Author Topic: FOSS: How it works, and what distinguishes it from closed source software  (Read 3448 times)

Offline perknh

  • Trusted User
  • Hero
  • *****
  • Posts: 3969
  • Karma: 361
  • Soy un huevo, nada más.
  • Peppermint version(s): Peppermint 10
Hello Peppermint Forum,

Could anybody explain to me, in non-Stallmanian terms, the difference between free software, as from the Free Software Movement (not freeware), and open source software?  Doing so would deepen my understanding of the Linux environment in which I live and participate.  After several years of using Linux, I still draw a blank when trying to distinguish between free software and open source. :-\

What is the difference between free software and open source software?

Thank you.

perknh
« Last Edit: January 06, 2016, 09:51:44 pm by perknh »
[T]here are a lot of people happily running Peppermint ICE which hasn't been receiving ANY updates for a while now .. and I personally would STILL consider that MUCH more secure than any version of Windows with up-to-date AV/Anti-malware ;)

--  PCNetSpec, Cornwall, Eng.  Dec 03, 2013 5:18 pm

Offline PCNetSpec

  • Administrator
  • Hero
  • *****
  • Posts: 26452
  • Karma: 65531
  • "-rw-rw-rw-" .. The Number Of The Beast
  • Peppermint version(s): Peppermint 10
I guess some would say "open source" is not as broad a term as "free/libre software", and that it could theoretically be used to describe anything where the source code is available, yet you don't necessarily have the freedom to modify and redistribute the software.

Free/Libre software is said to include 4 freedoms:-

1) RUN - to run the program for any purpose.
2) STUDY - to study how the program works through availability of the source code.
3) IMPROVE - to improve the software.
4) REDISTRIBUTE - to hand out copies either of the original and/or your improved version.

Only 2 and 3 of those freedoms necessarily require the source to be open .. so theoretically "open source" may not give you freedoms 1 and 4 (though it usually does).

In reality, they're both blanket terms that tend to overlap to varying degrees depending on the software and licenses.
« Last Edit: December 31, 2015, 05:42:12 pm by PCNetSpec »
WARNING: You are logged into reality as 'root' .. logging in as 'insane' is the only safe option.

Team Peppermint
PCNetSpec

Offline perknh
« Reply #2 on: December 31, 2015, 05:22:17 pm »
Thank you, PCNetSpec,

What an excellent answer --one that I'm going to have to mull over, or ponder, for a while!

Ideally, it sounds as if Richard Stallman is right:  in an ideal world, free software would be the way to go.

perknh

P.S.

On second thought, there may be times when not modifying the code might be a good thing.  I'm thinking particularly about security matters here.  Perhaps free software and open source software both have their place in this world.  ;)
« Last Edit: January 06, 2016, 09:52:08 pm by perknh »
Offline PCNetSpec
In an ideal world it is, but there are currently real world situations where "open source" is a better description and overall goal/philosophy....

Take Peppermint (or Ubuntu), or Android for example, they may contain some licensed code that's proprietary (codecs, drivers, etc.) that would ultimately impose limitations on some of the 4 freedoms of "Free software", but where the software as a whole would be less than ideal without those components.

A *LOT* of people moan when they encounter a distro that refuses to play mp3s, for example, because it's sticking too closely to its "no proprietary/binary blobs" ethos.

The problem is - It ain't an ideal world ;)
« Last Edit: December 31, 2015, 05:39:05 pm by PCNetSpec »
Offline PCNetSpec
Quote
On second thought, there may be times when not modifying the code might be a good thing.  I'm thinking particularly about security matters here.  Perhaps free software and open source software both have their place in this world.  ;)

I have to disagree there perknh .. ALL code should be open and modifiable.

Take away the freedom to read the code and how do you KNOW it's secure?
and
Take away the ability to modify, and how do you fix a security hole you discover? (Microsoft have proven that relying solely on the original developer to discover flaws and/or to fix known exploits in a timely manner isn't a great idea.)

And I don't want software I'm not allowed to modify for MY purposes .. heck I might want to intentionally make it insecure for testing purposes, honeytraps, etc. .. I want total freedom where I'm responsible for the changes.
« Last Edit: December 31, 2015, 05:55:01 pm by PCNetSpec »
Offline perknh
« Reply #5 on: December 31, 2015, 06:27:41 pm »
Quote
In an ideal world it is, but there are currently real world situations where "open source" is a better description and overall goal/philosophy....

The problem is - It ain't an ideal world ;)

You got that right! ;)

Quote
On second thought, there may be times when not modifying the code might be a good thing.  I'm thinking particularly about security matters here.  Perhaps free software and open source software both have their place in this world.  ;)

I have to disagree there perknh .. ALL code should be open and modifiable.

Take away the freedom to read the code and how do you KNOW it's secure?
and
Take away the ability to modify, and how do you fix a security hole you discover? (Microsoft have proven that relying solely on the original developer to discover flaws and/or to fix known exploits in a timely manner isn't a great idea.)

And I don't want software I'm not allowed to modify for MY purposes .. heck I might want to intentionally make it insecure for testing purposes, honeytraps, etc. .. I want total freedom where I'm responsible for the changes.

Okay, then I'm still not understanding these concepts thoroughly enough.  Let's take an example of a secure, open source password manager.  If anyone who knows how can read and then modify the code, what is to stop a brilliant malicious hacker from changing the code and then stealing lots of people's personal information?  Or, another example, since Linux is used on American nuclear submarines, wouldn't closing the code help keep malicious hackers from, say, taking over the sub?

PCNetSpec, this is what I'm not getting:  I don't see how free software could prevent something from going terribly wrong in the examples I have given above.  What safeguards are put in place in the world of free software that would prevent malicious hackers from committing such horrific deeds as the examples I've given above?

There would have to be safeguards here somewhere.  Safeguards, on the other hand, could smash my "second thought" argument to smithereens.  What are the safeguards within free software (not open source) to keep the mad evil scientists from making our lives nothing less than pure and complete hell?  I ask this because if anyone who knows how to code can do whatever they want with the code, couldn't this get us into a lot more trouble at times?

Thank you,

perknh
« Last Edit: January 06, 2016, 09:52:32 pm by perknh »
Offline PCNetSpec
Quote
Okay, then I'm still not understanding these concepts thoroughly enough.  Let's take an example of a secure, open source password manager.  If anyone who knows how can read and then modify the code, what is to stop a brilliant malicious hacker from changing the code and then stealing lots of people's personal information?  Or, another example, since Linux is used on American nuclear submarines, wouldn't closing the code help keep malicious hackers from, say, taking over the sub?

Sure someone could distribute a version of the password manager that contains malicious code, but they could do the same thing with closed source proprietary code (or some non-connected code that just happens to have been crafted to appear to be the original) .. the problem is only the open sourced alternative would give you (and thousands of others) the opportunity to spot the malicious code.

In the Navy scenario, yeah maybe it'd be in their interests not to open source their specific patches .. but on the whole they benefit as much from the "many eyes" continually studying the code for bugs/holes and fixing them as they're found as anyone else .. or would you have them rely on Windows where they can't discover weaknesses specific to their usage themselves, and have to wait for Patch Tuesday for exploits to be addressed (the world would likely go radioactive on a Monday)

Security through obscurity has been proven not to work .. if someone with malicious intent gets their hands on closed source software they may be able to decompile it and find weaknesses and security holes to exploit that the author was unaware of (ALL software has bugs), but that software doesn't benefit from thousands of people other than the author scanning it for bugs and helping fix them, so they're more likely to go unnoticed by everyone except someone with malicious intent.
Offline PCNetSpec
The short version...

ALL software contains bugs and vulnerabilities .. but would you rather trust them to be discovered and fixed by the software being open to scrutiny by thousands of people with a vested interest in discovering/fixing them, or trust a single person/company with a vested interest in keeping them quiet?

In either case they WILL be discovered .. it's just a case of when, who by, and if they're exploited by the person that finds them before they're discovered/fixed/patched by someone without malicious intent.

Windows is closed source and is exploited more than any other OS, removing the "freedom" to study the code doesn't stop it being studied, it just removes the protection of "many eyes" .. nuff said ;)
« Last Edit: December 31, 2015, 07:41:41 pm by PCNetSpec »
Offline perknh
« Reply #8 on: December 31, 2015, 07:23:38 pm »
Quote
Windows is closed source and is exploited more than any other OS, removing the "freedom" to study the code doesn't stop it being studied, it just removes the protection of "many eyes" .. nuff said ;) --PCNetSpec

Yes, I'm liking open source and free software more and more these days.  Lately, I've been fixated on Adobe Flash Player.  That closed source program isn't doing any of us any favors either!

That recent beautiful installation of Peppermint I did with everyone's help here, well it just went this afternoon from having Chromium (open source) browser to having Google Chrome --and all because of a dangerous, proprietary plugin called Adobe Flash Player. >:(

How I'd love to have "many eyes" examine the code that is making Adobe Flash Player tick.

Thank you, PCNetSpec, for this interesting discussion.

perknh

« Last Edit: January 06, 2016, 09:52:57 pm by perknh »

Offline perknh
« Reply #9 on: December 31, 2015, 09:19:15 pm »
You know, PCNetSpec, you've got the entire U.S. Department of Defense backing up your arguments within this thread. ;)

To anyone interested, scroll down to OSS and Security/Software Assurance/System Assurance/Supply Chain Risk Management within this link.  It is very, VERY, interesting:

http://dodcio.defense.gov/OpenSourceSoftwareFAQ.aspx#Q:_What_is_open_source_software_.28OSS.29.3F

I stand down immediately!

perknh
« Last Edit: January 06, 2016, 09:53:17 pm by perknh »
Offline PCNetSpec
That's a well written and pretty comprehensive FAQ .. I'll bookmark that for the next person that asks.

Believe me, it's not just you that when first presented with the idea of freely available source code jumps to the conclusion "hey doesn't that help the attacker" .. I know I did at first .. actually being MORE secure because of source code publication can be a hard concept to grasp after years in the closed source camp ;)

I particularly like this excerpt:

Quote
Many perceive this openness as an advantage for OSS, since OSS better meets Saltzer & Schroeder's "Open design principle" ("the protection mechanism must not depend on attacker ignorance").

Thanks for the link perknh :)

[EDIT]

Quote
you've got the entire U.S. Department of Defense backing up your arguments within this thread.

Oh, I feel so much safer now .. does friendly fire apply to software? .. only kiddin :)
« Last Edit: December 31, 2015, 09:53:54 pm by PCNetSpec »
Offline GNULINUX

  • Member
  • ***
  • Posts: 986
  • Karma: 311
  • Peppermint version(s): Peppermint Six (x64)
Nice topic!  8)

Another one liner: "Closed source is broken by design!"

I like the GNU/LINUX way!
Peppermint 6  (x64)   -   Windows 7 Ultimate SP1  (x64)
Running different OS flavors in VirtualBox, just for fun!

Offline perknh
« Reply #12 on: January 05, 2016, 09:36:15 pm »
Quote
Nice topic!  8)

Another one liner: "Closed source is broken by design!"

I like the GNU/LINUX way!

Thank you, GNULINUX,

Yes, it is a very interesting subject!

Quote
Believe me, it's not just you that when first presented with the idea of freely available source code jumps to the conclusion "hey doesn't that help the attacker" .. I know I did at first .. actually being MORE secure because of source code publication can be a hard concept to grasp after years in the closed source camp ;)

@PCNetSpec

We know that we have a secure Linux distribution here, but what is keeping it this way --especially if anyone with knowledge of code can obtain our code, and then read and manipulate it?  Why aren't we always being attacked?  How do we make sure no malicious attackers are attacking our code, and how do they get their hands on Peppermint's code anyway?  Do we just give Peppermint's code away to anyone for the asking?

Yes, I'm convinced F.O.S.S. is the way to go, but I'm still trying to understand how this works.  When it comes to F.O.S.S. and security, the concept of free open source security, by its very nature, seems counterintuitive.  Security through free and open source code appears to be an oxymoronic idea (open security).  It sounds as if we are keeping our house safe (Peppermint) by making sure all the shades are up, and all the doors are open --to anyone anytime! :-\

Clearly this cannot be the case.

Here's what I'm thinking:  Peppermint has a specified set of goals.  What we mean by manipulating the code within Peppermint is that anyone can do so if they adhere to Peppermint's specified objectives.  It's free and open, but not if you want to turn Peppermint into another Red Star OS.  If somebody wants to do that, other coders can and will step in and say "No way, José --you can't do that!  You're out of here!"  We have a variety of skill levels here, and of who has access to what --and this is to prevent harm to the distribution, or to prevent it from ever being taken over by some potentially very bad players.

It's free and open, but to various degrees to different people within the distribution.  All coders can get a shot at things, but no monkey business, or you're out! :)

This is how I imagine the process of developing free and open source software must work.  Am I getting close to understanding what makes F.O.S.S. such a powerful process for developing such excellent software?

Thank you,

perknh
« Last Edit: January 06, 2016, 09:53:37 pm by perknh »
Offline AndyInMokum

  • Global Moderator
  • Hero
  • *****
  • Posts: 4889
  • Karma: 1058
  • "Keep on Rockin' in the Free World"
  • Peppermint version(s): PM 9 & PM 10 (64-bit)
Hi perknh, the key to Linux is its permissions structure.  Anyone can look at the Source Code.  If you wanted it, you can go and download it.  You'll be able to read it and copy it, but you'll not be able to alter it or manipulate it until you've taken ownership of it; you know, chown -R etc.  Once this is done, you'll be able to make your modifications.  However, you now own a modified code.  This is why you'll not be able to apply it back to the Source.  You've taken ownership and it no longer belongs to the Source's owner.  You don't have permission to write it back to the Source.  Only the developers will be able to do this because they have that ownership.  You will need the root password to apply any changes, as will anyone wishing/needing to make any changes to the Source Code you downloaded/copied, took ownership of and modified.  The root password/phrase is going to be a lot more complex than 123 or password too.  It's this permissions structure that allows the FOSS movement to work.  It allows many eyes to read the code and report back on it with fixes when vulnerabilities are found.  It's then up to the developers to test, publish and apply the fix.  If they don't do it swiftly, all hell will break loose and reputations will be damaged.  In an earlier post I mentioned, "progress by mutual cooperation".  Using this system of permissions allows this concept to work.  It's extremely elegant.

In the closed source world, we don't have this luxury.  Only the original owners have permission to read, copy or write.  There's no chance of taking ownership.  Development of the code is restricted to a very small handful of developers.  For the most part, we the consumer have no idea of what's contained in the code.  We've no idea if there are vulnerabilities and if they're being addressed in a timely manner.  We have no idea of what malware has been deliberately added to the code.  Also, because we don't actually own the software, we have little to no input into which direction any development will take.  We are left to trust the integrity of large corporations and the will of their shareholders.  I know who I'm going to place my trust in  ;).
Backup! Backup! Backup! If you're missing any of these -  you ain't Backed Up!
For my system info please L/click HERE.

Offline PCNetSpec
Getting malicious code into the supply chain of default trusted repositories would in itself be nearly impossible .. any code added to the repos MUST be submitted and open sourced so it can be (and is) peer reviewed first, then unless you're part of the project you simply don't have permission or the GPG keys to upload it to the repos in the first place, and if you somehow managed to hack your way in and modify some existing code it would immediately be recognised because its cryptographic signature and hash sum would change .. and if you somehow managed to slip past that barrier, the code is open to "many eyes" and common to everyone so would quickly be spotted and rectified.
(this is why you're consistently told not to step outside the default repos for your software)

Now let's try the same thing with the Microsoft model...

Peer review of software is impossible as it's mainly closed source and Microsoft don't control the supply chain .. their users have to download it from sources they don't know they can trust from all over the web.
Sure the Microsoft code itself is pretty secure, but if someone managed to hack their servers and keys how do you know if they'd spot and rectify it quickly?

Third party software in the Linux world has to make it into the repos, so is open to the same review process then signing as project-developed code; in the Windows world it is not.

Understand this .. being closed source is NOT a means of protecting the code from being attacked, you don't need to have the source code to figure out if something has weaknesses, you can just probe its responses to input until you find a hole, or you can disassemble the binary (which won't give you the original source code, but it'll likely give you something close enough) .. the ONLY thing closing the source does is make it nearly impossible for "many eyes" review. Add to that the total lack of any security in the supply chain and the fact that third party software arrives in executable binary format which can self execute making system wide changes without user input / password, and you end up with the Windows ecosystem.

Neither model is totally impervious to attack, in fact even kernel.org has been hacked (but was spotted quickly because of cryptographic signatures) .. it's just more difficult in the open source world, and is recognised/rectified quicker .. and you as a user can KNOW this as you can check the code yourself.
(if the same thing happened at Microsoft you can be pretty sure they'd not tell you about it as they'd see it as reputation damaging .. in the open source world there'd be no point in kernel.org trying to hide it, they can't because the code is open, so reputations rest on the fast response and making sure it doesn't happen again .. think about that for a while ;))

Questions ? ;)

[EDIT]

Sure there's a possible scenario where a disgruntled package maintainer who does have the repo GPG keys could inject malicious code (though this equally applies to the closed source world), but because of the open source nature and "many eyes" able to review the code it would be quickly spotted, quickly rectified, and his reputation destroyed.
« Last Edit: January 06, 2016, 06:43:14 am by PCNetSpec »
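Added example, not code from the thread or from the Peppermint project: a small Go model of the two checks PCNetSpec describes in the post above (repository contents are signed by keys only project members hold, and every package carries a hash sum the client checks), run through the three cases the thread raises. ed25519 stands in for the repository GPG signature, the package names and contents are constructed sample strings, and the "project" and "attacker" keys are generated on the spot. The signature only proves who published the manifest; as the [EDIT] above points out, a maintainer who holds the key can still sign malicious code, and that case is caught only by review of the open source, not by this check.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Repo is a toy signed package repository: a manifest mapping package name to the
// SHA-256 of its contents, a detached signature over that manifest made with the
// project's private key (ed25519 here, GPG in a real distro), and the package blobs.
type Repo struct {
	Manifest  map[string]string // package name -> hex SHA-256 of contents
	Signature []byte            // signature over canonicalManifest(Manifest)
	Packages  map[string][]byte // package name -> contents as served to clients
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify against project key")
	ErrHashMismatch = errors.New("package contents do not match the signed manifest")
	ErrUnlisted     = errors.New("package is not listed in the signed manifest")
)

// canonicalManifest renders the manifest deterministically (sorted by name) so
// that signer and verifier hash exactly the same bytes.
func canonicalManifest(m map[string]string) []byte {
	names := make([]string, 0, len(m))
	for n := range m {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		fmt.Fprintf(&b, "%s %s\n", n, m[n])
	}
	return []byte(b.String())
}

func sha256Hex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// PublishRepo is the project side: hash every package, write the manifest and
// sign it with the private key that only project members hold.
func PublishRepo(priv ed25519.PrivateKey, packages map[string][]byte) Repo {
	manifest := make(map[string]string, len(packages))
	for name, data := range packages {
		manifest[name] = sha256Hex(data)
	}
	return Repo{Manifest: manifest, Signature: ed25519.Sign(priv, canonicalManifest(manifest)), Packages: packages}
}

// VerifyRepo is the client side (what a package manager does before installing):
// check the manifest signature against the project's public key, then check that
// every package blob hashes to the value the signed manifest promises.
func VerifyRepo(pub ed25519.PublicKey, r Repo) error {
	if !ed25519.Verify(pub, canonicalManifest(r.Manifest), r.Signature) {
		return ErrBadSignature
	}
	for name, data := range r.Packages {
		want, ok := r.Manifest[name]
		if !ok {
			return fmt.Errorf("%w: %s", ErrUnlisted, name)
		}
		if sha256Hex(data) != want {
			return fmt.Errorf("%w: %s", ErrHashMismatch, name)
		}
	}
	return nil
}

// Scenarios replays three cases from the thread against constructed sample
// packages (hypothetical names and contents) and returns each verification outcome.
func Scenarios() map[string]error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // the project's key pair
	if err != nil {
		panic(err)
	}
	genuineEditor := []byte("echo 'editor package as shipped by the project'\n")
	genuineShell := []byte("echo 'shell package as shipped by the project'\n")
	altered := []byte("echo 'editor package with bytes the project never signed'\n")
	out := map[string]error{}

	// 1. Untouched repository: signature and every hash check out.
	out["untouched"] = VerifyRepo(pub, PublishRepo(priv, map[string][]byte{"editor": genuineEditor, "shell": genuineShell}))

	// 2. A package is modified after publication and the manifest left alone:
	//    the signature still verifies, but the hash sum no longer matches.
	tampered := PublishRepo(priv, map[string][]byte{"editor": genuineEditor, "shell": genuineShell})
	tampered.Packages = map[string][]byte{"editor": altered, "shell": genuineShell}
	out["tampered-package"] = VerifyRepo(pub, tampered)

	// 3. The manifest is rewritten to match the modified package but signed with
	//    a key that is not the project's: the signature check fails first.
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	out["forged-manifest"] = VerifyRepo(pub, PublishRepo(otherPriv, map[string][]byte{"editor": altered, "shell": genuineShell}))
	return out
}

func main() {
	for name, err := range Scenarios() {
		fmt.Printf("%-17s -> %v\n", name, err)
	}
}
```

Running it prints `untouched -> <nil>`, a hash mismatch for the tampered package and a bad signature for the forged manifest. The order of the two checks matters: the manifest is verified before any package hash is trusted, so a rewritten manifest cannot "bless" altered contents unless the attacker also holds the project's signing key, which is exactly the supply-chain barrier the post describes.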