Week 10, Mar 30
Me, LibreOffice and bugs
mta.openssl.org/pipermail/openssl-announce/2021-March/000196.html
So here are those vulns: openssl.org/news/vulnerabilities.html. There are two, both fixed in OpenSSL 1.1.1k: CVE-2021-3449, a NULL pointer dereference in a TLS 1.2 server when a renegotiation ClientHello omits the signature_algorithms extension (present in the initial ClientHello) but includes signature_algorithms_cert; this is a remote denial of service against any 1.1.1 server with renegotiation enabled, which is the default. And CVE-2021-3450, where a check added in 1.1.1h (disallowing explicitly encoded elliptic-curve parameters in chain certificates) overwrote the result of the earlier "is this a CA certificate" check when X509_V_FLAG_X509_STRICT was set, so a non-CA certificate could issue certificates that verified; that one affects only 1.1.1h through 1.1.1j and only when the strict flag is set, which is not the default.
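An added example (not from the page, and not OpenSSL's own code) showing what the CVE-2021-3449 trigger looks like at the protocol level: a small parser for the extensions block of a TLS ClientHello, and a check for the pattern "signature_algorithms present in the initial hello, absent in the renegotiation hello, signature_algorithms_cert present". The ClientHello bytes are constructed inline, not captured; the function names and the hypothetical builder are mine.

```python
# Added example: detect the CVE-2021-3449 ClientHello pattern. Not code from
# the page or from OpenSSL. Assumes each input is one complete TLS record
# carrying one ClientHello handshake message (the only layout handled here).
import struct

SIGNATURE_ALGORITHMS = 13       # extension type, RFC 5246 / RFC 8446
SIGNATURE_ALGORITHMS_CERT = 50  # extension type, RFC 8446


def parse_client_hello_extensions(record: bytes) -> dict:
    """Return {extension_type: extension_data} for a ClientHello in a TLS record.
    Raises ValueError on anything that is not a well-formed ClientHello."""
    if len(record) < 5 or record[0] != 0x16:            # content type: handshake
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len or len(body) < 4 or body[0] != 0x01:  # client_hello
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or len(hello) < 35:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                         # client_version + random
    sid_len = hello[pos]; pos += 1 + sid_len             # session id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2 + cs_len  # cipher suites
    comp_len = hello[pos]; pos += 1 + comp_len           # compression methods
    exts = {}
    if pos == len(hello):
        return exts                                      # no extensions block at all
    ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
    end = pos + ext_total
    if end != len(hello):
        raise ValueError("extensions length mismatch")
    while pos < end:
        etype, elen = struct.unpack("!HH", hello[pos:pos + 4]); pos += 4
        data = hello[pos:pos + elen]; pos += elen
        if len(data) != elen or pos > end:
            raise ValueError("truncated extension")
        exts[etype] = data                               # each type appears once in a valid hello
    return exts


def is_cve_2021_3449_pattern(initial: bytes, renegotiation: bytes) -> bool:
    """True when the pair of hellos matches the advisory's trigger condition."""
    first = parse_client_hello_extensions(initial)
    second = parse_client_hello_extensions(renegotiation)
    return (SIGNATURE_ALGORITHMS in first
            and SIGNATURE_ALGORITHMS not in second
            and SIGNATURE_ALGORITHMS_CERT in second)


def build_client_hello(extensions: list) -> bytes:
    """Hypothetical helper producing constructed sample input: a minimal TLS 1.2
    ClientHello record carrying the given [(type, data)] extensions."""
    ext_body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    hello = (b"\x03\x03" + bytes(32)          # client_version TLS 1.2, zero random
             + b"\x00"                        # empty session id
             + b"\x00\x02\xc0\x2f"            # one cipher suite
             + b"\x01\x00"                    # null compression only
             + struct.pack("!H", len(ext_body)) + ext_body)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs


# Constructed extension payload: one SignatureScheme, rsa_pkcs1_sha256 (0x0401).
SIG_ALGS = b"\x00\x02\x04\x01"

if __name__ == "__main__":
    ok_initial = build_client_hello([(SIGNATURE_ALGORITHMS, SIG_ALGS)])
    bad_renego = build_client_hello([(SIGNATURE_ALGORITHMS_CERT, SIG_ALGS)])
    print(is_cve_2021_3449_pattern(ok_initial, bad_renego))
```

One caveat worth keeping in mind: in TLS 1.2 a renegotiation ClientHello travels inside the already-established encrypted session, so a passive network sensor never sees it. A check like this only works at the endpoint (in the server or a terminating proxy, after decryption); on the wire the practical answer is simply to be on 1.1.1k or later, or to disable renegotiation.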
https://r0ml.medium.com/free-software-an-idea-whose-time-has-passed-6570c1d8218a
Lefkowitz really doesn't seem to like RMS. The "Free" here is specifically "Free/Libre". He regards the GNU approach as fundamentally political.
Which is all good. But then Lefkowitz goes off the rails a bit, with the idea that software publishers should be liable for errors, and that this should apply to the FSF as well. Holding open-source contributors liable for bugs would have dire consequences for volunteer contribution.
And then Lefkowitz suggests that software privacy and security would be better addressed by government regulation. There is no way that is going to end well.
"The point being: large corporations and government agencies have always had the ability to get access to the source code of commercial software, and modify it if they wish. And if they have a good reason, they will do so. But usually, they don’t wish to."
Lefkowitz' idea about "public software" is, well, bizarre. Software is not like books. There's no point in a library-like check-out-and-return policy.
Yes. The business model is "open core". But thank you for yet another tedious reminder.
Open Source Security Foundation (OpenSSF)
In Week 3 I raised the issue of clang vs gcc, suggesting that maybe plugins to allow gcc to interface with non-GPL IDEs were the issue. Here's another article on that: https://lwn.net/Articles/629259.
It took many years before the GNU Compiler Collection (GCC) changed its runtime library exemption in a way that allowed for GCC plugins, largely because of fears that companies might distribute proprietary, closed-source plugins.
Ironically, Emacs has lots of weird plugins.
But here's another issue:
Stallman is concerned that proprietary backends could take the [gcc abstract syntax tree] output and generate code from it.
This is an intense debate, because, as Perry Metzger noted:
Linux’s solution to this problem was to create a policy of never breaking userland applications. This means userland interfaces to the Linux kernel never change under any circumstances, even if they malfunction and have known bugs. That is worth reiterating. Linux maintains known bugs – and actively refuses to fix them. In fact, if you attempt to fix them, Linus will curse at you, as manifest by this email.
An article about Firefox from The Economist: economist.com/business/2019/07/20/what-open-source-culture-can-teach-tech-titans-and-their-critics.
The real point here is that Firefox is perhaps the best example of open-source software that works well for nontechnical users. LibreOffice comes close, but there are some rough edges. (Asking you to find bugs in LibreOffice is easy by comparison with Firefox.)
The other open-source-for-the-masses issue is that open-source software is easier to trust, because anyone can audit what it does. Mozilla gets a lot of money from Google for making google.com the default Firefox search engine. But, overall, Firefox isn't beholden to advertisers the way Chrome is.
It is a bit of a mystery why Microsoft never managed to leverage Internet Explorer / Edge into a browser that was highly trusted by users. Even Apple Safari never gained a reputation as a privacy-friendly browser. (That's partly because Apple has mixed feelings here; Apple promotes itself as highly protective of user privacy, but they also know just how much user data is worth.)
About that "given enough eyeballs, all bugs are shallow" thing ....
Pick up with fetchmail.