
Contents

How and why the FSF drives free software development ...... 1
Why we still need GnuPG ...... 3
Nonfree digital drugs are a bad idea ...... 4
Escaping the JavaScript trap with LibreJS ...... 6
On the road with RMS ...... 8
How the tech team has been supporting you and GNU ...... 10

How and why the FSF drives free software development

While much of the public attention the FSF receives focuses on our activist campaigns and our advocacy work, associate members who join the FSF as a way to give back for all the free software they use should feel confident that their support will indeed help produce more of that software. Here are three ways in which the FSF drives free software development.

First, we directly fund development, from our general budget – especially programs we need for our own operations, or programs connected to one of our current campaigns. Most recently, we funded GNU LibreJS, which meets both of these criteria (see page 6). We also serve as a fiscal sponsor to several projects, allowing people to fund their development. Because of the trust donors have in the FSF's integrity, affiliation with the FSF means that projects are potentially able to attract significant amounts of funding. This fall, for example, a group called Handshake gave a total of $500,000 to multiple projects sponsored by the FSF.

Second, the FSF provides direction to guide overall development. Working with a committee of experts who solicit extensive feedback from the public, we maintain a High Priority Projects list highlighting areas that need more investment of resources and time ( ). We recruit volunteers to work in these and other areas, including placing interns who are able to spend a few months helping a project while learning skills that will lead them to a lifetime of promoting and creating free software. Furthermore, we set high standards under our Respects Your Freedom product certification program that motivate development ( ). These standards inspired , the fully free boot firmware project, and they continue to encourage developers to solve difficult problems.

Third, we provide infrastructure used by thousands of contributors to GNU and other free software projects, including mailing list servers; a shell server; build machines; wikis; software distribution; bug trackers; Web servers; virtual machines; and more. Not only do we provide all of this gratis, but we run it using free software on hardware we maintain, enabling developers to stay true to their principles (see page 10). We also provide legal infrastructure, managing assignments for many GNU packages, and enforcing the GNU General Public License to protect the free software commons.

In our 2017 fiscal year, we spent over $300,000 supporting free software development in these ways. In our new fiscal year, thanks to Handshake, as well as a $1 million donation from the Pineapple Fund, we are poised to dedicate even more resources to it. We make this a priority because our mission is to enable users everywhere to live fully free digital lives. To do that, they must have free software that does all of the things they want and need to do. When free software does an excellent job meeting users' needs, it helps prove companies wrong, demonstrating that we actually can have fully free computing. Using a free program is also often the way people first get interested in learning more about how unethically the typically treats them. Supporting free software development is a double win: it leads to programs we need while also boosting our advocacy and campaigns work.

While the FSF doesn't currently employ anyone full-time to develop software, we inspire and drive development in these impactful ways. We're fortunate that donors are increasing their commitments in this area; given the immensity of the task, it's imperative that we turn those resources into successes that will attract even more such commitments. Our long-standing reputation and skilled staff allow us to provide the technical, communications, and fundraising infrastructure enabling hackers to focus on their area of expertise: the code. You can rest assured that your donations and memberships are an effective way to give back and support future much-needed free software development.

Why we still need GnuPG

The use of GNU Privacy Guard (GPG) encrypted emails is important for political dissidents, journalists, whistleblowers, and those who need to protect the privacy of their messages. GPG is an essential tool for securely encrypting and signing communications, in order to mitigate surveillance and impersonation. For some people, their very life, and the lives of those they love are at stake, so ensuring that their communications are secure is critical. Even for those of us who do not have this level of need, we should still aim to not simply hand over our private information to whichever surveillance states and email service providers happen to be recording our communications. In addition, ordinary everyday use of GPG helps to provide cover for others who need it the most. The FSF created the Email Self-Defense Guide at to expand the practice of email encryption.

In May 2018, announced a vulnerability, dubbed EFAIL, for some email clients that use GPG or S/MIME to decrypt encrypted messages. S/MIME is an encryption scheme that relies upon a certificate authority instead of peer-to-peer key signing. In the case of GPG encrypted emails, the vulnerability was not in GPG itself, but rather in the way that some email clients decrypt messages that would allow attackers to embed such messages in the context of maliciously crafted HTML code. After decryption, loading HTML elements or clicking on links could then exfiltrate that data to remote servers. Some users could work around this problem by disabling HTML rendering of emails, because without loading HTML elements, the data could not be exfiltrated. However, for S/MIME users, disabling HTML rendering alone was not entirely secure. Some GPG users remained at risk, because Apple's proprietary email client doesn't allow disabling HTML rendering of emails.

