Software Freedom After Trump
byon December 29, 2016
I’ll say it: it’s been rough since the election. Like so many other people, I was thrown into a state of reflection about my country, the world and my role in it. I’ve struggled with understanding how I can live in a world where it seems facts don’t matter. It’s been reassuring to see so many of my friends, family and colleagues (many of them lawyers!) become invigorated to work in the public good. This has all left me with some real self-reflection. I’ve been passionate about software freedom for a long time, and while I think it has really baffled many of my loved ones, I’ve been advocating for the public good in that context somewhat doggedly. But is this issue worth so much of my time? Is it the most impactful way I can spend my time?
Karen Sandler delivers her keynote at this year’s OSCon EU
I think I was on some level anticipating something like this. I started down this road in my OSCON EU keynote entitled “Is Software Freedom A Social Justice Issue,” in which I talked about software freedom ideology and its place relative to social justice issues.
This time, like when I was doing the soul searching that led to the OSCON EU talk, I kept coming back to thinking about my heart and the proprietary software I rely on for my life. But what’s so powerful about it is that my heart is truly a metaphor for all of the software we rely on. The pulse of our society is intertwined with our software and much of it is opaque from scrutiny and wholly under the control of single companies. We do not have ultimate control of the software that that we need the most.
After all of this deep reflection, the values and the mission of software freedom has never seemed more important. Specifically, there are a few core pieces of Conservancy’s mission and activities that I think are particularly relevant in this era of Trump.
Defending the integrity of our core infrastructure
One the things I’ve focused on in my advocacy generally is how vulnerable our core infrastructure is. This is where we need software freedom the most. We need to make sure that we are doing our best to balance corporate and public interests, and we need to be able to fix problems when they arise unexpectedly in our key systems. If we’ve learned anything from Volkswagen last year, it’s that companies may be knowingly doing the wrong thing, covering it up while also promoting corporate culture that makes it extremely unlikely that employees may come forward. We need to have confidence in our software, be able to audit it and be able to repair it when we detect vulnerabilities or unwanted functionality like surveillance.
Software freedom, and copyleft in particular, helps us keep the balance. Conservancy is dedicated to promoting software freedom, defending our licenses and supporting many of our member projects that are essential pieces of our infrastructure.
It may feel like we’ve entered into a world where facts don’t matter but we at Conservancy disagree. Conservancy is committed to transparency, both in the development of software that can be trusted, but also in our own operations. We’re committed to helping others understand complex topics that other people gloss over, as well as shedding light on our own financial situation and activities. (This end-of-year giving season I recommend you carefully read the Form 990s of all of the organizations you consider donating to, including ours—check out how money much the top people make and think about what the organizations accomplish with the amount of resources they have available to them.)
While hate and exclusion are on the rise, it’s more important than ever to make sure that our own communities do the right thing. I’m proud to have Conservancy host and to also personally help run Outreachy, making sure that many of the groups that are now feeling so marginalized have opportunities to succeed. Additionally, software freedom democratizes access to technology, which can (in time) empower disenfranchised communities and close digital divides.
Because together, we get it
Perhaps most importantly, unethical software is something that everyone is vulnerable to, but most don’t understand it at all. You need a certain level of expertise just to understand what software freedom is let alone why it’s so important. There are many things we can and should work on, but if we don’t keep our focus on software freedom the long term consequences will be dire. Software freedom is a long-term cause. We must work towards sound infrastructure and look after the ethical underpinnings of the technology we rely on, because if we don’t, who will?
We can’t just be reactive. We have to build the better world.
Please join me in doubling your efforts to promote software freedom. Help Conservancy continue its important mission and become a Supporter now.
Debian’s Luke Faraone on Why He’s a Conservancy Supporter
byon December 28, 2016
Luke Faraone is a Debian developer involved in our Debian Copyright Aggregation Project. He’s also a Conservancy Supporter because, in his words, Conservancy is “one of the best defenders of the ideals of free software.” Join Luke as a Conservancy Supporter today to help sustain that important work through 2017.
New CPUs, GPUs, and faster migrations: QEMU looks forward to 2017
byon December 27, 2016
This series covers new developments and exciting projects taken on by Conservancy member projects. To learn more about Conservancy member projects, or the non-profit infrastructure support and services offered by the Conservancy, check out Conservancy’s Projects page. Please support Conservancy so we can continue to help all this important software.
The cloud—the great modern technology buzzword. Even those who don’t think of themselves as technical users have heard the phrase and perhaps even benefited from it. Though there are many proprietary cloud providers, OpenStack is the most popular FLOSS cloud software platform, powering massive web sites like Overstock.com and PayPal. What you might not know is that Conservancy member project QEMU is at the heart of OpenStack, and the project is proud to support them.
QEMU is a FLOSS project that makes it possible to emulate one hardware platform on another hardware platform and/or run multiple virtual machines (VMs) on a single physical machine. QEMU is just one of the many great FLOSS communities that Conservancy supports and I was lucky enough to be able to interview several of QEMU’s main contributors to ask them about their project, its future, and how Conservancy supporters have helped them succeed! In my interview with Stefan Hajnoczi, one of several QEMU subsystem maintainers and a contributor to the project since 2010, he said that the project benefits from Conservancy’s infrastructure, legal and community support.
An important moment in the life of any FLOSS project is when it adopts a structure that can outlast any single individual. Stefan says that Conservancy has helped QEMU make that trasition. Conservancy provides the infrastructure for holding domain names, hosting the project’s website, handling the project’s finances and accepting tax-free donations.
