Grayjay Desktop App

(grayjay.app)
512 points pierrelf | 1 comments
lrvick No.42478077
I love the right to repair work Louis Rossmann does, and this project's goal as a whole, but this license is a major step backwards for software distribution with high assurances of security, freedom and privacy.

Debian, Arch, Guix, F-droid or any other independent signed reproducible build channels require a true Open Source license to function legally.

The license thus forces users to download unsigned, non-reproducible binaries off grayjay servers and trust blindly that their build server is creating binaries from exactly the published code and has not been compromised to inject tracking or malware not in the public repo (an increasingly common attack they may not even know about for years!). Or say the grayjay domain is hijacked, or there is a BGP attack or a LAN MITM. There are all sorts of ways they could be helping distribute malware and not know it, with no signatures or reproducible build proofs.

Thing is, your team would not have to solve these problems if you licensed it so the community could solve them for you, as we do for thousands of open source software projects.

I really want to see a project like this take off and would gladly donate, but only if it can be opened up for accountability via third party compilation and distribution channels so it can never be backdoored or co-opted for surveillance if your leadership or release engineers are ever compromised.

Said license: https://github.com/futo-org/Grayjay.Desktop?tab=License-1-ov...

There are other licenses like AGPL that would kill any attempt for someone to rip your code off to make their own proprietary offering, without locking yourself out of established freedom, security, and privacy preserving software distribution channels.

If anyone from the team is reading this, I would be happy to detail and discuss my concerns further as a software supply chain security specialist. Hit me up.

replies(6): >>42479087 >>42479200 >>42479315 >>42479424 >>42479879 >>42480938
j1elo No.42479200
I read the license and of course IANAL but it seems clear that Debian, Arch, Guix, F-droid or any other independent signed reproducible build channels can package and distribute their own reproducible builds of this software, as long as it is "free of charge for non-commercial purposes", isn't it?

(a FOSS license would also work, but if I have learned something on HN before, it is: don't FOSS if you ever want to make money from something while preventing others from making money off of it)

replies(1): >>42479416
xmcqdpt2 No.42479416
You can take a copy of Debian and resell it or put it in a product and sell that. That’s a pretty important freedom of free software.
replies(1): >>42479605
j1elo No.42479605
And Debian is OK with that, because Debian is not a for-profit company that paid its developers money to make a product, thus they don't care that others get it and resell it.

For a company, the product itself, what makes money, cannot be OSS, as that makes its resale value effectively zero. If the software were OSS, then the software is _not_ the product, but added values are (support, consulting, etc... the classic trope).

But if the software itself wants to be the product, and is created by devs who require their monthly salary, typically the question is between a non-FOSS license or it not existing at all to begin with. Not between a non-FOSS and a FOSS license.

replies(2): >>42481338 >>42483744
xmcqdpt2 No.42483744
I was pointing out that Debian can't distribute software that is licensed "for non-commercial use only" because Debian doesn't have use restrictions, and so their users might be engaged in commercial use.

This is point number one in their free software guidelines:

https://www.debian.org/social_contract.html#guidelines