
Exposing Trojan Source exploits in Emacs

Posted Nov 14, 2021 22:38 UTC (Sun) by khim (subscriber, #9252)
In reply to: Exposing Trojan Source exploits in Emacs by pizza
Parent article: Exposing Trojan Source exploits in Emacs

> In other words, "Waah, it's too much work to adhere to the license of the software we chose to use!"

Indeed. But this nicely explains what kind of burden is placed on me if I want to release my software as free software, doesn't it?

Yes, in some cases you have to shoulder that burden and release the sources: if you have been using copylefted software and for some reason modified it.

But in most cases a much simpler practical solution is to never change copylefted software (and use it like you would use proprietary software), and then you can avoid that burden completely.

That's what most software developers do most of the time, and that's why most software is nonfree and will always be nonfree.

And, more importantly, there is nothing wrong with it: most software produced wouldn't ever benefit from source availability simply because there are not enough developers to look at it (heck, most free software released on GitHub is never looked at by anyone except the author).

But if it makes sense for some software to be nonfree, then this immediately shifts the discussion from that religious “all software must be free and anyone who thinks otherwise is a heretic and should be burned” stance to a much more practical one of “why do you think this particular piece of software must be free”. Which is, somehow, very hard to answer for most followers of that religion.

Which is really strange to me, because most people who follow certain real religions (Buddhism, Christianity, Islam, etc.) have over the years learned to respect people who do not follow them. This, somehow, hasn't happened with free software followers.


Exposing Trojan Source exploits in Emacs

Posted Nov 14, 2021 23:03 UTC (Sun) by pizza (subscriber, #46) (9 responses)

>> In other words, "Waah, it's too much work to adhere to the license of the software we chose to use!"
> Indeed. But this nicely explains what kind of burden is placed on me if I want to release my software as free software, isn't it?

I don't follow. You, as the software author, can do whatever you want with your own software. Release it, or not, under whatever terms you want. The only inherent "burdens" you'll face are what your local legal regime requires or what you explicitly sign up for.

Now if you base your software on someone else's software (i.e. creating a "derived work" in the process) then that someone else gets a say in what you can do with it. In pretty much every jurisdiction out there, the baseline permission is "nothing whatsoever" -- and that holds whether the software is copyleft (GPL), permissive (BSD), or highly proprietary.

So, again, if you don't want to have to comply with a third party's licensing terms, don't use their software.

> That's what most software developers do most of the time and that's why most software is nonfree and would always be nonfree.

Got a citation for that? I'd think that "most software" is nonfree because its authors consider it competitively advantageous to treat it as a trade secret. That, or sheer apathy (as evidenced by GitHub's stats before they forced folks to pick a license for new repositories)

> Which is really strange for me because most people who follow certain real religion (Buddhism, Christianity, Islam, etc) over the years have learned to respect people who are not following these. This, somehow, haven't happened with free software followers.

As far as I am aware, nobody has ever committed mass slaughter in the name of a software license. The same cannot be said about "real" religions.

Exposing Trojan Source exploits in Emacs

Posted Nov 14, 2021 23:53 UTC (Sun) by khim (subscriber, #9252) (8 responses)

I think some context of the discussion was lost. Let me remind you what we are talking about:

> The claim is that the concept of "intellectual property" applied to code is wrong. If I receive some code from you, then I own it and I don't need your permission to do things with it. You don't retain extra rights to that code by virtue of "copyright" that allows you to control what I do with that code after I've legally obtained it from you. That's what "free software" is about.

That's the initial claim.

And here is my answer:

> > That's what "free software" is about.

> Absolutely not. Go back to the initial complaint: Microsoft released some code, it's downloadable and you can run and study it. You can even adapt it for your needs (it's a bunch of regexps, really; practically speaking it's hard to say they can be copyrighted at all).

But according to free software zealots it's not enough: you have to do additional work and make it possible to easily take that code and include it in your program. What gives you the right to demand that?

And then:

> this would definitely create a burden for me: instead of just making sure I can, somehow, build it once and forget about it, I'm now forced to create a nice package, would need to ensure it's buildable without tons of my own private scripts, that it doesn't have paths specific to my system embedded, and so on.

With the rebuttal:

> I certainly don't understand this. Why does releasing the software under a F/OSS license like the GPL require you to do all those things?

And a simple example:

> Ask any company which tries to make FSF or SFC happy. It's not easy to provide “Corresponding Source” if you haven't planned to do that and haven't carefully built your workflow to make it deliverable.

And now you say

> I don't follow. You, as the software author, can do whatever you want with your own software. Release it, or not, under whatever terms you want. The only inherent "burdens" you'll face are what your local legal regime requires or what you explicitly sign up for.

Well, sure, but that's not what we were talking about! We were talking about the idea that free software is about changing the rules of “intellectual property”: they are no longer applicable and if you got the code then you may do whatever you want with it!

