Public Money Public Code: a good policy for FSFE and other non-profits?

• Previous message (by thread): Public Money Public Code: a good policy for FSFE and other non-profits?
• Next message (by thread): Public Money Public Code: a good policy for FSFE and other non-profits?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sat, Jun 16, 2018 at 09:50:42AM +0200, Daniel Pocock wrote:
...
> 
> In this particular thread, another staff member, Erik, has written "I
> propose you trust us that we use Free Software always and that this is
> minimum 95%, including our phones, landlines, printers etc." and that
> leaves open the question about the other 5%
well, some if he already mentioned.
> 
> I didn't try to write the motion with lots of little rules and things
> because I was hoping people would approach the question maturely.  If
> the motion is revised to focus on something like "staff computers" and
> people reply that only the firmware is non-free but they don't tell us
> they are using non-free apps on their personal mobile phones to do FSFE
> stuff then they are not respecting the intention of the motion
well...if they are their personal phone, we have little power to
tell them what to do with them?

> 
> The motion should also apply to firmware.  Think about some of the
> following:
> 
> - printer firmware: many modern network printers are automatically
> phoning home to their manufacturer to report about usage and download
> updates.
> 
> - IP phones on your desk: how do you know the microphone can't be
> switched on remotely if it runs non-free firmware?  In fact, such
> exploits are well known
thats true, however:
* some if that can quite easyly be mitigated by other methos
* with some of that, can you tell me an completly free alternative
  at the moment that really works in practice? for example, as far
  as i know there is only one GSM basbend processor for which there
  is a free firmware, and none for UMTS and LTE.
* even if you have source code under a free license that claims that
  it is whats running on your device, that might not help you there,
  as it is usually hard to check if that's really the code that's
  running on it (and it is the only code...there might always be
  stuff hidden)

> 
> Some organizations even generate these reports (or the skeleton of the
> report) automatically, extracting a list of all known MAC addresses from
> their switches and access points, installing management agents on every
> host with a function to detect all installed binaries and also observing
> all network connections and correlating them back to the respective
> binaries.  Such data could be cross referenced with checksums of trusted
> binaries and the data could be annotated on a wiki page.
yes, there are organizations that do that, and to some degree even
use this information as part of the automated procedure to
determinate if a givven user is allow some information from the
device this person is currently using to login and might tell them
"no not with this device" or "install security updates before you
are allowed to do this".

now, this is proably a good idea in a big organitation and might
even scale quite well once you have it in place in a big company
(one can cut back on other measures if you treat everything as
hostile),
however we don't have that kind if infrastructure and could not keep
it running if we had it, as this would mean that we would have to
invest a substantial amount of our funds just for the infrastructure
for our very few employees and would not be able to do much else.

why do i single out employees here:
we have a lot of volunteers who invest time and money to further the
cause of free software, however we can hardly force on them what
devices they are using (and very few of them would aggree to any
kind of automatic inventarization of the private computers, for
obvious reasons).

what i can say is that as far as what is installed on our servers,
yes we are as clean as possible (we are mostly working with donated
hardware these days, so there are some limitations when it comes to
software to interact with suff like raid controllers).

and yes, i would protest strongly if i as an administrator would be
asked to install propritery software to provide services on our
infrastructure.

so the big questions in the end are:

should we have the goal to run only free software as far as
practical and always aim to increase the ratio?
yes, imho we must do that.

should we stop all work until we find a way to be 100%?
i don't think so.

especialy with external services (that might even run auite a lot of
free software in the back, but unless it's agpl this changes little
for you) you always have to evalute if it is a good idea to use it,
as apart from the question of free software there is also the
problem of privacy and other related stuff that is quite important
to a big part of our community.


regards,
albert


ps: yes printers of course also have a special meaning for free
software, but still we have to get work done

pps: desclaimer: yes i do have quite some insight on what's going on
our servers, as i have been doing part of the adminstration work for
some years now, howver i have no direct insight on what people are
doing on laptops and/or other devices in the berlin office, as i'm
not there all that often
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.fsfe.org/pipermail/discussion/attachments/20180616/ade5d68a/attachment.sig>

• Previous message (by thread): Public Money Public Code: a good policy for FSFE and other non-profits?
• Next message (by thread): Public Money Public Code: a good policy for FSFE and other non-profits?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]