Public Money Public Code: a good policy for FSFE and other non-profits?

Florian Snow floriansnow at fsfe.org
Sat Jun 16 17:10:37 UTC 2018


Hi Daniel,


I think the inventory you propose can be interesting.  If we do it, we
might want to include what Free Software people use so we can say to
others:  "Here are tools that have proven useful to us in our work as a
non-profit organization."  That might be useful to others.


Daniel Pocock <daniel at pocock.pro> writes:
> If the motion is revised to focus on something like "staff computers"
> and people reply that only the firmware is non-free but they don't
> tell us they are using non-free apps on their personal mobile phones
> to do FSFE stuff then they are not respecting the intention of the
> motion

I am sorry, but I cannot see any way in which we could regulate what
people do privately.  What people do as part of their job for a Free
Software organization, yes, but there has to be a limit when it comes to
personal space.  We do not want to run the FSFE like a police state that
checks people's every move.


> The motion should also apply to firmware.  Think about some of the
> following:
>
> - printer firmware: many modern network printers are automatically
> phoning home to their manufacturer to report about usage and download
> updates.
>
> - IP phones on your desk: how do you know the microphone can't be
> switched on remotely if it runs non-free firmware?  In fact, such
> exploits are well known

Ok, that is a good point.  What about (potentially malicious) circuitry?
Should we include that as well?


> Some organizations even generate these reports (or the skeleton of the
> report) automatically, extracting a list of all known MAC addresses from
> their switches and access points, installing management agents on every
> host with a function to detect all installed binaries and also observing
> all network connections and correlating them back to the respective
> binaries.  Such data could be cross referenced with checksums of trusted
> binaries and the data could be annotated on a wiki page.

That sounds like a great way to not spend staff time on this.  So I see
a path here to gather more support because spending limited staff time
on such an inventory is really a blocker.  It looks like you are
familiar with some of those tools for generating reports and you would
certainly be qualified to do annotations or possibly write software to
automate the annotation process.  Would you be willing to work on this?

Happy hacking!
Florian
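
An added example, not part of the original message or any FSFE tooling: a sketch of the automated inventory skeleton described in the quoted paragraph, correlating MAC addresses seen on switches, agent-reported binaries, and network connections against checksums of trusted binaries. All data, field names and the table layout are constructed assumptions; file contents are stood in for by short byte strings.

```python
import hashlib

# Constructed sample data (assumptions, not from the thread).
TRUSTED_SHA256 = {  # checksum -> label of a binary the organization trusts
    hashlib.sha256(b"free-editor-1.0").hexdigest(): "free-editor 1.0",
}
SWITCH_MACS = {"02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"}
AGENT_REPORTS = [  # one report per host that runs a management agent
    {"mac": "02:00:00:00:00:01", "host": "desk-1",
     "binaries": {"/usr/bin/editor": b"free-editor-1.0"},
     "connections": []},
    {"mac": "02:00:00:00:00:02", "host": "desk-2",
     "binaries": {"/opt/vendor/agent": b"opaque-blob"},
     "connections": [("/opt/vendor/agent", "198.51.100.7:443")]},
]

def build_inventory(switch_macs, reports, trusted):
    """Return one row per binary, plus one row per MAC with no agent report."""
    rows, seen = [], set()
    for rep in reports:
        seen.add(rep["mac"])
        remotes = {}  # binary path -> remote endpoints it talked to
        for path, remote in rep["connections"]:
            remotes.setdefault(path, []).append(remote)
        for path, content in sorted(rep["binaries"].items()):
            digest = hashlib.sha256(content).hexdigest()
            rows.append({"host": rep["host"], "mac": rep["mac"], "path": path,
                         "status": trusted.get(digest, "UNVERIFIED"),
                         "remotes": remotes.get(path, [])})
    # Devices the switches see but no agent covers (printers, IP phones, ...)
    # cannot be checksummed; list them so a person can annotate them by hand.
    for mac in sorted(switch_macs - seen):
        rows.append({"host": "?", "mac": mac, "path": "-",
                     "status": "NO AGENT", "remotes": []})
    return rows

def to_wiki(rows):
    """Render rows as a simple pipe-delimited table for pasting into a wiki."""
    lines = ["| host | MAC | binary | status | remote endpoints |"]
    for row in rows:
        lines.append("| {host} | {mac} | {path} | {status} | {r} |".format(
            r=", ".join(row["remotes"]) or "-", **row))
    return "\n".join(lines)

if __name__ == "__main__":
    print(to_wiki(build_inventory(SWITCH_MACS, AGENT_REPORTS, TRUSTED_SHA256)))
```
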


