raphaelrobert
commented
6 years ago Hi @segahm,
The title of this issue is not correct. Wire is fully open-source, licensed under GPL:
- Android: https://github.com/wireapp/wire-android
- iOS: https://github.com/wireapp/wire-ios
- Desktop (Windows, macOS, Linux): https://github.com/wireapp/wire-desktop
- Web: https://github.com/wireapp/wire-webapp
You are asking to relax a security measure for the web app (#1134). We are happy to do whatever is reasonable, but relaxing security rules is not a path we want to take.
In the meantime, you have a number of options:
- Use another platform, like Android, iOS, Windows, macOS, Linux.
- Try and host the Wire backend yourself
- Wait until self-hosting becomes easier (this is work-in-progress on our side)
We understand that this is maybe not what you expect, but we would like to re-iterate that Wire is fully open-source and that the issue you mention is a measure in place for security reasons.
segahm
Documenting here Wire's restrictions on CORS(Cross-Origin Resource Sharing). Without this change, building on top of Wire's open source project is not an option.
This is a continuation of github.com/wireapp/wire-webapp/issues/1134 (from Apr 26 2017 Wire Team issue). Posting this outside of the wire team, so that the ticket remains open until the issue is resolved.
Foreword
Wire is made up:
The web client is loaded in user's web browser (think Facebook messenger) and interacts with the server (think api services). Both are supposedly available independently for forking and custom implementations (under GPL).
Issue Summary
Wire's open sourced App client cannot be hosted anywhere other than on app.wire.com domain because:
Specifically, when self-hosting Wire App project on a custom domain, you will run into the following errors (at random intervals):
On our side, we have adhered to all the licensing restrictions and have made our own code modifications public here and here.
Wire contract with an open source community
On Jul 22, 2016, CTO and co-founder Alan Duric, stated that "Wire’s users can now build their own client from our source code and run it on our platform"
Running Wire Chat App on a self-hosted domain is fully in accordance with the use requirements--specifically with clause 6.4 on independent apps
End-to-end encryption and associated security should not depend on origin (origin is easily faked with changes to etc/hosts). if it does, claims in this post are invalid
Timeline:
Oct 2016 - Wire's public announcement is made about open source
Jan 2017 - My team chooses Wire as a platform decision and begins building on top of it
Apr 26 2017 - bug issue is first reported to Wire
May 8 2017 (wire side: founders) - we reached out to Founders in order to understand a high-level commitment to open source
June 2017 - Nov 2017 (wire: dev team) we received some technical support from staff during our implementation of both Wire App (this repo) and Wire Bot, and reported bugs--the usual...
Dec 13 2017 (wire: CEO) - we reached out to confirm their high-level vision to support businesses with use cases as ours (i.e. guest users)
Jan 17 2018 (wire: CTO) - we offered to pay a standard Professional Services fee for technical support with the goal of eventually getting to the core of CORS (Wire refused)
Closing Remarks
Let me say that wire team is doing good work. Their coding practices are top notch. I've had the pleasure of debugging errors (both ours and theirs) with them on several occasions. This ticket is in no way trying to diminish their contributions. Just attempting to sort out some misunderstandings.
I personally have been in touch with many members of their team (see above), so the reason for this ticket is that other communication venues for resolving this issue have been exhausted.