Librethreat Database
Summary: malware-threat-like database of threats to libre software (especially those that can be used to compromise software itself)
Name: Tivoisation
Threat type: License circumvention
Affects: Devices, copyleft
Recognised by: Most free software advocates
Also recognised by FSF: Yes
Summary: GPL2 is not strong enough to prevent DRM/TPM from stopping device owners from changing the operating system on their devices
Mitigation: Migrate to GPL3
Examples: Tivo

Name: Cloud
Threat type: Hybrid (Marketing, Technology category)
Affects: Privacy, freedom, control by the user
Recognised by: Many
Also recognised by FSF: Yes
Summary: There is no cloud, only someone else's computer (so you have no control over your computing)
Mitigation: Be very sceptical of / avoid relying on / boycott "cloud" solutions
Examples: Adobe, Microsoft Github, countless others

Name: Punix
Threat type: Broad category
Affects: Free software development, stability and reliability, autonomy, organisational structure
Summary: EEE of free software projects, infiltration of organisations that offer free software
Recognised by: freelabs federation
Also recognised by FSF: Not officially, at least
Mitigation: PONIX! Also avoid / fork / replace / document examples of Punix in software, assist Hyperbola and Guix developers
Examples: Pending

Name: Redix
Threat type: Broad category
Affects: Free software development, stability and reliability, autonomy, organisational structure
Summary: Disruption of POSIX, EEE of free software projects, infiltration of organisations that offer free software
Recognised by: freelabs federation, some critics of Systemd
Also recognised by FSF: No
Mitigation: Avoid / fork / replace / document examples of Redix in software, use Systemd-free distros, assist Hyperbola developers
Examples: Pycon, Systemd

Name: Infinite scrolling
Threat type: Semi-malicious UI design
Affects: Mostly websites, server-side software
Summary: Deliberately addictive design that not only psychologically manipulates the user into scrolling further, but also makes it difficult to navigate pages or reach the bottom of the page (when there is one)
Recognised by: Advocates of users, good design, ethics
Also recognised by FSF: Unknown
Mitigation: Boycott / avoid webpages that use infinite scrolling, create plugins that convert high-profile pages using it back into paginated pages, demand old-fashioned paging as an option from web admins
Examples: Twitter, wordpress.com (includes some limited mitigation/option), Diaspora, many others

Name: Gratuitous interdependency
Threat type: Semi-malicious design attack / development disruption
Affects: Existing modularity, user freedom, free software development / packaging / vital software that lots of people rely on
Summary: Grab lots of stable projects and deprecate/rework them into something more monolithic / EEE design tactics
Recognised by: Steve Litt, freelabs federation, some critics of Systemd
Also recognised by FSF: Very unlikely (or in very limited/historical context)
Mitigation: Avoid / boycott / document / stand against projects that use EEE-like tactics against high-profile free software projects
Examples: Systemd, PulseAudio, GNOME (GNOME does not strictly depend on Systemd; these are three separate examples)

Name: Framework attack
Threat type: Semi-malicious design attack / development disruption
Affects: Free software development / UX / UI, sometimes for years at a time
Summary: Replace a mature and stable framework with a new shiny one and send devs scrambling to make reliable software work again
Recognised by: Steve Litt, freelabs federation
Also recognised by FSF: No (except when the framework is non-free, of course)
Mitigation: Be sceptical of unnecessary framework replacement, maintain forks (if possible) of versions with the old framework until the new one is reliable / maintain LXDE
Examples: Systemd, LibreOffice, LXQT (non-malicious example, can't blame them for not wanting GTK3)

