Half-Elf on Tech

Thoughts From a Professional Lesbian

Tag: freedom

    Open Source Doesn’t Mean Public

    Someone made a vague implication that my post about licenses was shots fired from someone who doesn’t ‘do’ but is only an ‘observer.’

    This is quite inaccurate, though I don’t blog about it here and I don’t talk about it anywhere for one simple reason. I can’t. I signed a paper, years ago, that agreed the work I did for them would be private. I would neither reuse the code (which I can’t anyway) nor would I discuss it. In fact, I had to make a phone call to ask if I could blog about it in general. I understand why someone might assume I’m not speaking from experience, but that just makes an ass of you and me.

    This isn’t about me refuting or dismissing allegations from someone who, for whatever reason, dislikes me and likes to make their hate public. No, this is about the interesting predicament about what happens when you can’t release information about your code.

    Half Open

    Here’s your scenario. The front end is an open system, a plugin say, that one installs on WordPress. It’s GPLv2 (or later) compatible because it’s distributed code I want to put on WordPress.org. That right there is a requirement. Alright, so I have one half of a product that is GPL and Open Source. The other half lives on a server somewhere in the world and does all the backend work. The plugin? It just passes API data to and fro as needed.

    I just described Akismet.

    You and I know very little about how Akismet works on the backend. And here’s the thing, that’s how it should be. We have a lot of information on how to interact with the Akismet API but none about how it actually calculates what is and isn’t spam on the back end. I repeat – this is the way it should be.

    Look at what Akismet does. It magically identifies spam. While it’s all well and good to be open source, the very first thing that would happen if they opened up all their code is we would see spammers read it and subvert it.

    But then again, we have things like SpamAssassin, an open source product I use on my email servers. Does this mean SpamAssassin is too dangerous to use? Does it mean it should be avoided? No, absolutely not! While it’s far from perfect, SpamAssassin does a phenomenal job at catching and stopping spam. But at the same time, it’s imperfect and, being public, it’s more likely to be subverted by clever spammers. Thankfully the things it checks for are parts of email that a clever server admin can protect against and, all in all, it’s useful.

    Half Closed

    If we accept the fact that having a code base open or closed actually has very little impact on its usability, then why do we lock down our systems? That’s easy. Security and profit.

    Profit is the easy answer. If a system is closed then you can’t download it and install it for yourself. This means if you want to use it, you have to pay. Again, we can look at Akismet and VaultPress, which I would wager actually are built on open source code, as examples. They don’t have to be free, after all. There’s nothing wrong with being closed, either.

    By making a system a closed system that no one sees the backend code for, we create a product where only people who have access to the source code can easily infiltrate. This, of course, offers no assurance that it will never be hacked; it only raises the bar and makes it harder to deal with when it does get hacked. But at the same time, it is harder to hack an unknown than a known, and it does make things somewhat safer.

    Of course, if I told you all the ATM code in the world was not only open source but freely distributable and it was out there right now, how would you feel? That probably filled you with a little dread, thinking about how much trouble we already have with card skimmers and ATMs. If we have people who already know how to jack in, how much worse could it be if they knew how to encode software into the fake cards they make, and use them to backdoor your accounts?

    Have Your Cake And Eat It Too

    Just because the code you work on is open source doesn’t mean you can talk about it in public. Just because the code is closed doesn’t mean you can’t.

    I’m not talking about licenses here, though, I’m talking about contracts. I signed a paper about certain code I’ve written that prevents me from discussing it. So while I’d love to tell you everything about everything I’ve worked on, I can’t. But that’s not a bad thing. I’ve been privileged to work on the open and the closed, and it’s given me a greater appreciation and understanding of when we should and shouldn’t open our work. And this comes down to understanding the nature of the risks involved.

    Things like ATMs, financial trading, and mortgages should be secured and private. Why? Because the risk is much too high. A license? Well a worst case scenario is that someone figures out how to backdoor a free license for themselves. Another is they figure out how to use someone else’s license to gain access to their information. Those are pretty bad. So if you want to make your license API open but the code behind it not, I support that call.

    But. I do think you should have a way to manage your licenses and updates. That’s just business sense.

    GPL Isn’t Protecting You

    Some days I know my plugin reviews are going to wreck me. January has had a lot of complaints from people about aspects of the GPL. Specifically they wanted to know how to protect themselves with the GPL.

    The truth is the GPL is not protecting anything except the right of the next guy to take your code and do stuff with it. And that terrifies people.

    I’m not entertaining a discourse on the merits or legality of the GPL here. Those comments will be deleted. Simply put, a requirement of the WordPress.org repositories is that to be hosted there you must be GPLv2 (or later). At that point, every other argument is moot. Your code has to be GPLv2 to be in the repositories. End of story.

    Okay. So what’s there left to discuss about protecting yourself and your code? Three things: Trademarks, copyright, and theft. Here we go.

    Trademarks

    GPLv2 doesn’t protect your trademark, but that doesn’t mean your trademark isn’t protected. While any image you put in your WordPress theme or plugin has to be given as GPLv2 compatible, that doesn’t void your trademark. A freely offered image that is trademarked (say, the WordPress logo) can be used in your plugin, but it comes with restrictions after all. The inclusion of the SVG of the logo in GPL code doesn’t change that.

    One of the things that changed between GPLv2 and GPLv3 was related to this. Remember, GPLv2 allows all code that does not include any restrictions that were not already in GPLv2. As long as a license was as free (or freer) than GPLv2, it was deemed to be GPL-compatible (see the WTFPL). The issue with that is some licenses were very easy to comply with but had clauses like you couldn’t use certain trademarks. This caused confusion, as it was read as a restriction. The thing was that it wasn’t! Regardless of what the license said, you never had permission to use the trademark.

    This is good for companies. You can trademark your logo and, if someone takes it and redistributes a fork with the logos still in it, they’ve violated trademark law. And you can protect yourself there. I suggest you read Joomla’s post on the matter of Trademark protection to get a better idea of how it all works.

    Copyright

    Copyrights are another thing that the GPL doesn’t protect. Except it does.

    GPLv2 and GPLv3 are both copyleft:

    To copyleft a program, we first state that it is copyrighted; then we add distribution terms, which are a legal instrument that gives everyone the rights to use, modify, and redistribute the program’s code or any program derived from it but only if the distribution terms are unchanged. Thus, the code and the freedoms become legally inseparable.

    What does that mean? Your copyright is yours. By the act of writing code, you own the copyright (with some exceptions, like if you’re hired to write the code). When you contribute code to an open source project like WordPress, you STILL retain the copyright unless you give it away, but the license is whatever the project’s license is. Most of the time this is fine, but as I recently saw with Hugo, this can be problematic when a project wants to change their license. Hugo had to get permission from every single person who had contributed.

    This is, by the way, why WordPress will probably always be GPLv2.

    One way around this is to require everyone to waive their copyrights in order to contribute. I believe DotNuke did this. Whoever owns the copyright, if the code is still licensed in a way that allows for free distribution then nothing’s really changed. The code is still open.

    Of course, then there’s what the jQuery Foundation does with their Individual Contributor License Agreement: in order to contribute to jQuery’s code or website, you have to sign that and provide a valid email. This gives them a way to contact everyone and also makes sure you understand what you signed up for. WordPress just has a checkbox when you submit your code to remind you that you’ve given it up.

    If you’ve ever looked at the jQuery Foundation License, you may have noticed this line:

    You are free to use any jQuery Foundation project in any other project (even commercial projects) as long as the copyright header is left intact.

    This is not imposing a restriction more than GPLv2. See the bit in trademarks. Legally you had to do that anyway, they’re just reminding you not to be a tool and leave this simple line in:

    • Copyright jQuery Foundation and other contributors

    I bark at developers a lot for removing the license headers from javascript files. Don’t do it. You’re violating copyright and, if the original devs complain, you’ll lose your code until you fix it. Which is the point here. Copyright exists beyond GPL, so the fact that it doesn’t actively protect it doesn’t make it not enforceable.

    Theft

    I don’t mean legal here.

    A lot (a lot) of people argue that their plugin should be able to be encrypted or obfuscated to make it ‘harder to steal.’ I hear that about once a week, if not more. And my answer to all of them is “Not if you want to be hosted on WordPress.org.” WordPress.org has an ‘above and beyond’ understanding of the idea of distribution and allowing people to edit. It’s felt that the spirit of GPL means your code should be easy for someone to read and fork.

    I said a dirty thing there, I know. The ‘spirit’ of the GPL is probably causing some of my friends to roll their eyes so hard they’ve got migraines. Sorry about that. But it really is the one time I use it. When I say the ‘spirit’ I mean the intention of the license and its application to WordPress.org’s repositories only. Right or wrong, agree or disagree, it’s straightforward. If you want to have your code in the .org repos, it’s gotta be human readable.

    There’s a simple reason for this. The GPL Copyleft is all about freedom and keeping that freedom alive. The Copyleft says that anyone who redistributes the software, with or without changes, must pass along the same freedom to further copy and change it. In order to allow people to change the code, we want it to be human-readable. We want people to be able to look at your code and say “Oh I understand how this works. I will improve it!” When you take away, or overly complicate their ability to do that, we feel you’re intentionally impinging on that freedom. You’re trying to find a way around it, basically.

    About the only time I’ve heard someone not claim they were smushing the code up to protect it from being stolen is when someone has smashed their javascript into a p,a,c,k,e,d() type compression file. I actually hate those files. Javascript is hard enough as is! Stop making it harder. Plus I need to tell you something really important.

    While minifying your javascript will improve a website’s performance by decreasing the load time, it doesn’t make it run any faster for the majority of code out there. Of course there are situations (large libraries or limited devices) where this is not the case, but trust me here. Your 7 line javascript is not going to be significantly faster just because you compressed it. I advocate using the .min version of common libraries, but unless your code is huge, leave it alone and let other people see how to edit it.

    Bonus: Distribution

    GPL comes into play when your code is distributed. If I put my code on my server and never give it to anyone, it’s not been distributed so licenses don’t really matter. As the GPL FAQ explains:

    But if you release the modified version to the public in some way, the GPL requires you to make the modified source code available to the program’s users, under the GPL.

    It’s the big if there. What constitutes distribution? Is your browser downloading a javascript file in order to run my site distribution? Is handing you a zip file distribution?

    I always recommend people play it safe.

    OpEd: Community, Community, Community

    Lately there has been a lot of talk about the issues within various communities. It might be the shit storm over in Reddit land, it might be the drama in WP World. It doesn’t actually matter for the purposes of this post.

    Poisoned Well

    As my friend Helen asked recently:

    Do you ever feel like the entire internet has been taken over by trolls because I feel like I’m drinking from a poisoned well right now.

    I do.

    All the time. Always have. People have always used the internet as a way to let out what they’re feeling without filtering it through their humanity first. They hide behind anonymity, or the simple shield that they can’t see the faces of the people they bully and humiliate. They see it as ‘just good fun’ or ‘just letting things out.’

    My friends know I feel that way too. But I always ask them “Can I be unfiltered? I need a rant.”

    The Internet Is Broken

    What we’re facing is the endemic brokenness of communities as a whole and their sewage spewage.

    As my friend JJJ remarked (specifically about a subject but it doesn’t really matter for the purposes of this post):

    … I’m waiting for a “things are broken” post …

    J-trip, I know I’m not the person you’re asking for the post from but, yes, things are broken. Things are badly broken. Things have always been broken. We’ve always been at war with Eastasia. Things are broken because we, as humans, are broken. The online communities we tout as being fundamental to the growth of software development and that bind us together, closer, as humans, are broken because humans suck.

    What’s broken isn’t PHP or Reddit or WordPress.

    What’s broken is us.

    And we remain broken because we don’t fix things.

    Let’s Fix It

    Fixing isn’t easy though.

    Unlike your ‘in person’ community, an online one is incredibly diverse.

    At the same time, we need to stop giving it a free pass simply because it’s online. Treat it with the care and love you would treat the people who come together to shoot arrows or sew or watch a baseball game. This is a community and we need to treat it like that.

    Remember that what we do in public, and yes the Internet is totally public, reflects on who we are because it is who we are. Behave with integrity and honesty and be yourself. If that self reveals itself to be a bad person who does mean things and doesn’t care about the outcomes, then deal with the outcomes.

    Stop pretending that there are no repercussions just because you’re online. Stop thinking that you can get away with being mean just because it makes you feel better. Start caring about people as people, online and offline.

    And then there’s the hard thing. Stop letting people get away with it. We all fear the cry of censorship, but there will come a time when we have to stop killing ourselves. It’s our choice to keep the hatemongers among us, and it’s our choice to tell them to change or leave.

    Make the right choice.

    Mailbag: What’s The Diff?

    How do you compare two plugins to see if one’s a fork or stolen? What’s the difference between a fork and a clone?

    Sometimes people like to ‘steal’ plugins. This normally happens when someone takes a premium (purchase only behind a firewall) plugin and attempts to give it away for free on WordPress.org. They tend to violate copyright when they do that, but also it’s just not a cool thing to do and I find it distasteful.

    Often we catch these since people who steal like that aren’t always very smart and we recognize code that is generally well known and popular. But more often we don’t catch it because CodeCanyon has 3400+ plugins and WordPress.org has 37k+ and that’s a lot to compare and remember. And that’s when we get an email from a plugin developer who says “So and so stole my work!”

    What do we do? We ask them for a copy of their code, in a zip, and say we’ll compare. Most developers are happy to do that. We’re a trustworthy lot, otherwise we wouldn’t be on the plugin team (yes, being a good, moral, and ethical person is very important). Once I have the zip, I download the claimed-clone and compare them line by line.

    Well. Not really.

    My toy is DeltaWalker.

    With DeltaWalker I can compare two zip files without having to open the zips and look at each line. In the below example, I’ve got Akismet 3.0 vs 3.1.1 and I can see every single change just by tossing the zips in as files to compare:

    DeltaWalker Example: Akismet 3.0 vs 3.1

    DeltaWalker is so good, it helps me compare the readmes so I can easily see that someone has just fiddled with the original and not written their own.

    What I look for is code style, formatting, and naming conventions. Rarely do two separate individuals use the same code formatting (tabs vs spaces vs tabs+space etc), so seeing their additions will jump out. Similarly, the code style, their internal logic, is often wildly different. Same with naming conventions.

    When you look at it, it will jump out at you that generally all anyone does is rename functions or classes. They remove credit and copyright information too, and sometimes they mess with the help docs. Rarely do they add anything of substance. If they do then it’s a legit fork and we’ll push them to restore credit and copyright information.

    But since it’s generally not, we will quickly see that the plugin is a direct, no feature added, copy, and remove it.
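The review described above (compare the two archives, then look past re-indenting, renamed prefixes and stripped headers) can be scripted for a first pass. The following is an added example written for this post, not DeltaWalker and not the plugin team’s own tooling. It builds two in-memory zip archives from constructed sample sources (hypothetical “Example Widget” and “Super Widget” plugins), computes a raw line-diff similarity, then a similarity after comments are dropped and every identifier is alpha-renamed in order of first use, so `ew_register_widget` and `sw_register_widget` compare equal when they are used the same way. It also recovers the rename map and flags a removed copyright notice. The thresholds in the verdict are assumptions for illustration, not repository policy.

```python
"""Constructed example: compare two plugin zips the way a reviewer would,
cancelling the cheap disguises (re-indenting, renaming, stripped headers)."""
import difflib
import io
import re
import zipfile

# Constructed sample sources for two hypothetical plugins (not real ones).
ORIGINAL_PHP = """<?php
/*
 * Plugin Name: Example Widget
 * Copyright (c) Original Author
 * License: GPLv2 or later
 */
function ew_register_widget() {
\tregister_widget( 'EW_Widget' );
}
add_action( 'widgets_init', 'ew_register_widget' );
"""

CLONE_PHP = """<?php
/*
 * Plugin Name: Super Widget
 */
function sw_register_widget() {
    register_widget( 'SW_Widget' );
}
add_action( 'widgets_init', 'sw_register_widget' );
"""

# Keywords are left as-is so that only user-chosen names get renamed.
PHP_KEYWORDS = {"function", "return", "if", "else", "foreach", "as", "class",
                "new", "echo", "true", "false", "null", "array"}
TOKEN_RE = re.compile(r"[A-Za-z_]\w*|\S")
IDENT_RE = re.compile(r"[A-Za-z_]\w*$")


def make_zip(files: dict) -> bytes:
    """Build an in-memory zip so the example runs without files on disk."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, text in files.items():
            zf.writestr(name, text)
    return buf.getvalue()


def php_sources(zip_bytes: bytes) -> dict:
    """Return {member path: source text} for every .php member of the archive."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {n: zf.read(n).decode("utf-8")
                for n in zf.namelist() if n.endswith(".php")}


def strip_comments(src: str) -> str:
    """Drop block comments and line comments; headers live in comments."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", src)


def raw_tokens(src: str) -> list:
    return TOKEN_RE.findall(strip_comments(src))


def canonical_tokens(src: str) -> list:
    """Alpha-rename identifiers: first new name -> ID0, next -> ID1, ...
    Whitespace is gone (tokens only), so indentation style no longer matters."""
    names = {}
    out = []
    for tok in raw_tokens(src):
        if IDENT_RE.match(tok) and tok not in PHP_KEYWORDS:
            tok = names.setdefault(tok, f"ID{len(names)}")
        out.append(tok)
    return out


def similarity(a: list, b: list) -> float:
    return round(difflib.SequenceMatcher(None, a, b).ratio(), 3)


def renamed_identifiers(orig: str, clone: str) -> dict:
    """Where the canonical streams line up, pair raw tokens to recover renames.
    raw_tokens and canonical_tokens are index-aligned (one output per token)."""
    ro, rc = raw_tokens(orig), raw_tokens(clone)
    matcher = difflib.SequenceMatcher(None, canonical_tokens(orig), canonical_tokens(clone))
    renames = {}
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag == "equal":
            for a, b in zip(ro[i1:i2], rc[j1:j2]):
                if a != b:
                    renames[a] = b
    return renames


def compare_plugins(orig_zip: bytes, clone_zip: bytes) -> dict:
    orig = "\n".join(php_sources(orig_zip).values())
    clone = "\n".join(php_sources(clone_zip).values())
    canon = similarity(canonical_tokens(orig), canonical_tokens(clone))
    added = len(canonical_tokens(clone)) - len(canonical_tokens(orig))
    return {
        "raw_line_similarity": similarity(orig.splitlines(), clone.splitlines()),
        "canonical_similarity": canon,
        "tokens_added": added,
        "copyright_removed": "copyright" in orig.lower() and "copyright" not in clone.lower(),
        "renamed": renamed_identifiers(orig, clone),
        # Assumed thresholds for illustration only: near-identical structure
        # with nothing of substance added reads as a straight copy.
        "verdict": "direct copy" if canon >= 0.9 and added <= 0 else "possible fork",
    }


if __name__ == "__main__":
    report = compare_plugins(make_zip({"example-widget/example-widget.php": ORIGINAL_PHP}),
                             make_zip({"super-widget/super-widget.php": CLONE_PHP}))
    for key, value in report.items():
        print(f"{key}: {value}")
```

The raw line diff looks unconvincing because indentation and the header changed; the canonical comparison comes back identical, the rename map shows exactly which prefixes were swapped, and the missing copyright line is called out. A real review would still read the code, as the post says, but this gets the obvious cases onto the desk quickly.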

    If this happens to you, if your plugin is ‘taken’ and duplicated without any code being added, email pluginsATwordpress.org with a copy of your original plugin (and a link to perhaps prove it’s you) and we’ll look at it. If you get an email where we tell you that your plugin is a copy, take a moment to review your code and feel free to talk with us about it. A ‘one line’ change actually MAY be acceptable as a fork, but it’s rare unless it’s adding in a massive feature, or totally changing functionality.

    Above all, remember this:

    Despite the fact that all plugins in our directory are licensed under the GPL or compatible licenses, we do not allow direct copies of other plugins to be re-listed under somebody else’s name. “Forking” is acceptable only when the resulting fork is of a substantial nature, or when the original plugin is no longer updated or supported.

    Always try to contribute back to the original plugin’s authors if you wish to make improvements to the original plugin, instead of creating an entirely new version and thus creating incompatibilities and duplicated code in the repository.

    Alternatively, write your own plugin to perform the functionality you want to have, drawing on ideas from the original. Ideas can always be copied.

    Mailbag: A Case Against (Part Of) Jetpack

    You told me to try Photon, but I noticed you’re not using it on all your sites. What gives?

    When people ask me how to speed up their sites for images, I often recommend Jetpack for the CDN boost. It’s a double-edged sword, though. While Photon does two things amazingly well (resize images and put them up on a CDN), it’s hosted on wp.com which means I can’t use it.

    What? Why not? No, it’s not that I have something against wordpress.com, it’s that other people do. Like China, Pakistan, and Turkey.

    The list is probably longer. But those places, among others, block WordPress.com, which means every module of Jetpack that phones home (stats, photon, tiled galleries, LaTeX, related posts, etc) cannot be active on my sites that have a large enough user base in those places. When I leave those Jetpack features on, the site grinds to a halt for them, which is a terrible experience for my (often non-technical) users.

    Now that said, I do still use the stats plugins on all my sites with Jetpack. It’s a pretty safe loader to run, and it doesn’t slow the site down terribly (see Issue #566 for the code magic). Photon on the other hand I had to disable entirely because my poor users in China were complaining they could see nothing. I can live with a little delay for loading. I can’t live with an image heavy site not working.

    So should you use Photon? Yes! Unless your visitors are blocked by WordPress.com.

    Why I (Still) SelfHost

    The other day I saw the notice that Google was banning all explicit adult content from blogger.

    Outside of the irony of remembering when the post’s author (Violet Blue) had her content deleted from Boing Boing back in 2008, she’s actually pretty uniquely qualified to talk about the difference between censorship and removal. For the record I think that it’s a pretty crappy thing to do and I don’t like it. But as I often say, my beliefs are pretty straightforward:

    I do not agree with what you have to say, but I’ll defend to the death your right to say it. ~ Voltaire

    Is It Censorship?

    Let’s be clear on this. The change to Blogger’s Adult Content Policy is pretty straightforward.

    Starting March 23, 2015, you won’t be able to publicly share images and video that are sexually explicit or show graphic nudity on Blogger.

    Yes, this is a change to their Terms of Service (which they reserve the right to do at any time), but is it censorship for them to say “We don’t want hard core stuff on our servers”? That’s like saying a country music station on the radio is censoring heavy metal. No, they just don’t want to have it on their servers. Google’s said they don’t want that. They don’t want to do business or make money off of things they find morally distasteful.

    Frankly I think the whole planet’s hang ups about sex are laughable. The majority of adults I know have consensual sex and like it. I do know a couple asexuals, and I know people who have reasons why they hate sex. I also know people who hate peanuts. It’s about the same thing for some of them (one has a traumatic peanut in his ear story that resulted in surgery and hearing loss). Sex is normal. It’s what everyone does and no one talks about (thank you George Carlin). So grown ups wanting to Google for information about the sex they want to have? There’s nothing wrong with that! There’s nothing wrong with kids looking that stuff up too. We used to hide in the back of libraries, looking things up when we didn’t feel comfortable asking our parents.

    The argument that they’re not ‘censoring,’ they’re just enforcing their guidelines, falls flat when you remember that censorship is defined as acting as a censor. So yes, I think Google’s censoring, but in this instance they’re within their right to do so. That doesn’t mean I think it’s right, but I’ll support their legal rights.

    Is It Discrimination?

    One of the sites hit up by this is a site where porn stars play D&D. I kinda like that site. It amuses me to no end and is how I learned about this change. They had just posted about how they’re leaving The Escapist. They were talking about discrimination and general asshattery and non-inclusiveness. Their site may be punted off of Google’s Blogger service soon for being ‘adult’ by nature.

    I’m actually not sure about that. But I really have no idea why their site is considered ‘adult’ in the first place. I’ve never read anything about sex there except this:

    I’m Zak, I live in Los Angeles. Most of the people I know here are women I know from being a porn “actor”–so they’re porn stars and strippers. So that’s who I play Dungeons & Dragons with.

    First of all, I want to play with them because the game looks fun, but mostly I don’t recall ever reading adult or explicit content there. So of course I started thinking about how they could be making it harder for people to read about things that help them understand themselves. A lot of people sort out what they’re interested in by quietly reading stories about other people who had similar issues and thoughts and feelings. While Google’s only said they’re punting “sexually explicit” content, that’s a really slippery road.

    I shall not today attempt further to define the kinds of material I understand to be embraced within that shorthand description [“hard-core pornography”], and perhaps I could never succeed in intelligibly doing so. But I know it when I see it, and the motion picture involved in this case is not that.

    That quote is from United States Supreme Court Justice Potter Stewart, used to describe his threshold test for obscenity in Jacobellis v. Ohio in 1964 (the film being Louis Malle’s The Lovers). We’re allowing, and trusting, Google to define what is and is not explicit. And this means that it becomes a case by case value judgement. Are two women kissing ‘explicit’? It gets messy really fast.

    Is It What I Expected?

    Yes. I totally expected this.

    Google to punt all explicit blogs? Haaaaaaaaave you met WordPress?

    I meant Self Hosted WordPress, James. Yes, WordPress.com also restricts and censors your content. It’s their playground. I will, till my dying day, support their right to do this. They don’t want to do business like that, fine. I wouldn’t argue the French restaurant that serves pommes frites needs to serve a hamburger or some chutney. That’s their business choice and it just means I can’t use them.

    But it brings up the main reason why I still self-host.

    As someone who self-hosts, I still have to be aware of the Terms of Use for my webhost, but generally that provides me a lot more freedom. I have a legal contract and a leg to stand on. As long as I don’t violate that, I’m good to go.

    And of course I work for a company who would host anything, as long as it’s legal.