Purism's PureOS To Explore OSTree/Flatpak, Wants To Develop An "Ethical App Store"
Originally posted by L_A_G:
You do know that "full" GPL is a pretty draconian license? There's been a lot of talk over the years about how it's incompatible with the Apple App Store license after VLC ran into issues with that, but that license works just fine with just about every other open source license, including the LGPL which VLC changed to (much to the chagrin of the Stallman types).

Let's focus in on the GPL and ignore all the other licenses that have a problem with the way Apple operates their app store. Please note it's not the only app store with the problem of not including a means to upload source with the binary application and not providing a way to provide source to end users. It's not really a complex requirement to host source and binaries instead of just hosting binaries.
- Likes 2
Originally posted by fuzz:
So basically you are saying the GPL is the worst offender in existence because it is the only one available to legally ensure the freedom of users, and you think we should ask users to compromise their freedoms? Sounds like a road toward fascism.

At least you spelled "fascism" correctly, because not everyone in the "everything I don't like is fascism" crowd can do that, but that doesn't make your post any less loony.

Originally posted by oiaohm:
...

The reality is that not everyone is going to want to make all of the code they create available for anyone to use and modify for their own purposes, so a license that tries to force everyone into releasing everything they've made for others to freely use and modify is going to run into issues. There's this thing called "being pragmatic" which the GPL, its founder and his followers flat out reject by insisting this license be shoved into everything.

No matter how many times you call people who don't want to force everyone into the GPL and everything it entails a "fascist" or something similar, it doesn't make it so. Hell, with the way the GPL pretty much forces you to accept it if you so much as touch anything licensed with it, it's easy to make the argument that it's all just a load of projecting going on when you call people fascists for preferring LGPL, Apache and BSD-style licenses.

Last edited by L_A_G; 19 June 2018, 09:45 AM.
Originally posted by oiaohm:
I do support for the Wine project, winehq.org. I can state that this problem is normal. Just look at Wine Staging and many other items before it.
People have a fairly fairy-tale dream of open source. Being forked by maintainers and other people is unfortunately normal. Let's take Wine: we had distributions adding custom patches to Wine that the upstream project knew were totally broken, to support PulseAudio. The only option to deal with this nightmare was to have people who could build and provide binaries directly. Wine had to change from the MIT license to the LGPL because CodeWeavers, who support Wine, were suffering from a commercial competitor taking Wine, modifying it and giving nothing back.
So yes, if you start an open source project and you don't want unfair usage of a GPL-protected work, expect to have to deal with https://www.softwarefreedom.org/ to have them send out DMCA takedown notices on binary forks being provided without source.
Open source does not get you away from software theft.

Originally posted by oiaohm:
The main objective of open source is that if the lead developer disappears or quits, someone else can pick it up. This is what has happened with gpsp. https://github.com/libretro/gpsp/
The reality with open source is that spitting the dummy because someone forks the project is not going to change anything. Also, quitting with open source does not change much; all it means is that at least one of the forks takes over.
If you are not willing to share maintainership with others, starting an open source project can be a really bad idea. Really, the first developer behind gpsp did not have a thick enough skin to be an open source development lead, and the fact that I see no other people added with maintainership rights means either the first developer was after too much control and unwilling to split the workload, or there was something else wrong in the community. It's more likely that the project in his eyes was his personal project, so he was unwilling to share.
Really, instead of threatening to quit due to being forked, better would have been putting up a notice for more developers with commit rights to develop faster.
Also have a few support people like me who don't code, whose job is to deal with the forums and other headaches. Splitting the workload should be the plan once an open source project gets a following...

GPL is the ultimate open-source drain (can use most OS licenses).
MIT/BSD is the ultimate open-source faucet (can be used by most OS licenses).
As a developer (being a USER of stuff like compilers and libraries), it's clear which one is preferable to me.
Originally posted by L_A_G:
The LGPL really doesn't differ from the GPL in any actually important regard. If you don't publish your LGPL-licensed code, you're in violation of the license and need to either publish or take it down. The app store is not a developer platform, so it's also really not the right place to be publishing sources for stuff; there are way better places for that, like various Git services or self-hosting your repo. Adding dev features like Git integration to a service used almost entirely by people who couldn't program their way out of a paper bag, let alone compile a full application from source, is simply a waste of time.

Also, having the exact copy of the source the program was meant to be built from means that if tampering is suspected it is possible to rebuild from source and compare. Remember there have been infected Xcode and other things out there.

Originally posted by L_A_G:
The reality is that not everyone is going to want to make all of the code they create available for anyone to use and modify for their own purposes, so a license that tries to force everyone into releasing everything they've made for others to freely use and modify is going to run into issues. There's this thing called "being pragmatic" which the GPL, its founder and his followers flat out reject by insisting this license be shoved into everything.

Originally posted by L_A_G:
Hell, with the way the GPL pretty much forces you to accept it if you so much as touch anything licensed with it, it's easy to make the argument that it's all just a load of projecting going on when you call people fascists for preferring LGPL, Apache and BSD-style licenses.

The GPL is not the only thing that is viral; read your Microsoft Office academic license. Yes, everything you create using a Microsoft Office academic license is not meant to be used for commercial gain. Yes, there are closed source games where all mods fall under the game's license. In court, not reading a license does not mean you legally don't have to obey its terms.
Originally posted by discordian:
Not claiming it would, and I am not claiming the GPL doesn't have its uses.

I was talking about the GPL because that is the license of the program you were talking about. Part of choosing the GPL is accepting that at times you have to use legal.

Originally posted by discordian:
The point is that there are many reasons and different characters who are willing to spend A LOT of time on work that they are giving away FOR FREE, be it in binary or in source form. It's their thing how they want to do that, and I am pretty sick of hearing again and again that MIT is not "freedom" as some forum trolls define it.
GPL is the ultimate open-source drain (can use most OS licenses).
MIT/BSD is the ultimate open-source faucet (can be used by most OS licenses).
As a developer (being a USER of stuff like compilers and libraries), it's clear which one is preferable to me.

This is the problem: commercials doing open source look at the licenses and work out how they can defend them. Very open copyright licenses like MIT/BSD end up defended by patents, restricted licenses like the GPL end up defended by the copyright license, and those in the middle can end up defended by both copyright and patents.
When you choose to use something licensed, you are choosing the kinds of legal action you may take or that may be taken against you. This applies to use of open or closed source. Open source does not magically get you away from legal.
Originally posted by oiaohm:
Still a clueless wonder. An app store is a distributor; they do in fact have legal obligations. Flathub and F-Droid are examples of app stores with source. Flathub is hidden from the general user unless they really go looking. Both take snapshots of the source they use and store it. Why? Because from the time the application is built to when it is got by users, the upstream repository could be no more. Neither Flathub nor F-Droid is running any legal risk.
Also, having the exact copy of the source the program was meant to be built from means that if tampering is suspected it is possible to rebuild from source and compare. Remember there have been infected Xcode and other things out there.

These are two different approaches that have their own strengths and weaknesses, but let's not act like open source isn't vulnerable to repos and binaries being tampered with, as both of those have happened.

You don't drive a car without headlights; in most countries it's the law to have headlights. The license says provide source, so you should provide source. Who cares if 99.99 percent of users don't want it; you have done your legal obligation. This is the big problem: app stores are in fact being a distributor and not meeting their legal obligations as a distributor.
Originally posted by L_A_G:
Do you think any significant number of people actually check that? Because they don't, and there have been plenty of times when open source repos have been infected.

The introduction of reproducible builds to distributions and open source app stores is because having developers build their own has had infected binaries, different from the uploaded source, uploaded. This does not require people to actually check; it's automated. Now if the malware is in the source it could be missed.

Originally posted by L_A_G:
Also, with the signatures used by apps on the App Store you need to pilfer the developer's signature, and that signature can be revoked at any time by Apple, killing all instances of the infected application, rather than users having to all individually remove and replace the application with a non-infected copy.

Originally posted by L_A_G:
These are two different approaches that have their own strengths and weaknesses, but let's not act like open source isn't vulnerable to repos and binaries being tampered with, as both of those have happened.
Originally posted by oiaohm:
The introduction of reproducible builds to distributions and open source app stores is because having developers build their own has had infected binaries, different from the uploaded source, uploaded. This does not require people to actually check; it's automated. Now if the malware is in the source it could be missed.

True, but this is also the same with open source app stores.
This is ignoring that the system has evolved since then.
Originally posted by L_A_G:
You do know that this is basically just a more complicated alternative to comparing the hash of the binary you've gotten to the one listed by the developer. There's a reason why most people who don't blindly trust binaries, who are a pretty tiny minority of users, just check that the hash matches up with what the developer has listed. If those two don't match up, you know something is not right.

Originally posted by L_A_G:
Not to anywhere near the same extent as on app stores tied to proprietary OSs. Try to remember that iOS (and macOS if you don't go through a really annoying process) will check that an application's developer signature is valid before it'll allow it to be installed or updated, and will continue to check that this signature is valid every time the application is started if there's a working internet connection.

Originally posted by L_A_G:
As I said already, there have been instances when even the source code at the main repo has been infected with malicious code, and what you brought up only works on infected binaries, which proprietary app stores handle more effectively by requiring attackers to not only get access to their victims' accounts, but also steal code signatures from their personal development machines.

You have not used F-Droid, have you? It warns you about programs using suspect code. In fact, items F-Droid will put huge warnings on due to bad code you can install from Google Play without issue. Google only got the binary to look at and could not run source code lint tools. In fact, if stuff is bad enough, when you update F-Droid will uninstall stuff. Yes, some open source programs have been pulled from F-Droid while still being in Google Play. Yes, built from exactly the same source, yet one is rejected by F-Droid and the other is accepted by Google Play. Not having the source also ties the hands of the app store's ability to audit what they are providing.
Reproducible builds close down the attack path against only binaries, like infected compilers, so that the source code has to be modified. Source lint tools can scan for a lot, in fact a lot more than Google's and Apple's automated tools can. Of course this is not absolutely perfect.
Also, modern stored source code is not as simple as you would first think.
When you do reproducible builds, part of a lint can be checking the GPG keys used on the source. So what you talk about at the binary level can be done at the source level with even more detail, like whether every patch is signed by multiple people. For some projects, due to operational design, that should be the case. Does the end user need to see these audits? No. Having the source, open source app stores can do this form of auditing.
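The two checks argued over in this thread, comparing a downloaded binary's hash against the developer's listed hash and rebuilding from the stored source snapshot to see whether the result matches what was distributed, as an added Python example that is not part of the thread or of any project named in it. The build step is a toy gzip transformation standing in for a real compiler, and the source, the manifest and the "received" binaries are constructed inline; the tampered copy differs from the clean one by a single flipped bit.

```python
import gzip
import hashlib
import hmac

# Constructed sample "source" for a toy application (not a real project).
SOURCE = b'print("hello from a sample app")\n'


def build(source: bytes) -> bytes:
    """Toy stand-in for a compiler: a deterministic transformation of the source.

    gzip writes the current time into its header by default, so two builds of
    identical source would differ byte-for-byte; pinning mtime=0 removes that
    source of non-determinism (the same idea as SOURCE_DATE_EPOCH in real
    reproducible builds).
    """
    return gzip.compress(source, mtime=0)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_manifest(text: str) -> dict:
    """Parse sha256sum-style lines ('<hex digest>  <file name>') into a dict."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition("  ")
        digest = digest.lower()
        if not sep or not name or len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"malformed manifest line: {raw!r}")
        entries[name] = digest
    return entries


def verify_against_manifest(manifest: dict, artifacts: dict) -> dict:
    """Compare each manifest entry with the bytes actually received.

    Returns {name: "ok" | "mismatch" | "missing"}. compare_digest keeps the
    comparison time independent of where the hex digests first differ.
    """
    results = {}
    for name, expected in manifest.items():
        data = artifacts.get(name)
        if data is None:
            results[name] = "missing"
        elif hmac.compare_digest(sha256_hex(data), expected):
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return results


def rebuild_matches(source: bytes, distributed_binary: bytes) -> bool:
    """The reproducible-build check: rebuild from the stored source and compare."""
    return hmac.compare_digest(sha256_hex(build(source)), sha256_hex(distributed_binary))


# Constructed scenario: a clean build, a tampered copy, and a manifest listing three files.
GOOD_BINARY = build(SOURCE)
_tampered = bytearray(GOOD_BINARY)
_tampered[-1] ^= 0x01  # flip one bit; any downstream modification changes the digest
TAMPERED_BINARY = bytes(_tampered)

MANIFEST_TEXT = (
    "# constructed SHA256SUMS as a developer would publish it\n"
    f"{sha256_hex(GOOD_BINARY)}  app.bin\n"
    f"{sha256_hex(GOOD_BINARY)}  app-mirror.bin\n"
    f"{sha256_hex(GOOD_BINARY)}  lib.bin\n"
)

RECEIVED = {
    "app.bin": GOOD_BINARY,             # matches what the developer listed
    "app-mirror.bin": TAMPERED_BINARY,  # altered somewhere downstream
    # lib.bin never arrived
}


def run_checks() -> dict:
    """Run both checks over the constructed scenario and return the results."""
    manifest = parse_manifest(MANIFEST_TEXT)
    return {
        "manifest": verify_against_manifest(manifest, RECEIVED),
        "rebuild_good": rebuild_matches(SOURCE, GOOD_BINARY),
        "rebuild_tampered": rebuild_matches(SOURCE, TAMPERED_BINARY),
    }


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(f"{key}: {value}")
```

The manifest check only tells you that the bytes you received are the bytes the developer published; the rebuild check additionally ties those bytes to the stored source, which is what lets an app store that keeps source snapshots detect a binary that was produced from something other than the source it shows.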