Ring, officially a GNU package (blog.savoirfairelinux.com)
> respects freedoms and privacy of its users
It downloads the binary over HTTP on http://ring.cx, which makes it susceptible to tampering. Is serving binaries over HTTP a GNU thing because the expectation is that you would check the signature?
* Lack of full forward secrecy means logged network logs can be decrypted in the future if an endpoint key is ever compromised.
* e2e encryption is optional, due to legacy SIP support. This is extremely dangerous as it will no doubt lead to a false sense of security, with users assuming they're safe just because Ring is the program they're talking through.
Due to these two I cannot actually recommend it to anyone.
Note that Tox got these two right, and is a pretty active project which gets commits semi-daily, regardless of the nonsense about it being dead that some party seems to be spreading.
Either way, I don't use SIP so that feature isn't a dealbreaker for me.
That needs user intervention, which implies his understanding of why it is necessary.
Here's a better idea, remove backwards compatibility. Perhaps they could release a separate SIP client under a different name. Just keep it away from Ring itself. Let Ring be actually secure.
Source repositories located at https://gerrit-ring.savoirfairelinux.com/#/admin/projects/ (Uses gerrit!)
https://www.silentcircle.com/products-and-solutions/technolo...
A more comparable thing to Signal is Matrix [1] and its client Riot [2]. Theoretically, it has perfect forward secrecy. It's not as distributed as Ring is, but there is no centralized server as in Signal either.
Riot is also in F-Droid. So while not a GNU member, I find it sufficiently open and free.
A totally distributed approach with forward secrecy is Tox [3]. It needs a good code audit, though. And as in Ring, P2P causes data consumption issues in mobile.
[2] https://riot.im/
Just saying.
I can recommend pjsip though, very reliable so long as you read its docs before writing a script to leverage it.
And most mobile clients use pjsip, at least non-commercial ones (aside from popular sipdroid). I don't know what Bria uses but if I lose signal it slams my battery. Unfortunately it also works best for my commercial line.
Csipsimple is an Android implementation of the pjsip library. Taki is another for BB10. They are both fairly reliable. I don't know any on iOS (sry).
Edit: You could also get the IPs of all the people trying to contact the target.
Remember GNU requires transferring rights to the FSF, which many aren't comfortable with.
I personally favor tox, because ec25519 and full forward secrecy. Also, not fond of SIP.
I heard tox needs a code review. Has its security been verified in any way?
P.S. I couldn't find any browseable source either, so I cloned their repo.
Some are happy to be associated with the opinion that all software should be free.
>in particular Richard Stallman's political opinions (e.g., eugenics)
Richard Stallman's opinions, outside of the realm of free software, are irrelevant in the context of the GNU project. Throwing out eugenics like that feels manipulative to me.
>restricts your technical decision-making options
The next few paragraphs will explain why what you see as restrictions aren't seen the same way from the perspective of GNU developers.
>limited plugin architecture
You are of course referring to exposing the AST of GCC to other (possibly proprietary) programs, which was a GCC-specific issue. It doesn't broadly apply to everything. I help maintain GNU Guix, a project designed from the ground up to be as extensible as possible, and there has been no such issue. Nor does GNU Emacs have an issue with extensibility.
>limited support for non-free OSes
I think this is distorting the truth a bit. The point is that the focus of the GNU project is to develop a fully free operating system, and maintainers should focus their efforts accordingly. That doesn't mean that GNU software shouldn't work well on other, proprietary operating systems, and maintainers shouldn't reject patches from contributors that add or improve such support unless it adds a significant burden. Bottom line is: GNU software should work the best on the GNU system, which seems sensible to me. The GNU maintainer guidelines go into more detail about this topic.
>mandatory support for things like GNUTLS
Software in the GNU project should work well with or use other software in the GNU system. Again, those that participate in the GNU project think this is positive, because GNU should form a cohesive whole, just like MacOS or Windows should.
>while not giving you very much in return
GNU and the FSF give Guix a place to host many Git repos, space for a website, several mailing lists, a bug tracker, they colocate our hardware in their datacenter, give us virtual machines on their own servers, handle donations, and promote our releases. I think it's a pretty great deal given the project is philosophically aligned with the free software movement.
