Conservancy Blog

Displaying posts tagged conservancy

Open Letter to Biden: Cybersecurity for FOSS needs copyleft and consumers' right to repair

by Bradley M. Kühn on February 1, 2022

Inspired by the log4j situation, The White House recently met with Big Tech on the issue of security vulnerabilities in FOSS used in the nation's infrastructure. While we are glad these issues have received attention at the highest levels of the administration, we are concerned that representation in these discussions is skewed. Hobbyists, and communities organized around public interest and consumer rights, who both use and develop a large portion of FOSS, were not represented. Additionally, the entities represented at the meeting were biased toward copyleft-unfriendly organizations. Unsurprisingly, these entities focused on Software Bill of Materials (SBOM) as a panacea for the problem of FOSS security. While SBOMs are a useful small step toward hardening the nation's software infrastructure, we believe the proper solution is to favor copylefted FOSS.

Consumers must have access to source code, the right to modify and reinstall it (or hire anyone they'd like in the free market to do so). Without these rights, businesses, individuals, and the government — all of whom rely on software as part of their critical infrastructure — cannot identify and repair security vulnerabilities. Furthermore, the widespread incorporation of non-copyleft FOSS, which companies can and do proprietarize, creates a false sense of security — as many users may not realize that “FOSS inside” (as listed on their SBOM) does not mean the software is any better than proprietary software.

Our open letter to the White House which addresses our concerns is included in full below, and is also available as a PDF:


Dear President Biden, Deputy Advisor Neuberger, Director Inglis, et al:

Firstly, we appreciate very much that your administration has taken the issue of the log4j software vulnerability so seriously, and also appreciated President Obama’s efforts to take the OpenSSL vulnerability (so-called “HeartBleed”) seriously during his administration. While we at the Software Freedom Conservancy believe deeply that Free and Open Source Software (FOSS) is a better and more reliable method to develop software, we also readily acknowledge that no method of software development is perfect. (Flaws can and do occur.) However, sound planning — which includes meaningful investment in infrastructure — will not only limit potential vulnerabilities, but is also essential to respond to them adequately when they do inevitably occur.

As you likely agree, our nation’s infrastructure and national security — both of which increasingly depend on software — demand this type of care and attention. While we are pleased that your administration has taken some basic steps to focus on this critical issue, we send this open letter to request necessary improvements to the current methodology that your administration is using to address the issue of software security vulnerabilities in FOSS. In short, your administration has taken a great first step — one which the for-profit software industry has embraced — but we have deep concerns. We expect the powerful technology industry to resist the mandatory steps necessary to ensure the security of FOSS. This is due to the basic fact that the necessary changes mean that companies and their shareholders will have to live with more modest profits if your administration demands the necessary changes to ensure cybersecurity for FOSS.

Your meeting earlier this month included some important entities, but unfortunately was biased in one specific direction. Specifically, we observed that the meeting only included representatives from companies and organizations that prefer a specific form of FOSS — the form of FOSS that allows entities to change the software into their own proprietary technology. Roughly speaking, there are two forms of FOSS: non-copylefted FOSS, which allows vendors to take the publicly available software and make trade-secret changes; and copylefted FOSS, which — by contrast — is licensed in a manner that requires full disclosure of all source code (and the necessary means to repair vulnerabilities in that software) to customers. Non-copyleft FOSS has a fatal flaw: it can easily be incorporated into a proprietary product — including with modifications that may introduce vulnerabilities. Vendors can keep all details about those changes secret from everyone — including their customers and the government. Furthermore, a company may disclose that the software is based on a particular FOSS project, which perpetuates a false sense of security. Consumers will often assume that since it’s labeled as FOSS, the key benefits of FOSS de facto apply — such as easily auditing the software themselves (or hiring a third-party firm) to examine the software for vulnerabilities and/or repair discovered vulnerabilities. However, if that FOSS is not under a copyleft license, there are no such guarantees. Imagine what can happen when a vendor goes out of business while the customer (who could be the federal government itself) still relies on that software for essential infrastructure.

