I agree. This has always been something that makes me uncomfortable in Privacy Guides.
Can you please explain the difference between open source and source available? This is the first time I hear of the latter term.
Source available usually means that you're allowed to inspect the code but not to modify or redistribute it, while many open source licenses also allow the latter.
That's because source-first is a marketing term that, as far as I know, only FUTO uses. Open-source, source-available and closed-source are all common terms with established meanings. Meanwhile, FUTO likes to pretend their software respects user freedom, when in reality, it's proprietary software just like source-available and closed-source software.
This is basically the one grain of truth in that whole wall of text, unfortunate that it's attached to the rest of it
I'm surprised FUTO is such a let-down. I'm a big fan of Louis Rossmann, and he always struck me as an honest and authentic person when it comes to issues of privacy, right to repair, and ownership.
I still don't quite understand what source first and source available mean, though. Can you explain what they mean? Yes, they are marketing terms, are they just another confusing term for proprietary?
Companies like 1Password defend not being open source by saying that they get audited regularly and pass those audits. Is that satisfying to you?
The way I see it, what FUTO is doing is perverting the open-source space and causing much more harm than good. They are arguably worse than source-available software, since they misrepresent themselves by claiming the right to modify when they have a dizzying amount of asterisks attached. It's clear FUTO is about protecting their billionaire owner and profitability, not the rights of users and developers equally.
Sure I'll try my best, let me know if it's still unclear after.
Open-Source
The standard definition used is the Open Source Initiative's (OSI) Open Source Definition (OSD). You can read it here. The core rights are: access to the source code, the right to modify it, and the right to distribute it.
Source-Available
Also a pretty clearly defined term, which is self-explanatory. Any software where the source is available to view falls under source-available software. Source-available software can very well include open-source software, assuming all the necessary rights are granted to users. Realistically, however, it's used to describe software which precludes those rights, meaning users lack one or many of the rights required for open-source software.
Source-First
A one-of-a-kind model used only by FUTO, which prioritizes protecting the developers over almost anything else. The users are entitled to see the code but cannot freely modify it. Any modifications must be distributed non-commercially without any payment links being removed. Take FUTO keyboard for example. What FUTO has done is forked LatinIME and made significant changes / improvements. Therefore, they added payment links and changed the license as the open-source license of LatinIME permits them to do. However, if a developer were to fork FUTO keyboard in the future, they have none of those same rights. They could not take a cent for any improvements they made. This is even worse than some source-available which only restricts commercial use, since it's not just that the new developer can't profit from their work, it's that FUTO continues to profit from it and the developer has no right to remove or obscure the payment links in any way.
Closed-Source
Sometimes incorrectly used as a term synonymous with proprietary software, closed-source software is often actively obscured to prevent users from reverse-engineering the source code. In fact, all the models listed above, with the exception of open-source software, are categorised as proprietary software since they grant exclusive rights to the rightsholder. Users of closed-source software are granted no rights in regard to the software and are often subject to extremely broad EULAs.
You mentioned this, but it's definitely to protect the original IP/company of the product. I wouldn't even say protect developers, as most external developers wouldn't touch FUTO code with a 10 foot pole. Look and use, but be careful about litigation for modification.
However for privacy respecting software, FUTO is great in theory, which I believe we should be focused on, but currently not battle tested.
Any code running serverside must also be released alongside any client source code.
This is the main line of protection for end users for auditing server side code, which is most of the world we live in. But how well this holds up against AGPL, time will tell.
Possible hot take, but this is LatinIME's "fault" if we are going to prescribe it. If they released the code as GPLv2+, FUTO wouldn't have been able to use it in the FUTO fashion.
Time and time again people use weak FOSS licenses to gain more traction and popularity for their applications and projects, but that simply lets others profit off what they do. This is what FUTO aims to prevent.
In this case, FUTO simply did what they say they are against - don't let corporations steal from weaker-licensed FOSS code and turn it to profit. They could have accomplished the same goal with GPL or to contribute back, but the incentive is to run a business with FUTO as a selling point.
Yeah, in this context by "the developers" I meant FUTO.
I disagree, I see little reason to trust FUTO over GBoard w/ network disabled. FUTO has time and time again misled users into adopting their products and because of their licensing, users will have no recourse in the form of a hard fork if FUTO decides their work isn't profitable enough.
I still believe FUTO is at fault as you kind of get into at the end. Like you said in the context of the open-source space FUTO is the "mega-corp" they are warning about, taking open-source code and re-licensing it under extremely restrictive licenses to protect themselves.
