strongbox-password-safe / Strongbox

A KeePass/Password Safe Client for iOS and OS X
https://strongboxsafe.com
GNU Affero General Public License v3.0

Project cannot be built, half the repo is missing. Open source, but not really? #784

Closed PerplexedMascot closed 3 weeks ago

PerplexedMascot commented 3 weeks ago

Strongbox is declared as open source project, so I wanted to audit the code and build my own version. After all, I'm an iOS dev and know my way around Xcode.

Much to my surprise, there is no .xcodeproj file, no .plist files, no UI resources (storyboards), no .strings, almost no image assets, and all the URL strings right before the double-slash. This cannot possibly be built, even by its authors.

I looked around and found a confirmation in README:

What is here is all of the functional code used in building Strongbox Browser AutoFill, other non functional files (e.g. artwork, images, auxiliary and build configs) are not present.

Build questions are outright forbidden, and are indeed missing from the issue tracker.

Please do not file issues about build trouble or problems.

All the while:

Anyone can view the code and verify that everything is above board, the algorithms are correct and there are no backdoors or other malicious features present.

How are we supposed to verify the code if it cannot be compiled? Step-by-step in the head?

How is this "the preferred form in which a programmer would modify the program"?

How is this open source?

strongbox-mark commented 3 weeks ago

As you've discovered from our README, we do exclude some non-source-code files (e.g. binary dependencies, artwork, language localizations, non-functional UI files, Xcode project metadata, etc) from the repo for different reasons (e.g. licensing issues for artwork, sensitive API id/tokens in plists etc).

We're also a commercial endeavour and we do this to try to protect ourselves and our work against some amateur copycats/piracy. This may not be to your liking and I'm sorry that's the case. In a better world we'd prefer not to have to make things more difficult. It'd be great to make things easier to build for devs like yourself.

I do disagree with a couple of your points (e.g. how is compilation in any way related to verification?, what has a .strings file got to do with an audit?) but I'm not going to get into a debate about the finer points of what is and is not "open" / "free" source, or auditing. This isn't something I think will be productive or a good use of our time.

What I will say in our defence is that it is possible for a developer with time and effort to reconstruct/build/compile the code in this repo. It's not impossible as you say, but it isn't super trivial either. I think we're pretty upfront about this in the README. We do also ask devs to refrain from consuming our time/resources asking or raising build issues for this reason. I think that's fair. We're not going to help people who want to take advantage of our hard work, but we do want to be transparent about the code we write.

As you can see we've been diligent in keeping it available and up to date. We're doing our best to build trust in this way, but there are limits to how easy we want to make things for people who would steal our work, particularly given that we don't have the moat of running our own servers and charging people for access to them (a la 1Password/Bitwarden etc).

So, while we may not fit your precise definition of "Open Source" (tm), we do want to make our source available for inspection, because we want to build trust and also because we gain from many eyes who might see bugs/issues that we might have missed. Unfortunately, I get the feeling we won't be able to see eye to eye on this, but I'm sure you'll understand our decision making here and why we've tried to do our best to balance openness/transparency/trust with protecting our work/IP so that we can keep on building a great password manager. Hope that makes sense, and sorry to disappoint.

PerplexedMascot commented 2 weeks ago

We're also a commercial endeavour and we do this to try to protect ourselves and our work against some amateur copy cats/piracy.

Got it. This is a money-making business and you monetize your work. It does not have to be free, open, complete or even public. You don't owe anyone anything and published some source files out of kindness. In order to protect your revenue, you don't want any forks, derivative works or self-compiled copies. None of that jolly open-source anarchy 🏴‍☠️

All good, a normal proprietary software business.

The problem is that you wave the "open source" badge and monetize its good name. Open source implies certain ethical principles and people respect and support that. I wish you did too, though.

we may not fit your precise definition of "Open Source" (tm)

Well done reframing this as my personal thing, not shady at all 👍

We're not going to help people who want to take advantage of our hard work, but

Yeah, I guess this might be a little in conflict with this whole "open source" thing.

There is no "my" or "your" definition. There is one common definition of open source. Ten simple criteria that protect OSS principles from abuse. Strongbox fails criteria 2, 3, 5, 6.

If you really want to be transparent and build trust, here's some food for thought:
If you want to keep the "open source" badge, stop playing tricks and comply with its requirements.

If you want to keep your proprietary barriers, drop the "open source" badge.

You cannot have both.