On Sun, Mar 03, 2013 at 09:40:22AM +0100, Alessandro Rubini wrote:
I think the freedom and rights of all and every citizen of the European Union must be strictly observed in any transaction, and that freedom and those rights should be the priority over the profit of companies and corporations who may have intended to impose their interests.
While I sympathise, reality is exactly the other way round. The profit, the companies and the holy "marketplace" are the most important things out there.
Yes the lesson I learnt the only time I spent significant time trying to prevent a small part of law becoming worse (and seeing our friends succeed for "once", but business continuing "as usual") is that nobody cares about law.
Nowadays they are already building hardware (like in chips) that
1- need proprietary software to boot, which even must be signed by certain keys before the boot CPU accepts to start the application CPU.
2- (but SMM is not new) have privileged software running "below" the OS with more access to the system than the OS itself (just as the OS under applications has more control than the applications). It appears that "they" (who?) sense too much force from free software and react by allowing it in a layer as long as there's an underlying layer out of user control that can control the user controlled layer. In a positive view, this is a recognition of the success of free software, even in the form of an escalation of repression.
3- Even advertise remote management whereby a remote administrator (sufficiently blessed by the controllers of the keys) can inspect, monitor, alter, repair, etc. the computer from internet
4- Establish (even in W3C) "standards" to exclude user controlled software from content/services/connectivity
5- Then there's the continuing trend of featuritis, planned obsolescence and secrecy to enlarge the burden for reverse engineering and to prevent availability of alternative free software for current hardware.
I mean it is becoming increasingly irrelevant that nobody sells hardware without an OS or with free software preinstalled, if they are increasingly building hardware that simply can't run without proprietary software or pushing services that will be inaccessible from freedom respecting systems.
I apologise for not having had time to read this thread in all detail, and don't mean to hitchhike it with off-topic, but I believe secure boot and similar is quite related, because once the hardware is incapable of running user selected software, the commercialisation of the hardware with or without the software the user does not want becomes moot. We used to assume one problem was many users didn't know their computer could run something else, due to the overwhelming commercialisation modes, disinformation, FUD, etc. but for new computers they are increasingly building them so that the user misconception becomes fact.
Unfortunately, I don't think these aims are considered important nowadays by the general public or the decision makers. While I can't make specific examples, when I listen to the news I always have the feeling things are going the other way and everyone is happy about that.
ACK, for example: the next batch of GTA04 phone is being cancelled due to lack of preorders (a phone as freedom respecting as possible, albeit with optional proprietary wifi, bluetooth, 3D drivers and closed hardware parts including the GSM chip, yet much more open than any other phone I know).
I heard somewhere that one study set up to measure how much contract legalese internet users did not read when using online services, and reached the conclusion that an average internet user should dedicate some 70 days a year in reading the terms of use and similar clauses of all the web services they use. They apparently don't care to read them, even less to negotiate them, or even to reject the services because of their terms. So they may be similarly inclined about software licences. Sorry I don't have the quote handy.
So, even against my own feelings, maybe it is more convenient to point people to the inconveniences they live and relate them to the powers that be and the lack of users power / freedom, than to just enlighten about licence clauses that nobody really believes are worth anything. Not simple though. And the worst inconveniences are yet to come.
So, the right path to attack the problem you describe is requesting a split of the contract. Since we users (and even the decision makers) know very well that we *own* the laptop but only have limited rights on the software we get, we can request to sign two different contracts. One item is *sold* and the other is *licensed*. We need to remind that to customers (to prevent "piracy" and "raising awareness" about the issue, you know), so software companies may have a harder time fighting this than other, stronger, proposals.
Undocumented hardware and hardware that enforces signatures on boot software isn't exactly hardware users "own". And hardware users can own is arguably extinct or almost so.
While I have no direct experience, I think the "preferred" OS is even installed or unlocked or whatever the first time you turn on the computer (maybe software vendors want to remind users that that's own copy that cannot be lent to others, or something similar).
I thought so too, I don't have the experience either, but was told by some people from that French NGO against racketiciels that this is not so in practice, they said in France shops often install software and accept licenses on behalf of the users before selling PCs, arguably because consumers find that too confusing (maybe confusing to understand the terms, and outraging to know them), or because it is necessary or convenient to install further software the shop wants installed.
My impression was that the practice of selling most of the PCs (at least for consumers) was already illegal with the status quo, but nobody was acting against this particular violation. I'm not sure it is really illegal because I believe you can sell second hand software in the EU, so maybe the licensor is the shop and then sells the licenses second hand somehow, which I'm not sure is OK with the terms of the license, but might be OK with the enforceable terms of the license, but might be lacking sufficient proof of acceptance by the end user of the transferred license... Too complex for me.
Unfortunately, and I'll conclude, this technological market is disappearing, and we are late as usual. The desktop pc is marginal already (but there you can buy os-less parts) and the laptop is going to be marginal pretty soon. Most modern computing devices are already one-vendor-only things like microwave ovens, and they are sold as appliances rather than general-purpose computers (again, not me: this time is Cory Doctorow). So maybe Renzo's idea is sound and worth following, but maybe it would be wasted time because by the time we achieve the result that market place would be inexistent already.
ACK, but note that the os-less parts come with proprietary firmware which has control over the whole system, and which can't be replaced either for lack of alternatives or for signature checks by those same parts.
So let me add some links to almost recent news on signed boot and PCs:
Hispalinux, a Spanish association, is denouncing secure boot to the EU (also in Reuters and Slashdot and I guess elsewhere). I'm not sure it will achieve much, but I thank them for trying, I think it's the proper thing to do.
Matthew Garrett seems to think it's not very useful and says the EU has already accepted it (I suspect the argument goes that secure boot is optional for x86 and MS does not have a monopoly on ARM, so antitrust law may not apply directly to MS).
http://mjg59.dreamwidth.org/23817.html
It appears that signed boot might be compulsory in the computers the USA administration buys, if this NIST recommendation is binding. I have only browsed it and don't know enough about the USA to judge its weight, it appears to not require exactly UEFI secure boot, but some general signed boot mechanism.
http://csrc.nist.gov/publications/nistpubs/800-147/NIST-SP800-147-April2011....
The W3C seems to accept DRM schemes in web standards, through some draft EME specification for browser plugins used to decrypt content (which would not standardize the software itself, because DRM can't be truly interoperable and is incompatible with effective software freedom, but would give standard buzzwords to new DRM stacks, which could use remote attestation to force signed binaries for popular services and advance social acceptance).
You can sign here against this