web technologies, open source, and security
It’s nice that someone is keeping track of projects that are changing licenses to the more restrictive GPLv3. This will make it easier for users to avoid installing software that’s less free than previous versions were.
Here’s the list of projects (at least their GPLv3 versions) I’m boycotting.
I’ve caught some flack for extolling the virtues and utility of GNU software while expressing my contempt for the Free Software Foundation (which oversees GNU) and its licensing.
So let me clarify a couple things. First, I have nothing at all against GNU software. It’s fantastic. I’ve no complaints about its operation. The list of GNU software on my Linux boxes would be very long: without GNU, there’s no functional Linux OS. I don’t limit myself to GNU’s utilities. I also use GNU’s C compiler, emacs, languages like GNU smalltalk and guile, utilities like wget, and so on.
I just as easily could rattle off the list of GNU software on my Windows, including emacs (you have to admit it’s a little more powerful than notepad). My problem isn’t with the software. The software is fantastic. I’m a fan of the software.
The problem is GPL, especially the GPLv3.
GPLv3 isn’t about software freedom. Software freedom was addressed in earlier versions of GPL. Some think all versions of GPL are too restrictive (I do). They favor licenses like BSD (without the advertising clause). And some software authors have even chosen to avoid copyright hassles altogether and made their code public domain.
If GPLv3 isn’t about software freedom, what is it about? It’s about restriction and rigid dogma. That’s right. The original GPLs were about freedom. The new one is about restriction.
The first restriction under GPLv3 is that software “freedom” should determine or otherwise impact hardware freedom. It does this via its “anti-tivoization” clause. This clause is targeted at a company that exceeded its obligations under earlier GPLs. The new GPL says companies like TiVo can’t encrypt their firmware, which is NOT part of the operating system (it’s in hardware-space), for any reason. Why do hardware vendors like TiVo encrypt firmware? There are many valid reasons. TiVo’s main reason is for security. They also don’t believe they should have to give competitors the benefit of their own research into their own hardware — their shareholders probably agree. Most companies don’t spend millions of dollars on development and then give their trade secrets to competitors. So the net result is TiVo’s customers and investors will suffer from GPLv3.
One of the reasons I’ve come to loathe Apple is because they engage in similar restrictions as GPLv3. Buy a copy (remember, you’re actually buying a license and not the software) of OS X. Try to install it on a non-Apple computer. It won’t let you. The license is for use on Apple hardware only.
This License allows you to install and use one copy of the Apple Software on a single Apple-labeled computer at a time. This License does not allow the Apple Software to exist on more than one computer at a time, and you may not make the Apple Software available over a network where it could be used by multiple computers at the same time. You may make one copy of the Apple Software (excluding the Boot ROM code) in machine-readable form for backup purposes only; provided that the backup copy must include all copyright or other proprietary notices contained on the original.
http://www.apple.com/legal/sla/macosx.html
There are ways to install it (driver support is better now that Apple has switched to Intel), but Apple’s legal team has pressured hosts to shut down sites showing how to install OS X on non-Apple computers. And since I hate lawyers, that’s all I care to say about the issue.
The second restriction on freedom relates to the anti-DRM features of GPLv3. The FSF claims that DRM restricts freedom, but they’re willing to restrict it themselves. The fact of the matter is, DRM exists because people don’t respect copyright laws. DRM doesn’t affect software. It affects data. Copyrighted data. You’re free to download whatever data you want so long as you’re willing to abide by the copyright or licensing offered by its owner(s). The data don’t change ownership when they’re on your machine.
FSF protects its own copyrights and licenses diligently. Very diligently. They pressure people all the time to comply with their license terms. Why can’t Sony? Why can’t BMI? Why can’t anyone else but FSF?
This is why I don’t like FSF. They used to be about software freedom. Now they’re for increased restrictions, and for reasons having less to do with software than hardware and data.
DSL 4 uses dfm for desktop and file management. Previous versions used xtdesk for icons on the desktop and emelfm for file management (midnight commander is available in DSL 4 as well as previous versions). The change to dfm integrates the desktop and file management, which is definitely an improvement for those who run X.
