Purism's PureOS To Explore OSTree/Flatpak, Wants To Develop An "Ethical App Store"

  • #31
    Originally posted by L_A_G View Post
    The fact that you had to talk about "unethical" app stores when the "full" GPL, which is pretty much Stallman's baby and the license of choice for his followers, is the only license known to have compatibility issues with app store licenses.



    You do know that "full" GPL is a pretty draconian license? There's been a lot of talk over the years about how it's incompatible with the Apple App Store license after VLC ran into issues with that, but that license works just fine with just about every other open source license, including the LGPL which VLC changed to (much to the chagrin of the Stallman types).



    You'd probably have a point if we were talking about a company with a genuinely dominant market position like Microsoft did in the 90s and early 2000s, but with iOS you know what you're getting into and you're pretty much spoiled for choice if you think this is unacceptable. Personally this is a big part of the reason why despite having used Apple laptops as my main mobile desktops for about a decade at this point, I've never owned an iPhone or iPad.

    My stance on matters like this is that as long as I'm not forced into something that I consider unacceptable, I'm still fine with it existing and other people being fine with it.
    So basically you are saying the GPL is the worst offender in existence because it is the only one available to legally ensure the freedom of users, and you think we should ask users to compromise their freedoms? Sounds like a road toward fascism.

    Comment


    • #32
      Originally posted by L_A_G View Post
      You do know that "full" GPL is a pretty draconian license? There's been a lot of talk over the years about how it's incompatible with the Apple App Store license after VLC ran into issues with that, but that license works just fine with just about every other open source license, including the LGPL which VLC changed to (much to the chagrin of the Stallman types).
      Let's be a clueless wonder. The issue with not shipping source is a problem for LGPL programs on the Apple store as well. If the person providing an LGPL program in the Apple store disappears and cannot meet the source supply requirement, the program, to be LGPL-compliant, would have to be deleted. Now if the app store hosted source, this would not happen. LGPL barely works with the Apple App Store license. There are many ways with the LGPL and Apache licenses where the Apple app store could end up infringing. This would all be prevented if, for licenses requiring source to be provided to customers, they provided a framework to provide source as well as binaries.

      Let's focus in on GPL and ignore all the other licenses that have a problem with the way Apple operates their app store. Please note it's not the only app store with the problem of not including a means to upload source with the binary application and not providing a way to provide source to end users. It's not really a complex requirement to host source and binaries instead of just hosting binaries.

      Comment


      • #33
        Originally posted by fuzz View Post
        So basically you are saying the GPL is the worst offender in existence because it is the only one available to legally ensure the freedom of users, and you think we should ask users to compromise their freedoms? Sounds like a road toward fascism.
        So was that supposed to be an extreme straw man, a slippery slope, both or just random words? Because I'm not sure how the hell you got from me talking about how it's a draconian license that really doesn't play well with other licenses that allow you to use someone else's code in your work but don't give you the right to publish it yourself without permission, to some "road toward fascism" or something...

        At least you spelled "fascism" correctly, because not everyone in the "everything I don't like is fascism"-crowd can do that, but that doesn't make your post any less loony.

        Originally posted by oiaohm View Post
        ...
        The LGPL really doesn't differ from the GPL in any actually important regard. If you don't publish your LGPL licensed code, you're in violation of the license and need to either publish or take it down. The app store is not a developer platform, so it's also really not the right place to be publishing sources for stuff; there are way better places for that like various Git services or self-hosting your repo. Adding dev features like Git integration to a service used almost entirely by people who couldn't program their way out of a paper bag, let alone compile a full application from source, is simply a waste of time.

        The reality is that not everyone is going to want to make all of the code they create available for anyone to use and modify for their own purposes, so a license that tries to force everyone into releasing everything they've made for others to freely use and modify is going to run into issues. There's this thing called "Being Pragmatic" which the GPL, its founder and his followers flat out reject by insisting this license be shoved into everything.

        No matter how many times you call people who don't want to try to force everyone into GPL and everything it entails a "fascist" or something similar, it doesn't make it so. Hell, with the way GPL pretty much forces you to accept it if you as much as touch anything licensed with it, it's easy to make the argument that it's all just a load of projecting going on when you call people fascists for preferring LGPL, Apache and BSD-style licenses.
        Last edited by L_A_G; 19 June 2018, 09:45 AM.

        Comment


        • #34
          Originally posted by oiaohm View Post

          I do support for the Wine project, winehq.org. I can state that this problem is normal. Just look at Wine Staging and many other items before it.

          People have a fairy-tale dream of open source. Being forked by maintainers and other people is unfortunately normal. Let's take Wine: we had distributions adding custom patches to Wine that the upstream project knew were totally broken in order to support PulseAudio. The only option to deal with this nightmare was to have people who could build and provide binaries directly. Wine had to change from the MIT license to the LGPL because CodeWeavers, who support Wine, were suffering from a commercial competitor taking Wine, modifying it and giving nothing back.

          So yes, if you start an open source project and don't want unfair usage of a GPL-protected work, expect to have to deal with https://www.softwarefreedom.org/ to have them send out DMCA takedown notices on binary forks being provided without source.

          Open source does not get you away from software theft.
          Not claiming it would, and I am not claiming GPL doesn't have its uses.

          Originally posted by oiaohm View Post
          The main objective of open source is that if the lead developer disappears or quits, someone else can pick it up. That is what has happened with gpsp. https://github.com/libretro/gpsp/

          The reality with open source is that spitting the dummy because someone forks the project is not going to change anything. Also, quitting with open source does not change much; all it means is that at least one of the forks takes over.

          If you are not willing to share maintainership with others, starting an open source project can be a really bad idea. Really, the first developer behind gpsp did not have a thick enough skin to be an open source development lead, and the fact that I see no other people added with maintainership rights means either the first developer was after too much control and unwilling to split the workload, or there was something else wrong in the community. It's more likely that the project in his eyes was his personal project, so he was unwilling to share.

          Really, instead of threatening to quit due to being forked, it would have been better to put up a notice for more developers with commit rights to develop faster.

          Also have a few support people like me, who don't code, whose job is to deal with the forums and other headaches. Splitting the workload should be the plan once an open source project gets a following...
          The point is that there are many reasons and different characters who are willing to spend A LOT of time on work that they are giving away FOR FREE, be it in binary or source form. It's their thing how they want to do that, and I am pretty sick of hearing again and again that MIT is not "freedom" as some forum trolls define it.
          GPL is the ultimate open-source drain (can use most OS licenses ).
          MIT/BSD is the ultimate open-source faucet (can be used by most OS licenses).

          As a developer (being a USER of stuff like compilers and libraries), it's clear which one is preferable to me.

          Comment


          • #35
            Originally posted by L_A_G View Post
            The LGPL really doesn't differ from the GPL in any actually important regard. If you don't publish your LGPL licensed code, you're in violation of the license and need to either publish or take it down. The app store is not a developer platform, so it's also really not the right place to be publishing sources for stuff; there are way better places for that like various Git services or self-hosting your repo. Adding dev features like Git integration to a service used almost entirely by people who couldn't program their way out of a paper bag, let alone compile a full application from source, is simply a waste of time.
            Still a clueless wonder. An app store is a distributor; they do in fact have legal obligations. Flathub and F-Droid are examples of app stores with source. Flathub is hidden from the general user unless they really go looking. Both take snapshots of the source they use and store it. Why? Because from the time the application is built to when it is got by users, the upstream repository could be no more. Neither Flathub nor F-Droid is running any legal risk.

            Also, having the exact copy of the source the program was meant to be built from, if tampering is suspected it is possible to rebuild from source and compare. Remember there have been infected Xcode and other things out there.

            Originally posted by L_A_G View Post
            The reality is that not everyone is going to want to make all of the code they create available for anyone to use and modify for their own purposes, so a license that tries to force everyone into releasing everything they've made for others to freely use and modify is going to run into issues. There's this thing called "Being Pragmatic" which the GPL, its founder and his followers flat out reject by insisting this license be shoved into everything.
            You don't drive a car without headlights; in most countries it's the law to have headlights. The license says provide source, so you should provide source. Who cares if 99.99 percent of users don't want it? You have done your legal obligation. This is the big problem: app stores are in fact being a distributor and not meeting their legal obligation as a distributor.


            Originally posted by L_A_G View Post
            Hell, with the way GPL pretty much forces you to accept it if you as much as touch anything licensed with it, it's easy to make the argument that it's all just a load of projecting going on when you call people fascists for preferring LGPL, Apache and BSD-style licenses.
            By the way, it's not only open source programs that have a requirement to provide extra files. You can have closed source programs required to provide documentation about licensed parts that does not have to be displayed inside the program.

            GPL is not the only thing that is viral; read your Microsoft Office academic license. Yes, everything you create using a Microsoft Office academic license is not meant to be used for commercial gain. Yes, there are closed source games where all mods fall under the game's license. In court, not reading a license does not mean you legally don't have to obey its terms.

            Comment


            • #36
              Originally posted by discordian View Post
              Not claiming it would, and I am not claiming GPL doesn't have its uses.

              I was talking about GPL because that is the license of the program you were talking about. Part of choosing GPL is accepting that at times you have to use legal means.

              Originally posted by discordian View Post
              The point is that there are many reasons and different characters who are willing to spend A LOT of time on work that they are giving away FOR FREE, be it in binary or source form. It's their thing how they want to do that, and I am pretty sick of hearing again and again that MIT is not "freedom" as some forum trolls define it.
              GPL is the ultimate open-source drain (can use most OS licenses ).
              MIT/BSD is the ultimate open-source faucet (can be used by most OS licenses).

              As a developer (being a USER of stuff like compilers and libraries), it's clear which one is preferable to me.
              MIT/BSD is in a lot of cases not that usable. MIT/BSD projects are commonly defended not by copyright but by patents. This is why, after all these years, the Khronos Group for OpenGL/Vulkan... is changing from the MIT to the Apache license as default due to patent issues; they have added a clause to be LGPL and GPL compatible for projects like Wine.

              This is the problem with commercials doing open source: they look at the licenses and work out how they can defend it. Very open copyright licenses like MIT/BSD end up defended by patents, restricted licenses like GPL end up defended by copyright, and those in the middle can end up defended by both copyright and patents.

              When you choose to use something licensed, you are choosing the kinds of legal action you may take or that may be taken against you. This applies to using open or closed source. Open source does not magically get you away from legal.

              Comment


              • #37
                Originally posted by oiaohm View Post
                Still a clueless wonder. An app store is a distributor; they do in fact have legal obligations. Flathub and F-Droid are examples of app stores with source. Flathub is hidden from the general user unless they really go looking. Both take snapshots of the source they use and store it. Why? Because from the time the application is built to when it is got by users, the upstream repository could be no more. Neither Flathub nor F-Droid is running any legal risk.
                The only problem with your comparison to those two niche alternative stores is that they're really not installed on anything out-of-the-box (like the App Store, Play Store or Windows Store), so the share of users actually interested in the source is actually non-insignificant, and they're on platforms where most of the UI code is proprietary and thus providing full source doesn't run afoul of "You can use this in your software but you don't get the right to re-distribute it" type licenses.

                Also, having the exact copy of the source the program was meant to be built from, if tampering is suspected it is possible to rebuild from source and compare. Remember there have been infected Xcode and other things out there.
                Do you think any significant number of people actually check that? Because they don't, and there have been plenty of times when open source repos have been infected. Also, with the signatures used by apps on the App Store you need to pilfer the developer's signature, and that signature can be revoked at any time by Apple, killing all instances of the infected application, rather than users having to all individually remove and replace the application with a non-infected copy.

                These are two different approaches that have their own strengths and weaknesses, but let's not act like open source isn't vulnerable to repos and binaries being tampered with as both of those have happened.

                You don't drive a car without headlights; in most countries it's the law to have headlights. The license says provide source, so you should provide source. Who cares if 99.99 percent of users don't want it? You have done your legal obligation. This is the big problem: app stores are in fact being a distributor and not meeting their legal obligation as a distributor.
                The fact that you compare very necessary road safety equipment, the lack of which can cause accidents with lethal outcomes, to something which is simply convenient, the lack of which at worst just annoys people, really goes to show how badly you've gone off the deep end. Most people just aren't interested in getting all of the source code, and apart from some very niche applications where proper code auditing is required or necessary, it's not even critical for those who are interested.

                Comment


                • #38
                  Originally posted by L_A_G View Post
                  Do you think any significant number of people actually check that? Because they don't, and there have been plenty of times when open source repos have been infected.
                  Really? Have you not noticed that both F-Droid and Flatpak use reproducible build systems?


                  The introduction of reproducible builds to distributions and open source app stores is because having developers build their own has led to infected binaries, different from the source, being uploaded. This does not require people to actually check; it's automated. Now if the malware is in the source it could be missed.

                  Originally posted by L_A_G View Post
                  Also, with the signatures used by apps on the App Store you need to pilfer the developer's signature, and that signature can be revoked at any time by Apple, killing all instances of the infected application, rather than users having to all individually remove and replace the application with a non-infected copy.
                  True, but this is also the same with open source app stores.

                  Originally posted by L_A_G View Post
                  These are two different approaches that have their own strengths and weaknesses, but let's not act like open source isn't vulnerable to repos and binaries being tampered with as both of those have happened.
                  This is ignoring that the system has evolved since then.

                  Comment


                  • #39
                    Originally posted by oiaohm View Post
                    The introduction of reproducible builds to distributions and open source app stores is because having developers build their own has led to infected binaries, different from the source, being uploaded. This does not require people to actually check; it's automated. Now if the malware is in the source it could be missed.
                    You do know that this is basically just a more complicated alternative to comparing the hash of the binary you've gotten to the one listed by the developer? There's a reason why most people who don't blindly trust binaries, who are a pretty tiny minority of users, just check that the hash matches up with what the developer has listed. If those two don't match up, you know something is not right.

                    True, but this is also the same with open source app stores.
                    Not to anywhere near the same extent as on app stores tied to proprietary OSs. Try to remember that iOS (and macOS, if you don't go through a really annoying process) will check that an application's developer signature is valid before it'll allow it to be installed or updated, and will continue to check that this signature is valid every time the application is started if there's a working internet connection.

                    This is ignoring that the system has evolved since then.
                    As I said already, there have been instances when even the source code at the main repo has been infected with malicious code, and what you brought up only works on infected binaries, which proprietary app stores handle more effectively by requiring attackers to not only get access to their victims' accounts, but also steal code signatures from their personal development machines.

                    Comment


                    • #40
                      Originally posted by L_A_G View Post
                      You do know that this is basically just a more complicated alternative to comparing the hash of the binary you've gotten to the one listed by the developer? There's a reason why most people who don't blindly trust binaries, who are a pretty tiny minority of users, just check that the hash matches up with what the developer has listed. If those two don't match up, you know something is not right.
                      Doing a source-to-binary check for those running app stores, and even running tools on it to detect bad code, is a lot more effective than trying to scan binaries. The Google app store shows this all the time.

                      Originally posted by L_A_G View Post
                      Not to anywhere near the same extent as on app stores tied to proprietary OSs. Try to remember that iOS (and macOS, if you don't go through a really annoying process) will check that an application's developer signature is valid before it'll allow it to be installed or updated, and will continue to check that this signature is valid every time the application is started if there's a working internet connection.
                      Most of the open source app stores don't insist on checking signatures against the internet. There is a repository key in all the open source ones. On update, applications are checked to see if they are still listed. APK usage by F-Droid sees the signing check done against a local GPG key; OSTree, used by Flatpak, is signed throughout. Yes, key checking does happen as part of OSTree before programs run. There is very little difference here.

                      Originally posted by L_A_G View Post
                      As I said already, there have been instances when even the source code at the main repo has been infected with malicious code, and what you brought up only works on infected binaries, which proprietary app stores handle more effectively by requiring attackers to not only get access to their victims' accounts, but also steal code signatures from their personal development machines.
                      Really, infected binaries with clean source have happened in the Google and Apple app stores due to infected build tools. This is why Apple and Google have to run so much binary application scanning and still fail to get it all.

                      You have not used F-Droid, have you? It warns you about programs using suspect code. In fact, items on F-Droid will have a huge warning due to bad code that you can install from Google Play without issue. Google only has the binary to look at and cannot run source code lint tools. In fact, if stuff is bad enough, when you update, F-Droid will uninstall it. Yes, some open source programs have been pulled from F-Droid while still being in Google Play. Yes, built from exactly the same source, yet one is rejected by F-Droid and the other is accepted by Google Play. Not having the source also ties the hands of the app store's ability to audit what they are providing.

                      Reproducible builds close down the attack path against only binaries, like infected compilers, so that the source code has to be modified. Source lint tools can scan for a lot; in fact, a lot more than Google's and Apple's automated tools can. Of course this is not absolutely perfect.

                      Also, modern stored source code is not as simple as you would first think.

                      When you do reproducible builds, part of a lint can be checking the GPG keys used on the source. So what you talk about at the binary level can be done at the source level with even more detail, like whether every patch is signed by multiple people. Some projects, due to operational design, should have that be the case. Does the end user need to see these audits? No. Having the source, open source app stores can do this form of auditing.

                      Comment
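The two checks argued over in #39 and #40 side by side, as an added example that is not part of the thread and not code from F-Droid, Flathub or any other store. The first function is the "compare the hash to the one the developer listed" check from #39; the second is what a store holding a snapshot of the source can automate: rebuild deterministically and, on a mismatch, locate which member of the package changed. Everything here is constructed: a zip archive stands in for an APK or Flatpak bundle, the "infected build tool" is simulated by appending bytes to one library, and the developer's published digest is taken from the artifact they uploaded (as it would be if their own build machine was compromised).

```python
"""Added example (not from the forum thread or any store's code): verify a
distributed artifact against a reproducible rebuild from the same source."""
import hashlib
import hmac
import io
import zipfile

# Fixed timestamp for archive entries. A real reproducible build derives this
# from SOURCE_DATE_EPOCH instead of "now"; otherwise two honest builds differ.
FIXED_DATE_TIME = (2018, 6, 19, 0, 0, 0)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_archive(files: dict, date_time=FIXED_DATE_TIME) -> bytes:
    """Deterministically pack {path: bytes} into a zip: sorted member order,
    fixed timestamps, fixed permissions, fixed compression method."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path in sorted(files):
            info = zipfile.ZipInfo(path, date_time=date_time)
            info.compress_type = zipfile.ZIP_DEFLATED
            info.external_attr = 0o644 << 16
            zf.writestr(info, files[path])
    return buf.getvalue()


def verify_published_digest(artifact: bytes, published_hex: str) -> bool:
    """Check 1: the hash-on-the-download-page check. Only tells you the file
    is the one the developer uploaded, not that it came from the source."""
    return hmac.compare_digest(sha256_hex(artifact), published_hex.lower())


def member_digests(archive: bytes) -> dict:
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return {name: sha256_hex(zf.read(name)) for name in zf.namelist()}


def compare_rebuild(distributed: bytes, rebuilt: bytes) -> dict:
    """Check 2: compare the distributed artifact against a rebuild from the
    archived source; on mismatch, report which members differ."""
    if sha256_hex(distributed) == sha256_hex(rebuilt):
        return {"identical": True, "changed": [],
                "only_in_distributed": [], "only_in_rebuilt": []}
    d, r = member_digests(distributed), member_digests(rebuilt)
    return {
        "identical": False,
        "changed": sorted(n for n in d.keys() & r.keys() if d[n] != r[n]),
        "only_in_distributed": sorted(d.keys() - r.keys()),
        "only_in_rebuilt": sorted(r.keys() - d.keys()),
    }


# Constructed sample data (not real binaries): what the store's rebuild of the
# archived source produces, and what a compromised toolchain produced instead.
SOURCE_BUILD_OUTPUT = {
    "app/main.bin": b"\x7fELF stand-in: main program bytes",
    "app/lib/helper.so": b"\x7fELF stand-in: helper library bytes",
    "app/assets/strings.txt": b"hello\n",
}
REBUILT = build_archive(SOURCE_BUILD_OUTPUT)
TAMPERED_OUTPUT = dict(SOURCE_BUILD_OUTPUT)
TAMPERED_OUTPUT["app/lib/helper.so"] += b"\x90\x90 injected by infected build tool"
DISTRIBUTED = build_archive(TAMPERED_OUTPUT)
# The developer publishes the digest of what they uploaded, tampering included.
DEVELOPER_PUBLISHED_SHA256 = sha256_hex(DISTRIBUTED)


def demo() -> dict:
    report = compare_rebuild(DISTRIBUTED, REBUILT)
    report["published_digest_matches"] = verify_published_digest(
        DISTRIBUTED, DEVELOPER_PUBLISHED_SHA256)
    return report


if __name__ == "__main__":
    print(demo())
```

With these inputs the published-digest check passes while the rebuild check fails and names `app/lib/helper.so`, which is the gap the thread is about: a hash listed by the developer proves only that the download is what the developer uploaded. Building the same file set with a different `date_time` also changes the archive bytes, which is why stores that rebuild must pin timestamps and ordering before a comparison means anything.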
