AndrewC: ... No, open source just means that you have access to the source code, and that's it. The degree of access/freedom/whatever you want to call it is decided by the author of the code with the license he chooses. ...
You're right, somehow I mixed typical open source licenses like GPL with the term open source alone. Sorry.
BadDecissions: "The enemy?"
Licurg: AHA ! Another filthy Reptilian shill trying to discredit the truth ! KILL IT WITH FIRE !
So is the enemy Sauron?
Trilarion: In short Open Source gives maximum freedom to everyone. And this means everyone.
Szulak: The maximum freedom to everyone is WTFPL license ( http://www.wtfpl.net/ ) :)
WTFPL is indeed the most expressive form of Public domain ;)

The best law-wise bulletproof version of public domain is CC0 http://creativecommons.org/publicdomain/zero/1.0/ (works also in Germany by fallback license)

And the strongest freedom defending variant is the unlicense http://unlicense.org/
(some explanation behind http://tieguy.org/blog/2013/01/27/taking-post-open-source-seriously-as-a-statement-about-copyright-law/)
Trilarion: open source means full freedom to everyone.
AndrewC: No, open source just means that you have access to the source code, and that's it. The degree of access/freedom/whatever you want to call it is decided by the author of the code with the license he chooses.
Well, the OSI would like to disagree... ;)
But yeah, open source is a broad term. But there is a movement to call non-GNU or non-OSI open source licenses (like Creative Commons CC-BY-SA-NC or MS shared source licenses or other commercial variants) "source available" licenses.
Post edited August 21, 2013 by shaddim
Trilarion: In short Open Source gives maximum freedom to everyone. And this means everyone.
Szulak: The maximum freedom to everyone is WTFPL license ( http://www.wtfpl.net/ ) :)
I might be asking the obvious, but does anyone else find it encouraging that a GOG employee is reading along in this thread? :]
timppu: Sorry if I am not fully up to date about open source, but is it so that GOG wouldn't be able to control to which direction such open source client would be heading?

Say, if a number of client users/developers thought it to be a great idea that the client would also let you share your purchased GOG games directly with other users (the client could e.g. include p2p functionality for that), if you feel so. If GOG opposed that idea (as it would make the game publishers quite anxious, I believe), would GOG have any power to block such feature from the client?
Control over the project doesn't require it to be closed source. Those who control code commits essentially control the end result. I.e. let's say there is a set of approved committers. If someone proposes a patch / update / bug fix, it can be merged, or rejected on whatever grounds. Open source project is not equal to "do whatever you want" kind of management.

StingingVelvet: Sounds like a neat idea that will never happen and that's okay.
Why can't it happen, care to elaborate?

shmerl: ...One of the major problems with other services - their clients are closed source. And they mess on your computer installing and updating stuff, while essentially being black boxes. This isn't how things are supposed to be done in order to build trust. ... What do you think?
Trilarion: I think it would be a nice move of GOG although it's not really necessary. After all even Windows is a black box and I'm using it <...>
I actually already trust GOG enough that when they say they aren't spying on us, then they don't. But then I also use Windows and Steam.
Not necessary, but it would give GOG an edge over the competition by building their trust even more. "Already trusting" isn't really good enough for any such closed client. You can avoid using Windows which is a black box if you want. There are open source OSes. I'd say anyone who cares about privacy and DRM-free choices won't use Windows, since Windows is by definition already DRM.

Trilarion: On the other hand maybe GOG just don't want to give control away. And if the API is unknown, it would be hard for the community to come up with their own solution.
Control over what? Having an open client and protocol doesn't give any control over the service away, since GOG defines that protocol and backend functionality. Unknown API and client doing stuff in secret are always worse security and trust wise. And there is no point for GOG to "control" the client as in preventing alternative implementations. GOG doesn't lose anything from community built clients for their service, as well as from opening their own implementation of the client.

timppu: But if GOG has full control over it (its features etc.), could it be considered open source anymore?
Maighstir: If the API is openly documented, the official client itself doesn't need to be open source. Third-party implementations will appear (admittedly, they already have, through black-box observation).
That's right, it doesn't need to, but it would be much better if it would be open source. As I said above, for the sake of enhancing trust and privacy respect and differentiation with the competition on that. And if GOG opens it, community has more chances to contribute to that client, instead of reinventing the wheel.

