August 2012

Interesting gig alert:

OpenITP is looking for a researcher to examine and report on circumvention technology usage in China (the project will later expand to more of Asia).

Interested? Consider applying! Also please feel free to repost this anywhere you think appropriate — & retweet / redent.

Circumvention Tech: (noun) Technology, including software tools, designed to help people circumvent censorship and surveillance by state and non-state actors.

A modest proposal:

Give mobile device users the option to see which apps are open source, when browsing in app stores, and the option to know that the open source app they’re installing was actually built from the publicly-accessible source code it claims to be built from.

Right now, when an app is labeled “Free”, you have no way of knowing whether that means “no fee to download” or actually means “open source” [1]. Usually it’s the former, but not always. For example, in Android-land’s default online app catalog, Google Play, here is what “Free” looks like:

The Google Play Store, with the open source badge option turned off.

Which of those are open source? How would you tell?

But if there were an option in Settings, to display the OSI logo for apps distributed under OSI-approved licenses, then it would be easy:

The Google Play Store, with the open source badge option turned on.

The setting wouldn’t have to be the default (although it’d be great if it were). Those who care can turn it on, and they’ll see the OSI-approved badge next to apps that are open source. Maybe touching the logo could take the user to more information, such as a page showing the specific license, the app’s home page, the exact version of the source code and the build configuration that would be behind the app that gets downloaded if the user clicks “Install”, etc.

Why do I care?

I strongly prefer to install open source apps on my Android devices. When software is open source, I know it will always be maintained as long as it has a user base, and that no one can ever shut it down or take it away. This makes me much more willing to depend on it and invest time in learning it. Because I know other parties are making the same calculation — especially vendors who can provide third-party support — there’s a positive feedback loop, a virtuous circle that ensures I will never be p0wn3d by someone else’s monopoly over the code that runs on my devices.

Furthermore, from a security and trust perspective, in many cases I’d like to be able to know that the app I’m installing is directly derived from the published source code. Although open source is no guarantee that the code has been vetted, it raises the chances that the code has received some scrutiny, and it at least enables people to take responsibility (or outsource responsibility) however they want to, instead of leaving them in the position of simply hoping that an app has not been maliciously rigged.
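One concrete way to check the "directly derived from the published source code" claim is to rebuild the app yourself from the commit the store page names and compare the two archives member by member. The script below is an added example, not code from the original post or from any app store; it assumes an APK is an ordinary zip archive (it is) and that the publisher's signing files under META-INF/ are the only entries a verifier cannot reproduce, since they depend on the publisher's private key. The archives it compares are constructed in memory and stand in for a downloaded APK, a rebuild from source, and a tampered copy.

```python
"""Check whether a downloaded APK matches a rebuild from published source.

An APK is a zip archive. A build from the claimed source commit should
produce the same entries, byte for byte, except for the signing metadata
under META-INF/, which the publisher's private key adds and a verifier
cannot reproduce. This compares the two archives entry by entry.
"""
import hashlib
import io
import zipfile

SIGNING_PREFIX = "META-INF/"  # APK v1 (JAR-style) signature files live here


def entry_digests(apk_bytes, ignore_prefix=SIGNING_PREFIX):
    """Map each archive member name to the SHA-256 of its decompressed
    contents, skipping directories and members under ignore_prefix."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.filename.startswith(ignore_prefix):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_apks(downloaded, rebuilt):
    """Return a sorted list of (member, reason) mismatches. An empty list
    means the downloaded APK matches the rebuild, signatures aside."""
    a, b = entry_digests(downloaded), entry_digests(rebuilt)
    problems = []
    for name in sorted(set(a) | set(b)):
        if name not in b:
            problems.append((name, "only in downloaded APK"))
        elif name not in a:
            problems.append((name, "only in rebuilt APK"))
        elif a[name] != b[name]:
            problems.append((name, "contents differ"))
    return problems


def make_apk(members):
    """Build an in-memory zip from a {name: bytes} dict (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample archives; the package name and contents are made up.
SOURCE_BUILD = {
    "AndroidManifest.xml": b"<manifest package='org.example.app'/>",
    "classes.dex": b"dex\n035\x00" + b"\x00" * 32,
    "res/layout/main.xml": b"<LinearLayout/>",
}
# What the store serves: the same build plus the publisher's signature files.
STORE_APK = make_apk({**SOURCE_BUILD,
                      "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0",
                      "META-INF/CERT.RSA": b"publisher signature"})
# What a verifier gets by building the named commit locally (unsigned).
REBUILT_APK = make_apk(SOURCE_BUILD)
# A copy whose bytecode was altered and which carries an extra asset.
TAMPERED_APK = make_apk({**SOURCE_BUILD,
                         "classes.dex": b"dex\n035\x00" + b"\x01" * 32,
                         "assets/extra.bin": b"not in source",
                         "META-INF/CERT.RSA": b"publisher signature"})


if __name__ == "__main__":
    print("store vs rebuilt:", compare_apks(STORE_APK, REBUILT_APK) or "match")
    print("tampered vs rebuilt:", compare_apks(TAMPERED_APK, REBUILT_APK))
```

The check only says that the store's artifact matches what you built from the commit the store page points at; for the comparison to come out clean at all, the build itself has to be deterministic (fixed toolchain versions, no embedded timestamps or build-machine paths), which is a separate property the project has to provide. It also shows why a hash alone is not enough: a single published SHA-256 of the signed APK can never match an unsigned rebuild, so the comparison has to exclude the signing data rather than the whole file.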

Before app stores came along, figuring out whether software was open source was pretty easy. You could look at its documentation, visit its web page, ask your operating system’s package management tool, simply make sure to obtain it from sources known to provide only open source software [2], etc.

So the question “Is this open source?” was generally easy to answer, as were the related questions “If it’s open source, where’s the development site? Where’s the bug tracker? Where’s the development community? Where can I get third-party support?”

But mobile app development culture isn’t there yet. I think there are two main reasons for this:

First, app developers have only partial control over how their apps are presented to users: presentation is now centralized in the app stores, so the store admins determine a lot.

Second, the app store way is that users pay a small fee (sometimes zero, but often in the $1 to $5 range) for downloading an app, and the stores haven’t yet made it easy for people to pay that fee even for apps clearly labeled as open source. Depending on how you look at it, the fee would then be either a donation, or a convenience fee instead of a license fee. It could also have a set-your-own-price option, so that the app developers don’t have to decide in advance what people are willing to pay. In any case, there’s no reason open source developers shouldn’t have a chance to make it easy for users to send them money (and yes, people really will) — it’s just that the app stores haven’t provided a mechanism for it yet, because they’re not yet distinguishing between “no fee required” and “freedom”.

The ability to at least see open source would be a good place to start.


[0] Disclaimer: I’m a former director at the Open Source Initiative, but in this post am speaking only for myself. I think this might be an interesting idea for the OSI to push for, though! Comments welcome.

[1] In this context, the term “open source” is synonymous with “free software”.

[2] The Debian GNU/Linux operating system makes this particularly easy, by providing open source packages by default, offering non-open-source ones via a clearly-labeled alternate route, and offering vrms so you can get a licensing report at any time.

Dear Lazyweb,

I want to buy some online data storage.

I don’t want to have to learn any new APIs for accessing my storage. I already know how to interact with files in a computer filesystem, so I’d like to just access my cloud storage that way. In other words, I want to buy a networked mount point with a designated amount of storage behind it, where I’m charged based either on the amount of storage reserved or on the amount used, I don’t care which. It’s okay if it’s slow: we can copy data to faster local disk when we’re working with it. I just want a place to put large amounts of data, a place that’s backed up by someone who’s paid to back it up, such that it’ll be easily accessible to programs running on a server.

(Actually, in an ideal world I want to find two such offerings, so I can use them both and have one be a backup of the other, for organizational redundancy in our backups.)

I would have thought this service would be completely commoditized by now, but apparently not — or, possibly, I’m just not searching for it the right way.

I’ve been looking at Wikipedia’s Comparison of File Hosting Services, and maybe one of those will turn out to be it. I also had a conversation about using Ceph to do this, in the chatroom on the OFTC IRC network (many thanks to the people there who responded to my questions). Word there is no one’s offering this yet with Ceph, though it might be an offering in the future.

Any ideas?

Another highlight of OSCON:

The release (w00t!) of Ben and Fitz’s new book, Team Geek: A Software Developer’s Guide to Working Well With Others:

Team Geek (cover)

Their talks on How to Handle Poisonous People and The Art of Organizational Manipulation are already famous. In fact, I tried to attend the latter at OSCON, but was turned away at the door because the room was already too crowded and was in danger of violating fire regulations — which gives you a sense of how much people want to learn what they have to teach.

Now they’ve written a whole book on “people for geeks”. Things I’m going to start paying more attention to:

  • Avoid the “compliment sandwich” (pp. 74-75). (I guess for metaphorical consistency it should be called a “criticism sandwich”, since a “roast beef” sandwich is not a slice of bread between two pieces of roast beef. Whatever. Just read about it.)
  • Track happiness (p. 76).
  • Look for facts in the bile (p. 96) — particularly useful in technical projects.
  • “Offensive” vs “defensive” work (p. 117).
  • Leave time for learning (p. 20).
  • Why you can’t ignore marketing (pp. 130-133).

Order it directly from O’Reilly Media here.

And Fitz, I’m sorry for being such a clod when we were working on cvs2svn (pp. 20-21, though you didn’t say it that way of course). I got better, I promise.