Conservancy News Round-up

by Deb Nicholson on April 17, 2019

Check out these videos, blog posts from member projects, code releases and upcoming events.

Recent Videos

• Bradley and Karen during their keynote at FOSDEM, "Can Anyone Live in Full Software Freedom Today? Confessions of Activists Who Try But Fail to Avoid Proprietary Software"
• Microblocks in use (it's in Catalan, but the smiling faces are understandable in any language!)
• Deb keynoted Gitmerge, "The Future of Free Software"
• Godot engine in use! These are from published games and games in development. Check out the Desktop / Console showreel and the Mobile Showreel.
• Bradley gave a talk at SCaLE, "If Open Source Isn't Sustainable, Maybe Software Freedom Is?" that got written up on LWN.
• The State of Godot address by Juan Linietsy

Our Member Projects Have Been Busy

• Outreachy getting ready for another round of interns! You can see the projects that are participating in this summer's program here.
• Lots of Reproducible Builds work in March
• Godot is receiving a MOSS Grant
• Inkscape's SCALE17x Hackfest 2019 launched plans for 1.0 release and more
• Recent Clojurists Together work funded through Conservancy

Some recent code releases:

• Homebrew 2.1.0 release
• Wine 4.6 release
• Twisted 19.2.0 release

What's coming up?

Catch up with staff:

• Deb speaks about governance at Open Source 101 on Thursday
• Swing by Bellingham to say hi to Bradley at our Linuxfest Northwest booth later this month
• Deb speaks about diversity at Red Hat Summit in May

Many of our projects have events coming up:

• Selenium Conf in Tokyo
• Ninth Annual RacketCon, plus Bradley will be there.
• Samba XP -- Karen is keynoting!
• One week blocks workshop for public school teachers, "Physical Computing with the BBC micro:bit"
• Teaching Open Source planning a summer POSSE meeting

Bonus news! GPLv3 code made the famous black hole picture possible. Congrats to Doctor Katie Bouman and her team!

[permalink]

Tags: conservancy, conferences, Godot, Reproducible Builds, Selenium, Outreachy, events, Clojars, inkscape, Hackfests, Racket

Do You Know Where Your Code Came From? If You Don't Have Source You Aren't Secure

by Pamela Chestek on April 4, 2019

I sometimes work for Conservancy assisting in their compliance work. Conservancy follows the Principles of Community-Oriented GPL Enforcement, enforcement principles published by Conservancy and the Free Software Foundation. As the process goes, Conservancy receives complaints from users about products whose sellers aren't meeting their GPL license obligations and Conservancy may investigate. Many of these complaints are for hardware devices with embedded code. The complaints are almost always are that there is free software on the device but that the source code is not available.

Conservancy will purchase the complained-of device and independently determine whether or not there is a GPL violation, including requesting the source code. This is where the rubber meets the road, particularly for embedded devices. In phone calls with the hardware manufacturer, the manufacturer will almost always say that they don't have the code on hand and need to get it from their factory or vendor.

When I hear this, I want to gasp out loud. I'm not gasping because I find the non-compliance so surprising (it's not), but that a manufacturer is shipping a device that it has not independently confirmed was manufactured as spec'd. A manufacturer designs a device, say a home security camera, and has outsourced the manufacturing to a factory. The factory may have subcontracted with someone else for the component, who may have contracted with yet another company for the firmware. Yet despite the length and opaqueness of the supply chain, the companies we buy from are not doing any due dligence on the products they are selling. When a company tells me they don't have the source code available, I add them to the list in my head of brands I will not buy.

This is not a trivial oversight. Doorbell cameras, security cameras, televisions, baby monitors, and home audio equipment have a view into the most intimate parts of our lives, and yet the manufacturers are not doing everything they can to ensure that our private lives stay private. The component manufacturer, the firmware manufacturer, the factory, or all of them, could be adding malicious code to the device and the vendor has not taken the simplest step of verifying the software on the device does only what it is supposed to do and nothing more.

And it's an easy problem to solve. All the company needs is the source code. There is now even a free software project, Reproducible Builds, that can be used to verify that the source code provided compiles to exactly the object code found on the device.

And guess what? By performing the far more critical task of ensuring that a manufactured device has not been compromised, the source code compliance problem has been solved too.

[permalink]

Tags: GPL, Reproducible Builds

Conservancy at LibrePlanet this Weekend

by Deb Nicholson on March 20, 2019

This weekend, the Free Software Foundation hosts its 11th annual LibrePlanet conference on March 23-24. The event takes place at the Stata Center at the Massachusetts Institute of Technology.

Our Director of Community Operations Deb Nicholson speaks on Sunday at 2:30 PM about Free Software/Utopia, or how the free software movement could be more successful by mirroring the kind of improved and empowering world we hope to build with software freedom. She will also be helping to run the Annual Members Meeting on Sunday during lunch.

LibrePlanet is free for FSF members. The weekend often includes several co-located free and open to the public events. You can find more information on the FSF's site.