Name: Framework / dependency hijacking
Threat type: Development disruption
Affects: Free software development, stability, UX / UI, sometimes for years at a time
Summary: Similar to the framework attack, except that one happens from inside a project and this one happens upstream
Recognised by: Anybody that doesn't like GNOME, people who prefer GTK2, Python2 users
Also recognised by FSF: No (except when new versions of the framework become non-free, of course)
Mitigation: Modest or conservative dependency usage / minimal design / design that is compatible with at least 2 or more frameworks, choice of two default configurations (one that gets as close as possible to the previous version to allow a smoother transition)
Examples: GTK3, themed applications

https://framasphere.org/uploads/images/scaled_full_1033d2f64866dafcd9b7.png

Name: Code of Conduct
Threat type: Development disruption, social
Affects: Communication, software development, organisations
Recognised by: Some free speech advocates, some free software advocates, freelabs federation, Eric S. Raymond
Also recognised by FSF: Not necessarily (though the KIND guidelines suggest a possibility)
Summary: Can be abused to stifle and silence important feedback
Mitigation: Adopt a more reasonable version, avoid altogether, address the same problems that the CoC aims to, but with more allowance for free speech and diversity of opinion
Examples: FreeBSD Code of Conduct

Name: Bigotry, hate, discrimination
Threat type: Development disruption, social
Affects: Communication, software development, organisations
Recognised by: freelabs federation, most free software advocates
Also recognised by FSF: Yes
Summary: Can silence important feedback or punish/hurt people just for their differences
Mitigation: Work together to help prevent and counteract discrimination
Examples: Insisting any gender is ill-suited to coding or technology use/creation, harassing people for being trans

Name: AI-assisted software engineering
Threat type: Design attack / design disruption / highly speculative
Affects: Security, maintainability, human software development
Summary: If AI is already being used to cut corners in engineering, it can be used to plan and assist the implementation of disruptive software redesign -- key points of stability can be determined and undermined; AI could be used to introduce weaknesses in overall design as well as code
Recognised by: Science fiction authors, perhaps
Also recognised by FSF: Not yet
Mitigation: Not much needed; it is largely hypothetical and proposed as a thought experiment -- it would be interesting, though, for someone to create an AI that invents scenarios that threaten software freedom
Examples: Only hypothetical ones -- suppose you had AI map out a software project as a video game, and then wanted to introduce "baddies" that gradually overwhelm developers. AI can be used for planning, it can be used to drive enemy characters, and it should be possible to use it for creating subtle and increasing disruption in software development. http://www.primaryobjects.com/2015/11/06/artificial-intelligence-planning-with-strips-a-gentle-introduction/

Name: Co-opting charities
Threat type: Development disruption, social
Affects: Communication, software development, organisations
Summary: Some FLOSS-related and non-free software-related companies have complementary non-profit and commercial organisations; that isn't the problem in itself, though it is a problem when they co-opt charities to promote non-free software
Recognised by: Techrights, some public schoolteacher/activists, freelabs federation
Also recognised by FSF: At least as much as you would expect
Mitigation: Avoid / boycott / document / stand against projects that use EEE-like tactics combined with public charity organisations
Examples: Influence and changes in both public education and OLPC

Name: Apathy
Threat type: Development disruption, social
Affects: Communication, software development, organisations
Summary: Deface Wikipedia and get called a bastard; but deface free software projects and take over related organisations, and get named a "contributor" with people saying "it's not our problem" -- as the problems get larger, why are advocates getting quieter?
Recognised by: Techrights, freelabs federation, most likely some people from Dyne or Devuan also
Also recognised by FSF: To be determined
Mitigation: Avoid / boycott / document / stand against projects and companies that use EEE-like tactics against high-profile free software projects and organisations
Examples: Systemd, many free software advocates

Name: Appliance-like Distributions
Threat type: Hybrid (technical restriction, design disruption, marketing, OEM abuse)
Affects: Security, maintainability, privacy, freedom, control by the user
Summary: Some distros seem to be designed with building more restrictions into the user experience as a priority -- making GNU/Linux better simulate or act as a non-free platform. "Distros like this are the killshot for GNU/Linux, the triumph of Open Source over freedom" -- Ted MacReilly
Recognised by: freelabs federation
Also recognised by FSF: Yes, to the degree that they include non-free software
Mitigation: AVOID platforms that are more locked down than traditional GNU/Linux, document restrictions inherent and endemic to those platforms, encourage people to mitigate those restrictions and remove compromised features (F-droid, AOSP, Android without Google)
Examples: Chrome OS, Endless OS, Android, Elementary OS

