Freedom Issue #3010

telegram-desktop: Has extra term that conflict with the GPL and freedom 0

maddox - 3 months ago. Updated 2 months ago.

Status: not-a-bug
Priority: discussion
Assignee:
% Done: 100%


Description

This is huge privacy issue. I could even generate the phone numbers, like large number of users and put it in my addressbook, sooner or later I would know who is on Telegram and be able to contact them.

I was not on Telegram, I have signed up only to research the latest Facebook database leak.

Just because I have signed up once, I have got large number of messages of various people who knew this number during and before me, some contacted me by email and requested Telegram sessions, that was very surprising, I find it huge privacy issue.

IMHO, telegram-desktop and all telegram packages should be removed from Parabola for reason that network provider behind it is a company we know nothing about it.

Can we host our own Telegram server? If this cannot be answered with YES, and if such server is not in Parabola, then this software shall be removed.


Files

LICENSE (35 KB) - freemor, 2021-04-10 10:45 AM

History

#1

Updated by oaken-source 2 months ago

  • Status changed from unconfirmed to not-a-bug

maddox wrote:

This is huge privacy issue. I could even generate the phone numbers, like large number of users and put it in my addressbook, sooner or later I would know who is on Telegram and be able to contact them.

This argument is flawed, because addresses are not 'leaked' because you are able to guess them. you could equally send SMS to randomly generated phone numbers and get the same results. Additionally, telegram accounts without an associated phone number exist.

I was not on Telegram, I have signed up only to research the latest Facebook database leak.

Just because I have signed up once, I have got large number of messages of various people who knew this number during and before me, some contacted me by email and requested Telegram sessions, that was very surprising, I find it huge privacy issue.

Again, this is akin to people sending letters to your home address because they knew the person who lived there before you and didn't get the message that they have moved out. you can choose not to reply.

IMHO, telegram-desktop and all telegram packages should be removed from Parabola for reason that network provider behind it is a company we know nothing about it.

By that logic, we would also need to remove DNS, TCP/IP, etc. The network is a service you consume that is outside of your personal computing, so proprietary software services don't harm your personal freedom of computing. you can choose not to use them. And parabola currently has no policy against free client software that consumes proprietary services. I would need to look up the official stance of the FSF on this topic, but I seem to remember RMS saying something similar.

Can we host our own Telegram server? If this cannot be answered with YES, and if such server is not in Parabola, then this software shall be removed.

This should be possible, since the client and the API are open and accessible. I don't think anyone has bothered yet, but I may be wrong. I don't think it is reasonable to segregate our users from the main telegram network though.

I agree that there are privacy issues at play here. But privacy issues are separate from freedom issues. If you value your privacy, then do not install telegram-desktop, but I do not currently see a freedom issue here that warrants modification or removal of telegram-desktop from the distribution.

#2

Updated by maddox 2 months ago

Issue #3010 has been updated by oaken-source.

Status changed from unconfirmed to not-a-bug

maddox wrote:

This is huge privacy issue. I could even generate the phone numbers, like large number of users and put it in my addressbook, sooner or later I would know who is on Telegram and be able to contact them.

This argument is flawed, because addresses are not 'leaked' because
you are able to guess them. you could equally send SMS to randomly
generated phone numbers and get the same results. Additionally,
telegram accounts without an associated phone number exist.

Argument is lexically flawed, but substance is there. I am not
expressing myself well. I have clearly described the surprise. As a
good programmer you may not be able to enter yourself into the
viewpoint I had upon the negative experience. People are drawn into
free OS for a reason, and that reason is not to promote relationship
with vendors, which is the only purpose of that application.

I was not on Telegram, I have signed up only to research the latest Facebook database leak.

Just because I have signed up once, I have got large number of messages of various people who knew this number during and before me, some contacted me by email and requested Telegram sessions, that was very surprising, I find it huge privacy issue.

Again, this is akin to people sending letters to your home address
because they knew the person who lived there before you and didn't
get the message that they have moved out. you can choose not to
reply.

That is not akin. It would be akin when a person moves to new area of
another town, and then post office informs all other people from
previous town who knew your house by sending them letter about your
new position. That would be akin. There is activity to inform those
who know your number that you are now member. That IS serious privacy
issue. I wish you would be more insightful regardless if you
personally use Telegram or not.

IMHO, telegram-desktop and all telegram packages should be removed from Parabola for reason that network provider behind it is a company we know nothing about it.

By that logic, we would also need to remove DNS, TCP/IP, etc. The
network is a service you consume that is outside of your personal
computing, so proprietary software services don't harm your personal
freedom of computing. you can choose not to use them. And parabola
currently has no policy against free client software that consumes
proprietary services. I would need to look up the official stance of
the FSF on this topic, but I seem to remember RMS saying something
similar.

Logic requires data, and you do not take enough data into account.

DNS system may be well used internally, and I have set it up several
times. Nobody forbids you to build local area networks or town
networks by using DNS, TCP/IP -- everybody is free, and there are
numerous software for that. Nobody dictates that DNS, TCP/IP has to be
used with the mainstream Internet. That is why Internet is free.

In contrast Telegram network is just one company, and software for
Telegram network has the only purpose to build a stronger relation
with the vendor.

I have read today what RMS said, and I have sent response to that. It
is not relevant to the inclusion of software package in free software
distribution. It is relevant to software as such, as it is free
software. But IMHO, it does not deserve place in Parabola.

Unless under following conditions:

- That Parabola packages one of Telegram protocol servers that may be
self-contained without using the vendor named Telegram

- That telegram-desktop, as changed software, may be used to establish
relation with any of self-hosted or chosen servers.

I would then say, that software is not packaged with the sole purpose
to promote relation to privacy abusive vendor, and can be used with
our own self-hosted servers.

Can we host our own Telegram server? If this cannot be answered
with YES, and if such server is not in Parabola, then this
software shall be removed.

This should be possible, since the client and the API are open and
accessible. I don't think anyone has bothered yet, but I may be
wrong. I don't think it is reasonable to segregate our users from
the main telegram network though.

https://github.com/nebula-chat/telegramd

I have seen more of it today, I cannot find a link. I cannot trust
that software enough, but maybe there is such software.

It is not me only who complained on this. By deviating the essence of
the conversation, it is very easy to make it forgotten.

We have here clash of definitions, but instead of looking into
definitions, we better look into the substance and events taking
place. Why we distribute software in free OS-es? We distribute the
software that people may have freedom to have self-contained
functional software useful with or without any external vendors.

Distributing package that is exclusively promoting relationship to
external vendor defeats that purpose.

That means that a DVD with Parabola cannot be installed in Uganda,
because telegram-server package does not exist and people cannot
connect locally, but telegram-desktop requires relationship to vendor
for the software to work. User is not free.

Substance of it is that user is not free. FSDG are not complete, that
is work in development. We have to think by the principles we
learnt. I do not mind if you use telegram-desktop, I just mind that it
has, for now, no place in free software distribution for the reason
that user is not free.

Practically, in Uganda, Telegram is blocked, unless we pay the tax to
access the vendor (Telegram).

But would there be possibility to access any server, user would be
free, as then software may be modified in the sense to be useful for
the user.

There is no point in saying that software is free because user may
modify it to do what user wish and want, when it is not in the essence
so, it is tied to the relationship to vendor. Thus user is not free.

We speak of communication and privacy, when privacy is in danger that
issue is related to freedom directly, as user does not have freedom to
limit the privacy by modifying the software.

We have to look at things as human who analyse things, not just as
robots who verify the license and include the software, that is
exactly what other distributions are doing.

According to FSDG, a distribution should be complete in themselves and
ready to use. If I have `prosody` package and XMPP clients, I am free
to install it on my network, thus distribution, not a single package,
is free in itself, I can use it, with or without Internet, I can
install XMPP on local area network.

With only one package with the sole purpose to promote vendor, user is
not free, as user cannot do what user wish and want to have it
functional. For example, I cannot change the server hostname
(Telegram) that software works. This defeats the purpose of having the
Freedom 0 practically.

I agree that there are privacy issues at play here. But privacy
issues are separate from freedom issues.

They are not separate, but you may consider them separate.

If you cannot modify software to protect your privacy, then how is
that not a freedom issue?

If you value your privacy, then do not install telegram-desktop,

Is not like that. Because I value my privacy and freedom, I have
installed Parabola. We do not speak of a single software package,
rather of a distribution as whole. Would I be now in Arch Linux, I
would not be at all arguing with you about this, as that is quite a
different community with different goals.

but I do not currently see a freedom issue here that warrants
modification or removal of telegram-desktop from the distribution.

You do not see, I can understand, as you look from only one
aspect. There are maybe viewpoints to consider, world is changing, it
is not only what it was in 1986. There are reasons why we build
federated social networks, why we promote self-hosted
applications and users' freedom in network.

Would we always look limited on the users' freedom, we would never
have the AGPL license. You are not required to think within
boundaries. Do not look in the license, look into the substance or
essence of the events taking place. Licenses do not grow out of
nothing, RMS looked into substances.

It is true that we do not need to think of network service as
non-free, it is service, but I do not speak of network service, I
speak of the essence if user of Parabola distribution have true
freedom to modify software that it works -- and that freedom is not
there, regardless of the license, user cannot change server host name
to point out to own server.

