/g/ had a good idea for once:
We need a third option to the dichotomy between the fascist commie NIH philosophy of the FSF and the boot-licking brown-nosing philosophy of the OSI.
>OSI: in an ideal world, all software should be libre, but good software is more important than libre software, so when proprietary software is better than libre software, it should be able to cannibalize the libre software to make itself even better
>FSF: libre software is more important than good software, and therefore libre software is ALWAYS better than proprietary alternatives, no matter how many features are missing, and anyone who uses proprietary software should be harassed until they change their mind, and libre software should never promote proprietary software, not even for interoperability
What's the commonality that necessitates this dichotomy?
It's the fact that both the OSI and the FSF respect laws around proprietary software.
>OSI: those laws are kind of unethical, but it's okay if you want to license under them and steal our shit, your work is better after all
>FSF: those laws are unethical, so if you're going to license under them, then the only way to simultaneously avoid breaking them and retain user freedoms is to not use your software or even acknowledge its existence
I present the MAOSS. An idea for a gang of criminal e-thugs who use violence to force proprietary licensors to forfeit their IPs against their will so that users don't have to choose between software that works and software that respects their freedoms.
>oh, you're going to license your work under a proprietary license? *rips terms of service in half*
>*decompiles your work, neuters it of anti-features, and redistributes the libretized version as a component of other freedom-respecting libre work without your permission*
>oh what's that, you're gonna sue us? lol *brings flamethrower to court*
>*casually murders major proprietary software vendors in cold blood and burgles their laptops*
I like this idea. How do I sign up?
Maybe educate yourself on what the FSF is before you spread lies about it being "fascist" or obsessed with NIH.
I know this is a /g/ copypasta, but it's actually based.
The absolute state of retards.
Childish understanding of the OSI, the FSF, and anarchism.
Why are stirneroids always dumbfuck memers?
Why is the problem that we don't have access to the code which is privately owned? Isn't it rather that 3-5 of the world's largest corporations are those private owners? – that they suck up nearly all wealth created by all code, even the code created by FSF/OSI enthusiasts?
I'm so tired of the unreflective libertarianism of both FSF and OSI. Folks need to stop fetishizing freedom of information for its own sake. Freedom of people from their exploitation by capital is more important than whether you get to use a better closed-source pdf editor or whatever tf.
More Marx, less Musk please
It's not the problem. The problem is that today you are almost certainly forced by circumstance to run proprietary software, which means giving up control over your computing. Free Software is not required to make source code publicly available, only to provide it to the user of said software. The source code is provided to ensure that the user has control over their computing, that they don't have to surrender their computer to whoever owns that piece of software.
Thanks for clarifying, but still, I don't quite understand why the problem is how I'm "forced by circumstance to run proprietary software", rather than that I'm forced by circumstance to provide free labor to Google, Amazon, and Big Tech. Don't get me wrong, I'm a big FOSS advocate and user, but I'm far more worried about the proletarianization of the world by new forms of cybernetic exploitation than I am about freedom of information or software per se.
I don't think it is *the* problem, but it is a problem nevertheless.
What do you mean by the "free labour" that you give to Big Tech? Like this? http://wagesforfacebook.com/
Yes, AGPL is Google-repellant
>>4811
>so that Porky can't use it for his clouds and walled gardens.
Ohnooooooo Porky promised he wouldn't secretly use your code, what will he do????
I think your retarded satire is pretty outdated; the smart enough big corps like Google, Microsoft, AMD… are all trying to appeal to the open source crowd (while rejecting actual free software, of fucking course).
FSF is mostly fine, SV keeps neutering the licenses - I think it loses in the message it chooses to spread of some liberal free speech thing when the core of free software is that work - as Marx points out - is social, and wage labour etc. gets in the way of that until it becomes alien to the worker. The point of FSF (and RMS at least gets this, though markets it wrong) is to build a community of hackers working on useful stuff that they love - i.e. socially useful labor (communism).
It's free code auditing lol
Does anyone actually spend their free time reading random code on the net?
Yeah, tons lol, though some of the culture has shifted to sec researchers trying to make a name for themselves.
Are you seriously asking that?
I'm seriously asking because there seems to be a myth that programmers read source code on its own (i.e., not as part of modifying it or doing code review for patches) but in practice nobody actually seems to do it. As far as I know, most security issues are found by automated means (fuzzing, static analysis, etc.) done by corporate entities and not by eager amateurs. Maybe it's different with black hats but corporations usually don't benefit from that. Do you have any proof that people are actually doing free code audits in their free time or do you just feel that it is plausible that they do?
GPL violations still happen.
Part of the reason corporations release source code is marketing, imbeciles eat up "open source" bullshit even when the software is actually proprietary (see the case of Visual Studio Code). But more importantly it is to let other corporations work on their software. Outside of the GNU sphere of influence, most contributions are actually coming from people who are paid to do it.
…Yes? That doesn't contradict what I said and I'm already aware of it.
First it's "GPL is antirevolutionary somehow", then it's "GPL can't be held up", then it's "acshually they go open source so retards audit them for free".