I lobbied for a different direction for DSL. That direction would focus on increasing modularity. I saw that as a reasonable evolution.
The problem was in the execution. First, I was told DSL has to remain useful off the CD. I would’ve traded utility for updating the kernel and base libraries. I didn’t see this as a net loss considering how most users use MyDSL extensions to replace what DSL offers and DSL comes with a script that allows users to create their own MyDSL CDs. What I proposed wasn’t too far from this.
Second, I would’ve moved desktop management to rox. This was shot down over issues related to older hardware and too many inodes from rox’ application directories. The developers also didn’t seem to like the fact that the executables would no longer be called by their normal names but rather AppRun. All of’em!
I didn’t see that as a hindrance at all, particularly when considered in the context of my previous point about modularity.
My solution isn’t unreasonable or impractical.
Since the applications would all be bundled up in their own directories, users who install (frugal or hard drive) could discard them in favor of applications they prefer. You use thunderbird instead of sylpheed? Delete sylpheed, install thunderbird. This increases modularity. It also takes care of the question about inodes because each application is only one file until it’s loaded. That would reduce inode concerns since everything for, say, xmms would be isolated in /opt/Apps/xmms instead of spread throughout /usr like it is now. And it would stay one file (xmms.whatever) until loaded via click by the user.
There are two issues related to handling things that way, particularly console applications and applications that compile into separate binaries. They could be handled pretty much the same way they are now, via shell scripts. In the case of an application with multiple binaries, it also could be compiled without altering the bindir so that the binaries would be in (e.g.) /opt/Apps/foo/bin and then wrappers could be set up in ../foo.
It will take more thinking and a bit more work. I have a running start with it. I think the long and short of it is that it can be done.
I see that OS News is having some issues with their ads. This brings up a set of peeves I have about advertising on websites. I hate visiting websites that spawn popups, use Flash to serve ad content that slows down my computer, use animation where none is needed and where I don’t want any, and that otherwise reroute content in such a way that browsing on older computers is a chore.
Before I go further, please don’t tell me that I’m preventing someone from making a profit. That’s crap. The example I give below about popup workarounds involves the website of a service run by my ISP, which is also my cable provider. They’re still a very profitable company without the fractions of pennies I might deny them by keeping ads from their own sites out of my face. My service from them isn’t “free” at all and they shouldn’t expect users to both pay for service and experience the indignity of their popup ads, of their crazy flashing advertisements, or of anything else that detracts from finding news articles. I would go with one of the “free” dialups if I wanted to be bombarded with such advertising.
I’ve written previously about FlashBlock and NoScript for Firefox. These are excellent tools to help conform websites to a user’s standards. Sometimes, though, they’re not enough.
Most browsers now allow users to block popups universally. I have popups blocked universally. Always have since I’ve been able to do that (and haven’t given up using text browser yet because of that and similar issues). Some sites, though, resort to workarounds that ignore what the user wants. An example of this is one of my local news sites, which is operated by my cable provider/ISP. Their news site — not the ISP’s, but their local news channel’s — spawns a popup from casalemedia on every fresh hit. I already blocked images from casalemedia. I still had the @*#$ popup every time I hit the news site, it only included scant text.
That isn’t acceptable. I should be able to control what I load even if I hit someone else’s website. I’d already done that with OS News because some of the ads served were a total abortion. I tried to do the same with the aforementioned news site. I also wanted to do more and conform websites more to my tastes than to someone else’s revenue streams.
I looked around and found another Firefox extension called Block Site. This one lets the user designate site blocking as the user sees fit. This is excellent for blocking sites that do nothing but serve ads for other sites. It also is able to block sites (like casalemedia) completely. It runs both whitelist/blacklist so a user can designate sites according to his or her desires. My blacklist is growing. I’ve blocked casalemedia, as well as the ads from yimg (Yahoo), and even Google Syndication.
