Ubuntu derivatives ({L,X,K}ubuntu) are OK, while Ubuntu itself is not #334
|
Any such derivative is downstream of Ubuntu and because of that potentially unsafe, even Mint (although they seem to repackage some things and also mind "LMDE"). |
|
Trisquel is also an Ubuntu derivative. Under that logic (if I understand it correctly) shouldn't Linux Mint be replaced with LMDE and Trisquel with gNewSense? |
|
In my opinion probably yes, but that's just me. I wouldn't trust anything that comes from Ubuntu or uses anything from Ubuntu (and that's what derivatives do). |
|
So...what should be done about ubuntu derivatives? |
|
IMO all Ubuntu derivatives should be removed as well, because they can potentially also include spyware of the original distro without even knowing. |
|
I agree with hasufell. |
|
And what of Trisquel? I think it uses its own repositories. Since it's Ubuntu-based, should it be removed as well? |
|
http://packages.trisquel.info/toutatis/database/mysql-client Maintainer: Ubuntu Developers ubuntu-devel-discuss@lists.ubuntu.com |
|
from #trisquel on freenode: |
|
Ubuntu's spyware is currently contained in the Unity desktop environment. Ubuntu derivatives using alternative desktop environments ({L,X,K}ubuntu) should be theoretically safe, although they may still contain non-free software. However, for the casual visitor to PRISM Break, it's difficult to promote {L,X,K}ubuntu without seeming to promote Ubuntu itself. It's just one letter off, and searching for a flavor of Ubuntu will invariably lead you to the Ubuntu homepage due to fuzzy search logic and page rankings. I think we should keep the OS list at status quo. Linux Mint and Trisquel should be retained as they're sufficiently distinguished from Canonical Ubuntu. Mint -- while not entirely free -- will be a good experience for first-time Linux users, and Trisquel is the most usable completely free OS. {L,X,K}ubuntu will not be officially recommended because their names may unintentionally mislead users to Canonical's version of Ubuntu. |
|
That's a logical flaw in the chain of trust. If you do not trust ubuntu (for whatever reason), you cannot trust distros that make use of ubuntu packages directly. |
|
Ubuntu Unity search and the proprietary Ubuntu One cloud service are problematic for user privacy and freedom. Neither of them is present in Mint or Trisquel. As far as trust goes, Ubuntu packages are open source and freely available to be audited. If spyware is found in any other Ubuntu package, feel free to make an issue for it, and I can take down the affected distributions until they fix the problem. |
|
While I understand your point of view, let me be a bit more verbose about mine. Ubuntu is a corporation-driven distribution and does not care about the free software or open source community (Greg K-H: “Ubuntu does not give back to the community” in a kernel talk at Google). While that alone is not a bad thing, it completes the picture of Ubuntu's goals (see bug #1 on Ubuntu Launchpad). IMO, over the last few years Canonical has followed the exact same strategy as Microsoft: EEE (Embrace, Extend, Extinguish). That has shown in various ways where Ubuntu has pushed technologies or created extensions (such as Unity). The next step will be things like API war and might already start with the deal they have made with Valve. But what is a fact is this: Ubuntu has already betrayed its users through their spying features and is clearly not aiming at full transparency and freedom as in free. How can you trust someone who has already lied to you? What happened in Ubuntu is a very good reason to never trust them again as a whole, not just disregard a few features they provide. That would be inconsistent for people who appreciate free software and want control over what's happening on their computer. Further: Ubuntu packages are technically not open source. They are just binary packages, so they cannot be (open)source at the same time. That is a small but important difference. What they do is provide a source tarball along with their binary tarball. Who can tell me now if the source from tarball A matches the compiled binary of tarball B? You would have to decompile and analyze the whole code against the other... and that will be pretty difficult. So why should I install binary packages at all? Well, maybe because I trust the distributor. But we already realized that you cannot trust Ubuntu distributors. Now when we are talking about derivatives we are technically talking about Ubuntu as well.
You cannot distinguish cleanly between them, because they always mirror packages directly from Ubuntu, as an example for Trisquel: That in fact means that over 99% of Trisquel is practically Ubuntu. How can I recommend Trisquel now when I already distrust Ubuntu? You say the malicious features have been removed? Well, does Trisquel or you know of all malicious features of Ubuntu? No. Well, we could claim that for any distro, no? Yes, but they have not betrayed their users yet, so there is still a small reason for trust. That said... it is simply illogical to trust derivatives who just import the majority of packages from Ubuntu. While we cannot say “Ubuntu distributes malware all over its repository”, we can't really say the opposite either, because it already happened once. If you recommend LMDE (which is purely based on Debian) I would really have no objection, so please don't think I'm one of the guys who start distro wars. I am concerned about security and users. There are other distros on your list that I do not like, but I would never claim that Arch Linux is not trustworthy. |
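
The share of a derivative's packages that still name Ubuntu as maintainer, as in the `Maintainer: Ubuntu Developers` line quoted earlier in the thread, can be counted from package metadata. The sketch below is an added example, not part of the thread or of PRISM Break: it parses dpkg-style stanzas and classifies each package by its maintainer fields. The sample index, the `UPSTREAM` pattern and the category names are assumptions made for the illustration.

```python
import re
from collections import Counter

# Constructed sample in dpkg status / Packages-index stanza format (not real data).
SAMPLE_INDEX = """\
Package: mysql-client
Version: 5.5.0-constructed
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Original-Maintainer: Constructed Debian Team <team@debian.example>
Description: constructed entry
 continuation line of the description

Package: example-branding
Version: 1.0-constructed
Maintainer: Example Derivative Team <packages@derivative.example>

Package: example-kernel
Version: 3.0-constructed
Maintainer: Example Derivative Team <packages@derivative.example>
Original-Maintainer: Ubuntu Kernel Team <kernel@upstream.example>
"""

# Assumption: upstream packaging is recognised by these words in a maintainer field.
UPSTREAM = re.compile(r"ubuntu|canonical", re.I)

def parse_stanzas(text):
    """Yield one dict per stanza; continuation lines are folded into the previous field."""
    for block in re.split(r"\n\s*\n", text.strip()):
        fields, last = {}, None
        for line in block.splitlines():
            if line[:1] in (" ", "\t") and last:
                fields[last] += "\n" + line.strip()
            elif ":" in line:
                last, value = line.split(":", 1)
                fields[last] = value.strip()
        if "Package" in fields:
            yield fields

def classify(fields):
    """Hypothetical categories: who the metadata says packaged this entry."""
    if UPSTREAM.search(fields.get("Maintainer", "")):
        return "upstream-as-is"          # taken over unchanged from upstream
    if UPSTREAM.search(fields.get("Original-Maintainer", "")):
        return "upstream-modified"       # derivative changed an upstream package
    return "derivative-own"

def provenance_report(text):
    """Return (per-category counts, fraction of packages originating upstream)."""
    counts = Counter(classify(s) for s in parse_stanzas(text))
    total = sum(counts.values())
    upstream = counts["upstream-as-is"] + counts["upstream-modified"]
    return counts, (upstream / total if total else 0.0)
```

On an installed Debian-style system, `/var/lib/dpkg/status` is in this stanza format. The maintainer field records who packaged an entry, not who compiled the binary, so it bounds the mirroring question without settling it.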
|
In addition to Julian's points, I would like to add that these Ubuntu-derived distributions simply do not have the manpower to possibly audit all the packages they inherit (or sometimes even directly mirror) from Ubuntu. This means that their users are effectively at Ubuntu's mercy, and we cannot trust Ubuntu as they have proven to have unethical, anti-social interests. |
|
Thanks for your arguments @hasufell @alexander-b . While I've heard of most of these points already, some of them are new to me, and they've worked to convince me to your point of view.
More dialogue here: https://trisquel.info/en/forum/fear-and-uncertainty-trisquel-70 So here's what's going to happen.
|
|
How ironic that Ubuntu is scratched from the list for ads in the dash which you can turn off. Yet this site promotes pages which link to Google tracking, that you can't turn off. |
|
You do know that github has scripts and cross-site references for google-analytics as well, do you? Weird enough, but I can turn those off. |
|
Canonical is doing the Microsoft thing indeed! Right now I am still on Ubuntu, but I did tear out everything that looks like it's breaking my own privacy rules. I took out most of Unity (replaced it with classicmenu-indicator), all of UbuntuOne, apport, zeitgeist and a few other packages I can't remember right now. And I use a lot of add-ons in Firefox to protect my privacy... I do my best... But I can never be sure that there isn't some malicious piece of code somewhere, unless I check it all myself... Fat chance that's going to happen. Don't have the time or knowledge, and I guess no one has anymore. The best shot we all are going to have at a safe O.S. and privacy is to pool our knowledge and mental resources and create one ourselves. Also we have to redefine the standard on the internet from unencrypted to encrypted connections. Do you think Captain Kirk sends unencrypted messages? :) Or any sane person in the future? I think encryption should be standard in all electronic communications. We need to start by identifying the suspect and privacy-breaking packages, and make a list of them. A few have already been named, but I am quite sure there's more. This at least gives users the chance to get rid of them on their current distro if they wish. Scripts could be made etc. |
|
Yeah, but it is safer and more consequent to just completely distrust Ubuntu. Debian is really not that much different in terms of maintenance, package manager, etc.
People have already done that and it's better to join those efforts instead of just creating a new one. In the end... security in terms of virtual life, communication etc. never works without trust. But you should be radical on any disappointment you experience. |
|
This is such a double standard. If you are going to exclude Ubuntu (which seems a massive overreaction) ... you should exclude sites that contain Google spyware. This whole exercise seems like a marketing campaign. |
I don't think so. Feel free to reply to my arguments at #334 (comment) and point out where I am wrong.
Can you be more specific? |
|
Go through the list and look for sites which track you using Google Analytics or pixel bugs or some other link to Google, Facebook etc. Just looking at the social section the first two I checked were pump.io and joindiaspora, both contain spyware, I'm sure there are many more. |
Yes, github. Log out now. ;) |
|
@hasufell you prove my point ... actually many FLOSS projects use gitlab or gitorious, spyware is tolerable when it suits you personally but not when you want to attack something like ubuntu ... it's a double standard |
|
I'd do more of a: sudo apt-get remove --purge ubuntu from your computer Heheheh =p |
|
FWIW: I suggest distinguishing between server and desktop OS. Do you propose that ubuntu should be blacklisted as insecure for server usage? |
|
No. I think that Ubuntu is absolutely safe if well configured. Sent via iPhone
|
|
So, I've spent some time reading this thread. ( @hasufell ) (quotes aren't literal)
So, it is a new service. And it may (possibly) harm your privacy. But it is easy to disable. And thanks for reading this (surely too long) comment. Non-Disclaimer (like @sag47): I use Lubuntu, Ubuntu with Razor-Qt and Ubuntu (Amazon lense enabled ;-) but without using the dash; as of 13.10 Ubuntu doesn't find the things I'm searching for anymore). |
|
https://www.gnu.org/philosophy/ubuntu-spyware.html @Elchi People can make an open source malware that destroys power grids; that does not not make it malware. What Ubuntu implemented is spyware, and RMS explains why:
And:
Now, okay, so Ubuntu was not made to be a privacy-centric distro, right? Not even a security or free software distro. Just a general purpose distro for home users. So yes while Ubuntu has spyware by default, and yes we should shun Ubuntu and Canonical, I agree with the thread title that Ubuntu derivatives might be okay, because why not create a fork of Ubuntu that is more privacy centric and actually respects your freedom?
Sorry for regurgitating the article ad verbatim, but I share that opinion and I think it is too extreme to throw out all Ubuntu derivatives by default (maybe just take them with a grain of salt), especially since Trisquel looks like a promising project. I'm burning a copy of that as I write this, so there. You see, the option of a fully free operating system (provided it works with my hardware) trumps that of any OS even partially containing/tolerating obscuritan proprietary stuff, because with fully free and open source stuff, you at least have the comfort of 100% transparency!!! Translation: Trisquel might be Ubuntu-based, but it is still good because it is fully free and open. Not only that, but it is supported by the non-profit FSF instead of the for-profit company Canonical. The community might build off of Ubuntu's work and notoriety, but who's to say they have the same doomed future as Ubuntu? Besides, Ubuntu had nonfree programs by default. I think it's a difference of who is in charge of the project, who contributes to it. |
|
How can you call it a fork if ~95% of a derivative just mirrors the packaged binaries from the Ubuntu servers directly? They don't rebuild the whole stuff. That needs a lot of infrastructure and contributors. |
|
@hasufell It seems completely polarizing to dump Trisquel based on one malfeature that Ubuntu had which is not even present in Trisquel. Trisquel does not even have the annoying Unity desktop! Most people will probably be fine. If Trisquel has any problems at all, I trust the community (especially as it receives more support) will iron them out; if it proves itself untrustworthy, the FSF withdraw its support and endorsement. Non-tech-savvy users should use Trisquel, if their hardware can support it, because it is easy to use and, relatively speaking, is better than whatever OS they have currently. Ideally, this means that if they bought a computer already running Trisquel, then they would be totally set, everything would just work, and they would have relative peace of mind knowing that they have a fully free platform. Yes maybe packages should be distributed differently, but I don't think the average user knows how to run Gentoo. Maybe these criticisms should be brought to Trisquel so they can deal with it. P.S:
And this is why everyone should give a rare distro like Trisquel (fully free and easy to use for end users) their support. With more support, they can do things like that, and it will get better. |
|
@escribelibre This "feature" should - at least - ask before it is used. I agree on this. But how do you ( @hasufell ) get to the point that you aren't able to trust the Ubuntu binary packages? Implementing an open source client for a proprietary platform isn't package manipulation, is it? |
|
Furthermore, from a usability standpoint, adding gnewsense but not Trisquel kinda sucks; at least Trisquel works out of the box a lot more readily than gnewsense, making it easier to adopt. |
Nope, the argument was that Trisquel is a derivative and uses more than 90% of their packages directly from Ubuntu afair. All they do is "hack" on some packages and remove others due to license filtering. That's all. You still got all the Ubuntu binaries, packaged by Canonical employees. But I don't see why I have to reiterate all those arguments. It kind of makes me feel like a parrot.
I don't see why I should if they are unwilling to switch to debian repositories. |
|
@hasufell I understood that you don't trust the Ubuntu package maintainers. I wonder why. Do you think that this (certainly wrong) decision broke your trust? Is this Ubuntu specific or do you have no trust regarding any binary packages? If you use distributions with central package repositories you have to trust the maintainers - that's the whole point of package repositories. You are free to compile everything on your own, but this is the same as, for example, OpenSuSE. |
Well I wouldn't call derivatives forks, they are still affected by upstream changes. Just like how Mark conceded to use systemd due to Debian's decision. |
|
@jumpwah Ubuntu uses upstart not systemd. |
|
@sag47 I meant the decision to switch. |
|
On 17/03/14 21:16, elchi wrote:
Alexander |
Let's say "a lot less" instead of "no". I know a lot of distro developers and some even personally. Over the years you get an idea about the different communities, their philosophy, their policies, their openness of decisions, general collaboration in the linux community etc. and about their history. If you want to do the real thing... use a source distro. But I am reiterating stuff again which I have already explained here in more detail. I'd be interested in counter-arguments, but have not found many interesting ones. |
|
Hi Prism-Break, I have one question. Why did you remove the Linux Mint Debian Edition from the list of operating systems? |
|
@MrTrebleClef, search? #805 |
|
Thank you jumpwah, good info! |
|
anyway - nobody forces any user to use Ubuntu Dash - it is default, but you can use Ubuntu without a simple run of the Dash |
|
This is a closed issue, and further comments are just flogging a dead horse. If you have something to present that you think will change the course of this matter, please open a new issue for discussion. Present your case and explain what you think should happen to PRISM-Break as a result of whatever data and arguments you have presented. Noting what circumstances have changed since this issue was closed would be a helpful addition. At that point a discussion can happen and a resolution can be reached. In the meantime there is nothing to be gained by further banter in this thread. No matter how salient a point you may have to make stemming from the above discussion, nothing will be accomplished by making it except annoying more people who track this project. Thanks for understanding. |
|
Now Ubuntu 16.04 ships with Amazon spyware turned off by default. |
|
Please consider locking this issue for the reasons I cited above. It was closed three years ago, almost everything has been repeated several times, and if anything productive or actionable comes up on the topic that's actually new it needs to be dealt with in an issue specific to whatever is being brought up. Meanwhile people can't seem to let this thread alone. |
|
This issue is now locked. Please open separate issues for separate operating systems. Do note that we will probably stay sceptical about Canonical's Ubuntu for a while longer. |
Suggest adding them to the list. They are pretty vanilla LXDE, Xfce, KDE based distros. They don't have Unity Dash and don't send any data to Canonical or third parties (except for submitting crash reports, which is optional).