Fenixp: To be fair, I think OP is asking for the code to be released for peer (and internet rage idiots) review, not necessarily community expansion.
AndrewC: That's what I gather from the original post, but afterwards he adds:

shmerl: Potential collaboration with the community (bug reporting, contributions and etc.). I see GOG only gaining, and losing nothing by doing this.
AndrewC: Though I see that potential keyword in there.

The problem is that maintaining an open-source project is not something I'd think of "losing nothing by doing this" because there's a lot of bureaucracy, especially if you accept community contributions/forks.
About the level of freedom in the code. Firstly, having it as open source (for review and trust), but not allowing contributions / modification (i.e. not free software) is pretty silly, since it would prevent any potential bug fixes and enhancements that could come from the community. There is no point in doing that. There might be something new to learn for GOG about managing an open source project, but it's not as scary as you might think. Though, even if contributions aren't allowed, but the code is open for review - it would be still a big improvement over the black box code.
Post edited August 21, 2013 by shmerl
Elmofongo: So is the enemy Sauron?
No... He's just a cover for the Reptilians.
That's a nice idea, but generally we're talking in hypotheticals here. No update client has been announced so far, so discussing it is a bit moot at this point.

EDIT: Oh, by the way, the title reads "issue of turst". Might want to do something about that, if at all possible ;)

nijuu: Question.
What functions could potentially go into this client, and what would stop stupid features (see all the extra shite on the Steam client which are unnecessary) from being added in the future because a bunch of people can't live without feature x in another client?
If they accept patches, then they could stop stupid features themselves. Alternatively, they could make the system modular. Then everyone could build their own versions with whatever features they like. ./configure --with-extra-shite for those who want it, ./configure --no-extra-shite for those who don't. And packagers can create a gog-client and gog-client-lite packages to satisfy both extremes. Or it could use run-time plugins, like Pidgin, and then just offer each extra feature as a plugin (they could be maintained out of tree if needed).

timppu: Say, if a number of client users/developers thought it to be a great idea that the client would also let you share your purchased GOG games directly with other users (the client could e.g. include p2p functionality for that), if you feel so. If GOG opposed that idea (as it would make the game publishers quite anxious, I believe), would GOG have any power to block such feature from the client?
I think they would. Such a feature would be a tool for nothing but copyright infringement, so I think they could do DMCA takedowns on such a client version.

AndrewC: The problem is that maintaining an open-source project is not something I'd think of "losing nothing by doing this" because there's a lot of bureaucracy, especially if you accept community contributions/forks.
Not really. Code review is easier than writing the code in the first place. If they disallowed contributions, they would just lose features. If they allowed it, they would have to invest some extra time for review, but the return-on-investment would ultimately be better than writing the same thing from scratch. Also, if they didn't merge patches upstream, then people would just create a downstream version and most people would use that. Which would mean GOG wouldn't have to invest in review at all, but they wouldn't have as much control over what people end up using.
Post edited August 21, 2013 by GreatEmerald
GreatEmerald: That's a nice idea, but generally we're talking in hypotheticals here. No update client has been announced so far, so discussing it is a bit moot at this point.
EDIT: Oh, by the way, the title reads "issue of turst". Might want to do something about that, if at all possible ;)
GreatEmerald: Yeah, thanks. Can't edit the title unfortunately, maybe moderators can fix that.

GOG didn't announce such client, sure, but it's something that should be expected even if not in the very near future. I.e. it's logical for GOG to make something like this to compete better.
Post edited August 21, 2013 by shmerl
timppu: Sorry if I am not fully up to date about open source, but is it so that GOG wouldn't be able to control to which direction such open source client would be heading?
They currently use an API that they do not publish and people like Sude basically reverse-engineered and documented for their own use like the Linux gog downloader. Making the API public and imposing limitations or adding features to it is what they would have at their disposal as far as "direction" of the client is concerned.

timppu: Say, if a number of client users/developers thought it to be a great idea that the client would also let you share your purchased GOG games directly with other users (the client could e.g. include p2p functionality for that), if you feel so. If GOG opposed that idea (as it would make the game publishers quite anxious, I believe), would GOG have any power to block such feature from the client?
Oh c'mon. It's stupidly easy to create a torrent for anything these days as it is to put a file on a file hosting service. Do you really think that an "unofficial" gog client would suddenly peg the piracy meter?
Post edited August 21, 2013 by silviucc
If you want to "code review" the GoG downloader it's easy: download DotPeek or a similar free .Net decompiler tool and you can have access to the full, easily readable, source code, it's not native code nor obfuscated so it's not exactly a tightly locked black box.

