
Re: Automatic downloading of non-free software by stuff in main



On Fri, Dec 01, 2017 at 06:09:12AM +0100, Adam Borowski wrote:
> On Thu, Nov 30, 2017 at 01:52:18PM +0000, Ian Jackson wrote:
> > Over the years, d-legal has discussed a number of packages which
> > automatically download non-free software, under some circumstances.
> > 
> > The obvious example is web browsers with extension repositories
> > containing both free and non-free software.
> > 
> > We have also recently discussed a media downloader/player which, when
> > fed a particular kind of url, will offer to automatically download a
> > proprietary binary-only protocol module to access the specified
> > proprietary web service.
> [...]
> > I would like to establish a way to prevent this.  (There are even
> > whole Debian derivatives who have as one of their primary goals,
> > preventing this.
> 
> No, those derivatives are damage.  While their hearts are in the right
> place, they cause data loss and security holes by at least making people on
> Intel and AMD machines use known-buggy microcode.

This is a different subject, though.  We had a discussion about software
supporting non-free hardware a while ago.  I'm still planning to propose a GR
for that, but have been distracted so it's taking a while.

What Ian is talking about is not "this software is non-free, but I need it
because I have hardware that won't run properly without it", but "this software
is non-free and my program from main just installs it on my computer".  Ian
didn't talk about hardware supporting software, so he didn't exclude it
explicitly, but I think we should do that.  Because with hardware you make
valid points, but they are irrelevant for pure software, such as the example of
a web browser downloading non-free add-ons.

I believe Ian's intent was to discuss the pure software problem (Ian, please
correct me if I'm wrong).  So if you want to talk about microcode and wifi
firmware, please do so in a different thread.

> Even Debian is not without fault here: for example, the ftpmasters accept
> such a blatantly non-free licence as AGPL[1] into main.

In today's digital environment, a lot of programs are moved from the user's
machine to a network service.  The purpose of the GPL is to give all downstream
users freedoms.  This can be circumvented by putting the code on a remote
server and never installing it on the user's machine, because the GPL only
talks about code that runs on the user's machine.  The AGPL fixes that problem
by requiring those hosting such programs to pass the freedoms on to their
networked users.  This is a necessary fix for a problem that didn't exist when
the GPL was originally written.

There may be some issues with the way it is written, but the fact that
networked users deserve the same rights as local users is self-evident in
today's networked world.  So while you can advocate for minor modifications to
the license so that it becomes legally better, advocating against it entirely
is not reasonable IMO.

> [1]. AGPL fails FSF freedom 0: you can't reuse snippets of code from an
> AGPLed project in anything networked that has no, or cumbersome, ways to
> pass advertising statements to the user (such as, eg, an IMAP server).

The AGPL only says it must "prominently offer" an opportunity to receive the
source code.  I think it is possible to do this for example on the web site
that tells the users about the address of the server.  What "prominent" means
depends on how the service is normally used.  That's why they used such a
subjective description.

> It also fails the Dissident Test: take a blogging software with
> steganographic features, that you provide hosting for, for two classes of
> users: fellow dissidents, and public at large.  The former receive the code
> (both binaries and source), the latter do not.  Even revealing the existence
> of your changes is a serious risk for the life of you and your friends.
> Regular GPL has no such problems.

Yes, it does have these "problems" and they're the main difference between the
GPL and BSD-style licenses: the GPL requires users to have access to the source
code, so if you don't want your users to know that changes to the source were
made, you cannot let them run your code.

The AGPL closes the loophole that the GPL did not cover networked users.  But
if we take your example and run it locally (for example, make it a message
board on a multi-user machine that is used by students of a university in a
country with an oppressive regime), you have the exact same problem and with
your logic now the GPL is failing the dissident test.

I don't agree that it does.  For dissidents, just like anyone else, things are
easier without copyleft, because they are more free personally (at the cost of
the freedom of their users).  However, if they choose to host the software
without changes for the public and an extra copy with changes for fellow
dissidents, there should be no problem.

Thanks,
Bas
