
Grayjay Desktop App

(grayjay.app)
544 points pierrelf | 7 comments
lrvick No.42478077
I love the right to repair work Louis Rossmann does, and this project goal as a whole, but this license is a major step backwards for software distribution with high assurances of security, freedom and privacy.

Debian, Arch, Guix, F-droid or any other independent signed reproducible build channels require a true Open Source license to function legally.

The license thus forces users to download unsigned non-reproducible binaries off grayjay servers and trust blindly that their build server is creating binaries from exactly the published code and not compromised to inject tracking or malware not in the public repo (an increasingly common attack they may not even know about for years!). Or say the grayjay domain is hijacked or even a BGP attack or a LAN MITM. All sorts of ways they could be helping distribute malware and not know it with no signatures or reproducible build proofs.

Thing is, your team would not have to solve these problems if you licensed it so the community could solve them for you, as we do for thousands of open source software projects.

I really want to see a project like this take off and would gladly donate, but only if it can be opened up for accountability via third party compilation and distribution channels so it can never be backdoored or co-opted for surveillance if your leadership or release engineers are ever compromised.

Said license: https://github.com/futo-org/Grayjay.Desktop?tab=License-1-ov...

There are other licenses like AGPL that would kill any attempt for someone to rip your code off to make their own proprietary offering, without locking yourself out of established freedom, security, and privacy preserving software distribution channels.

If anyone from the team is reading this, I would be happy to detail and discuss my concerns further as a software supply chain security specialist. Hit me up.

replies(6): >>42479087 #>>42479200 #>>42479315 #>>42479424 #>>42479879 #>>42480938 #
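The check the comment above is asking for, as an added example that is not code from the original page or from the Grayjay/FUTO project: given the digest manifest a vendor publishes for a release (assumed here to be a SHA256SUMS-style file, one "<hex>  <filename>" per line) and a directory of artifacts rebuilt independently from the published source, report per artifact whether the rebuild reproduces the vendor's binary. A MISMATCH is exactly the signal a reproducible-build channel gives you that the shipped binary was not produced from the public code; an unsigned, non-reproducible download offers no equivalent. The file names, contents and the `demo` function are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare an independent rebuild against a vendor's
# published SHA256SUMS manifest. Not the Grayjay/FUTO project's own code.

# digest FILE -> hex SHA-256 (sha256sum on Linux, shasum on macOS/BSD)
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# check_reproducible MANIFEST REBUILD_DIR
# Prints one line per manifest entry (MATCH / MISMATCH / MISSING) and
# returns 0 only when every vendor artifact is reproduced bit-for-bit.
check_reproducible() {
    manifest="$1"
    rebuild_dir="$2"
    status=0
    while read -r expected name; do
        [ -z "$name" ] && continue            # skip blank lines
        rebuilt="$rebuild_dir/$name"
        if [ ! -f "$rebuilt" ]; then
            echo "MISSING   $name"            # rebuild did not produce it
            status=1
            continue
        fi
        actual=$(digest "$rebuilt")
        if [ "$actual" = "$expected" ]; then
            echo "MATCH     $name"
        else
            echo "MISMATCH  $name (vendor $expected, rebuilt $actual)"
            status=1
        fi
    done < "$manifest"
    return $status
}

# demo: constructed release with three artifacts. app.bin reproduces,
# plugin.bin differs by one byte (stand-in for an injected change at the
# vendor's build server), README is never produced by the rebuild.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/vendor" "$tmp/rebuild"
    printf 'app stub v1\n'   > "$tmp/vendor/app.bin"
    printf 'plugin stub\n'   > "$tmp/vendor/plugin.bin"
    printf 'readme\n'        > "$tmp/vendor/README"
    for f in app.bin plugin.bin README; do
        printf '%s  %s\n' "$(digest "$tmp/vendor/$f")" "$f"
    done > "$tmp/SHA256SUMS"
    cp "$tmp/vendor/app.bin" "$tmp/rebuild/app.bin"
    printf 'plugin stub!\n'  > "$tmp/rebuild/plugin.bin"
    check_reproducible "$tmp/SHA256SUMS" "$tmp/rebuild"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

demo
```

Usage against a real release is `check_reproducible SHA256SUMS ./my-rebuild`; the manifest itself must of course come over a channel you trust (a signed release or a third-party channel such as a distro package), since a server that can swap the binary can swap an unsigned manifest just as easily.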
apex_sloth No.42479424
As I understand it, GrayJay is not free (as in they want to be paid, which I think is reasonable). How does this work with something like AGPL?

I'm curious to hear more, because I'm in the process of evaluating licenses for a software I'm planning to build and sell. For me it's important that users can feel safe with running my code and build it themselves - and keep using the software if I'm no longer around to maintain it. Looking forward to hearing your thoughts.

replies(2): >>42480246 #>>42480257 #
1. akdev1l No.42480257
There’s literally nothing in any open source software license that stops the author from getting paid.

It is literally one of the fundamental freedoms mentioned by Richard Stallman. Freedom to sell the software.

AGPL just closes the cloud service loop where someone can take your code, modify it and deploy it and offer it as a cloud service. As they’re not technically “distributing” the modifications they wouldn’t be required to release their changes by regular GPL but they would by AGPL.

IANAL

replies(1): >>42481534 #
2. lurkshark No.42481534
This comes up occasionally and while it’s 100% true FOSS doesn’t mean you can’t get paid, any sufficiently big project is going to get folks repackaging it without the payment component.

A good example is for-sale Wordpress plugins. There are entire sites/communities for using the FOSS license to take those for-sale plugins and redistributing them for free. The RedHat debacle is another example although with some more nuance. Standard Notes had a similar situation.

It looks like the FUTO license is trying to prevent someone from stripping the payment features and redistributing. Personally I prefer when folks use a FOSS license but I think the “you can get paid for FOSS” argument is overly optimistic.

replies(1): >>42486438 #
3. lrvick No.42486438
As someone that runs a profitable FOSS business, you can indeed get paid well for FOSS. Just be better than the status quo by a lot. Thankfully it is a low bar.
replies(2): >>42486510 #>>42488199 #
4. apex_sloth No.42486510
Would you like to elaborate on how you run your FOSS business? What makes your approach different from the numerous companies that struggle with it?
5. lurkshark No.42488199
I took a look at your bio but after a glance (forgive me if I’m missing something obvious) it looks like you do consulting but I don’t see FOSS for sale. I’m curious what your project is if it’s something else, but if it’s consulting that makes sense. Consulting doesn’t really work for a lot of categories of software though. Like nobody is going to pay FUTO for consulting on following YouTubers.
replies(1): >>42491906 #
6. lrvick No.42491906
We sell support, customization, ensuring packages some people care about most are supported, etc.

Also some people just pay monthly to ensure we stay viable because we save them a lot of work trying to implement and maintain what we do themselves.

Look at all the content creators that make a living on patreon etc. If you give stuff away for free people value but also make it really easy to support you, often people do.

An example outside my projects is Octoprint. Last time the founder had donations public, she was pulling in like 5k/mo for one person just doing FOSS dev for something totally free no one needs consulting for.

Our own projects individually are not that profitable as they are much more niche, so consulting makes much more sense for us.

That said, for projects that are fully open source you can get listed on opencollective so people can make tax deductible donations to specific open source projects, like the stagex project I founded: https://opencollective.com/stagex/donate

If you are going to do something for public good, make it easy for people to justify donating to you for a tax write off!

replies(1): >>42493058 #
7. apex_sloth No.42493058
Interesting point with the tax write-off. I asked my boss to donate to an open source software we used a lot in our dev department and he labeled it as license costs because donations aren't something he could argue for (big company though).