From: Alexandre Oliva
To: Siddhesh Poyarekar
Cc: GNU C Library
Subject: Re: GNU C Library as its own CNA?
Organization: Free thinker, not speaking for the GNU Project
References: <1f5a1295-36d1-ab5e-86ec-1e91acefc63f@gotplt.org> <8f303953-3e5e-582f-ab4b-d3d0911f3be2@gotplt.org>
Date: Wed, 06 Sep 2023 15:35:03 -0300
In-Reply-To: <8f303953-3e5e-582f-ab4b-d3d0911f3be2@gotplt.org> (Siddhesh Poyarekar's message of "Wed, 6 Sep 2023 07:40:22 -0400")

On Sep 6, 2023, Siddhesh Poyarekar wrote:

> Trying to revive this conversation since there haven't been any
> objections to this.

FWIW, I looked briefly into GNU's becoming a CNA, and... that didn't look good.
The web site to as much as get information about the process was fully javascrippled, which not only made the information inaccessible to me, but made me realize that GNU shouldn't recommend anyone to use that web site. There are two angles to that:

- JavaScript on web pages served by third parties is often nonfree software to boot, but even when it is licensed in freedom-respecting terms, the specific setting (served out by a remote server, run by a third party, for blind and unmodified execution on one's own computer) is analogous to Tivoization, that renders the software ultimately nonfree for users that run it that way

- JavaScript on web browsers opens a gratuitous and huge attack surface, that IMHO no self-respecting security professional should voluntarily expose, and no self-respecting security organization should impose on its users, especially those in charge of improving security. It's an extremely poor example of promoting insecurity, as we all know that these sandboxes are porous and constantly threatened, and there's no defensible reason to require them to begin with.

I hope someone with access to that organization can pass on this constructive criticism and recommend them to drop these self-defeating requirements from their web pages, so that we can consider joining as a CNA, whether as a package or as a project.

Thanks,

-- 
Alexandre Oliva, happy hacker https://FSFLA.org/blogs/lxo/
Free Software Activist GNU Toolchain Engineer
Disinformation flourishes because many people care deeply about injustice
but very few check the facts. Think Assange & Stallman. The empires strike back