In the browser it is possible, IRC, XMPP, Mumble, Matrix, Tox, email
clients. We can change the server, but in telegram, not, and maybe
also in `weechat` packages.

This is my opinion, I don't mind if it clashes with RMS's or FSF
opinion. It is for thinking.

Main question is:

Can user modify the software how one wish and wants, and change the
host name to one's own server, for the own self-hosted network, so
that software still works?

Jean

Take action in Free Software Foundation campaigns:
https://www.fsf.org/campaigns

Sign an open letter in support of Richard M. Stallman
https://rms-support-letter.github.io/

#3

Updated by maddox 2 months ago

As this issue is related to free software I am also sending it to
Libreplanet mailing list.

Issue:
https://labs.parabola.nu/issues/3010

More comments on Telegram freedom issues:
=========================================

- there are several Telegram related packages in Parabola, not just
one;

- Review terms for API here: https://core.telegram.org/api/terms

Terms dictate that user cannot modify software how user wants, thus
those Terms are in direct contradiction to the GPL3 software, thus I
consider Telegram application non-free as additional terms are
introduced limiting user to modify Telegram how user wish and wants,
and for whatever purpose user wish and want.

Those limitations are following:

- third party clients must comply with following:

- modifier has to observe these Terms of Services which are in
conflict with the GPL3

- API terms dictate that any modification to Telegram software MUST
allow connection to other Telegram users, this contradicts GPL3 --
as for example, I would like to use chat software to contact
non-Telegram users, which are on different server, with compatible
API, GPL3 allows me to do so, Telegram does not allow me.

- It is forbidden to interfere with the basic functionality of
Telegram. This includes but is not limited to: making actions on
behalf of the user without the user's knowledge and consent,
preventing self-destructing content from disappearing, preventing
last seen and online statuses from being displayed correctly,
tampering with the 'read' statuses of messages (e.g. implementing a
'ghost mode'), preventing typing statuses from being sent/displayed,
etc. -- I would like to be changing these features to something
different, but I am not allowed. GPL3 allows me, but additional
Terms apply there which do not allow me, which in effect defeat the
purpose of the GPL3.

- You must obtain your own api_id for your application. -- I don't
want, I want software to function without getting API key from
vendor. I need freedom 0.

- We offer our API free of charge, but your users must be aware of the
fact that your app uses the Telegram API and is part of the Telegram
ecosystem. This fact must be featured prominently in the app's
description in the app stores and in the in-app intro if your app
has it. -- We do not use "ecosystem" as term. Hypothetically, I do
not want to tell users that it uses Telegram API and I do not want
to have application that becomes part of Telegram "ecosystem" and do
not want to make it prominent. Those are all contradictory terms
that impact GPL3 freedom 0.

- To avoid confusion, the title of your app must not include the word
“Telegram”. An exception can be made if the word “Telegram” is
preceded with the word “Unofficial” in the title. -- So when I
change it, I should not be naming it that way. But when I change
XMPP application or IRC, I can still call it XMPP, IRC something.

- You must not use the official Telegram logo for your app. Both the
Telegram brand and its logo are registered trademarks protected by
law in almost every country. -- because official Telegram logo is
included in the telegram-desktop software, this renders software
non-free. This may be allowed by GPL3, but one may get a feeling of
intentions of the vendor.

- If you decide to monetize your app, you must clearly mention all the
methods of monetization that are used in your app in all its app
store descriptions -- I do not want to clearly mention it, it is in
the source code that will be available for people to inspect
it. Those are hypothetical statements to show contradictions with
freedom zero in GPL3 and Terms of usage of API, that directly
prevent users to modify software how they wish and want.

- Breach of terms

,----
| 4.1. If your app violates these terms, we will notify the Telegram
| account responsible for the app about the breach of terms. 4.2. If
| you do not update the app to fix the highlighted issues within 10
| days, we will have to discontinue your access to Telegram API and
| contact the app stores about the removal of your apps that are using
| the Telegram API in violation of these terms.
|
| We reserve the right to expand these terms and guidelines as the need
| arises. We will inform client developers of such changes via an in-app
| notification to their accounts connected to the app in question.
`----

That means that contradictory, not GPL3 complying additional terms on
GPL3 are imposed as software will not function how user wish and want
in case that supplementary Terms are not respected.

Additional future proprietary terms are imposed onto GPL3 as Telegram
vendor reserves the right to change the Terms in future how vendor
wish and wants.

Thus Telegram applications are not free as additional limiting terms
are imposed onto users.

More viewpoints to consider for removal of this package from Parabola:
======================================================================

High priority projects for FSF: Decentralization, federation, and
self-hosting
https://www.fsf.org/campaigns/priority-projects/decentralization-federation

Ways to help

Self-hosting of services or service nodes allows the individual
more control over the security and nature of their information
storage and is a social contribution to building networks that
serve rather than undermine communities

We are not helping this purpose if we promote centralized network
named Telegram.

Let us change telegram-desktop to use our own self-hosted
telegram-server, which is to be renamed, then we shall allow such
package, otherwise it should not be there. It should be in the
blacklist.

Jean


#4

Updated by bill-auger 2 months ago

FWIW, when this package first entered the system, i wanted to
remove it, for essentially the same reasons you are arguing
for; but several parabola users wanted to use it - that is the
only reason it is still available - otherwise, i would have
removed it 2 years ago - that would have been entirely on my
personal opinion though - another parabola dev could have let it
back in

FWIW, i just checked trisquel, guix, and pureos - they all have
this program, and several other telegram clients - hyperbola does
not - maybe you would prefer hyperbola

if there were a libre server for this program; you probably
would not be complaining about it - i believe you have stated
that explicitly - but, that would not dismiss the same argument -
any server which the client connects to, would have all of the
same freedom and privacy concerns as the proprietary one, for
everyone who connects to it, except for the one person who hosts
it - the same is true for XMPP, IRC, or anything else - no one
has any software freedom while using someone else's server, and
no guarantee of privacy either - but that is no reason to purge
all clients from the repos - people should know, that software
freedom and privacy are going to be severely limited, tenuous, or
totally forfeited, as an inevitable consequence of using any
network services; and they accept any risks, merely by
connecting to them

i think the most we could do, if it can be shown that it has
unreasonable privacy issues, would be to put it on the
your-privacy blacklist - there is no imperative to do so
though - the FSDG does not require distros to protect anyone's
privacy - that is something extra, that parabola tries to do;
but it is impossible in practice - people should know that -
the only way to protect one's privacy on the internet, is
through educated decisions and self-restraint from sweet
temptations

as a general rule, we prefer much more to educate people about
computer usage, than to protect them from ignorance - it is much
more effective - putting it on the public blacklist with a clear
rationale, is really the best we can do, generally - otherwise
people will use this stuff anyways, with no warnings from anyone

#5

Updated by bill-auger 2 months ago

As this issue is related to free software I am also sending it to
Libreplanet mailing list.

sure, it's always good to get more eyes on an issue

it is really not a software freedom issue though - the issue
you are concerned with, is regardless of proprietary vs libre

it is entirely related to the ethics of the server admins, and
the education (or lack thereof) of its users - for that reason,
spreading the word is the best thing to do - but, try to avoid
confusing people by conflating freedom, privacy, and security -
those are three different things; and people should not expect
any of them, while using someone else's server

#6

Updated by freemor 2 months ago

The Telephone number issue is a well-known issue with Telegram. A little research before using an application can go a long way.

Even if someone created a free server. IIRC telegram (company) has stated flat out that they would not federate with it.

But I think a point that is being missed here is that, if the client is libre software then the clear course of action is to alter the client not to require a Telephone #. I'm rather surprised that a desktop client would or that people would enter a telephone # into a chat service on a non phone device.

The problem is that your modified client would probably get banned from the server pretty quickly. And thus end up being a lot of work for nothing.

The phone # issue is not the only issue with Telegram. They rolled their own crypto. I haven't heard of it being broken yet but then I've also not seen serious cryptographers do an audit of it.

As long as the client has the 4 freedoms I see no reason for it not to remain. While I'd never recommend anyone use it. It still has for people that wanted to study it or work on a fork etc.

Now if it's lacking the 4 freedoms then chuck it in the dust bin.

This question/argument of non-free services/servers comes up a lot here. We do not host the proprietary server code. And just as we do not cripple the browsers we package so that they can't talk to the hundreds of websites running proprietary back ends because that's not what libre software is about. We shouldn't kick a bit of client software out if it follows the 4 freedoms.

The initial complaint here was a privacy one. That is different from a libre software issue. And tho Parabola does tweak software to fix privacy issues at times that is usually things like the program phoning home with telemetry in the background that was not clearly stated as a function of the application.

With Telegram this is not the case; their privacy policy clearly states that this would happen:

3.4. Phone Number and Contacts

Telegram uses phone numbers as unique identifiers so that it is easy for you to switch from SMS and other messaging apps and retain your social graph. We ask
your permission before syncing your contacts.

We store your up-to-date contacts in order to notify you as soon as one of your contacts signs up for Telegram and to properly display names in notifications.
We only need the number and name (first and last) for this to work and store no other data about your contacts.

Our automatic algorithms can also use anonymized sets of phone numbers to calculate the average number of potential contacts an unregistered phone number may
have on Telegram. When you open the 'Invite friends' interface, we display the resulting statistics next to your contacts to give you an idea of who could
benefit most from joining Telegram.