As one of the leading organizations dedicated to FOSS, we believe it is extremely important to share our expertise at this critical moment. We reiterate our sincere appreciation for your administration’s interest in and promulgation of Software Bill of Materials requirements. On the surface, this is a small step in the right direction. We fear, however, that, without meaningful and informed improvements, it merely serves as camouflage and creates a false sense of security. A simple list of included software will give only vague clues as to how to repair vulnerabilities in a vendor’s software. No existing SBOM format actually requires full disclosure of software source code — nor the means for its modification — to the customers who receive, use, and rely on it. Having an SBOM for your non-copylefted, proprietary software is like having a list of parts that you know are under the hood of your car, but discovering that the manufacturer has welded the hood shut, and forced you to sign an agreement that they could sue you for millions of dollars if you attempt to open it. The car may look safe and secure from the outside, but there is no way to know if the car is safe, reliable, and maintainable.

We are pleased to note that many software companies do choose to use copyleft licenses responsibly and provide the necessary source code; they serve as model citizens for other companies. Interestingly, the early positive revolution of FOSS in the software industry occurred precisely because copylefted FOSS was originally the more common form of FOSS; companies who seek higher profits and control of their customers have campaigned to limit the amount of copylefted FOSS developed. The history behind this is politically intriguing and not unique to FOSS. We see tech companies wielding power in problematic ways in other areas, too. Specifically, they have spent the last few decades pressuring hobbyist creators and small businesses to abandon copyleft licenses. As a result, non-copylefted FOSS is much more commonplace now than ever before (which is why this is such a critical issue). We at the Software Freedom Conservancy urge your administration to carefully consider the larger context of software cybersecurity—particularly as it relates to FOSS. We also offer up our guidance and expertise, and hope you will make room for additional seats at the table as you continue discussions and make decisions of this magnitude.

At the White House Meeting on Software Security on January 13, 2022, Big Tech was well-represented, and even overrepresented since it primarily included companies that are considered anti-copyleft. (Indeed, some Microsoft executives in the past have even called copyleft licensing “against the American Way” and a “cancer” on the software industry.) Yet, it is common knowledge in the technology sector that key components of our nation’s software infrastructure, such as Linux and the GNU Compiler Collection, were initially written by hobbyists and activists under copyleft licenses. Hobbyists and activists, who are the founders of FOSS, deserve a seat at the table—alongside Big Tech companies and their trade associations—as you continue to discuss these important national cybersecurity issues. The Software Freedom Conservancy is proud to serve and give a voice to these hobbyists and activists, and we are also willing to recommend other organizations, academics, and individuals if you feel we’re not an ideal fit but nevertheless do want to diversify your committees on FOSS cybersecurity.

More generally, we ask that your administration reconsider how it solicits advice on these matters from technologists, and that you not succumb to the monoculture of opinion and manufactured consent from large technology companies and their trade associations. We appreciate that in other areas, your administration has valued inclusivity and actively seeks input from experts who disagree with the status quo. We believe you are truly interested in working on meaningful solutions to this critical issue facing our nation, and thank you for your consideration of our points raised in this letter.

Sincerely,
Bradley M. Kuhn
Policy Fellow, Software Freedom Conservancy

Tags: conservancy

Matcher Interview - Tony Sebro

by Daniel Takamori on January 3, 2022

For the second of our series of interviews with donors, we have another longtime Software Freedom Conservancy supporter (and former employee!), Tony Sebro. Tony recently served as Deputy and Interim General Counsel to the Wikimedia Foundation and is now General Counsel at Change.org. We "sat down" with him to talk a bit about us and what he's excited about right now.

Software Freedom Conservancy: “Why do you care about software freedom?”

Tony Sebro: “For one, I am inspired by people dedicating their time, creative energy, and technical talents to the public interest. I am also impressed by what they produce: FOSS communities have created some of the most important, innovative, and irreplaceable products that societies rely on.”


SFC: “What do you appreciate about Software Freedom Conservancy?”

TS: “I appreciate that Conservancy supports the creation of ethical technology from multiple vantage points. Conservancy supports FOSS developer communities through services, education, and mentorship. Conservancy supports end users by defending their rights. And, Conservancy advocates for groups underrepresented in technology by providing them with gateways into FOSS communities -- which, in turn, infuses these communities with fresh talent.”


SFC: “What's got you most excited from the past year of our work?”

TS: “While I am intrigued to see what happens with the lawsuit against Vizio, I am most excited by Outreachy's continued growth, as evidenced by the record number of interns admitted into the December 2021 cohort. I admit, I'm biased. :) ”


SFC: “Do you think we are doing a good job reaching a wider audience, and do you see us at places you expect?”

TS: “I got a good chuckle out of seeing Karen and Bradley pop up in this recent NFT project.”


