Ubuntu derivatives ({L,X,K}ubuntu) are OK, while Ubuntu itself is not #334

Closed
sgtpep opened this Issue · 95 comments
@sgtpep

I suggest adding them to the list. They are pretty vanilla LXDE, Xfce and KDE based distros. They don't have the Unity Dash and don't send any data to Canonical or third parties (except for the submission of crash reports, which is optional).

@hasufell

Any such derivative is downstream of Ubuntu and because of that potentially unsafe, even Mint (although they seem to repackage some things; also mind "LMDE").

@Danfun64

Trisquel is also an Ubuntu derivative. Under that logic (if I understand it correctly), shouldn't Linux Mint be replaced with LMDE and Trisquel with gNewSense?

@hasufell

In my opinion probably yes, but that's just me. I wouldn't trust anything that comes from Ubuntu or uses anything from Ubuntu (and that's what derivatives do).
Derivatives usually don't have the resources to run their own repository of 30k+ packages, so they always end up using stuff from the original distro, although they might modify some things heavily.

@Danfun64

So...what should be done about ubuntu derivatives?

@hasufell

IMO all Ubuntu derivatives should be removed as well, because they can potentially also include spyware of the original distro without even knowing.
Since original Ubuntu is already distrusted on this site, the logical conclusion is to distrust downstreams of Ubuntu as well.
Mint might be an exception and needs further investigation, but AFAIK it does not have an independent repository. (Of course LMDE is fine, because it uses the Debian testing repository and Debian is not known to do weird things and has a strong ethical commitment... so maybe change Linux Mint to "Linux Mint Debian Edition".)

@alexander-b

I agree with hasufell.

@Danfun64

And what of Trisquel? I think it uses its own repositories. Since it's Ubuntu-based, should it be removed as well?

@hasufell

from #trisquel on freenode:
<hasufell> Does trisquel mirror packages from ubuntu or package everything on it's own?
<hasufell> or a mix? and if so, what kind of mix
<c107> hasufell: mi
<hasufell> c107: mi?
<c107> hasufell: It's a mixture. It uses what it can from Ubuntu and repackages what isn't free.
<hasufell> ah
<hasufell> does it use debian packages as well?
<c107> hasufell: I haven't seen Debian hostnames, but I don't see why not.
<mtjm> there are packages from Debian
<mtjm> see the toutatis branch of http://devel.trisquel.info/gitweb/?p=package-helpers.git;a=summary

@nylira
Owner

Ubuntu's spyware is currently contained in the Unity desktop environment. Ubuntu derivatives using alternative desktop environments ({L,X,K}ubuntu) should be theoretically safe, although they may still contain non-free software.

However, for the casual visitor to PRISM Break, it's difficult to promote {L,X,K}ubuntu without seeming to promote Ubuntu itself. It's just one letter off, and searching for a flavor of Ubuntu will invariably lead you to the Ubuntu homepage due to fuzzy search logic and page rankings.

I think we should keep the OS list at status quo. Linux Mint and Trisquel should be retained as they're sufficiently distinguished from Canonical Ubuntu. Mint -- while not entirely free -- will be a good experience for first time Linux users, and Trisquel is the most usable completely free OS. {L,X,K}ubuntu will not be officially recommended because their names may unintentionally mislead users to Canonical's version of Ubuntu.

@hasufell

That's a logical flaw in the chain of trust. If you do not trust ubuntu (for whatever reason), you cannot trust distros that make use of ubuntu packages directly.

@nylira
Owner

Ubuntu Unity search and the proprietary Ubuntu One cloud service are problematic for user privacy and freedom. Neither of them is present in Mint or Trisquel.

As far as trust goes, Ubuntu packages are open source and freely available to be audited. If spyware is found in any other Ubuntu package, feel free to make an issue for it, and I can take down the affected distributions until they fix the problem.

@hasufell

While I understand your point of view, let me be a bit more verbose about mine.

Ubuntu is a corporation-driven distribution and does not care about the free software or open source community (Greg K-H: "Ubuntu does not give back to the community" in a kernel talk at Google). While that alone is not a bad thing, it completes the picture of Ubuntu's goals (see bug #1 on Ubuntu Launchpad).

IMO, over the last few years Canonical has followed the exact same strategy as Microsoft: EEE (Embrace, Extend, Extinguish). That has shown in various ways where Ubuntu has pushed technologies or created extensions (such as Unity). The next step will be things like an API war and might already start with the deal they have made with Valve.
Well, of course that is only guessing and I might be completely wrong.

But what is a fact is this: Ubuntu has already betrayed its users through their spying features and is clearly not aiming at full transparency and freedom as in free.
Because of this fact people should really think about whether this will remain the only occurrence of nastiness. History has taught us and is telling us again right now that companies with that power and attitude will not stop at such a point, but just become more subtle. Free software for them is merely a utility to build up to their own goals.

How can you trust someone who has already lied to you? What happened in Ubuntu is a very good reason to never trust them again as a whole, not just to disregard a few features they provide. That would be inconsistent for people who appreciate free software and want control over what's happening on their computer.

Further: Ubuntu packages are technically not open source. They are just binary packages, so they cannot be (open) source at the same time. That is a small but important difference. What they do is provide a source tarball along with their binary tarball. Who can tell me now if the source from tarball A matches the compiled binary of tarball B? You would have to decompile and analyze the whole code against the other... and that will be pretty difficult. So why should I install binary packages at all? Well, maybe because I trust the distributor. But we already realized that you cannot trust Ubuntu's distributors.

Now when we are talking about derivatives we are technically talking about Ubuntu as well. You cannot distinguish cleanly between them, because they always mirror packages directly from Ubuntu. As an example, for Trisquel:
„Trisquel modifies/adds 156 source packages, 2 are imported from Debian, 4 from other repos“
see http://devel.trisquel.info/gitweb/?p=ubuntu-purge.git;a=blob;f=purge-precise;h=933576f24ae7e05292699aead015d3e88906ffe7;hb=HEAD for a list

That in fact means that over 99% of Trisquel is practically Ubuntu. How can I recommend Trisquel now when I already distrust Ubuntu? You say the malicious features have been removed? Well, does Trisquel or you know of all malicious features of ubuntu? No. Well, we could claim that for any distro no? Yes, but they have not betrayed their users yet, so there is still a small reason for trust.

That said... it is simply illogical to trust derivatives who just import the majority of packages from Ubuntu. While we cannot say "Ubuntu distributes malware all over its repository", we can't really say the opposite either, because it already happened once.

If you recommend LMDE (which is purely based on debian) I would really have no objection, so please don‘t think I‘m one of the guys who start distro wars. I am concerned about security and users. There are other distros on your list that I do not like, but I would never claim that archlinux is not trustworthy.

@alexander-b

In addition to Julian's points, I would like to add that these Ubuntu-derived distributions simply do not have the manpower to possibly audit all the packages they inherit (or sometimes even directly mirror) from Ubuntu. This means that their users are effectively at Ubuntu's mercy, and we cannot trust Ubuntu as they have proven to have unethical, anti-social interests.

@nylira
Owner

Thanks for your arguments @hasufell @alexander-b . While I've heard of most of these points already, some of them are new to me, and they've worked to convince me of your point of view.

„Trisquel modifies/adds 156 source packages, 2 are imported from Debian, 4 from other repos“
see http://devel.trisquel.info/gitweb/?p=ubuntu-purge.git;a=blob;f=purge-precise;h=933576f24ae7e05292699aead015d3e88906ffe7;hb=HEAD for a list

these Ubuntu-derived distributions simply do not have the manpower to possibly audit all the packages they inherit (or sometimes even directly mirror) from Ubuntu

More dialogue here: https://trisquel.info/en/forum/fear-and-uncertainty-trisquel-70

So here's what's going to happen.

  • The Linux Mint recommendation will be updated to point at the LMDE distribution.
  • Trisquel will be replaced by gNewSense due to Canonical's philosophy and uncertain freedom with future versions of Ubuntu.
@nylira nylira referenced this issue from a commit
@nylira linux mint -> lmde #334 0994e9d
@nylira nylira referenced this issue from a commit
@nylira trisquel -> gnewsense #334 9ccc117
@nylira nylira referenced this issue from a commit
@nylira update os note #334 5d249d9
@nylira nylira closed this
@nylira nylira referenced this issue
Closed

Kubuntu #194

@melvincarvalho

How ironic that Ubuntu is scratched from the list for ads in the Dash, which you can turn off, yet this site promotes pages which link to Google tracking, which you can't turn off.

@hasufell

You do know that GitHub has scripts and cross-site references for Google Analytics as well, don't you? Weird enough, but I can turn those off.

@Ashrael

Canonical is doing the Microsoft thing indeed! Right now I am still on Ubuntu, but I did tear out everything that looks like it's breaking my own privacy rules. I took out most of Unity (replaced it with classicmenu-indicator), all of UbuntuOne, apport, zeitgeist and a few other packages I can't remember right now. And I use a lot of add-ons in Firefox to protect my privacy... I do my best... But I can never be sure that there isn't some malicious piece of code somewhere, unless I check it all myself... Fat chance that's going to happen. Don't have the time or knowledge, and I guess no one has anymore.

The best shot we all are going to have at a safe O.S. and privacy is to pool our knowledge and mental resources and create one ourselves. Also we have to redefine the standard on the internet from unencrypted to encrypted connections. Do you think Captain Kirk sends unencrypted messages? :) Or any sane person in the future? I think encryption should be standard in all electronic communications.

We need to start by identifying the suspect and privacy-breaking packages, and make a list of them. A few have already been named, but I am quite sure there's more. This at least gives users the chance to get rid of them on their current distro if they wish. Scripts could be made etc.

@hasufell

Yeah, but it is safer and more consistent to just completely distrust Ubuntu.

Debian is really not that much different in terms of maintenance, package manager, etc.

The best shot we all are going to have at a safe O.S. and privacy is to pool our knowledge and mental resources and create one ourselves.

People have already done that and it's better to join those efforts instead of just creating a new one. In the end... security in terms of virtual life, communication etc. never works without trust. But you should be radical on any disappointment you experience.

@melvincarvalho

This is such a double standard. If you are going to exclude ubuntu (which seems a massive over reaction) ... you should exclude sites that contain google spy ware. This whole exercise seems like a marketing campaign.

@hasufell

which seems a massive over reaction

I don't think so. Feel free to reply to my arguments at #334 (comment) and point out where I am wrong.

you should exclude sites that contain google spy ware

Can you be more specific?

@melvincarvalho

Go through the list and look for sites which track you using Google Analytics or pixel bugs or some other link to Google, Facebook etc. Just looking at the social section, the first two I checked were pump.io and joindiaspora; both contain spyware, and I'm sure there are many more.

@hasufell

im sure there are many more

Yes, github. Log out now. ;)

@melvincarvalho

@hasufell you prove my point ... actually many FLOSS projects use gitlab or gitorious, spyware is tolerable when it suits you personally but not when you want to attack something like ubuntu ... it's a double standard

@hasufell

I think that is overreacting. You can block those scripts and cross-site references with the browser add-ons mentioned on the main page.
Not everyone actually shares the FUD about Google, so a lot of websites (even privacy oriented ones) do allow google-api or some such in one way or another.
If you don't want to visit any website that has any kind of reference to Google... then the only thing you can do is to wget websites and browse them offline. Good luck.

Google might see you anyway, even if you do not use their services directly and block their scripts and cross-site references. That is beyond your control. However, I believe there is still gain by not using their services.

Also... for Ubuntu... there are A LOT of serious alternatives. So your argument is flawed twice, since you can a) choose an alternative distro and b) block google scripts and cross-site references from within your browser.

@ghost

I'm going to post this here because my other post was already closed.... :/

So, Ubuntu has a lot of serious alternatives. That's why you promote these alternatives.

iOS does not have a lot of serious alternatives. You could JB and block using a firewall to prevent some tracking and remove untrusted features. But that's about it.

Android does not have a lot of serious alternatives either and Cyanogenmod certainly isn't one. It's just open source - that's about it. It's ridiculous that you guys recommend it here!

Google is way more privacy invasive than Amazon because they have finally decided to merge their services from different platforms, ask for phone numbers repetitively and your real user name. It's hard to avoid their default enabled settings even in Chromium and Cyanogenmod.

I'd rather have an Amazon lens in Ubuntu enabled per default than tracking technologies in Cyanogenmod. The tracking here is worse because it's not like: "If I search in this box, I am tracked. So, I'll just avoid it." Or disable it entirely. Mobile phones have more features because they are multi purpose devices and more data is collected per default by Google to "improve" these services.

As of now, you should not recommend either iOS or Cyanogenmod - it gives a false sense of prism "break". Or if you recommend Cyanogenmod - you have even better reasons to support Ubuntu as an easy to use distro for beginners. Linux Mint brings a lot of junk with it.

@towolf

WTF, someone here put forward a lot of bullshit logic.

Let me play

It can be seen that many Ubuntu developers are at the same time Debian developers. Since Ubuntu is tainted by breach of trust and betrayal of its users it must be assumed that Debian is tainted by extension by retrograde upstream breach of trust and cross-pollination of betrayal through card-carrying, revolving door Ubuntu+Debian developers.

Please remove Debian ASAP.

@hasufell

It can be seen that many Ubuntu developers are at the same time Debian developers.

That time is long gone. Most debian devs abandoned ubuntu.

Since Ubuntu is tainted by breach of trust and betrayal of its users it must be assumed that Debian is tainted by extension by retrograde upstream breach of trust and cross-pollination of betrayal through card-carrying, revolving door Ubuntu+Debian developers.

That does not make sense to me. Debian has a very observant and strict community. If any developer would ever attempt to push in a package with fishy extensions and get caught (and he will), then he'll be banned forever.

The Ubuntu community doesn't even care. They just accept things that come.

On top of that you missed the main point: community vs corporate driven. Distributors in ubuntu might not even know what they are packaging, since you are not really required to read the source code of the package you are packaging. In that sense you cannot trust the distributor in his role as a distributor, because he is just doing his job.

@towolf
@hasufell

Do you really want to me make a list?

go on

I can just as well imply that Debian is untrustworthy by similarly far-fetched arguments

there are no such similar cases in debian

If you think DDs scrutinize source code in every release you are deluded. There is no such thing. The Debian archive is vast.

I did not claim that. Read more carefully.

@towolf
@melvincarvalho

@towolf +1

This whole site is contradiction. View the source and you'll find a piece of code that says:

enableLinkTracking

It's all about promotion

@hasufell

I am not the maintainer of this site. I just posted my opinion here. You are free to disagree or even fork the website. It's open source. It takes one click, dude.

@hasufell

@melvincarvalho read the privacy policy, there is also a checkbox https://prism-break.org/privacy/

@sarciszewski

Linux Mint Debian Edition's installer does not make it easy for users to set up Full Disk Encryption. While it may be better than Ubuntu's Amazon spyware, not being able to encrypt your hard drive means a lack of security-in-depth: should Tor and your other privacy measures fail you, you're caught with your pants down and your computer unencrypted.

@fitojb

Wow, this site contradicts itself badly, and it’s being grossly and dangerously vague on its rationales to ban Ubuntu derivatives.

@jefelex

What about older UBU distros? I won't upgrade the Ubu I am using due to the Amazon issue already raised. I also never trusted the Unity interface and don't use it with 11.04. I trust that; I'm not throwing away my years of experience with Ubuntu because of an issue with a newer release. I trusted the old UBU and still do. I do not trust the newest editions because of the Unity issue, but in 2011 Ubu was good and I don't think I'll throw it away now.

@hasufell

What about older UBU distros?

might have lots of unfixed security bugs

@jefelex

It may, but they spent 2 years actively searching for and ironing out those bugs, so I figure it's pretty safe for me to use. If you want to be 100 percent safe, there is always unplugging your internet. I use all the security things in Firefox for tracking and all that. One way or another, if they want to find out who you are, they'll make a quick call to your ISP, or your neighbour if you are hacking their wireless. If you act enough to be on their radar, they know who you are anyway. That's what's good about face-to-face meetings: much more difficult to listen in!

@towolf
@hasufell

it may, but they spent 2 years actively searching for and ironing out those bugs

That is not correct for 11.04, because it is not an LTS release and is already not supported anymore.
10.04 is LTS and only the server edition is still supported. Also note that it runs kernel 2.6.32, which is ancient.

Dude, you are a Gentoo maintainer. It leaves a pretty bad taste that you are trying to exclude a "competitor" from the action with constructed-sounding justifications.

I am only providing my opinion here and haven't found any reason in this thread to trust Canonical. Claiming that I do this for competitive reasons is funny, because I a) don't get any money for commenting here, nor for working on FOSS projects, and b) recommend Debian and other free distros at the same time. How does that compute?

@jefelex

That is what I like about 11.04: it is not supported anymore. They spent at least 6 months ironing out bugs before it was released and at least 12 months ironing out more bugs until 12.04 was released, okay, not quite 2 years. I don't even trust Canonical now, but I'm still using this product. 2.6.32 is ancient, but on my laptop everything works; everything works on every other computer I own, and I don't have any problem with it. Works for me. I will never use any Ubu product after 11.04 because of the forced move from GNOME 2.

@hasufell

it is not supported anymore

that is not a plus in any way.

everything works

That's not enough to make it a recommendation.

@jpcchrist

I am new to this whole discussion and I have a few questions.

My primary OS is Windows 7, but I dual-booted Mint 14 on both my desktop and laptop 5 months ago. After reading this post I downloaded the Debian version of Mint and I am going to put it on my laptop. I would like to stop using Windows altogether because of Prism and other privacy concerns, but my wife is not thrilled with the idea. She is not that computer savvy (I am not either, but I am learning as much as I can), so she is a little intimidated by anything that is not Windows. Could you all give me some resources that would help me to explain why it is important to stay away from Windows, Google, etc.? I don't want the government knowing all about me and my family, but this doesn't seem to be enough to convince her to try and make the switch.

Thanks for your help and advice.

@sarciszewski

If your wife still needs to use Windows, consider the following:
1. Get a copy of a Windows image from Softpedia http://www.softpedia.com/progDownload/Windows-7-Download-118183.html
2. Download VirtualBox
3. Create a virtual Windows 7 machine and use your old host Windows 7 serial key
4. ????
5. PROFIT!
(Also, it might be possible to force all of your VM's connections to use Tor. It's worth looking into)

@spiralofhope

@jpcchrist - Your concern has nothing to do with this topic, and needs to go somewhere else. http://catb.org/~esr/faqs/smart-questions.html

@amarildojr

Could someone say if there are risks in using 3 non-free apps?
I use Debian and the only non-free apps I use are: Steam; NVIDIA drivers (required for Steam, installed via Debian's Wiki); and Flash, because Gnash isn't working well atm.

Feel free to comment here and there -> http://www.wilderssecurity.com/showthread.php?t=352385

Regards, and stay safe.

@hasufell

There are a lot of reasons against steam:

  • you do not buy a game, but rent a license to play it which can be revoked at any time by valve
  • valve deletes/locks accounts if you buy a game from a gift shop which has a better price (even if the version is not in your country, so people got banned for trying to buy an uncut version which was 2$ cheaper)
  • almost no rights as a user
  • they heavily collect data and that makes sense for such a platform, because they want to improve their sales etc. I doubt this data is anonymous.
  • client is proprietary

For NVIDIA I personally think that is a rather old-fashioned closed-source mindset, as in: we want no one to compete with us. I doubt they collect user data through their driver, and one could probably analyze that while looking for unexpected outgoing packets.

Flash in fact is a security hazard. The vulnerabilities are countless and some distros do warn the user explicitly that he has to use it at his own risk. And it is proprietary, of course.
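hasufell suggests watching for unexpected outgoing packets from a closed-source driver. Below is an added example of that check, not code from this thread or from any project mentioned in it: it parses connection lines in the layout of "ss -tnp" output (the lines here are constructed, not a real capture, and the process name nvidia-helper is made up) and flags every connection that an assumed per-process baseline does not account for, whether because the process is not in the baseline at all or because it reaches a network outside the ranges recorded for it.

```python
"""Flag outbound connections that a per-process baseline does not explain.
Added example; the ss-style lines and the baseline are constructed."""

import ipaddress
import re

# Constructed in the column layout of `ss -tnp` on Linux: State, Recv-Q,
# Send-Q, Local Address:Port, Peer Address:Port, users:(("name",pid=N,fd=N)).
# Not a real capture; "nvidia-helper" is a made-up process name.
SAMPLE_SS = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 192.168.1.20:44312 93.184.216.34:443 users:(("firefox",pid=2213,fd=86))
ESTAB 0 0 192.168.1.20:51002 192.168.1.1:22 users:(("ssh",pid=2440,fd=3))
ESTAB 0 0 [2001:db8::20]:38080 [2001:db8:1::5]:443 users:(("firefox",pid=2213,fd=91))
ESTAB 0 0 192.168.1.20:47720 198.51.100.77:8443 users:(("nvidia-helper",pid=2601,fd=5))
ESTAB 0 0 192.168.1.20:51003 203.0.113.9:22 users:(("ssh",pid=2455,fd=3))
ESTAB 0 0 127.0.0.1:40011 127.0.0.1:631 users:(("cupsd",pid=900,fd=12))
"""

# Assumed baseline: process name -> networks it is expected to reach.
# A process absent from the baseline is flagged for any connection.
BASELINE = {
    "firefox": ["0.0.0.0/0", "::/0"],   # a browser talks to anyone
    "ssh": ["192.168.1.0/24"],          # only the local LAN
    "cupsd": ["127.0.0.0/8"],           # loopback only
}

LINE_RE = re.compile(
    r'^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)'
    r'\s+users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)')


def split_endpoint(endpoint):
    """'1.2.3.4:443' or '[2001:db8::1]:443' -> (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host.strip("[]")), int(port)


def parse_ss(text):
    """Yield one dict per connection line; the header and lines without a
    process column (e.g. sockets of other users when not root) are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        peer_ip, peer_port = split_endpoint(m["peer"])
        yield {"proc": m["proc"], "pid": int(m["pid"]),
               "peer": peer_ip, "port": peer_port}


def allowed(proc, ip, baseline):
    """True only if the process is baselined and the peer falls inside one
    of its networks. An IPv4 address never matches an IPv6 network."""
    nets = baseline.get(proc)
    if nets is None:
        return False
    return any(ip in ipaddress.ip_network(n) for n in nets)


def unexpected(text, baseline=BASELINE):
    """Return (process, pid, 'peer:port') for each connection the baseline
    does not cover, in the order the lines appeared."""
    return [(c["proc"], c["pid"], f'{c["peer"]}:{c["port"]}')
            for c in parse_ss(text)
            if not allowed(c["proc"], c["peer"], baseline)]


if __name__ == "__main__":
    for proc, pid, peer in unexpected(SAMPLE_SS):
        print(f"unexpected: {proc} (pid {pid}) -> {peer}")
```

On a real host, run "ss -tnp" as root (an unprivileged user only sees the process column for its own sockets) and pass the output to unexpected(); add -u to the ss invocation if UDP sockets should be covered too. The baseline is the part that has to be built per machine, by recording what each process talks to during a quiet period, and a hit is a lead to investigate rather than proof of exfiltration.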

@ghost

I don't understand the differences between Fedora, openSUSE and Ubuntu on the community versus corporate driven point. Aren't they all backed by corporations?

@hasufell

Aren't they all backed by corporations?

no

@mxdpeep

what about Ubuntu 12.04.2 LTS + Gnome Session Fallback? there is NO Unity or Amazon Ads

@ghost

Looks like this is not about Amazon Ads since they won't even accept Trisquel. I feel bad for the people who never used an open source OS before and come across this page. LMDE is being announced as the easiest Linux distro out there, which is far from true. Saying that you should not trust a distro just because it uses parts of Ubuntu goes against everything that open source and free software stands for.

I've read this entire discussion and I'm still trying to understand the reasons for all of this, since I still totally agree with the first comment by nylira:

"Ubuntu Unity search and the proprietary Ubuntu One cloud service are problematic for user privacy and freedom. Neither of them are present in Mint or Trisquel.

As far as trust goes, Ubuntu packages are open source and freely available to be audited. If spyware is found in any other Ubuntu package, feel free to make an issue for it, and I can take down the affected distributions until they fix the problem."

I understand and agree that Ubuntu spies on its users and so has no place on Prism Break, but I really think that Trisquel, Mint (not the Debian one. As I said, that thing is far from being easy) and even elementary OS are great for people who want to escape from Microsoft and/or Apple. I'm sorry if this is not the right place to post it, but this video shows that even Richard Stallman, the most paranoid person alive, believes that you can remove the spyware from Ubuntu and use it without fear: http://youtu.be/CP8CNp-vksc

@hasufell

As far as trust goes, Ubuntu packages are open source and freely available to be audited.

Those are binary packages, so they are not open source by definition. This is not being nitpicky... it is an important difference.

Since providing malicious software in binary form is ten times as easy as in source form (especially when a whole community is tracking every major source code change), you need an extra amount of trust towards your binary package distributor.

I personally do not see where that trust should come from regarding ubuntu packagers and the company that employs them.

@ghost

You keep saying that, but I still don't see a reason to believe in this "Ubuntu is not open source" argument. Are there any other sources where I can see a more detailed explanation sustaining the claim that Ubuntu is not open source? I've been searching for more information about this topic since yesterday and can't seem to find any other reference about this.

Sorry if I'm being annoying but I really want to understand the differences and why the whole Internet considers Ubuntu free and open source software when that's not true.

@hasufell

"Ubuntu is not open source"

Nope, I did not say it like that. The devil is in the details. Binary packages are compiled. How do you know which source was compiled?

@towolf

hasufell, how do /you/ know that They did not implant a probe during your last dentist appointment?

/unsubscribe

@hasufell

hasufell, how do /you/ know that They did not implant a probe during your last dentist appointment?

That's difficult to fix. For the matter discussed here, it is easy to fix: don't use it.

@sarciszewski
@hasufell

Don't go to the dentist. There, fixed it. Enjoy your tooth rot.

That analogy is flawed. There is no alternative to "dentist". We are not talking about Linux in general, but only a single distribution.

@ghost

You say that we should not trust Canonical or any other OS that uses any piece of code from Ubuntu, but why should we trust you?

This is the second question that I make that you don't answer or answer giving zero sources or information on the subject. It seems weird to me that you immediately answer every joke and provocation but don't give any reason for us to trust you. I'm sorry, but you're just acting like a troll.

@hasufell

but why should we trust you?

Why do you need to trust me? Do you happen to use gentoo?

@hasufell

giving zero sources or information on the subject

Sources on what a binary file is? https://en.wikipedia.org/wiki/Binary_file

@ghost

No, I don't use Gentoo. You understood what I said, you just don't want to answer it. It's fine. You won. I'll give up. This site was a great idea, but this discussion here is just terribly sad. Unsubscribing too. :/

@hasufell

I think you don't understand the concept of packaging and what a packager is able to do to thousands of users. There is only one way to make this process TRANSPARENT: being a source distro and not providing precompiled packages at all (or really just optionally).

If that is not the case (like in ubuntu), then you need MORE trust to those packagers (and those behind them) than you would need to those that maintain build scripts which are public and human readable at all times (like it is the case in source distros).

Binary files are NOT human readable.

Those are basic concepts of computer science. I have no idea why you call any of that trolling or what I have to make more clear about this.

This is my personal opinion and I am investing a lot of free time in that concept of source distros. Although you can say that this is a problem in all binary distros... there is this small difference of Canonical politics (the link is here probably 10+ times) that makes me distrust them even more.
Before using a binary distro I'd like to know a few things:

  • I know and appreciate the community
  • I maybe know some devs and think they are upright
  • I know that their policies about packaging, code changes and working with upstreams whenever possible are very strict
  • I know that they are community-driven
  • I know that they follow their Code of Conduct and that they have a social contract
  • I know that there has NEVER been any incident about even the slightest form of spyware. NEVER.

Ubuntu does not score well on that check list.

@Inoki

Funny thing is you guys added OpenSuse to the list of trusted GNU/Linux distros, while you forget that OpenSuse is being developed by Novell, which is owned by Microsoft, but you exclude Ubuntu because of "data leaks".

@Mailaender

Corrections: @openSUSE is developed by volunteers and just sponsored by https://www.suse.com which is part of http://www.attachmategroup.com/ (not Novell Inc.) which also owns Novell (not Microsoft). The SUSE Linux GmbH collaborates with Microsoft on things like interoperability. https://www.suse.com/partners/alliance-partners/microsoft/

@Mailaender

The main reason with Ubuntu is probably the attitude of http://www.markshuttleworth.com/archives/1182 which offended people and led to press releases like http://www.fsf.org/blogs/rms/ubuntu-spyware-what-to-do As a compromise I suggest you add Ubuntu with an * that tells people how to sudo apt-get remove unity-lens-shopping and it should be fine?
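Ashrael earlier asks for a list of suspect packages and a script to find them, and Mailaender suggests removing unity-lens-shopping. The following is an added example, not code from this thread or from prism-break: it reads the paragraph format of the dpkg status database (a constructed excerpt is embedded; the version strings are made up) and reports which packages from a watchlist built only from names mentioned in this thread are actually installed, distinguishing an installed package from one that was removed with its configuration files left behind.

```python
"""Audit a dpkg status database for packages on a watchlist.
Added example; the status excerpt and watchlist are constructed from
package names mentioned in this thread, not an authoritative list."""

import re

# Names mentioned in the thread (Ashrael's removals, Mailaender's lens).
WATCHLIST_EXACT = {"unity-lens-shopping", "ubuntuone-client", "apport", "zeitgeist"}
WATCHLIST_PREFIXES = ("unity-scope-", "zeitgeist-", "ubuntuone-")

# Constructed excerpt in the /var/lib/dpkg/status layout: paragraphs
# separated by blank lines, "Field: value" lines, continuation lines
# indented by one space. Versions are made up.
SAMPLE_STATUS = """\
Package: unity-lens-shopping
Status: install ok installed
Priority: optional
Section: gnome
Version: 6.8.0-0ubuntu1
Description: Unity Shopping Lens
 Shows online shopping results in the Dash.

Package: zeitgeist-core
Status: install ok installed
Version: 0.9.0.1-0ubuntu1
Description: event logging framework

Package: apport
Status: deinstall ok config-files
Version: 2.0.1-0ubuntu17
Description: automatically generate crash reports

Package: coreutils
Status: install ok installed
Essential: yes
Version: 8.13-3ubuntu3
Description: GNU core utilities
"""


def parse_status(text):
    """Yield one dict per paragraph; continuation lines are dropped."""
    for paragraph in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in paragraph.splitlines():
            if line[:1].isspace():
                continue
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if "Package" in fields:
            yield fields


def is_installed(pkg):
    """'Status: <want> <flag> <state>'; only state 'installed' means the
    package's files are on disk. 'config-files' is a removed package."""
    parts = pkg.get("Status", "").split()
    return len(parts) == 3 and parts[2] == "installed"


def watched(name):
    return name in WATCHLIST_EXACT or name.startswith(WATCHLIST_PREFIXES)


def audit(status_text):
    """Sorted names of installed packages that are on the watchlist."""
    return sorted(p["Package"] for p in parse_status(status_text)
                  if is_installed(p) and watched(p["Package"]))


def removal_command(names):
    """The apt-get invocation that would remove the hits, or None."""
    return "sudo apt-get remove " + " ".join(names) if names else None


if __name__ == "__main__":
    hits = audit(SAMPLE_STATUS)
    print(hits)
    print(removal_command(hits))
```

Against a real system, read /var/lib/dpkg/status instead of SAMPLE_STATUS. The watchlist here is nothing more than the names that appear in this thread; whether a package belongs on it is a judgement the script does not make, and a package with "config-files" status is reported as absent because its code is already gone.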

@hasufell

and it should be fine?

This is rather about the chain of trust and I don't see how removing a single package solves this problem. But I'm only speaking my mind here. This is not my website and not my decision.

@amarildojr

Honestly? I don't see why people give Canonical their trust votes. Today was a little spy-feature (AFAWK), who knows what tomorrow can bring. I recommend people not to use Ubuntu anymore.

@Inoki

Let's not be paranoid ok? I mean, every OS there is, be it proprietary or freeware, is being developed by somebody and whatever you use, you're at the mercy of that particular someone who created that OS.

I use Ubuntu, you can't prevent Big Brother from spying on you entirely even so, no matter what you do. Today everything is being monitored, everything, there's no real escape. Of course you can try, but you only avoid being spied on to certain extent, unless you're an uber-paranoid hacker geek.

@hasufell

I use Ubuntu, you can't prevent Big Brother from spying on you entirely even so, no matter what you do. Today everything is being monitored, everything, there's no real escape.

I feel that this is a pretty weak excuse. We have figured out in this thread that there is a difference between distros in terms of morals. This difference is also a matter of principle. Fighting the current system involves not only education about computer science, the internet and the law-breaking of the NSA etc., but also disesteeming services, people, companies, software etc. that do not care about your rights (especially privacy).

That there is no ultimate escape does not mean you just give up. There are two things that still work: a) encryption and b) making monitoring of metadata harder.

Users have a lot of passive power, but most do not see it.

@samrocketman

@hasufell +1 arguments. I spent the past half hour reading this thread in detail and I agree with the points you've made. Here's what I glean.

  • There's a significant difference between binary + source package distros vs source based distros in terms of truly being open source. It has definitely given me a different perspective on what I view as "open source" vs true freedom in software. Though I'd beg to differ on the technical feasibility of verifying binary packages. One could compile and use a checksum of the compiled binary vs what was provided. Of course one would need to obtain compile options used so this might not be as easy without disclosure of the build process from developers (I don't see why not).
  • Users definitely have control over what technologies they use (for instance I use openfire with family for all IM communication and it is encrypted). I have installed my certificate authority on all of their devices and sign my own certificates using that authority so the family has truly private communication from a trusted source. This goes for other services I provide them as well.
  • Just because they can do it doesn't mean they should do it. It's an ethical and moral issue. Those touting the Ubuntu chant don't seem to realize that.

While I understand the convenience vs Freedom issue I really wish Freedom was more convenient. It has vastly improved in recent years and will only get better. Education is the most difficult hurdle.

@felipeautran while I didn't agree with your arguments I truly enjoyed the Richard Stallman video.

Non-Disclaimer: I'm an Ubuntu user (Kubuntu technically).

@srmojuze

Agreed. For any user, avoid Ubuntu where possible. Where not possible, continue to evaluate other options. As for prism-break.org, indeed, agreed, Ubuntu should not be there. Doesn't mean all of us need to wipe Ubuntu from existence ~tomorrow~, but everything starts with awareness.

@Wipeout2097

Even this project is infested by Ubuntu fanboys. Unbelievable!

If you want Ubuntu to be approved, lobby and work for its de-crapification and then come back.

@Inoki

Thing is, everything that gets more and more attention from the public will eventually become a commercial product with interest from the government and whoever will not want to co-operate will be shut down by force.

Period.

@amarildojr

"Thing is, everything that gets more and more attention from the public will eventually become a commercial product with interest from the government and whoever will not want to co-operate will be shut down by force.

Period."

Oh, so Linux hasn't been big yet, huh? (irony)

Nonsense. The same applies to people who say that Linux has less viruses because it's less adopted on the desktop market.

@Inoki

Look at how stupid someone can be. Of course my comment aimed at Linux getting bigger and bigger, but obviously I have to explain to those unable to comprehend.

Ubuntu always aimed to be commercial, everyone saw it coming, so of course there is more interest from 3rd parties, more marketing, more companies/investors/government interest, less privacy and I could go on.

What happened to Ubuntu can easily happen to any linux distro out there over time, just face it. I'm just wondering how many distros will end up on this list.

@amarildojr

No. You clearly don't realize that 'big' means 'not only in desktops'. If 'big' is your concern (or you just mean it in the desktop market) then I'm afraid you either don't know anything about Linux or are just plain ignorant.
Or, just stop using the web. Or just live in the woods.

@mxgms

The solution is:

sudo apt-get remove unity-lens-shopping

enough.

@amarildojr

I'd do more of a:

sudo apt-get remove --purge ubuntu from your computer

Heheheh =p

@saizai

FWIW: I suggest distinguishing between server and desktop OS.

Do you propose that ubuntu should be blacklisted as insecure for server usage?

@mxgms
@r5d referenced this issue from a commit in r5d/prism-break: @nylira linux mint -> lmde #334 0208d13
@r5d referenced this issue from a commit in r5d/prism-break: @nylira trisquel -> gnewsense #334 acf1f7a
@r5d referenced this issue from a commit in r5d/prism-break: @nylira update os note #334 233ec2b
@YtvwlD

So, I've spent some time reading this thread. ( @hasufell )

(quotes aren't literal)

  • People can't know if the binary package matches the compiled form of the source package or if anything has been added.

    I agree to that.
    But this seems to fit to every distribution. Maintainers are able to manipulate packages. The only thing that might help is trust.
    And manipulation of packages breaks this trust.
    Which leads to...

  • If the trust is broken, don't use this distribution and do not recommend it to anybody.

    Right!
    But this kind of trust isn't broken. (Well, I don't know if it isn't. But I think that a possibly happened break of this trust hasn't been made public.)
    Up until now I haven't heard any news about package manipulation in Ubuntu.

  • Ubuntu ships with a "spyware".

    Well, it ships with a possibility to search on Amazon. This could be useful for the users and earn Canonical money. In theory.
    I think that it would be better to ask the users to enable this upon installation (or even do an opt-in). Yes.
    But it is no spyware.
    It is transparent and open-source. (The same goes for Ubuntu One.) The software that is installed on your computer is open-source. The service isn't. (Same as desura.)

So, it is a new service. And it may (possibly) harm your privacy. But it is easy to disable.
And while it might break your trust into some decisions of Mark Shuttleworth (Mir, anyone?), it clearly isn't a manipulation of packages. (This would indeed break any remaining trust.)

And thanks for reading this (surely too long) comment.

Non-Disclaimer (like @sag47): I use Lubuntu, Ubuntu with Razor-Qt and Ubuntu (Amazon lens enabled ;-) but without using the dash; as of 13.10 Ubuntu doesn't find the things I'm searching for anymore).
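
Two comments above raise the same technical question: @samrocketman suggests that binary packages could be verified by rebuilding from source and comparing checksums against what the distro ships, and @YtvwlD notes that users otherwise cannot know whether a shipped binary matches its source package. The script below is an added example, not code from this thread, from prism-break or from any distribution's tooling. It shows the comparison step of that check: given a locally rebuilt package archive and the shipped one, hash every file's contents and report members that are missing, extra or modified. File metadata (timestamps, ownership, permissions) is deliberately excluded from the digest, because it differs between build hosts even when the compiled output is identical; the archive layout, the `build_archive` fixture and the sample package contents are constructed for the example and are not from any real package.

```python
"""Compare a locally rebuilt package archive against the shipped one.

Added example for the discussion above, not from the thread or from any
distribution's tooling. Archives are handled as bytes so the check runs
offline on constructed input; in practice you would pass the contents of
the .deb's data.tar (or the source-built equivalent) instead.
"""
import hashlib
import io
import tarfile


def member_digests(archive):
    """Return {member_name: sha256_hex} for every regular file in a tar archive.

    Only file contents are hashed. Ownership, permissions and mtime are
    ignored on purpose: they vary between build hosts without the compiled
    output changing, and they are what reproducible-builds tooling
    normalises before comparing.
    """
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            data = tar.extractfile(member).read()
            digests[member.name] = hashlib.sha256(data).hexdigest()
    return digests


def compare_archives(rebuilt, shipped):
    """Diff two archives by content digest.

    Returns a dict with three sorted lists:
      'only_in_rebuilt', 'only_in_shipped': members present on one side only
      'modified': members present on both sides whose contents differ
    All three empty means the shipped archive is what the source builds to
    under the same toolchain and build options.
    """
    a = member_digests(rebuilt)
    b = member_digests(shipped)
    return {
        "only_in_rebuilt": sorted(set(a) - set(b)),
        "only_in_shipped": sorted(set(b) - set(a)),
        "modified": sorted(n for n in set(a) & set(b) if a[n] != b[n]),
    }


def archives_match(rebuilt, shipped):
    """True only if every member exists on both sides with identical content."""
    return not any(compare_archives(rebuilt, shipped).values())


def build_archive(files, mtime):
    """Build a gzip'd tar from {name: bytes} with a fixed mtime (fixture only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = mtime
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def demo():
    """Constructed sample: the shipped package differs from the rebuild.

    The rebuilt archive has a different mtime (harmless), while the shipped
    one carries a modified binary and an extra library the source never
    produced. Both of the latter must show up in the report.
    """
    rebuilt = build_archive(
        {"usr/bin/tool": b"\x7fELF-from-source", "usr/share/doc/README": b"docs"},
        mtime=1_000,
    )
    shipped = build_archive(
        {
            "usr/bin/tool": b"\x7fELF-patched",
            "usr/share/doc/README": b"docs",
            "usr/lib/extra.so": b"\x7fELF-unknown",
        },
        mtime=2_000,
    )
    return compare_archives(rebuilt, shipped)


if __name__ == "__main__":
    print(demo())
```

The check only proves what it measures: a clean result means the shipped bytes equal your rebuild, which still requires that you used the same compiler, flags and build environment the packager used, so the build recipe has to be published for the comparison to mean anything.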

@escribelibre

https://www.gnu.org/philosophy/ubuntu-spyware.html

@elchi People can make an open source malware that destroys power grids; that does not make it not malware. What Ubuntu implemented is spyware, and RMS explains why:

When the user searches her own local files for a string using the Ubuntu desktop, Ubuntu sends that string to one of Canonical's servers. (Canonical is the company that develops Ubuntu.)

This is just like the first surveillance practice I learned about in Windows. My late friend Fravia told me that when he searched for a string in the files of his Windows system, it sent a packet to some server, which was detected by his firewall. Given that first example I paid attention and learned about the propensity of “reputable” proprietary software to be malware. Perhaps it is no coincidence that Ubuntu sends the same information.

Ubuntu uses the information about searches to show the user ads to buy various things from Amazon. Amazon commits many wrongs (see http://stallman.org/amazon.html); by promoting Amazon, Canonical contributes to them. However, the ads are not the core of the problem. The main issue is the spying. Canonical says it does not tell Amazon who searched for what. However, it is just as bad for Canonical to collect your personal information as it would have been for Amazon to collect it.

And:

Ubuntu allows users to switch the surveillance off. Clearly Canonical thinks that many Ubuntu users will leave this setting in the default state (on). And many may do so, because it doesn't occur to them to try to do anything about it. Thus, the existence of that switch does not make the surveillance feature ok.

Even if it were disabled by default, the feature would still be dangerous: “opt in, once and for all” for a risky practice, where the risk varies depending on details, invites carelessness. To protect users' privacy, systems should make prudence easy: when a local search program has a network search feature, it should be up to the user to choose network search explicitly each time. This is easy: all it takes is to have separate buttons for network searches and local searches, as earlier versions of Ubuntu did. A network search feature should also inform the user clearly and concretely about who will get what personal information of hers, if and when she uses the feature.

If a sufficient part of our community's opinion leaders view this issue in personal terms only, if they switch the surveillance off for themselves and continue to promote Ubuntu, Canonical might get away with it. That would be a great loss to the free software community.

Now, okay, so Ubuntu was not made to be a privacy-centric distro, right? Not even a security or free software distro. Just a general purpose distro for home users. So yes, while Ubuntu has spyware by default, and yes we should shun Ubuntu and Canonical, I agree with the thread title that Ubuntu derivatives might be okay, because why not create a fork of Ubuntu that is more privacy-centric and actually respects your freedom?

Free software gives users a chance to protect themselves from malicious software behaviors. Even better, usually the community protects everyone, and most users don't have to move a muscle. Here's how.

Once in a while, users who know programming find that a free program has malicious code. Generally the next thing they do is release a corrected version of the program; with the four freedoms that define free software (see http://www.gnu.org/philosophy/free-sw.html), they are free to do this. This is called a “fork” of the program. Soon the community switches to the corrected fork, and the malicious version is rejected. The prospect of ignominious rejection is not very tempting; thus, most of the time, even those who are not stopped by their consciences and social pressure refrain from putting malfeatures in free software.

Sorry for regurgitating the article verbatim, but I share that opinion and I think it is too extreme to throw out all Ubuntu derivatives by default (maybe just take them with a grain of salt), especially since Trisquel looks like a promising project. I'm burning a copy of that as I write this, so there.

You see, the option of a fully free operating system (provided it works with my hardware) trumps that of any OS even partially containing/tolerating obscurantist proprietary stuff, because with fully free and open source stuff, you at least have the comfort of 100% transparency!!! Translation: Trisquel might be Ubuntu-based, but it is still good because it is fully free and open. Not only that, but it is supported by the non-profit FSF instead of the for-profit company Canonical. The community might build off of Ubuntu's work and notoriety, but who's to say they have the same doomed future as Ubuntu? Besides, Ubuntu had nonfree programs by default. I think it's a difference of who is in charge of the project, who contributes to it.

@hasufell

How can you call it a fork if ~95% of a derivative just mirrors the packaged binaries from the Ubuntu servers directly? They don't rebuild the whole stuff. That needs a lot of infrastructure and contributors.

@escribelibre

@hasufell It seems completely polarizing to dump Trisquel based on one malfeature that Ubuntu had which is not even present in Trisquel. Trisquel does not even have the annoying Unity desktop!

Most people will probably be fine. If Trisquel has any problems at all, I trust the community (especially as it receives more support) will iron them out; if it proves itself untrustworthy, the FSF will withdraw its support and endorsement. Non-tech-savvy users should use Trisquel, if their hardware can support it, because it is easy to use and, relatively speaking, is better than whatever OS they have currently. Ideally, this means that if they bought a computer already running Trisquel, then they would be totally set, everything would just work, and they would have relative peace of mind knowing that they have a fully free platform.

Yes maybe packages should be distributed differently, but I don't think the average user knows how to run Gentoo. Maybe these criticisms should be brought to Trisquel so they can deal with it.

P.S:

That needs a lot of infrastructure and contributors.

And this is why everyone should give a rare distro like Trisquel (fully free and easy to use for end users) their support. With more support, they can do things like that, and it will get better.

@YtvwlD

@escribelibre This "feature" should - at least - ask before it is used. I agree on this.

But how do you ( @hasufell ) get to the point that you aren't able to trust the Ubuntu binary packages? Implementing an open source client for a proprietary platform isn't package manipulation, is it?

@escribelibre

Furthermore, from a usability standpoint, adding gnewsense but not Trisquel kinda sucks; at least Trisquel works out of the box a lot more readily than gnewsense, making it easier to adopt.

@hasufell

It seems completely polarizing to dump Trisquel based on one malfeature that Ubuntu had which is not even present in Trisquel. Trisquel does not even have the annoying Unity desktop!

Nope, the argument was that Trisquel is a derivative and uses more than 90% of their packages directly from Ubuntu afair. All they do is "hack" on some packages and remove others due to license filtering. That's all. You still got all the Ubuntu binaries, packaged by Canonical employees.

But I don't see why I have to reiterate all those arguments. It kind of makes me feel like a parrot.

And this is why everyone should give a rare distro like Trisquel (fully free and easy to use for end users) their support. With more support, they can do things like that, and it will get better.

I don't see why I should if they are unwilling to switch to debian repositories.

@YtvwlD

@hasufell I understood that you don't trust the Ubuntu package maintainers.

I wonder why. Do you think that this (certainly wrong) decision broke your trust?
Did it even exist before that?

Is this Ubuntu specific or do you have no trust regarding any binary packages?

If you use distributions with central package repositories you have to trust the maintainers - that's the whole point of package repositories.

You are free to compile everything on your own, but this is the same as, for example, OpenSuSE.

@vyp

But who's to say they have the same doomed future as Ubuntu?

Well I wouldn't call derivatives forks, they are still affected by upstream changes. Just like how Mark conceded to use systemd due to Debian's decision.

@samrocketman

@jumpwah Ubuntu uses upstart not systemd.

@vyp

@sag47 I meant the the decision to switch.

@alexander-b
@hasufell

Is this Ubuntu specific or do you have no trust regarding any binary packages?

Let's say "a lot less" instead of "no".

I know a lot of distro developers and some even personally. Over the years you get an idea about the different communities, their philosophy, their policies, the openness of their decisions, general collaboration in the Linux community etc. and about their history.
Ubuntu ranks badly in all of those points. It's mainly corporate-driven without open decision making, no honest philosophy about how to treat their users, almost no collaboration on the kernel and their policies seem to be profit-oriented only. That is MY opinion.

If you want to do the real thing... use a source distro.
But I would not claim that e.g. Debian is untrustworthy, although I find a lot of their policies terrible from a QA pov. There are very few exceptions, like the Debian OpenSSL mess many years ago, but I doubt any of that was intentional... it was just idiots doing stuff without peer review (which is a sign of not-so-good policies/workflow).

But I am reiterating stuff again which I have already explained here in more detail. I'd be interested in counter-arguments, but have not found many interesting ones.

@MrTrebleClef

Hi Prism-Break, I have one question. Why did you remove the Linux Mint Debian Edition from the list of operating systems?

@vyp

@MrTrebleClef, search? #805

@MrTrebleClef

Thank you jumpwah, good info!

@mxdpeep

anyway - nobody forces any user to use the Ubuntu Dash - it is the default, but you can use Ubuntu without ever running the Dash

@alerque

This is a closed issue, and further comments are just flogging a dead horse.

If you have something to present that you think will change the course of this matter, please open a new issue for discussion. Present your case and explain what you think should happen to PRISM-Break as a result of whatever data and arguments you have presented. Noting what circumstances have changed since this issue was closed would be a helpful addition. At that point a discussion can happen and a resolution can be reached. In the mean time there is nothing to be gained by further banter in this thread. No matter how salient a point you may have to make stemming from the above discussion, nothing will be accomplished by making it except annoying more people who track this project.

Thanks for understanding.