I don't really think it's fair to blame the license of LatinIME, these licenses are the best for users and developers despite the risk of "mega-corps" coming in and taking the code for themselves. There are sustainable open-source projects like GrapheneOS whose permissive licenses help encourage the most external contributions and support.
Correct, it's only as sustainable as FUTO is sustainable. Given they are brand new, I'd highly avoid recommending any products from them that are critical.
If someone doesn't want their product forked for profit without contributing back, it pretty much needs to be GPL or proprietary. It's a risk/reward situation of gaining traction and someone just taking your code. Maybe they don't care it was taken, and are happy someone found use in it.
There are variables at play for risk of profiting off FOSS code. Perhaps GOS is in a niche enough spot there isn't a market to fork for profit, so its permissive licensing works out fine. Iirc, haven't there been people who tried to fork and sell their own version and failed?
---
It's getting a bit off track, but I think users want software that respects privacy and has longevity. FOSS licenses make it easier to audit what is happening, and strong copyleft licenses provide more guarantees the software audited is what is running. If a project "dies", someone else can revive it, but this isn't a guarantee (DivestOS are massive shoes to fill).
FUTO checks the privacy box, but the sustainability of these products falls to them and them alone. There are plenty of other products that if the company goes so do the products, so FUTO is a "lesser" of proprietary evils.
Here is the FUTO clause for conveying source code:
You must ensure that anyone who gets a copy of any part of the software from you also gets a copy of these terms. If you modify the software, you must include in any modified copies of the software a prominent notice stating that you have modified the software, such as but not limited to, a statement in a readme file or an in-application about section.
This isn't clear if they just distribute source through networks. It's ambiguous enough to be questionable.
Compare this with Section 5 of AGPL, and FUTO shows it's clearly not fully fleshed out. AGPL seems written by lawyers, FUTO briefly by a company and developers with the idea of protecting their assets.
I'll take back what I said, FUTO is not battle tested to provide the same protections as AGPL, and would be cautious of assuming you will have legal guarantee of the source code running on their servers.
Just wanted to add my ramblings to the different types of open source software:
Tiers of open source:
- Closed source: cannot view source code.
- Source available: can view but not modify or distribute source code (e.g. to make sure there are no backdoors in the encryption). Example: MEGAsync
- Source first: access to source code and right to modify and distribute the source, but not for commercial use; therefore it doesn't meet the definition of "open source" (OSI) or "free" (FSF). Example: FUTO
- FOSS in name only: published under a license approved by the FSF and OSI, but not in the spirit of open source development. Restrictions include:
  - Bypassing FOSS license with technical means:
    - Cannot be built without proprietary SDK or dependencies. Example: OnlyOffice Android app
    - Exclude some files that aren't source code but still needed from the repo (e.g. artwork, language localizations, non-functional UI files, project metadata). Example: Strongbox
    - Depends on proprietary server component. Example: Snap package format and package manager depending on the proprietary Snap Store for a lot of the functionality.
    - Core program is FOSS, but lots of functionality comes in the form of proprietary extensions. Example: Virtualbox.
  - Bypassing FOSS license with non-technical means:
    - Separate end-user agreement at odds with the FOSS license. Example: Red Hat requiring licensees of RHEL to not share the source code (which is under GPL license) or else they will cancel the contract and customers will not be able to receive any more support or updates.
    - Network effects preventing forks: Example: The Signal messenger is fully FOSS (both client and server), but Signal doesn't allow third-party apps to use their servers (in reality they may tolerate it… until they don't), however those third-party apps would be useless if they can't connect to the servers in order to communicate with users of the normal Signal client.
    - "Behemoth" project controlled by only one party. Example: Chromium, which must be open source as it is forked from a GPL'd program (Konqueror) but completely controlled by Google, with no regard for any outside feedback (e.g. dropping JPEG XL support and Manifest v2 extensions) and no realistic chance for volunteers or small organizations to hard-fork the codebase due to its massive scope and the constant upkeep needed to stay compatible with websites.
- Fully free and open source. With multiple types of licenses ordered from more to less corporate-friendly:
  - Permissive, e.g. BSD, MIT, Apache
  - Weak copyleft, e.g. MPL, CDDL, LGPL
  - Strong copyleft, e.g. GPL v2, GPL v3, EUPL
  - Strong copyleft with additional protections:
    - AGPL (similar to GPL, but also applies to software running over a network, e.g. on a server)
Correct, but I think these are more fine grained details that vary case by case depending on the product.