As for accepting "contribution", not really convinced that the extra workload that would generate would really be worth it for GoG.
Gersen: If you want to "code review" the GoG downloader it's easy: download DotPeek or a similar free .Net decompiler tool and you can have access to the full, easily readable, source code, it's not native code nor obfuscated so it's not exactly a tightly locked black box.

As for accepting "contribution", not really convinced that the extra workload that would generate would really be worth it for GoG.
Gersen: We aren't talking about current downloader. There are open source alternatives already available now, like one by Sude mentioned above. This is about potential future complex client for incremental updates.
GreatEmerald: Not really. Code review is easier than writing the code in the first place.
This is highly dependent on the quality and style of the code being reviewed and just how well the code review has to be performed. In my experience 90% of the outside contributions to large projects are complete clusterfucks which tend to take more time properly being merged than just writing the damned code itself.

Also, you should see some test cases that come with the submitted code. Or better said, you should see the number of emails sent explicitly telling people to read the commit requirements and WRITE the fucking test cases.

GreatEmerald: If they disallowed contributions, they would just lose features. If they allowed it, they would have to invest some extra time for review, but the return-on-investment would ultimately be better than writing the same thing from scratch.
Not in most cases, especially not from my experience. They can very well receive feedback and a wish-list and decide if they implement them or not. As I said above, the quality of code out there varies widely, and in most cases is complete shit, especially for small projects.

GreatEmerald: Also, if they didn't merge patches upstream, then people would just create a downstream version and most people would use that.
Dependent on the license they chose for their code. As I said above, I can let you see my code and compile it for yourself, or even modify it for yourself, but I can disallow you distributing said code. Now, would some tech-savvy users be able to compile the base + your changes? Sure. Would the mass majority of people be able to? No.

GreatEmerald: Which would mean GOG wouldn't have to invest in review at all, but they wouldn't have as much control over what people end up using.
See above.

--------------------------------------------------------

My main problem with the whole "let's make it open-source, this way people can see for themselves that the code is good" is that there's plenty of evidence that people don't do that/people fail badly at understanding good code especially when it comes to security.

I think this highlights a bigger concern that people are trusting of "open source" and essentially falling into a false sense of security by assuming that other people will verify that it's secure for them.

I personally worry about this all the time with things like TrueCrypt and OnePassword. What sort of validation do we really have that there's no backdoor to these programs, or critical flaws that would completely invalidate them?

Sure, they all have the "the source code is constantly being reviewed by many independent researchers and users" somewhere in their FAQ but it's still just about a network of trust. Who reviewed the code? How do we know they reviewed it? How do we know they are security experts? How do we know the person who verified the reviewers are actually security experts knows what he's talking about? And so on, and so on.

Just look at the mess Cryptocat went through for example. Good reads are and here (http://tobtu.com/decryptocat.php).
Compare "open source code has a risk of backdoor" and "closed source code has a risk of backdoor". There is always risk. The difference is that second risk is always higher, since there is no way to do the same level of review as in the first place. So your argument that "open source has risk also" doesn't change the fact that open source option is still better trust wise. Don't trust blindly either. But the point is, closed one can't be properly trusted at all.
Post edited August 22, 2013 by shmerl
shmerl: Compare "open source code has a risk of backdoor" and "closed source code has a risk of backdoor". There is always risk. The difference is that second risk is always higher, since there is no way to do the same level of review as in the first place. So your argument that "open source has risk also" doesn't change the fact that open source option is still better trust wise. Don't trust blindly either. But the point is, closed one can't be properly trusted at all.
Not necessarily. I can very well trust a closed source company who's going through external code security certification audits without me seeing the code if the audit firm is reputable more than I can trust open-source code which claims to be checked by security experts without any actual proof. This is because I am not a security expert and can't judge the code for myself.
shmerl: ..."Already trusting" isn't really good enough for any such closed client. You can avoid using Windows which is a black box if you want. There are open source OSes. I'd say anyone who cares about privacy and DRM-free choices won't use Windows, since Windows is by definition already DRM. ...
Hmm, I cannot do without Windows. But actually the GOG client is not DRM, once you download the setup files, they are yours. So the concern would be more about privacy. Modern games often track players' behavior and phone home. What about them? Would you want the newer games on GOG also to be open source, so you can be sure?

I'm all for open source, but I think such a stance might end up in demanding that every single program must be open source because you can never be sure and a chain is only as strong as the weakest element.

It would be nice if GOG would do it but I personally don't need it.
Post edited August 22, 2013 by Trilarion