> respects freedoms and privacy of its users

It downloads the binary over http on http://ring.cx, which makes it susceptible to tampering. Is serving binaries over HTTP a GNU thing because the expectation is that you would check the signature?
Care to elaborate? http://ring.cx has a 301 forward to https://ring.cx, and all the downloads seem to use https as well. Where is it using plain http? Or was the forward added in the last hour?
Sure, although not in mainstream browsers if there's HSTS + HSTS preloading, which can be easily adopted by any site. Outside browsers, HSTS is usually not supported. It was actually implemented by wget, but without preloading, so it only works after first use, which is much less useful.
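The difference the comment draws between HSTS with and without preloading is easy to see with a small model. The following is an added example, not code from the thread or from Ring, wget or any browser: it parses a `Strict-Transport-Security` header value (RFC 6797 syntax), checks it against the published preload-list submission requirements (max-age of at least one year, `includeSubDomains`, `preload`), and models a simplified non-browser client that caches HSTS but has no preload list, so its first plain-HTTP request goes out unprotected. The header values and host name are constructed sample data; `HstsCachingClient` is a hypothetical simplification, not wget's actual implementation.

```python
"""Added example: HSTS header parsing, preload eligibility, and a first-use model.
Not from the thread or any of the projects it discusses."""

from dataclasses import dataclass

ONE_YEAR = 31536000  # seconds; minimum max-age the preload list accepts


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security header value per RFC 6797.

    Raises ValueError on duplicate directives or a missing/invalid max-age,
    which a conforming client treats as an invalid header (policy not applied).
    """
    policy = HstsPolicy(max_age=-1, include_subdomains=False, preload=False)
    seen = set()
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        if name in seen:
            raise ValueError("duplicate directive: " + name)
        seen.add(name)
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                raise ValueError("max-age must be a non-negative integer")
            policy.max_age = int(value)
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
        # Unknown directives are ignored, as RFC 6797 requires.
    if policy.max_age < 0:
        raise ValueError("max-age directive is required")
    return policy


def preload_eligible(policy: HstsPolicy) -> bool:
    """Does the policy meet the preload-list submission requirements?"""
    return policy.max_age >= ONE_YEAR and policy.include_subdomains and policy.preload


class HstsCachingClient:
    """Hypothetical non-browser client: honours HSTS, optionally with a preload list.

    With an empty preload list, the first request to a host is made over the
    scheme the caller asked for; only after an HTTPS response carrying HSTS is
    the host upgraded (the "works after first use" behaviour the comment describes).
    """

    def __init__(self, preload_hosts=()):
        self.known = set(preload_hosts)

    def scheme_for(self, host: str, requested_scheme: str) -> str:
        return "https" if host in self.known else requested_scheme

    def record_response(self, host: str, scheme: str, headers: dict) -> None:
        # RFC 6797: HSTS headers received over plain HTTP must be ignored.
        if scheme != "https":
            return
        value = headers.get("strict-transport-security")
        if value is None:
            return
        policy = parse_hsts(value)
        if policy.max_age == 0:
            self.known.discard(host)  # max-age=0 clears the cached policy
        else:
            self.known.add(host)


def first_use_is_protected(preload_hosts=()) -> bool:
    """Simulate a client fetching a constructed host first over http, then https."""
    host = "example.invalid"  # constructed host name
    client = HstsCachingClient(preload_hosts)
    return client.scheme_for(host, "http") == "https"


if __name__ == "__main__":
    sample = "max-age=31536000; includeSubDomains; preload"  # constructed value
    print(parse_hsts(sample), preload_eligible(parse_hsts(sample)))
    print("first use protected without preload:", first_use_is_protected())
    print("first use protected with preload:", first_use_is_protected(["example.invalid"]))
```

Running it shows the two outcomes side by side: the preload-eligible header is recognised, and the cache-only client leaves the first request on plain HTTP while the preloaded client upgrades it immediately.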
While I'm sure it's well-intended, it does have a couple of fatal flaws.
* Lack of full forward secrecy means logged network logs can be decrypted in the future if an endpoint key is ever compromised.
* e2e encryption is optional, due to legacy SIP support. This is extremely dangerous as it will no doubt lead to a false sense of security, with users assuming they're safe just because Ring is the program they're talking through.
Due to these two I cannot actually recommend it to anyone.
Note that Tox got these two right, and is a pretty active project which gets commits semi-daily, regardless of the nonsense about it being dead that some party seems to be spreading.
> e2e could be enforced for the DHT clients if the user states they aren't going to be using SIP though, right?
That needs user intervention, which implies his understanding of why it is necessary.
Here's a better idea: remove backwards compatibility. Perhaps they could release a separate SIP client under a different name. Just keep it away from Ring itself. Let Ring be actually secure.
The DHT system for identities is cool, but the thing that gets me is that they don't have support for SRTP with ZRTP, only SRTP with SDES. There's no perfect forward secrecy, and a bunch of other features that ZRTP has.
A more comparable thing to Signal is Matrix [1] and its client Riot [2]. Theoretically, it has perfect forward secrecy. It's not as distributed as Ring is, but there is no centralized server as in Signal either.
Riot is also in F-Droid. So while not a GNU member, I find it sufficiently open and free.
A totally distributed approach with forward secrecy is Tox [3]. It needs a good code audit, though. And as in Ring, P2P causes data consumption issues on mobile.
The ID service in Matrix is optional, and should be called an 'ID mapping service', really. All it does is map 3rd party IDs such as email addresses to decentralised Matrix IDs. Currently it is a logically centralised service, and this is a major shortcoming: in future we intend to decentralise it as much as possible. This is Hard however, and we're kinda hoping that a decentralised equivalent to Keybase will come along and do the work for us :) Until then, you don't have to use the existing centralised thing if you don't like it :)
Has ring improved much? I remember a few months back it used 28gb of background data over LTE (which was fine since I'm uncapped) on my phone, and was less stable than sflphone, which would randomly stop registering occasionally.
I can recommend pjsip though, very reliable so long as you read its docs before writing a script to leverage it.
And most mobile clients use pjsip, at least non-commercial ones (aside from popular sipdroid). I don't know what Bria uses but if I lose signal it slams my battery. Unfortunately it also works best for my commercial line.
CSipSimple is an Android implementation of the pjsip library. Taki is another for BB10. They are both fairly reliable. I don't know any on iOS (sry).
According to the docs, it gives you the option deep in the settings to add your own STUN and TURN servers. It seems like it doesn't ship with any preconfigured. That makes it a non-starter for me.
GNU developer here (MediaGoblin lead developer). GNU projects get to decide whether or not to do copyright assignment to the FSF. As an example, MediaGoblin and Guix don't require copyright assignment, while Guile does.
I have interacted with Tox core devs, and the exchange was not pleasant. The overlap between professional and mature (both in social and engineering aspects) seems to be very slim in the security space.
There seems to be no browseable source code around, what are the implementation language(s)? I want to know whether the protocol implementations are written in a memory-safe language.
Is there a well-known discovery document or any other way to create shortcuts for the ringID? (i.e. mapping it somehow to web or email address) I doubt many fancy spelling ringIDs.
What's the advantage of being a GNU project these days? It seems like it ties you very strongly to the FSF's political opinions and in particular Richard Stallman's political opinions (e.g., eugenics) and restricts your technical decision-making options (e.g., limited plugin architecture, limited support for non-free OSes, mandatory support for things like GNUTLS), while not giving you very much in return - with the existence of GitHub and a wide variety of competitors, it's pretty easy to attract a healthy development community independent of GNU. What am I missing?
>seems like it ties you very strongly to the FSF's political opinions
Some are happy to be associated with the opinion that all software should be free.
>in particular Richard Stallman's political opinions (e.g., eugenics)
Richard Stallman's opinions, outside of the realm of free software, are irrelevant in the context of the GNU project. Throwing out eugenics like that feels manipulative to me.
>restricts your technical decision-making options
The next few paragraphs will explain why what you see as restrictions aren't seen the same way from the perspective of GNU developers.
>limited plugin architecture
You are of course referring to exposing the AST of GCC to other (possibly proprietary) programs, which was a GCC-specific issue. It doesn't broadly apply to everything. I help maintain GNU Guix, a project designed from the ground up to be as extensible as possible, and there has been no such issue. Nor does GNU Emacs have an issue with extensibility.
>limited support for non-free OSes
I think this is distorting the truth a bit. The point is that the focus of the GNU project is to develop a fully free operating system, and maintainers should focus their efforts accordingly. That doesn't mean that GNU software shouldn't work well on other, proprietary operating systems, and maintainers shouldn't reject patches from contributors that add or improve such support unless it adds a significant burden. Bottom line is: GNU software should work the best on the GNU system, which seems sensible to me. The GNU maintainer guidelines go into more detail about this topic.
>mandatory support for things like GNUTLS
Software in the GNU project should work well with or use other software in the GNU system. Again, those that participate in the GNU project think this is positive, because GNU should form a cohesive whole, just like MacOS or Windows should.
>while not giving you very much in return
GNU and the FSF give Guix a place to host many Git repos, space for a website, several mailing lists, a bug tracker, they colocate our hardware in their datacenter, give us virtual machines on their own servers, handle donations, and promote our releases. I think it's a pretty great deal given the project is philosophically aligned with the free software movement.
>With the existence of GitHub and a wide variety of competitors
I wouldn't call GitHub a competitor. GitHub is just a code hosting site, GNU is a unified project with a political mission.
> Richard Stallman's opinions, outside of the realm of free software, are irrelevant in the context of the GNU project.
But his entire point is that free software is a moral imperative, and that it is morally better to have no software at all than non-free software. How can you separate morality into parts?
And, if you do, where do you divide it? Are politics that affect what copyright laws may exist relevant? Are meta-politics like voting rights or styles of government or campaign finance relevant, if they affect how copyright laws get decided?
> the focus of the GNU project is to develop a fully free operating system, and maintainers should focus their efforts accordingly
Right. It seems to me that becoming a GNU project means that you are required to focus your efforts in certain ways. You are completely free to focus your efforts in those ways without being part of the GNU project, though. It simply restricts your options.
If you trust the GNU project to be better than you at finding the morally right thing to do, then it makes sense to ask GNU to restrict what you can do. As a churchgoer I totally understand why you might want to outsource your morality to a larger organization consisting of more people than you who think harder about things - but it matters a lot that you find the right organization, and that you can trust the people who run the organization to be making good moral choices in general. There are a number of churches where I do not, and I don't associate myself with them, no matter how much I agree with most of their views. Similarly, I find it hard to trust the future moral decision-making of someone who supports eugenics. If I support their current moral stances on free software (and, as it happens, I agree with the vast majority of what Stallman says about free software), I can always just adopt those stances as my own.
> I wouldn't call GitHub a competitor.
Sorry, that was unclear - I meant GitHub and GitHub's competitors (in case you philosophically disagree with GitHub). It gets you a lot of stuff self-service that years ago was much more easily had through affiliation with GNU, or Apache, or Red Hat, or someone else.
I concede that donations and marketing are things you get from GNU that you wouldn't get from GitHub etc. (Although I think many projects find that being on GitHub gives them visibility in a way that seems likely to make up for the lack of explicit marketing, depending on the project.)
Over half an hour before you posted, a project maintainer directly contradicted your post under this thread. Technical decisions are made by the maintainers, not by the GNU project.
This is not news to me, but it's the maintainers of a project that decide over their project. It's like how the CEO of Microsoft does not control what Apple does, nor vice versa. Two projects with different people in charge make different decisions and have different priorities.
The good thing about reading other posts is that you might realize that not every project is run the same way. If you have an axe to grind with GCC over their priorities, maybe you should try to convince them that your priorities are more important than theirs, rather than complain in an HN thread that has nothing to do with having proprietary compiler modifications to GCC.
https://libreboot.org/gnu-insult/ (GNU maintainers telling a GNU maintainer they cannot take their project out of GNU, and it "is for the Saint IGNUcious to decide")
Stallman is the CEO, and maintainers are, at best, VPs. I have no axe to grind with the GCC maintainers over their priorities - I just wish they had the ability to follow their own priorities.
> RMS telling the GnuTLS maintainer they can't move their project out of GNU (and still call themselves GnuTLS).
Trademark is not technical decision-making. Hurd cannot call themselves the Linux kernel, blaming Linus for "restricting their technical decision-making options" when he would object. That a project does not want to rename themselves is understandable, but such is how trademarks work.
> GCC maintainers want certain priorities, RMS (as member of the GCC steering committee) overrules
GCC does not have a GCC maintainer who decides over the project. It has a steering committee, similar to the Debian technical committee, whose designated role is to overrule maintainers. Stallman is also part of that committee, while other people of the FSF are not. There is no requirement for GNU projects to have a steering committee, and no rules that dictate that Stallman must be part of the committee if one exists.
> Emacs maintainer threatening to fork Emacs (over the GCC decision)
Which they are allowed to do. Emacs was founded by Stallman and what is called "GNU Emacs", as a trademark issue, will likely continue to rest with him. There are no "technical decision-making options" involved there, and the dispute is not about any code involving Emacs. If the fork ended up successful it would likely replace the code of GNU Emacs as has happened in the past.
> GNU Libreboot changes name to Libreboot
Again, trademark and no technical decision-making options. Libreboot is now one project, and GNU libreboot might be one. People can fight about who is the fork and who is the original, but it has no technical-decision aspects to it. Both projects can write code and add any feature they wish.
The only thing that Stallman and the FSF decide is about the GNU project and the GNU trademark. Technical aspects of each project are up to the maintainers or whatever community structure they have chosen. Some are committee based, others have a BDFL or project maintainer, and some are just a flat structure of several maintainers each holding only one vote in the decision process. Simple projects generally have a single maintainer and can make all the technical decisions themselves.
The GCC issue itself is not the point. It serves as a direct counterexample to the claims you and he are making about how GNU projects are run.
Maintainers of low-impact projects have more leeway. If your project matters to GNU/FSF leadership, you will have less freedom to make your own decisions.
It's as simple as that.
I don't really need this part about "complain in an HN thread that has nothing to do." I'm totally uninterested in being demeaned for trying to explain a point you don't like. Please try to avoid personal attacks and understand that the GCC maintainers already expressed this desire and did work toward it and were denied this choice for political reasons. This situation is directly and unequivocally related to the discussion at hand.
You don't need to use personal attacks just because I'm trying to explain a point you don't like. I am only trying to help you understand.
GCC is run by a committee whose stated role is to overrule maintainers (https://gcc.gnu.org/steering.html). It has nothing to do with Ring, nor does Ring have a steering committee. If Ring had a steering committee, and if Stallman was part of that committee, then he would be part of the technical decision-making process. But he is not, nor is the FSF, and there is no such committee for Ring.
Sorry, 'stonogo was not making a personal attack. The personal attack was this sentence: "If you have an axe to grind with GCC over their priorities, maybe you should try convince them that your priorities are more important than theirs, rather than complain in a HN thread that has nothing to do with having proprietary compiler modifications to GCC." Calling something an "axe to grind" is an argument over the making of the argument, not a response to the argument itself. (As is calling something "a point you don't like", as opposed to a matter of disagreement.) See also http://paulgraham.com/disagree.html .
'stonogo and I believe that the points you are making are incorrect. That is not a personal attack, and assuming that you must be correct and need to help us understand is a great way to pull the argument back down into personal attacks.
So, why does GCC have a steering committee and Ring not? Is it possible that Ring could have a steering committee in the future? Can that happen without the enthusiastic consent of the maintainers?
"being demeaned for trying to explain a point you don't like" was a personal attack, since there was no intention of demeaning. The statement in your quoted text was that this is not the place for criticizing GCC over what their steering group has decided, as neither Ring nor the GNU project was involved in that internal decision between the GCC steering committee and GCC maintainers (a steering committee which is made from current and historical GCC maintainers).
> Is it possible that Ring could have a steering committee in the future? Can that happen without the enthusiastic consent of the maintainers?
A steering group, or for that matter any form of leadership structure, can only pop into existence if the project itself decides to create one. If we look at the announcement of the GCC steering group:
"From its initial conception, the egcs project [now GCC] has strived to organize itself in a manner which prevents any particular individual or company from having control over the project.
To that end, when the project was formed several individuals were contacted to make decisions for the GCC project. These individuals come from a variety of backgrounds and represent various groups with an interest in the long term health of GCC.
We feel it is in the best interest of the GCC project at this time to turn this informal group into an official steering committee, and to make public its membership."
> Utter nonsense. Being part of GNU doesn't imply agreeing with every word Stallman utters on any topic.
Of course it doesn't. But associating yourself with GNU is, very straightforwardly, associating yourself with Stallman. What is the advantage of doing so?
If there is such an advantage, then yeah, I think it's totally fair to dissociate yourself from his political views. But it seems to me like joining GNU is solely a political statement and a sign of agreement with Stallman's views on morality (since he frames free software / computing freedom as a moral issue). I don't know why anyone would want to make that statement unless they actually want to be associated with his political and moral views. That's all I'm asking. Is there another reason to associate yourself with GNU?
> But it seems to me like joining GNU is solely a political statement and a sign of agreement with Stallman's views on morality (since he frames free software / computing freedom as a moral issue).
GNU's views on software. Stallman's just the figurehead for these. I don't care what his opinions are outside of this, nevermind agree or disagree.
> Is there another reason to associate yourself with GNU?
As I said, I can't think of any in the first place. But I'm still glad GNU and FSF do exist, and that their views are so extreme.
If they weren't, then a much softer position would be called extreme instead. The world would be worse for it.
Sure. I'm not saying it is; you're welcome to implement that choice voluntarily. What's the benefit of being required to make that choice as part of being a GNU project?
"A new noninvasive test for Down's syndrome will eliminate the small risk of the current test.
"This might lead more women to get tested, and abort fetuses that have Down's syndrome. Let's hope so! It is very wrong to intentionally subject a person to life with a serious disability, given the option to abort and try again."