I am not a PureOS user, but recently some of us in #fsf on Libera.Chat were discussing free-software-only flatpak repos, and someone mentioned the PureOS repo [1]. When using flathub with --subset=floss , you’ll still see software that is free but downloads and runs nonfree software at runtime. We were hopeful PureOS would not have this problem. While looking through the full list of software I noticed “WhatsAppForLinux” (com.github.eneshecan.WhatsAppForLinux), and I was curious, so I looked into it, and it kind of looks like this is a wrapper for nonfree software [2].
I’m still not completely sure, so I opened a discussion on GitHub [3]. Is the software is a wrapper for the nonfree WhatsApp app, and if so should it be removed from PureOS flatpak repo? It looks to me like it should be removed.
[1] pureos.flatpakrepo
[2] webkit_web_view_load_uri(*this, WHATSAPP_WEB_URI); is in the source code, and this page suggests JavaScript is run by default.
[3] Side note: Registration on GitHub used to be possible without nonfree software, using some scripts I wrote, but it is currently broken. Please let me know if you are interested in this script; that would give me a reason to place higher priority on fixing it.
Whenever something is easy, that probably means FSF should stop endorsing it. I bought a librem 14 and I use it very often. Great experience. Surely this means, big big governments, CIA, FBI, NSA, DMS, they are all inside my Librem 14, because it was too easy for me to get it like this and it’s actually useful, which means they would have to attack it to ensure nothing is ever FSF endorsed that any normal person actually uses.
What I’m saying is paranoid nonsense. But what if it’s not?
So, maybe Purism will fix Whatsapp flatpak, but also aren’t there probably worse offenders hiding in plain sight?
The application uses WebKit to connect to WhatsApp Web, which then appears as if you are using Safari on a MacOS device. If WhatsApp Web uses proprietary JavaScript, then WhatsAppForLinux should be removed from the PureOS Flatpak remote.
Follow-up question: should I report the nonfree software download on an issue tracker? I thought to try https://tracker.pureos.net/ but I don’t see a way to register (except with LDAP, but I couldn’t seem to figure out what that is).
Probably. It’s probably a government conspiracy. Convincing everyone of mathematical validity of their encryption and making it ubiquitous, while simultaneously thwarting it with a quantum machine (or other secretly known hole in the math) would be genius. They would not only be able to decrypt your actions today, but also the history of all your “private” connections across long distance through all time. All HTTPS, all SSH connections, all commands and passwords issued on those connections, for your lifetime…
Meanwhile, TLS protects corporate interests from the prying eyes of hobbyists who want to know what messages their own machines are sending home, because the hobbyists don’t have the backdoor.
I couldn’t hardly design a better dystopia if I tried.
SSH doesn’t use TLS. It of course has its own theoretical / conspiracy / paranoid questions. They are just different questions, since it is a different protocol and has a different cryptographic basis.
On a blackbox computer, yes.
Bear in mind though that even if you can access the message text before it reaches TLS, the message may not be meaningful to you i.e. if the application transforms the message in complex and difficult ways before passing it to the TLS encryption layer.