From: Alexandre Oliva <oliva@gnu.org>
To: Siddhesh Poyarekar <siddhesh@gotplt.org>
Cc: GNU C Library <libc-alpha@sourceware.org>
Subject: Re: GNU C Library as its own CNA?
Date: Wed, 06 Sep 2023 15:35:03 -0300
Message-ID: <orzg1zb160.fsf@lxoliva.fsfla.org>
In-Reply-To: <8f303953-3e5e-582f-ab4b-d3d0911f3be2@gotplt.org> (Siddhesh Poyarekar's message of "Wed, 6 Sep 2023 07:40:22 -0400")

On Sep 6, 2023, Siddhesh Poyarekar <siddhesh@gotplt.org> wrote:

> Trying to revive this conversation since there haven't been any
> objections to this.

FWIW, I looked briefly into GNU's becoming a CNA, and... that didn't
look good.

The web site to as much as get information about the process was fully
javascrippled, which not only made the information inaccessible to me,
but made me realize that GNU shouldn't recommend anyone to use that web
site.

There are two angles to that:

- JavaScript on web pages served by third parties is often nonfree
  software to boot, but even when it is licensed in freedom-respecting
  terms, the specific setting (served out by a remote server, run by a
  third party, for blind and unmodified execution on one's own computer)
  is analogous to Tivoization, that renders the software ultimately
  nonfree for users that run it that way

- JavaScript on web browsers opens a gratuitous and huge attack surface,
  that IMHO no self-respecting security professional should voluntarily
  expose, and no self-respecting security organization should impose on
  its users, especially those in charge of improving security. It's an
  extremely poor example of promoting insecurity, as we all know that
  these sandboxes are porous and constantly threatened, and there's no
  defensible reason to require them to begin with.

I hope someone with access to that organization can pass on this
constructive criticism and recommend them to drop these self-defeating
requirements from their web pages, so that we can consider joining as a
CNA, whether as a package or as a project.

Thanks,

--
Alexandre Oliva, happy hacker https://FSFLA.org/blogs/lxo/
Free Software Activist GNU Toolchain Engineer
Disinformation flourishes because many people care deeply about injustice but
very few check the facts. Think Assange & Stallman. The empires strike back