Audacity has new administration

Audacity has new administration

[Bone Baboon]

# Contents

* Audacity's new administration
* Controversial Changes to Audacity
* Audacity Forks
* Guix and Audacity

# Audacity's new administration

Audacity has new administration.  Based on these announcements Audacity
is now part of Muse Group.

May 3 2021 this announcement was made on Audacity's website
<https://www.audacityteam.org/audacity-musescore-announcement/>

April 30 2021 this announcement was made by the new lead of audacity:

Invidious link
<https://invidious.silkky.cloud/watch?v=RMWNvwLiXIQ>
YouTube link
<https://www.youtube.com/watch?v=RMWNvwLiXIQ>

# Controversial Changes to Audacity

Muse Group has made several controversial changes to Audacity.

Three controversial changes were:

* The introduction of telemetry
  <https://github.com/audacity/audacity/pull/835>
  <https://github.com/audacity/audacity/discussions/889>

* The introduction of a contributor license agreement
  <https://github.com/audacity/audacity/discussions/932>

* A new privacy policy
  <https://github.com/audacity/audacity/issues/1213>
  <https://github.com/audacity/audacity/issues/1236>
  <https://github.com/audacity/audacity/issues/1232>
  <https://github.com/audacity/audacity/discussions/1225>

The introduction of telemetry has been discussed here
<https://lists.gnu.org/archive/html/guix-devel/2021-05/msg00246.html>.

# Audacity Forks

The controversial changes to Audacity by Muse Group has motivated
several Audacity forks.

One example of a fork is <https://github.com/tenacityteam/tenacity>.
That fork gives this rational for it's existence
<https://github.com/tenacityteam/tenacity#why-did-this-project-fork-audacityaudacity>.
Which includes some of the links in the to the Controversial Changes to
Audacity section above.

It is probably to early to tell which if any of the Audacity forks are
going to be maintained over an extended period of time.

# Guix and Audacity

Guix packages the 2.4.2 version of Audacity.

Looking at /gnu/packages/audio.scm the source code repository Guix uses
for audacity is <https://github.com/audacity/audacity> which is now
controlled by Muse Group.

Based on Audacity release information
<https://wiki.audacityteam.org/wiki/Category:Release_Notes> version
2.4.2 was released on 26 June 2020.  This is before Muse Group acquired
administrative control of Audacity some time between April 30 2021 and
May 3 2021.  So no action is currently required by Guix in regards to
it's Audacity package.

The most current version of Audacity before Muse Group acquired
administrative control of Audacity was version 3.0.2 which released on
19 April 2021.

Before the next update of the version of Audacity that Guix packages it
would probably be a good idea to reassess the situation with Muse
Group's Audacity and the Audacity forks.

Re: Audacity has new administration

[Giovanni Biscuolo]

[-- Attachment #1: Type: text/plain, Size: 3005 bytes --]

Hello Bone Baboon,

thank you for pointing this facts but how many times do we have (I mean
me and you) to discuss about telemetry to be assured it's never enabled
by default in Guix... and if not that's a bug? :-)

Bone Baboon <bone.baboon@disroot.org> writes:

[...]

> # Audacity's new administration
>
> Audacity has new administration.  Based on these announcements Audacity
> is now part of Muse Group.
>
> May 3 2021 this announcement was made on Audacity's website
> <https://www.audacityteam.org/audacity-musescore-announcement/>

This is "old news" and this should not be an issue by itself.

[...]

> * The introduction of telemetry
>   <https://github.com/audacity/audacity/pull/835>

Already discussed, see below

[...]

> * The introduction of a contributor license agreement
>   <https://github.com/audacity/audacity/discussions/932>

Can I say that's not a Guix problem? :-)

AFAIU The Muse Group intentions are that Audacity it's going to be
GPLv3+, that's even better than GPLv2... good luck Muse Group!

> * A new privacy policy

That's relevant only for people using telemetry (off by default); AFAIU
privacy policies are not covered by FSDG: am I wrong?

[...]

> The introduction of telemetry has been discussed here
> <https://lists.gnu.org/archive/html/guix-devel/2021-05/msg00246.html>.

As you say, we already had recent discussions about telemetry:

- https://yhetil.org/guix-devel/875yzme70r.fsf@disroot.org/
  «Free software telemetry and the Guix System»

  in particurar Mark H Weaver reply
  https://yhetil.org/guix-devel/87sg2pjib3.fsf@netris.org/

  "Telemetry is strictly optional and disabled by default."

- https://yhetil.org/guix-devel/87fsxm7s69.fsf@disroot.org/
  «Telemetry on by default kitty»

  il particurar the fact that there is general consensus among Guix
  maintainers that phoning home should be disabled by default in all
  FSDG compliant packages

I'm not following discussions on GitHub on telemetry but AFAIU the
situation has not changed since we had the above mentioned discussions:
am I wrong?

In general, we can take as granted that if we find a package in Guix
with telemetry enabled by default we can consider it a bug a file a
proper bug report so it can be fixed if possible or the package removed
if not.

> # Audacity Forks

[...]

> It is probably to early to tell which if any of the Audacity forks are
> going to be maintained over an extended period of time.
>
> # Guix and Audacity

[...]

> Before the next update of the version of Audacity that Guix packages
> it would probably be a good idea to reassess the situation with Muse
> Group's Audacity and the Audacity forks.

I think the situation it's already clear enough to agree there is no
issue with the introduction of optional telemetry in Aucacity in
particular and with telemetry in Guix in general.

Happy hacking! Gio'

-- 
Giovanni Biscuolo

Xelera IT Infrastructures

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 849 bytes --]

Re: Audacity has new administration

[Leo Prikler]

Hello Giovanni,

overall you make a great summary, there's just some points I wish to
add as I'm also following the drama around audacity.

Am Montag, den 12.07.2021, 10:37 +0200 schrieb Giovanni Biscuolo:
> Can I say that's not a Guix problem? :-)
> 
> AFAIU The Muse Group intentions are that Audacity it's going to be
> GPLv3+, that's even better than GPLv2... good luck Muse Group!
W.r.t. licensing there are some concerns raised about a CLA, that would
enable the Muse Group to reuse all the code (whether GPLv2+ or GPLv3+)
under any license of their choosing, including making it proprietary. 
Perhaps that's not their intent, but it's bad optics either way.


> > * A new privacy policy
> 
> That's relevant only for people using telemetry (off by default);
> AFAIU
> privacy policies are not covered by FSDG: am I wrong?
> 
> [...]
The privacy policy could potentially violate some of the software
freedoms (particularly freedom 0), but it's unclear whether it would
apply to the telemetry-free Guix builds, since the issue here is
compliance between the telemetry and the GDPR.


> [...]
> 
> # Audacity Forks
> 
> [...]
> 
> > It is probably to early to tell which if any of the Audacity forks
> > are
> > going to be maintained over an extended period of time.
> > 
> > # Guix and Audacity
> 
> [...]
> 
> > Before the next update of the version of Audacity that Guix
> > packages
> > it would probably be a good idea to reassess the situation with
> > Muse
> > Group's Audacity and the Audacity forks.
Please bear in mind, that this is not a mutual exclusion.  We can
package Audacity up to 3.0.2 without problems and perhaps also later
versions with telemetry disabled (assuming everything else about this
hypothetical 3.0.3 is fine).  We can also package forks like tenacity
next to it, similar to how we have both glimpse and GIMP.

Regards,
Leo

Re: Audacity has new administration

[Bone Baboon]

Bone Baboon writes:
> * A new privacy policy
>   <https://github.com/audacity/audacity/issues/1213>
>   <https://github.com/audacity/audacity/issues/1236>
>   <https://github.com/audacity/audacity/issues/1232>
>   <https://github.com/audacity/audacity/discussions/1225>

My initial message in this email tread did not clearly communicate what
the issues with Muse Group's new privacy policy for Audacity are.

The two main issues are the on by default telemetry and that Audacity
can no longer be used for any purpose contradicting freedom 0.

# On by default telemetry

On by default telemetry is being introduced to Audacity.  This does not
comply with the No Malware section of the FSDG.
<https://www.gnu.org/distros/free-system-distribution-guidelines.html>

The on by default telemetry collects IP address information, system
information and Audacity version information.
<https://github.com/audacity/audacity/discussions/1225#discussioncomment-967178>
<https://github.com/audacity/audacity/discussions/1225#discussioncomment-966782>
<https://www.audacityteam.org/about/desktop-privacy-notice/>

# Freedom 0

Audacity can no longer be used for any purpose.  Section 3 of the Muse
Group's new privacy policy for Audacity
<https://www.audacityteam.org/about/desktop-privacy-notice/> says:

> 3 Minors
>
> 1 The App we provide is not intended for individuals below the age
> of 13. If you are under 13 years old, please do not use the App.

This age restriction contradicts freedom 0.
<http://www.gnu.org/philosophy/free-sw.en.html>

> The freedom to run the program as you wish, for any purpose
> (freedom 0).

This age restriction also contradicts Audacity's license which is the
GPL version 2
<https://github.com/audacity/audacity/blob/master/LICENSE.txt> 
says:

> The act of running the Program is not restricted

Re: Audacity has new administration

[Bone Baboon]

Giovanni Biscuolo writes:
>> * A new privacy policy
>
> That's relevant only for people using telemetry (off by default); AFAIU
> privacy policies are not covered by FSDG: am I wrong?

Muse Group's new privacy policy for Audacity has added telemetry on by
default.  For more details see:
<https://lists.gnu.org/archive/html/guix-devel/2021-07/msg00083.html>

> I'm not following discussions on GitHub on telemetry but AFAIU the
> situation has not changed since we had the above mentioned discussions:
> am I wrong?

When telemetry in Audacity was discussed previously here
<https://lists.gnu.org/archive/html/guix-devel/2021-05/msg00246.html>
Muse Group's telemetry policy for Audacity was that the telemetry be off
by default.  However Muse Group's new privacy policy introduces on by
default telemetry.

For more details see:
<https://lists.gnu.org/archive/html/guix-devel/2021-07/msg00083.html>

> In general, we can take as granted that if we find a package in Guix
> with telemetry enabled by default we can consider it a bug a file a
> proper bug report so it can be fixed if possible or the package removed
> if not.

Guix's current package of Audacity does not have telemetry on by
default.

Muse Group is aware of the issue of telemetry on by default and it
appears that they are going to proceed with telemetry on by default in
future versions of Audacity.

>> # Guix and Audacity
>>
>> Before the next update of the version of Audacity that Guix packages
>> it would probably be a good idea to reassess the situation with Muse
>> Group's Audacity and the Audacity forks.
>
> I think the situation it's already clear enough to agree there is no
> issue with the introduction of optional telemetry in Aucacity in
> particular

Muse Group's new privacy policy for Audacity has added telemetry on by
default and an age restriction that contradicts freedom 0 and Audacity's
GPL version 2 license.  For more details see:
<https://lists.gnu.org/archive/html/guix-devel/2021-07/msg00083.html>

Re: Audacity has new administration

[Giovanni Biscuolo]

[-- Attachment #1: Type: text/plain, Size: 2088 bytes --]

Hi Bone Baboon,

thank you for the further info!

Bone Baboon <bone.baboon@disroot.org> writes:

[...]

> # On by default telemetry
>
> On by default telemetry is being introduced to Audacity.  This does not
> comply with the No Malware section of the FSDG.
> <https://www.gnu.org/distros/free-system-distribution-guidelines.html>

Will be possible to disable Audacity telemetry in our official Guix
package definition using a build flag or a patch?

AFAIK the answer is yes, this means Audacity Guix package can (easily)
be "transformed" to be FSDG compliant when (if?) telemetry will be set
opt-out upstream; if the answer will be no, we should remove the next
Audacity-with-undisableable-telemetry version.

[...]

> # Freedom 0
>
> Audacity can no longer be used for any purpose.  Section 3 of the Muse
> Group's new privacy policy for Audacity
> <https://www.audacityteam.org/about/desktop-privacy-notice/> says:

--8<---------------cut here---------------start------------->8---

The policy below is a DRAFT document.

It does not apply to any current Audacity release as these do not
include networking features.

--8<---------------cut here---------------end--------------->8---

it's still a draft and it does not apply to current release

>> 3 Minors
>>
>> 1 The App we provide is not intended for individuals below the age
>> of 13. If you are under 13 years old, please do not use the App.

I really don't know the rationale for that (draft) privacy notice, but -
although IANAL - I'm almost sure they can not add any sort of
restriction to run the program via some sort of "EULA-like" clauses like
a "Privacy Notice"... so let's see how the legal situation of Audacity
will evolve: I'm pretty confident they'll remove the above mentioned
article 3 (Minors) before the next release :-)

[...]

Anyway, as Leo P. correcly points out, Guix can provide both official
Audacity (with telemetry disabled by default) and any of it's coming
forks.

Happy hacking! Gio'

-- 
Giovanni Biscuolo

Xelera IT Infrastructures

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 849 bytes --]

Re: Audacity has new administration

[Ricardo Wurmus]

Giovanni Biscuolo <g@xelera.eu> writes:

> Hi Bone Baboon,
>
> thank you for the further info!
>
> Bone Baboon <bone.baboon@disroot.org> writes:
>
> [...]
>
>> # On by default telemetry
>>
>> On by default telemetry is being introduced to Audacity.  This 
>> does not
>> comply with the No Malware section of the FSDG.
>> <https://www.gnu.org/distros/free-system-distribution-guidelines.html>
>
> Will be possible to disable Audacity telemetry in our official 
> Guix
> package definition using a build flag or a patch?
>
> AFAIK the answer is yes, this means Audacity Guix package can 
> (easily)
> be "transformed" to be FSDG compliant when (if?) telemetry will 
> be set
> opt-out upstream; if the answer will be no, we should remove the 
> next
> Audacity-with-undisableable-telemetry version.

For reference, that’s what we do for Ardour, which has a benign 
up-to-date? check that is enabled by default and that we remove in 
a patch.  Oddly enough there was no big discussion about any of 
this, perhaps because disabling features like that is pretty 
common and has been done for decades in Debian.

-- 
Ricardo

Re: Audacity has new administration

[Mark H Weaver]

Hi,

Bone Baboon <bone.baboon@disroot.org> writes:

> My initial message in this email tread did not clearly communicate what
> the issues with Muse Group's new privacy policy for Audacity are.
>
> The two main issues are the on by default telemetry and that Audacity
> can no longer be used for any purpose contradicting freedom 0.
>
> # On by default telemetry
>
> On by default telemetry is being introduced to Audacity.  This does not
> comply with the No Malware section of the FSDG.
> <https://www.gnu.org/distros/free-system-distribution-guidelines.html>
>
> The on by default telemetry collects IP address information, system
> information and Audacity version information.
> <https://github.com/audacity/audacity/discussions/1225#discussioncomment-967178>
> <https://github.com/audacity/audacity/discussions/1225#discussioncomment-966782>
> <https://www.audacityteam.org/about/desktop-privacy-notice/>

Thanks for letting us know about this.  When the telemetry functionality
was first added a few months ago, they emphasized that it was disabled
by default.  Now it seems that they have changed their minds and intend
to enable some telemetry by default.

We'll need to keep an eye on this, to ensure that all telemetry is
disabled by default in Guix.

> # Freedom 0
>
> Audacity can no longer be used for any purpose.  Section 3 of the Muse
> Group's new privacy policy for Audacity
> <https://www.audacityteam.org/about/desktop-privacy-notice/> says:
>
>> 3 Minors
>>
>> 1 The App we provide is not intended for individuals below the age
>> of 13. If you are under 13 years old, please do not use the App.

I'm not a lawyer, but nonetheless I'm _highly_ confident that this
language in their (draft) privacy policy has no binding force.  By
publishing Audacity's source code under a free software license, they
have irrevocably granted the four freedoms to anyone who has a copy.
Any license that would allow the copyright owner(s) to restrict the four
freedoms is not a free software license.

Moreover, their privacy policy is irrelevant if they aren't able to
collect any information about us.  By disabling telemetry, we ensure
that their privacy policy is irrelevant to Guix users who do not
"opt-in".

Does that make sense?

    Regards,
      Mark

-- 
Disinformation flourishes because many people care deeply about injustice
but very few check the facts.  Ask me about <https://stallmansupport.org>.

Re: Audacity has new administration

[Chris Lemmer-Webber]

Mark H Weaver writes:

> Hi,
>
> Bone Baboon <bone.baboon@disroot.org> writes:
>
>> My initial message in this email tread did not clearly communicate what
>> the issues with Muse Group's new privacy policy for Audacity are.
>>
>> The two main issues are the on by default telemetry and that Audacity
>> can no longer be used for any purpose contradicting freedom 0.
>>
>> # On by default telemetry
>>
>> On by default telemetry is being introduced to Audacity.  This does not
>> comply with the No Malware section of the FSDG.
>> <https://www.gnu.org/distros/free-system-distribution-guidelines.html>
>>
>> The on by default telemetry collects IP address information, system
>> information and Audacity version information.
>> <https://github.com/audacity/audacity/discussions/1225#discussioncomment-967178>
>> <https://github.com/audacity/audacity/discussions/1225#discussioncomment-966782>
>> <https://www.audacityteam.org/about/desktop-privacy-notice/>
>
> Thanks for letting us know about this.  When the telemetry functionality
> was first added a few months ago, they emphasized that it was disabled
> by default.  Now it seems that they have changed their minds and intend
> to enable some telemetry by default.
>
> We'll need to keep an eye on this, to ensure that all telemetry is
> disabled by default in Guix.
>
>> # Freedom 0
>>
>> Audacity can no longer be used for any purpose.  Section 3 of the Muse
>> Group's new privacy policy for Audacity
>> <https://www.audacityteam.org/about/desktop-privacy-notice/> says:
>>
>>> 3 Minors
>>>
>>> 1 The App we provide is not intended for individuals below the age
>>> of 13. If you are under 13 years old, please do not use the App.
>
> I'm not a lawyer, but nonetheless I'm _highly_ confident that this
> language in their (draft) privacy policy has no binding force.  By
> publishing Audacity's source code under a free software license, they
> have irrevocably granted the four freedoms to anyone who has a copy.
> Any license that would allow the copyright owner(s) to restrict the four
> freedoms is not a free software license.
>
> Moreover, their privacy policy is irrelevant if they aren't able to
> collect any information about us.  By disabling telemetry, we ensure
> that their privacy policy is irrelevant to Guix users who do not
> "opt-in".

I think that seems right.  Also there's a fork of Audacity in progress
called "Tenacity", but it seems early days.  It might be worth
considering that.

I have to say that initially I was unsure how well to interpret the Muse
Group acquisition in terms of with good or bad faith... maybe these were
just blunders.  Well, I've been fully corrected of that by this recent
post:

  https://web.archive.org/web/20210719115639if_/https://github.com/Xmader/musescore-downloader/issues/5#issuecomment-882450335

Basically the person in charge of that takeover trying to perform an
aggressive takedown of a download tool, resorting to direct threats
about using an alleged copyright infringement to get someone to be
deported to their allged country of origin, and directly stating that
the person should consider that since they performed some actions of
political criticism against that country, they could be tortured or
killed if not complying with that takedown.

We should assume that the current copyright holder / maintainer is not
going to behave in a user freedom friendly way at all based on that
information.

 - Chris