A simple "typosquatting" attack vector took advantage of some administrators entering package names a tiny bit incorrectly. A mistyped name would then pull down a look-alike malicious package instead of the intended one. There are security measures to prevent that from happening, but enough people don't implement them to make that kind of attack worthwhile.
In a similar fashion, developers using packages that depend on a very popular sub-package with genuinely good tools got a shock about a week ago when they found the code for the latter had been subverted.
The developer of the sub or nested package was understandably upset and angered by Russia's invasion of Ukraine, and decided to do something about it.
He added a module, "peacenotwar", that would trigger on systems geolocated to Russia and Belarus and print out protest messages. Earlier versions of "peacenotwar" would also delete file content and replace them with a heart icon.
The code doing that was obfuscated and not easy to spot, and the developer's actions have really opened up a big can of worms. Leaving aside that blind trust of someone's code is a bad idea (see above), the "protestware" struck at the heart of the FOSS ideology.
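The two supply-chain failure modes described above, a look-alike package name slipping into a dependency tree and a trusted nested package changing underneath a project, are both visible in the lockfile if someone looks. The audit below is an added illustration, not code from the article or from any package registry: it parses a constructed npm-style lockfile, flags names that are suspiciously close to a hypothetical allowlist, and reports nested dependencies whose version differs from a hypothetical last-reviewed baseline or that carry no integrity hash. Package names, versions and hashes are all constructed for the example.

```python
"""Lockfile audit: flag look-alike package names and unreviewed dependency changes.

Added illustration, not code from the article. The lockfile, the allowlist and
the baseline below are constructed for the example.
"""
import json
from difflib import SequenceMatcher

# Constructed npm-style lockfile (package-lock.json v2 layout), not from a real project.
SAMPLE_LOCK = json.loads("""
{
  "name": "demo-app",
  "lockfileVersion": 2,
  "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/widgetlib": {
      "version": "2.3.1",
      "integrity": "sha512-CONSTRUCTED-HASH-A"
    },
    "node_modules/widgetlb": {
      "version": "0.0.1",
      "integrity": "sha512-CONSTRUCTED-HASH-B"
    },
    "node_modules/widgetlib/node_modules/colorhelper": {
      "version": "5.0.0"
    }
  }
}
""")

# Hypothetical allowlist: package names the team has already reviewed.
KNOWN_GOOD = {"widgetlib", "colorhelper", "otherlib"}

# Hypothetical baseline: versions recorded the last time the lockfile was reviewed.
BASELINE = {
    "node_modules/widgetlib": "2.3.1",
    "node_modules/widgetlib/node_modules/colorhelper": "4.9.2",
}


def package_name(path):
    """'node_modules/a/node_modules/b' -> 'b'; scoped names like '@org/pkg' survive."""
    return path.split("node_modules/")[-1]


def lookalike(name, known, threshold=0.8):
    """Return the closest allowlisted name if `name` is near it but not identical."""
    if name in known:
        return None
    best = max(known, key=lambda k: SequenceMatcher(None, name, k).ratio())
    if SequenceMatcher(None, name, best).ratio() >= threshold:
        return best
    return None


def audit(lock, known_good, baseline):
    """Walk every installed package, nested ones included, and collect findings."""
    findings = {"lookalike": {}, "changed": {}, "added": [], "no_integrity": []}
    for path, meta in lock["packages"].items():
        if path == "":  # the root project entry, not a dependency
            continue
        name = package_name(path)
        close = lookalike(name, known_good)
        if close:
            findings["lookalike"][name] = close
        if "integrity" not in meta:  # nothing pins the downloaded tarball to a hash
            findings["no_integrity"].append(path)
        if path not in baseline:
            findings["added"].append(path)
        elif baseline[path] != meta["version"]:
            findings["changed"][path] = (baseline[path], meta["version"])
    return findings


if __name__ == "__main__":
    for category, items in audit(SAMPLE_LOCK, KNOWN_GOOD, BASELINE).items():
        print(category, items)
```

Run against the constructed lockfile, the audit reports `widgetlb` as a near miss for `widgetlib`, lists it as a package absent from the baseline, and shows the nested `colorhelper` jumping from 4.9.2 to 5.0.0 without an integrity hash. None of these is proof of malice on its own; the point is that each is a change a human should look at before the install runs, which is the step the article's victims skipped.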
On the face of it, if you write code or have the rights to it, you should be able to have final say in how it's used, by whom, where and when, right?
It isn't that simple, unfortunately. Free and open source is very much an ideological construct. If it's open to anyone, there's no walking back from that political statement by adding usage restrictions.
If you do, the software is no longer free and open. FOSS licences are explicitly written to ensure that "freedom zero" and to avoid capture, especially by commercial interests who could otherwise assert rights over the software and sue users to smithereens.
In other words, if Russians want to use open source software for any purpose, including computer-controlled weapons systems that kill and maim civilians, they are entitled to do so. So is anyone else, and it doesn't matter how vile and opprobrious their views are.
This might sound like an angels-dancing-on-the-head-of-a-pin kind of argument, and in practical terms it probably is. It's hard to imagine a developer who writes protestware facing any consequence other than being shunned. Because the source code is available and anyone can modify it (if they know how), any usage limitations written into the software can be removed.
Remember though that FOSS is a very powerful technological concept that underpins just about all of the Internet, its applications and the devices connected to it.
It is however FOSS, so how would you enforce wartime sanctions like the ones applied on Russia currently? Obviously, you can't do direct business like paid-for support contracts with Russian and Belarus entities; where do you draw the line though? Kick out people you suspect to be Russian from developer mailing lists, and online open source code repositories? Would that even be possible?
This is yet another fascinating intersection of humanity and machines, and a tough nut to crack. It's not clear that there's a pragmatic and workable solution that'll produce free code with restrictions, without tanking the whole FOSS concept.