Now I hit a site and I get more content than ads — I have more control over what loads and what doesn’t. I don’t think that’s a bad thing at all. I know there are people, including the operators of my favorite sites, who think it’s not a good thing. Maybe if they’d exercise more control over what appears on their sites people wouldn’t take such actions.
Are there any drawbacks, aside from screwing a few websites out of a few cents? The download page for Block Site says there can be issues of speed if your sites list is large. I think, though, that’s a fair trade off. After all, it takes time to load www.whatever.com and its ads from adservers like www.a-holeadvertising.com and then display them in Flash, popups, etc. I haven’t experienced any noticeable delays yet and my blacklist is getting quite large.
This one’s almost as an improvement over the previous video, and it’s a little more instructional in that it shows the script, chmod, etc., and has some graphics. I know it’s crappy and goes too fast. I’m just a geek, not a threat to Spielberg.
More site management issues… I’m either going to start from scratch or at least re-edit the export file and then re-import it. I’ve fixed a few links but the rest will break next time my old host goes down (which will be sooner than later if their recent history is any indication). I’ll fix the images while I’m at it since those are still linked to the old site.
Here are the posts I made about DSL 4.0 on my other blog site. The other host’s issues with uptime and configuring MySQL present too much difficulty in exporting. Too bad, but their problems are why I moved the blog here in the first place.
I didn’t know what Robert Shingledecker had in mind for the next version of DSL beyond a major kernel upgrade and changes that would affect (improve) user-friendliness, but DSL 4.0 now available in alpha. This version now uses kernel 2.4.34.1, and it has some major interface changes that should make it more user-friendly for people coming over from other operating systems.
My initial impressions are mostly positive.
The biggest change users will first notice is that it boots into JWM by default with a dfm desktop in place of xtdesk icons. JWM will probably be appreciated more by people less familiar with Linux because it has the more traditional menu button on the left and task bar across the bottom. Users who want to use fluxbox can designate that at boot (desktop=fluxbox) or switch from JWM to fluxbox by clicking exit and choosing switch to fluxbox.
The choice of dfm over xtdesk means DSL now has a drag and drop desktop. That’s quite an accomplishment for a 50 MB distro. I’m not a big fan of dfm, but it fits in very well with the DSL ethos. It’s light and functional, and it just gets the job done.
My only doubt about dfm in DSL is how it’s also replacing emelfm. One of the things I’ve appreciated about DSL versions prior to 4.0 is how emelfm can be configured as users see fit. A user can personalize emelfm by setting up function buttons. I set mine up with everything from encryption/decryption tools to opening files in applications launched in particular ways. Users can always create their own scripts and then launch them from the desktop or from dfm filers (or whatever they’re called; I’m used to rox terms for that), but I don’t know what the reaction is going to be by people who prefer double-paned managers like mc (still included with DSL 4.0) and emelfm.
Using dfm as a desktop manager means that right-click menus (used by both JWM and fluxbox) are defunct so long as dfm is running. Instead, right-clicking operates the dfm menu. I don’t like anything that takes over the entire desktop. This is one of the reasons I stopped using gworkspace in GNUStep-based environments, which would be my second choice behind rox if there weren’t a 50 MB restriction on DSL. You can quit dfm and regain access; I added entries (one for normal user, the other for opening as root) in .jwmrc to restart dfm from the menu.
It’s not all bad. One of the nicer things is that dfm’s MIME-type handling allows DSL to be configured so it’s point-and-click. That includes MyDSL extensions. Open up the filer window where your extensions are, double click, run. It can’t get much easier than that.
The base icons really don’t have much aesthetic appeal, especially considering the current trends in bloated desktop experience. The rationale of using these particular icons fits in with what DSL is. And what it’s not. This isn’t Ubuntu or some other distro that uses heavyweight libraries and has tons of eye appeal. Some of us sickos actually like old school icons, though. User experience should include getting things done, not being mesmerized by flipping 3D virtual desktops and gobs of transparency that all ends up requiring more RAM than do the applications included with the distro. It shouldn’t be too difficult for users to throw together icons to customize their systems. I’m going to try to convert a couple sets I have for rox to xpm some time this week and package them for DSL 4.