But that's not true! Free software is different not because I allow you to do anything you want with the binary I gave you (that would be freeware, not free software); free software is different because I spend additional effort and now give not just the binary code to use but the source code to study and modify, too!

And that definitely adds burden on me!

Yes, today I can avoid all that by releasing software as a binary, nonfree, proprietary one, but we are talking about the FSF-suggested nirvana, a world without nonfree software! There I wouldn't have such an option!

> I'd think that "most software" is nonfree because its authors consider it competitively advantageous to treat it as a trade secret. That, or sheer apathy (as evidenced by GitHub's stats before they forced folks to pick a license for new repositories)

The last one. 64% of companies outsource development of the apps they need. All these small apps which mom-and-pop shops order? They are closed source simply because it's cheaper for them that way. They may get the sources from freelancers, but they definitely don't want to spend time and effort to give them to some Joe Average and then fight with modifications done to their shop client.

Even if you abolish the copyright — it wouldn't change the situation. In fact it would make it worse, not better.

Copyright is, practically, non-existent in China. In theory it exists, but in practice it isn't enforced. The end result? Almost no one supplies software with sources! And binaries are thoroughly obfuscated, because it's not abnormal for someone to just grab a piece of nice software (yes, the binary, not the source), reuse it and claim it's their own creation.

The whole thing is as far from nirvana imagined by free software zealots as it gets.

> As far as I am aware, nobody has ever committed mass slaughter in the name of a software license. The same cannot be said about "real" religions.

Are you trying to say that without that phase we would never reach the point where free software zealots would respect the rights of others?

Because at times it feels as if the only reason they are not starting a mass slaughter is the fact that they realize they are outnumbered and are not sure they would win.

Exposing Trojan Source exploits in Emacs

Posted Nov 15, 2021 1:46 UTC (Mon) by anselm (subscriber, #2796) (7 responses)

free software is different because I spend additional effort and now give not just binary code to use but source code to study and modify, too! And that definitely adds burden on me!

Not necessarily. Nobody (certainly not the GPL) prevents you from throwing a set of half-finished sources over the fence as long as they correspond to the binary that you're distributing. Presumably people would prefer that you added a configure script, extensive and helpful comments in the code, and a nicely typeset manual, but if you don't then you don't. You are under no obligation to bend over backwards on behalf of others; if they have an itch they can scratch themselves.

Exposing Trojan Source exploits in Emacs

Posted Nov 15, 2021 2:34 UTC (Mon) by khim (subscriber, #9252) (2 responses)

> You are under no obligation to bend over backwards on behalf of others; if they have an itch they can scratch themselves.

I'm under obligation to provide “Corresponding Source”, though. And that, by itself, is a pretty significant requirement.

It may be hard to imagine, but a significant percentage of developers out there have no idea what the acronyms VCS or CI/CD even mean!

I'm not sure whether the majority of developers know about these or not, but most new grads definitely have no idea.

Now, you may say that it's the failure of colleges that they don't teach students these important things, but the truth is: it's hard enough to teach people to write simple loops or algorithms with arrays!

And if you, somehow, make nonfree software illegal then you would raise the bar that much higher.

And yes, sure, of course: most of these apps made by new grads or old-school guys who are still using a 30-year-old compiler are not that interesting, but… they are more common than you think. Trying to make them free in an effort to reach that world without nonfree software would definitely do more harm than good.

P.S. About that 30-year-old compiler… Not joking: when I discovered that certain software on the ISS is compiled with a compiler based on a reverse-engineered PL/I-86 compiler I wasn't sure whether to laugh or to cry… but it's not a joke, it's real… and if you think that guys who turn Windows 7 into a real-time OS with a binary patch of the Windows kernel (and then launch rockets to space with that… uhm… “thing”) would know or care about providing proper sources… then think again.

Exposing Trojan Source exploits in Emacs

Posted Nov 15, 2021 10:02 UTC (Mon) by anselm (subscriber, #2796)

I'm under obligation to provide “Corresponding Source”, though. And that, by itself, is a pretty significant requirement. It may be hard to imagine, but a significant percentage of developers out there have no idea what the acronyms VCS or CI/CD even mean!

“Corresponding source” is “whatever I compiled on my machine to generate the binary I'm distributing”. There is no legal requirement whatsoever that this source code lives in a VCS or that the binary in question is generated using CI/CD. Few would disagree that both of these are nice, useful, and usually very desirable properties, but they're in no way mandatory in order to release a piece of binary code as “free software”.

Exposing Trojan Source exploits in Emacs

Posted Nov 15, 2021 13:50 UTC (Mon) by pizza (subscriber, #46)

> It may be hard to imagine, but a significant percentage of developers out there have no idea what the acronyms VCS or CI/CD even mean!

