Closed movermeyer closed 4 years ago
Further, the link to Gabriel Weinberg's post about tithing no longer works. I was unable to find a working link to the post, but the Internet Archive still has it.
Well I feel dumb! Thanks for pointing that out!
As for contributing directly... I have not put this out as open source yet. It's something I may consider doing in the future if searchcode server takes off enough to justify it, but at the moment I am unwilling/unable to deal with the support overhead it's likely to create. I wrote about why in more detail here: http://www.boyter.org/2014/10/searchcode-com-100-free-software/ It's really a self-preservation thing. If I am ever going to shut it down it will be released in its entirety, however.
I also updated to point at the Internet Archive link for the moment. I had hoped that http://fosstithe.org/ would still be up, but alas. Will need to think about what to do about this.
My question was specifically about the website content. Some people use a GitHub repo to back the website content so people can fix typos directly.
I understand your reasoning for not open-sourcing the server. Unfortunately, I'm not sure that we're comfortable with giving it access to our internal Git repos without at least a cursory code review ("trust, but verify"). So as much as I really love the look and feel and ease-of-use of searchcode server (and I think it has a shot to really take off), my use of searchcode will likely be fairly limited.
That's a fair point. I might look into doing something like that to make that sort of thing easier.
That's understandable. I suspect you may be worried about the downloaded version reporting back to some master server somewhere? The server version has no external calls to anything beyond what repositories you ask it to index. You can actually run it without any external network connection (which is how I run a copy at home). Your concern is why the server version is not a SaaS product and was designed from day one with this in mind.
If you doubt me, by all means consider doing the following:
I personally hate "phone home" software be it free/open source or otherwise and hence would never consider doing it myself.
I will be adding one small external call in the next release which will ping the following URL https://searchcode.com/product/version/ when requested, to check if you have the most up to date version. It will be on demand, i.e. it will never make that call unless it is explicitly requested by an administrator. It will not be submitting any details with the call, and will only be there to check if the version is the latest.
Not sure if that helps. I understand trust is a difficult thing to gain, and since it's fairly new it's something that needs to be gained over time. I will never do anything to break that trust because frankly that's the only thing that is likely to help with searchcode server becoming successful. If anyone ever discovered code in there that took copies of their source code, not only would I likely be sued into oblivion, it would kill something I have put a lot of effort into. Neither of which is appealing.
Yes, that helps. Thanks for the verification suggestions.
I'm sure you would have thought of them yourself. However, since I have nothing to hide I see no reason why I shouldn't suggest it.
Let me know if you have any other questions though.
@movermeyer I was thinking about this problem a bit further. If you only want to grep through the source code to ensure nothing is leaking, I'd be happy to provide the source to you to browse through.
Ultimately I want this to work such that I can invest more time in searchcode.com itself, but am not 100% comfortable moving to a pure OSS model yet. It's something, however, that I am seriously considering if there is not enough traction in the next few months.
How many lines of code are we talking about here? I can lend my hand in a source code review.
While it would help ease my mind, I'm not sure what kind of guarantee I could offer others after the code review. Would I have a commit hash that I could "certify"? Something like "I Michael Overmeyer certify that to the best of my knowledge, there are no backdoors in version eda349dd60896e89c39f864bbe74f17f06ef122e of the searchcode repo?"
Others don't have access to the code, so they don't know what commit went into which binary. I suppose I could also certify that I was able to produce the same binary, although that might require some additional work on your end to make reproducible builds possible.
That might be useful when it comes to uptake, but it also might not. Let me know what you think.
It's about 9300 thousand lines including tests, but that's just the Java code; there is a collection of supporting files (XML, Python etc...) that perform other roles.
I see your point... I can totally understand you being hesitant. I guess the only real option that works for what you want is to actually release the source code. I'll have a think on it.
For the record I would release it using the Fair Source Licence https://fair.io/ if I decide to do so. I think it is fairly reasonable in terms of use.
That makes sense.
@movermeyer You can now browse the source at https://github.com/boyter/searchcode-server; it's under the Fair Source licence as previously mentioned.
Thanks. Time to take a look. :smiley:
Let me know if everything is above board for you. As I mentioned previously, the only calls it will make out are ones you request. These include calling Git or SVN servers, and the other being a request to find out if it is the latest version, which can only be triggered by an admin user clicking.
Going to close this one down now since the main issue raised has been resolved. If you have further questions about searchcode-server you can use its GitHub tracker, and I can keep this one for searchcode.com itself: https://github.com/boyter/searchcode-server
@movermeyer Hey did you ever manage to run through the code? Would be curious to know how you found things and if it put your fears to rest :)
For example, on this page
probably should be
On the same page:
Is there a way that people can contribute typo fixes directly?