Saying you have the right to modify is extremely misleading. FUTO doesn't allow you to strip out payment links or obscure them in any way. FUTO is the only party that gets to profit, even from future development by others for non-commercial purposes.
FUTO purposely uses ambiguous language in other places to try to obscure this fact. For example:
- Sourcefirst.com reads:
  - "This does not include the right to strip out payment links…"
- Their open-source definition prohibits:
  - "… payment links to pay someone other than FUTO."
- The actual license that matters which is on this page reads:
  - "You may distribute the software or any part of its source code only if you do so free of charge for non-commercial purposes.
    Notwithstanding the above, you may not remove or obscure any functionality in the software related to payment to the Licensor in any copy you distribute to others."
Not to mention the fact that FUTO has unilaterally decided on their own definition of open source to suit them: "Open source just means access to the source code."
Because of all this, I would make the argument that software licensed under the source-first license is less favorable than that licensed under source-available licenses. The real-world benefits are the same: access to review the source code, and the drawbacks are largely the same too:
- Both lack the freedom to modify or redistribute the software without restriction, even non-commercially.
- Both are driven by commercial interests and exclusively or very heavily prioritize protecting the interests of the original developers of the software.
- Neither leaves a sustainable path forwards or recourse if something happens to the original vendor. It allows them to take whatever anti-user actions they want in the exact same way closed-source software can.
- There is no such thing as a free lunch. It is naive to assume that people will donate their time and energy to review the source code of a piece of software when they have nothing to gain since they have very restricted or, if any, rights to the software. In this way, an argument could be made that software under one of these licenses is even less likely to be reviewed than open-source software (where users already severely overestimate the number of eyes on various software).
The difference is that FUTO is blatantly misleading people with their licensing in an attempt to lock users of open-source software into using their proprietary software. Source-available software is transparent about the fact that they own the software fully and that the code is only available for viewing.
Personally, I believe that any requirement for open-source software should require true open-source software, not source-available software. However, for the reasons listed above, if source-available software were to be made a requirement either as an intermediate step or permanently, I would petition for source-first software to be explicitly excluded due to its deceptive nature.
Thank you for the explanation. I have a better understanding now.
Does Louis defend Futo's decision? Because on some level, they are exploiting him, to the extent that he is a popular internet public figure. They're also using his credibility to his audience.
Not trying to get political, but privacy and right to repair have become political issues. What I'm trying to say is that, I have seen progressives in the comments argue that with all the harsh criticism that Louis has of capitalism, he should embrace anti-capitalism, and they are disappointed that he doesn't, as he always says in his videos that he's a capitalist.
The way I see it, as long as Louis is fighting the good fight, he shouldn't be pressured to embrace this or that political ideology. And even if he was, I don't think he's that easily influenced on this issue.
That said, he should be smart enough to realize when FUTO is steering the wrong direction.
I assume so, as far as I can tell he is their public face. Honestly I think he was doing good work with promoting right to repair and it would probably be best for everyone if he / FUTO stuck to that, rather than trying to re-invent open-source.
Meh, I see FUTO as a middle ground between privacy and proprietary in favor of protecting company assets.
assuming the differentiation is there between clientside and serverside service usage, Clientside speaking (and don't get me wrong i'm not implying that PG is doing it) you can't just recommend me, the random netizen out there that wants to have privacy on his computer, to install ANYTHING that is not fully FOSS, and claim to have privacy with it.
So yeah clientside at least, you guys should 100% enforce the FOSS requirement since i'm assuming privacy from adversaries like the big bad boogeymen governments is the goal.
It's a matter of standard imo, in my blog at least, for OPSEC purposes, i have never and won't ever tolerate closed-source software when talking about privacy, because that's just how it is, closed-source software is the main way people get spied on in the current era we're in.
all I can say is. Username checks out.
What purpose does open source software do that you're pushing it so hard because even Independently Audited Proprietary software can be just as good as an open source counterpart (and in General, Independent audits is what makes up more about security and privacy claims than just auditing code). Leading everyone to just use Open source software misses the whole narrative In general. And let's also not forget, FOSS doesn't mean the software is secure or guaranteed to not have trackers or that the binary provided by that software is the same as on the code itself.
I see people miss the point of can
Maybe there could be something like a filter or setting for the recommendations like "Show only FOSS recommendations"?
This way all parties could be happy I guess.