You can always stop syncing contacts or delete them from our servers in Settings > Privacy & Security > Data Settings.

    If you are using Android, Telegram will ask you for permission to access your phone call logs (READ_CALL_LOG). If you grant this permission, Telegram will
    be able verify your account by transmitting a phone call instead of asking you to enter a code. Telegram uses this permission only to confirm receipt of
    the confirmation call by verifying the number in the call log.

It is not the job of Parabola's maintainers to protect people from themselves. Privacy is a personal responsibility. It is up to the user to make informed choices about the privacy trade-off that they are comfortable with.

Discussions here on Parabola around what chat client to use are always geared to fully free services such as mumble, SIP, XMPP, JAMI (p2p sip), Tox, Etc.

Complaining that Telegram does exactly what they stated in their Privacy Policy and thus should be banned is akin to claiming that The Javascript and webgl features in browsers allow people to be tracked and so the browsers should be banned or have that functionality stripped out.

#7

Updated by maddox 2 months ago

Issue #3010 has been updated by freemor.

The Telephone number issue is a well-known issue with Telegram. A
little research before using an application can go a long way.

There is more to it, it is not just privacy. I am not sure if you have
seen, IMHO GPL3 non-compliant additional terms on how application may
be modified, that impair freedom zero for this package.

Even if someone created a free server. IIRC telegram (company) has
stated flat out that they would not federate with it.

It would not be my intention to federate with Telegram, rather to make
federated network without Telegram vendor.

But I think a point that is being missed here is that, if the client
is libre software then the clear course of action is to alter the
client not to require a Telephone #. I'm rather surprised that a
desktop client would or that people would enter a telephone # into a
chat service on a non phone device.

Which is not permitted, as by their additional API terms that prevent
modification of client how user wish and wants.

The problem is that your modified client would probably get banned
from the server pretty quickly. And thus end up being a lot of work
for nothing.

Thus this is impairment to freedom zero.

As long as the client has the 4 freedoms I see no reason for it not
to remain. While I'd never recommend anyone use it. It still has for
people that wanted to study it or work on a fork etc.

I don't think so, as additional terms could dictate some issues, but
not prevent user to modify software as user wish and wants. This is
the case here. None of their additional terms are related to term
"additional terms" as in GPL3, but limit user or programmer to change
the software as how programmer would wish.

This question/argument of non-free services/servers comes up a lot
here. We do not host the proprietary server code. And just as we do
not cripple the browsers we package so that they can't talk to the
hundreds of websites running proprietary back ends because that's
not what libre software is about. We shouldn't kick a bit of client
software out if it follows the 4 freedoms.

Browser that may access plethora of various servers is not comparable
to software which only purpose is to build relationship to vendor,
which vendor has released software as GPL3 while taking care to impair
the freedom of users with additional terms on how such software cannot
be modified.

Browser licenses with their additional terms, do not dictate nothing
that impairs GPL3, or impairs in its sense. For example Mozilla policy
on trademarks is quite in alignment with GPL3, but Mozilla does not
dictate how browser should work when user wish to modify it, it can
work anyhow, there are no limits.

For this package, and any other package using Telegram API, additional
terms are API terms, which automatically limit Freedom 0 so that user
cannot modify software as one wish and want with the additional threat
to lose friends, connections, legal threats, and to be banned on the
network. There are clear consequences if user wish to modify software
how user wish and want.

It would be useful to understand this statement by asking your
personal attorney to review the GPL3, and review API terms which are
thus in conflict with the GPL3, to confirm if that conflict exist or
not. From GPL3 view point, we may do with software what we want, but
functionality will cease, that is not practical freedom.

Those are related subjects.

With Telegram this is not the case their privacy policy clearly
states that this would happen

It may state, I do believe so. But if you say this is legal, I say it
is not legal and not legal in many jurisdictions. Consent is not given
automatically just because somewhere Terms exist and vendor wish or
demands that user has given consent. I have not given consent in my
particular case and privacy breach have taken place.

Essay on hyperlink contracting:
https://www.lexology.com/library/detail.aspx?g=3fb7ee02-d677-498c-be71-a89c8f97e9b7

We have to admit that Telegram is very peculiar software as compared
to all other available chat software in free OS such as Parabola.

It is not the job of Parabola's maintainers to protect people from
themselves.

Well, I think you are at the point, but statement is wrong. IMHO it is
exactly the desire of free OS developers to give users full
freedom. If, for example, there would be proprietary software in
Parabola, users would not necessarily act, they could not maybe easily
find it out.

Please review this RMS's article:
https://www.gnu.org/philosophy/free-sw.html

Quote
=====

The freedom to run the program as you wish, for any purpose
(freedom 0).

COMMENT: to get to the point, I have stated GPL3 is in conflict with
Telegram's API terms. As `telegram-desktop` is vendor's product,
published by Telegram company -- and they as company, impair users'
freedom with additional terms as demonstrated. Do we have freedom to
modify software to be functional how we wish and want? For example,
can we modify hostname in the software that we can communicate with
the software beyond the promotion of relationship to vendor?

In XMPP, IRC, WWW, Browsers, any kind of chat clients, we may modify
anything we wish, how we wish. Only in this software it is not
possible because there is vendor lock.

The freedom to study how the program works, and change it so it
does your computing as you wish (freedom 1). Access to the source
code is a precondition for this.

COMMENT: Here is same, I would like to use this software on my own
servers, but I cannot, it will not do computing as I wish, despite the
access to the source, because it is legally impaired with additional
API terms.

The freedom to redistribute copies so you can help others (freedom
2).

The freedom to distribute copies of your modified versions to
others (freedom 3). By doing this you can give the whole community
a chance to benefit from your changes. Access to the source code
is a precondition for this.

A program is free software if it gives users adequately all of these
freedoms. Otherwise, it is nonfree. While we can distinguish various
nonfree distribution schemes in terms of how far they fall short of
being free, we consider them all equally unethical.

COMMENT: I do not see how users have adequately these freedoms with
this package.

In any given scenario, these freedoms must apply to whatever code we
plan to make use of, or lead others to make use of. For instance,
consider a program A which automatically launches a program B to
handle some cases. If we plan to distribute A as it stands, that
implies users will need B, so we need to judge whether both A and B
are free. However, if we plan to modify A so that it doesn't use B,
only A needs to be free; B is not pertinent to that plan.

COMMENT: The above scenario explains this situation precisely, with
the difference that program B is launched on vendor's server, and
program A (telegram-desktop) is not allowed to be modified in a way to
communicate with people outside of the vendor's server. See API terms,
that impair GPL3.

Privacy is a personal responsibility.

Well, you wish to say, contributors in free OS have no obligations,
blah blah -- but that is true, nobody has true legal obligation, we
have moral obligations to help people. Statement is useless. There are
many privacy researchers, we cannot just close both eyes and say "it
is your responsibility". You are legally free to do so, but I decline
and I take responsibility to tell others about privacy issues.

It is up to the user to make informed choices about the privacy
trade-off that they are comfortable with.

I have given good example that I could not make informed choice, maybe
you missed to read it. And I was flaming surprised on what happened!

After all, privacy issue we may put on side, what is not here at hand
is impairment of GPL3 by additional API terms.

Complaining that Telegram does exactly what they stated in their
Privacy Policy and thus should be banned is akin to claiming that
the Javascript and webgl features in browsers allow people to be
tracked and so the browsers should be banned or have that
functionality stripped out.

It is not akin.

As with browser user decides which hostname to connect to, there is
choice. With Telegram, user cannot decide it, neither is allowed to
modify the program in such way not to communicate with other Telegram
users.

#8

Updated by oaken-source 2 months ago

maddox wrote:

Quote =====

The freedom to run the program as you wish, for any purpose
(freedom 0).

COMMENT: to get to the point, I have stated GPL3 is in conflict with
Telegram's API terms. As `telegram-desktop` is vendor's product,
published by Telegram company -- and they as company, impair users'
freedom with additional terms as demonstrated. Do we have freedom to
modify software to be functional how we wish and want? For example,
can we modify hostname in the software that we can communicate with
the software beyond the promotion of relationship to vendor?

Please provide clarification why you think the telegram APIs terms are in conflict with the GPL. Cite the relevant sections of the GPL and the TOS. Citing the four freedoms is not enough, because these are philosophical. The license text is legally binding. So claims of GPL violations need to be founded in the legal text.

The freedom to study how the program works, and change it so it
does your computing as you wish (freedom 1). Access to the source
code is a precondition for this.

COMMENT: Here is same, I would like to use this software on my own
servers, but I cannot, it will not do computing as I wish, despite the
access to the source, because it is legally impaired with additional
API terms.

You can change the client software as you wish, including adding the capability to connect to modified servers. I don't see the issue here.

The freedom to redistribute copies so you can help others (freedom
2).

The freedom to distribute copies of your modified versions to
others (freedom 3). By doing this you can give the whole community
a chance to benefit from your changes. Access to the source code
is a precondition for this.

A program is free software if it gives users adequately all of these
freedoms. Otherwise, it is nonfree. While we can distinguish various
nonfree distribution schemes in terms of how far they fall short of
being free, we consider them all equally unethical.

COMMENT: I do not see how users have adequately these freedoms with
this package.

