Interesting gig alert:

OpenITP is looking for a researcher to examine and report on circumvention technology usage in China (the project will later expand to more of Asia).

Interested? Consider applying! Also please feel free to repost this anywhere you think appropriate — & retweet / redent.


Circumvention Tech: (noun) Technology, including software tools, designed to help people circumvent censorship and surveillance by state and non-state actors.

A modest proposal:

Give mobile device users the option to see which apps are open source, when browsing in app stores, and the option to know that the open source app they’re installing was actually built from the publicly-accessible source code it claims to be built from.

Right now, when an app is labeled “Free”, you have no way of knowing whether that means “no fee to download” or actually means “open source” [1]. Usually it’s the former, but not always. For example, in Android-land’s default online app catalog, Google Play, here is what “Free” looks like:

The Google Play Store, with the open source badge option turned off.

Which of those are open source? How would you tell?

But if there were an option in Settings, to display the OSI logo for apps distributed under OSI-approved licenses, then it would be easy:

The Google Play Store, with the open source badge option turned on.

The setting wouldn’t have to be the default (although it’d be great if it were). Those who care can turn it on, and they’ll see the OSI-approved badge next to apps that are open source. Maybe touching the logo could take the user to more information, such as a page showing the specific license, the app’s home page, the exact version of the source code and the build configuration that would be behind the app that gets downloaded if the user clicks “Install”, etc.

Why do I care?

I strongly prefer to install open source apps on my Android devices. When software is open source, I know it will always be maintained as long as it has a user base, and that no one can ever shut it down or take it away. This makes me much more willing to depend on it and invest time in learning it. Because I know other parties are making the same calculation — especially vendors who can provide third-party support — there’s a positive feedback loop, a virtuous circle that ensures I will never be p0wn3d by someone else’s monopoly over the code that runs on my devices.

Furthermore, from a security and trust perspective, in many cases I’d like to be able to know that the app I’m installing is directly derived from the published source code. Although open source is no guarantee that the code has been vetted, it raises the chances that the code has received some scrutiny, and it at least enables people to take responsibility (or outsource responsibility) however they want to, instead of leaving them in the position of simply hoping that an app has not been maliciously rigged.

Before app stores came along, figuring out whether software was open source was pretty easy. You could look at its documentation, visit its web page, ask your operating system’s package management tool, simply make sure to obtain it from sources known to provide only open source software [2], etc.

So the question “Is this open source?” was generally easy to answer, as were the related questions “If it’s open source, where’s the development site? Where’s the bug tracker? Where’s the development community? Where can I get third-party support?”

But mobile app development culture isn’t there yet. I think there are two main reasons for this:

First, app developers have only partial control over how their apps are presented to users: presentation is now centralized in the app stores, so the store admins determine a lot.

Second, the app store way is that users pay a small fee (sometimes zero, but often in the $1 to $5 range) for downloading an app, and the stores haven’t yet made it easy for people to pay that fee even for apps clearly labeled as open source. Depending on how you look at it, the fee would then be either a donation, or a convenience fee instead of a license fee. It could also have a set-your-own-price option, so that the app developers don’t have to decide in advance what people are willing to pay. In any case, there’s no reason open source developers shouldn’t have a chance to make it easy for users to send them money (and yes, people really will) — it’s just that the app stores haven’t provided a mechanism for it yet, because they’re not yet distinguishing between “no fee required” and “freedom”.

The ability to at least see open source would be a good place to start.


[0] Disclaimer: I’m a former director at the Open Source Initiative, but in this post am speaking only for myself. I think this might be an interesting idea for the OSI to push for, though! Comments welcome.

[1] In this context, the term “open source” is synonymous with “free software”.

[2] The Debian GNU/Linux operating system makes this particularly easy, by providing open source packages by default, offering non-open-source ones via a clearly-labeled alternate route, and offering vrms so you can get a licensing report at any time.

Dear Lazyweb,

I want to buy some online data storage.

I don’t want to have to learn any new APIs for accessing my storage. I already know how to interact with files in a computer filesystem, so I’d like to just access my cloud storage that way. In other words, I want to buy a networked mount point with a designated amount of storage behind it, where I’m charged based either on the amount of storage reserved or on the amount used, I don’t care which. It’s okay if it’s slow: we can copy data to faster local disk when we’re working with it. I just want a place to put large amounts of data, a place that’s backed up by someone who’s paid to back it up, such that it’ll be easily accessible to programs running on a server.

(Actually, in an ideal world I want to find two such offerings, so I can use them both and have one be a backup of the other, for organizational redundancy in our backups.)

I would have thought this service would be completely commoditized by now, but apparently not — or, possibly, I’m just not searching for it the right way.

I’ve been looking at Wikipedia’s Comparison of File Hosting Services, and maybe one of those will turn out to be it. I also had a conversation about using Ceph to do this, in the #ceph chatroom on the OFTC IRC network (many thanks to the people there who responded to my questions). Word there is no one’s offering this yet with Ceph, though it might be an offering in the future.

Any ideas?

Another highlight of OSCON:

The release (w00t!) of Ben and Fitz’s new book, Team Geek: A Software Developer’s Guide to Working Well With Others:

Team Geek (cover)

Their talks on How to Handle Poisonous People and The Art of Organizational Manipulation are already famous. In fact, I tried to attend the latter at OSCON, but was turned away at the door because the room was already too crowded and was in danger of violating fire regulations — which gives you a sense of how much people want to learn what they have to teach.

Now they’ve written a whole book on “people for geeks”. Things I’m going to start paying more attention to:

  • Avoid the “compliment sandwich” (pp. 74-75). (I guess for metaphorical consistency it should be called a “criticism sandwich”, since a “roast beef” sandwich is not a slice of bread between two pieces of roast beef. Whatever. Just read about it.)
  • Track happiness (p. 76).
  • Look for facts in the bile (p. 96) — particularly useful in technical projects.
  • “Offensive” vs “defensive” work (p. 117).
  • Leave time for learning (p. 20).
  • Why you can’t ignore marketing (pp. 130-133).

Order it directly from O’Reilly Media here.

And Fitz, I’m sorry for being such a clod when we were working on cvs2svn (pp. 20-21, though you didn’t say it that way of course). I got better, I promise.

Update 2012-08-02: Thanks Brian Fitzpatrick, Jim Blandy, Jen Mankoff, Roland McGrath, Justin Erenkrantz, and Noah Friedman for congratulating Bradley by donating to the Conservancy after reading this post. Other readers who join them, please let me know!

I hesitate to call it a “mini”-campaign… might that be too limiting? Let’s see how far it can go!

Last week, Bradley M. Kuhn, the Executive Director of the Software Freedom Conservancy, received a very well-deserved 2012 O’Reilly Open Source Award.

A number of us are celebrating this by donating $25 USD each to the Conservancy, which does terrific work mentoring free and open source software projects, helping them raise funds, manage assets, negotiate contracts, put on conferences and developer gatherings, etc. The Conservancy does this all with extreme efficiency — a donation to them is a donation where every dollar counts.

Software Freedom Conservancy
Portrait of Bradley M. Kuhn

Has the Conservancy helped you or your project? Has it helped a project that you directly or indirectly depend on? (Hint: the answer to at least the latter is probably “Yes”, even if you don’t know it.) Then please join us in congratulating Bradley, by donating today!

Mac Slocum of O’Reilly Media interviewed me last week at OSCON 2012 about open source software in the U.S. government — I enjoyed the conversation a lot:

It ties in with the presentation Gunnar Hellekson of Red Hat and I gave the next day:

US Government v. Open Source: A History and Lessons Learned
(slides available there)

which in turn was based on Gunnar’s amazing timeline of open source in the U.S. Government.

Identica, Twitter, and similar services tell you how many people are “following” you. Of course, it just means “are subscribed to you” — it’s not like they’ll follow your orders or something. Though I haven’t tested that hypothesis.

Anyway, let’s call that number F.

Now, I wonder if any services present an interesting (and in some situations perhaps more useful) variation on that number:

  R == the sum of X over all of one's followers, where for each follower,
       X == 1 / the total number of people that follower is following

Then, for any given person on the service, I want to see R and F together, and I wonder if the ratio R/F would vary wildly. I think it might :-).
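As an added example (my own code, not part of the original post), here is the R and F computation above run over a small constructed follow graph with hypothetical account names; it shows how one follower who follows a hundred accounts barely moves R while counting fully toward F:

```python
"""Compute F (follower count) and R (sum of 1/following-count over followers)."""
from collections import defaultdict

# Constructed sample data: FOLLOWING[u] is the set of accounts u follows.
# Account names are hypothetical, not real users.
FOLLOWING = {
    "alice": {"karl", "bob"},
    "bob": {"karl"},
    "carol": {"karl", "alice", "bob", "dave"},
    # dave follows karl plus 99 throwaway accounts, 100 in total
    "dave": {"karl"} | {f"spam{i}" for i in range(99)},
    "erin": {"alice"},
}


def followers_of(graph):
    """Invert the following map: for each account, the set of accounts following it."""
    inv = defaultdict(set)
    for user, followed in graph.items():
        for target in followed:
            inv[target].add(user)
    return inv


def f_score(graph, user):
    """F: plain follower count."""
    return len(followers_of(graph)[user])


def r_score(graph, user):
    """R: each follower contributes X = 1 / (number of accounts that follower follows).

    A follower of `user` follows at least `user`, so the denominator is never zero.
    """
    return sum(1.0 / len(graph[f]) for f in followers_of(graph)[user])


def r_over_f(graph, user):
    """The ratio R/F, or 0.0 for an account with no followers."""
    f = f_score(graph, user)
    return r_score(graph, user) / f if f else 0.0


if __name__ == "__main__":
    for who in ("karl", "alice", "bob"):
        print(who, f_score(FOLLOWING, who), round(r_score(FOLLOWING, who), 4),
              round(r_over_f(FOLLOWING, who), 4))
```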

It’s happening, right on schedule:

First the Stop-and-Frisk Watch app was released, to help citizens monitor the New York City Police Department as it implements its policy of stopping people in the street for melanin possession. But even though it’s a public-interest app, Stop-and-Frisk Watch wasn’t open source.

Now the ACLU has released the Police Tape app, which has very similar functionality, and is intended to be used by motorists being pulled over by the police. (As a conservatively-dressed white guy driving a 1994 Honda Accord LX, this never happens to me — but again, many sources report that I could reliably attract more police attention by carrying a larger quantity of melanin when I travel, if I really wanted to.) Police Tape is also not open source.

Two public-interest apps, very similar in purpose and functionality.

Could they share code? Could the developers profit by talking to each other in open source forums? Could some third party come along and notice commonalities between the two code bases, and even unify them into a common code library that other public service organizations could use to build similar apps?

Hard to say, without the code being released under an open source license.

Public-interest app developers: please, please make your code open source! It’s easy. It’s important. I’ll help you do it. Seriously.


Circumvention Tech: (noun) Technology, including software tools, designed to help people circumvent censorship and surveillance by state and non-state actors.

Yo, circumvention tech hackers! And if you read my blog, there’s a greater-than-average chance you are one, or could play one on TV…

The Open Internet Tools Project, in conjunction with the FreedomBox Foundation, InformSec, and ISOC-NY, is hosting a circumvention tools hackfest in New York City in just a few weeks:

When: July 9 – 12, starting at 10am
Where: Columbia Law School, Jerome Greene Hall, 116th and Amsterdam
Who: Privacy and communications-freedom hackers like you
What: Your project — whatever you’re working on that would benefit from an in-person gathering or direct feedback from others in the circumvention tech field.

Four days to plan, code and learn! If you want to hack on anti-censorship or anti-surveillance tools, bring your project, bring your skills and bring your friends. This event will be focused on writing code and solving design problems. There won’t be long presentations, though there will be some lightning talks and we may give away a door prize or two.

It’s taking place right before HOPE, to make it easy for people who are coming to HOPE anyway to also attend the hackfest.

Please RSVP to Dragana Kaurin <kaurin {_AT_} openitp.org>, with a brief description of what you’d like to work on, what kind of projects and people you hope to meet, and which days you’ll be attending. (Modest travel stipends are available for amazing projects — email James Vasile <james {_AT_} openitp.org> for more.)

Some projects we know are attending:

Please feel free to forward / repost this invitation, of course, and to redent or retweet.