
/g/ - Technology

Programming and Electronics


 No.206

With the GPL, for any binary that you distribute, you have to make the corresponding source code available. With reproducible builds (see: https://reproducible-builds.org/), it is possible to verify that the binary was indeed compiled from the available source code. All you have to do is to compile the source code yourself, and compare the resulting binary with the one distributed. For an example of this in practice, see guix's `challenge` command.

With the AGPL, if you run a service accessible through a network, you have to make the corresponding source code to the service available to the users. But is there a way for the user to verify that the service provided corresponds to the source code available? I can't think of any situation where the service couldn't just simply lie about what it is.
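
The compile-and-compare check described in the post above, as an added example that is not part of the original post and is not Guix's code. The `challenge`, `members` and `make_tar` functions are hypothetical, and the archives and timestamp are constructed sample data standing in for a distributed artifact and a local rebuild.

```python
import hashlib, io, tarfile

def make_tar(files, mtime):
    """Build an in-memory tar as a stand-in for a build output; files: {name: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in sorted(files):          # fixed member order
            info = tarfile.TarInfo(name)    # uid/gid/uname default to fixed values
            info.size = len(files[name])
            info.mtime = mtime
            tar.addfile(info, io.BytesIO(files[name]))
    return buf.getvalue()

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def members(blob):
    """Map member name -> (content digest, mtime) for every regular file."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(blob)) as tar:
        for m in tar.getmembers():
            if m.isfile():
                out[m.name] = (sha256(tar.extractfile(m).read()), m.mtime)
    return out

def challenge(distributed, rebuilt):
    """Compare a distributed artifact with a local rebuild of the published source."""
    if sha256(distributed) == sha256(rebuilt):
        return {"verdict": "match", "content": [], "metadata": []}
    d, r = members(distributed), members(rebuilt)
    # Members that are missing on one side or whose bytes differ.
    content = sorted(n for n in d.keys() | r.keys()
                     if d.get(n, (None,))[0] != r.get(n, (None,))[0])
    # Members with identical bytes but a different timestamp.
    metadata = sorted(n for n in d.keys() & r.keys()
                      if d[n][0] == r[n][0] and d[n][1] != r[n][1])
    verdict = "content-mismatch" if content else "metadata-only"
    return {"verdict": verdict, "content": content, "metadata": metadata}

# Constructed sample data (not real build outputs).
SOURCE = {"bin/tool": b"\x7fELF built from published source", "share/LICENSE": b"GPL-3.0"}
EPOCH = 1600000000  # fixed timestamp, the role SOURCE_DATE_EPOCH plays in a real build

if __name__ == "__main__":
    honest = make_tar(SOURCE, EPOCH)
    print(challenge(honest, make_tar(SOURCE, EPOCH)))        # bit-for-bit match
    print(challenge(make_tar(SOURCE, EPOCH + 60), honest))   # only timestamps differ
    altered = dict(SOURCE, **{"bin/tool": b"\x7fELF with extra proprietary code"})
    print(challenge(make_tar(altered, EPOCH), honest))       # binary not from this source
```

A "metadata-only" verdict means the build is not yet reproducible rather than that the binary was altered; only a bit-for-bit match confirms the correspondence.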

 No.207

Try asking on textboard.org maybe.

 No.208

>>207
Is my thread not welcome here?

 No.210


I believe this to be very important in today's climate where every megacorporation tries to paint themselves to be great supporters of "open source" and many of our organizations are funded by their "generous donations". But the problem is that they don't give a shit about software freedom. Take Visual Studio Code for example. Microsoft used to advertise it as being Open Source, and millions in good faith downloaded binaries of it. Until a careful eye noticed that the source code released as "Visual Studio Code" was different from the binaries released as "Visual Studio Code". In fact, the binaries even have their own license agreement that you have to accept to use them. After being called out on it, Microsoft modified their website and now Visual Studio Code only claims that it was "built on Open Source", as if that was something to be proud of. But the damage has already been done. I think Docker employed (or still employs) similar tricks. The problem is, pushover (so-called "permissive") licenses do not protect you from this trickery at all. With copyleft licenses, the source code of the binary has to be provided. But with pushover licenses, corporations can put some crippled version of their software on GitHub as bait, and distribute proprietary versions of it in binary form. This is why I think verifying source-to-binary correspondence, enabled by bootstrappable and reproducible builds, is so important.