In any given scenario, these freedoms must apply to whatever code we
plan to make use of, or lead others to make use of. For instance,
consider a program A which automatically launches a program B to
handle some cases. If we plan to distribute A as it stands, that
implies users will need B, so we need to judge whether both A and B
are free. However, if we plan to modify A so that it doesn't use B,
only A needs to be free; B is not pertinent to that plan.

COMMENT: The above scenario explains this situation precisely, with
the difference that program B is launched on vendor's server, and
program A (telegram-desktop) is not allowed to be modified in a way to
communicate with people outside of the vendor's server. See API terms,
that impair GPL3.

You have identified the relevant difference yourself here. Since Program B is launched on a server, and that server is a) outside of your personal computing and b) provides a communication service to the program (compare: https://www.gnu.org/philosophy/who-does-that-server-really-serve.en.html), this is a) not in violation with any of the four freedoms, which deal with your personal freedom of computing, and b) it's also not SaaSS.

Telegram as a company have every right to dictate how you, as a consumer of their service, use their computing. (within reason of course, regarding issues of privacy laws etc.)

Privacy is a personal responsibility.

Well, you wish to say, contributors in free OS have no obligations,
blah blah -- but that is true, nobody has true legal obligation, we
have moral obligations to help people. Statement is useless. There are
many privacy researchers, we cannot just close both eyes and say "it
is your responsibility". You are legally free to do so, but I decline
and I take responsibility to tell others about privacy issues.

This paragraph to me makes it clear that you are very personally invested in this issue, which means you are arguing from an emotional rather than a rational perspective. Please understand that we have to keep focussed on the technical facts while evaluating the very serious allegations that have been raised here. Becoming emotional does generally not help in such a discussion.

#9

Updated by freemor 2 months ago

  • Status changed from not-a-bug to unconfirmed
  • Subject changed from telegram-desktop: phone number is released to other telegram users having the phone number in their addressbook to telegram-desktop: Has extra term that conflict with the GPL and freedom 0
  • Tracker changed from Privacy Issue to Freedom Issue

I changed this to a freedom issue. And set it back to unconfirmed. I'll take a look at the licence later today if I get a chance. But depending on the terms it may require more eyes than mine.

If the extra terms only relate to interacting with the Telegram API that would be no impediment to reverse engineering the protocol and building your own server. As that would not interact with their API/etc on their server nor interfere with the operation etc. Extra terms are definitely a concern.

WRT the snippet from the Privacy policy. I was not arguing that it was legally binding in all jurisdictions. But rather that people should be aware of what they are running before they go ahead and create an account. The devs here can not possibly protect users from borking their privacy. There are too many ways for the user to do such. In many cases they may be knowingly making that trade off because they truly desire to use a thing. It is not parabola's job to tell them they can not. That would not be freedom.

IMHO Telegram is problematic on so many fronts that I'd not be sad to see it go. I know bill-auger probably feels the same. I really do not know why telegram is so popular. It definitely is not something I'd ever use. That said packaging decisions should not be based on the personal opinions of the Devs.

#10

Updated by freemor 2 months ago

Added license from the telegram-desktop git.

I believe that the OP is trying to say that the TOS conflict with the GPL particularly:

  12. No Surrender of Others' Freedom.

  If conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License.  If you cannot convey a
covered work so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you may
not convey it at all.  For example, if you agree to terms that obligate you
to collect a royalty for further conveying from those to whom you convey
the Program, the only way you could satisfy both those terms and this
License would be to refrain entirely from conveying the Program.

#11

Updated by freemor 2 months ago

The API TOS that the OP linked above:

Telegram API Terms of Service

We welcome all developers to use our API and source code to create Telegram-like messaging applications on our platform free of charge. In order to ensure
consistency and security across the Telegram ecosystem, all third-party client apps must comply with the following Terms of Service.

1. Privacy & Security

1.1. Telegram is a privacy-oriented platform. All client apps must, therefore, guard their users' privacy with utmost care and comply with our Security
Guidelines.
1.2. Developers are welcome to add new features or improve and extend existing Telegram features provided that these modifications do not violate these Terms
of Service.
1.3. As a client developer, you must make sure that all the basic features of the main Telegram apps function correctly and in an expected way both in your app
and when users of your app communicate with other Telegram users. It is forbidden to force users of other Telegram clients to download your app in order to
view certain messages and content sent using your app.
1.4. It is forbidden to interfere with the basic functionality of Telegram. This includes but is not limited to: making actions on behalf of the user without
the user's knowledge and consent, preventing self-destructing content from disappearing, preventing last seen and online statuses from being displayed
correctly, tampering with the 'read' statuses of messages (e.g. implementing a 'ghost mode'), preventing typing statuses from being sent/displayed, etc.

2. Transparency

2.1. You must obtain your own api_id for your application.
2.2. We offer our API free of charge, but your users must be aware of the fact that your app uses the Telegram API and is part of the Telegram ecosystem. This
fact must be featured prominently in the app's description in the app stores and in the in-app intro if your app has it.
2.3. To avoid confusion, the title of your app must not include the word “Telegram”. An exception can be made if the word “Telegram” is preceded with the word
“Unofficial” in the title.
2.4. You must not use the official Telegram logo for your app. Both the Telegram brand and its logo are registered trademarks protected by law in almost every
country.

3. Advertising & Monetization

3.1. Developers are allowed to monetize their coding efforts through advertising or other legitimate means.
3.2. If you decide to monetize your app, you must clearly mention all the methods of monetization that are used in your app in all its app store descriptions.

4. Breach of terms

4.1. If your app violates these terms, we will notify the Telegram account responsible for the app about the breach of terms.
4.2. If you do not update the app to fix the highlighted issues within 10 days, we will have to discontinue your access to Telegram API and contact the app
stores about the removal of your apps that are using the Telegram API in violation of these terms.

We reserve the right to expand these terms and guidelines as the need arises. We will inform client developers of such changes via an in-app notification to
their accounts connected to the app in question.

I'm not sure how these would interact with the GPL as they seem to be specifically about interacting with the Telegram Server. To me creating one's own server would completely negate the importance of the above. However I'm not license wonk enough to know if these conflict with the section I mentioned above or any other part of the GPL.

I do not see anything in here that relates to software directly, just how one must use the telegram services API if one chooses to do so.

#12

Updated by freemor 2 months ago

After looking at both of these I'm strongly leaning back in the not-a-bug direction.

is it true that telegram-desktop is pretty much useless without the server - yep

Is it true that there currently is no libre telegram server - yep

Do those facts negate the GPL - nope

Does interacting with telegrams server require you to follow their rules - Yep, but that is true of any third party service/server

Does that negate the GPL - Not that I see.

I'm sure with a quick grep / sed I could change all the server URI's in Telegram desktop to 127.0.0.1 and then work at reverse engineering. without violating the API TOS in any way.

This looks to me like a standard case of libre client proprietary server. Which is sadly all too common and a bit of a bait and switch IMHO. But not a violation of the GPL

#13

Updated by bill-auger 2 months ago

I know bill-auger probably feels the same.
I really do not know why telegram is so popular.
It definitely is not something I'd ever use.

it gained popularity on mobile phones, like signal, whatsup, and
others, which libre folks generally would see as completely
unnecessary - that is, if mobile users and mobile devs were
generally libre-minded folks, those services would probably be
based on open standards

there is one thing about this program to their credit: at least
its not an electron "app" - ironically, that would make this
decision easier, if it were

i will add some historical context, because i dont think this
ever made it onto the bug tracker - the original freedom issue
with this program, was that people claimed that the server sent
random javascript to the client routinely - if true, that would
be a clear freedom concern; but no one demonstrated it - the
reason i bothered to ask RMS, was precisely about that "grey
area", namely:

what about a libre program which sole purpose entails
blindly executing arbitrary proprietary scripts from the
network?

surely, such a program would need to be patched, at the least
- he apparently missed that subtlety, and responded with
the otherwise expected: "if the client is libre, its no problem"
- i did not care to argue about it further; and would have
preferred to simply banish it, than to take the time to
investigate or patch it myself

not that i am particularly trigger-happy to blacklist
packages - my rationale was simply that alleged freedom issue
reduced the 'desirability/work-load' ratio significantly - the
philosophical issue is clearly present; but that alone does not
justify removing it, so i did not

if we are going to do a deep dive into this one, i think it
would be wise to see if it has a JS engine, and if it evals or
includes arbitrary scripts off the wire

#14

Updated by oaken-source 2 months ago

bill-auger wrote:

"if the client is libre, its no problem"

That is my understanding of the situation as well.

#15

Updated by bill-auger 2 months ago

all third-party client apps must comply with the following Terms of Service.

that is probably the main point of confusion - that precise
wording is simply not true - if the client is intended to be
copyleft, then that statement translates to: "our service will
block sufficiently deviant clients" - that would not conflict
with the GPL

the pretext there is that no one would ever implement a derived
server, and every derived client would use only that one
proprietary service - AFAIK, that would need to be specified in
the license (eg: "... but you must not modify the
protocol-specific code"); and thus it would not be the GPL

if the API/protocol were proprietary, and derivatives or
re-implementations of the API/protocol were prohibited, then it
would be more of a patent issue than a freedom issue, no
different than patented media codecs - we would need to remove
the restricted code, probably rendering the application useless,
and therefore the "desirability/work-load" ratio to nearly zero

if that were the case, i would expect to find some discussion on
the mailing lists of debian, fedora, etc - fedora has
traditionally been especially keen to prohibit software with
patent restrictions - the desktop client is in debian main - i
could not find the desktop client in fedora; but the CLI client
and pidgin plugins are there

#16

Updated by maddox 2 months ago

Issue #3010 has been updated by freemor.

