What is the role of the Free/Open Source Software movement in the prospects for wide availability of computing with meaningful user control?
Over the last thirty years, a huge amount of volunteer and paid work has been devoted to developing Free Software with the aim of promoting users’ civil freedom in computing.
Why then, to date, is no end-user computing device available, at any price, that would give the user meaningful confidence that its computing cannot be completely and undetectably compromised at insignificant cost and risk to the attacker?
Why is no end-user device available today that does NOT contain at least some “critical” software/firmware components that either (a) are nowhere near sufficiently verified relative to their complexity, or (b) have source code that is not verifiable without an NDA, or is outright proprietary?
What should be the free software community priorities and short and long-term objectives in a Post-Snowden World?
Free/Open Source Software, while providing important civil freedoms, does not by itself make a software application or stack more trustworthy than one whose source code is merely publicly verifiable without an NDA. At times, on the contrary, it has constrained the available business models in ways that prevented sustainably attracting the very large resources needed to guarantee sufficiently extreme auditing relative to complexity.
Nonetheless, an adequate new standard may need to very strictly mandate Free/Open Source Software and firmware, with few and/or temporary exceptions for non-critical parts, because it strongly incentivises open innovation communities, volunteer expert auditing and decentralised governance of the overall ecosystem.
These, in turn, substantially contribute to both actual and perceived IT security, and promote an ecosystem that is highly resilient to very strong economic pressures, as well as to short- and long-term changes in the technological, legislative and societal context.
Most importantly, without the very active and well-meaning participation (paid and unpaid) of many of the world’s best IT security experts and “communities”, it would be unlikely to achieve the sufficiently extreme auditing intensity and quality, relative to complexity, that the project aims require. Without such participation, even a project with a budget of hundreds of millions of euros could not reasonably expect to prevent successful remote attacks by the numerous and varied entities that have access to remote vulnerabilities, which are regularly devised, commissioned, acquired, purchased or discovered by entities that are extremely well-financed, have unprecedented accumulated skill-sets and often little or no actual liability.