Mise à jour de la base de données, veuillez patienter...

We did it thanks to you. The Free Software Foundation (FSF) had another successful winter fundraiser this year. For us, 2017 ended on a high note, by blowing past our fundraising goal of $450,000 (USD). Thanks to your generosity, we have raised over $500,000 to power up the FSF and support software freedom in 2018.

What does $500,000 mean to the FSF? As we said in our emails and blog posts, these funds will turn into:

• Upgraded technical infrastructure for FSF staff and activities, as well as GNU projects;
• An updated fsf.org (yes, we're as excited as you!);
• Resources and education for those looking to be better free software citizens and users;
• Support for GPL compliance;
• Review and certification of hardware for our Respects Your Freedom program;
• Fighting for a DRM-free world with DefectiveByDesign;
• Resources concerning the dangers of proprietary software;
• LibrePlanet, the annual FSF conference;
• FSF staff and volunteer presence at events and conferences around the world.

To top it all off, we ended 2017 with over 5,000 FSF members -- more than ever before. As over 85% of our funding comes from donations and membership dues, these members are vital to the FSF. We are powered by donors, members, and volunteers like you -- all of the work of the FSF is accomplished with your help.

Again, thank you so much for your generosity. We're excited to see what we can do together in 2018.

Help improve the Free Software Directory by adding new entries and updating existing ones. Every Friday we meet on IRC in the #fsf channel on irc.freenode.org.

Tens of thousands of people visit directory.fsf.org each month to discover free software. Each entry in the Directory contains a wealth of useful information, from basic category and descriptions, to providing detailed info about version control, IRC channels, documentation, and licensing info that has been carefully checked by FSF staff and trained volunteers.

When a user comes to the Directory, they know that everything in it is free software, has only free dependencies, and runs on a free OS. With almost 16,000 entries, it is a massive repository of information about free software.

While the Directory has been and continues to be a great resource to the world for many years now, it has the potential to be a resource of even greater value. But it needs your help! And since it's a MediaWiki instance, it's easy for anyone to edit and contribute to the Directory.

This week's theme is organizing for the future. We'll be working on updating software that helps you organize and push for change, whether that's organizing your own life or leading a movement forward. We'll also be discussing how to organize and lead teams working on the Directory. Now is your chance to take charge and chart the future of the Directory!

If you are eager to help, and you can't wait or are simply unable to make it onto IRC on Friday, our participation guide will provide you with all the information you need to get started on helping the Directory today. There are also weekly Directory Meeting pages that everyone is welcome to contribute to before, during, and after each meeting.

Introduced just a few days ago, the FISA Amendments Reauthorization Act of 2017 attempts to both renew and expand Section 702 of the FISA Amendments Act. You can read the bill here. While the NSA's surveillance practices are supposed to be reserved for non-Americans, they use this bill to justify monitoring the electronic communication of Americans associated with non-citizens. The FSF opposes this bill, both for its apparent violation of Americans' Fourth Amendment protection against unreasonable search and seizure, and because it enables bulk surveillance by US government intelligence agents.

In addition to renewing Section 702, this bill also aims to expand its scope. As it stands, the NSA can collect emails both to and from a non-US person not living in the US. The messages are stored in databases that can be searched and read without a warrant, even when Americans are involved in the communications. The proposed expansion of Section 702 would make this ugly little loophole permanent, only requiring a warrant for such searches once a Federal Bureau of Investigation (FBI) or other intelligence agent has found enough information to launch a formal investigation.

Finally, the bill would renew an NSA practice that was abandoned last year: "about" collection. With this type of data collection, the NSA collects any digital communications -- not just communications that are "to" or "from" a targeted person, but simply "about" them (for example, an email between two other people that mentions the targeted person's name), making the collection even broader.

The Free Software Foundation sees this type of bulk surveillance as a freedom issue that can be resisted by using free software for email encryption, private Web browsing, and decentralized, trustworthy online systems. As the Internet has become increasingly centralized, more and more people have relinquished control over their computing to remotely hosted systems and to Service as a Software Substitute (SaaSS), remotely-hosted programs that exchange data with users to do computing that they could do on their own machines. In both cases, you cannot see what these servers are doing with your data -- and you have no way of verifying that the host is respecting your freedom. But these companies often submit to governments when they ask for your information, whether it's ostensibly to fight terrorism or to stop unauthorized copying. For more on why bulk surveillance is a software freedom issue and how to take action, read on.

Action in the United States

Those of you in the United States can call Congress today. Here's a call script:

Hello, I live in CITY, STATE. I am calling to urge you to vote against the FISA Amendments Reauthorization Act of 2017. The NSA and FBI should not be allowed to surveil Americans without a warrant, or to carry out bulk surveillance of anyone. Thank you for your time.

Who should you call?

• Find your Representative and call them.
• Dial the House of Representatives' switchboard at (202) 224-3121 and they will connect you.

Action for everyone

• Read more about why mass surveillance is a software freedom issue and what you can do about it.
• Encrypting our personal communication makes bulk surveillance more difficult and protects the people we communicate with, so if you don't already encrypt your emails, check out Email Self-Defense, our beginner's guide to email encryption.

