[liberationtech] [Re: was Secure hosted mail, now: VaultletSoft]

Jacob Appelbaum jacob at appelbaum.net
Wed Feb 29 10:40:20 PST 2012


On 02/27/2012 11:43 PM, R. P. Ruiz wrote:
> Heyall,
> 
> It's late, so I can't even begin to address Jacob's earlier
> substantive comments (maybe this weekend when I come up for air),

No hurry, I guess. I was merely replying to Robert's request and I felt
it reasonable to tell you whatever I thought.

> nor
> can I muster up even an iota of umbrage to your well written but
> mildly hyperbolic statements of principles.
> 

Uh, thanks, I guess...

> I can say however, that I *do* understand what you're getting at, w/o
> necessarily agreeing with your comments about the NDA (like I said,
> it's late, I'm burnt out and bone tired).  The simple explanation is
> that the NDA's a direct lift (based on lawyer's advice) of PGP's
> source code review license.
> 

Understood.

> Now, whether you like PGP's source code review license is, of course,
> your choice.  And NDAs, all opinions aside as to whether you like
> them or not, are a part of most people's understanding of how
> olde-school for-profit companies work/worked.  Enough of that.
> 

Well, we also have had decades of free licenses - PGP is not horrible
but it is not a gold standard in this community.

> Now, here's a part of the story that you're probably not familiar
> with: I've been wanting to create an open source version of the
> entire stack for years now, and haven't been able to find *anybody*
> interested in helping to shoulder the burden (See this announcement
> from December 2009:
> https://www.vaultletsoft.com/about/project-autonomy.html)  The
> response to the community of users I served, along w/ others in the
> NGO/HRD world was, not to put too fine a point on it, insanely
> underwhelming - they simply wanted to use it, not participate in
> creating it.
> 

I'm not too surprised that non-technically inclined folks, be it
non-developers or others, did not care very much about development
process or licensing. While I think they should care, I think that their
lack of caring does not matter very much, their expertise is probably in
other areas. A human rights reporting org wants to do human rights
related work and they don't consider software development process as
part of that world. I guess RMS and others would disagree but I get why
they might not see the connection right off.

They are not the people who will participate in development or as a
subtask, a security audit, of the software. They at best may involve
themselves in funding such a project.

> So while I haven't done anything w/ it along those lines, I'd still
> be happy to do so  - as long as others are willing to do some of the
> heavy lifting too.
> 

That's great to hear. It is entirely unclear from your website that you
have any such interest - there is a lot of work in creating a community.
I think it's hard to convince others to do that heavy lifting when they
don't understand the benefits - what is the benefit to the world? What
is the benefit to them?

If your community right now is just you, I think you'll have to make the
code free software and recruit people to the task.

> Know anybody who'd be interested, 

I would be surprised if no one was interested.

> or is all this talk about
> principles just shorthand for "not invented here/not really
> interested/too busy w/ other things"?
> 

You're not a free software project. The NIH theory doesn't apply as far
as I can tell. I don't run non-free software in security critical
situations. I try not to use protocols and systems that lack a spec or
peer-reviewed publications. Sometimes it is not possible; with email or
messaging, I think we're well beyond that point.

> Really, at this point guys, it's okay to not be interested for
> whatever reason - I'm too tired to argue about it (kind of like
> Madeline Kahn in Bride of Frankenstein).
> 

One mailing list is not a good way to measure interest. This isn't even
a development mailing list - it merely has a few people who do some things.

> If, on the other hand, you see the value of releasing and maintaining
> a completely Free and Open Source version, then let's do it.
> 
> I'm off to bed,

The value is twofold. First, free software is easier to view and audit
- as you can see, I already looked but I stopped because of the NDA
concerns/lack of source. Second, people who have an interest *for any
other reason* have basically zero barrier for entry.

I encourage you to make your project free software because it is very
aligned with the goals of the free software movement. I'd be more than
happy to look at it when it is without an NDA gag and when my review
benefits the entire world by being free software.

All the best,
Jacob


