18 October 2019

These 3 open source licenses are best? WHY??

I've already said that these 3 licenses are best for open source nowadays for me:
  1. Apache License 2.0 --- Apache-2.0 @ SPDX, ChooseALicense
  2. Mozilla Public License 2.0 --- MPL-2.0 @ SPDX, ChooseALicense
  3. GNU General Public License 3.0 or later --- GPL @ SPDX, ChooseALicense
But WHY??

The open source community has basically settled on 4 styles of sharing, and with it 4 genres of open source licenses.  The list above is my pick of what I think is best in each of the first 3 genres.  Let's talk about each one in turn:

1. Software developers are free to do whatever they want with my code in building their software.

Look for MIT, BSD, Apache licenses, etc.

But I think Apache License 2.0 is the best because

2. Users are free to do whatever they want with my code and any modifications to my code in the software they got from the software developers, even if they can't with the developer's other proprietary code.

Look for MPL, EPL, LGPL licenses, etc.

But I think MPL 2.0 is best because
  • compared to MPL and EPL, the LGPL basically makes the distinction that static linking of code counts as a modification to that code, but dynamic linking does not.  That just seems like a needless distinction for a license to make, and MPL and EPL don't make that distinction.  And I like static linking.
  • EPL 2.0 is basically a very new update to EPL 1.0 that makes the EPL even more complicated than it already was.  The main purpose was to (1) change the boundary of what counts as "my code" from a module based distinction to a file based distinction, which is what the community has standardized on, (2) make it more internationally usable, and (3) add in GPL compatibility as an opt-in.

    Unfortunately, GPL compatibility is opt-in and not the default, which makes it even more complicated when mixing EPL 2.0 code with/without the GPL secondary license and EPL 1.0 code, which was never GPL compatible.

    So if your community has settled on EPL (like many in Java or Clojure), then maybe sticking with what the community is using is easiest.  Otherwise, it's hard to make an informed use of the EPL as an individual, unless you've got lawyers on retainer... which is maybe why the EPL is very well regarded by businesses?
  • MPL 2.0, on the other hand, has GPL compatibility by default, unless opted-out of.  It's much older so it's better known and understood, still very well regarded, and used by large projects like Mozilla for Firefox, Adobe for Flex, LibreOffice, etc.  And it's relatively short and easy to understand, so MPL 2.0 it is!

3. Users are free to do whatever they want with all of the code in the software they got from the software developers.

Look for GPL.

This is the classic "viral copyleft" thing, although talking about strong/viral copyleft is kind of more confusing than helpful (see Weak or Strong is Wrong) because, philosophical discussions aside, it's really just about what kind of code sharing you want to take place with the code you authored.

GPL is all about the freedom of the end users of the software, not about the developers'.


4. Users are free to do whatever they want with all of the code in the software they use from the software developers.

Look for AGPL, SSPL, etc.

GPL had a SaaS loophole / ASP loophole:  what happens if the end users never got the software, because they only used it running in the "cloud" (i.e. on computers they don't own)?

AGPL is supposed to close that loophole so that if an organization modifies AGPL software, any end user using that AGPL software in the cloud must be able to do anything they want with its code.

More recently, AGPL was found to have a no-modification loophole: what happens if an organization just uses and doesn't modify AGPL software?  The AGPL doesn't compel code sharing in that case!

So companies could containerize AGPL software, build an API around it to use it internally, etc., and as long as they never modify the actual AGPL software, they could use it without ever sharing any code.

Some patched that loophole with the Commons Clause.  MongoDB took a different path by creating the SSPL.

I don't know enough about this genre of sharing to suggest any license as best.  Reading SSPL Was Not Commons Clause, it's clear this is still cutting edge licensing legal stuff.  If you're looking for a license for this genre of sharing for any serious work, you'd probably have your own lawyers anyway.

And I'm definitely not a lawyer, so let's just agree to take this as entertainment.  :)

12 October 2019

These 3 licenses are best for Open Source?


Choosing an open source license is confusing.  There are so many!  But I've narrowed it down to the 3 best ones for me nowadays.

I'm not a lawyer, so take this as entertainment.  :)
  1. Apache License 2.0 --- Apache-2.0 @ SPDX, ChooseALicense
  2. Mozilla Public License 2.0 --- MPL-2.0 @ SPDX, ChooseALicense
  3. GNU General Public License 3.0 or later --- GPL @ SPDX, ChooseALicense
Which you use depends on what kind of sharing you want to do.

Use Apache 2.0 license if:
    1. you want anyone to be able to use your code however they want
    2. including building bigger projects based on your code with the bigger work licensed however they want (including possibly "all rights reserved" proprietary licensing), 
    3. without expecting them to share anything back in return,
    4. without expecting them to acknowledge they used your code,
    5. and without expecting them to share your code that they used.
Use MPL 2.0 if:
    1. you want anyone to be able to use your code however they want,
    2. including building bigger projects based on your code with the bigger work licensed however they want (including possibly "all rights reserved" proprietary licensing),
    3. but you expect that any changes they make to your files are shared back in return,
    4. you expect that they will acknowledge they used your code,
    5. and you expect they'll make available your code that they used.
Use GPL if:
    1. you want anyone to be able to use your code,
    2. including building bigger projects based on your code but with the bigger work also GPL licensed,
    3. and any changes they make to your code, as well as any code added to your code even if in other files or modules, are all shared back in return,
    4. you expect that they'll acknowledge they used your code,
    5. and you expect they'll make available your code they used, and also any code they add, even if they added them in other files or modules.
Notice the big distinguishing point is in how much you want users of your code to share back changes or additions.  From zero sharing required (Apache 2), to sharing changes or additions to your files (MPL 2), to sharing all changes or additions whether they be in your files or in other files linked (dynamically or statically) to your files (GPL).

If you want help navigating to which license to use, I found this License Selector the best (except it's missing EPL-2.0).  While the Choose a License site from GitHub has the slickest UI, they make some questionable suggestions from my point of view, like highly suggesting the MIT (a.k.a. Expat*) License instead of the Apache license.

One reasonable piece of advice from ChooseALicense though is to choose the license common in the community you want to share in, but that's really only true if there is an equivalent license to what you'd otherwise want to use.

For example, if you want to use the MPL-2.0, but you're wanting to share in the Clojure community, then you're probably better off using the EPL-2.0 (Eclipse Public License) instead, despite the EPL 2 being very likely not as "good" as the MPL 2 by some metrics.  But EPL is only even an option as it's basically equivalent to the MPL as far as I could tell.

If for some reason you really wanted to GPL license your Clojure code, then EPL isn't going to cut it anyway because they're not at all equivalent.
    * this is different from the MIT / X Consortium License.

    14 September 2019

    How to fix a corrupted VMDK VirtualBox disk image

    I was testing a VMDK VirtualBox disk image created as a dynamically sized sparse disk.  And I tested putting data into it to grow its size until my disk ran out of space on the host OS --- while inside the guest OS the disk image still had space.

    It crashed and corrupted the VMDK disk image.  And VirtualBox doesn't have a way to fix it.

    VMDK is actually a VMware format.  They have a utility to fix it.

    Just download the vdiskmanager from the Attachments section of this page [1].  Then use it as sudo /path/to/vmware-vdiskmanager -R /path/to/broken.vmdk to fix it as documented here [2].

    [0] Can I fix corrupted vmdk image? VERR_VD_VMDK_INVALID_HEADER
    [1] Repairing a virtual disk in Fusion 3.1 and Workstation 7.1 (1023856)
    [2] Repairing a sparse virtual disk in Fusion (1023888)

    06 September 2019

    Migrating to Lubuntu again - tips and fixes

    I like Lubuntu, and it just keeps getting better.  My old migration notes are mostly outdated as the new Lubuntu uses LXQt instead of the previous LXDE.  So here are some new things I made note of as I migrate to Lubuntu 19.04:

    Time Clock Auto Update Synchronization Problem
    Lubuntu by default uses timedatectl as the tool for setting the time, including synchronization via NTP (Network Time Protocol).  It doesn't seem to have many manual controls though, like forcing an update.

    You could instead use chrony.

    See Keep Your Clock Sync with Internet Time Servers in Ubuntu 18.04  and Ubuntu Docs on Time Synchronization.

    It lets you do things like chronyc sources to see the currently available and selected time sources.  Perhaps your network is blocking NTP updates?

    Or chronyc sourcestats to see your clock's time offset from the various NTP sources.

    You could do a single time offset check, without setting the time: sudo chronyd -Q

    Or manually force a time synchronization with: sudo chronyd -q


    Screen Saver Lock Screen Madness
    There are at least 3 places to set the screen saver / lock screen / sleep settings:
    1. Preferences > LXQt Settings > Session Settings
    2. Preferences > LXQt Settings > Power Management
    3. Preferences > Screensaver
    They seem to interact with each other, and each has slightly different settings and uses.

    My default Screensaver sometimes ran the CPU real hot, so maybe set that to something less energy intensive first.  I used Deco with settings to reduce framerates.

    I'd suggest using Screensaver purely for setting the screensaver and when it turns on.

    Set when the screen locks using Power Management (Idle tab).

    Use the Session Settings to set whether the screen locks before suspending the OS (I think it defaults to locking after suspending).


    Microsoft Fonts

    Install ttf-mscorefonts-installer.  There are some instructions for this, but it's straightforward from the package manager.  Just use sudo apt install ttf-mscorefonts-installer.


    Download your own software to get the latest versions
    The default package manager using the default Ubuntu software sources is pretty good at keeping up with the versions.  I like doing that most of the time to reduce maintenance.

    Some things are worth the manual install though.

    1. LibreOffice is at 6.3, but the default installed version is currently only 6.2.6.  Small difference but 6.3 has major efficiency and compatibility updates!  Actually, you don't need to download and install manually.  Just add this PPA to get the freshest version by doing sudo add-apt-repository ppa:libreoffice/ppa and using your package manager to upgrade.
    • LibreOffice has an extension I rely on a lot:  MultiFormatSave.  Lets me save a document to multiple formats at the same time, great for supporting MS Office compatibility.
    2.  Google Chrome is self-updating.  I prefer Firefox but anyway, sometimes you need it.

    3. Apache NetBeans.  This requires as a dependency the Java JDK at least version 8.  Version 11, the default on Lubuntu right now, works fine so far.
    • And get the "Maven Remote Search" plugin before NetBeans starts downloading and extracting the maven index that's apparently more than 1 GB in size (froze my computer since I have very little disk space...).


    File compression archiver tool

    The default Ark works fine, but when compressing folders, it likes to compress the entire directory tree from root down to the folder you actually want to compress.  There must be a setting for it in Ark but I can't find it.

    So just install file-roller instead from the muon package manager.  The default file explorer PCManFM-Qt has a preferences option to integrate with file-roller instead as well for ease of use.


    Markdown editor

    I like Ghostwriter so far.  And it can even be installed from the default muon package manager.  Even better!


    Basic graphics editing
    The default graphics viewer LXImage has some annotation tools, I guess, but nothing more.  I miss the Mac Preview tool.

    Anyway, ImageMagick or the more updated GraphicsMagick fork is quite useful (but beware it has a very... historic?... dated?... GUI).  It can be installed via the muon package manager, but it doesn't seem to install a default app launcher icon --- well, it's meant to be used from the terminal, but I like to deal with the GUI.

    So I added a blank file to ~/.local/share/applications called "GraphicsMagic display.desktop" with the following text saved to it:

    [Desktop Entry]
    Encoding=UTF-8
    Name=GraphicsMagick display
    Comment=GraphicsMagick display
    Exec=/usr/bin/gm display %F
    Icon=lximage-qt
    Categories=Graphics;Viewer;RasterGraphics;2DGraphics;Photography;
    Type=Application
    MimeType=image/jpeg
    Terminal=false

    Now you can use it like LXImage (in fact, it uses the LXImage icon because, why not?).

    If I need more intensive graphics editing, I'll use GIMP.

    29 August 2019

    VeraCrypt download: how to verify its PGP signature

    VeraCrypt's download page has a link to a clear explanation on how to verify its download.  But I noticed the PGP signature/key has changed since version 1.22.

    They've also since moved their website from the old Codeplex page to the new download page here: https://www.veracrypt.fr/en/Downloads.html

    VeraCrypt is apparently sponsored by IDRIX (https://www.idrix.fr) and you can verify the new PGP signature/key from them too: https://www.idrix.fr/Root/content/category/7/32/60/

    Their open source development has moved to GitHub where you can see when the PGP signature/key update occurred: https://github.com/veracrypt/VeraCrypt/commit/3e25b07646fdb5f01f48da329b91b0553f54a396


    On Macs
    Make sure Homebrew is installed (or else you can install these yourself from source).

    brew install gnupg
    brew install gpg2

    Get VeraCrypt PGP key ID from:
    https://www.idrix.fr/Root/content/category/7/32/60/

    In the terminal, run the following with the VeraCrypt PGP Key ID you got above:

    gpg --recv-keys 0x680D16DE
    

    That should import the public key and say "VeraCrypt Team (2018 - Supersedes Key ID=0x54DDD393)" etc.

    gpg --fingerprint 0x680D16DE

    That should display the key fingerprint, which you should compare with the key fingerprint that's posted on:
    https://www.idrix.fr/Root/content/category/7/32/60/
    and on:
    https://www.veracrypt.fr/en/Digital%20Signatures.html

    Now to verify your download, run the following in Terminal for your downloaded version of the files:

    gpg --verify veracrypt-1.23-setup.tar.bz2{.sig*,}

    The message displayed should say the signature used key ID 0x680D16DE (make sure it's the key ID found from above!), or that the primary key fingerprint is 5069A233D55A0EEB174A5FC3821ACD02680D16DE (matching the fingerprints from the above links).

    And it should say the signature is a "Good signature" from the VeraCrypt Team.

    That's it!
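
The verification step above, as an added shell example that is not part of the original post: rather than reading gpg's human-readable message, it parses gpg's machine-readable --status-fd output and accepts the download only when the full 40-hex primary key fingerprint quoted above matches, since an 8-hex key ID is too short to identify a key uniquely. The function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Primary key fingerprint quoted in the post; compare all 40 hex digits.
VERACRYPT_FPR="5069A233D55A0EEB174A5FC3821ACD02680D16DE"

# check_status EXPECTED_FPR  (hypothetical helper name)
# Reads "gpg --status-fd 1 --verify" output on stdin. Succeeds only if gpg
# reported VALIDSIG for EXPECTED_FPR and no bad/expired/revoked status.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" {
            # Field 3 is the signing (sub)key; the last field is the primary key.
            if (toupper($NF) == toupper(want)) ok = 1; else bad = 1
        }
        END { exit !(ok && !bad) }
    '
}

# verify_download FILE SIGFILE  (hypothetical helper name)
# Runs gpg itself; a missing public key or missing gpg also counts as failure.
verify_download() {
    gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null | check_status "$VERACRYPT_FPR"
}

# Constructed sample of gpg status output (dates and algorithm fields made up).
sample_good_status() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 821ACD02680D16DE VeraCrypt Team (2018 - Supersedes Key ID=0x54DDD393)
[GNUPG:] VALIDSIG 5069A233D55A0EEB174A5FC3821ACD02680D16DE 2018-09-12 1536710400 0 4 0 1 10 00 5069A233D55A0EEB174A5FC3821ACD02680D16DE
EOF
}

# Constructed sample: cryptographically valid, but signed by a different key.
sample_wrong_key_status() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1111111111111111 Someone Else
[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2018-09-12 1536710400 0 4 0 1 10 00 1111111111111111111111111111111111111111
EOF
}
```

With the key already imported, verify_download veracrypt-1.23-setup.tar.bz2 veracrypt-1.23-setup.tar.bz2.sig returns 0 only for a good signature from the pinned key.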


    On Linux or Windows

    Similar instructions apply for Linux, but install GnuPG and GPG from your system's package management system instead.

    You can see similar instructions for setting up VeraCrypt on Kubuntu here.

    Similarly for Windows, but you'll have to figure out how to install GPG yourself --- see the Tor project's manual on doing that (that's what helped me piece together the above):
    https://www.torproject.org/docs/verifying-signatures.html.en