File LICENSE added

Added license from the telegram-desktop git.

I believe that the OP is trying to say that the TOS conflict with
the GPL particularly:

I think TOS is not same as Telegram API terms to which I have been
referring:
https://core.telegram.org/api/terms

As that API terms refer to third party clients, if telegram-desktop
package would be modified, it becomes third party client, and thus
some issues contradict the GPL3 there.

#17

Updated by maddox 2 months ago

Issue #3010 has been updated by freemor.

After looking at both of these I'm strongly leaning back in the not-a-bug direction.

is it true that telegram-desktop is pretty much useless without the server - yep

Is it true that there currently is no libre telegram server - yep

Do those facts negate the GPL - nope

Issue is not if those above facts like being useless without server and
no server available negate GPL, that was also not brought up here as
an issue. Issue is that there is additional API terms that prohibit
how program issued under GPL cannot be modified. If we call it
violation or contradiction, it is fine.

We speak here of terms under which program cannot be modified, which
contradict the four freedom. It is explained here:
https://www.gnu.org/philosophy/free-sw.html

The freedom to run the program means the freedom for any kind of
person or organization to use it on any kind of computer system, for
any kind of overall job and purpose, without being required to
communicate about it with the developer or any other specific
entity. In this freedom, it is the user's purpose that matters, not
the developer's purpose; you as a user are free to run the program for
your purposes, and if you distribute it to someone else, she is then
free to run it for her purposes, but you are not entitled to impose
your purposes on her.

Taking it from sense of that RMS article, I would say that in free
software OS, we shall use a check list item:

- [ ] By including this package, do we follow user's purpose or the
developer's purpose?

- [ ] Do we impose vendor's purposes on users?

Does interacting with telegrams server require you to follow their
rules - Yep, but that is true of any third party service/server

I was speaking of modifying software, users interact, but they do not
know about it. A developer who modifies the software has a legal basis
to do so, that is the license. However, the legal basis is extended
with additional API terms which contradict the original license.

Does that negate the GPL - Not that I see.

API terms, negate the GPL:

" You may not impose any further restrictions on the exercise of the
rights granted or affirmed under this License." -- but further
restrictions ARE there.

But we are free to remedy it in the program, if such further
restrictions are mentioned in the program.

All other non-permissive additional terms are considered "further
restrictions" within the meaning of section 10. If the Program as you
received it, or any part of it, contains a notice stating that it is
governed by this License along with a term that is a further
restriction, you may remove that term. If a license document contains
a further restriction but permits relicensing or conveying under this
License, you may add to a covered work material governed by the terms
of that license document, provided that the further restriction does
not survive such relicensing or conveying.

So far I know, those further restrictions are NOT mentioned, and thus
the full terms are not transparent to user of Parabola. In other
words, the full licensing terms are not there, there is GPL3, but API
terms are not given with the software. There is conflict.

I'm sure with a quick grep / sed I could change all the server URI's
in Telegram desktop to 127.0.0.1 and then work at reverse
engineering. without violating the API TOS in any way.

Read: https://core.telegram.org/api/terms

1.3. As a client developer, you must make sure that all the basic
features of the main Telegram apps function correctly and in an
expected way both in your app and when users of your app communicate
with other Telegram users. It is forbidden to force users of other
Telegram clients to download your app in order to view certain
messages and content sent using your app.

So we cannot make modifications "as we wish." And again do we serve
the purpose of vendor here? Or we serve purpose of user in the context
for user to have freedom 0?

This looks to me like a standard case of libre client proprietary
server. Which is sadly all too common and a bit of a bait and switch
IMHO. But not a violation of the GPL

In free software distributions we do not have standard cases like
this that I know. It is peculiar case.

#18

Updated by maddox 2 months ago

Issue #3010 has been updated by oaken-source.

bill-auger wrote:

"if the client is libre, its no problem"

That is my understanding of the situation as well.

Client is not libre if full licensing terms encompass both GPL3 and
API terms that contradict each other.

Though, GPL3 gives us freedom not to consider those API terms. But I
do not think it would give us full freedom of liabilities when
somebody would really start modifying the software.

#19

Updated by maddox 2 months ago

Issue #3010 has been updated by bill-auger.

all third-party client apps must comply with the following Terms of Service.

that is probably the main point of confusion - that precise
wording is simply not true - if the client is intended to be
copyleft, then that statement translates to: "our service will
block sufficiently deviant clients" - that would not conflict
with the GPL

The one technical consequence does not exclude legal
consequence. Technical consequence is to block deviant clients, legal
consequence may be that user is prohibited to use API and issue may be
raised in court. While this is unlikely, option exists. Ask your
personal attorney.

the pretext there is that no one would ever implement a derived
server, and every derived client would use only that one
proprietary service - AFAIK, that would need to be specified in
the license (eg: "... but you must not modify the
protocol-specific code"); and thus it would not be the GPL

It should be obvious from various previous GPL violations that
companies may impose various EULA or other terms that contradict the
GPL, and they may not clearly say so.

if the API/protocol were proprietary, and derivatives or
re-implementations of the API/protocol were prohibited, then it
would be more of a patent issue than a freedom issue, no
different than patented media codecs - we would need to remove
the restricted code, probably rendering the application useless,
and therefore the "desirability/work-load" ratio to nearly zero

API is proprietary, API terms have been already referenced here, there
are no freedoms. If API is not proprietary, you may please post here
the URL to the reference that shows how it is not proprietary.

Read:
https://core.telegram.org/api/terms

Example:

"We welcome all developers to use our API and source code to create
Telegram-like messaging applications on our platform free of
charge. In order to ensure consistency and security across the
Telegram ecosystem, all third-party client apps must comply with the
following Terms of Service." -- this tells us that condition to use
API is only if user complies to terms. It says "free of charge" --
such documents are written by legal teams. If now large company comes
and modifies software for example to harvest some information faster,
then their legal team will come against that company and say in the
court:

- API is free of charge only under condition when our API terms are
respected

- as you have not respected it, we ask you to pay 10 million dollars.

While API terms may be apparently written as "free" they do not refer
to freedom, they refer to charge, and free charges under specific
conditions. Additionally, API terms are vague, as they may be expanded
as vendor's need arises.

If you do not have legal knowledge, I am advising you ask your fellow
attorney, personal attorney to review it.

if that were the case, i would expect to find some discussion on
the mailing lists of debian, fedora, etc - fedora has
traditionally been especially keen to prohibit software with
patent restrictions - the desktop client is in debian main - i
could not find the desktop client in fedora; but the CLI client
and pidgin plugins are there

Patents may be there, it is not necessary obstacle to include package
into Parabola and is not relevant here.

What is really relevant is that this package serves vendor's purpose,
not users' purpose to have freedom.

Without legal advice, by attorney, we cannot make proper legal
decision ourselves. What we can do is to see that it conflicts free
software philosophy.

Software as such, does not conflict GPL3. We can for example modify it
not to connect to Telegram, we could even connect it with other
protocol to other networks, like Fediverse or XMPP.

#20

Updated by maddox 2 months ago

Issue #3010 has been updated by oaken-source.

Please provide clarification why you think the telegram APIs terms
are in conflict with the GPL. Cite the relevant sections of the GPL
and the TOS. Citing the four freedoms is not enough, because these
are philosophical. The license text is legally binding. So claims of
GPL violations need to be founded in the legal text.

I have already referenced it previously. Please try to connect the
dots:

- GPL3 itself, mentions "further restrictions"; thus this comes from
practice of those who imposed further restrictions; it is relevant
to API terms;

- API terms impose further restrictions on clients; and is in conflict;

- Full terms for this client is not only GPL3, but also GPL3 and API
terms;

- We do have freedom to remove those "further restrictions" if they
are in the package; they are not that I know; they are on the
website;

From GPL3, with comments:

All other non-permissive additional terms are considered "further
restrictions" within the meaning of section 10. If the Program as you
received it, or any part of it, contains a notice stating that it is
governed by this License along with a term that is a further
restriction, you may remove that term. If a license document contains
a further restriction but permits relicensing or conveying under this
License, you may add to a covered work material governed by the terms
of that license document, provided that the further restriction does
not survive such relicensing or conveying.

Thus GPL3 speaks of "license document" referring to something else but
GPL3, in this example API terms, but those further restrictions do
survive relicensing and conveying.

If you add terms to a covered work in accord with this section, you
must place, in the relevant source files, a statement of the
additional terms that apply to those files, or a notice indicating
where to find the applicable terms.

Which is not placed in the relevant source files. For example those
source files that interact with API, and which are contradictory. We
have freedom to ignore it, how I understand it, and I am not satisfied
with it as there is legal conflict.

Telegram as a company have every right to dictate how you, as a
consumer of their service, use their computing. (within reason of
course, regarding issues of privacy laws etc.)

Yes, though being a consumer is not related to freedom to modify
software.

Privacy is a personal responsibility.