SFC: “What other (non-tech) organizations are you supporting this year?”

TS: “My wife and I support other charities, as well as our local church.”


SFC: “You were Software Freedom Conservancy's second employee! What are your thoughts about how the organization has changed and grown since the beginning of your involvement in the organization?”

TS: “Conservancy has grown in virtually every direction! More projects; more commentary and scholarship. Greater investment in diversity, equity, and inclusion. Conservancy has also expanded into providing resources to educate tech employees about their employment rights.”


SFC: “Until recently, you were Deputy General Counsel at Wikimedia. Did the principles of software freedom impact your work there?”

TS: “Certainly! Free knowledge isn't just freely-licensed content, it should also be freely consumed. The Wikimedia Foundation hosts Wikipedia and its other free knowledge projects on a FOSS stack. The public can inspect the code, and can trust that Wikimedia isn't hiding anything that would bias or pervert the editorial decisions of the communities who maintain the project content Wikimedia hosts.”


SFC: “As a former employee, a member of the board of directors and as an organizer of Outreachy you've participated in many facets of Software Freedom Conservancy and have such a unique perspective. What are you most proud of? What do you think the organization should do in the future?”
TS: “I enjoyed providing advice and counsel to the various member projects -- getting to understand their specific cultures and needs. Outreachy continues to have a special place in my heart. That said: my favorite part of working at Conservancy was the deep conversations about ideology and strategy that I'd have with Karen, Bradley, and Denver. The team cares deeply about the work they do, and their passion for the mission was and is infectious.”


SFC: “Congratulations on starting your role at change.org! What can we look forward to seeing you work on there?”

TS: “Change.org's mission is to empower individuals to make a difference, and more than 450 million people use the platform to amplify their voice. I am leading the Legal & Policy department, which includes the organization's legal, trust and safety, platform policy and public policy functions.”

Tags: conservancy

Matcher Interview - Mark Galassi

by Daniel Takamori on December 27, 2021

This fundraising season we were incredibly fortunate to be supported by so many individuals. In addition to our large anonymous donors, we had a few people contribute to bump up the number. One of these donors was a board member, Mark Galassi, who runs The Institute for Computing in Research. We asked him a few questions about free software and his passion and motivations for interdisciplinary research.

Software Freedom Conservancy: “Why do you care about software freedom?”

Mark Galassi: “I started working on developing software for others to use in 1984. At that time my brother and some friends of ours worked to develop a public access UNIX system so that people who were not in a university or big company could have the joy of doing advanced computing.

Soon after, a fellow student at Reed College pointed me to the birth of the free software movement, and its goal and principle perfectly matched what I thought was important for the world.

A robust idea can last a long time, and more than 35 years later I feel that just as strongly.”

SFC: “What is it that you see Software Freedom Conservancy does that other groups are not?”

MG: “Conservancy is firmly focused on the importance of software freedom, while at the same time carrying out practical steps to allow it to flourish. It also expands and adapts its role as new areas become relevant to software freedom, as the embracing of Outreachy and the Institute for Computing in Research have shown.

I'm not sure if I would say that other organizations are not doing important things: we benefit from other orgs in various ways. But combining stewardship and principle and adaptation is hard work, and I think that only Conservancy takes it on in full.”

SFC: “How do you see our role amongst the various FOSS organizations?”

MG: “I think that Conservancy should lead other FOSS organizations in a few ways. At least:

  1. Being the steward of principles and legal ideas behind software freedom.
  2. Being the umbrella for many of the key projects in the FOSS world.
  3. Being the organization that is flexible and intelligent and far/wide-seeing enough to adapt to the shifts in the landscape, while still being firm on important principles.”

SFC: “Do you think we do a good job standing up to the organizations with more corporate funding?”

MG: “Yes. The current action against Vizio's violations renews that clarity.”

SFC: “What's got you most excited from the past year of our work?”

MG: “I am particularly excited by Conservancy's picking up of the Institute for Computing in Research (2021 was our first full year as part of Conservancy). This addition of a focus on free software in the academic world will be important: the free software movement was born in the research and university world, and I believe that academic research should be the steady keel of the free software movement.”

SFC: “Have you been involved with any of our member projects in the past?”

MG: “Yes: I have used many of Conservancy's member projects over the years, and I am co-founder of the Institute for Computing in Research.”

SFC: “What other (non-tech) organizations are you supporting this year?”