By your definition, the FSF itself is in gross violation of its own license.

I'm sorry, but I'm going to take the FSF's word of the meaning and interpretation of their own licenses over yours.

Exposing Trojan Source exploits in Emacs

Posted Nov 19, 2021 9:08 UTC (Fri) by marcH (subscriber, #57642) (3 responses)

> Not necessarily. Nobody (certainly not the GPL) prevents you from throwing a set of half-finished sources over the fence as long as they correspond to the binary that you're distributing.

No, the GPL requires the ability to actually build from the source and to release any script or config file needed for that. No source code just for show. This is a challenge when you have hardcoded dependencies on your environment.

Exposing Trojan Source exploits in Emacs

Posted Nov 19, 2021 12:37 UTC (Fri) by anselm (subscriber, #2796) (2 responses)

You need to release the specific scripts, sources for dependencies not already provided by the operating system, etc. required to produce the binaries you're distributing, on your computer (or, in general, any computers for which you distribute binaries).

You're not required to proactively make the source compile on any other computers that might be more or less vaguely similar to yours but for which you don't personally supply binaries, and which might be missing dependencies that on your computer happen to come with the operating system. Many people, because they're nice and friendly, attempt to do so, anyway (e.g., by including “configure” scripts and the like) but it's not mandatory as far as the GPL is concerned. It's certainly not mandatory to keep the sources, scripts, etc. in a VCS or to include CI/CD configuration.

Exposing Trojan Source exploits in Emacs

Posted Nov 19, 2021 14:26 UTC (Fri) by khim (subscriber, #9252) (1 responses)

> You need to release the specific scripts, sources for dependencies not already provided by the operating system, etc. required to produce the binaries you're distributing, on your computer (or, in general, any computers for which you distribute binaries).

Let's consider a practical example. Suppose I'm using a compiler that was once disassembled from the original PL/I-86 by Digital Research and then developed from that base for 30 years, and then you have to use it in conjunction with a binary-patched runtime. Everything without sources, of course: Digital Research never offered them and you are too cheap to buy a license for the OS sources from Microsoft.

What am I supposed to release in that case?

> You're not required to proactively make the source compile on any other computers that might be more or less vaguely similar to yours but for which you don't personally supply binaries, and which might be missing dependencies that on your computer happen to come with the operating system.

That's a strawman and you know it. I'm not talking about the ability to compile sources on someone else's system. I'm talking about the ability to compile them at all.

I still vividly remember the story when we were supposed to build a certain recognition system for the police. The company which created the hardware we were supposed to use leased (not sold!) us “an SDK” which comprised two computers and four HDDs. One computer had Windows preinstalled and the other had Linux preinstalled, and all that was supposed to work in tandem because the Visual Studio based build system was doing certain steps on the Linux system (custom rules are very flexible, as it turned out). The second pair of HDDs was a backup, supposed to be used if we screwed up the first pair!

I wouldn't even know what could be considered “source code” in all that mess, but I certainly knew for sure that if I just kept the things that I, personally, created then I wouldn't be able to build a binary.

> It's certainly not mandatory to keep the sources, scripts, etc. in a VCS or to include CI/CD configuration.

Sigh. We are going around in circles. Yes, it's not mandatory to use VCS and CI/CD systems. But if you are not doing it and not keeping the sources you have created nicely separated from the other things you have installed on your system, then the question of what the sources are quickly becomes not easily answerable.

I gave you a couple of extreme examples, but even if you have something as simple as Delphi (or Microsoft Office) with a bunch of components or extensions added to it, then it's very easy to create a project which you can only open on your system. It wouldn't be possible to rebuild it on someone else's system; you couldn't even open it there!

And very often you wouldn't be able to recreate the structure which you use for development, since it includes components which you can no longer buy (that's why the aforementioned “SDK” was leased to us, not sold).

Even if it is possible to actually separate the sources from the other things on your system, it's not an easy task in many cases.

It takes a certain discipline to keep sources deliverable, and it's much easier to go from that point to the proper combo of VCS and CI/CD system than to reach that point from “ground zero”, where the developer just does whatever it takes to deliver a binary to the customer.

Exposing Trojan Source exploits in Emacs

Posted Nov 19, 2021 15:37 UTC (Fri) by anselm (subscriber, #2796)

It takes a certain discipline to keep sources deliverable, and it's much easier to go from that point to the proper combo of VCS and CI/CD system than to reach that point from “ground zero”, where the developer just does whatever it takes to deliver a binary to the customer.

I don't think anyone would disagree that dealing with a product that has had the attention of a team of competent and experienced software developers with an unlimited budget is generally nicer than dealing with somebody's spare-time project that is held together with string and baling wire. But the point is that the GPL doesn't require professional-level software engineering. Even somebody's primitive spare-time project can be useful to other people if it is released as free software, however lacking in social graces it may be.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds