Debian, Arch, Guix, F-droid or any other independent signed reproducible build channels require a true Open Source license to function legally.
The license thus forces users to download unsigned non-reproducible binaries off grayjay servers and trust blindly that their build server is creating binaries from exactly the published code and not compromised to inject tracking or malware not in the public repo (an increasingly common attack they may not even know about for years!). Or say the grayjay domain is hijacked or even a BGP attack or a LAN MITM. All sorts of ways they could be helping distribute malware and not know it with no signatures or reproducible build proofs.
Thing is, your team would not have to solve these problems if you licensed it so the community could solve them for you, as we do for thousands of open source software projects.
I really want to see a project like this take off and would gladly donate, but only if it can be opened up for accountability via third party compilation and distribution channels so it can never be backdoored or co-opted for surveillance if your leadership or release engineers are ever compromised.
Said license: https://github.com/futo-org/Grayjay.Desktop?tab=License-1-ov...
There are other licenses like AGPL that would kill any attempt for someone to rip your code off to make their own proprietary offering, without locking yourself out of established freedom, security, and privacy preserving software distribution channels.
If anyone from the team is reading this, I would be happy to detail and discuss my concerns further as a software supply chain security specialist. Hit me up.