On Sat, Jun 16, 2018 at 09:50:42AM +0200, Daniel Pocock wrote: ...
> In this particular thread, another staff member, Erik, has written "I propose you trust us that we use Free Software always and that this is minimum 95%, including our phones, landlines, printers etc." and that leaves open the question about the other 5%
well, some of it he already mentioned.
> I didn't try to write the motion with lots of little rules and things because I was hoping people would approach the question maturely. If the motion is revised to focus on something like "staff computers" and people reply that only the firmware is non-free but they don't tell us they are using non-free apps on their personal mobile phones to do FSFE stuff then they are not respecting the intention of the motion
well... if they are their personal phones, we have little power to tell them what to do with them?
> The motion should also apply to firmware. Think about some of the following:
> - printer firmware: many modern network printers are automatically phoning home to their manufacturer to report about usage and download updates.
> - IP phones on your desk: how do you know the microphone can't be switched on remotely if it runs non-free firmware? In fact, such exploits are well known
that's true, however:
* some of that can quite easily be mitigated by other methods
* with some of that, can you tell me a completely free alternative at the moment that really works in practice? for example, as far as i know there is only one GSM baseband processor for which there is a free firmware, and none for UMTS and LTE.
* even if you have source code under a free license that claims that it is what's running on your device, that might not help you there, as it is usually hard to check if that's really the code that's running on it (and it is the only code... there might always be stuff hidden)
> Some organizations even generate these reports (or the skeleton of the report) automatically, extracting a list of all known MAC addresses from their switches and access points, installing management agents on every host with a function to detect all installed binaries and also observing all network connections and correlating them back to the respective binaries. Such data could be cross referenced with checksums of trusted binaries and the data could be annotated on a wiki page.
yes, there are organizations that do that, and to some degree even use this information as part of the automated procedure to determine if a given user is allowed some information from the device this person is currently using to log in, and might tell them "no, not with this device" or "install security updates before you are allowed to do this".
now, this is probably a good idea in a big organization and might even scale quite well once you have it in place in a big company (one can cut back on other measures if you treat everything as hostile), however we don't have that kind of infrastructure and could not keep it running if we had it, as this would mean that we would have to invest a substantial amount of our funds just for the infrastructure for our very few employees and would not be able to do much else.
why do i single out employees here: we have a lot of volunteers who invest time and money to further the cause of free software, however we can hardly force on them what devices they are using (and very few of them would agree to any kind of automatic inventorying of their private computers, for obvious reasons).
what i can say is that as far as what is installed on our servers, yes we are as clean as possible (we are mostly working with donated hardware these days, so there are some limitations when it comes to software to interact with stuff like raid controllers).
and yes, i would protest strongly if i as an administrator were asked to install proprietary software to provide services on our infrastructure.
so the big questions in the end are:
should we have the goal to run only free software as far as practical and always aim to increase the ratio? yes, imho we must do that.
should we stop all work until we find a way to be 100%? i don't think so.
especially with external services (that might even run quite a lot of free software in the back, but unless it's agpl this changes little for you) you always have to evaluate if it is a good idea to use it, as apart from the question of free software there is also the problem of privacy and other related stuff that is quite important to a big part of our community.
regards, albert
ps: yes printers of course also have a special meaning for free software, but still we have to get work done
pps: disclaimer: yes i do have quite some insight on what's going on on our servers, as i have been doing part of the administration work for some years now, however i have no direct insight on what people are doing on laptops and/or other devices in the berlin office, as i'm not there all that often
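The automated inventory procedure discussed above (agents reporting each host's installed binaries and the network connections correlated to them, cross-referenced with checksums of trusted binaries), as an added example that is not code from the thread or from any FSFE tooling; all hosts, paths, hashes and addresses in it are constructed.

```python
"""Cross-reference an agent-reported binary inventory against trusted checksums.
Added example, not code from the thread; all hosts, paths, hashes and
addresses below are constructed."""
import hashlib
from collections import defaultdict

# Constructed "trusted" binaries; the byte strings stand in for file contents.
TRUSTED_BLOBS = {"/usr/bin/ssh": b"openssh-client-7.9", "/usr/bin/firefox": b"firefox-60-esr"}
TRUSTED_SHA256 = {p: hashlib.sha256(b).hexdigest() for p, b in TRUSTED_BLOBS.items()}

# Constructed agent reports, one per host: installed binaries with their
# sha256, plus observed outbound connections already correlated to a binary.
AGENT_REPORTS = [
    {"host": "laptop-01", "mac": "aa:bb:cc:00:00:01",
     "binaries": {"/usr/bin/ssh": TRUSTED_SHA256["/usr/bin/ssh"],
                  "/usr/bin/firefox": TRUSTED_SHA256["/usr/bin/firefox"]},
     "connections": [("/usr/bin/firefox", "203.0.113.10", 443)]},
    {"host": "printer-01", "mac": "aa:bb:cc:00:00:02",
     "binaries": {"/opt/vendor/agent": hashlib.sha256(b"vendor-blob").hexdigest()},
     "connections": [("/opt/vendor/agent", "198.51.100.7", 443)]},
]

def classify(report, trusted=TRUSTED_SHA256):
    """Return {binary path: 'trusted' | 'modified' | 'unknown'} for one host."""
    result = {}
    for path, digest in report["binaries"].items():
        if path not in trusted:
            result[path] = "unknown"    # path never appears on the trusted list
        elif trusted[path] == digest:
            result[path] = "trusted"
        else:
            result[path] = "modified"   # known path, unexpected content
    return result

def build_report(reports, trusted=TRUSTED_SHA256):
    """Map each host to its untrusted binaries and the connections they made."""
    findings = defaultdict(list)
    for rep in reports:
        status = classify(rep, trusted)
        for path, ip, port in rep["connections"]:
            state = status.get(path, "unknown")   # binary not even inventoried
            if state != "trusted":
                findings[rep["host"]].append((path, state, f"{ip}:{port}"))
    return dict(findings)

if __name__ == "__main__":
    for host, rows in build_report(AGENT_REPORTS).items():
        for path, state, dest in rows:
            print(f"{host} ({state}): {path} -> {dest}")
```

The per-host dictionaries returned by `classify` and `build_report` are the rows one would annotate on a wiki page; a real deployment would feed them from the agents and switches rather than from the constructed lists.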