a3nm's blog

High priority free software projects

— updated

The Free Software Foundation just sent out an email asking for feedback about their list of High Priority Free Software Projects. As they said, "we encourage you to publish your thoughts independently (e.g., on your blog) and send a us a link". So I thought I'd answer. I'm an FSF member (just to support them; I'm not actively involved in anything), but of course my answer does not carry any special weight.

The points of this list are not really given in any specific order. The first three points cover most of the situations where I use proprietary software, so it's a bit geared towards my own needs and those of people around me. It excludes things like video games, because I feel that video games are works of art and not just software: it seldom makes sense to replace them by a free alternative, like you wouldn't replace a copyrighted movie with an "alternative" to that movie. The last two points are less about software proper, and about more general issues.

Developing an alternative to Skype

I use Skype to communicate with remote colleagues (aka coauthors, in researcher parlance). It is the only solution used by people around me for conference calls, except when they can't get Skype to work, in which case they sometimes switch to Google Hangouts, which is not really better as it may require a non-free browser plugin and in any case requires a Google account (so you cannot self-host it).

As Skype is not federated or interoperable either, you must use the Skype client to talk to Skype users, which makes it especially hard to replace Skype with a free alternative. (Back in the days of text messaging, I was able to switch from MSN Messenger to alternative clients because the protocol had been reverse-engineered, but it seems like this has not been done for Skype.)

To replace Skype, I would need a drop-in replacement that just works and that I could try to advertise. I tried to find such a solution some time ago, and tested various SIP clients in this hope, and couldn't find anything suitable. Skype is not even perfect, in fact, and sometimes does not work, but it works much more often than the alternatives.

Of course, as SIP is federated, SIP clients need you to open a SIP account before you can use them (some of them facilitate this process); this is an additional complication as compared to Skype, but OK, it is unavoidable, and you have to register for Skype as well. But then, the interface of these clients is ugly and ridiculously hard to understand even for experienced computer users. Worse, even when both parties are using the same client, it usually doesn't work. The call doesn't go through, there is no sound or distorted sound, the connection fails, etc. Worse, there are often no helpful error messages, logs, or other debug information to troubleshoot the problem.

There are a lot of hard problems to address to make a solution that works. If both users are behind NAT, you need NAT traversal. Sadly, with existing solutions, it doesn't work, even if you are root on a public server that you could use to relay the traffic. Also, if the connection is flaky, you want to avoid gaps in the audio. I suspect that Skype is fairly clever behind the scenes, as I sometimes hear it buffer speech during network hiccups and then send it and make up for the lag by speeding up speech and skipping blanks, so you don't miss anything. All of this is not so trivial.

Relying on Skype means relying on proprietary software, but it also means relying on a non-federated and non-interoperable protocol (and thus contributing to the network effect), and it also poses a security issue because there is no secrecy on the contents of Skype chats (as opposed to, say, SIP with ZRTP). In fact, the CNRS, the largest governmental French research organisation, which is related to my employer, recommends against the use of Skype. Yet such recommendations are ignored by all researchers I know, even when they are personally committed to the principles of free software: they need to work with other researchers who use Skype, and have no usable alternative to advertise.

What's needed: Developing a Skype alternative that works, both with a usable interface and the required backend features. Maybe WebRTC is a promising direction.

Developing and promoting an alternative to Dropbox

Some of my coworkers (not the majority) are starting to use Dropbox to collaborate on documents, instead of version control systems (VCSes), because it is easier. So I use Dropbox when I need to collaborate with other people who do, and I have no drop-in self-hosted replacement to offer.

Using Dropbox in this context is essentially laziness, as the complexity of setting up a VCS usually pays off in terms of added power: computing and reviewing diffs, using blame, having commit messages, branching, proper conflict handling, etc. Yet, in some contexts the hassle of updating, committing, and pushing manually, is not worth it, and it is better to automatically sync changes because there will often be no conflicts and little need to review old versions.

I would also need such a system to synchronize data between my machines. Manual rsync (or cronjobs) often suffice, sometimes VCSes are the right tool, yet sometimes automatic sync is all you want; especially on phones where manual solutions are impractical. So far I have resisted the temptation of using Dropbox for this, but I would be interested in a tool that would have the convenience of Dropbox.

This is not so obvious to engineer. It should rely on inotify or offer a FUSE FS to avoid polling for changes and sync with no noticeable lag (which excludes Unison). It should offer file access when you are offline (which excludes sshfs-based solutions). It should use bandwidth sparingly and avoid retransferring existing content (even doing this across files with different names, which is fine in theory but not done, e.g., by rsync). It should run also on Android so I can sync data with my phone. It should ideally rely on a VCS to resolve conflicts automatically when possible, and to offer sensible tools for manual resolution when needed (although the situation should occur rarely: only, e.g., when changing the same file on two different machines with one of them offline). I want a tool that solves only this problem and solves it well (which excludes ownCloud). Also, it should have good documentation and tutorials, which excludes git-annex (I still haven't understood whether it does what I want or not).

What's needed: Developing a Dropbox alternative that is easy to use, and document how to use it.

Making mobile phones usable with free software

Most Android applications are proprietary and distributed through the proprietary Play Store. The only libre alternative that I know of is F-Droid, and I use it exclusively, but it has about 1,300 apps listed as of this writing, whereas Google Play has a thousand times more. What is more, many proprietary apps are hard to replace, because they are designed to access the backend of specific services (train companies, banks, postal services, even public institutions, etc.): there are many such services, and they often don't have a public API.