The Electronic Frontier Foundation (EFF) published an article about the vulnerability, drawing attention to the problem, and controversially recommended that people stop encrypting and decrypting emails within their email clients until the issue was resolved. Since that time, all known attack vectors have been patched and resolved in Icedove and Thunderbird, as well as Enigmail, which is a GPG encryption and decryption plugin for those email clients. As far as EFAIL is concerned, using GPG with Enigmail should be safe, as long as you and the people you are corresponding with are using the latest version of the plugin and email client. Even if there are more unknown attack vectors, we still believe that people should use GPG to protect their email and to provide coverage for those who depend on it the most, with the caveat that the right answers here may differ for people who believe they are or may be individually targeted by well-resourced surveillance.

For added safety, you should still disable HTML rendering in your email client. Disabling HTML rendering of emails should reduce the attack surface of your email client if future vulnerabilities are discovered. While disabling the automatic loading of external HTML assets, another common feature, will help to protect your IP address and other information, it is not sufficient to mitigate EFAIL alone, because loading assets manually remains possible, and is therefore insecure. Another preventative measure that is not strictly necessary, if you are using the latest version of Enigmail and your email client, is to copy and paste links into a text editor and to eyeball them before following those links. If you use another email client, you should check the project's Web site, or contact one of its maintainers, to see how well it's mitigating known attacks against GPG encrypted email.

The EFAIL vulnerability is just another demonstration of the benefits of free software: GPG and Enigmail are free software, and their source code is available to be audited by anyone, so researchers can find security holes and fix them. Researchers who find issues and write patches may share them freely with everyone, and those patches may also be audited by anyone who knows how. On the other hand, if you use proprietary software, like Apple's bundled email client, you may have to deal with antifeatures that compromise your security when opening encrypted email, and you are left unable to write and share patches to that proprietary software.

This attack requires that we reach out to our friends to let them know how to secure their email communications, because both the past senders and recipients of encrypted emails are potential targets of this attack. If you are new to GPG email encryption, using GPG to encrypt your emails is quite easy, and contains a step-by-step guide to get you started.

Nonfree digital drugs are a bad idea

Aripiprazole, also known as Abilify, is an antipsychotic drug used in the treatment of schizophrenia and bipolar disorder. It's also a successful conjunctive (or add-on) therapy for major depressive disorder, and has been known to help bipolar individuals during major depressive episodes. For some people, Abilify may be a lifesaving treatment.

Escaping the JavaScript trap with LibreJS

Most Web pages contain nonfree JavaScript programs that, like other nonfree programs, deny you freedom. The primary functionality of many sites won't work without running JavaScript. This includes almost all .

Why is JavaScript so prevalent? Without it, Web sites are written solely in HTML and similar markup languages that intentionally lack the features of a programming language, and are limited to a specific set of behaviors. JavaScript can accomplish much more, and is often used to enhance HTML. Because JavaScript is so easy to download and works almost the same on every browser, it has become one of the most popular programming languages, and many complex programs have been created with it, including Google Docs.

The dark side of JavaScript, however, includes many of the standard abuses that can come with nonfree software: for instance, one common function of nonfree JavaScript is to record your actions while looking at a Web page ( ), often used to identify and profile you. An ethical Web site does not know who you are until you tell them. Identifying and profiling users without their consent is a huge violation of your privacy, but it is unfortunately very common.

The program GNU LibreJS detects nonfree JavaScript in pages you visit and blocks it, preventing it from running and thus saving you from giving up your freedom ( ). LibreJS is included in the GNU IceCat browser, and is available as an add-on for Firefox and Abrowser.

Blocking JavaScript is already more common than you think – adblockers often block JavaScript programs coming from domains that serve ads, since these programs are usually malware or unnecessary. But just blocking ad-related JavaScript is not good enough. We need the freedom to run, edit, contribute to, and share the software we use. You can find out more about our Free JavaScript campaign at .

This issue desperately needs more action. Here are some things you can do:

Install and use LibreJS.

Ask Web site owners to stop including nonfree JavaScript. In most cases, a Web site should not require running any JavaScript at all in order to use it, as the functionality of the Web site does not justify requiring you to run a program. Any JavaScript that is included should be made free and validated with LibreJS.

When someone recommends you go to a site with nonfree JavaScript, make sure they know about this issue.