With security issues like the Spectre and Meltdown vulnerabilities discovered in Intel chips in early 2018, it became more important than ever to talk about the necessity of software freedom in these deeply embedded technologies. Thanks to Denis GNUtoo Carikli, we have a new basis for that conversation in this article.

The Intel Management Engine is a tool that ships with Intel chipsets, purportedly to ease the job of system administrators. But in reality, it is another restriction on user freedoms, imposed by a company, and used to control your computing.

Carikli offers a moderately technical explanation of what's happening with Management Engine, the ways in which it restricts rather than empowers users, and how it violates the four freedoms of free software.

Carikli may be best known for his work on the Replicant project, which he co-founded with Aaron Williamson, Bradley Kuhn, and Grazlano Sorbaioli. He has also worked on a number of free BIOS/UEFI including coreboot and serialICE.

The Management Engine¹ (frequently abbreviated as ME) is a separate computer within Intel computers, which denies users control by forcing them to run nonfree software that cannot be modified or replaced by anyone but Intel. This is dangerous and unjust. It is a very serious attack on the freedom, privacy, and security of computer users.

The Management Engine started to appear in Intel computers around 2007².

At first, it was designed to help system administrators and other employees to remotely manage computers³, and was advertised as a computer feature for business customers. It could, for instance, be used to remotely:

• Power the computers on and off.

• Boot computers from remote storage located on the system administrator's machine or on a server, and take control of the computer that way⁴.

• Retrieve and store various serial numbers that identify the computer hardware.

Over time, Intel imposed the Management Engine on all Intel computers, removed the ability for computer users and manufacturers to disable it, and extended its control over the computer to nearly 100%. It even has access to the main computer's memory.

It now constitutes a separate computing environment that is designed to deny users the control of their computer. It can even run applications that implement Digital Restrictions Management (DRM)⁵. See Defective by Design to learn why DRM is bad.

The remote administration is done through applications running inside the Management Engine, such as AMT (Active Management Technology)⁶. AMT gives remote system administrators the same control they would have if sitting in front of the computer⁷. AMT can also control Intel Ethernet interfaces and WiFi cards to filter or block network traffic from going in or out of the computer⁸.

Intel has gone as far as to use a free operating system and convert it to nonfree software to attack its users' freedom: The license⁹ of the operating system they use does not give users rights to the source code under a free license, nor does it ensure users' rights to run modified versions of that code on the Management Engine.

We could correct all these problems if the users were able to run fully free software on the Management Engine, or at least, make it not run any code, effectively disabling it. The former is impossible because the Management Engine will only run code that is cryptographically signed by Intel¹⁰. This means that unless someone finds a flaw in the hardware that enables users to bypass the signature check, users are effectively denied the ability to install the software they wish in the Management Engine.

To prevent free operating systems from being subverted into an instrument that makes attacking users' freedom cheaper and easier, it is important to license their components under the GNU GPLv3 or later whenever possible. This keeps the software free and prevents hardware manufacturers from denying end users the ability to run modified versions of the software. See how to choose a license for your own work to learn about the best licensing strategies to maximize users' freedom, and in which cases licenses other than the GPLv3 might be suitable.

Despite all Intel's efforts to make the Management Engine inescapable, software developers have had some success with preventing it from loading code. For instance, the Libreboot project disables the Management Engine by removing all the code that the Management Engine is supposed to load on some Thinkpad computers manufactured in 2008, including the R400, T400, T400s, T500, W500, X200, X200s, and X200T.

Also, many Intel computers manufactured in 2006 have the ancestor of the Management Engine which is disabled from the start, such as the Lenovo Thinkpads X60, X60s, X60 Tablet and T60, and many more.

A free software program named intelmetool¹¹ is capable of detecting if the Management Engine is absent or disabled. With more recent hardware, it is not yet possible to fully disable the Management Engine, as some of the hardware needs to be initialized by it. It is however possible to limit the amount of nonfree software running on the Management Engine by removing parts of the code and/or by configuring it to not run some code¹².

Independently from the Management Engine, other issues affect computers users in very similar ways:

• Many computers use nonfree boot software (like BIOS or UEFI or equivalent) and/or require it to be cryptographically signed by the hardware manufacturer This raises similar concern for the freedom, privacy, and security of computer users because the boot software is responsible for loading the operating system, and has more control over the computer than the operating system. This issue also affects computers using other architectures such as ARM¹³.

• AMD¹⁴ computers made after 2013 also have a separate computer within the computer, called PSP (Platform Security Processor), which has similar issues.

Because of Intel's attack on users' freedom, to avoid being denied freedom, privacy, and security, computer users wanting to use a machine with an Intel processor must use older computers with no Management Engine, or whose Management Engine is disabled.

Whenever companies follow Intel's path, we will need to design our own hardware to keep being able to escape such attacks on freedom, by ensuring that users can run fully free software on it. This will also create the necessary building blocks that will enable users to benefit from hardware freedoms¹⁵ in the future, when manufacturing technologies are easily available to end users.