>With the existence of GitHub and a wide variety of competitors
I wouldn't call GitHub a competitor. GitHub is just a code hosting site, GNU is a unified project with a political mission.
>What am I missing?
Hopefully I've helped answer this question.
But his entire point is that free software is a moral imperative, and that it is morally better to have no software at all than non-free software. How can you separate morality into parts?
And, if you do, where do you divide it? Are politics that affect what copyright laws may exist relevant? Are meta-politics like voting rights or styles of government or campaign finance relevant, if they affect how copyright laws get decided?
> the focus of the GNU project is to develop a fully free operating system, and maintainers should focus their efforts accordingly
Right. It seems to me that becoming a GNU project means that you are required to focus your efforts in certain ways. You are completely free to focus your efforts in those ways without being part of the GNU project, though. It simply restricts your options.
If you trust the GNU project to be better than you at finding the morally right thing to do, then it makes sense to ask GNU to restrict what you can do. As a churchgoer I totally understand why you might want to outsource your morality to a larger organization consisting of more people than you who think harder about things - but it matters a lot that you find the right organization, and that you can trust the people who run the organization to be making good moral choices in general. There are a number of churches where I do not, and I don't associate myself with them, no matter how much I agree with most of their views. Similarly, I find it hard to trust the future moral decision-making of someone who supports eugenics. If I support their current moral stances on free software (and, as it happens, I agree with the vast majority of what Stallman says about free software), I can always just adopt those stances as my own.
> I wouldn't call GitHub a competitor.
Sorry, that was unclear - I meant GitHub and GitHub's competitors (in case you philosophically disagree with GitHub). It gets you a lot of stuff self-service that years ago was much more easily had through affiliation with GNU, or Apache, or Red Hat, or someone else.
I concede that donations and marketing are things you get from GNU that you wouldn't get from GitHub etc. (Although I think many projects find that being on GitHub gives them visibility in a way that seems likely to make up for the lack of explicit marketing, depending on the project.)
I can't think of anything.
> and in particular Richard Stallman's political opinions (e.g., eugenics)
Utter nonsense. Being part of GNU doesn't imply agreeing with every word Stallman utters on any topic.
> restricts your technical decision-making options
Very real (see gcc and frontend/backend separation) and a very good reason to stay away.
Did you just miss davexunit post?
Of course it doesn't. But associating yourself with GNU is, very straightforwardly, associating yourself with Stallman. What is the advantage of doing so?
If there is such an advantage, then yeah, I think it's totally fair to dissociate yourself from his political views. But it seems to me like joining GNU is solely a political statement and a sign of agreement with Stallman's views on morality (since he frames free software / computing freedom as a moral issue). I don't know why anyone would want to make that statement unless they actually want to be associated with his political and moral views. That's all I'm asking. Is there another reason to associate yourself with GNU?
Some believe that's not necessarily a bad thing.
"A new noninvasive test for Down's syndrome will eliminate the small risk of the current test.
"This might lead more women to get tested, and abort fetuses that have Down's syndrome. Let's hope so! It is very wrong to intentionally subject a person to life with a serious disability, given the option to abort and try again."
If you don't, they come from 4chan. So yeah...
But they got accepted into GSoC as a mentor project, so they can't all be bad.
Stallman's view on this is not controversial at all.
GNU's views on software. Stallman's just the figurehead for these. I don't care what his opinions are outside of this, never mind agree or disagree.
> Is there another reason to associate yourself with GNU?
As I said, I can't think of any in the first place. But I'm still glad GNU and FSF do exist, and that their views are so extreme.
If they weren't, then a much softer position would be called extreme instead. The world would be worse for it.
What good is reading his post when you can see how core GNU projects are actually run?
This is not news to me, but it's the maintainer of a project that decides over their project. It's like how the CEO of Microsoft does not control what Apple does, nor vice versa. Two projects with different people in charge make different decisions and have different priorities.
The good thing about reading other posts is that you might realize that not every project is run the same way. If you have an axe to grind with GCC over their priorities, maybe you should try to convince them that your priorities are more important than theirs, rather than complain in a HN thread that has nothing to do with having proprietary compiler modifications to GCC.
