I currently recommend avoiding using, and/or contributing to their products, until they fix their false advertising.
They are actually licensed under CC-BY-NC-SA (Non commercial, share-a-like), which is not an open source license (as commercial use allowed is a requirement for open source).
When confronted on Github, the issue was shortly closed, saying that the libraries used for the apps are open source, and that they have no plan for allowing commercial use for their apps.
I pointed out that open source requires commercial use, and I got this reply from their CEO:
"Commercial use is not a requirement for open source software. Study the MongoDB case."
Didn't know that MongoDB is open source. Because it's not. It's source-available, not open source.
Well, can't blame for users not checking this. Even It's FOSS News publication (https://news.itsfoss.com/skiff-mail-review/) got baited. Startups are using open source software's reputation, without contributing to the community (by using an proper license).
@dushman They're drugged up on VC funding. False advertising themselves as open source and privacy-first E2EE email (well, only to other Skiff users 😂).
@raikas@jolek78 Not to mention, there’s a reason why you don’t use Creative Commons for your software projects: there’s no limitation of liability clause. (Lawrence Lessig told me that when I asked him about it years ago.)
@raikas Well done for calling this out. @illiliti shared this with me, so have added it as a case to watch on my repo where I track and document many of these kinds of cases:
i'd be interested: what is your opinion on the (i believe growing) number of closed saas backends pretending to be open just because they release a foss client?
@slink Thanks! I think the license setup itself is fine, more open is more better, but if they're advertising the wider product/scope as open source then that's misleading and wrong.
There's a similar trend of "open-core" repos with mixed licensing, advertising as open source, but their open code depends on closed code.
@raikas I wouldn't recommend protonmail because they are not fully open-source due to proprietary backend. Plus they don't support standard protocols like SMTP/IMAP and thus endorse vendor lock-in practice. They even invented their so-called "bridge" to workaround that, but it is so convoluted mess that nobody wants to use because it breaks certain types of messages. See https://github.com/ProtonMail/proton-bridge/issues/26
@illiliti@raikas I’m not an expert, but both imap and smtp are ancient technologies that don’t support E2EE. For example the subject of each email always travels unencrypted. I think that’s what they’re trying to remedy. There’s one reason for Bridge.
@funkybuddha@illiliti@raikas Protected headers. Here is how an actual (raw as seen with CTRL-U) email looks like (with most headers and the actual message removed)
Thank you for the article list, it is now on my reading backlog.
@raikas I don't have twitter account, but it seems to be the only way to contact privacytools.io. Do you have a twitter?(yes you do) You could ping them about skiff's behavior and if they have good moral stance, they will remove it from their website: https://www.privacytools.io/privacy-email
The thing is proceeding in issue #94, which was reopened. I tried to be a bit more civil and offered a possible solution to the problem (strong copyleft license like AGPL), and seems like they are trying to fix the licensing thing soon, when they can.
@illiliti Well, only time will tell. I'm probably not going to comment on the situation any further, but I have some hope for it, as they have lately relicensed the libraries from CC to MIT 🤷
@raikas They already said they won't relicense anything beyond already relicensed projects like skiff-ui. They are simply giving a false hope by intentionally dragging their feet with these useless discussions. This is not a new way how to create an impression "we are working on it" while keeping abusing open-source term without giving a shit at all. Don't fall for this because only real action will bring peace, not these discussions about nothing.
@illiliti@raikas i'd like to add that even in the best case where they relicensed all the client code as copyleft, the saas would remain inherently non-free, proprietary, lock-in.
so in my mind a service is only #opensource if the service code itself and all the environment is, too, such that anyone can self-host.
maybe we need a new term? #fosss for free open source software service? or #fsaas ?
@slink I think they just need to be clear that backend code is proprietary and client code is open-source(if they relicense to an open-source license). That would be enough, really.
Add comment