Raivo OTP is not open source

jonah · March 30, 2023, 1:19am

raivo-otp/ios-application/blob/b82e98d2e40e5a849a6f55947fb969e90af9b763/LICENSE.md

# License

> Effective date: July 30, 2022

Copyright © 2022 Tijme Gommers. All rights reserved.

Raivo OTP ("us", "we", "our", "Raivo", "Tijme Gommers") operates the Raivo OTP related services (the "Services"). The Services include and are limited to the Source Format and Processed Format of [Raivo OTP for Apple iOS](https://github.com/raivo-otp/ios-application), [Raivo OTP for Apple MacOS](https://github.com/raivo-otp/macos-receiver), [Raivo OTP Issuer Icons](https://github.com/raivo-otp/issuer-icons), [Raivo OTP APNS Server](https://github.com/raivo-otp/apns-server) and [Raivo OTP Marketing Website](https://github.com/raivo-otp/marketing-website) (raivo-otp.com).

The Services are provided "as is", without warranty of any kind, express or implied, including but not limited to the warranties of merchantability, fitness for a particular purpose and noninfringement. In no event shall the authors or copyright holders be liable for any claim, damages or other liability, whether in an action of contract, tort or otherwise, arising from, out of or in connection with the Services or the use or other dealings in the Services.

## Source Format

Permission is hereby granted, free of charge, to any person who obtains a copy of the Services in source format ("Source Format"), to use the Services in Source Format, subject to restrictions, to the rights to use, copy, modify, merge, and provided to allow you to do so, subject to the following conditions:

This license and copyright notice and this permission notice shall be included in all copies or substantial portions of the Services. Any form of Processed Format arising from the Source Format shall be used as specified in section [Processed Format](#processed-format). 

## Processed Format

Modification, duplication, and (re)distribution of the Services in binary or published format ("Processed Format") for any purposes and/or reasons is strictly prohibited without the explicit permission from Raivo OTP. Permission for modification, duplication, and (re)distribution of the "Service" in Processed Format can be requested via [GitHub](https://github.com/raivo-otp/ios-application/issues/new?assignees=tijme&labels=Question).

Let’s figure out if this affects our recommendation, or if we should lower the criteria to “source available”

I haven’t looked at the iOS TOTP space in a while, if there’s a good one that’s also open source I’m happy to replace Raivo with it, if there isn’t I’m happy to change the criteria, but either way the current listing is inaccurate.

jonah · March 30, 2023, 1:24am

Replacements we could consider:

There’s also GitHub - ente-io/ente: Fully open source, End to End Encrypted alternative to Google Photos and Apple Photos and https://2fas.com/ which should probably be separate threads since they’re not iOS specific.

Nostradamus · March 30, 2023, 4:11am

What’s the reason for “Open Source” as a requirement on this case? Is it is transparency and the ability for people to audit the code? In that case, it being " Source-available" is good enough for me.

If we keep it, should we weight if recommending their MacOS receiver: GitHub - raivo-otp/macos-receiver: A MacOS TabBar (StatusBar) application that securely receives one-time passwords (OTPs) that you tapped in Raivo for iOS.

Niek-de-Wilde · March 30, 2023, 8:09am

Well being open source in general is not a hard requirement. That said, if there are viable opensource alternatives with about the same level of usability, then we will list those above the closed source variants in general.

Also that said, Ive been setting my sights on 2fas as well lately as a authy replacement, but i havent been able to play with it personally just yet because of time constraints.

jonah · March 30, 2023, 12:52pm

It is for this category, hence the need for some sort of change, for what it’s worth.

Niek-de-Wilde · March 30, 2023, 1:17pm

Thats what I mean’t with “in general” ;p.

ch3k · April 3, 2023, 1:40pm

GitHub - X1nto/Mauth: A Material You Two-factor Authentication app is a nice one for android. For ios i use otp-auth which also isn’t open source, but works offline.

OyeMate · April 3, 2023, 1:44pm

Both ente-io/auth and 2fas fail to meet the minimum requirements, which are:

These requirements include:

Must not require internet connectivity.

Must not sync to a third-party cloud sync/backup service.

We have two options to consider. Firstly, we can relax the requirements, or secondly, we can stick to the current recommendations. However, if we choose the latter, we won’t have a good alternative for Authy, which is far from ideal due to its weak privacy and lack of data-portability.

Edit: Bitwarden can be a decent alternative to Authy for a good number of people.

Nour · April 5, 2023, 2:28am

Raivo has always been OSS, not FOSS.

This meets the criteria of being open source, no? The license just prohibits redistribution or modification.

catlike · April 5, 2023, 12:54pm

No, the term “open source” is defined. The correct term for Raivo is source-available software.

catlike · April 5, 2023, 12:58pm

The first point of the Open Source Definition is Free redistribution, so if the license “just” prohibits redistribution it can’t be open source at all.

Nour · April 5, 2023, 1:10pm

Thank you, that makes sense.

In that case, since I believe Raivo is definitely worth keeping as a recommended option, the best way to go about it IMO is to update the recommendation requirements to ‘open source or source available’.

I’d assume the open source requirement was originally added more for the ability to inspect and verify the code and its security, rather than for the code’s freedom of redistributability.

This would be a good compromise and middle ground to have against popular (and also great, but closed source) options like Authy and Duo.

jonah · April 5, 2023, 4:16pm

github.com/privacyguides/privacyguides.org

Clarify source availability in MFA criteria

privacyguides:main ← privacyguides:jonaharagon/raivo-not-foss

opened 04:16PM - 05 Apr 23 UTC

jonaharagon

+1 -1

Changes proposed in this PR: - Require source code availability (as opposed t…o a distinct open-source requirement) for MFA apps Context: https://discuss.privacyguides.net/t/raivo-otp-is-not-open-source/12198/10?u=jonah  - [x] I have disclosed any relevant conflicts of interest in my post. - [x] I agree to grant Privacy Guides a perpetual, worldwide, non-exclusive, transferable, royalty-free, irrevocable license with the right to sublicense such rights through multiple tiers of sublicensees, to reproduce, modify, display, perform, relicense, and distribute my contribution as part of this project. - [x] I am the sole author of this work. - [x] I agree to the [Community Code of Conduct](https://www.privacyguides.org/en/code_of_conduct/).

jonah · April 10, 2023, 10:53pm

Status: In Progress → Done

Topic		Replies	Views
Remove Raivo OTP (iOS MFA) Tool Suggestions completed	29	6947	July 27, 2023
OTP Auth for iOS Tool Suggestions	10	1543	July 28, 2023
Raivo OTP f*** up Questions software	2	770	November 4, 2022
FreeOTP (iOS/Android TOTP 2FA App) Tool Suggestions	5	901	July 28, 2023
PSA: Export your keys before updating Raivo OTP to the latest 1.6 version Off Topic software	43	3910	June 4, 2024

Raivo OTP is not open source

Related Topics