Software Freedom Conservancy

[RSS] Conservancy Blog

Displaying posts tagged Reproducible Builds

Hacker and Software Liberator

by Deb Nicholson on December 17, 2019

This week we are interviewing Mark Wielaard, one of the excellent people who is supporting our annual fundraiser by putting up matching funds. This year's match is our biggest yet! We've been challenged to match a total of $113,093. Donations help us support and protect free software alternatives and grow a bold software freedom movement where everyone is welcome.

Mark Wielaard addressing a group in front of a chalkboard

Photo at GNU Tools Cauldron 2017, courtesy of Mark Wielaard.

Mark Wielaard has a been a free software developer and advocate for a long time! He started out helping liberate Java as GNU Classpath maintainer and over the past twenty years, he has spoken publicly about his work to improve the experience of using critical free software tools including GCC and glibc and the DWARF debugging tools, elfutils and Valgrind. He's a senior principal software engineer at Red Hat working in the Engineering Tools group. Mark is passionate about building a software freedom movement that is inclusive and as bug-free as possible. He is not a huge fan of interviews, but generously agreed to answer a few questions for us anyway. Thanks, Mark!

1. What do you think is the biggest threat to software freedom today?

Centralized, non-open-standards based, communication and collaboration platforms. Personally I am perfectly happy using just email and irc. For all my personal needs I can now use my personal computer using free software. I have used a Firefox OS based phone in the past, but don't generally use a "smartphone". If you restrict yourself like that then it totally looks like we have won. There is this happy little community that has total control over their own computing. But it is a bubble. And it is getting harder and harder to get out. There are so many people who depend on communicating (and collaborating) with each other through these large centralized systems which only have proprietary (javascript) clients. It feels like it is getting harder and harder to bridge the gap.

2. What do you think free software projects should be paying more attention to over the next few years?

Besides figuring out what to do about those centralized communication/collaboration platforms I think Reproducible Builds (a Conservancy project) is really important. Even if you use only free software, you are still vulnerable to software supply chain attacks -- unless you audit and build all the software yourself. But everybody ultimately uses some binary builds produced by someone else. Reproducible Builds allow users to collaboratively "challenge" the provider of their binaries -- to trust, but verify.

3. Which Conservancy projects do you use?

As a hacker my current workflow is largely based around Git, Qemu, and Buildbot. But all Conservancy projects are useful (or just plain fun) in various situations. People really should check out the member list. If you used one of the projects and it was useful, consider hitting the Donate button.

4. Do you talk to family and friends about free software? If so, where do you usually start?

They will probably tell you I talk too much about it. These days it is easier because people very much realize they are no longer in control of their own computing devices. Sadly, software and computing have become synonymous with tracking and spyware. For their desktop or laptop I can mostly provide some free software solution. But not having much experience with mobile devices I often struggle to suggest good free software solutions there, except to suggest to avoid them if possible. Most people have become too dependent on their mobile devices to just not use them anymore.

5. Finally, what caused you to step up as a matcher for Conservancy this year?

Conservancy supports many software freedom causes and projects to which I could never productively contribute directly myself. Giving money is my indirect way to contribute. I believe it is important that Conservancy is supported by as many individuals as possible, so they can stay independent. Hopefully, the matching program inspires even more people to join, so that Conservancy can provide community projects a home where they can produce even more Software Freedom for all of us.

Participate in the match and have your donation doubled through the generosity of folks like Mark, today!

Tags: conservancy, Reproducible Builds, QEMU, software freedom for everyone

Conservancy News Round-up

by Deb Nicholson on May 28, 2019

May is for code releases! Check out these videos, blog posts from member projects, code releases and upcoming events.

Recent Videos and Podcasts

Deb's talk on Free Software/Utopia is up, on the Free software Foundation's MediaGoblin server.

Deb was also the guest of honor on Libre Lounge, Episode 19: Community Development with Deb Nicholson. Thanks to Chris and Serge for their dedication to free software and to Conservancy's work!

On Free as in Freedom, Karen and Bradley discuss two additional permissions that can be used to “backport” the GPLv3 Termination provisions to GPLv2 — the Kernel Enforcement Statement Additional Permission, and the Red Hat Cooperation Commitment.

Our Member Projects Have Been Busy

This summer's Outreachy interns were announced. "Congratulations to the 43 interns accepted to the Outreachy May 2019 to August 2019 round!"

phpMyAdmin -- along with several other Conservancy projects -- are excited about participating in Outreachy this round.