Make free replacement programs for nonfree JavaScript. Sometimes this includes the existing JavaScript so the replacement will work with a specific Web site. IceCat includes some extensions that are free JavaScript replacements for specific Web sites. The FSF, with the help of an intern, Alyssa Rosenzweig, is close to recommending a replacement for nonfree JavaScript for making payments with PayPal called Pagamigo ( ).

Improve JavaScript tools so they facilitate creating LibreJS-validated sites. For instance, JavaScript tools which compact source code should be improved so they automatically provide the location of the source code to LibreJS.

General JavaScript development learning resources also need contributions to include teaching developers how to make their code free for users.

In 57, released in November 2017, switched to a new API for extensions called WebExtensions. For LibreJS to work with this new API, it required an almost complete rewrite. As I write this, LibreJS 7.18.0 was recently released. It has major improvements and is even better than before the rewrite, including a more intuitive interface and much faster source code checking. Our contractor, Giorgio Maone, the author of NoScript, has been helping us with a lot of improvements to LibreJS. The new versions are compatible with modern Mozilla-based browsers that use the WebExtensions API, including the recently released GNU IceCat 60 ( ). LibreJS is now much faster and more robust, and we are working on further improvements to make licensing-tagging easier for Web developers.

LibreJS has one core developer and is improving quickly, but it could use help with further development, including features such as internationalization of the user interface, support for running on Android and Chromium, and better documentation, more testing, and debugging. If you want to help with these tasks, please subscribe and write to the mailing list at .

On the road with RMS

The past six months have been characteristically busy for FSF president (RMS). He gave thirty speeches, spoke at eight conferences, keynoted one conference, and took part in two panels. A little over half of his talks were in Spanish, a couple in French, and the rest were in English. His travels took him to twenty-six different cities, across ten countries.

In April and May, he participated in two events in Canada. In Ottawa, Ontario, he took part in a public discussion with Joseph Potvin, executive director of the Xalgorithms Foundation, about a free software solution to the debacle of the Phoenix pay system, the Canadian government's payroll processing system, which relies on nonfree software. Phoenix was rolled out in 2016, and has affected payment to over 200,000 government employees, and cost the Canadian government over $1.2 billion. Potvin set the ambitious goal of providing a free software solution within a year, setting an excellent example for why governments should use free software exclusively.

RMS then headed to the University of Quebec in Montreal (UQAM) for the fifth colloquium of the Adte, a nonprofit that promotes free/libre educational resources in higher education. There, he delivered the keynote speech, "Education and freedom."

From mid-May to early June, he was in South America. In Brazil he spoke at Campus Party Bahía, in Salvador de Bahía, at the Instituto Federal de São Paulo, in Araraquara, on the Pato Branco campus of the Universidade Tecnológica Federal do Paraná, and at the Universidade de São Paulo.

RMS also toured Argentina, starting in Misiones Posadas, speaking to, among others, elected officials from the province. He then spoke at the Universidad de Tucumán, which awarded him an honorary doctorate, and at the Universidad Tecnológica Nacional in Mendoza, whose graduates make up half of Argentina's engineering-degree holders, and which awarded him an honorary professorship, its highest honor. Next, he headed to Río Cuarto, Córdoba, before heading to the Autonomous City of Buenos Aires, where he gave two speeches: "Free software: Sovereignty and technological independence," at the Instituto Universitario de la Policía Federal, and "Copyright vs community," at the Centro Cultural de la Cooperación Floreal Gorini, for gcoop, a free software cooperative. He ended his visit to Argentina with a speech at the Universidad Nacional de La Plata, and another in Mar del Plata.

After a brief respite in Boston, RMS headed to Barcelona, Spain, for two events. At the first, Maker Faire, he had a public conversation with Francesca Bria, the Barcelona City Council chief of technology, titled "Digital cities, digital freedom, digital privacy." Next, he delivered a speech at the Universitat Politècnica de Catalunya. During his visit to Spain, he also spoke remotely for the seventh No-Spy Konferenz, which was taking place in Stuttgart, Germany.

He then both gave a speech and sat on a panel titled "Smart city, spy city? Avenues for making a city smart while respecting privacy and anonymity," at the Next Generation Cities conference, in Amsterdam, the Netherlands, before returning to Spain to speak at the Universidad de Jaén.

Back in the United States, in New York City, RMS took part in the eleventh HOPE (Hackers On Planet Earth) conference, driving home the point that we must legislate to block collection of personal data.