MG: “I donate a bit to my college, and I donate to Planned Parenthood, but Conservancy and the Institute are where I donated the most this year.”

SFC: “Why did you start the Institute for Computing in Research? How did you wind up teaching kids these important skills?”

MG: “I have loved my career so much that it seems impossible.

Here is how that happened:

I entered the world of physics just at the time when computing was becoming a key part of research (since then this has extended to all other academic areas). The free software movement was born at the same time. Being a free software developer, I was in a position to promote the use of FOSS in research, and to really love the research work because I did not have to use proprietary software.

When you love something so much, you want to pass on the recipe that makes it work so well -- in my case that has been the use of advanced software development based on free software, applied to academic research.”

SFC: “As the chair of Software Freedom Conservancy's board, what unique place do you think we have in the field of FLOSS organizations?”

MG: “I enjoy serving on the board, and my fellow board members are a cross-section of all that is amazing in the world of research and development.

But more than us, I think that our staff has the real angle on what's important: in many ways they teach us what is happening and what should happen in the world. So maybe one of the coordinates of our "unique place" is that Karen and Bradley have created a staff of world class thought leaders who also do detailed practical work.”

SFC: “You are a strong proponent of interdisciplinary research, what avenues do you think free software has to help promote both academic and civil freedom?”

MG: “Ahhh, the academic side is an easy one: research software can only be free software, for all the reasons that makes science honest. This is already mostly true, but we need to go the rest of the way.

You also ask about civil freedom. What is also quite clear to me is that corporate control and vendor lock-in are real problems in any society. They are the cause of a good amount of economic and cultural alienation. Most of this lock-in is in software, and software freedom is our strongest tool against that.”

SFC: “Given your academic background, what are your thoughts on projects like Reproducible Builds and the effects it might have on reproducibility in the academic community?”

MG: “Reproducible builds is one of the coolest projects we have in Conservancy - both its fundamental idea, and the impressive intelligence of the people working on it. Much of its motivation comes from the security angle, but a sign of a deep project is that other important angles naturally come up. In my case, for example, I talk to members of the project regularly to get advice on how to improve reproducibility in research software. They also help me think about how to frame those issues.”

Tags: conservancy

First Update on the Vizio lawsuit

by Bradley M. Kühn and Karen M. Sandler on November 30, 2021

Yesterday, we received from Vizio their first official response in our pending litigation against Vizio for their copyleft license violations. So, what was their response?

Did Vizio release the source code — as the GPL and LGPL require — for the modified versions of Linux, alsa-utils, GNU bash, GNU awk, BusyBox, dmesg, findutils, dmsetup, GNU tar, mount and selinux found in their TVs’ firmware? No.

Did Vizio propose a CCS (complete, corresponding source) candidate for us to review and give them additional feedback on, so that we could help them get consumers who bought their TVs the source code they deserve? Nope.

Did Vizio argue that we had erred, and in fact, none of those programs we list above appear in their firmware? Not that either. (Unlikely though — after all, they surely know those programs are in their firmware!)

Instead, Vizio filed a request to “remove” the case from California State Court (into US federal court), which indicates Vizio's belief that consumers have no third-party beneficiary rights under copyleft! In other words, Vizio’s answer to this complaint is not to comply with the copyleft licenses, but instead to imply that Software Freedom Conservancy — and all other purchasers of the devices who might want to assert their right under the GPL and LGPL to complete, corresponding source — have no right to even ask for that source code.

That’s right: Vizio’s filing implies that only copyright holders, and no one else, have a right to ask for source code under the GPL and LGPL. While we expected Vizio held this position (since they ultimately ignored us during our discussions with them in years past), Vizio has gone a disturbing step further and asked the federal United States District Court for the Central District of California to agree to the idea that not only do you as a consumer have no right to ask for source code, but that Californians have no right to even ask their state courts to consider the question!

Vizio’s strategy is to deny consumers their rights under copyleft licenses, and we intend to fight back.

We believe in complete transparency of the copyleft compliance process, and so encourage everyone to read the filings. We’ve even paid the Pacer fees and used the Recap browser plugin, so that all the documents in the case are freely available via the Recap project archives.

Software Freedom Conservancy’s annual fundraiser is happening right now! Please help us continue our work by becoming a Sustainer. Donate now and have your donation matched by a group of generous individuals who care deeply about software freedom.

Tags: conservancy, law, licensing