MicroBlocks presented at ROBOLOT, an educational robotics conference held in Catalan. The video of their panel is about 75% Catalan and 25% English, so feel to skip around or brush up on your Catalan.

The Godot team attended GDC, aka the "Game Developers Conference" in San Francisco reported on their improved name recognition at this year's event.

The folks at Reproducible Builds, shared" that security and software supply chain attacks were in the news and that this was a busy month for their distro work.

Some recent code releases:

Etherpad merged in a big chunk of code to improve recovery from brief server outages. "The resulting code is 15% smaller than before, and is also much easier to comprehend."

What's coming up?

Catch up with staff:

Karen keynotes sambaXP on June 5th at 10:15 local time in Göttingen, Germany.

Bradley will be at the Ninth Annual RacketCon in Salt Lake City, Utah, where he will give a talk titled, "Conservancy and Racket: What We Can Do Together!"

Many of our projects have events coming up:

In addition to the aforementioned sambaXP and RacketCon...

First talks are announced for Selenium's upcoming London conference, tickets are available now.

North Bay Python has announced their dates for this year's event, November 2 & 3, 2019. Talk submissions will open soon!

Tags: conservancy, Wine, GPL, Kallithea, Google Summer of Code, Member Projects, Godot, Reproducible Builds, QEMU, Selenium, Outreachy

Conservancy News Round-up

by Deb Nicholson on April 17, 2019

Check out these videos, blog posts from member projects, code releases and upcoming events.

Recent Videos

Our Member Projects Have Been Busy

Some recent code releases:

What's coming up?

Catch up with staff:

Many of our projects have events coming up:

Bonus news! GPLv3 code made the famous black hole picture possible. Congrats to Doctor Katie Bouman and her team!

Tags: conservancy, conferences, Godot, Reproducible Builds, Selenium, Outreachy, events, Clojars, inkscape, Hackfests, Racket

Do You Know Where Your Code Came From? If You Don't Have Source You Aren't Secure

by Pamela Chestek on April 4, 2019

I sometimes work for Conservancy assisting in their compliance work. Conservancy follows the Principles of Community-Oriented GPL Enforcement, enforcement principles published by Conservancy and the Free Software Foundation. As the process goes, Conservancy receives complaints from users about products whose sellers aren't meeting their GPL license obligations and Conservancy may investigate. Many of these complaints are for hardware devices with embedded code. The complaints are almost always are that there is free software on the device but that the source code is not available.

Conservancy will purchase the complained-of device and independently determine whether or not there is a GPL violation, including requesting the source code. This is where the rubber meets the road, particularly for embedded devices. In phone calls with the hardware manufacturer, the manufacturer will almost always say that they don't have the code on hand and need to get it from their factory or vendor.

When I hear this, I want to gasp out loud. I'm not gasping because I find the non-compliance so surprising (it's not), but that a manufacturer is shipping a device that it has not independently confirmed was manufactured as spec'd. A manufacturer designs a device, say a home security camera, and has outsourced the manufacturing to a factory. The factory may have subcontracted with someone else for the component, who may have contracted with yet another company for the firmware. Yet despite the length and opaqueness of the supply chain, the companies we buy from are not doing any due dligence on the products they are selling. When a company tells me they don't have the source code available, I add them to the list in my head of brands I will not buy.

This is not a trivial oversight. Doorbell cameras, security cameras, televisions, baby monitors, and home audio equipment have a view into the most intimate parts of our lives, and yet the manufacturers are not doing everything they can to ensure that our private lives stay private. The component manufacturer, the firmware manufacturer, the factory, or all of them, could be adding malicious code to the device and the vendor has not taken the simplest step of verifying the software on the device does only what it is supposed to do and nothing more.

And it's an easy problem to solve. All the company needs is the source code. There is now even a free software project, Reproducible Builds, that can be used to verify that the source code provided compiles to exactly the object code found on the device.

And guess what? By performing the far more critical task of ensuring that a manufactured device has not been compromised, the source code compliance problem has been solved too.

Tags: GPL, Reproducible Builds

Next page (older) »

[1] 2

Connect with Conservancy on Mastodon, Twitter, pump.io, Facebook, and YouTube.

Main Page | Contact | Sponsors | Privacy Policy | RSS Feed

Our privacy policy was last updated 25 May 2018.