DSL can still be extended and customized very easily to fit in with the user’s demands rather than the crazy aesthetic ambitions of developers, graphic card vendors, and shops selling RAM upgrades.
Overall, I think this is a very good direction for DSL to take. It adds function and convenience without adding bloat. That means it remains accessible to people with the hardware they already have, even if it’s pretty “old.” Old DSL fans shouldn’t feel too betrayed by the substantive changes, and new users should feel more “at home” with them.
I haven’t had much time to play around with DSL 4.0 beyond getting it set up to suit my tastes. I did a standard hard drive install on a 450 MB partition. The install uses about half that.
What changes do I make? First, I hate booting straight into X — I like to start X when I’m ready. So I edit /etc/inittab so it starts in run level 3.
The second set of changes is security-oriented. I edit ssh_conf and sshd_conf to prevent root log-in and password log-ins. If you use ssh, you should know how to set up and use keys. Otherwise, you may as well use telnet (telnet-ssl is more secure than ssh because it uses signed certificates instead of keys but that’s a topic for another day). If I’m not going to use SSH, I reassign its port to something much higher than 22. I also configure my firewall.
Third, I change the intervals for tunefs.
Fourth, I change the host name. I don’t have anything against the default “box,” but I often have three or more computers running simultaneously. Each partition gets its own host name.
Finally, I edit configuration files. I don’t like scroll bars on my terminal windows and I like them tinted so they don’t absorb colors from any background (I usually use a solid color or something with very little distraction in it). I also change torsmo’s colors to they don’t jump out at me.
Still on my to-do list: Copy my AppRun wrapper scripts from rox for use in DSL 4. Bundle alternative icon sets. I also need to check out the tripl-frontend version of loopaes in Testing, but I need to check if it’s compatible with the new kernel.
I’ve had a little more time to get my DSL 4 test partition set up the way I want. I’ve been adding MyDSL extensions to see what works and compiling stuff while away and while I sleep. No major problems so far.
I’ve made some aesthetic changes. I don’t like bottom task bars and menu buttons. Fortunately, DSL 4 updates JWM so the tray can be moved and resized. I put my tray on top (where I believe it belongs). I also changed the colors to something a little “happier” than my standard shades of grey solid colors. 
Then again, I’ve compiled screen-4.0.3 so I don’t have to run X at all on the poor old Pentium Pro. Amazing how much more responsive it is in the console regardless of how many apps are running.
edit: If anyone wants to change the tray to appear on top, edit the line beneath “additional tray attributes” that has x and y coordinates so it’s like this:
<Tray valign=”top” halign=”center” height=”24″>
———
update: 25 July 2007 - More updates on DSL 4 to come, including a better quality video.
A vulnerability affecting iPhones and Mac computers running Safari (not Windows versions of Safari) has been announced by Independent Security Evaluators. The proof of concept has been disclosed to Apple along with a proposed patch.
When the iPhone’s version of Safari opens the malicious web page, arbitrary code embedded in the exploit is run with administrative privileges. In our proof of concept, this code reads the log of SMS messages, the address book, the call history, and the voicemail data. It then transmits all this information to the attacker. However, this code could be replaced with code that does anything that the iPhone can do. It could send the user’s mail passwords to the attacker, send text messages that sign the user up for pay services, or record audio that could be relayed to the attacker.
Sounds like lots of fun. The POC will be demonstrated at Black Hat USA next week in Las Vegas.
I last exported my blog for back-up a couple weeks ago so I’ll have to wait for my former host to get up so I can recover the last few posts I made there. I’ll set up my blogroll and links later. I’ll also have to re-categorize my pages when I get a chance.
It looks like everything else is up and working well — sign of a smooth transition thanks to great software. My hat’s off to WordPress for making the best blogging software, period.
The idea for the video was only to show that a simple shell wrapper (just using bsetbg in this example to change backgrounds) can simplify certain tasks. I know there are people who loathe WIMP, but there’s more to life than the console. When done right, WIMP is a tool rather than a hindrance.