Name: Digital Restrictions, other malware in kernel
Threat type: Technical restriction, design disruption
Affects: Security, privacy, freedom, control by the user
Summary: Handing control of the Linux kernel over to compromised developers could result in anti-features
Recognised by: freelabs federation, Techrights, others
Also recognised by FSF: One would hope they would treat fixing this as a priority if it happened
Mitigation: Reject DRM in other products to show a firm stance from users, expand Linux-libre scripts to remove Digital Restriction Malware
Examples: Proposals for DRM in the Linux kernel already exist

Name: GNOME
Threat type: Treacherous anti-free-software organisation
Affects: Security, freedom, design
Summary: Corruption among high-profile people in GNOME is so extensive and sustained that it should be considered a feature
Recognised by: Who agrees?
Disputed by: (let us know)
Also recognised by FSF: No, but Stallman did call de Icaza a traitor
Mitigation: Reduce reliance on software from GNOME, examine corruption endemic to the project, fight systemd, make people more aware of the history of GNOME abuses, reinstate Stallman, kick GNOME out of the GNU project, kick corrupt people out of GNOME.
Examples: Supporting and promoting Mono, de Icaza's treachery and defecting to Microsoft, Stormy Peters defecting to Microsoft, de Blanc's conflict of interest (OSI, Debian) creating systemd dependencies, taking money for "defending" from patent attacks in a way that harms GNOME and Free Software simultaneously.
More information: https://debian.community/mollamby-conflict-of-interest-privacy/ https://debian.community/fragmentation-and-maturity-in-debian/ https://debian.community/feed.xml

Name: Clickbait defamation
Threat type: Social, economic, organisational
Affects: Organisational stability, social standing of developers and free software leaders
Summary: Mainstream media (MSM) attacking free software developers and leaders with a very modern attack based on the contemporary ways in which consumers read and share news stories; deliberate dishonesty is a key factor
Recognised by: Lawrence Lessig, freelabs federation
Also recognised by FSF: At least a small but significant part of it
Mitigation: At least boycott sources that use clickbait for character assassination and to imply things that would traditionally set off a defamation suit if said outright
Examples: Forbes, Vice coverage of rms in 2019

Name: Malicious hardware and firmware
Threat type: Design attack / development disruption
Affects: User freedom, free software development, security
Summary: Harmful features that affect the user even if they reinstall the operating system
Recognised by: Techrights, Mark Shuttleworth, freelabs federation, free software advocates
Also recognised by FSF: Yes
Mitigation: Avoid / boycott / research / modify / document such hardware
Examples: Lenovo firmware payloads, ACPI vulnerabilities and exploits

Name: Academia
Threat type: Hybrid (Surveillance, Marketing)
Affects: Privacy, freedom, control by the user
Recognised by: ?
Also recognised by FSF: ?
Summary: Modern universities have unethical practices that include requiring students to install malicious and privacy-destroying software on their PCs.
Mitigation: Find universities that don't use this software; replace academia with something that actually respects human rights
Examples: > 1000 campuses across the world and growing

NOTE:
The four freedoms allow unrestricted modification and redistribution of software.
This database is not about making the 4 freedoms invalid or less important.
This database is a list of attacks that could be used to disrupt or lower the quality of existing free software projects (distributions, high-quality applications, organisations, and user freedom that is more abstract than the 4 freedoms).
These attacks are not always a threat -- they depend on context and the level of mitigation. Being able to change and redistribute (and sometimes choose alternatives to) the software is a requirement for mitigating these attacks, but there is a categorical difference between "the problem can be solved because the source is right there" and "the problem does not exist." It exists until you can actually solve it, of course -- and until you or someone actually does.
Licensing cannot mitigate all of these attacks, because trying to mitigate all of them in the license would interfere/clash with the 4 freedoms necessary for a free software license.
These attacks can only be mitigated by the cost of freedom itself: eternal vigilance, free and open debate, plus educated, well-informed users. It also requires understanding and integrity on the part of developers.