Post B2fWE0YkYM6XT8cRdo by Suiseiseki@freesoftwareextremist.com
(DIR) Post #B2fMUaAOw14WzjUjbM by mjg59@nondeterministic.computer
2026-01-26T04:46:56Z
4 likes, 3 repeats
The presumption that free software is sufficient or necessary to ensure all software you depend on is trustworthy is simultaneously naive and ignorant of what software is capable of. The only realistic way to develop trust in software is to trust the people who write it, and development processes associated with free software make that trust easier.
(DIR) Post #B2fMUpw6Ix8ju0vXX6 by mjg59@nondeterministic.computer
2026-01-26T04:49:45Z
0 likes, 0 repeats
But merely being free software isn't sufficient - software developed in a way that prevents arbitrary observers from witnessing design conversations may still be free software, but doesn't give us a strong reason to trust the developers. We all know how easy it is to hide dubious code in the open. The libxz backdoor was discovered by examining the binary and tracking that back to the source, not through source examination.
(DIR) Post #B2fUvRmB2Ru4QJU8ae by Suiseiseki@freesoftwareextremist.com
2026-01-26T06:26:55.661288Z
0 likes, 0 repeats
@mjg59 If it's proprietary software, it's most likely proprietary malware. If it's actually free software, it's most likely not malware.
> We all know how easy it is to hide dubious code in the open.
The libxz/libsystemd backdoor source code was not published - it was included as proprietary software without source code in the release archive - but it happened to be discovered early during execution. Maybe an enhanced generic version of deblob-check would be useful.
(DIR) Post #B2fWDzQuk0F5yXwfmy by mjg59@nondeterministic.computer
2026-01-26T06:29:07Z
0 likes, 0 repeats
@Suiseiseki No, nobody is checking whether something that appears to be test data is free software or not. That's not a thing anyone has ever done.
(DIR) Post #B2fWE0YkYM6XT8cRdo by Suiseiseki@freesoftwareextremist.com
2026-01-26T06:41:27.593716Z
0 likes, 0 repeats
@mjg59 The tests in deblob-check will check for test data and report them. Obviously one would need to manually check the test data and see if it's free software. For test data in Linux, deblob-check has reported it and it has been manually confirmed that such test data is proprietary, and it has therefore been removed in Linux-libre.
(DIR) Post #B2fX5086shHLU5QZKS by mjg59@nondeterministic.computer
2026-01-26T06:42:08Z
0 likes, 0 repeats
@Suiseiseki Have you run it against the compromised xz repo? What would manual checking have told you?
(DIR) Post #B2fX51O6Cjf9NxuqtE by Suiseiseki@freesoftwareextremist.com
2026-01-26T06:51:02.348579Z
0 likes, 0 repeats
@mjg59 No, as I can't be bothered - I don't use systemd. Assuming the backdoor part was disguised in an array of numbers, manual checking with cpu_rec or whatever would have uncovered that such is CPU instructions.
(DIR) Post #B2fZcSFPYpWq9dvF0y by mjg59@nondeterministic.computer
2026-01-26T06:52:22Z
0 likes, 0 repeats
@Suiseiseki No, it wouldn't, because it was encrypted. Please try to ensure you know what you're talking about before talking.
(DIR) Post #B2fZcTXWkxc8A7PDtI by mjg59@nondeterministic.computer
2026-01-26T06:56:19Z
0 likes, 0 repeats
@Suiseiseki "Ah but why would test data be encrypted we could tell the difference because of the entropy" no, you couldn't, because the test data in question was supposed to be malformed compressed data and good compression and good encryption result in equivalent levels of entropy
(DIR) Post #B2fZcUP3XwQqq8RyKG by Suiseiseki@freesoftwareextremist.com
2026-01-26T07:19:26.676529Z
0 likes, 0 repeats
@mjg59 I'm not talking, I'm writing. Turns out that in that specific case, it could be hidden as compressed data that didn't look out of place. For test data that is compressed, the way to test it is to decompress it and see what it contains - of course you should be wary if you can't figure out how to decompress it (although that is extremely common to occur for compressed formats that don't use headers).
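The two claims above can be checked side by side: mjg59's point that well-compressed bytes and well-encrypted bytes have the same flat byte distribution, and Suiseiseki's proposed check of decompressing a test file to see what it holds. The script below is an added example for this thread; it is not code from either poster or from the xz project. It builds a constructed, highly redundant text corpus, compresses it with the standard-library lzma module, and uses SHA-256 in counter mode as a stand-in keystream for a real cipher (an assumption made only so the example runs without third-party packages; it is not a production cipher). It then shows that a deliberately corrupted .xz test vector and the keystream-XORed blob both fail the "decompress it and look" check in the same way, so that check cannot tell a malformed decoder test from a hidden payload.

```python
"""Added example: byte entropy of compressed vs. keystream-XORed data, and what
'decompress it and see' reports for a malformed .xz test file versus an
encrypted blob.  Corpus, key and toy cipher are constructed for the demo."""
import hashlib
import lzma
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Empirical Shannon entropy in bits per byte; 8.0 means a flat distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def build_corpus(seed: int = 1, n_words: int = 20000) -> bytes:
    """Constructed, very redundant 'source-like' text so that it compresses well."""
    vocab = [b"int", b"return", b"static", b"const", b"void", b"size_t",
             b"buffer", b"length", b"offset", b"if", b"else", b"while",
             b"memcpy", b"malloc", b"free", b"struct", b"NULL", b"error"]
    rng = random.Random(seed)
    return b" ".join(rng.choice(vocab) for _ in range(n_words))


def toy_stream_xor(data: bytes, key: bytes) -> bytes:
    """Stand-in for a real cipher: SHA-256(key || counter) used as a keystream.
    Assumed here only to produce cipher-like output offline; not a real cipher."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        keystream = hashlib.sha256(key + block_no.to_bytes(8, "big")).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(b ^ k for b, k in zip(chunk, keystream))
    return bytes(out)


def corrupt_xz(blob: bytes, seed: int = 2, n_flips: int = 16) -> bytes:
    """Flip bytes after the 12-byte .xz stream header, imitating the kind of
    deliberately malformed test vector a decoder's test suite would ship."""
    rng = random.Random(seed)
    buf = bytearray(blob)
    for _ in range(n_flips):
        buf[rng.randrange(12, len(buf) - 12)] ^= 0xFF
    return bytes(buf)


def decompresses(blob: bytes) -> bool:
    """The 'decompress it and see what it contains' check from the thread."""
    try:
        lzma.decompress(blob, format=lzma.FORMAT_XZ)
        return True
    except lzma.LZMAError:
        return False


def compare(seed: int = 1) -> dict:
    plain = build_corpus(seed)
    packed = lzma.compress(plain, format=lzma.FORMAT_XZ)
    # Constructed key: the byte distribution is the point, not secrecy.
    ciphered = toy_stream_xor(plain, key=b"constructed demo key")
    malformed = corrupt_xz(packed, seed)
    return {
        "entropy_plain": shannon_entropy(plain),
        "entropy_compressed": shannon_entropy(packed),
        "entropy_ciphered": shannon_entropy(ciphered),
        "decompresses_valid": decompresses(packed),
        "decompresses_malformed": decompresses(malformed),
        "decompresses_ciphered": decompresses(ciphered),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:>24}: {value:.3f}" if isinstance(value, float) else f"{name:>24}: {value}")
```

Run it and the compressed and ciphered entropies land within a few hundredths of a bit of each other near the 8.0 ceiling, while the plaintext sits far below; both the corrupted test vector and the ciphered blob are rejected by the decompressor with an LZMAError, which is exactly why a high-entropy file that will not decompress is not, on its own, evidence of anything.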
(DIR) Post #B2fZjNbDF2s7lUQD3Y by mjg59@nondeterministic.computer
2026-01-26T04:51:30Z
2 likes, 0 repeats
Frankly: binaries are the thing that executes on your system and embody the truth of software behaviour, and with modern technology it's often *easier* to determine that truth through the binary than through the source code (throw the "login" app from Reflections on Trusting Trust into Ghidra and you'd learn the truth even if the source code wouldn't tell you that)
(DIR) Post #B2fZjWhDQ61NyiIdA8 by mjg59@nondeterministic.computer
2026-01-26T04:53:50Z
1 like, 0 repeats
I believe that free software is vital. People should have control over everything that executes on their system. But let's not kid ourselves - even someone running linux-libre on a machine with open firmware on a custom fabbed RISC-V with no microcode hasn't verified every line of code they execute, and nor has the community as a whole
(DIR) Post #B2fZjfVqdjHBK43BC4 by mjg59@nondeterministic.computer
2026-01-26T04:57:06Z
0 likes, 0 repeats
At some point we have to trust that other humans won't just lie to us - and that's true whether the software is free or proprietary. Debian could modify mirrors to push a backdoored package to a specific IP address, but the people with the ability to do that are well known to the community and we trust that they wouldn't. That's not a function of Debian being free software - that's a function of an open community
(DIR) Post #B2fZjnvfLcgJQSBuXw by mjg59@nondeterministic.computer
2026-01-26T04:58:30Z
2 likes, 0 repeats
Build communities. Find people you trust and place more faith in their recommendations. Don't trust anyone who says there's a magical solution here.
(DIR) Post #B2fZjwXXKhjC8DyGga by mjg59@nondeterministic.computer
2026-01-26T05:00:11Z
1 like, 0 repeats
(And for the love of God ignore anyone who's telling you not to use Signal right now, every alternative is meaningfully worse for the vast majority of people)
(DIR) Post #B2fxjvKaE2fnHYR5CS by mjg59@nondeterministic.computer
2026-01-26T08:56:14Z
0 likes, 0 repeats
@lil5 Cool what do you think people on the street are carrying because it's not a fucking laptop
(DIR) Post #B2fxjx5lg60ikBWHNw by wolf480pl@mstdn.io
2026-01-26T11:49:42Z
0 likes, 0 repeats
@mjg59 crazy idea: @lil5 can use XMPP and Delta Chat even if the vast majority of people don't
(DIR) Post #B2mSs5MV4rzMEjSoro by eighthave@social.librem.one
2026-01-28T13:26:08Z
0 likes, 0 repeats
@mjg59 I agree that free software alone is not enough to make trustworthy software, but I have to emphasize that free software is a requirement for trustworthy software. That unlocks key practices like reproducible builds, public audits, etc. Without all that, the only option is "hope they are doing the right thing".
(DIR) Post #B2mSs6s5SuqiuzFYjw by jas@fosstodon.org
2026-01-28T14:29:41Z
1 likes, 0 repeats
@eighthave @mjg59 I am a free/libre software supporter, but to play the devil's advocate here, wouldn't it be possible for Microsoft (or Apple, or…) to publicly post all their source code with recipes for how to build them reproducibly etc. to fulfil QA, security and auditing needs? They don't have to change the license, just openly publish things to allow public audits. Today this is not realistic, but may happen.
(DIR) Post #B2mSsE2ymoinAnOrBo by eighthave@social.librem.one
2026-01-29T13:05:47Z
0 likes, 0 repeats
@jas @mjg59 Sure "source available" would be an improvement over secret source code, but that is only one piece of the puzzle. Free software means all users are free to fix and deploy issues on their own schedule, regardless of what the copyright holder thinks. That is also a key piece of delivering trustworthy software.
(DIR) Post #B2mSsFTbTJc1berdKK by jas@fosstodon.org
2026-01-29T14:18:25Z
0 likes, 0 repeats
@eighthave @mjg59 Indeed and the power control is the real problem that free software helps with. Open source misses this point, and is not different from proprietary software in this regard. This is a social issue more than technical. Free software may not even be sufficient - just consider the AOSP ecosystem, is it realistic for anyone but Google to sustain it?
(DIR) Post #B2mSsGSZocNwelOKMi by eighthave@social.librem.one
2026-01-29T14:38:24Z
1 likes, 0 repeats
@jas @mjg59 I agree, the focus must be on the four freedoms and user freedom. Unfortunately, Google has proven quite masterful at maintaining control even when working with free software. AOSP and Chromium are two key examples. The key is that Google makes sure it is the upstream, while suppressing things that shift the power to the developer community around it. With AOSP, there is a big enough community to maintain it without Google. That requires them all getting separately organized.
(DIR) Post #B2mTMSZ1NTqksqnuJE by DiamondMind
2026-01-29T15:12:24.086791Z
0 likes, 0 repeats
@jas @eighthave @mjg59 3 months ago, p saved the world by stopping the Samson Option, which is the worldwide nuclear fusion reactor meltdowns. The new spiritual age began on the morning of October 25th. The only reason any of you are even alive is because p hacked my father's mainframe and stopped the apocalypse. Otherwise this flat earth plane would have been destroyed by 100 million degree Celsius nuclear fusion heat. The MK-ULTRA FoxDie command was also aborted, otherwise I could feel my heart slowing down. If you are alive today, remember to thank a soldier or a Marine.