Librethreat Database

From Techrights

(Difference between revisions)
Jump to: navigation, search

Schestowitz (Talk | contribs)
(New page: '''Summary''': malware-threat-like database of threats to libre software (especially those that can be used to compromise software itself) '''first entries''' == Tivoisation == Threat t...)
Newer edit →

Revision as of 03:33, 20 June 2019

Summary: malware-threat-like database of threats to libre software (especially those that can be used to compromise software itself)

first entries



Threat type: License circumvention Affects: Devices, copyleft Recognised by: Most free software advcates Also recognised by FSF: Yes Summary: GPL2 not strong enough to prevent DRM/TPM from allowing device owners to change operating system in devices Mitigation: Migrate to GPL3 Examples: Tivo


Threat type: Hybrid (Marketing, Technology category) Affects: Privacy, freedom, control by the user Recognised by: Many Also recognised by FSF: Yes Summary: There is no cloud, only someone else's computer (so you have no control over your computing) Mitigation: To be very sceptical of / avoid relying on / boycott "cloud" solutions Examples: Adobe, Microsoft Github, countless others


Threat type: Broad category Affects: Free software development, stability and reliability, autonomy, organisational structure Summary: Disruption of POSIX, EEE of free software projects, Infiltration of organisations that offer free software Recognised by: Free Media Alliance, some critics of Systemd Also recognised by FSF: No Mitigation: Avoid / fork / replace / document examples of Redix in software, use Systemd-free distros, assist Hyperbola developers Examples: Pycon, Systemd

Infinite scrolling

Threat type: Semi-malicious UI design Affects: Mostly websites, Server-side software Summary: Deliberately addicitive design not only psychologically manipulates user to keep scrolling, also makes it difficult to navigate pages or reach bottom of page (when there is one.) Recognised by: Advocates of users, good design, ethics Also recognised by FSF: Unknown Mitigation: To boycott / avoid webpages that use infinite scrolling, create plugins that turn high-profile pages that use it into pages / demand old-fashioned paging as option from webmins Examples: Twitter, (includes some limited mitigation/option), Diaspora, many others

Gratuitous interdependency

Threat type: Semi-malicious design attack / development disruption Affects: Existing modularity, user freedom, free software development / packaging / vital software that lots of people rely on Summary: Grab lots of stable projects and deprecate/rework them into something more monolithic / EEE design tactics Recognised by: Steve Litt, Free Media Alliance, some critics of Systemd Also recognised by FSF: Very unlikely (or in very limited/historical context) Mitigation: Avoid / boycott / document / stand against projects that use EEE-like tactics against high-profile free software projects Examples: Systemd, PulseAudio, GNOME (GNOME does not strictly depend on Systemd, these are three separate examples)

Framework attack

Threat type: Semi-malicious design attack / development disruption Affects: Free software development / UX / UI, sometimes for years at a time Summary: Replace mature and stable framework with new shiny and send devs scrabling to make reliable software work again Recognised by: Free Media Alliance Also recognised by FSF: No (except when the framework is non-free, of course) Mitigation: To be sceptical of unnecessary framework replacement, to maintain forks (if possible) of versions with old framework until new one is reliable / maintain LXDE Examples: Systemd, LibreOffice, LXQT (non-malicious example, can't blame them for not wanting GTK3)

Framework / dependency hijacking

Threat type: development disruption Affects: Free software development, stabilty, UX / UI, sometimes for years at a time Summary: Similar to framework attack, except that happens from inside a project and this happens upstream Recognised by: Anybody that doesn't like GNOME, people who prefer GTK2, Python2 users Also recognised by FSF: No (except when new versions of the framework become non-free, of course) Mitigation: Modest or conservative dependency usage / minimal design / design that is compatible with at least 2 or more frameworks, choice of two default configuations (one that gets as close as possible to the previous version to allow smoother transition) Examples: GTK3, Themed applications


The four freedoms allow unrestricted modification and redistribution of software.

This database is not about making the 4 freedoms invalid or less important.

This database is a list of attacks that could be used to disrupt or lower the quality of existing free software projects (Distributions, high-quality applications, organisations, and user freedom that is more abstract than the 4 freedoms.)

These attacks are not always a threat-- they depend on context and the level of mitigation. Being able to change and redistribute (and sometimes choose alternatives to) the software is a requirement for mitigating these attacks, but there is a categorical difference between "the problem can be solved because the source is right there" and "the problem does not exist." It exists until you can actually solve it, of course-- and until you or someone actually does.

Licensing cannot mitigate all of these attacks, because to try to mitigate all of these attacks in the license would interfere/clash with the 4 freedoms necessary to be a free software license.

These attacks can only be mitigated by the cost of freedom itself: eternal vigilance, free and open debate, plus educated, well-informed users. It also requires understanding and integrity on the part of developers.

Personal tools
Search entire domain