Weakness Observatory

Jan. 17, 2021 [technology] [libre]

I do a lot of chest beating here championing free software for its successes, but let's take a look at some areas where free software has met with failure.

Application Aware Firewalling

The firewall situation on libre operating systems is developing. End users have been able to opt for tools such as firewalld or (g)ufw, or to go directly through iptables or nftables. But these are what I call whack-a-mole firewalls. They match connections by port, address and protocol (at best by the owning user, via the owner match) and are otherwise completely application blind: nothing in a rule can say which executable opened the socket. This leaves users constantly playing whack-a-mole to find which connections are trying to go outbound, opening those ports one by one and praying that only the intended application will ever use them. Desktop users run a multitude of applications which may reach out over the network, sometimes unsolicited or over dynamic port ranges. Opening port 443 for the web browser also lets every other application on the machine connect on port 443, with no way to discriminate between them.

It has taken all too long for free and open OSes, often praised for their handling of security and privacy, to devise a proper application aware firewall solution. And we now seem to have a winner:

OpenSnitch: was a one-man show for some time until development halted. It was eventually picked back up by another author and has since begun to reach maturity. OpenSnitch is rapidly shaping up to become the uMatrix for your entire OS: each outbound connection is attributed to the process that made it and then prompted for, or matched against a per-application rule. And it is now widely available in distro repositories, beating the others to the punch!

Douane: ignore. It lost the race against OpenSnitch. It predates OpenSnitch but remains unavailable in any distro repository that I am aware of; one must build it oneself in order to install it. Run at your own risk.

LAF, Linux Application Firewall: this absolute disgrace of a dead project (no commits since June 2020) lost the race against OpenSnitch. Slow clap for Dr. Peter Maynard. At least its non-existent contributors had a code of conduct to follow. Started in May 2020 as a one-man show; its code of conduct contains more lines than the actual program. Update Q1 2023: the LAF repository has still not received any commits since June 2020. I am declaring LAF a dead project.

The prognosis: I will be covering OpenSnitch in greater depth at some point. The losers will eventually be removed from this page.
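The whole difference between the whack-a-mole firewalls above and an application aware one is the step from "a connection" to "this executable made it". Below is an added example (my own illustration, not OpenSnitch's code) of that step on Linux: it parses a /proc/net/tcp snapshot, resolves each socket inode to its owning process through the /proc/<pid>/fd symlinks, and evaluates two rule sets against the result, a port-only rule of the kind nftables can express and a per-executable rule. The /proc/net/tcp lines, the fake /proc tree it builds under a temp directory, and the hypothetical /opt/vendor/updater binary are all constructed so the script runs offline; on a live host read the real /proc/net/tcp and pass proc_root="/proc" (as root, or you will only see your own processes).

```python
"""Attribute outbound TCP connections to the executable that owns them, then apply
per-application rules.  Added illustration, not OpenSnitch's code: the /proc/net/tcp
snapshot, the fake /proc tree and '/opt/vendor/updater' are constructed."""
import os
import tempfile
from collections import namedtuple

# state: 0x01 ESTABLISHED, 0x02 SYN_SENT, ...; uid: all iptables' owner match can see;
# inode: the socket inode, the only key that links a connection to a process.
Conn = namedtuple("Conn", "local remote state uid inode")


def decode_addr(field):
    """'0A01A8C0:C822' -> ('192.168.1.10', 51234); the IPv4 half is little-endian hex."""
    hexip, hexport = field.split(":")
    octets = [str(int(hexip[i:i + 2], 16)) for i in (6, 4, 2, 0)]
    return ".".join(octets), int(hexport, 16)


def parse_proc_net_tcp(text):
    """Parse the /proc/net/tcp table; the first line is the column header."""
    conns = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10:
            continue
        conns.append(Conn(decode_addr(f[1]), decode_addr(f[2]),
                          int(f[3], 16), int(f[7]), int(f[9])))
    return conns


def socket_owners(proc_root):
    """Map socket inode -> (pid, exe) via /proc/<pid>/fd/* links (root sees all users)."""
    owners = {}
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            exe = os.readlink(os.path.join(proc_root, pid, "exe"))
            fds = os.listdir(fd_dir)
        except OSError:  # process exited, or not ours to inspect
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if target.startswith("socket:["):
                owners[int(target[8:-1])] = (int(pid), exe)
    return owners


# Rule = (executable or "*", destination port or "*", verdict); first match wins.
PORT_ONLY_RULES = [("*", 443, "allow")]  # the most a port-based firewall can express
APP_AWARE_RULES = [("/usr/lib/firefox/firefox", 443, "allow")]


def verdict(conn, owners, rules):
    """Return (verdict, exe) for one connection under a rule set; default deny."""
    _pid, exe = owners.get(conn.inode, (None, "<unknown>"))
    for rule_exe, rule_port, action in rules:
        if rule_exe in ("*", exe) and rule_port in ("*", conn.remote[1]):
            return action, exe
    return "deny", exe


def decide_all(tcp_text, proc_root, rules):
    """Verdict for every connection in the table, keyed by socket inode."""
    owners = socket_owners(proc_root)
    return {c.inode: verdict(c, owners, rules) for c in parse_proc_net_tcp(tcp_text)}


# Constructed /proc/net/tcp: two ESTABLISHED (st=01) sockets to 93.184.216.34:443,
# both uid 1000, so even a per-user rule could not tell them apart.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0A01A8C0:C822 22D8B85D:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 20 4 30 10 -1
   1: 0A01A8C0:C823 22D8B85D:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 12346 1 0000000000000000 20 4 30 10 -1
"""


def build_fake_proc():
    """Constructed /proc: firefox (pid 4242) and a hypothetical updater (pid 4343)."""
    root = tempfile.mkdtemp()
    for pid, exe, inode in ((4242, "/usr/lib/firefox/firefox", 12345),
                            (4343, "/opt/vendor/updater", 12346)):
        fd_dir = os.path.join(root, str(pid), "fd")
        os.makedirs(fd_dir)
        os.symlink(exe, os.path.join(root, str(pid), "exe"))
        os.symlink(f"socket:[{inode}]", os.path.join(fd_dir, "5"))
    return root


if __name__ == "__main__":
    proc = build_fake_proc()
    for name, rules in (("port-only", PORT_ONLY_RULES), ("app-aware", APP_AWARE_RULES)):
        for inode, (action, exe) in decide_all(SAMPLE_TCP, proc, rules).items():
            print(f"{name:9} inode {inode} {exe:26} {action}")
```

Under the port-only rule both sockets to 93.184.216.34:443 are allowed, because the rule has no column for the executable; under the per-executable rule the updater is denied while the browser goes through. The uid column is the one thing the owner match could add, and here it is 1000 for both. A real application firewall does this lookup at the moment of connect(), from a netfilter queue or an eBPF hook, so the verdict lands before the first packet leaves; polling the table after the fact, as this script does, is only good for observation.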

HiDPI Scaling

Resolutions exceeding full HD are actually not in terribly bad shape, as most desktop environments have implemented DPI scaling. In my experience, this scaling extends to anything using Qt and GTK. Problems remain, however, for individual programs. Any fixed-size icon in an interface will be drawn at roughly a quarter of the area (half the width and height) it was designed for on a 4K display. Form boxes and text in fields can sometimes be cut off or shifted out of view.

Games have also been slow on the uptake. In many free games it is possible to set the resolution to 2560x1440 or 3840x2160, but the actual FoV and in-game UI may remain at 1920x1080 scale. Despite the DE-wide scaling, it is clear that the teams behind these individual projects would need to adjust their UI options for high-resolution displays. This invariably means that some programs may simply never play nicely on your new ultrawide 4K monitor.

Video Calling

2020 has drawn a lot of attention to this shortcoming, which may end up being a positive thing, as video chat and video conferencing have traditionally been a weak area for free software. The best contenders we seem to have at the moment are:

  1. Tox: works well; I have actually not found any technical issues with it, but good luck getting friends, acquaintances and family to try it. P2P may be a limiting factor in holding a video conference with many peers, depending on bandwidth.

  2. Jami: formerly Ring. All users must be on the same release version; I have run into forward/backward compatibility problems in my testing. Otherwise it is fine, except for the same possibility of P2P scaling limitations mentioned above for Tox. UPDATE 2023: now implements swarm messaging so that offline users will still receive messages once they return.

  3. Telegram: as of September 2020, they have implemented one-to-one video chat as an alpha feature. I have not tried it; Telegram demands a phone number and relies on a third-party man in the middle. Telegram cannot be self-hosted.

  4. Jitsi: worked well once when I tried it in the past, but it seems to have been removed from distribution repositories (fell out of development?). The Jitsi site seems to indicate that it is now just a web application.

  5. XMPP (protocol): statuses and invitations were a bit slow to update, but I was pleasantly surprised by the call quality. The only drawbacks I see are that laypersons may struggle to conceptualize creating accounts on different servers with varying clients, and that not all servers fully comply with XMPP standards. I would be extra careful introducing colleagues to this. Maybe use the analogy of email.

A scattered offering, but these, as well as others I did not name, have been receiving some much-needed development attention in response to the events of 2020.