Grayjay Desktop App (grayjay.app)

544 points by pierrelf | 4 comments
lrvick No.42478077
I love the right to repair work Louis Rossmann does, and this project's goal as a whole, but this license is a major step backwards for software distribution with high assurances of security, freedom and privacy.

Debian, Arch, Guix, F-droid or any other independent signed reproducible build channels require a true Open Source license to function legally.

The license thus forces users to download unsigned non-reproducible binaries off grayjay servers and trust blindly that their build server is creating binaries from exactly the published code and has not been compromised to inject tracking or malware not in the public repo (an increasingly common attack they may not even know about for years!). Or say the grayjay domain is hijacked, or there is a BGP attack or a LAN MITM. All sorts of ways they could be helping distribute malware and not know it, with no signatures or reproducible build proofs.

Thing is, your team would not have to solve these problems if you licensed it so the community could solve them for you, as we do for thousands of open source software projects.

I really want to see a project like this take off and would gladly donate, but only if it can be opened up for accountability via third party compilation and distribution channels so it can never be backdoored or co-opted for surveillance if your leadership or release engineers are ever compromised.

Said license: https://github.com/futo-org/Grayjay.Desktop?tab=License-1-ov...

There are other licenses like AGPL that would kill any attempt for someone to rip your code off to make their own proprietary offering, without locking yourself out of established freedom, security, and privacy preserving software distribution channels.

If anyone from the team is reading this, I would be happy to detail and discuss my concerns further as a software supply chain security specialist. Hit me up.

replies(6): >>42479087 #>>42479200 #>>42479315 #>>42479424 #>>42479879 #>>42480938 #
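To make the reproducible-build argument in the comment above concrete, here is an added example in Python; it is not code from the thread, from Grayjay or from FUTO. It models a toy deterministic build, independent rebuilders that attest to the artifact hash the published source produced on their machines, and a verifier that accepts a downloaded binary only when enough independent attestations match it exactly. The source tree, builder names, commit id and injected bytes are all constructed for the example, and the toy build function stands in for a real compiler run with pinned inputs (fixed flags, SOURCE_DATE_EPOCH, and so on).

```python
import hashlib
from dataclasses import dataclass

# Constructed sample source tree standing in for "the published code at one commit".
# These bytes are invented for the example; they are not any real project's source.
SOURCE = {
    "Makefile": b"all: app\n",
    "app.c": b"int main(void) { return 0; }\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def source_commit(tree: dict) -> str:
    """Content hash of the tree in a fixed (sorted) file order; plays the role of a commit id."""
    h = hashlib.sha256()
    for name in sorted(tree):
        h.update(name.encode() + b"\0" + tree[name] + b"\0")
    return h.hexdigest()


def reproducible_build(tree: dict, inject: bytes = b"") -> bytes:
    """Toy deterministic build: the artifact is a pure function of the source.
    `inject` models a compromised build server adding bytes that are not in the public repo."""
    return b"ELF-toy:" + source_commit(tree).encode() + inject


def timestamped_build(tree: dict, build_time: int) -> bytes:
    """Toy non-reproducible build: embeds a build timestamp, so even honest builders disagree."""
    return reproducible_build(tree) + b":built_at=" + str(build_time).encode()


@dataclass(frozen=True)
class Attestation:
    builder: str          # an independent rebuilder (names below are constructed)
    source_commit: str    # which published source the builder compiled
    artifact_sha256: str  # hash of the artifact that source produced on their machine


def attest(builder: str, tree: dict, artifact: bytes) -> Attestation:
    return Attestation(builder, source_commit(tree), sha256_hex(artifact))


def verify_download(downloaded: bytes, attestations, expected_commit: str, threshold: int = 2):
    """Accept the vendor's binary only if at least `threshold` distinct builders, all compiling
    `expected_commit`, attest to exactly the hash of what we downloaded. Returns (ok, agreeing)."""
    digest = sha256_hex(downloaded)
    agreeing = sorted({a.builder for a in attestations
                       if a.source_commit == expected_commit and a.artifact_sha256 == digest})
    return len(agreeing) >= threshold, agreeing


COMMIT = source_commit(SOURCE)


def scenario_honest():
    """Vendor ships what the public source builds; two independent rebuilders confirm it."""
    vendor_binary = reproducible_build(SOURCE)
    proofs = [attest("rebuilder-A", SOURCE, reproducible_build(SOURCE)),
              attest("rebuilder-B", SOURCE, reproducible_build(SOURCE))]
    return verify_download(vendor_binary, proofs, COMMIT)


def scenario_tampered_build_server():
    """The public repo is clean but the vendor's build server is not: the source hash still
    matches, so only comparing the artifact against independent rebuilds reveals the difference."""
    vendor_binary = reproducible_build(SOURCE, inject=b"[constructed-injected-bytes]")
    proofs = [attest("rebuilder-A", SOURCE, reproducible_build(SOURCE)),
              attest("rebuilder-B", SOURCE, reproducible_build(SOURCE))]
    return verify_download(vendor_binary, proofs, COMMIT)


def scenario_not_reproducible():
    """Same honest source, but the build embeds a timestamp: every builder gets a different hash,
    so there is nothing to compare and the verifier cannot vouch for the vendor's binary at all."""
    vendor_binary = timestamped_build(SOURCE, 1_700_000_000)
    proofs = [attest("rebuilder-A", SOURCE, timestamped_build(SOURCE, 1_700_000_001)),
              attest("rebuilder-B", SOURCE, timestamped_build(SOURCE, 1_700_000_002))]
    return verify_download(vendor_binary, proofs, COMMIT)


if __name__ == "__main__":
    for name, fn in [("honest", scenario_honest),
                     ("tampered build server", scenario_tampered_build_server),
                     ("not reproducible", scenario_not_reproducible)]:
        ok, who = fn()
        print(f"{name:22s} -> {'ACCEPT' if ok else 'REJECT'} (agreeing builders: {who})")
```

Run directly, the three scenarios print ACCEPT or REJECT. The middle one is the case the comment describes: the repository is clean, the build server is not, and the only thing that catches it is a hash comparison against builds done by parties the vendor does not control. The last one shows why reproducibility is a precondition rather than a nicety: without it, honest builders disagree among themselves too, and the check degrades back to blind trust in whichever server served the download.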
1. 2OEH8eoCRo0 No.42480938
The license lets you do whatever you want except rip off FUTO. What does the license prevent you from doing?
replies(1): >>42486463 #
2. lrvick No.42486463
Everything I described in my comment.
replies(1): >>42487182 #
3. 2OEH8eoCRo0 No.42487182
> You may distribute the software or provide it to others only if you do so free of charge for non-commercial purposes.
replies(1): >>42491952 #
4. lrvick No.42491952
Yes, except all the existing reproducible build and independent signing channels are free software. They only do this software supply chain integrity work for free for those that provide their software for free. Also, the downstream distributions and compilations of software based on these channels are using free software licenses, and someone -could- charge for, say, installing them on a new computer.

These communities should not be expected to change their entire license model to remove freedom 1, just because one proprietary software vendor has chosen to remove freedom 1.

So, with fdroid, guix, arch, f-droid, etc. offering signed reproducible build services for proprietary software vendors being off the table, it then falls to FUTO to provide users an equally secure path to get their software with as good or better UX.

Right now the only way to assure you get a binary of FUTO without any malware in it is to compile it yourself. Expecting most users to do that is not a serious solution.

We could force their hand, though, under the terms of the license.

Let's say I were to release a package of all the dependencies needed to compile FUTO, and on first launch it downloads the code on the fly, patches out any forced-payment or analytics, compiles it, then launches it. Their license would allow it, and it could now technically be distributed via free software channels. But users would just have a very slow first launch.

At that point FUTO loses, forcing us into hacky compliance and getting no money, vs releasing it AGPL in the first place and extending the goodwill that will make some want to donate.