[permalink]

Tags: conferences, events

Understanding LF's New “Community Bridge”

by Bradley M. Kuhn and Karen M. Sandler on March 13, 2019

Yesterday, the Linux Foundation (LF) launched a new service, called “Community Bridge” — an ambitious platform that promises a self-service system to handle finances, address security issues, manage CLAs and license compliance, and also bring mentorship to projects. These tasks are difficult work that typically require human intervention, so we understand the allure of automating them; we and our peer organizations have long welcomed newcomers to this field and have together sought collaborative assistance for these issues. Indeed, Community Bridge's offerings bear some similarity to the work of organizations like Apache Software Foundation, the Free Software Foundation (FSF), the GNOME Foundation (GF), Open Source Initiative (OSI), Software in the Public Interest (SPI) and Conservancy. People have already begun to ask us to compare this initiative to our work and the work of our peer organizations. This blog post hopefully answers those questions and anticipated similar questions.

The first huge difference (and the biggest disappointment for the entire FOSS community) is that LF's Community Bridge is a proprietary software system. §4.2 of their Platform Use Agreement requires those who sign up for this platform to agree to a proprietary software license, and LF has remained silent about the proprietary nature of the platform in its explanatory materials. The LF, as an organization dedicated to Open Source, should release the source for Community Bridge. At Conservancy, we've worked since 2012 on a Non-Profit Accounting Software system, including creating a tagging system for transparently documenting ledger transactions, and various support software around that. We and SPI both now use these methods daily. We also funded the creation of a system to manage mentorship programs, which now runs the Outreachy mentorship program. We believe fundamentally that the infrastructure we provide for FOSS fiscal sponsorship (including accounting, mentorship and license compliance) must itself be FOSS, and developed in public as a FOSS project. LF's own research already shows that transparency is impossible for systems that are not FOSS. More importantly, LF's new software could directly benefit so many organizations in our community, including not only Conservancy but also the many others (listed above) who do some form of fiscal sponsorship. LF shouldn't behave like a proprietary software company like Patreon or Kickstarter, but instead support FOSS development. Generally speaking, all Conservancy's peer organizations (listed above) have been fully dedicated to the idea that any infrastructure developed for fiscal sponsorship should itself be FOSS. LF has deviated here from this community norm by unnecessarily requiring FOSS developers to use proprietary software to receive these services, and also failing to collaborate over a FOSS codebase with the existing community of organizations. LF Executive Director Jim Zemlin has said that he “wants more participation in open source … to advance its sustainability and … wants organizations to share their code for the benefit of their fellow [hu]mankind”; we ask him to apply these principles to his own organization now.

The second difference is that LF is not a charity, but a trade association — designed to serve the common business interest of its paid members, who control its Board of Directors. This means that donations made to projects through their system will not be tax-deductible in the USA, and that the money can be used in ways that do not necessarily benefit the public good. For some projects, this may well be an advantage: not all FOSS projects operate in the public good. We believe charitable commitment remains a huge benefit of joining a fiscal sponsor like Conservancy, FSF, GF, or SPI. While charitable affiliation means there are more constraints on how projects can spend their funds, as the projects must show that their spending serves the public benefit, we believe that such constraints are most valuable. Legal requirements that assure behavior of the organization always benefits the general public are a good thing. However, some projects may indeed prefer to serve the common business interest of LF's member companies rather than the public good, but projects should note such benefit to the common business interest is mandatory on this platform — it's explicitly unauthorized to use LF's platform to engage in activities in conflict with LF’s trade association status). Furthermore, (per the FAQ) only one maintainer can administer a project's account, so the platform currently only supports the “BDFL” FOSS governance model, which has already been widely discredited. No governance check exists to ensure that the project's interests align with spending, or to verify that the maintainer acts with consent of a larger group to implement group decisions. Even worse, (per §2.3 of the Usage Agreement) terminating the relationship means ceasing use of the account; no provision allows transfer of the money somewhere else when projects' needs change.

Finally, the LF offers services that are mainly orthogonal and/or a subset of the services provided by a typical fiscal sponsor. Conservancy, for example, does work to negotiate contracts, assist in active fundraising, deal with legal and licensing issues, and various other hands-on work. LF's system is similar to Patreon and other platforms in that it is a hands-off system that takes a cut of the money and provides minimal financial services. Participants will still need to worry about forming their own organization if they want to sign contracts, have an entity that can engage with lawyers and receive legal advice for the project, work through governance issues, or the many other things that projects often want from a fiscal sponsor.

Historically, fiscal sponsors in FOSS have not treated each other as competitors. Conservancy collaborates often with SPI, FSF, and GF in particular. We refer applicant projects to other entities, including explaining to applicants that a trade association may be a better fit for their project. In some cases, we have even referred such trade-association-appropriate applicants to the LF itself, and the LF then helped them form their own sub-organizations and/or became LF Collaborative Projects. The launch of this platform, as proprietary software, without coordination with the rest of the FOSS organization community, is unnecessarily uncollaborative with our community and we therefore encourage some skepticism here. That said, this new LF system is probably just right for FOSS projects that (a) prefer to use single-point-of-failure, proprietary software rather than FOSS for their infrastructure, (b) do not want to operate in a way that is dedicated to the public good, and (c) have very minimal fiscal sponsorship needs, such as occasional reimbursements of project expenses.

Update on 2019-04-01: Community Bridge was also discussed on episode 0x65 of Free as in Freedom, which is available in mp3 format and ogg format.

[permalink]

Tags: conservancy, CLA, licensing