Conservancy also helps QEMU when the rare legal issue arises. “It’s difficult for any open source project that doesn’t have lots of funds to get legal clarity,” says Mr. Hajnoczi, and QEMU’s many different uses make legal clarity particularly important for the project.
QEMU is a widely used project and accepts contributions from a variety of sources, from corporate developers to hobbyists. Corporate and FLOSS projects of all kinds integrate and modify QEMU because its utility and flexibility make it a great foundation on which to build solutions for their end users’ problems. This means that QEMU is often mixed with software distributed under several different licenses. Because so many end users benefit from QEMU’s integration in these solutions, there are plenty of people who can report potential license violations that QEMU and Conservancy work together to resolve.
Although it’s already an invaluable resource in the corporate world, in other FLOSS communities and for many end users, the QEMU project is not slowing down! 2017 is shaping up to be a very productive year for QEMU and it could not sustain its growth without support for the user and developer community by Conservancy.
In 2017, QEMU will advance their support for the ARM and RISC-V architectures. Full support for these architectures is vital. The heart of almost every mobile phone is an ARM processor, and the chip is even starting to be used in datacenter servers because of its power efficiency. RISC-V is a completely open architecture specification developed by a consortium whose members include Google, Microsoft, Nvidia, IBM, and HP Enterprises, among others. The goal is to develop RISC-V to work in a variety of contexts, from high-performance computing to computer science and engineering education.
In 2017 QEMU also plans improvements in the software’s ability to move running systems between different computers without pausing execution, called live migration. QEMU has supported live migration since 2010 but plans on expanding support for this feature in the new year. This work will make it possible for administrators to immediately shift a VM to another physical machine without having to wait for the VM’s utilization to reach a certain level, a limitation that exists today.
Finally, 2017 will also bring new support for QEMU’s ability to virtualize graphics processing units (GPUs). These days many artificial intelligence and machine learning software tools are being written to take advantage of GPUs. Virtualizing those resources in the way that QEMU already virtualizes a CPU, hard drive or network card would reduce the total amount physical resources required for GPU-intensive applications by sharing the resources efficiently.
These advances are all driven by QEMU’s community of developers and users. Conservancy helps QEMU foster that community by providing hardware and software resources for Internet hosting and facilitating the nuts and bolts of its participation in Google Summer of Code and Outreachy. The work from developers mentored through those projects has pushed QEMU into new areas. Conservancy has worked with QEMU to make it as easy as possible for both mentors and mentees to work together productively.
Since its founding in 2004, QEMU has made a huge technical and social impact thanks to its role in facilitating cloud deployments. Its incredible success so far is only overshadowed by its future. Conservancy looks forward to continuing to work with QEMU as it expands and grows in 2017 and beyond.
Report from the 2016 Reproducible Builds Summit
byon December 26, 2016
A couple of weeks ago I was at the Reproducible Builds Summit in Berlin. Over sixty representatives from all kinds of projects came together for three days to share information and ideas, plan solutions, and even squeeze in a little time to hack. It was my first real opportunity to dive into this work. I learned a ton, even enough to chip in a little, and I’m looking forward to working more on reproducible builds from here on out.
When we talk about reproducible builds, what we mean is a build process that produces the exact same binary every time you run it with the exact same inputs (like source code versions and compiler settings). If you’re interested in the details, check out the definition on the Reproducible Builds site—a bunch of folks hammered that out during the Summit.
You might think most build processes would be reproducible most of the time, but often the binaries include small inputs that are hard to reproduce, such as timestamps or build paths. Much of the work toward reproducible builds so far has focused on improving the inputs: removing inputs that aren’t really necessary to the final product, and better recording the ones that are. Once that’s done, most build processes are as reproducible as you’d expect. There’s still more to do there, but there’s enough of a foundation that we can start seeing some benefits from reproducible builds. Many of the discussions at the Summit were about planning those next steps.
Conservancy is really excited to help reproducible builds. Having a clear and trusted link from source code to binary helps the community in many different ways:
- The most obvious is security. When builds are reproducible, everyone can check for themselves that binaries they download actually come from the expected source code. We can demonstrate that unwanted code isn’t being added to distributors’ binaries, either accidentally or maliciously.
- A reproducible build is a documented build. When everyone can see exactly what inputs and build steps generated a binary, everyone can review and comment on that build process. It becomes easier to find binaries with “bad” inputs (like a version of a library with a critical bug) and plan an upgrade process for them.
- Reproducible builds can make license compliance easier for binary distributors. When a free software license requires distributors to provide source code, sometimes it can take a little work for them to figure out exactly what the right source code is. For example, if they have three versions of a development library installed on their build system, how do they know for sure which one went into the binary and should be included in the source code release? Reproducible builds record the answer unambiguously, in a format that can make it simple to put all the source code together.
We’ll reap the most benefits if there’s support at every level of the stack. Debian kickstarted the reproducible builds effort, and at the Summit there was a lot of great discussion about reaching out to other communities. Right now the focus is on other package distributors, so it was great to see representatives from Fedora, openSUSE, F-Droid, and Nix there. But our discussions also recognized the need for outreach to other projects that can play a role in this work, like build tools and other software that generates binaries that get shipped to users (such as filesystems or bytecode compilers). If you’re involved in a project like that, I encourage you to join us on the general mailing list for reproducible builds and introduce yourself. The more people working on this, the merrier!
Many thanks to all the Summit organizers for planning and running a productive working space. I’m already looking forward to the next reproducible builds meeting.