That was a reply to a post that claimed that big corporations uphold license conditions. I pointed out that in many cases they do not. Why are you so upset about it?
based, this just sold me on the agpl
Well first off, static analysis is just staring at code, i.e. not automated, and what tools do exist are extremely limited and only help for small CTF-style programs. As for whether it's auditing or code check-ins, it's both: any large GNU project will have core developers checking code before it's merged. As for the pure audit-style analysis, that's mostly sec researcher domain to find bugs.
t. actual security researcher
A lot technically do but don't uphold the 'spirit' of the project. Apple (BSD kernel + Mach) releases source code 6 months to a year late and claims iOS (basically the same kernel + some more ARM macros) isn't released because Apple says it's 'different enough'. They aren't in violation technically, but it's universally seen as kind of a shitty move.
It's more than just marketing shit. Open-sourcing core components into Linux or whatever improves stability for the company - VMware is a pretty good example - while things that aren't so reliant on outside technology are usually kept proprietary and fall into security by obscurity, which is really just a matter of time before someone runs IDA on it.
>>4838
>with human analysis being called program understanding,
Literally no one calls it this outside of maybe corporate environments. It's universally understood that static analysis is staring at decompilation and source code, while dynamic is running a debugger on it.
CS names are so academic; technically a 4096 byte page is a kibibyte or whatever, but everyone just says kilobyte because it doesn't sound retarded.
4 kilobytes I mean vs 4 kibibytes
And if you think all bugs are found with
>just fuzzing
those are usually low-hanging fruit on code that was never audited - look at Google Project Zero, there's no 'automated tool' in the world that will find obscure Mach reference bugs.
It's a pretty common term, I've never heard it called anything else. I'm 100% certain that this is how it is used in both academia and "industry".
Find a single security researcher on Twitter that says they found their bug with 'program understanding' lmao
I'm not claiming that's how all are found but that that is the most common thing. Project Zero is a corporate entity who are paid to do security research, they don't count as free code audit.
I'm talking about professional developers, not hipsters from your favourite circlejerk.
Stop moving the goalposts. I said that those types of bugs are found with heavy source auditing, not some limited tool that some grad students built or the sec firms peddle as snake oil.
That's the fucking industry, you moron, it's Twitter.
I recommend reading the whole thread before you accuse others of moving the goal posts.
The self-promotion industry maybe, but not software engineering.
>>4849
>lol it's just marketing y'all dumb
>bugs are found with automated tools
>actually they aren't
>muh hipster circlejerk
wtf did I miss?
The original claim was that corporations release source code to trick poor unsuspecting developers into doing a full source code audit without any monetary compensation.
The reality is that they don't, some corporations might run their automatic shit for low hanging fruit but that's it. They have other reasons to release source code.
Yeah those other reasons are 1) improve code stability through fucking auditing (any company driver on linux) 2) opening the source for other researchers to more easily look at it (which is the god damn security industry) 3) nefarious hijinks to take over FOSS projects
If you are just going to redefine what auditing is to an extremely narrow range of the above, then I'm out.
GPL and copyright like Creative Commons need to stop pandering to the libertarian crowd imo and just go full "we support a communist version of work" (no wage labor, community sharing), and not the free beer or marketability-to-MS circlejerk. But yeah, GPL will win.
Code reviews are not code auditing, I don't think anyone would claim that. I understand that you are a "security researcher" and never actually worked as a software engineer, so you will just have to accept that people who work closer to the whole development process use more sophisticated vocabulary to describe it.
Regarding your points:
1. They don't care about the maintainer's opinion, they upstream their shit to mainline because it is much easier to maintain it once there. Patches outside the tree are very prone to bitrot.
2. They don't care about your "research", they have their internal security processes that code has to go through before being published; they believe it to be already secure. They know that if you find something you will publicise it, which is bad PR for them.
3. That might be a reason for contributing to existing projects, but not for releasing their own source code.
But all of this is beside the point. The original claim was that corporations release their shit to trick hobbyists into doing code audits for them for free, exploiting them. I think we can agree that this is not typical, and if any corporation counts on it, they will be very disappointed.
I was a software developer for 5 years, your 'sophisticated vocabulary' reeks of elitism and pedantry like all of your posts.
1) Proving my point: attaching it to the main project and not having to maintain a 10-year-old fork improves stability.
2) Yeah, free labor from sec researchers; the PR hit is negligible.
3) I didn't mean backdoor shit, look at what MS attaches to the Linux kernel.
The point was there is free labor attached to open sourcing code which companies indirectly or directly take advantage of, I'm sorry it doesn't meet your definition of code auditing or whatever
I want to see a paramilitary wing of the FSF, a "Software Liberation Front" (SLF) that plants bombs in front of Google, Microsoft and Oracle offices and takes hostages in exchange for the source code being released under copyleft licenses.
If you do find it, send me the recruitment application at [email protected]
oh, sorry. didn't mean to post such a serious post on a glowie site.
But for real though, send me that shit.
would have really liked the source code to that
Is this really what static analysis is? I've taken a class on static analysis and it's all about analyzing OO code for object-oriented quality metrics like McCall's model, Chidamber and Kemerer metrics, etc. Maybe it has a different meaning in software/quality engineering from security.
Doing posting is peak praxis.
Free software terrorism thank god I wasn't the only one thinking about bricking some corporate servers and giving proprietary vendors free trips to the pit.
This must be incorporated to the agenda of the communist party. The freedom of the working class shall be complete.