programsconnectedtooneofour Contents currentcampaigns.Mostrecently, How and why the FSF drives free wefundedGNUlibreJS,which software development . 1 meetsbothofthesecriteria(see Why we still need GnuPG. 3 page 6). We also serve as a fiscal Nonfree digital drugs are a bad idea sponsor to several projects, ..................4 allowingpeopletofundtheir Escaping the JavaScript trap with development. Because of the trust donorshaveintheFSF sintegrity, libreJS.................6 affiliationwiththeFSFmeansthat On the road with RMS......8 projectsarepotentiallyableto Howthetechteamhasbeen attract significant amounts of supporting you and GNU ....10 funding.Thisfall,forexample,a groupcalledHandshakegavea HowandwhytheFSF totalof$500,000tomultiple drivesfreesoftware projectssponsoredbytheFSF. development Second, the FSF provides direction to guide overall free software development. Working hile much of the public Wattention the FSF receives focuses on our activist campaigns and our advocacy work, associate members who join the FSF as a way to give back for all the free software they use should feel confident that their support will indeed help produce more of that software. Here are three ways in which the FSF drives free software development. First, we directly fund development,fromourgeneral budget–especiallyprogramswe needforourownoperations,or with a committee of experts who PineappleFund,wearepoisedto solicit extensive feedback from the dedicateevenmoreresourcestoit. public, we maintain a High Priority Wemakethisaprioritybecause Projects list highlighting areas that ourmissionistoenableusers need more investment of resources everywheretolivefullyfreedigital and time ( ). We lives.Todothat, they must have recruit volunteers to work in these free software that does all of the and other areas, including placing thingstheywantandneedtodo. interns who are able to spend a few When free software does an months helping a project while excellent job meeting users needs, it learning skills that will lead them to helps prove proprietary software a lifetime of promoting and creating companies wrong, demonstrating that free software. Furthermore, we set we actually can have fully free high standards under our Respects computing. Using a free program is Your Freedom product certification also often the way people first get program that motivate development interested in learning more about how ( ). These standards unethically the software industry inspired Libreboot, the fully free typically treats them. Supporting free boot firmware project, and they software development is a double win: continue to encourage developers to it leads to programs we need while solve difficult problems. also boosting our advocacy and Third, we provide infrastructure campaigns work. used by thousands of contributors WhiletheFSFdoesn t to GNU and other free software currently employ anyone full­time projects, including mailing list servers; todevelopsoftware,weinspireand a shell server; build machines; wikis; drive development in these software distribution; bug trackers; impactful ways. We re fortunate Web servers; virtual machines; and that donors are increasing their more. Not only do we provide all of commitmentsinthisarea;given this gratis, but we run it using free theimmensityofthetask,it s software on hardware we maintain, imperativethatweturnthose enabling developers to stay true to resources into successes that will their principles (see page 10). We also attract even more such provide legal infrastructure, managing commitments.Ourlong­standing copyright assignments for many reputationandskilledstaffallowus GNU packages, and enforcing the toprovidethetechnical, GNU General Public License to communications,andfundraising protect the free software commons. infrastructureenablinghackersto Inour2017fiscalyear,we focus on their area of expertise: the spentover$300,000supportingfree code.Youcanrestassuredthat software development in these yourdonationsandmemberships ways.Inournewfiscalyear, are an effective way to give back thanks to Handshake, as well as a andsupportfuturemuch­needed $1milliondonationfromthe freesoftwaredevelopment. WhywestillneedGnuPG itself,butratherinthewaythat someemailclientsdecrypt messages that would allow attackers to embed such messages inthecontextofmaliciously he use of GNU Privacy Guard craftedHTMLcode.After T(GPG) encrypted emails is decryption,loadingHTML important for political dissidents, elementsorclickingonlinkscould journalists, whistleblowers, and thenexfiltratethatdatatoremote those who need to protect the servers. Some users could work privacy of their messages. GPG is aroundthisproblembydisabling an essential tool for securely HTML rendering of emails, because encrypting and signing withoutloadingHTMLelements, communications, in