Re: GNU C Library as its own CNA?

[Alexandre Oliva <oliva@gnu.org>]

On Sep  6, 2023, Siddhesh Poyarekar <siddhesh@gotplt.org> wrote:

> Trying to revive this conversation since there haven't been any
> objections to this.

FWIW, I looked brienfly into GNU's becoming a CNA, and...  that didn't
look good.

The web site to as much as get information about the process was fully
javascrippled, which not only made the information inaccessible to me,
but made me realize that GNU shouldn't recommend anyone to use that web
site.

There are tow angles to that:

- JavaScript on web pages served by third parties is often nonfree
  software to boot, but even when it is licensed in freedom-respecting
  terms, the specific setting (served out by a remote server, run by a
  third party, for blind and unmodified execution on one's own computer)
  is analogous to Tivoization, that renders the software ultimately
  nonfree for users that run it that way

- JavaScript on web browsers opens a gratuitous and huge attack surface,
  that IMHO no self-respecting security professional should voluntarily
  expose, and no self-respecting security organization should impose on
  its users, especially those in charge of improving security.  It's an
  extremely poor example of promoting insecurity, as we all know that
  these sandboxes are porous and constantly threatened, and there's no
  defensible reason to require them to begin with.

I hope someone with access to that organization can pass on this
constructive criticism and recommend them to drop this self-defeating
requirements from their web pages, so that we can consider joining as a
CNA, whether as a package or as a project.

Thanks,

-- 
Alexandre Oliva, happy hacker                    https://FSFLA.org/blogs/lxo/
   Free Software Activist                           GNU Toolchain Engineer
Disinformation flourishes because many people care deeply about injustice but
very few check the facts.  Think Assange & Stallman.  The empires strike back