
I recently looked into open sourcing Homechart (https://homechart.app). It's free to use already (for self hosting), but some users wanted it to be open source (almost entirely for auditing purposes, but I doubt they'd even read the code). I don't want anyone using it for commercial purposes, and I found a few licenses that would prevent this, namely Commons Clause, but at the end of the day I didn't see a benefit to having it OSS aside from appeasing some OSS purists. The app is already free, and I don't need the added burden of responding to issues and pull requests (and supporting the code they add).

EDIT: I also don't want folks redistributing custom builds or effectively reselling it somehow. I'm a solo dev, I don't have the resources to litigate and enforce any kind of restrictive license.



> I don't need the added burden of responding to issues and pull requests

You don't have to. Open sourcing does not mean putting it on GitHub with an open bug tracker; you could simply offer tarball downloads, mention you don't support it, and ignore any email about it.


This is actually how Apple does some of their open-source projects.

For example, the XNU kernel at the heart of macOS is open source, along with some of its kernel extensions. Apple isn’t interested in having other people work on it though or having their commit history unveil vulnerabilities, so they just squash all the commits into one and release the tarball for every new macOS version.

Open-source kernel? Check.


Or host it on GitLab, which lets you entirely disable forking, merge requests, and the issue tracker.


> disable forking

That seems mean?


You can always clone the repo, change the git remote to a newly created one and upload there. You get a perfect copy, just that it isn't recognized as a fork, thus you can't make pull requests (you can still merge changes via the git CLI as always).


Why GitLab? Host it on GitHub, just don't make the repo public!

But yeah, this thread is correct about the burden of issue tracking and pull request management.


Yeah I think the developer of the Apollo Reddit app open sourced the app in the beginning so people could audit it and it led to some people immediately cloning it and trying to sell it for money.


So firstly, the people asking you to open source so they can "audit" are dumb. Your app is Android, and Android is EXTREMELY easy to audit and decompile, especially with no obfuscation at compile time. With things like Android and .NET you can almost literally dump the source code for the app automatically, to the point that it basically compiles out of the box. Especially .NET.

What I would recommend, if you release an executable using native code, is to look into distributing debugging symbols. The private symbols contain function names, sometimes variable names, and all library calls, but not the source code. This means auditing is extremely easy, but stealing it is a bit hard. It also lets them run your stuff under a debugger extremely easily or make patches through instrumentation.


> I don't need the added burden of responding to issues and pull requests (and supporting the code they add).

I just state clearly in README that certain projects of mine are open source but not open contribution. This way people can follow development and modify things to their liking if they want to, but I don’t need to hear from them.

Of course don’t do it if you don’t want to see others repackage your stuff.


On Android, the potential downside (companies stealing your app under alternate names, bundling adware/malware, and even issuing fraudulent takedowns) outweighs the upsides.

Consider giving some trusted users in your community audit/demo access? The developer of the AetherSX2 emulator for Android worked with the PCSX2 team (open source parent software) and YouTubers/other established media in the emulation community to verify their claimed improvements and reputation. https://pcsx2.net/301-aethersx2-pcsx2-mobile.html


Somewhat of a hot take here, but why is this even a problem? Why would shitty clones with malware existing somehow damage the original app? Every open source app on Android has these problems, but they don't seem to affect the app's existence or reputation. And in the case of AetherSX2, the benefits of a transparent, community-driven mobile emulator certainly outweigh any risks it may have. The point is not to prevent these things from happening, the point is to have enough people showing support and contributions for your software that the clones with malware become something just not worth it to even care about.


> Why would shitty clones with malware existing somehow damage the original app?

Best case, you get angry emails. Hell, Daniel Stenberg of curl fame got “I will slaughter you” because someone bundled libcurl and included a copyright notice.[1]

Worst case, certain scammers are very good at pretending to be the real thing.

[1] https://daniel.haxx.se/blog/2021/02/19/i-will-slaughter-you/


That seems like a good compromise. I thought about looking for third party attestation services, but it would be a point in time snapshot and probably prohibitively expensive.

At the end of the day, the code is written in Go (highly reduced attack surface), doesn't need to be exposed to the internet (works fine locally or over a VPN), and functions perfectly fine with outbound internet access blocked (no phoning home or tracking). I built it the way I want self hosted software to work.


> On Android, the potential downside (companies stealing your app under alternate names, bundling adware/malware, and even issuing fraudulent takedowns) outweigh the upsides.

I don't have/use Android, so no dog in this fight, but I can say these things happen in pretty much every other non-niche platform: iOS, Windows, Mac. I've even had people cloning a VS Code extension I did.


When you say "Audit" do you mean in terms of security?

I was a penetration tester for a while and it was quite common for my clients to have customers who requested a security audit of their product. We would conduct the assessment and provide them with a letter that basically says we did an audit and we found x number of crit/high/med/low issues and then did a retest to verify that client fixed x number of crit/high/med/low issues. Might be worth a shot!

I know Mozilla has also done some similar stuff, but they normally release the entirety of the report. https://blog.mozilla.org/security/files/2021/08/FVP-02-repor...


There are always going to be some people asking for more. Your app is not open-source and you already have that. Don't open-source it if you don't want to, or don't allow issues/requests for the open-source version if you don't want to.

Understand that some people will avoid your app and look for something that is open-source, for various reasons. So they can be confident they'll never have to pay, so they can theoretically fix bugs and port to newer platforms if they need to, so they can be confident there is no underhanded reporting or remote-control in the software, whatever. When looking for something, I value and prefer open-source alternatives, myself.

But that's not everyone, and that's fine. You don't have to open-source your app.


How would you feel about an "open source contingency", i.e. this will never be abandoned, it will be open sourced instead etc? I think I could add it to the ToS, but it would be nice to have some kind of trust/foundation or something setup as "proof" etc.


If you want to allow audits but don't care about Open Source, just do a source available / shared source license like tarsnap.


Sure, but then I can't prevent forks or folks distributing custom builds unless I start doing DRM notices and litigation. It's infinitely easier to keep it closed source.


Legally you can, and practically do you really think people can't reverse engineer your stuff if they want? Alternatively: it sounded like you just didn't want to support it or deal with pull requests; do you care about unofficial unsupported builds?

Edit: And yes, just distributing binaries and not worrying is the least work; I just wanted to point out that you can have it both ways if you ignore "Open Source".


> Legally you can...

Sure, up until the point where you run into people in countries like China ripping off your products and get stonewalled in any attempts at IP enforcement. Alternatively, are you sure that you can really afford the legal expenses of pursuing such enforcement?

I've seen enough stories of indie game developers having their games stolen and re-uploaded under a different name to know that this is a problem that shouldn't be overlooked, though obviously it's worse in some industries than others.

> ...and practically do you really think people can't reverse engineer your stuff if they want?

No, most people cannot, and that's the extent to which it remains a good point.

You don't lock your door because you're worried about the one person in a thousand who knows how to pick it; you lock your door to deter the other 999 people who would go through it if it were not locked.

People talk a lot about obscurity not being security and so on, but to a certain degree it is, just like how changing your SSH port will prevent a number of automated attacks, even if port scanning is trivial otherwise.


Yes, I'm trying to build a brand and monetize the app via a SaaS offering for those who don't want to self host and "cloud features" for those who do.


Okay, so it's not "I didn't see a benefit to having it OSS aside from appeasing some OSS purists. The app is already free, and I don't need the added burden of responding to issues and pull requests (and supporting the code they add)." It's "I don't want to open source it at all". Which is fine, just say that instead of bringing up support burden.