order to thedatacouldnotbeexfiltrated. mitigate surveillance and However,forS/MIMEusers, impersonation. For some people, disabling HTML rendering alone their very life, and the lives of those wasnotentirelysecure.SomeGPG they love are at stake, so ensuring usersremainedatrisk,because that their communications are Apple sproprietaryemailclient secure is critical. Even for those of doesn tallowdisablingHTML us who do not have this level of renderingofemails. need, we should still aim to not TheElectronicFrontier simply hand over our private Foundation (EFF) published an information to whichever article about the vulnerability, surveillance states and email service drawingattentiontotheproblem, providers happen to be recording andcontroversiallyrecommended our communications. In addition, thatpeoplestopencryptingand ordinary everyday use of GPG helps decrypting emails within their to provide cover for others who emailclientsuntiltheissuewas need it the most. The FSF created resolved.Sincethattime,all the Email Self­Defense Guide at known attack vectors have been to patchedandresolvedinIcedove expand the practice of email andThunderbird,aswellas encryption. Enigmail, which isaGPG In May 2018, encryption and decryption plugin announced a vulnerability, dubbed forthoseemailclients.Asfaras EFAIL,forsomeemailclientsthat EFAIL is concerned, using GPG useGPGorS/MIMEtodecrypt withEnigmailshouldbesafe,as encryptedmessages.S/MIMEisan long as you and the people you are encryptionschemethatreliesupon correspondingwithareusingthe a certificate authority instead of latestversionofthepluginand peer­to­peer key signing.Inthe email client. Even if there are more caseofGPGencryptedemails,the unknownattackvectors,westill vulnerability was notinGPG believethatpeopleshoulduse GPG to protect their email and to andwritepatchesmaysharethem provide coverage for those who freelywitheveryone,andthose dependonitthemost,withthe patchesmayalsobeauditedby caveatthattherightanswershere anyonewhoknowshow.Onthe maydifferforpeoplewhobelieve otherhand,ifyouuseproprietary theyareormaybeindividually software, like Apple s bundled targetedbywell­resourced emailclient,youmayhavetodeal surveillance. with antifeatures that compromise Foraddedsafety,youshould your security when opening still disable HTML rendering in encryptedemail,andyouareleft youremailclient.DisablingHTML unabletowriteandsharepatches renderingofemails should reduce tothatproprietarysoftware. theattacksurfaceofyouremail Thisattackrequiresthatwe client if future vulnerabilities are reach out to our friends to let them discovered. While disabling the knowhowtosecuretheiremail automatic loading of external communications,becauseboththe HTMLassets,anothercommon pastsendersandrecipientsof feature, will help to protect your IP encrypted emails are potential addressandotherinformation,itis targets of this attack. If you are notsufficienttomitigateEFAIL newtoGPGemailencryption, alone,becauseloadingassets usingGPGtoencryptyouremails manuallyremainspossible,andis is quite easy, and thereforeinsecure. Anotherpreventativemeasure containsastep­by­stepguidetoget that is not strictly necessary, if you youstarted. areusingthelatestversionof Enigmailandyouremailclient,is Nonfreedigitaldrugsarea to copy and paste links into a text badidea editorandtoeyeballthembefore followingthoselinks.Ifyouuse another email client, you should checktheproject sWebsite,or ripiprazole, also known as contactoneofitsmaintainers,to AAbilify, is an antipsychotic seehowwellit smitigatingknown drug used in the treatment of attacks against GPG encrypted schizophrenia and bipolar disorder. email. It s also a successful conjunctive (or TheEFAILvulnerabilityisjust add­on) therapy for major another demonstration of the depressive disorder, and has been benefitsoffreesoftware:GPGand known to help bipolar individuals Enigmail are free software, and during major depressive episodes. their source code is available to be For some people, Abilify may be a auditedbyanyone,soresearchers lifesaving treatment. canfindsecurityholesandfix them.Researcherswhofindissues patient EscapingtheJavaScript trapwithlibreJS ost Web pages contain Mnonfree JavaScript programs that, like other nonfree programs, deny you freedom. The primary functionality of many sites won t work without running JavaScript. This includes almost all online shopping. Why is JavaScript so prevalent? Without it, Web sites arewrittensolelyinHTMLand similar markup languages that intentionallylackthefeaturesofa programminglanguage,andare limitedtoaspecificsetof behaviors.JavaScriptcan accomplish much more,andis oftenusedtoenhanceHTML. BecauseJavaScriptissoeasyto downloadandworks almost the sameoneverybrowser,ithas becomeoneofthemostpopular programming languages,