In August, he headed to Chile for seven speeches: in Santiago de Chile, at both the Universidad de Chile and at the Universidad Tecnológica de Chile INACAP; in Rancagua; in Valdivia, both privately, for regional authorities, and publicly, at the Centro de Estudios Científicos; at the Universidad Católica de Valparaíso, in Valparaíso; and at the Universidad Técnica Federico Santa María Sede Viña del Mar, in Quilpué.

RMS ended the summer in Brussels, Belgium, where he took part in the first edition of EduCode, giving his speech "Control your computer, so as not to be controlled!"

So far this fall, he's spoken at the Istituto Italiano di Tecnologia, in Genoa, Italy, and at the Illinois Institute of Technology, in Chicago, Illinois, and sat on the "Bits, bots, and our biome: Technology and tech power" panel at the Bioneers Conference, in San Rafael, California.

See for a list of RMS's confirmed engagements. Please write to to extend him a speaking invitation.

How the tech team has been supporting you and GNU

The tech team at the FSF is in charge of maintaining and extending a large set of infrastructure that includes the systems at the Foundation's office as well as over a hundred virtual machines on a handful of servers at three different data centers. Our machines host the GNU Project, FSF campaigns, and services for the community. This gets us hundreds of task requests every month, and this year we met our goal by resolving over 2,800 tasks and keeping the number of pending tasks under 150.

We made good progress on the GNUHope cluster project, a modern server stack that is replacing our main infrastructure. Since its deployment at the beginning of the year, we have now increased its storage capacity, improved the network design, and hardened the firewall. Thanks to that gained capacity, we were able to decommission the biggest server of the old stack, Pyxis, a venerable machine which had been hosting some critical infrastructure – including and – and that had started to show its age by overheating and crashing. We also had some hardware and network incidents that caused a bit of downtime, but they were resolved without any data loss.

We also launched an improved forum for FSF associate members at , powered by free software called Discourse ( ). This is a dedicated space where members can meet, communicate, and collaborate with each other. You'll be able to log in using the same Central Authentication Service (CAS) account that you used to set up your membership. We encourage you to log in, check it out, and get the conversation going.

Over the spring and summer we welcomed a great group of collaborators, including four talented interns and an independent contractor (see page 6 for info about our contractor's work). During the spring, as part of our mentorship-internship program with GNU, Darshan Kadu worked closely with the GIMP project to update the JPEG 2000 plug-in to use OpenJPEG as its backend library. His code was released in GIMP 2.10.0.

Next, during the spring, our on-site intern Alyssa Rosenzweig documented the state of free software compatibility with single-board ARM , designed a fully free remote management device for servers, and developed a tool to make PayPal payments without nonfree JavaScript ( ). We also welcomed two interns, Sonali Singhal and David Hedlund, who both did important work on the Free Software Directory ( ). Sonali added images to Directory entries, improved our Semantic MediaWiki templates, and upgraded the site to the most recent long-term support version. David made changes to scripts that update the site with information about popular free Mozilla extensions, made adjustments to our license naming format, and researched performance improvements to the site.

For the fall, we're collaborating with UC Berkeley's Blueprint program to write a phone application that will offer a way to make small, convenient donations to the FSF, and help members keep track of FSF news, blog posts, and petition action alerts. We're also starting with two remote interns, Hrishikesh Barman and Lei Zhao, who will be helping us to improve our system monitoring, and who will contribute to LibreJS and other projects.

All this work is part of our never-ending effort to bring better tools and support to the community so our advocacy work can be better heard, and much-needed free software can be developed. We rely on your support and contributions, both through donations and through intern work. We accept interns four times a year; if you are interested in applying, see the latest schedule at . For information about being an intern through Outreachy, see .

Donate to the FSF with Bitcoin 12DaJbqw5SZTh5DJuEMgr9oPMermG h8cF9

Copyright 2018 Free Software Foundation, Inc.

The articles in this are individually licensed under the Creative Commons Attribution No Derivative Works 4.0 license.

Published twice yearly by the Free Software Foundation, 51 Franklin Street, 5th Floor, , MA 02110-1335, (617) 542-5942

This was produced using all free software, including Scribus and GIMP.

Photo credits:
Page 1: Photo by Molly de Blanc, Creative Commons Attribution-ShareAlike 4.0 International.
Page 5: Illustration by Dana Morgenstein, Creative Commons Attribution-ShareAlike 4.0 International.
Page 9: Photo by Adte.ca, Creative Commons Attribution-ShareAlike 4.0 International.