←back to thread

Grayjay Desktop App

(grayjay.app)
512 points pierrelf | 2 comments | | HN request time: 0s | source
Show context
lrvick ◴[] No.42478077[source]
I love the right to repair work Louis Rossmann does, and this project goal as a whole, but this license is a major step backwards for software distribution with high assurances of security, freedom and privacy.

Debian, Arch, Guix, F-droid or any other independent signed reproducible build channels require a true Open Source license to function legally.

The license thus forces users to download unsigned non-reproducible binaries off grayjay servers and trust blindly that their build server is creating binaries from exactly the published code and not compromised to inject tracking or malware not in the public repo (an increasingly common attack they may not even know about for years!). Or say the grayjay domain is hijacked or even a BGP attack or a LAN MITM. All sorts of ways they could be helping distribute malware and not know it with no signatures or reproducible build proofs.

Thing is, your team would not have to solve these problems if you licensed it so the community could solve them for you, as we do for thousands of open source software projects.

I really want to see a project like this take off and would gladly donate, but only if it can be opened up for accountability via third party compilation and distribution channels so it can never be backdoored or co-opted for surveillance if your leadership or release engineers are ever compromised.

Said license: https://github.com/futo-org/Grayjay.Desktop?tab=License-1-ov...

There are other licenses like AGPL that would kill any attempt for someone to rip your code off to make their own proprietary offering, without locking yourself out of established freedom, security, and privacy preserving software distribution channels.

If anyone from the team is reading this, I would be happy to detail and discuss my concerns further as a software supply chain security specialist. Hit me up.

replies(6): >>42479087 #>>42479200 #>>42479315 #>>42479424 #>>42479879 #>>42480938 #
apex_sloth ◴[] No.42479424[source]
As I understand it, GrayJay is not free (as in they want to be paid, which is I think is reasonable). How does this work with something like AGPL?

I'm curious to hear more, because I'm in the process of evaluating licenses for a software I'm planning to build and sell. For me it's important that users can feel safe with running my code and build it themselves - and keep using the software if I'm no longer around to maintain it. Looking forward to hearing your thoughts.

replies(2): >>42480246 #>>42480257 #
1. akdev1l ◴[] No.42480257[source]
There’s literally nothing in any open source software license that stops the author from getting paid.

It is literally one of the fundamental freedoms mentioned by Richard Stallman. Freedom to sell the software.

AGPL just closes the cloud service loop where someone can take your code, modify it and deploy it and offer it as a cloud service. As they’re not technically “distributing” the modifications they wouldn’t be required to release their changes by regular GPL but they would by AGPL.

IANAL

replies(1): >>42481534 #
2. lurkshark ◴[] No.42481534[source]
This comes up occasionally and while it’s 100% true FOSS doesn’t mean you can’t get paid, any sufficiently big project is going to get folks repackaging it without the payment component.

A good example is for-sale Wordpress plugins. There are entire sites/communities for using the FOSS license to take those for-sale plugins and redistributing them for free. The RedHat debacle is another example although with some more nuance. Standard Notes had a similar situation.

It looks like the FUTO license is trying to prevent someone from stripping the payment features and redistributing. Personally I prefer when folks use a FOSS license but I think the “you can get paid for FOSS” argument is overly optimistic.