/tech/ - Tech

Technology.
MAOSS: Militant Anarchist Open Source Society Comrade 10/15/2020 (Thu) 23:26:14 No. 5488
/g/ had a good idea for once: We need a third option to the dichotomy between the fascist commie NIH philosophy of the FSF and the boot-licking brown-nosing philosophy of the OSI.
>OSI: in an ideal world, all software should be libre, but good software is more important than libre software, so when proprietary software is better than libre software, it should be able to cannibalize the libre software to make itself even better
>FSF: libre software is more important than good software, and therefore libre software is ALWAYS better than proprietary alternatives, no matter how many features are missing, and anyone who uses proprietary software should be harassed until they change their mind, and libre software should never promote proprietary software, not even for interoperability
What's the commonality that necessitates this dichotomy? It's the fact that both the OSI and the FSF respect laws around proprietary software.
>OSI: those laws are kind of unethical, but it's okay if you want to license under them and steal our shit, your work is better after all
>FSF: those laws are unethical, so if you're going to license under them, then the only way to simultaneously avoid breaking them and retain user freedoms is to not use your software or even acknowledge its existence
I present the MAOSS. An idea for a gang of criminal e-thugs who use violence to force proprietary licensors to forfeit their IPs against their will so that users don't have to choose between software that works and software that respects their freedoms.
>oh, you're going to license your work under a proprietary license? *rips terms of service in half*
>*decompiles your work, neuters it of anti-features, and redistributes the libretized version as a component of other freedom-respecting libre work without your permission*
>oh what's that, you're gonna sue us? lol *brings flamethrower to court*
>*casually murders major proprietary software vendors in cold blood and burgles their laptops*
>>5514 It's not the problem. The problem is that today you are almost certainly forced by circumstance to run proprietary software, which means giving up control over your computing. Free Software is not required to make source code publicly available, only to provide it to the user of said software. The source code is provided to ensure that the user has control over their computing, that they don't have to surrender their computer to whoever owns that piece of software.
>>5517 Thanks for clarifying, but still, I don't quite understand why the problem is how I'm "forced by circumstance to run proprietary software", rather than that I'm forced by circumstance to provide free labor to Google, Amazon, and Big Tech. Don't get me wrong, I'm a big FOSS advocate and user, but I'm far more worried about the proletarianization of the world by new forms of cybernetic exploitation than I am about freedom of information or software per se.
Reminder to all anons in here: license your stuff under the AGPL or the SSPL so that Porky can't use it for his clouds and walled gardens. Disregard Stirnerites and radlibs peddling unproven tactics, uphold Marxist-Stallmanist thought.
>>5518 I don't think it is *the* problem, but it is a problem nevertheless. What do you mean by the "free labour" that you give to Big Tech? Like this? http://wagesforfacebook.com/
>>5520 Yes, AGPL is Google-repellent
>>5519
>so that Porky can't use it for his clouds and walled gardens.
Ohnooooooo Porky promised he wouldn't secretly use your code, what will he do????
>>5524 I think your retarded satire is pretty outdated, the smart enough big corps like Google, Microsoft, AMD... are all trying to appeal to the open source crowd (while rejecting actual free software, of fucking course).
>>5488 FSF is mostly fine, SV keeps neutering the licenses - I think it loses in the message it chooses to spread of some liberal free speech thing when the core of free software is that work - as Marx points out - is social and wage labour etc gets in the way of that until it becomes alien to the worker. The point of FSF (and RMS at least gets this though markets it wrong) is to build a community of hackers working on useful stuff that they love - i.e. socially useful labor (communism)
>>5525 it's free code auditing lol
>>5527 Does anyone actually spend their free time reading random code on the net?
>>5528 yea tons lol though some of the culture has shifted to sec researchers trying to make a name for themselves
>>5527 Yeah, exactly. >>5528 Are you seriously asking that?
>>5531 >>5529 I'm seriously asking because there seems to be a myth that programmers read source code on its own (i.e., not as part of modifying it or doing code review for patches) but in practice nobody actually seems to do it. As far as I know, most security issues are found by automated means (fuzzing, static analysis, etc.) done by corporate entities and not by eager amateurs. Maybe it's different with black hats but corporations usually don't benefit from that. Do you have any proof that people are actually doing free code audits in their free time or do you just feel that it is plausible that they do?
>>5525 GPL violations still happen. Part of the reason corporations release source code is marketing, imbeciles eat up "open source" bullshit even when the software is actually proprietary (see the case of Visual Studio Code). But more importantly it is to let other corporations work on their software. Outside of the GNU sphere of influence, most contributions are actually coming from people who are paid to do it.
>>5534 ...Yes? That doesn't contradict what I said and I'm already aware of it. First it's "GPL is antirevolutionary somehow", then it's "GPL can't be held up", then it's "acshually they go open source so retards audit them for free".
>>5536 That was a reply to a post that claimed that big corporations uphold license conditions. I pointed out that in many cases they do not. Why are you so upset about it?
Unless you can provide any concrete proof that "free code audits" are a common thing and corporations count on it when open sourcing their shit, I'm going to doubt it. In any corporation I worked at, it was not once even brought up when considering what to open-source and what to keep proprietary. It sounds like another of those bullshit legends that you faggots come up with not because it actually happens but because you want it to happen so you can feel super smart about uncovering a conspiracy that never actually existed. Honestly this /tech/ board is second only to /g/ in terms of brainrot.
>>5520 based, this just sold me on the agpl
>>5533 Well first off static analysis is just staring at code, i.e. not automated, and what tools do exist are extremely limited and only help for small CTF style programs. As for is it auditing or code check-ins, it's both, any large gnu project will have core developers checking code before it's merged. As for the pure audit style analysis that's mostly sec researcher domain to find bugs. t. actual security researcher
>>5539 A lot technically do but don't uphold the 'spirit' of the project. Apple (BSD Kernel + Mach) releases source code 6 months to a year late and claims iOS (basically the same kernel + some more ARM macros) isn't released because Apple says it's 'different enough'. They aren't in violation technically but it's universally seen as kind of a shitty move
>>5540 It's more than just marketing shit, OSing core components into Linux or whatever improves stability for the company - vmware is a pretty good example - things that aren't so reliant on outside technology are usually kept proprietary and fall into security by obscurity which is really just a matter of time before someone runs IDA on it
>>5543
>t. actual security researcher
Yeah I highly doubt that if you are not even familiar with static code analysis. https://en.wikipedia.org/wiki/Static_program_analysis
> The term is usually applied to the analysis performed by an automated tool
>>5546
> with human analysis being called program understanding,
literally no one calls it this outside of maybe corporate environments. It's universally understood static analysis is staring at decompilation and source code while dynamic is running a debugger on it. CS names are so academic, technically a 4096 byte page is a kibibyte or whatever but everyone just says kilobyte because it doesn't sound retarded
>>5547 4 kilobytes I mean, vs 4 kibibytes
>>5547 and if you think all bugs are found with
> just fuzzing
those are usually low hanging fruit on code that was never audited - look at googleprojectzero, there's no 'automated tool' in the world that will find obscure mach reference bugs
>>5547 It's a pretty common term, I've never heard it called anything else. I'm 100% certain that this is how it is used in both academy and "industry".
>>5550 Find a single security researcher on twitter that says they found their bug with 'program understanding' lmao
>>5549 I'm not claiming that's how all are found but that that is the most common thing. Project Zero is a corporate entity who are paid to do security research, they don't count as free code audit.
>>5551 I'm talking about professional developers, not hipsters from your favourite circlejerk.
>>5552 stop moving the goalposts, I said that those types of bugs are found with heavy source auditing, not some limited tool that some grad students built or the sec firms peddle as snake oil
GPL will win.
>>5553 that's the fucking industry you moron, it's twitter
>>5554 I recommend reading the whole thread before you accuse others of moving the goal posts.
>>5556 The self-promotion industry maybe, but not software engineering.
>>5557
> lol it's just marketing yall dumb
> bugs are found with automated tools
> actually they aren't
> muh hipster circlejerk
wtf did I miss
>>5559 The original claim was that corporations release source code to trick poor unsuspecting developers into doing a full source code audit without any monetary compensation. The reality is that they don't, some corporations might run their automatic shit for low hanging fruit but that's it. They have other reasons to release source code.
>>5560 Yeah those other reasons are
1) improve code stability through fucking auditing (any company driver on linux)
2) opening the source for other researchers to more easily look at it (which is the god damn security industry)
3) nefarious hijinks to take over FOSS projects
If you are just going to redefine what auditing is to an extremely narrow range of the above then I'm out
>>5555 GPL and copyright like creative commons need to stop pandering to the libertarian crowd imo and just go full we support a communist version of work (no wage labor, community sharing) and not the free beer or marketability to MS circlejerk. But yea GPL will win
>>5561 Code reviews are not code auditing, I don't think anyone would claim that. I understand that you are a "security researcher" and never actually worked as a software engineer, so you will just have to accept that people who work closer to the whole development process use more sophisticated vocabulary to describe it. Regarding your points:
1. They don't care about the maintainer's opinion, they upstream their shit to mainline because it is much easier to maintain it once there. Patches outside the tree are very prone to bitrot.
2. They don't care about your "research", they have their internal security processes that code has to go through before being published, they believe it to be already secure. They know that if you find something you will publicise it, which is bad PR for them.
3. That might be a reason for contributing to existing projects, but not for releasing their own source code.
But all of this is beside the point. The original claim was that corporations release their shit to trick hobbyists to do code audits for them for free, exploiting them. I think we can agree that this is not typical, and if any corporation counts on it, they will be very disappointed.
>>5563 I was a software developer for 5 years, your 'sophisticated vocabulary' reeks of elitism and pedantry like all of your posts. In order:
1) Proving my point, attaching it to the main project and not having to maintain a 10 year old fork improves stability
2) Yea free labor from sec researchers, PR hit is negligible
3) I didn't mean backdoor shit, look at what MS attaches to the linux kernel
The point was there is free labor attached to open sourcing code which companies indirectly or directly take advantage of, I'm sorry it doesn't meet your definition of code auditing or whatever
>>5543 >what is formal verification?
I want to see a paramilitary wing of the FSF, a "Software Liberation Front" (SLF) that plants bombs in front of Google, Microsoft and Oracle offices and takes hostages in exchange for the source code being released under copyleft licenses.
(982.62 KB 3024x4032 starcraftsource.jpg)
>>5622 Also that faggot who found this and returned it to Blizzard. Death to all traitors.
>>5622 if you do find it send me the recruitment application at [email protected]
>>5626 oh, sorry. didn't mean to post such a serious post on a glowie site. But for real though, send me that shit.
>>5625 would have really liked the source code to that
>>5547 Is this really what Static Analysis is? I've taken a class on static analysis and it's all about analyzing OO code for object oriented quality metrics like McCall's model, Chidamber and Kemerer metrics, etc. Maybe it has a different meaning in software/quality engineering than in security
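As an added example (not from the thread or any poster), here is the metrics-style static analysis that post describes, automated in the sense the Wikipedia quote earlier gives: a Python script that computes three Chidamber and Kemerer metrics (WMC, DIT, NOC) from a module's AST without anyone reading the code. The sample module, the outlier thresholds and the treatment of bases defined outside the module are my own assumptions.

```python
import ast
from collections import defaultdict

# Constructed sample module to analyse; not code from the thread.
SAMPLE = """
class Base:
    def open(self): pass
    def close(self): pass
class Mid(Base):
    def read(self): pass
class Leaf(Mid):
    def read(self): pass
    def seek(self, n): pass
    def tell(self): pass
class Other(Base):
    pass
"""

METHOD = (ast.FunctionDef, ast.AsyncFunctionDef)

def ck_metrics(source):
    """Per top-level class: WMC (method count, unit weights), DIT (inheritance
    edges down to a root; a base not defined in this module is treated as a
    root, my simplifying assumption) and NOC (direct subclasses here)."""
    tree = ast.parse(source)
    classes = {n.name: n for n in tree.body if isinstance(n, ast.ClassDef)}
    children = defaultdict(list)           # parent name -> [child names]
    for name, node in classes.items():
        for base in node.bases:
            if isinstance(base, ast.Name):
                children[base.id].append(name)

    def dit(name, seen=frozenset()):
        node = classes.get(name)
        if node is None or name in seen:    # external base, or a cycle: stop
            return 0
        bases = [b.id for b in node.bases if isinstance(b, ast.Name)]
        return 1 + max(dit(b, seen | {name}) for b in bases) if bases else 0

    return {name: {"WMC": sum(isinstance(x, METHOD) for x in node.body),
                   "DIT": dit(name),
                   "NOC": len(children[name])}
            for name, node in classes.items()}

def flag_outliers(metrics, wmc_max=2, dit_max=1):
    # Classes over constructed thresholds: the kind of report such tools emit.
    return sorted(n for n, m in metrics.items()
                  if m["WMC"] > wmc_max or m["DIT"] > dit_max)
```

Running `ck_metrics(SAMPLE)` reports Leaf at DIT 2 and WMC 3, so `flag_outliers` names it as the only class over the thresholds.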
>>>/b/ Doing posting is peak praxis.