Well, you wish to say, contributors in free OS have no obligations,
blah blah -- but that is true, nobody has true legal obligation, we
have moral obligations to help people. Statement is useless. There are
many privacy researchers, we cannot just close both eyes and say "it
is your responsibility". You are legally free to do so, but I decline
and I take responsibility to tell others about privacy issues.

This paragraph to me makes it clear that you are very personally
invested in this issue, which means you are arguing from an
emotional rather than a rational perspective. Please understand that
we have to keep focussed on the technical facts while evaluating the
very serious allegations that have been raised here. Becoming
emotional does generally not help in such a discussion.

I do not see your points there relevant.

IMHO, non-endorsed distributions may do what they want, they actually
do it, and they have freedom issues.

In FSF endorsed distributions we do not have a final set of
guidelines. We have to discuss moral and ethical issues, what we are
now doing. Free OS-es decision management shall not be robotical and
look only into fact if software is free. RMS has already mentioned on
Emacs Devel mailing list problems with MELPA, as there are some
packages that are maybe GPL3, but which sole purpose is to run or
operate non-free or proprietary software. Because MELPA distributes
such software MELPA is not considered ethical repository. Technically,
user has rights to modify package, but ethically, it contradicts to
free software philosophy, that is why there is now Non-GNU ELPA, to
distribute packages, while not to drive users to MELPA.

In the same sense and analogy, we have free software OS-es, that are
not meant to distribute software only by looking into the aspect of
being GPL3/similarly free licensed, we have to look into ethical
aspect.

We cannot possibly look only into technical aspects of software, like
asking ourselves: are we free to modify it as we wish, disregarding
decentralization issue, disregarding further API terms restrictions,
disregarding privacy issue, disregarding that package
`telegram-desktop` serves vendor's purpose, not users' purpose (to
have freedoms).

#21

Updated by bill-auger 2 months ago

this program does serve the purpose of some parabola users -
that is the only reason why i did not delete it 2 years ago -
parabola users wanted to use it; because it serves their
purpose - i do not agree with their purpose; but thats
besides the point - myself and the majority of parabola users
are content to ignore the package

AFAIAC, if the authors of that program had the right to release
it under the GPL, and they did in fact release it under the GPL,
then they have in fact granted to the entire world, explicit
and irrevocable permission to modify and re-distribute the
implementation - therefore, any patent which they may once have
had on the protocol, would be effectively forfeited

for that reason, i think that the server ToS is completely
irrelevant in this case; and it is a waste of time to read it -
the GPL does not say that the GPL is invalidated by extra
restrictions - it says that anyone with a copy of the license,
may simply ignore any extra restrictions, imposed by anyone,
including the author

o/c, no one in this discussion is a lawyer; so no progress is
being made by discussing vague legal issues on this bug tracker -
if there were any unclear legal issues with this software, i am
quite certain that the debian-legal mailing list would have some
interesting information - the fact that this program is in debian
main, is a very good indication that it is kosher

you should really be asking the FSF about this - i would start
by convincing the FSD maintainers to reject it - if this program
has problems, then all FSDG distros will need to remove it - we
would remove it immediately, if the FSF asked us to

#22

Updated by bill-auger 2 months ago

  • Assignee set to freemor

freemor - i assigned this ticket to you

Kirk ... out

#23

Updated by freemor 2 months ago

  • % Done changed from 0 to 100
  • Priority changed from bug to discussion
  • Status changed from unconfirmed to not-a-bug

I agree with bill-auger and GNUtoo.

This has been discussed to death at this point.

I see no GPL violation here.

I'm closing this issue as not-a-bug.

#24

Updated by maddox 2 months ago

Issue #3010 has been updated by bill-auger.

AFAIAC, if the authors of that program had the right to release
it under the GPL, and they did in fact release it under the GPL,
then they have in fact granted to the entire world, explicit
and irrevocable permission to modify and re-distribute the
implementation - therefore, any patent which they may once have
had on the protocol, would be effectively forfeited

So far patents are not of concern for free OS.

for that reason, i think that the server ToS is completely
irrelevant in this case;

Maybe ToS -- I did not read it.

API Terms are not same as ToS.

API Terms are not related to patent, neither the issue at hand.

and it is a waste of time to read it -
the GPL does not say that the GPL is invalidated by extra
restrictions - it says that anyone with a copy of the license,
may simply ignore any extra restrictions, imposed by anyone,
including the author

We may remove "further restrictions", that is it.

Definitely we may modify program and do what we want.

Technically we can do it.

But that alone will not liberate modifier from legal threats.

What remains is the purpose.

Should free OS-es be inclined to serve vendors' purposes in the long
term and by principle?

Or is this just a peculiar single case?

FSF stance is clear that we need more decentralization, not
centralization.

IMHO this package inclusion is based exclusively on popularity. Vendor
made it "free software" with purpose to gain more and more
users. Would vendor truly believe in free software principles, server
would be free as well. Because that is not so, it is visible that
software is locked to vendor, it serves vendor's purpose only, not
users' purposes.

https://www.gnu.org/philosophy/who-does-that-server-really-serve.html
The article there says:

On the Internet, proprietary software isn't the only way to lose your
computing freedom. Service as a Software Substitute, or SaaSS, is
another way to give someone else power over your computing.

Now, free software is made that is included in the Free OS (endorsed
one). I don't mind if we may use GPL3 to ignore further restrictions,
that is great, but inclusion of such software in the free OS, IMHO,
collides with the fundamental principles.

How Service as a Software Substitute Takes Away Your Freedom

Service as a Software Substitute (SaaSS) means using a service as a
substitute for running your copy of a program. Concretely, it means
that someone sets up a network server that does certain computing
activities—for instance, modifying a photo, translating text into
another language, etc.—then invites users to let that server do their
own computing for them. As a user of the server, you would send your
data to the server, which does that computing activity on the data
thus provided, then sends the results back to you or else acts
directly on your behalf.

Let us take this peculiar example of Telegram into hypothetical
developments of future software. What if www.wolframalpha.com provides
GPL3 client to software, that users may calculate algebra, math, make
graphics and plotting, geometry by software that interacts with the
online service, every free FSF endorsed OS includes this package. Do
we increase freedom of users this way, or not?

Would there be 500 Telegram-like applications that are made solely to
promote relationship with vendor, would we be including them in the
free OS, just because they are made GPL3?

Would that be an OS that gives freedom of computing to users?

I don't think so.

IMHO, FSDG have to be updated.

And I think Telegram desktop is defended in FSDG not because of
freedom, it should be clear that we do not have computing freedom, as
it is locked to specific vendor with proprietary API and server
software.

It is defended because of popularity.

Adopting this type of corrupted principles corrupts the FSF goals as
well. It is not in alignment.

Example with Hyperbola GNU/Linux-libre, my favorite. I would not be
using Parabola, I have switched from Hyperbola for time being as
specific GPS/geographic software is in Parabola, but I could not build
it in Hyperbola.

IMHO Hyperbola is doing better job among free FSDG, they do not favor
popularity, technicality, they are uncompromised.

Many of our computers in local area network still run Hyperbola. Here
is one result of the grep of your-freedom's blacklist:

[admin@t400 your-freedom]$ grep -i telegram blacklist.txt
cutegram::hyperbola:1005:[nonprivacy] only useful with Telegram service
libqtelegram-ae::hyperbola:1006:[nonprivacy] only useful with Telegram service
telegram-qt::hyperbola:1007:[nonprivacy] only useful with Telegram service
telegramqml::hyperbola:1008:[nonprivacy] only useful with Telegram service
telepathy-morse::hyperbola:1009:[nonprivacy] only useful with Telegram service

Thus all Telegram applications are removed.

Strictness of Hyperbola is what makes it exceptional free OS. They do
care about issues that take away users' freedom, and will not be
opportunistic and look only into technicality of software.

Example:

flickrnet::::[nonprivacy] only useful with Flickr service

I agree with it. If software is useful only with SaaSS then such
software impairs freedom of computing. But if flickrnet can be used
with my own self-hosted server, it should be included as then it makes
sense to be in the free OS.

purple-facebook::hyperbola:909:[nonprivacy] only useful with Facebook
service

Plugin is excluded because it interacts with Facebook only
service. Good choice.

certbot-dns-cloudflare::::[nonprivacy] provides support for services
that are unsafe and dangerous

npm is excluded because repository does not distinguish between free
and non-free.

Software depending on npm is thus excluded for example.

skype-call-recorder::::[uses-nonfree] only useful with Skype installed

This is similar case. Software is GPL3, but serves vendor's purpose
only. We do not increase users' freedom by including that
software. We diminish users' freedom.

I have given few examples from Hyperbola and I expect and welcome new
Hyperbola BSD with GNU tools, but not GNU related, OS version that
will truly respect users' freedom.

#25

Updated by oaken-source 2 months ago

You keep raising two points, which have been proven invalid before:

1.) you claim that telegram violates the GPL

this is false.

2.) you claim that telegram is SaaSS

this is also false.

You also claim that the telegram desktop client 'serves the vendor's purpose only', but it remains unclear how exactly this is a tangible, provable problem with respect to the FSDG that warrants removal of the package.

the rest of your argument is based on the previous two false premises. Unless you can bring forward new arguments, there is nothing more to discuss here.

