[Dev] Users vs distro responsability, Was: Criteria beyond FSDG compliance for Parabola and third party repositories?

Denis 'GNUtoo' Carikli GNUtoo at cyberdimension.org
Fri Dec 23 08:53:55 GMT 2022


On Thu, 22 Dec 2022 17:08:52 -0500
bill-auger <bill-auger at peers.community> wrote:

> not to mention that that parabola as a power-user distro, does
> not really want protect the user from oneself - i think myself
> and freemor agree, the "take-home message" should be "Parabola
> protects users primarily, by teaching them how to protect
> themselves, and providing clean tools and a clean base
> environment in which to do so"
I've another point of view on that which probably ends up with more
or less the same result.

Basically for me it's more about finding ways that can work:
- For instance, it would be almost impossible for individual users to
  take a non-FSDG compliant distribution (like Gentoo or Arch Linux for
  instance) and manage to use it in an FSDG compliant way.

  If they try to do that they would basically have to do the same work
  than other FSDG compliant distribution do, and given the amount of
  work, it's probably not doable by a single person completely alone.

  So here we do need collaboration, and so having certified
  distributions where people can report FSDG compliance issues and also
  participate to help fix them can more or less work (with the caveat
  that things aren't perfect, but we can at least work to improve the
  situation).

- In another hand we cannot make an alternate internet with FSDG
  versions of everything, so here teaching users that they are on their
  own is better.

So I think there is a bit of both, some things are best done in the
distribution, some are best done through education, other through
certification (like RYF), and it's often a good idea when trying to
fix a problem to see where work to fix it need to happen. And in many
cases we need to combine multiple things (like certification +
distribution work + education) to make it manageable for people.

> maybe freemor will like to look that over and/or improve or
> expand that article - freemor has been the most adamant about
> that aspect of parabola - explaining the rather low limitations,
> to how any distro can protect its users, especially debunking
> the common security paranoia support questions (such as: each
> user must define a "threat model" and be somewhat vigilant - the
> distro can not do that those things for everyone)
Part of it is probably due to the fact that we do not have an infinite
number of contributors with an infinite amount of time, and part of it
is also because security is very subjective. 

Here too, the distribution could decide which part of the security it's
responsible for and which part it's not by educating users. For
instance:
- Some security solutions are transparent to most users, like
  compilation flags such as -fstack-protector-strong. So if these
  security solutions are lightweight enough, a distribution can decide
  to be a little more slow in exchange for more security against some
  classes of attacks. And generally speaking free software contributors
  can contribute in that area. Distributions also do similar tradeoffs
  for other cases anyway (like use zstd vs xz for packages).

- Some security solutions have other tradeoffs than speed vs security,
  and there it does really require a threat model for each users or at
  least for classes of users. 

  For instance, Parabola could add support for some boot integrity
  protection on some ARM devices (like the USB armory for instance), but
  the downside is that the user could be locked out of their own
  devices if they loose the key signing the bootloader for instance. So
  we can't take a decision like that for our users if the distribution
  is meant to be general purpose enough.

  Another example would be to have a public computer without passwords
  at a location where multiple people live and trust each other, and
  enable anyone to fix things when there are problems. So having a way
  to disable passwords can also be useful there.

  Another example is that "users shound't write passwords on paper"
  works best for companies and not necessarily for individuals that
  can in some cases rely on the safety of the places they live in. And
  here the distribution is not involved in that.

  For all these cases, user education (if you enable boot integrity
  protection you'll most likely break your device) + good documentation
  (how to disable passwords) can work + some light threat modeling
  (what happens if my computer is stolen?) can probably work for many
  situations.

> parabola users even need to know how to protect themselves
> against parabola (learn about  makepkg, keep a liveISO and learn
> about pacstrap, etc) - there are no guarantees from parabola or
> any upstream - this month has been a specially wild ride -
> parabola has been broken in 3-4 rather serious ways this month -
> probably every parabola user hit at least one snag this month 
> 
> over-all, some "Parabola 101" primer would be helpful - eg: to
> update the obsolete "beginners guide" - ie: "what parabola can
> do for users" is a much shorter list and is less important than
> "what parabola users can (and must) do each for oneself" 

What about [[Parabola survival guide]]?
- It would tell how to reinstall Parabola in case something goes wrong.
  It would also have advise for different use cases, like for people
  that don't want to use liveISO we'd advise to have more than one
  Parabola installation on the computer. We'd could also add tips for
  installing pacman-static etc there.
- It would also tell what the users need to know about to stay safe
  (like update often).
- It would point to other articles for more in depth knowledge.

The article [[How does Parabola protects users against nonfree
software]] is more for potential users to understand what Parabola
protects against, and for end users, and also for contributors (like bug
reporters and people sending PKGBUILDs or patches) to understand what
is and isn't a bug.

For instance if a given person has this article in mind, she might not
send a bugreport anymore about removing all the web browsers because
Facebook isn't a free network service, or for removing software
interacting with iphones because the iphone (technically another
computer) runs nonfree software.

Some users might be able to survive using Parabola without knowing how
it protects them against nonfree software, but they'd absolutely need
to know how to repair it, how to keep the system updated, etc. 

So having both separate, and maybe use a tiny subset of [[How does
Parabola protects users against nonfree software]] in [[Parabola
survival guide]] might work best.

Denis.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.parabola.nu/pipermail/dev/attachments/20221223/82a922c6/attachment.sig>


More information about the Dev mailing list