Free, Libre, and Open Source Software Leftovers
-
Brandon ☛ Followgraph
Thanks to Lou I came across Followgraph this evening. It's a cool little utility that uses publicly available info to look at who you are following on Mastodon and then it suggests people to follow based off of a couple of criteria: 1) you aren't following them and 2) you have followers that are following them. A list based on follower overlap is then created.
-
University of Toronto ☛ Some thoughts on OpenSSH 9.8's PerSourcePenalties feature
On the one hand, this new option is exciting to me because for the first time it lets us block only rapidly repeating SSH sources that fail to authenticate, as opposed to rapidly repeating SSH sources that are successfully logging in to do a whole succession of tiny little commands. Right now our perimeter firewall is blind to whether a brief SSH connection was successful or not, so all it can do is block on total volume, and this means we need to be conservative in its settings. This is a single machine block (instead of the global block our perimeter firewall can do), but a lot of SSH attackers do seem to target single machines with their attacks (for a single external source IP, at least).
-
LWN ☛ Divvi Up: privacy-respecting telemetry aggregation
There is ongoing discussion about the ethics and effectiveness of telemetry following some recent LWN articles that touched on Thunderbird's use of opt-out telemetry and planned metrics in Fedora. The Internet Security Research Group (ISRG), the nonprofit behind Let's Encrypt, has a potential solution to the problem of how to collect and aggregate telemetry without violating users' privacy. The scheme is based on a draft protocol being standardized with the Internet Engineering Task Force (IETF), and has an open-source implementation available.
The ISRG's proposed solution is called Divvi Up. It's based on an existing research system from Stanford University called Prio. Unlike previous attempts to mitigate the privacy risks of telemetry with techniques like differential privacy, Prio ensures that as long as at least one participating server is honest, the aggregation servers learn "nearly nothing" about the users. In this case, "nearly nothing" is a cryptographic term of art which means that malicious servers can only learn a small and precisely bounded amount of information, depending on the choice of aggregation function. For simple sums and averages, malicious servers learn no additional information. Once the statistics have been aggregated by the servers, they can be made available publicly with no way to see or infer individual reports.
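As an added illustration (not Divvi Up's or Prio's own code), the additive secret-sharing idea that makes "at least one honest server" sufficient: each client splits its measurement into random shares, one per aggregator, each aggregator sums only the shares it holds, and the collector adds the partial sums to recover the total and nothing else. The prime modulus, the two-aggregator default and the sample reports are assumptions; Prio's zero-knowledge validity proofs, which stop a client from submitting an out-of-range value, are omitted here.

```python
"""Additive secret sharing over a prime field, in the style of Prio's split
between aggregation servers (simplified illustration, no validity proofs)."""
import secrets

# Assumption: any large prime works; this Mersenne prime is chosen for convenience.
PRIME = 2**61 - 1


def share(value: int, n_servers: int = 2) -> list[int]:
    """Split one client's measurement into n_servers additive shares mod PRIME.
    Any n_servers - 1 of the shares are uniformly random, so a coalition that
    misses even one server learns nothing about the value."""
    if not 0 <= value < PRIME:
        raise ValueError("measurement must be a field element in [0, PRIME)")
    shares = [secrets.randbelow(PRIME) for _ in range(n_servers - 1)]
    last = (value - sum(shares)) % PRIME  # forces the shares to sum to value
    return shares + [last]


def aggregate_shares(share_column: list[int]) -> int:
    """What one aggregator does: add up the shares it received, never the values."""
    return sum(share_column) % PRIME


def combine(partial_sums: list[int]) -> int:
    """Collector adds the aggregators' partial sums; only the total is revealed.
    Totals wrap modulo PRIME, which is far above any realistic report count."""
    return sum(partial_sums) % PRIME


def private_sum(measurements: list[int], n_servers: int = 2) -> int:
    """End to end: clients share, each server sums its own column, collector combines."""
    columns: list[list[int]] = [[] for _ in range(n_servers)]
    for m in measurements:
        for i, s in enumerate(share(m, n_servers)):
            columns[i].append(s)
    partials = [aggregate_shares(col) for col in columns]
    return combine(partials)


if __name__ == "__main__":
    # Constructed sample: one bit per client, 1 = "feature enabled".
    reports = [1, 0, 1, 1, 0, 1]
    print(private_sum(reports))  # 4
```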
-
LWN ☛ The complexity of BUSL transformation
The Business Source License (BUSL) is a source-available license that "converts" to an open-source license after a period of time. In theory, this means that a few years after a version of a product is released under the BUSL, it becomes open source and is fair game for Linux distributions to package along with regular open-source projects. In practice, the license throws a few curveballs that require special consideration and caution, as the Fedora Project recently discussed.
The concept of proprietary-to-open has been around for quite some time. For example, Aladdin Enterprises developed Ghostscript under a similar scheme from 2000 to 2006. The company's proprietary version, Aladdin Ghostscript, was released under the source‑available (and misnamed) Aladdin Free Public License first and then later as Ghostscript under the GPLv2. That, however, was a two‑step process where the source release was performed under a different name and a clear change of license.