that we own in more or less any way we want, as long as we don't cause harm to other people. But for some reason when it comes to software, as a society we practically bend over, drop our pants and apply the KY jelly so that corporations can insert whatever they want whenever they want.

  • @alphaomega154
    @alphaomega154 7 months ago

    I just removed all flatpak versions of apps I used, and use the Debian versions of them instead. Guess what, some of those that didn't work before work just fine now. I don't know about stores that sell non free software good or bad or not, I had BAD experiences with flatpak apps. Period. And I'm not the only one.

    • @averdadeeumaso4003
      @averdadeeumaso4003 6 months ago

      There's the Flatseal app, which handles permissions of flatpak apps. By default, flatpak apps have a lot of permissions off/restricted, which one can turn on for more functionality.
      I had a problem with Brave browser installed, it didn't remember which folder I saved a downloaded file in, until I gave it permission to browse directories through Flatseal.

  • @ccf_1004
    @ccf_1004 1 month ago

    I dislike using flatpaks or any sort of containerized packages, so I always avoid them where possible (Even as far as to installing a different distro on my Steam Deck lol)
    However, I think they're a good choice for Linux newbies.

  • @dexterman6361
    @dexterman6361 7 months ago

    Flatpaks are nice, but their security model isn't good. It is not secure from what I've seen in the sense that it seems to be a bad sandbox.
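How confined a given Flatpak really is depends on the permissions it is granted, which is the common thread in the comments above about filesystem access, Flatseal and sandbox quality. The following is an added example, not from the video or any commenter: it parses metadata in the keyfile format printed by `flatpak info --show-permissions <app-id>` and lists grants that largely open the sandbox. Both metadata samples and the app names are constructed, and the set of grants treated as broad is an assumption to tune.

```python
import configparser

# Grants that largely defeat confinement. Assumed starting list, tune locally.
BROAD_FILESYSTEMS = {"host", "host-os", "host-etc", "home"}
BROAD_SOCKETS = {"x11", "session-bus", "system-bus"}

def parse_metadata(text):
    """Parse Flatpak keyfile metadata into {section: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str  # keep case: D-Bus names are case-sensitive
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}

def split_list(value):
    """Keyfile lists are ';'-separated with a trailing ';'."""
    return [item for item in value.split(";") if item]

def audit(text):
    """Return the sandbox-weakening grants found in one app's metadata."""
    meta = parse_metadata(text)
    ctx = meta.get("Context", {})
    findings = []
    for entry in split_list(ctx.get("filesystems", "")):
        if entry.startswith("!"):
            continue  # negated entry: access explicitly removed by an override
        path, _, mode = entry.partition(":")
        if path in BROAD_FILESYSTEMS:
            access = "read-only" if mode == "ro" else "read-write"
            findings.append(f"filesystem={path} ({access})")
    for sock in split_list(ctx.get("sockets", "")):
        if sock in BROAD_SOCKETS:
            findings.append(f"socket={sock}")
    if "all" in split_list(ctx.get("devices", "")):
        findings.append("device=all")
    # Talking to the Flatpak session service lets an app ask for host processes.
    policy = meta.get("Session Bus Policy", {})
    if policy.get("org.freedesktop.Flatpak") in ("talk", "own"):
        findings.append("talk-name=org.freedesktop.Flatpak (can start host processes)")
    return findings

# Constructed sample: a tightly confined app.
CONFINED_SAMPLE = """\
[Application]
name=org.example.Viewer
runtime=org.freedesktop.Platform/x86_64/23.08

[Context]
shared=ipc;
sockets=wayland;fallback-x11;
devices=dri;
filesystems=xdg-download:ro;
"""

# Constructed sample: an app whose grants leave little of the sandbox.
OPEN_SAMPLE = """\
[Application]
name=org.example.Editor
runtime=org.freedesktop.Platform/x86_64/23.08

[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
devices=all;
filesystems=host;home:ro;xdg-config/example:create;

[Session Bus Policy]
org.freedesktop.Notifications=talk
org.freedesktop.Flatpak=talk
"""

if __name__ == "__main__":
    for label, sample in (("Viewer", CONFINED_SAMPLE), ("Editor", OPEN_SAMPLE)):
        print(label, audit(sample) or "no broad grants")
```

Grants flagged this way can be narrowed per app with `flatpak override` or in Flatseal, which is the tool mentioned in the reply above.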

  • @thegittubaba
    @thegittubaba 6 months ago

    I for one agree with Stallman on this. Spend the effort and build deb/rpm. These flatpak/snaps are against Linux ethos.

  • @anon_y_mousse
    @anon_y_mousse 7 months ago +1

    I'll say it again, Stallman has been a hindrance on the free software movement, not a driver of it. It's his stringency towards what qualifies as free software that really holds everything back. However, he's right in this particular instance, but he's also not criticizing the technology itself either. He's basically just criticizing binary distributions of packages, which is a general complaint that'll be valid for any method of binary distribution as not every source will show you the build instructions and point you to the source used to build the package. That's not to say that I agree with his stance because while I wish everything was open source I'll use closed source without a problem. One final note, which I've mentioned before in various places but maybe neglected to say here, is that open source was pretty much the norm before software companies started taking over. We had source code printed in manuals and in magazines and posted on bulletin boards, and not the electronic variety. It's the greedy corporations that screwed things up, but they were enabled by governments that didn't understand the technology nor what was going wrong.

    • @FreeSalesTips
      @FreeSalesTips 7 months ago

      It's a mistake to think that it is the mission of the free software movement to be highly popular, you are confused to think that there is a mission for the mass adoption of free software. The principle of the free software movement is that _a free society deserves free software_ and that anybody who chooses to install proprietary software cannot have freedom. This is the principle you need to understand if you want to understand the Free Software Foundation (and Richard Stallman) in its proper context.
      The people who are holding back free software are the people who insist on developing and distributing proprietary software.

    • @anon_y_mousse
      @anon_y_mousse 7 months ago

      @@FreeSalesTips Striving for free software, as in open source and completely user modifiable, is an admirable goal, but it shouldn't be the only thing to be focused on. Popularity is important if you wish for people to adopt this way of life. You can't merely espouse doom and gloom and say you're a prisoner or some such because they choose to settle for what they can get that still allows them to do most of the things they want to do. And you certainly can't lie to them and say that everything will work and be better because that kind of thing is only valid on a case by case basis and not for the whole. If everyone adopted free software, including the companies making money from software, then the world would indeed be a better place, but it's not something that's going to happen overnight and companies need to be taught that they can still make a profit by releasing the source code to their software. Once they believe that truth, things will change for the better.

    • @FreeSalesTips
      @FreeSalesTips 7 months ago

      @@anon_y_mousse It's a mistake to conflate "open source software" as a synonym for "free software". The Free Software Foundation and Richard Stallman promotes that _free software is the ethical solution to the social problem of proprietary software_ . The Open Source Initiative rejects the ethics of the Free Software Movement, it promotes the practical benefits of free software while ignoring the ethical morality of proprietary software. Please don't conflate these ideas to be synonyms.
      I am an activist who promotes user software freedom through free software. I agree with the ethical stance that proprietary software is an immoral force for a free society. I teach people about this political opinion and point them towards free software as the ethical solution. Proprietary software is inherently doom and gloom, there is no denying the fact that users are subjugated prisoners every time they accept and choose proprietary software. I tell the truth that proprietary software can be convenient and powerful to use, I don't deny this reason for choosing proprietary software. I don't promote free software on the grounds of being more convenient or more powerful; however it doesn't mean that free software is inherently difficult or weak in features. I always promote free software on the grounds that it is the ethical solution to the social problem of proprietary software. Sometimes people do not care about this morality; that is not my problem, I cannot make that choice for them.

    • @anon_y_mousse
      @anon_y_mousse 7 months ago

      @@FreeSalesTips While I can agree with and admire your idealism, the way you get the message out seems counterproductive to me. You know the old saying, you can catch more flies with honey. Oddly, I think a company that's heavily invested in proprietary software, Valve, may actually increase adoption better than anyone that came before them because of how they're promoting the concept. Maybe you disagree with that viewpoint?

    • @FreeSalesTips
      @FreeSalesTips 7 months ago

      @@anon_y_mousse I have two ideas of "productivity" in regards to free software. The first productivity is to promote an ethical dimension to the distribution of software; i.e. proprietary software is an immoral social concept: proprietary software subjugates users to control their own computer and proprietary software keeps communities divided from sharing with one another. The second productivity is in the writing, development, and sharing of free software. I actively promote the ethics of free software, this knowledge is more important for me to share. Whether my audience accepts or rejects this message isn't my problem.
      I don't promote free software on the basis that it's more convenient or more powerful. This is a shallow way of reasoning to promote free software. The counter to this kind of reasoning is that proprietary software can become more convenient and more powerful; people who choose on the basis of convenience will logically choose the more convenient proprietary software. I make the ethics of free software to be the primary focus, I try to convince particular individuals who also believe that freedom is highly important. With this foundation of freedom, the powerful and convenient free software can follow afterwards because the community can work together to make it happen.

  • @Bruno_Haible
    @Bruno_Haible 7 months ago +4

    7:38 This is precisely Stallman's argument: You have just confirmed that OBS flatpaks are not free software!

    • @The_Lawnmower_Man
      @The_Lawnmower_Man 7 months ago +1

      No, that isn't his argument. In the interview, he said that " _I don't think_ [flatpak and snap] _are designed to let people check_ " whether or not an individual package contains non-free software.
      And in the case of Flathub specifically, he's *incorrect* about that. As the section of the video starting at 11:26 shows, each Flathub package's webpage has a link to the Manifest for that package; this is just like how each package in the official distro-package repositories for Arch or Debian has its source-package build files linked to from the distro's website.

    • @The_Lawnmower_Man
      @The_Lawnmower_Man 7 months ago

      (redundant comment removed -- spam filter is a nuisance...)

    • @BrodieRobertson
      @BrodieRobertson  7 months ago

      Some flatpaks are free software some aren't, in the OBS case the build includes a private key that isn't shared to the public. I don't know if 1 line of non code change stops something being free software though

    • @Bruno_Haible
      @Bruno_Haible 7 months ago +2

      @@BrodieRobertson If that private key is relevant to the functionality of the package, it means that normal users who rebuild the package by themselves will not get a fully functional package. Thus it is not free software.

    • @BrodieRobertson
      @BrodieRobertson  7 months ago

      @@Bruno_Haible fair enough

  • @brandishwar
    @brandishwar 6 months ago

    I've read some of Stallman's writings back when I first started using Linux about 25 years ago. And I've always been one to lean toward pragmatism over dogmatism. And Stallman has always rubbed me as dogmatic. Being pragmatic means... use what meets your requirements, whether open or closed source. Since I'm a photographer, this would mean using Photoshop and Lightroom instead of GIMP and Darktable, respectively. (Mostly. There are some places where I do use GIMP.) Being dogmatic, on the other hand, is to never not use open source, and if what you've found doesn't meet your requirements, modify it so it does. Except, even though I'm also a software developer, I don't have the knowledge necessary to add features or functionality to GIMP to give parity to Photoshop.

    • @theParticleGod
      @theParticleGod 6 months ago +1

      If Stallman was pragmatic, he would accept things the way they are and it's unlikely the open source movement would exist in the form it does today.
      I've heard it said that all change is dependent on unreasonable men.

    • @brandishwar
      @brandishwar 6 months ago

      @@theParticleGod Being pragmatic means leaning toward what is practical. And a lot of Stallman's philosophies lean heavily away from practicality. Practical doesn't mean adhering to the status quo. It does mean that in considering changes to the status quo, you go for what is practical over dogmatic adherence to a particular philosophy. And dogmatic adherence is what Stallman desires, as evidenced in his word choice regarding snaps and flatpaks. I've seen similar language from militant vegans.
      And with software, practicality means making what you write open source if you choose, but not requiring the same of everyone else if they don't have the same desire to do so. Which runs counter to what the GPL requires, which is why I've never agreed that the GPL has anything to do with "freedom". The Apache and MIT licenses are more free than the GPL. Practicality also means considering requirements and whether proprietary or open source software will meet those requirements - leaning toward open source since that tends to be free of cost - over ignoring requirements for a dogmatic adherence to "open source or nothing".

  • @mskiptr
    @mskiptr 7 months ago +1

    And as usual, YT has shadowhammered one of my comments.
    Brodie, could you take the extra effort and look for it? It should show up when you sort everything 'by newest'.

    • @BrodieRobertson
      @BrodieRobertson  7 months ago

      Sometimes YouTube just deletes a comment and even I can't see it

    • @mskiptr
      @mskiptr 7 months ago

      @@BrodieRobertson I have plenty of experience with that too. But right now it's still there. It just doesn't show up unless a) I'm logged in or b) I change how the comments are sorted.

  • @This_Guy-
    @This_Guy- 7 months ago

    I have a burning hatred for flatpak and snaps. I am someone who doesn't want my Linux to change, but when Linux completely changes then I'll drink my tears and move on

  • @bobbybologna3029
    @bobbybologna3029 1 month ago

    He's crazy, but he's our crazy.

  • @CTimmerman
    @CTimmerman 6 months ago

    Sounds like Stallman's getting old or replaced himself with an LLM.

  • @NetRolller3D
    @NetRolller3D 6 months ago

    IMO the only real valid use case for something like linux-libre is when building systems requiring extreme security and auditability, such as voting machines, or CI boxes for cryptocurrency software.
    But in that case, even being free isn't enough; what you need is bootstrappable software that minimizes the amount of previously built binaries needed to rebuild the system from source (to prevent "trusting trust"-type attacks where the compiler injects unknown self-propagating code into its output). Guix is making good progress in this direction, but is IMO not quite there yet.

    • @FreeSalesTips
      @FreeSalesTips 6 months ago

      Free software is the key to the issue of "trusting trust" malicious software. You just write your own free software bootstrapping compiler and bootstrapping system that is "easy to verify". From there, the bootstrapping system will then bootstrap "the real system" and everything is good after that.

    • @NetRolller3D
      @NetRolller3D 6 months ago

      @@FreeSalesTips So long as you're writing and verifying your bootstrap compiler on a system that has untrusted binaries on it, those untrusted binaries get a chance to subvert verification. For example, your hex editor or disassembler could be showing you a clean version of the code, while the one that's actually executed is compromised.

    • @FreeSalesTips
      @FreeSalesTips 6 months ago

      @@NetRolller3D I don't understand why an untrustworthy binary is able to distinguish the difference between displaying clean code while at the same time, executing the hidden untrusted code. To me, that sounds as ridiculous as the fabled "evil bit".
      Even assuming that was the case, I don't know how such code would even enter a computer that was being bootstrapped with a trusted bootstrapper sequence. I would assume that the bootstrapper sequence would be the only existence in the computer and its only purpose is to (retrieve and) bootstrap the more difficult-to-verify _primary software system_ .

    • @NetRolller3D
      @NetRolller3D 6 months ago

      @@FreeSalesTips The issue is with creating the trusted bootstrap image. By definition, you're creating this image on an untrusted (or less trusted) system, that wasn't yet fully bootstrapped from source. Therefore, the tools you use to create, verify and analyze the image (before using it) may potentially harbor Trusting Trust-style backdoors. For example, the C compiler might inject Ken Thompson's classic self-propagating payload into the bootstrap compiler, and then the analysis tools, themselves also subverted, recognize the payload, and hide it from view. To the developer and auditor, it looks like the bootstrap image is clean, with no payload propagating from the host system into the bootstrapped one - but in reality, the payload is there, just hidden.
      The solution is to use a minimal binary seed (less than 512 bytes is the goal for most such projects), and then design the bootstrap sequence such that it permits auditing _on the bootstrapped system_ as early as possible - for example, the initial seed might print out any code it compiles or interprets, before executing it, with the printout logged in some secure way (e.g. on analog tape or paper). This way, on the target system, no code is able to execute, and potentially hide its tracks, before it becomes available for auditing - with the exception of the seed binary, whose minimal size ensures that there's no space to hide a payload.

    • @FreeSalesTips
      @FreeSalesTips 6 months ago

      @@NetRolller3D So for this to happen, there must be a sequence of treacherous software that specifically identifies a particular signature of treachery and then hide all that treasonous code in some undefined circumstance while also executing in some undefined circumstance.
      So I was right, we just write our own bootstrapping sequence that is feasible to verify. Publish that sequence as free software and everybody can benefit from this countermeasure of Trusting Trust.
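The thread above turns on one mechanism: a seed that records every input before translating it, so that an auditor can later rebuild each stage from the record alone and notice any binary that differs from what was shown. The following is an added model of that idea in Python, not code from any commenter or bootstrapping project; the hex-with-comments stage format, the stage names and the sample bytes are all constructed, and a real seed would be a tiny audited binary writing to a log it cannot rewrite.

```python
import hashlib

GENESIS = "0" * 64  # constructed start value for the hash chain

def decode_hex_stage(source):
    """Translate hex-with-comments text to bytes; '#' starts a comment."""
    digits = "".join(
        ch
        for line in source.splitlines()
        for ch in line.split("#", 1)[0]
        if not ch.isspace()
    )
    return bytes.fromhex(digits)  # ValueError on non-hex or odd-length input

def chain(prev, name, source):
    """Digest that commits to the previous entry, the stage name and its text."""
    return hashlib.sha256(f"{prev}\n{name}\n{source}".encode()).hexdigest()

class StageLoader:
    """Models a seed that logs each stage's exact input before using it."""

    def __init__(self):
        self.log = []       # append-only: (name, source, chained digest)
        self.head = GENESIS

    def load(self, name, source):
        self.head = chain(self.head, name, source)
        self.log.append((name, source, self.head))  # record first ...
        return decode_hex_stage(source)             # ... then translate

def audit(log, head, binaries):
    """Rebuild every stage from the log alone and return a list of problems."""
    problems, prev = [], GENESIS
    for name, source, digest in log:
        prev = chain(prev, name, source)
        if prev != digest:
            problems.append(f"{name}: log entry does not match chain")
            break
        if decode_hex_stage(source) != binaries.get(name):
            problems.append(f"{name}: binary differs from logged source")
    else:
        if prev != head:
            problems.append("log head mismatch")
    return problems

# Constructed stage inputs; the bytes are arbitrary, not real programs.
STAGE1 = "01 02 03 04  # constructed header\n0a 0b        # constructed body\n"
STAGE2 = "de ad be ef  # constructed\n"

def run_sample():
    """Load both stages and return (loader, binaries) for auditing."""
    loader = StageLoader()
    binaries = {
        "stage1": loader.load("stage1", STAGE1),
        "stage2": loader.load("stage2", STAGE2),
    }
    return loader, binaries

if __name__ == "__main__":
    loader, binaries = run_sample()
    print(audit(loader.log, loader.head, binaries) or "log and binaries agree")
```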

  • @undefined6341
    @undefined6341 7 months ago

    To me it looks like Stallman answered the questions adequately. He could have said, "Yes I have heard of snaps and flatpaks" and left it at that. Instead he gave a little bit of context from his perspective. The single source of truth is never going to work in reality, because it'll just become +1 standard everyone has to care about (or not care). Package management is pretty well established and works well for the vast majority of users, already for decades at this point. Trying to come up with yet another standard is the real waste of time here. OBS is just an example of bad dev practices, and no maintainer should need to change their ways to accommodate for this, and it's fine to compile programs yourself when the situation calls for it. I also think Stallman is a bit too extreme about using free software only, but he makes reasonable points.

  • @BlueEyedVibeChecker
    @BlueEyedVibeChecker 7 months ago

    I hate arguments about DRM, I am a games dev for the Dreamcast and Windows PCs.
    After people asked for a DRM free Linux version, I gave it to them in a neatly packed tar.gz, and of my 52 Linux users, only 4 of them bought it.
    Piracy morals aside, I'm an indie dev with a VERY small budget, it can and will put me out of a job if no one buys my games so I can allocate a bigger budget to them.
    It's honestly put me off making Linux ports for a while.
    For context, my budget is £32 and a multipack of miso soup. It kinda stings to put in all the effort to make it work on a plethora of complicated distros, only for them to not support me in return.

    • @BlueEyedVibeChecker
      @BlueEyedVibeChecker 7 months ago

      For further context, the Dreamcast is one of the most easy to pirate for consoles ever, and even that has less pirated players on it; of which there are 12.
      The statistics are drawn from Steam stats, sales from my own Amazon page, and the universal servers I use for online play.
      Performance stats show the legitimate and illegitimate copies, as well as the system specifications and OS.
      I plan to have the dedicated Linux server close down since it's causing me to lose money for every new player on there and just have them connect via the Windows one, and if that no longer works, then I may just nix the Linux ports indefinitely and bring them to MacOS instead. (If Apple approves me at least).

  • @gruntaxeman3740
    @gruntaxeman3740 7 months ago

    RMS is... purist, see this in his perspective. And that attitude was once very relevant and shaped the entire software industry.
    This attitude still matters, open source software is generally safer for user.
    But the job is well done, nearly every software developer prefers to use open source components and tools to make software, and they would not consider anything else. Using closed software technology when building one's own software is such a big risk.
    So we see that there are kind of two castes of people, developers and non-developers. Non-developers need software that is easy to run and use, developers do what they want and fix things.
    There was a time when people were intimidated by open source software, that it would take away developers' jobs and make it impossible to do business. But what happened? Those software building blocks are often under open source licenses that are even more free than GPL, there is more need for developers than ever, and nearly all essential software is open source.
    So it looks like everyone has won here.

  • @OldieBugger
    @OldieBugger 7 months ago

    Sounds like Stallman is just getting old & cranky. It happens even to the best of us.

  • @musicalneptunian
    @musicalneptunian 7 months ago

    Mr Toenail munchies
    He munches them with source
    yummy yummy yummy
    three times a day
    Now there's toenail deluxe takeaway

  • @nomadshiba
    @nomadshiba 7 months ago

    i use fedora silverblue, only things i can install are webapps and flatpaks

  • @bastardgoose
    @bastardgoose 7 months ago

    Actually, if you look through a lot of his claims over the years, especially around various kinds of software like Discord. He makes claims entirely without any proof whatsoever a lot.

  • @Ekce
    @Ekce 6 months ago

    There are many things Stallman is out of touch with because he ideologically refuses to use non-free stuff. Probably, in this case, he heard about flatpaks/snaps and saw that the only thing they can do that you can't normally do is distribute proprietary software. Stallman probably views them as analogous to wine bottles/proton since they're a way of bundling a package with libraries and stuff.
    Personally, I think Stallman is right but for the wrong reasons. In an ordinary Linux setup, if a library has a security issue then you just update the library package and you're done. However, in a setup that uses containers like this you have to do a whack-a-mole hunt to find out which containers have the problematic library and update each one separately (basically like working in a Windows environment). In general, I think it does not make sense to use these containers EXCEPT when dealing with proprietary software since it is considered normal and encouraged for proprietary software to rely on outdated libraries (only update if something breaks). This is especially the case with video games, where ideally you want to be able to put out a game and have it just work forever without any maintenance. So, imo, it's not that these can only be used for proprietary software, but rather that that's the only use case that is really worth the risk. In particular, your argument about using these to have a "single source of truth" really means "let's have a ton of different versions of the same libraries on our systems" which is, imo, really dangerous.
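The hunt described in the comment above can be scripted. The following is an added example, not from the video or the commenter: it walks a Flatpak installation root (normally `/var/lib/flatpak`, laid out as `app|runtime/<id>/<arch>/<branch>/<commit>/files/...`) and lists every app or runtime that ships its own copy of a given shared library. The library name `libexample`, the refs and the directory tree are constructed, and comparing versions by file name is a heuristic assumption, not a substitute for the upstream advisory.

```python
import os
import re
from collections import defaultdict

def find_bundled(root, libname):
    """Map each ref (kind/id/arch/branch) to the lib<libname>.so* files it ships."""
    pattern = re.compile(r"^lib" + re.escape(libname) + r"\.so(\.\d+)*$")
    hits = defaultdict(set)
    for kind in ("app", "runtime"):
        base = os.path.join(root, kind)
        # os.walk does not follow directory symlinks, so 'active' links are skipped.
        for dirpath, _dirs, files in os.walk(base):
            for name in files:
                full = os.path.join(dirpath, name)
                if not pattern.match(name) or os.path.islink(full):
                    continue  # ignore other files and soname symlinks
                parts = os.path.relpath(full, base).split(os.sep)
                if len(parts) >= 6 and parts[4] == "files":
                    hits[f"{kind}/" + "/".join(parts[:3])].add(name)
    return {ref: sorted(names) for ref, names in hits.items()}

def file_version(name):
    """Version tuple from a file name, e.g. libexample.so.2.4.1 -> (2, 4, 1)."""
    tail = name.split(".so", 1)[1]
    return tuple(int(part) for part in tail.split(".") if part)

def stale_refs(hits, fixed):
    """Refs shipping a copy older than `fixed`; unversioned copies count as stale."""
    return sorted(
        ref for ref, names in hits.items()
        if any(file_version(n) < fixed for n in names)
    )

def build_sample(root):
    """Create a constructed installation tree under `root` for demonstration."""
    layout = {
        "runtime/org.example.Platform/x86_64/23.08":
            "lib/x86_64-linux-gnu/libexample.so.2.4.3",
        "app/org.example.Editor/x86_64/stable": "lib/libexample.so.2.4.1",
        "app/org.example.Game/x86_64/stable": "lib/libexample.so.2.2.0",
        "app/org.example.Viewer/x86_64/stable": "bin/viewer",
    }
    for ref, rel in layout.items():
        path = os.path.join(root, ref, "constructed-commit", "files", rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        found = find_bundled(root, "example")
        for ref in sorted(found):
            print(ref, found[ref])
        print("still older than 2.4.3:", stale_refs(found, (2, 4, 3)))
```

In the constructed tree the shared runtime already carries the fixed copy while two apps bundle older ones, which is the situation the comment warns about: updating the runtime alone does not reach them.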