Ubuntu derivatives ({L,X,K}ubuntu) are OK, while Ubuntu itself is not #334

Closed
sgtpep opened this Issue Jul 21, 2013 · 104 comments

Contributor

sgtpep commented Jul 21, 2013

Suggest adding them to the list. They are pretty vanilla LXDE, Xfce, KDE based distros. They don't have Unity Dash and don't send any data to Canonical or third parties (except for submitting crash reports, which is optional).

hasufell Jul 23, 2013

Contributor

Any such derivative is downstream of Ubuntu and because of that potentially unsafe, even Mint (although they seem to repackage some things and also mind "LMDE").

Danfun64 Jul 24, 2013

Trisquel is also an Ubuntu derivative. Under that logic (if I understand it correctly) shouldn't Linux Mint be replaced with LMDE and Trisquel with gNewSense?

hasufell Jul 24, 2013

Contributor

In my opinion probably yes, but that's just me. I wouldn't trust anything that comes from Ubuntu or uses anything from Ubuntu (and that's what derivatives do).
Derivatives usually don't have the resources to run their own repository of 30k+ packages, so they always end up using stuff from the original distro, although they might modify some things heavily.

Danfun64 Jul 24, 2013

So... what should be done about Ubuntu derivatives?

hasufell Jul 24, 2013

Contributor

IMO all Ubuntu derivatives should be removed as well, because they can potentially also include spyware of the original distro without even knowing.
Since original Ubuntu is already distrusted on this site, the logical conclusion is to distrust downstreams of Ubuntu as well.
Mint might be an exception and need further investigation, but afaik it does not have an independent repository. (ofc LMDE is fine, because it uses the Debian testing repository and Debian is not known to do weird things and has a strong ethical commitment... so maybe change Linux Mint to "Linux Mint Debian Edition")

alexander-b Jul 24, 2013

Contributor

I agree with hasufell.

Danfun64 Jul 24, 2013

And what of Trisquel? I think it uses its own repositories. Since it's Ubuntu-based, should it be removed as well?

hasufell Jul 24, 2013

Contributor

from #trisquel on freenode:
Does trisquel mirror packages from ubuntu or package everything on its own?
or a mix? and if so, what kind of mix
hasufell: mi
c107: mi?
hasufell: It's a mixture. It uses what it can from Ubuntu and repackages what isn't free.
ah
does it use debian packages as well?
hasufell: I haven't seen Debian hostnames, but I don't see why not.
there are packages from Debian
see the toutatis branch of http://devel.trisquel.info/gitweb/?p=package-helpers.git;a=summary

nylira Jul 24, 2013

Owner

Ubuntu's spyware is currently contained in the Unity desktop environment. Ubuntu derivatives using alternative desktop environments ({L,X,K}ubuntu) should be theoretically safe, although they may still contain non-free software.

However, for the casual visitor to PRISM Break, it's difficult to promote {L,X,K}ubuntu without seeming to promote Ubuntu itself. It's just one letter off, and searching for a flavor of Ubuntu will invariably lead you to the Ubuntu homepage due to fuzzy search logic and page rankings.

I think we should keep the OS list at status quo. Linux Mint and Trisquel should be retained as they're sufficiently distinguished from Canonical Ubuntu. Mint -- while not entirely free -- will be a good experience for first-time Linux users, and Trisquel is the most usable completely free OS. {L,X,K}ubuntu will not be officially recommended because their names may unintentionally mislead users to Canonical versions of Ubuntu.

hasufell Jul 24, 2013

Contributor

That's a logical flaw in the chain of trust. If you do not trust Ubuntu (for whatever reason), you cannot trust distros that make use of Ubuntu packages directly.

nylira Jul 24, 2013

Owner

Ubuntu Unity search and the proprietary Ubuntu One cloud service are problematic for user privacy and freedom. Neither of them are present in Mint or Trisquel.

As far as trust goes, Ubuntu packages are open source and freely available to be audited. If spyware is found in any other Ubuntu package, feel free to make an issue for it, and I can take down the affected distributions until they fix the problem.

hasufell Jul 24, 2013

Contributor

While I understand your point of view, let me be a bit more verbose about mine.

Ubuntu is a corporation-driven distribution and does not care about the free software or open source community (Greg K-H: "Ubuntu does not give back to the community" on a kernel talk at Google). While that alone is not a bad thing it completes the picture of Ubuntu's goals (see bug #1 on Ubuntu Launchpad).

IMO, over the last few years Canonical has followed the exact same strategy of Microsoft: EEE (Embrace, Extend, Extinguish). That has shown in various ways where Ubuntu has pushed technologies or created extensions (such as Unity). The next step will be things like API war and might already start with the deal they have made with Valve.
Well, of course that is only guessing and I might be completely wrong.

But what is a fact is this: Ubuntu has already betrayed its users through their spying features and is clearly not aiming at full transparency and freedom as in free.
Because of this fact people should really think if this will remain the only occurrence of nastiness. History has taught us and is telling us again right now that companies with that power and attitude will not stop at such a point, but just become more subtle. Free software for them is merely a utility to build up to their own goals.

How can you trust someone who has already lied to you? What happened in Ubuntu is a very good reason to never trust them again as a whole, not just disregard a few features they provide. That would be inconsistent for people who appreciate free software and want control over what's happening on their computer.

Further: Ubuntu packages are technically not opensource. They are just binary packages, so they cannot be (open)source at the same time. That is a small but important difference. What they do is provide a source tarball along with their binary tarball. Who can tell me now if the source from tarball A matches the compiled binary of tarball B? You would have to decompile and analyze the whole code against the other... and that will be pretty difficult. So why should I install binary packages at all? Well, maybe because I trust the distributor. But we already realized that you cannot trust Ubuntu distributors.

Now when we are talking about derivatives we are technically talking about Ubuntu as well. You cannot distinguish cleanly between them, because they always mirror packages directly from Ubuntu, as an example for Trisquel:
"Trisquel modifies/adds 156 source packages, 2 are imported from Debian, 4 from other repos"
see http://devel.trisquel.info/gitweb/?p=ubuntu-purge.git;a=blob;f=purge-precise;h=933576f24ae7e05292699aead015d3e88906ffe7;hb=HEAD for a list

That in fact means that over 99% of Trisquel is practically Ubuntu. How can I recommend Trisquel now when I already distrust Ubuntu? You say the malicious features have been removed? Well, does Trisquel or you know of all malicious features of Ubuntu? No. Well, we could claim that for any distro, no? Yes, but they have not betrayed their users yet, so there is still a small reason for trust.

That said... it is simply illogical to trust derivatives who just import the majority of packages from Ubuntu. While we cannot say "Ubuntu distributes malware all over its repository", we can't really say the opposite either, because it already happened once.

If you recommend LMDE (which is purely based on Debian) I would really have no objection, so please don't think I'm one of the guys who start distro wars. I am concerned about security and users. There are other distros on your list that I do not like, but I would never claim that Arch Linux is not trustworthy.
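
How much of a derivative is unmodified upstream, the question behind the "over 99%" figure in the comment above, can be measured by comparing the two archives' APT `Packages` indices by `.deb` digest. This is an added example, not code from the thread or from any distribution discussed; the function names are hypothetical and the sample package names, versions and SHA256 values are constructed.

```python
"""Compare a derivative's APT Packages index with its upstream's (added example)."""


def parse_stanzas(text):
    """Parse deb822 control text (Packages, Release, dpkg status) into dicts."""
    stanzas, current, last_key = [], {}, None
    for line in text.splitlines():
        if not line.strip():                  # blank line ends a stanza
            if current:
                stanzas.append(current)
            current, last_key = {}, None
        elif line[0] in " \t":                # continuation of the previous field
            if last_key:
                current[last_key] += "\n" + line.strip()
        elif ":" in line:
            key, _, value = line.partition(":")
            last_key = key.strip()
            current[last_key] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def hashes_by_name(packages_text):
    """Map package name -> set of SHA256 digests listed for its .deb files."""
    index = {}
    for st in parse_stanzas(packages_text):
        if "Package" in st and "SHA256" in st:
            index.setdefault(st["Package"], set()).add(st["SHA256"].lower())
    return index


def compare_indices(upstream_text, derivative_text):
    """Classify every binary package the derivative ships against upstream.

    identical: same name and same .deb digest (byte-for-byte the upstream file)
    changed:   same name, different digest (patched, or merely rebuilt/re-versioned)
    added:     name exists only in the derivative
    dropped:   name exists only upstream (e.g. purged as non-free)
    """
    up, down = hashes_by_name(upstream_text), hashes_by_name(derivative_text)
    result = {"identical": [], "changed": [], "added": [], "dropped": []}
    for name, digests in sorted(down.items()):
        if name not in up:
            result["added"].append(name)
        elif digests <= up[name]:
            result["identical"].append(name)
        else:
            result["changed"].append(name)
    result["dropped"] = sorted(set(up) - set(down))
    return result


def inherited_share(result):
    """Fraction of the derivative's packages that are unmodified upstream binaries."""
    shipped = len(result["identical"]) + len(result["changed"]) + len(result["added"])
    return len(result["identical"]) / shipped if shipped else 0.0


def _stanza(name, version, digest_byte):
    # Helper for the constructed sample data below; digests are fake.
    return f"Package: {name}\nVersion: {version}\nSHA256: {digest_byte * 32}\n"


# Constructed sample indices (package names, versions and digests are invented).
UPSTREAM = "\n".join([
    _stanza("libfoo1", "1.2-3", "a1"),
    _stanza("bar-tools", "0.9-1", "b2"),
    _stanza("baz-branding", "2.0-1", "c3"),
    _stanza("qux-nonfree", "5.1-2", "d4"),
])
DERIVATIVE = "\n".join([
    _stanza("libfoo1", "1.2-3", "a1"),               # mirrored unchanged
    _stanza("bar-tools", "0.9-1", "b2"),             # mirrored unchanged
    _stanza("baz-branding", "2.0-1+deriv1", "e5"),   # repackaged by the derivative
    _stanza("deriv-keyring", "1.0", "f6"),           # derivative's own package
])

if __name__ == "__main__":
    report = compare_indices(UPSTREAM, DERIVATIVE)
    for kind, names in report.items():
        print(f"{kind:9} {len(names):3}  {', '.join(names)}")
    print(f"inherited unmodified: {inherited_share(report):.0%}")
```

On a real system the inputs would be the `Packages` files that APT stores under `/var/lib/apt/lists/`. A matching digest only shows that a binary is upstream's file; whether that binary corresponds to its published source is the separate reproducibility question raised in the comment.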

alexander-b Jul 24, 2013

Contributor

In addition to Julian's points, I would like to add that these Ubuntu-derived distributions simply do not have the manpower to possibly audit all the packages they inherit (or sometimes even directly mirror) from Ubuntu. This means that their users are effectively at Ubuntu's mercy, and we cannot trust Ubuntu as they have proven to have unethical, anti-social interests.

nylira Jul 24, 2013

Owner

Thanks for your arguments @hasufell @alexander-b . While I've heard of most of these points already, some of them are new to me, and they've worked to convince me to your point of view.

> "Trisquel modifies/adds 156 source packages, 2 are imported from Debian, 4 from other repos"
> see http://devel.trisquel.info/gitweb/?p=ubuntu-purge.git;a=blob;f=purge-precise;h=933576f24ae7e05292699aead015d3e88906ffe7;hb=HEAD for a list

> these Ubuntu-derived distributions simply do not have the manpower to possibly audit all the packages they inherit (or sometimes even directly mirror) from Ubuntu

More dialogue here: https://trisquel.info/en/forum/fear-and-uncertainty-trisquel-70

So here's what's going to happen.

  • The Linux Mint recommendation will be updated to point at the LMDE distribution.
  • Trisquel will be replaced by gNewSense due to Canonical's philosophy and uncertain freedom with future versions of Ubuntu.

nylira added a commit that referenced this issue Jul 24, 2013

nylira added a commit that referenced this issue Jul 24, 2013

nylira added a commit that referenced this issue Jul 24, 2013

@nylira nylira closed this Jul 24, 2013

@nylira nylira referenced this issue Jul 25, 2013

Closed

Kubuntu #194

melvincarvalho Jul 25, 2013

How ironic that Ubuntu is scratched from the list for ads in the dash which you can turn off. Yet this site promotes pages which link to Google tracking, that you can't turn off

hasufell Jul 25, 2013

Contributor

You do know that GitHub has scripts and cross-site references for google-analytics as well, don't you? Weird enough, but I can turn those off.

Ashrael Jul 28, 2013

Canonical is doing the Microsoft thing indeed! Right now I am still on Ubuntu, but I did tear out everything that looks like it's breaking my own privacy rules. I took out most of Unity (replaced it with classicmenu-indicator), all of UbuntuOne, apport, zeitgeist and a few other packages I can't remember right now. And I use a lot of add-ons in Firefox to protect my privacy... I do my best... But I can never be sure that there isn't some malicious piece of code somewhere, unless I check it all myself... Fat chance that's going to happen. Don't have the time or knowledge, and I guess no one has anymore.

The best shot we all are going to have at a safe O.S. and privacy is to pool our knowledge and mental resources and create one ourselves. Also we have to redefine the standard on the internet from unencrypted to encrypted connections. Do you think Captain Kirk sends unencrypted messages? :) Or any sane person in the future? I think encryption should be standard in all electronic communications.

We need to start by identifying the suspect and privacy-breaking packages, and make a list of them. A few have already been named, but I am quite sure there's more. This at least gives users the chance to get rid of them on their current distro if they wish. Scripts could be made etc.

hasufell Jul 28, 2013

Contributor

Yeah, but it is safer and more consequent to just completely distrust Ubuntu.

Debian is really not that much different in terms of maintenance, package manager, etc.

> The best shot we all are going to have at a safe O.S. and privacy is to pool our knowledge and mental resources and create one ourselves.

People have already done that and it's better to join those efforts instead of just creating a new one. In the end... security in terms of virtual life, communication etc. never works without trust. But you should be radical on any disappointment you experience.

melvincarvalho Jul 28, 2013

This is such a double standard. If you are going to exclude Ubuntu (which seems a massive overreaction) ... you should exclude sites that contain Google spyware. This whole exercise seems like a marketing campaign.

hasufell Jul 28, 2013

Contributor

> which seems a massive overreaction

I don't think so. Feel free to reply to my arguments at #334 (comment) and point out where I am wrong.

> you should exclude sites that contain Google spyware

Can you be more specific?

melvincarvalho Jul 28, 2013

Go through the list and look for sites which track you using Google Analytics or pixel bugs or some other link to Google, Facebook etc. Just looking at the social section the first two I checked were pump.io and joindiaspora, both contain spyware, I'm sure there are many more.

hasufell Jul 28, 2013

Contributor

> I'm sure there are many more

Yes, GitHub. Log out now. ;)

melvincarvalho Jul 28, 2013

@hasufell you prove my point ... actually many FLOSS projects use GitLab or Gitorious, spyware is tolerable when it suits you personally but not when you want to attack something like Ubuntu ... it's a double standard

hasufell Jul 28, 2013

Contributor

I think that is overreacting. You can block those scripts and cross-site references with the browser addons mentioned on the main page.
Not everyone actually shares the FUD about Google, so a lot of websites (even privacy oriented ones) do allow google-api or somesuch in one way or another.
If you don't want to visit any website that has any kind of reference to Google... then the only thing you can do is to wget websites and browse them offline. Good luck.

Google might see you anyway, even if you do not use their services directly and block their scripts and cross-site references. That is beyond your control. However, I believe there is still gain by not using their services.

Also... for Ubuntu... there are A LOT of serious alternatives. So your argument is flawed twice, since you can a) choose an alternative distro and b) block Google scripts and cross-site references from within your browser.

ghost Jul 28, 2013

I'm going to post this here because my other post was already closed.... :/

So, Ubuntu has a lot of serious alternatives. That's why you promote these alternatives.

iOS does not have a lot of serious alternatives. You could JB and block using a firewall to prevent some tracking and remove untrusted features. But that's about it.

Android does not have a lot of serious alternatives either and CyanogenMod certainly isn't one. It's just open source - that's about it. It's ridiculous that you guys recommend it here!

Google is way more privacy invasive than Amazon because they have finally decided to merge their services from different platforms, ask for phone numbers repetitively and your real user name. It's hard to avoid their default enabled settings even in Chromium and CyanogenMod.

I'd rather have an Amazon lens in Ubuntu enabled per default than tracking technologies in CyanogenMod. The tracking here is worse because it's not like: "If I search in this box, I am tracked. So, I'll just avoid it." Or disable it entirely. Mobile phones have more features because they are multi purpose devices and more data is collected per default by Google to "improve" these services.

As of now, you should not recommend either iOS or CyanogenMod - it gives a false sense of PRISM "break". Or if you recommend CyanogenMod - you have even better reasons to support Ubuntu as an easy to use distro for beginners. Linux Mint brings a lot of junk with it.

melvincarvalho Jul 28, 2013

towolf Aug 8, 2013

WTF, someone here put forward a lot of bullshit logic.

Let me play

It can be seen that many Ubuntu developers are at the same time Debian developers. Since Ubuntu is tainted by breach of trust and betrayal of its users it must be assumed that Debian is tainted by extension by retrograde upstream breach of trust and cross-pollination of betrayal through card-carrying, revolving door Ubuntu+Debian developers.

Please remove Debian ASAP.

hasufell Aug 8, 2013

Contributor

> It can be seen that many Ubuntu developers are at the same time Debian developers.

That time is long gone. Most debian devs abandoned ubuntu.

> Since Ubuntu is tainted by breach of trust and betrayal of its users it must be assumed that Debian is tainted by extension by retrograde upstream breach of trust and cross-pollination of betrayal through card-carrying, revolving door Ubuntu+Debian developers.

That does not make sense to me. Debian has a very observant and strict community. If any developer would ever attempt to push in a package with fishy extensions and get caught (and he will), then he'll be banned forever.

The Ubuntu community doesn't even care. They just accept things that come.

On top of that you missed the main point: community vs corporate driven. Distributors in ubuntu might not even know what they are packaging, since you are not really required to read the source code of the package you are packaging. In that sense you cannot trust the distributor in his role as a distributor, because he is just doing his job.

towolf Aug 8, 2013

On Thu, 2013-08-08 at 16:44 -0700, Julian Ospald wrote:

> > It can be seen that many Ubuntu developers are at the same
> > time Debian developers.
>
> That time is long gone. Most debian devs abandoned ubuntu.

Do you really want me to make a list? But I have other things to do.

So trust me, there’s a large overlap. In Universe developers at the very
least.

> > Since Ubuntu is tainted by breach of trust and betrayal of its
> > users it must be assumed that Debian is tainted by extension
> > by retrograde upstream breach of trust and cross-pollination
> > of betrayal through card-carrying, revolving door Ubuntu
> > +Debian developers.
>
> That does not make sense to me. Debian has a very observant and strict
> community. If any developer would ever attempt to push in a package
> with fishy extensions and get caught (and he will), then he'll be
> banned forever.

That was copying your nonsensical style of tinfoil-cladded arguing. A
joke.

Extending that Amazon search to imply that all of Ubuntu is
untrustworthy is just ludicrous. I can just as well imply that Debian is
untrustworthy by similar an-den-haaren-herbeigezogenen arguments.

> The Ubuntu community doesn't even care. They just accept things that
> come.

WTF?

> On top of that you missed the main point: community vs corporate
> driven. Distributors in ubuntu might not even know what they are
> packaging, since you are not really required to read the source code
> of the package you are packaging. In that sense you cannot trust the
> distributor in his role as a distributor, because he is just doing his
> job.

If you think DD scrutinize source code in every release you are deluded.
There is no such thing. The Debian archive is vast.

And your "source code prevents any shenanigans" argument is highly
naive.

hasufell Aug 8, 2013

Contributor

> Do you really want me to make a list?

go on

> I can just as well imply that Debian is untrustworthy by similar an-den-haaren-herbeigezogenen arguments

there are no such similar cases in debian

> If you think DD scrutinize source code in every release you are deluded. There is no such thing. The Debian archive is vast.

I did not claim that. Read more carefully.

towolf Aug 9, 2013

On Thu, 2013-08-08 at 16:59 -0700, Julian Ospald wrote:

> > Do you really want me to make a list?
>
> go on

No, I don’t have time for this crap.

Your whole little website is fraught with mission creep and mixed
messages.

I will forget about it and not link to it. The idea was good though and
through you I found that posteo service, which is interesting.

hasufell Oct 16, 2013

Contributor

> I use Ubuntu, you can't prevent Big Brother from spying on you entirely even so, no matter what you do. Today everything is being monitored, everything, there's no real escape.

I feel that this is a pretty weak excuse. We have figured out in this thread that there is a difference between distros in terms of morale. This difference is also of a matter of principle. Fighting the current system involves not only education about computer science, internet and law-breaking of NSA etc., but also disesteeming services, people, companies, software etc. that do not care about your rights (especially privacy).

That there is no ultimate escape does not mean you just give up. There are two things that still work: a) encryption and b) making monitoring of metadata harder.

Users have a lot of passive power, but most do not see it.

samrocketman Oct 23, 2013

@hasufell +1 arguments. I spent the past half hour reading this thread in detail and I agree with the points you've made. Here's what I glean.

  • There's a significant difference between binary + source package distros vs source based distros in terms of truly being open source. It has definitely given me a different perspective on what I view as "open source" vs true freedom in software. Though I'd beg to differ on the technical feasibility of verifying binary packages. One could compile and use a checksum of the compiled binary vs what was provided. Of course one would need to obtain compile options used so this might not be as easy without disclosure of the build process from developers (I don't see why not).
  • Users definitely have control over what technologies they use (for instance I use openfire with family for all IM communication and it is encrypted). I have installed my certificate authority on all of their devices and sign my own certificates using that authority so the family has truly private communication from a trusted source. This goes for other services I provide them as well.
  • Just because they can do it doesn't mean they should do it. It's an ethical and moral issue. Those toting the Ubuntu chant don't seem to realize that.

While I understand the convenience vs Freedom issue I really wish Freedom was more convenient. It has vastly improved in recent years and will only get better. Education is the most difficult hurdle.

@felipeautran while I didn't agree with your arguments I truly enjoyed the Richard Stallman video.

Non-Disclaimer: I'm an Ubuntu user (Kubuntu technically).
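
The rebuild-and-compare check described in the first bullet above, as an added example that is not part of the original comment. It goes one step further than a single checksum: the "packages" are constructed gzip'd tar archives standing in for real binary packages, the file names and timestamps are hypothetical, and differing build timestamps stand in for the undisclosed build inputs the comment mentions.

```python
import gzip
import hashlib
import io
import tarfile


def build_package(files, build_time):
    """Constructed stand-in for a binary package: a gzip'd tar of `files`.

    `build_time` models build metadata that differs between two otherwise
    identical builds (assumption for this example).
    """
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        for name in sorted(files):
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            info.mtime = build_time  # recorded in every tar header
            tar.addfile(info, io.BytesIO(files[name]))
    # The gzip header carries its own timestamp as well.
    return gzip.compress(raw.getvalue(), mtime=build_time)


def package_digest(pkg):
    """Checksum of the package exactly as distributed."""
    return hashlib.sha256(pkg).hexdigest()


def content_manifest(pkg):
    """Map each file path to (mode, sha256 of contents), ignoring timestamps."""
    manifest = {}
    with tarfile.open(fileobj=io.BytesIO(pkg), mode="r:gz") as tar:
        for member in tar:
            if member.isfile():
                data = tar.extractfile(member).read()
                manifest[member.name] = (member.mode,
                                         hashlib.sha256(data).hexdigest())
    return manifest


def compare(distributed, rebuilt):
    """Compare a distributed package against a local rebuild."""
    a, b = content_manifest(distributed), content_manifest(rebuilt)
    return {
        "identical_package": package_digest(distributed) == package_digest(rebuilt),
        "only_in_distributed": sorted(a.keys() - b.keys()),
        "only_in_rebuilt": sorted(b.keys() - a.keys()),
        "content_differs": sorted(n for n in a.keys() & b.keys() if a[n] != b[n]),
    }


# Constructed sample data (not taken from any real package).
FILES = {
    "usr/bin/tool": b"\x7fELF...compiled from the published source...",
    "usr/share/doc/tool/copyright": b"License: GPL-3+\n",
}
DISTRIBUTED = build_package(FILES, build_time=1382500000)
REBUILT = build_package(FILES, build_time=1382586400)  # same source, next day

# A distributed package whose contents do not match the source build.
TAMPERED = build_package(
    {**FILES,
     "usr/bin/tool": b"\x7fELF...compiled from something else...",
     "usr/lib/tool/extra.so": b"\x7fELF...not in the source package..."},
    build_time=1382500000,
)

if __name__ == "__main__":
    for label, pkg in (("honest", DISTRIBUTED), ("tampered", TAMPERED)):
        print(label, compare(pkg, REBUILT))
```

The honest rebuild fails the whole-package checksum only because of build metadata, while the per-file manifest matches; the mismatching package is reported file by file. A whole-package match is only achievable when the distributor discloses and pins every build input.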

saltysub Oct 26, 2013

Agreed. For any user, avoid Ubuntu where possible. Where not possible, continue to evaluate other options. As for prism-break.org, indeed, agreed, Ubuntu should not be there. Doesn't mean all of us need to wipe Ubuntu from existence tomorrow, but everything starts with awareness.

Wipeout2097 Oct 31, 2013

Even this project is infested by Ubuntu fanboys. Unbelievable!

If you want Ubuntu to be approved, lobby and work for its de-crapification and then come back.

ghost Oct 31, 2013

Thing is, everything that gets more and more attention from the public will eventually become a commercial product with interest from the government and whoever will not want to co-operate will be shut down by force.

amarildojr Oct 31, 2013

"Thing is, everything that gets more and more attention from the public will eventually become a commercial product with interest from the government and whoever will not want to co-operate will be shut down by force.

Period."

Oh, so Linux hasn't been big yet, huh? (irony)

Nonsense. The same applies to people who say that Linux has fewer viruses because it's less adopted on the desktop market.

ghost Oct 31, 2013

Ubuntu always aimed to be commercial, everyone saw it coming, so of course there is more interest from 3rd parties, more marketing, more companies/investors/government interest, less privacy and I could go on.

What happened to Ubuntu can easily happen to any linux distro out there over time, just face it. I'm just wondering how many distros will end up on this list.

amarildojr Oct 31, 2013

No. You clearly don't realize that 'big' means 'not only in desktops'. If 'big' is your concern (or you just mean it in the desktop market) then I'm afraid you either don't know anything about Linux or are just pure ignorant.
Or, just stop using the web. Or just live in the woods.

mxgms Nov 1, 2013

The solution is:

sudo apt-get remove unity-lens-shopping

enough.

amarildojr Nov 1, 2013

I'd do more of a:

sudo apt-get remove --purge ubuntu from your computer

Heheheh =p

saizai Nov 5, 2013

FWIW: I suggest distinguishing between server and desktop OS.

Do you propose that ubuntu should be blacklisted as insecure for server usage?

mxgms Nov 6, 2013

No. I think that ubuntu is absolutely safe if well configured.

Sent from iPhone

On 05/11/2013, at 20:23, Sai notifications@github.com wrote:

> FWIW: I suggest distinguishing between server and desktop OS.
>
> Do you propose that ubuntu should be blacklisted as insecure for server usage?

YtvwlD Mar 16, 2014

So, I've spent some time reading this thread. ( @hasufell )

(quotes aren't literal)

  • People can't know if the binary package matches the compiled form of the source package or if anything has been added.

    I agree to that.
    But this seems to fit to every distribution. Maintainers are able to manipulate packages. The only thing that might help is trust.
    And manipulation of packages breaks this trust.
    Which leads to...

  • If the trust is broken, don't use this distribution and do not recommend it to anybody.

    Right!
    But this kind of trust isn't broken. (Well, I don't know if it isn't. But I think that a possibly happened break of this trust hasn't been made public.)
    Up until now I haven't heard any news about package manipulation in Ubuntu.

  • Ubuntu ships with a "spyware".

    Well, it ships with a possibility to search on Amazon. This could be useful for the users and earn Canonical money. In theory.
    I think that it would be better to ask the users to enable this upon installation (or even do an opt-in). Yes.
    But it is no spyware.
    It is transparent and open-source. (The same goes for Ubuntu One.) The software that is installed on your computer is open-source. The service isn't. (Same as desura.)

So, it is a new service. And it may (possibly) harm your privacy. But it is easy to disable.
And while it might break your trust into some decisions of Mark Shuttleworth (Mir, anyone?), it clearly isn't a manipulation of packages. (This would indeed break any remaining trust.)

And thanks for reading this (surely too long) comment.

Non-Disclaimer (like @sag47): I use Lubuntu, Ubuntu with Razor-Qt and Ubuntu (Amazon lens enabled ;-) but without using the dash; as of 13.10 Ubuntu doesn't find the things I'm searching for anymore).

ghost Mar 16, 2014

https://www.gnu.org/philosophy/ubuntu-spyware.html

@Elchi People can make an open source malware that destroys power grids; that does not not make it malware. What Ubuntu implemented is spyware, and RMS explains why:

> When the user searches her own local files for a string using the Ubuntu desktop, Ubuntu sends that string to one of Canonical's servers. (Canonical is the company that develops Ubuntu.)
>
> This is just like the first surveillance practice I learned about in Windows. My late friend Fravia told me that when he searched for a string in the files of his Windows system, it sent a packet to some server, which was detected by his firewall. Given that first example I paid attention and learned about the propensity of “reputable” proprietary software to be malware. Perhaps it is no coincidence that Ubuntu sends the same information.
>
> Ubuntu uses the information about searches to show the user ads to buy various things from Amazon. Amazon commits many wrongs (see http://stallman.org/amazon.html); by promoting Amazon, Canonical contributes to them. However, the ads are not the core of the problem. The main issue is the spying. Canonical says it does not tell Amazon who searched for what. However, it is just as bad for Canonical to collect your personal information as it would have been for Amazon to collect it.

And:

> Ubuntu allows users to switch the surveillance off. Clearly Canonical thinks that many Ubuntu users will leave this setting in the default state (on). And many may do so, because it doesn't occur to them to try to do anything about it. Thus, the existence of that switch does not make the surveillance feature ok.
>
> Even if it were disabled by default, the feature would still be dangerous: “opt in, once and for all” for a risky practice, where the risk varies depending on details, invites carelessness. To protect users' privacy, systems should make prudence easy: when a local search program has a network search feature, it should be up to the user to choose network search explicitly each time. This is easy: all it takes is to have separate buttons for network searches and local searches, as earlier versions of Ubuntu did. A network search feature should also inform the user clearly and concretely about who will get what personal information of hers, if and when she uses the feature.
>
> If a sufficient part of our community's opinion leaders view this issue in personal terms only, if they switch the surveillance off for themselves and continue to promote Ubuntu, Canonical might get away with it. That would be a great loss to the free software community.

Now, okay, so Ubuntu was not made to be a privacy-centric distro, right? Not even a security or free software distro. Just a general purpose distro for home users. So yes while Ubuntu has spyware by default, and yes we should shun Ubuntu and Canonical, I agree with the thread title that Ubuntu derives might be okay, because why not create a fork of Ubuntu that is more privacy centric and actually respects your freedom?

> Free software gives users a chance to protect themselves from malicious software behaviors. Even better, usually the community protects everyone, and most users don't have to move a muscle. Here's how.
>
> Once in a while, users who know programming find that a free program has malicious code. Generally the next thing they do is release a corrected version of the program; with the four freedoms that define free software (see http://www.gnu.org/philosophy/free-sw.html), they are free to do this. This is called a “fork” of the program. Soon the community switches to the corrected fork, and the malicious version is rejected. The prospect of ignominious rejection is not very tempting; thus, most of the time, even those who are not stopped by their consciences and social pressure refrain from putting malfeatures in free software.

Sorry for regurgitating the article ad verbatim, but I share that opinion and I think it is too extreme to throw out all Ubuntu derivatives by default (maybe just take them with a grain of salt), especially since Trisquel looks like a promising project. I'm burning a copy of that as I write this, so there.

You see, the option of a fully free operating system (provided it works with my hardware) trumps that of any OS even partially containing/tolerating obscuritan proprietary stuff, because with fully free and open source stuff, you at least have the comfort of 100% transparency!!! Translation: Trisquel might be Ubuntu-based, but it is still good because it is fully free and open. Not only that, but it is supported by the non-profit FSF instead of the for-profit company Canonical. The community might build off of Ubuntu's work and notoriety, but who's to say they have the same doomed future as Ubuntu? Besides, Ubuntu had nonfree programs by default. I think it's a difference of who is in charge of the project, who contributes to it.

ghost commented Mar 16, 2014

https://www.gnu.org/philosophy/ubuntu-spyware.html

@Elchi People can make an open source malware that destroys power grids; that does not not make it malware. What Ubuntu implemented is spyware, and RMS explains why:

When the user searches her own local files for a string using the Ubuntu desktop, Ubuntu sends that string to one of Canonical's servers. (Canonical is the company that develops Ubuntu.)

This is just like the first surveillance practice I learned about in Windows. My late friend Fravia told me that when he searched for a string in the files of his Windows system, it sent a packet to some server, which was detected by his firewall. Given that first example I paid attention and learned about the propensity of “reputable” proprietary software to be malware. Perhaps it is no coincidence that Ubuntu sends the same information.

Ubuntu uses the information about searches to show the user ads to buy various things from Amazon. Amazon commits many wrongs (see http://stallman.org/amazon.html); by promoting Amazon, Canonical contributes to them. However, the ads are not the core of the problem. The main issue is the spying. Canonical says it does not tell Amazon who searched for what. However, it is just as bad for Canonical to collect your personal information as it would have been for Amazon to collect it.

And:

Ubuntu allows users to switch the surveillance off. Clearly Canonical thinks that many Ubuntu users will leave this setting in the default state (on). And many may do so, because it doesn't occur to them to try to do anything about it. Thus, the existence of that switch does not make the surveillance feature ok.

Even if it were disabled by default, the feature would still be dangerous: “opt in, once and for all” for a risky practice, where the risk varies depending on details, invites carelessness. To protect users' privacy, systems should make prudence easy: when a local search program has a network search feature, it should be up to the user to choose network search explicitly each time. This is easy: all it takes is to have separate buttons for network searches and local searches, as earlier versions of Ubuntu did. A network search feature should also inform the user clearly and concretely about who will get what personal information of hers, if and when she uses the feature.

If a sufficient part of our community's opinion leaders view this issue in personal terms only, if they switch the surveillance off for themselves and continue to promote Ubuntu, Canonical might get away with it. That would be a great loss to the free software community.

Now, okay, so Ubuntu was not made to be a privacy-centric distro, right? Not even a security or free software distro. Just a general purpose distro for home users. So yes while Ubuntu has spyware by default, and yes we should shun Ubuntu and Canonical, I agree with the thread title that Ubuntu derives might be okay, because why not create a fork of Ubuntu that is more privacy centric and actually respects your freedom?

Free software gives users a chance to protect themselves from malicious software behaviors. Even better, usually the community protects everyone, and most users don't have to move a muscle. Here's how.

Once in a while, users who know programming find that a free program has malicious code. Generally the next thing they do is release a corrected version of the program; with the four freedoms that define free software (see http://www.gnu.org/philosophy/free-sw.html), they are free to do this. This is called a “fork” of the program. Soon the community switches to the corrected fork, and the malicious version is rejected. The prospect of ignominious rejection is not very tempting; thus, most of the time, even those who are not stopped by their consciences and social pressure refrain from putting malfeatures in free software.

Sorry for regurgitating the article ad verbatim, but I share that opinion and I think it is too extreme to throw out all Ubuntu derivatives by default (maybe just take them with a grain of salt), especially since Trisquel looks like a promising project. I'm burning a copy of that as I write this, so there.

You see, the option of a fully free operating system (provided it works with my hardware) trumps that of any OS even partially containing/tolerating obscuritan proprietary stuff, because with fully free and open source stuff, you at least have the comfort of 100% transparency!!! Translation: Trisquel might be Ubuntu-based, but it is still good because it is fully free and open. Not only that, but it is supported by the non-profit FSF instead of the for-profit company Canonical. The community might build off of Ubuntu's work and notoriety, but who's to say they have the same doomed future as Ubuntu? Besides, Ubuntu had nonfree programs by default. I think it's a difference of who is in charge of the project, who contributes to it.

@hasufell

hasufell Mar 16, 2014

Contributor

How can you call it a fork if ~95% of a derivate just mirrors the packaged binaries from the ubuntu servers directly? They don't rebuild the whole stuff. That needs a lot of infrastructure and contributors.

@ghost

ghost Mar 16, 2014

@hasufell It seems completely polarizing to dump Trisquel based on one malfeature that Ubuntu had which is not even present in Trisquel. Trisquel does not even have the annoying Unity desktop!

Most people will probably be fine. If Trisquel has any problems at all, I trust the community (especially as it receives more support) will iron them out; if it proves itself untrustworthy, the FSF withdraw its support and endorsement. Non-tech-savvy users should use Trisquel, if their hardware can support it, because it is easy to use and, relatively speaking, is better than whatever OS they have currently. Ideally, this means that if they bought a computer already running Trisquel, then they would be totally set, everything would just work, and they would have relative peace of mind knowing that they have a fully free platform.

Yes maybe packages should be distributed differently, but I don't think the average user knows how to run Gentoo. Maybe these criticisms should be brought to Trisquel so they can deal with it.

P.S:

That needs a lot of infrastructure and contributors.

And this is why everyone should give a rare distro like Trisquel (fully free and easy to use for end users) their support. With more support, they can do things like that, and it will get better.

@YtvwlD

YtvwlD Mar 16, 2014

@escribelibre This "feature" should - at least - ask before it is used. I agree on this.

But how do you ( @hasufell ) get to the point that you aren't able to trust the Ubuntu binary packages? Implementing an open source client for a proprietary platform isn't package manipulation, is it?

@ghost

ghost Mar 16, 2014

Furthermore, from a usability standpoint, adding gnewsense but not Trisquel kinda sucks; at least Trisquel works out of the box a lot more readily than gnewsense, making it easier to adopt.

@hasufell

hasufell Mar 16, 2014

Contributor

It seems completely polarizing to dump Trisquel based on one malfeature that Ubuntu had which is not even present in Trisquel. Trisquel does not even have the annoying Unity desktop!

Nope, the argument was that Trisquel is a derivate and uses more than 90% of their packages directly from Ubuntu afair. All they do is "hack" on some packages and remove others due to license filtering. That's all. You still got all the ubuntu binaries, packaged by Canonical employees.

But I don't see why I have to reiterate all those arguments. It kind of makes me feel like a parrot.

And this is why everyone should give a rare distro like Trisquel (fully free and easy to use for end users) their support. With more support, they can do things like that, and it will get better.

I don't see why I should if they are unwilling to switch to debian repositories.

@YtvwlD

YtvwlD Mar 17, 2014

@hasufell I understood that you don't trust the Ubuntu package maintainers.

I wonder why. Do you think that this (certainly wrong) decision broke your trust?
Did it even exist before that?

Is this Ubuntu specific or do you have no trust regarding any binary packages?

If you use distributions with central package repositories you have to trust the maintainers - that's the whole point of package repositories.

You are free to compile everything on your own, but this is the same as, for example, OpenSuSE.

@vyp

vyp Mar 18, 2014

Collaborator

But who's to say they have the same doomed future as Ubuntu?

Well I wouldn't call derivatives forks, they are still affected by upstream changes. Just like how Mark conceded to use systemd due to Debian's decision.

@samrocketman

samrocketman Mar 18, 2014

@jumpwah Ubuntu uses upstart not systemd.

@vyp

vyp Mar 18, 2014

Collaborator

@sag47 I meant the decision to switch.

@alexander-b

alexander-b Mar 18, 2014

Contributor

On 17/03/14 21:16, elchi wrote:

If you use distributions with central package repositories you have to trust the maintainers - that's the whole point of package repositories.

This is not true for source-based package managers and repositories.


Alexander
alexander@plaimi.net
https://secure.plaimi.net/~alexander

@hasufell

hasufell Mar 18, 2014

Contributor

Is this Ubuntu specific or do you have no trust regarding any binary packages?

Let's say "a lot less" instead of "no".

I know a lot of distro developers and some even personally. Over the years you get an idea about the different communities, their philosophy, their policies, their openness of decisions, general collaboration in the linux community etc. and about their history.
Ubuntu ranks badly in all of those points. It's mainly corporate-driven without open decision making, no honest philosophy about how to treat their users, almost no collaboration to the kernel and their policies seem to be profit-oriented only. That is MY opinion.

If you want to do the real thing... use a source distro.
But I would not claim that e.g. debian is untrustworthy, although I find a lot of their policies terrible from a QA pov. There are very few exceptions, like the debian openssl mess many years ago, but I doubt any of that was intentional... it was just idiots doing stuff without peer review (which is a sign of not-so-good policies/workflow).

But I am reiterating stuff again which I have already explained here in more detail. I'd be interested in counter-arguments, but have not found many interesting ones.

@MrTrebleClef

MrTrebleClef Jul 6, 2014

Hi Prism-Break, I have one question. Why did you remove the Linux Mint Debian Edition from the list of operating systems?

@vyp

vyp Jul 7, 2014

Collaborator

@MrTrebleClef, search? #805

@MrTrebleClef

MrTrebleClef Jul 8, 2014

Thank you jumpwah, good info!

@mxdpeep

mxdpeep Oct 17, 2014

anyway - nobody forces any user to use Ubuntu Dash - it is default, but you can use Ubuntu without a single run of the Dash

@alerque

alerque Oct 17, 2014

Contributor

This is a closed issue, and further comments are just flogging a dead horse.

If you have something to present that you think will change the course of this matter, please open a new issue for discussion. Present your case and explain what you think should happen to PRISM-Break as a result of whatever data and arguments you have presented. Noting what circumstances have changed since this issue was closed would be a helpful addition. At that point a discussion can happen and a resolution can be reached. In the meantime there is nothing to be gained by further banter in this thread. No matter how salient a point you may have to make stemming from the above discussion, nothing will be accomplished by making it except annoying more people who track this project.

Thanks for understanding.

@ghost ghost referenced this issue Mar 20, 2015

Closed

[Mail Servers] Mail-in-a-Box #1249

@skrzyp skrzyp referenced this issue in Tracerneo/marzeniehakera Dec 5, 2015

Merged

Replace ubuntu with xubuntu #7

@dolohow

dolohow Apr 23, 2016

Now Ubuntu 16.04 ships with Amazon spyware turned off by default.

@alerque

alerque Apr 25, 2016

Contributor

Please consider locking this issue for the reasons I cited above. It was closed three years ago, almost everything has been repeated several times, and if anything productive or actionable comes up on the topic that's actually new it needs to be dealt with in an issue specific to whatever is being brought up. Meanwhile people can't seem to let this thread alone.

@Zegnat Zegnat locked and limited conversation to collaborators Apr 25, 2016

@Zegnat

Zegnat Apr 25, 2016

Collaborator

This issue is now locked. Please open separate issues for separate operating systems. Do note that we will probably stay sceptical about Canonical's Ubuntu for a while longer.