Even forgetting about the apps, it is essentially impossible to avoid proprietary software on mobile phones. At the operating system (OS) level, Android used to be touted as open. Now the visible face of Android is riddled by proprietary Google applications. The pure open-source side of Android, AOSP, is barely keeping up. I use CyanogenMod to have Android without the proprietary Google stuff, but it has many limitations. For instance, the TextSecure SMS encryption service cannot be used without the proprietary Google Mobile Services, even though it is itself open-source (and bundled with CyanogenMod).

In any case, CyanogenMod does not solve the problem of proprietary drivers and firmware. The Replicant project does, but currently supports only 12 devices, and only partially (for none of them is both telephony and GPS suppported, for instance). At least it's a start, but hard to use for now. Then there is the issue of the radio firmware: to my knowledge the only libre implementation is OsmocomBB, with very narrow device support and no 3G. This is especially worrying: the radio firmware has unrestricted access to the entire phone and is constantly connected to an untrusted network. Replicant developers have found suspicious things there, and more may be lurking.

What's needed: Supporting the development of libre radio firmware alternatives, and of Replicant (or maybe the solution lies with other phone OSes entirely, such as Firefox OS). Support the development of F-Droid. Campaign so that people understand that not everyone is using Android or iOS, and that it is important to provide an alternative to non-portable apps (e.g., a good website).

Fighting back OS bundling and warranty exclusions

In France, as in many countries, most PCs are bundled with a Microsoft Windows license, even though it is illegal to bundle the sale of a service (the license) with a good (the hardware). Thus, when buying my Lenovo Yoga 13, I could not avoid buying a Windows license with it, and could not get it refunded from the manufacturer (Lenovo). (I had looked for comparable OS-free machines that I could buy instead, but the choice was too limited.) Of course, bundling does not apply only to Windows, but also to Apple computers. You can buy Mac OS separately, so it is not a free service, and it is bundled with the machine (even though it is leased to you by the same company that is selling you the hardware and does not expect you to run a different OS).

Going to the courts is not a realistic option: a Linux user sued Lenovo France in 2007 and the case is still open. The latest episode is a February 2014 ruling by the Cour de Cassation (French's last resort court) which cancelled a previous verdict and requested that the affair be judged a third time.

Advocates of bundling contend that customers cannot install operating systems themselves (and of course everyone uses Windows), so bundling is justified. The obvious counter-argument is that you could sell the hardware and sell separately an activation code for the preinstalled OS. In fact, now that Windows licenses need to be activated with Microsoft through the Internet, this solution would be essentially trivial to implement. Yet nothing has changed.

A related problem is the question of warranty. PC manufacturers tried for some time to avoid offering hardware warranty to users which had installed a different OS. Now mobile phone manufacturers will argue that jailbreaking, or installing a different Android, will void your warranty. I believe there should be a clear separation between the hardware and the software, and warranty should be offered on the hardware no matter which software is run. (For cases where buggy software could damage the hardware: if the hardware cannot withstand what the software asks it to do, it is its job to avoid getting damaged.)

Last, installing alternative OSes on computers and phones is blocked by technical measures: UEFI for computers, various locking mechanisms for phones...

What's needed: Legal support to consumers seeking reimbursement of bundled software, especially through collective means such as class action whenever possible. (There is a French support group but I'm not sure how active it is. At any rate, I could not get definite information about whether Lenovo France offers refunds for Windows 8 licenses (they don't).) Lobby for investigations into this practice using competition laws, like the Windows Media Player case in the EU. Help consumers who were denied warranty claims for a hardware problem because of the software that they run, lobby against technical restrictions and document ways to circumvent them.

Proprietary software and centralized computing

This is not at all a software project, just a closing comment about a battle that needs to be fought, which is distinct from the question of free software, but as least as important, in my opinion.

With the advent of customer broadband connections, it became clear that people would be tempted to use remote servers to perform their computing and store their data, even at the expense of their freedom. This switch back from personal computers to dumb terminals is well underway, and does not seem to stop. In this light, the original concerns against proprietary software seem quite tame in comparison with cloud computing. Yes, you cannot know what a proprietary program does, it could have a backdoor and give evil people access to your data, it may save your files in a proprietary format that nothing else can read, so you can't switch and your colleagues have to use the same program. However, in the cloud, you don't even know which software is running or when it changes, the data is already in the hands of others, and you may not even be able to retrieve it at all, so you are stuck and anyone working with you is stuck as well.

Ironically, with newer devices such as phones and tablets and Chromebooks, more people are using free software, without realizing it. Of course, there are proprietary vendor-specific programs and drivers, but the core is often free. Sometimes there are technical restrictions against tinkering with the device, but sometimes there aren't. Yet people do not know or care, because what matters to them is not the device, but the remote services.

To users, this is normal: they are entrusting their computing to specialists, like they do with their electricity, their food, their housing, and so many aspects of their life. Still this is not right: people are still expected to have their own opinions, their own vote, their privacy, and people's electronic trails are more and more entangled with their private thoughts and actions... Yes, computing is less vital, but it is a finer-grained power mechanism, so it is really dangerous to give it up.

Proprietary software, and centralized computing, are two different threats at two different levels, but I find the second one maybe more worrying than the first. For the first one, free software has scored some big victories. For the second one it's not even clear which alternative model we can propose...

comments welcome at a3nm<REMOVETHIS>@a3nm.net