Except that's not true once you've made your project a GNU project, which is exactly my point.
https://lists.gnu.org/archive/html/gnutls-devel/2012-12/msg0... (RMS telling the GnuTLS maintainer they can't move their project out of GNU)
https://lwn.net/Articles/629259/ (GCC maintainers want certain priorities, RMS overrules)
https://lists.gnu.org/archive/html/emacs-devel/2015-01/msg00... (Emacs maintainer threatening to fork Emacs if he cannot make the technical decisions he wants to make)
https://libreboot.org/gnu-insult/ (GNU maintainers telling a GNU maintainer they cannot take their project out of GNU, and it "is for the Saint IGNUcious to decide")
Stallman is the CEO, and maintainers are, at best, VPs. I have no axe to grind with the GCC maintainers over their priorities - I just wish they had the ability to follow their own priorities.
Maintainers of low-impact projects have more leeway. If your project matters to GNU/FSF leadership, you will have less freedom to make your own decisions.
It's as simple as that.
I don't really need this part about "complain in an HN thread that has nothing to do." I'm totally uninterested in being demeaned for trying to explain a point you don't like. Please try to avoid personal attacks and understand that the GCC maintainers already expressed this desire and did work toward it and were denied this choice for political reasons. This situation is directly and unequivocally related to the discussion at hand.
Trademark is not technical decision-making. Hurd cannot call themselves the Linux kernel, blaming Linus for "restricting their technical decision-making options" when he would object. That a project does not want to rename themselves is understandable, but such is how trademark works.
> GCC maintainers want certain priorities, RMS (as member of the GCC steering committee) overrules
GCC does not have a GCC maintainer that decides over the project. It has a steering committee, similar to the Debian technical committee, whose designed role is to overrule maintainers. Stallman is also part of that committee, while other people of the FSF are not. There is no requirement for GNU projects to have a steering committee, and no rules that dictate that Stallman must be part of the committee if one exists.
> Emacs maintainer threatening to fork Emacs (over the GCC decision)
Which they are allowed to do. Emacs was founded by Stallman and what is called "GNU Emacs", as a trademark issue, will likely continue to rest with him. There is no "technical decision-making options" involved there, and the dispute is not about any code involving Emacs. If the fork ended up successful it would likely replace the code of GNU Emacs as has happened in the past.
> GNU Libreboot changes name to Libreboot
Again, trademark and no technical decision-making options. Libreboot is now one project, and GNU libreboot might be one. People can fight about who is the fork and who is the original, but it has no technical-decision aspects to it. Both projects can write code and add any feature they wish.
The only thing that Stallman and the FSF decide is about the GNU project and the GNU trademark. Technical aspects in each project are up to the maintainers or whatever community structure they have chosen. Some are committee based, others a BDFL or project maintainer, and some are just a flat structure of several maintainers each holding only one vote in the decision process. Simple projects generally have a single maintainer and can make all the technical decisions themselves.
GCC is run by a committee whose stated role is to overrule maintainers (https://gcc.gnu.org/steering.html). It has nothing to do with Ring, nor does Ring have a steering committee. If Ring had a steering committee, and if Stallman was part of that committee, then he would be part of the technical decision-making process. But he is not, nor is the FSF, and there is no such committee for Ring.
'stonogo and I believe that the points you are making are incorrect. That is not a personal attack, and assuming that you must be correct and need to help us understand is a great way to pull the argument back down into personal attacks.
So, why does GCC have a steering committee and Ring not? Is it possible that Ring could have a steering committee in the future? Can that happen without the enthusiastic consent of the maintainers?
> Is it possible that Ring could have a steering committee in the future? Can that happen without the enthusiastic consent of the maintainers?
A steering group, or for that matter any form of leadership structure, can only pop into existence if the project itself decides to create one. If we look at the announcement of the GCC steering group:
"From its initial conception, the egcs project [now GCC] has strived to organize itself
in a manner which prevents any particular individual or company from having control
over the project.
To that end, when the project was formed several individuals were contacted to
make decisions for the GCC project. These individuals come from a variety of
backgrounds and represent various groups with an interest in the long term health of GCC.
We feel it is in the best interest of the GCC project at this time to turn this
informal group into an official steering committee, and to make public its membership.