You may notice that the telegram packages in hyperbola are blocked for the '[nonprivacy]' reason. I didn't look at the relevant issue in the hyperbola issue tracker, but we blacklist packages with privacy problems in the [nonprism] repository, specifically the package your-privacy. You should consider enabling this repository.

If you think that telegram-desktop should be blacklisted for privacy related reasons in the your-privacy blacklist package, then please start a new ticket. This one is getting too long and convoluted.

#26

Updated by maddox 2 months ago

Issue #3010 has been updated by oaken-source.

You keep raising two points, which have been proven invalid before:

1.) you claim that telegram violates the GPL

this is false.

When describing somebody's claim, then please quote, or otherwise you
deviate from original claim. As you can see I am quoting your
statement here exactly. And no, I did not claim that "telegram
violates the GPL" -- I do not express myself in vague dubious manner,
and I myself try to reach conclusions. There is no claim, there is
discussion of possible issue related to privacy, freedom and
distribution packaging principles.

Further restrictions as described in the GPL3 do exist on the API terms
page, and those are not allowing users' freedom to modify software how
users wish and want.

We have our freedom by the GPL3 to ignore that.

By ignoring vendor's terms, this does not necessarily limit our
liabilities, that is matter that is solved in courts, and it is
unlikely that some developers group will start changing Telegram
Desktop to use it with their own Telegram server, when this is
specifically disallowed -- which means, sooner or later they would get
legal threats, Telegram is stronger company, not weaker.

But we do have our freedom by the GPL3 to ignore those.

However, the inclusion of such package does not serve users' freedom,
it serves promotion of vendor relationship, it serves vendor's
purpose, not user's purposes.

That software has GPL3 should not be the only decision factor.

2.) you claim that telegram is SaaSS

this is also false.

Telegram Desktop is GPL3 licensed client that interacts with
proprietary server that does computations on behalf of the client.

Read:
https://www.gnu.org/philosophy/who-does-that-server-really-serve.html

Quote:

SaaSS means using a service implemented by someone else as a
substitute for running your copy of a program. The term is ours;
articles and ads won't use it, and they won't tell you whether a
service is SaaSS. Instead they will probably use the vague and
distracting term “cloud”, which lumps SaaSS together with various
other practices, some abusive and some ok. With the explanation and
examples in this page, you can tell whether a service is SaaSS.

When you use XMPP chat and register username at some server, they are
computing, there is software running as a substitute for running your
copy of a program, that is SaaSS. Telegram is SaaSS.

The difference between XMPP and Telegram is that users of free OS,
have the XMPP server included in the free OS, and they have the
freedom to run their own copy of the program. They can change the
hostname freely and use software as they wish, without being locked to
vendor.

Telegram Desktop users are exclusively locked to vendor, and they have
to submit their freedom to vendor's purpose.

Thus my proposal is that FSDG should disallow any software in free OS
distributions when software is used exclusively to promote vendor's
purpose, not users' purposes, see:
https://www.gnu.org/philosophy/free-sw.html because "The freedom to
run the program means the freedom for any kind of person or
organization to use it on any kind of computer system, for any kind of
overall job and purpose, without being required to communicate about
it with the developer or any other specific entity." -- but WE ARE
required to communicate with vendor, and submit to vendor's API terms
and we cannot just use Telegram Desktop with any kind of computer
system, we have to use it exclusively with the vendor's computer
system.

If there is server software that client software can be used
decentralized, that should be allowed in free system distributions.

We have to ask practical questions before including such software in
free OS or FSF endorsed distributions, questions such as: Do we give
to user more freedom or less by including the software?

Do we give more freedom to user by providing `openfire' and `prosody'
XMPP servers together with many XMPP clients? I think yes, as users
can build upon it, modify software, even make their own protocols,
change software both on server and client, it is meaningful.

Do we give more freedom to user by providing various web servers and
web browsers? I think yes, as users can even modify the HTTP
protocol, modify both servers and browsers. They have freedom to
choose to which remote server they connect and they have freedom to
install their own copy of program, they are not locked by vendor.

Same for dictionaries, we shall not include GPL client dictionaries
that are pointing to proprietary dictionary, but we install GPL client
package that points out to server which server's host can be changed
by the user. User may use for example dict.org but can also install
dictd server and use that one.

That should be the rule for FSF endorsed distributions.

Copy of this to RMS and FSF.

Hyperbola GNU/Linux-libre disallows such software already.

Other issue is that FSF promotes decentralization but allows
centralized packages in fully free FSF endorsed distributions, that is
contradiction in its own free software politics:

Quote from:
https://www.fsf.org/campaigns/campaigns-summaries#surveillance

If we want to defang surveillance programs like PRISM, we need to stop
using centralized systems and come together to build an Internet
that's decentralized, trustworthy, and free "as in freedom." Check out
the surveillance campaign area to get involved with the effort to make
the Web in general safer and from surveillance.

On an individual level, we also need to start encrypting our personal
communication to make bulk surveillance much more difficult and to
protect the people we communicate with. Try Email Self-Defense, our
beginner's guide to email encryption, to get started in less than an
hour.

Telegram Desktop DOES NOT support decentralization. So far I have
found by researching it does not even support encryption and messages
remain unencrypted on server. This issue may be solved until now, but
that information is what I found. There are numerous database leaks
from Telegram network.

Quote from:
https://www.fsf.org/campaigns/surveillance

Mass-scale surveillance like PRISM is disturbing, but is an
unsurprising effect of how centralized the Web is today. For years,
people have been trusting more and more of their data to remotely
hosted systems. Users are also giving up control of their computing to
Service as a Software Substitute (SaaSS), remotely-hosted programs
that exchange data with users to do computing that they could do on
their own machines. In both cases, there's no way to see what these
servers are doing with your data, so you have to take the host's word
for it that they are being responsible. But these companies submit to
governments when they ask for your information, whether it's
ostensibly to fight terrorism or to stop unauthorized copying.

If we want to defang surveillance programs like PRISM, we need to stop
using centralized systems and come together to build an Internet
that's decentralized, trustworthy, and free "as in freedom

Comment: FSF's stance on those pages is something I agree to. But it
is contradictory to inclusion of software that serves the vendor's
purpose, which is centralized network, interacting with proprietary
server software that nobody of free OS users can install themselves.

you also claim that the telegram desktop client 'serves the vendor's
purpose only', but it remains unclear how exactly this is a
tangible, provable problem with respect to the FSDG that warrants
removal of the package.

FSDG is not final document. We are looking here into political issues
that concern users' freedom in computing in general.

I have given here quite good number of examples that demonstrate it.

Jean

#27

Updated by oaken-source 2 months ago

You claim again that telegram is SaaSS. it is not. Please read the website you reference in its entirety, especially the section titled "Distinguishing SaaSS from Other Network Services".

You claim that the telegram API terms and conditions restrict your freedom of computing as per the GPL. they do not. they restrict what you can and can not do as a participant of the telegram network. The difference should be obvious.

I will not comment on the other points you have raised because they are not related to software freedom. If you want to discuss privacy related issues, please open a separate issue. We should avoid mixing these issues up, otherwise the discussion becomes convoluted and unmanageable.

This issue is closed and will remain closed.

#28

Updated by maddox 2 months ago

You may close the issue on this page as you have authority to do so, that does not close the true issue, which is centralization, software that interacts only with proprietary SaaSS and that Parabola does not conform to FSF public statements on surveillance and decentralization.

#29

Updated by maddox 2 months ago

FWIW, when this package first entered the system, i wanted to
remove it, for essentially the same reasons you are arguing
for; but several parabola users wanted to use it - that is the
only reason it is still available - otherwise, i would have
removed it 2 years ago - that would have been entirely on my
personal opinion though - another parabola dev could have let it
back in

I said already, package is included because of popularity, without
insight into overall freedom issue.

And I said that Parabola developer gave me impression that I cannot
trust their decisions.

FWIW, i just checked trisquel, guix, and pureos - they all have
this program, and several other telegram clients - hyperbola does
not - maybe you would prefer hyperbola

That is why I have raised issue on the mailing list for free systems
and informed FSF about it.

It is absolutely not logical that FSF promotes decentralization and
wants people to promote decentralization and then to endorse
distributions that carry software that is meant to connect to
centralized network.

if there were a libre server for this program; you probably
would not be complaining about it - i believe you have stated
that explicitly - but, that would change absolutely nothing -

I don't think so, and I wonder how you do not see the point.

any server which the client connects to, would have all of the
same freedom and privacy concerns as the proprietary one, for
everyone who connects to it, except for the one person who hosts
it - the same is true for XMPP, IRC, or anything else - no one
has any software freedom while using someone else's server, and
no guarantee of privacy either - but that is no reason to purge
all clients from the repos - people should know, that software
freedom and privacy are going to be severely limited, tenuous, or
totally forfeited, as an inevitable consequence of using any
network services; and they accept any risks, merely by
connecting to them

The difference by having server software is that user is free to
install it oneself. I have mentioned that many times. No XMPP software
is defining some server explicitly, user is free to insert any
server. Those who do not have option to self-host may use other
servers, but freedom to host own server is there.