For more information on the Intel Management Engine, see:

• Intel & ME, and why we should get rid of ME

• "Active Management Technology": The obscure remote control in some Intel hardware

References:

1. Also called SPS (Server Platform Services) on servers and TXE (Trusted Execution Engine) on some mobile or low power devices.

2. For more information about the history of the Management Engine, see pages 27, 28, and 29 of the 2014 book Platform Embedded Security Technology Revealed, by Xiaoyu Ruan (ISBN 978-1-4302-6571-9), at Springer.

3. The remote management can be done through an application that is running inside the Management Engine. Various applications exist for that, and the best known is called AMT (Active Management Technology).

4. This functionality is part of AMT, and is known as SOL/IDE redirect.

5. For more information about Digital Restrictions Management and the Management Engine, see from page 191 until the end of chapter 8 (Hardware-Based Content Protection Technology) of the book Platform Embedded Security Technology Revealed, by Xiaoyu Ruan (ISBN 978-1-4302-6571-9) at Springer.

   This chapter tries to justify the usage of Digital Restrictions Management (DRM). DRM is totally unacceptable as it requires the users not to be in control of their computers to effectively prevent them from exercising their legal rights (such as fair use, or being able to copy published works). That chapter clearly shows the link between preventing users from controlling their hardware and effective DRM.

   FSF's Defective by Design campaign has resources to take actions against DRM.

6. AMT is often available on Intel computers designed for business customers, and not on computers designed for consumers. When available, there are often BIOS or UEFI settings to turn it off, but as they are implemented by nonfree software, there is no easy way to know what such settings really do, or to know what the consequences of turning AMT on or off that way really are.

7. This functionality is part of AMT, and is called System Defense. For more detail about that see Intel's System Defense description and Intel's documentation on how it works.

8. To do that, Intel used VNC (Virtual Network Computing), a standard protocol to remotely administrate computers, by relaying keyboard, mouse, and display over a network. Many free software programs implementing such protocols can also do that, and can be found in the free software directory.

9. Here, Intel recently started to use Minix, a free software operating system released under various BSD licenses.

   BSD licenses are weak free software licenses that don't prevent software from being used to mistreat users (by removing the freedoms it came with).

   Some parts of Minix are released under the Original BSD license, or modified versions of it. This issue makes it impossible to combine such software with software licensed under the GNU GPL licenses. To avoid that issue it is better to choose other weak licenses as explained in this article about the modified BSD license.

10. This means that, through cryptography, the hardware manufacturer (for instance Intel) decides which code can run on that hardware.

11. See intelmetool, an utility for reporting the Management Engine status.

12. This can be done with the me_cleaner program. Also, Purism's Librem 13 v2 and Librem 15 v3, sold after 19 October 2017, have already had that done; for machines sold earlier, and the Librem 13 v1, the build_coreboot.sh program can do it. You can also do it with Coreboot 4.6 by enabling the option named "Strip down the Intel ME/TXE firmware." Note that Coreboot is not entirely free software itself. More generally, you can use the me_cleaner program to do this for any Intel computer that has the Management Engine. For more detail about how me_cleaner works see Positive Technologies's article named "Disabling Intel ME 11 via undocumented mode"; me_cleaner's documentation on how it works; and me_cleaner's documentation on the HAP and the AltMeDisable bits.

13. ARM is a computer hardware architecture that is commonly found in small and mobile devices such as smartphones and tablets.

14. AMD is a company that makes computer hardware which is mostly equivalent to Intel hardware, and can replace it, as it can run the same operating systems and applications with no or very few changes.

15. For more details on hardware freedom, see the article on Free Hardware and Free Hardware Designs.

(as of December 23, 2017):

• auctex-12.1
• gama-1.21
• global-6.6.1
• glpk-4.64
• gnuastro-0.5
• gnucash-2.6.19
• gnuhealth-3.2.9
• gnupg-2.2.4
• gnustep-back/gui-0.26.0
• guile-2.2.3
• guile-cv-0.1.8
• libcdio-1.1.0
• libmicrohttpd-0.9.58
• libunistring-0.9.8
• linux-libre-4.14.7-gnu
• nano-2.9.1
• parallel-20171222
• tar-1.30
• tramp-2.3.3

For announcements of most new GNU releases, subscribe to the info-gnu mailing list: https://lists.gnu.org/mailman/listinfo/info-gnu.

To download: nearly all GNU software is available from https://ftp.gnu.org/gnu/, or preferably one of its mirrors from https://www.gnu.org/prep/ftp.html. You can use the URL https://ftpmirror.gnu.org/ to be automatically redirected to a (hopefully) nearby and up-to-date mirror.

A number of GNU packages, as well as the GNU operating system as a whole, are looking for maintainers and other assistance: please see https://www.gnu.org/server/takeaction.html#unmaint if you'd like to help. The general page on how to help GNU is at https://www.gnu.org/help/help.html.

If you have a working or partly working program that you'd like to offer to the GNU Project as a GNU package, see https://www.gnu.org/help/evaluation.html.

As always, please feel free to write to us at maintainers@gnu.org with any GNUish questions or suggestions for future installments.