3np 5 days ago

Do you plan on making source code available? (Or: how can users verify that this is not malware?)

michaelphi 4 days ago

hmm not sure yet on the open source thing, but how do people normally verify downloadable software has no malware? I guess we could try to distribute it on like reputable distribution channels like the app store

3np 4 days ago

Personally I do take at least a quick look over sources before deciding to trust any new app. I simply won't install apps that don't provide the option.

This used to be an ideological stance but increasingly recently it's the only pragmatic thing to do from a stance of security and safety. The playing field is increasingly hostile and if someone asks you to install their software on your machine and let it record your face and voice but refuses to show what it actually does, that is a red flag. Reasonable exceptions could include video games (which run on dedicated untrusted devices and IMO the IP aspect makes the closed-source stance more understandable there). On the other hand, this app is inherently sensitive and trusted because of its function. I don't see the reason why it needs to be closed-source.

Malware is commonly distributed in all app stores. I reported some obviously pretty bad stuff that is still up a year later on Play Store, for example. Google simply doesn't bother if the case is too messy.

> hmm not sure yet on the open source thing

You could start by just going source-available, sharing the source with your users without going full Open Source, if you want to take the time to think about what license to use.

michaelphi 4 days ago

thanks for the write up! it's an electron app so i think you can also view the source code easily that way tbh

kaladin-jasnah 4 days ago

Another thing to add: this is Linux-only and a large amount of Linux users will care about your product being free software or under an open source license for ethical reasons. Source available doesn't mean open source, and open source means your product's license protects distribution and modifications of the code to some extent. This extent is quite debated, but you should certainly read up on this and have a strong defence for why your product isn't open source either way. I can certainly see why you wouldn't want to, but make sure to think about it especially for Linux-only. Windows and Mac users are probably more amenable to proprietary software.

wutwutwat 4 days ago

> you can also view the source code easily that way tbh

sure thing, just gotta download and execute it.... WAIT A MINUTE. YOU ALMOST GOT ME! YOU SOB

> you can also view the source code easily

can just as easily throw it on github, if your intentions were legit

econ 4 days ago

Some day we should have everything sandboxed on the hw level. Like computers in 1980

OsrsNeedsf2P 4 days ago

Reproducible builds are the way. But source available is better for people who are worried about malware

inetknght 4 days ago

How do you reproduce a build without source?

reactordev 4 days ago

Meticulously with Ghidra I suppose. This trend of saying it’s to protect us is getting old. The only way to prevent malware is by making the source available for us to see for ourselves.

3np 4 days ago

Yeah, reproducible builds are meaningless for users without a reference to reproduce.

prophesi 4 days ago

If this isn't monetized, is there any reason against opening its source? I personally would like to be able to disable the usage analytics and crash reports.

JadeNB 4 days ago

> If this isn't monetized, is there any reason against opening its source? I personally would like to be able to disable the usage analytics and crash reports.

Although I personally deplore it and try to stay away from software that requires it, or even opts me in, I nonetheless think that it's reasonable for a developer to impose telemetry as a requirement for people to make use of their freely available software.

prophesi 4 days ago

The first thing I'd do if it were open source is spin up a PR to allow the telemetry to be opt-in. After two decades of being the product, it's hard to trust any data collection done by companies outside the EU.

HeatrayEnjoyer 4 days ago

As long as it's opt-in, sure. Otherwise it'd be an illegal GDPR breach.

rockemsockem 4 days ago

Pretty sure if they just don't let you use the software without opting in then it isn't a GDPR breach... You aren't entitled to use the software.

47282847 4 days ago

GDPR is very clear about how you are not allowed to make data collection a requirement for use.

It is a straightforward set of rules written in simple language and it’s not very long either. It’s not necessary to rely on third party readings or interpretations of it. Just go ahead and read it yourself and you will be well equipped to apply and argue about it.

phkahler 4 days ago

But then you could not allow access from the EU.

rockemsockem 3 days ago

Except I can just deny all of Europe access? Then anyone who wants to use it has to pretend to not be European through a VPN or otherwise.

rockemsockem 3 days ago

You can argue specifics and nitpick, but the outcome is effectively the same.

quotemstr 4 days ago

> GDPR is very clear about how you are not allowed to make data collection a requirement for use.

Everyone --- even German newspapers --- flouts this rule. "Consent or pay" is a common strategy.

47282847 2 days ago

And they keep losing in courts about it.

fragmede 4 days ago

eh, don't worry about it. there are some weirdos with trust issues (I'm one) that are vocal about that, but regular people don't have that problem.