With Telegram Desktop there is no such freedom.

i think the most we we do, if it can be shown that it has
unreasonable privacy issues, would be to put it on the
your-privacy blacklist - there is no imperative to do so
though - the FSDG does not require distros to protect anyone's
privacy - that is something extra, that parabola tries to do;

FSDG is not a complete document, it is dynamic and new principles may
be defined, that is what I have proposed.

but it is impossible in practice - people should know that -
the only way to protect one's privacy on the internet, is
through educated decisions and self-restraint from sweet
temptations

Hyperbola demonstrates that increasing the protection of privacy for
users IS possible in practice. You can say the opposite, but
practically is possible.

We do not need to think robotic, like if it is written in the FSDG, it
does not mean decisions of developers are rigid, we need more common
sense thinking rather than thinking within some boundaries of FSDG
rules. The FSDG document itself says that those are not only
boundaries!

My analysis is my own, I look on the overall distribution's purposes
to improve users' freedom.

Which freedom do we offer by providing client software that is meant
to exclusively communicate with SaaSS?

Who cares if it is GPL licensed?

So what if software is included in other free distributions? You think
it is not an issue? I think the issue relates to all those
distributions, including to all other client software that communicate
to proprietary SaaSS without users having option to host free server
themselves.

If one distribution is corrupted, does that mean let us all be
corrupted leaning on those which are? I don't say they are, I am
giving here hypothetical review.

No, I don't think that Guix developers put enough intention on FSF
guidelines. I don't say FSDG within public FSDG boundaries, I say FSF
politics.

Organization's politics has to be aligned with its communication. FSF
wants decentralization but propagates centralized software and thus
promotes centralization through its infrastructure. How that makes
sense?

Developers will say: "FSF did not tell us anything" -- but they don't
want to look if FSF has already made statements on
decentralization.

as a general rule, we prefer much more to educate people about
computer usage, than to protect them from ignorance - it is much
more effective - putting it on the public blacklist with a clear
rationale, is really the best we can do, generally - otherwise
people will use this stuff anyways, with no warnings from anyone

Myself I do not promote that people should not use software X because
of reasons ABC, I promote that we shall in FSF endorsed distribution
not be hypocrites and not make the FSF hypocrite by doing what is
clearly said we shall not be doing.

- RMS speaks about SaaSS, FSF speaks about decentralization, FSF
endorses distributions that contain packages that are exclusively
made to talk to proprietary centralized SaaSS without freedom for
user to build their own network. It is hypocritical.

There are many reasons why somebody needs web server, I have been
installing web server many times, including in local area network and
to use a browser I need not external network. One example is offline
Wikipedia. Browser gives choice to user which server to access.

If browser would be exclusively talking proprietary protocols and be
tied to exclusively one vendor, then distribution becomes place for
promotion of vendors' relationships, without giving increase of
freedom to users.

Would our FSF endorsed distributions be most popular distributions,
let us say like Ubuntu or Debian, there would be more corporations
wanting to include their clients, they would be hypocritically
including their clients which can do nothing else but promote their
service.

This is not just one issue, it is not just privacy issue, it is not
just freedom issue, there are various issues.

#30

Updated by oaken-source 2 months ago

maddox wrote:

FWIW, when this package first entered the system, i wanted to
remove it, for essentially the same reasons you are arguing
for; but several parabola users wanted to use it - that is the
only reason it is still available - otherwise, i would have
removed it 2 years ago - that would have been entirely on my
personal opinion though - another parabola dev could have let it
back in

I said already, package is included because of popularity, without
insight into overall freedom issue.

I disagree. popularity is not a concern. We are removing plenty of programs from the repositories, regardless of their popularity, because they have tangible, provable freedom issues. telegram-desktop does not, and thus is not removed.

#31

Updated by bill-auger 2 months ago

I said already, package is included because of popularity, without
insight into overall freedom issue.

this program was discussed shortly after it appeared, and RMS
permitted it, explicitly

And I said that Parabola developer gave me impression that I cannot
trust their decisions.

we do not, can not, and should not make such decisions for
ourselves - several FSDG distros distribute this program - we
really do not want each distro deciding for
themselves, what is libre and what is not - you are irritating an
old wound here, jean - we want the FSDG distros to respect the
FSDG, above the frivolous desires of users; and to escalate any
legitimate shared concerns to the FSDG work-group

if the FSF, RMS, or the FSDG work-group decide that this program
is unfit, we will remove it, and the others should too

it is not reasonable to expect one distro to blacklist some
software as non-free, which the others do not - in fact, it is
divisive and subversive - the parabola mission statement states
that parabola should never compete against any other libre
distro; so please do not ask us to do that

It is absolutely not logical that FSF promotes decentralization
and wants people to promote decentralization and then to endorse
distributions that carry software that is meant to connect to
centralized network.

to promote something, does not entail preventing people from
doing otherwise - promotion is a suggestion, not a command

every web browser is "meant to connect to centralized network" -
if that was not the case, most people would not use any web
browser, ever - in fact, that is the only reason why most people
own a PC - it is only a freedom concern when the server provides
SaaSS (computation which you could have done offline)

logical or not, we are not going to re-interpret the FSDG - if
you believe that the FSF is illogical, then convince them to
change the FSDG - that would have a much greater effect; because
the decision would be binding to all endorsed distros

#32

Updated by maddox 2 months ago

it is not reasonable to expect one distro to blacklist some
software as non-free, which the others do not - in fact, it is
divisive and subversive - the parabola mission statement states
that parabola should never compete against any other libre
distro; so please do not ask us to do that

Distros are separate group of developers and they need not have same
opinions in decision making process which package to include or not.

I understand you imagine some ideal scene, but there is no centralized
package list that distros should choose from, that is why it is not
so that distros act unified.

It is absolutely not logical that FSF promotes decentralization
and wants people to promote decentralization and then to endorse
distributions that carry software that is meant to connect to
centralized network.

to promote something, does not entail preventing people from
doing otherwise - promotion is a suggestion, not a command

That is the problem that I see, you have opinion you should be acting
on a command, like when it is written in the FSDG, instead of thinking
yourself. So far I know, Telegram was adopted because few users asked
for it. It was not adopted or disregarded because there was some
discussion about decentralized Internet, so that is not goal or
purpose in Parabola to promote decentralized Internet.

every web browser is "meant to connect to centralized network" -

Absolutely not. Internet is decentralized, it was designed to be
decentralized for the cold war purposes, so that parts of network
remain even under nuclear disasters.

I don't know how much of TCP/IP did you set yourself, I did that
several times. Even towns can have their own town-Internet on TCP/IP
and interact with the global Internet. Local area networks can be in
thousands of computers having their own information that global
Internet users cannot browse.

Browsers are designed to connect to any host, like example.com or
abc.com or gnu.org -- thus browsers interact with decentralized
Internet.

Telegram is designed to connect to Telegram servers. It promotes
centralized network, and that is the sole purpose of that package.

if that was not the case, most people would not use any web

Most people do not think themselves. They will move to direction where
the wind blows, that is why we are here as we are not really in the
group of most people.

browser, ever - in fact, that is the only reason why most people
own a PC - it is only a freedom concern when the server provides
SaaSS (computation which you could have done offline)

That is not only freedom concern, social interaction is maybe most
important part of human life, trading with it is freedom concern, not
necessarily software freedom. FSF support freedom related to computing
and networks, related to free and proprietary software but which may
be out of the scope of the four freedoms. Such freedoms that FSF
support are freedom from surveillance, freedom to have your own
communication without vendor lock-ins and without centralization.

You say Telegram is not included for popularity. Hypothetically, if I
would make now my own client software that communicates exclusively to
my own JL network, by using my proprietary API, and where there is no
server-side code, would that software be included or discriminated in
Parabola? It would not be popular, why would you include it?

#33

Updated by oaken-source 2 months ago

maddox wrote:

You say Telegram is not included for popularity. Hypothetically, if I
would make now my own client software that communicates exclusively to
my own JL network, by using my proprietary API, and where there is no
server-side code, would that software be included or discriminated in
Parabola? It would not be popular, why would you include it?

you misunderstand my point. packages are of course considered for packaging both by us and by upstream arch based on their popularity. but blacklisting decisions are not influenced by popularity. we don't discriminate between popular and unpopular packages when evaluating freedom issues, which is why popular programs with freedom issues are necessarily excluded, but unpopular programs are not necessarily included, unless there are specific reasons to do so (such as a desire to make them more popular / easier to access).

#34

Updated by bill-auger 2 months ago

instead of thinking
yourself. So far I know, Telegram was adopted because few users asked
for it. It was not adopted or disregarded because there was some
discussion about decentralized Internet

you are very wrong about that

no parabola users asked for it; and it was not "adopted" - it
entered the system from arch - some users asked us to look at
it; and i argued strongly to remove it, for exactly the same
reasons you are now

if it will help you to stop putting words in my mouth, i will
re-post one paragraph from it - re-reading it, i was surprised
myself, at how much i agreed with you - but my opinion was
over-ridden by others, who wanted to keep it; and RMS confirmed
that we could keep it

this was my opinion - from
https://lists.nongnu.org/archive/html/gnu-linux-libre/2018-08/msg00008.html

i can only speak with direct experience of parabola; but i can
say that parabola removes anything that so much as smells of
proprietary, trade-marked, or encourages the use of proprietary
network services - that is not strictly required by the FSDG
though, it is done more for those "philosophical" reasons

you raised the issue on the FSDG mailing list now - that is
the appropriate venue to discuss it - this ticket was closed by
an admin - please refrain from adding anything else to this
ticket - several people are becoming annoyed by it
