Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
Choosing new software is important, if it
(00:02):
goes well and it becomes part of our daily
workflow, we might be using a given piece
of software for years, maybe even decades.
So it's important when we make these
decisions, we don't want to get sucked
into a vendor like a walled garden, right?
So anytime you make a choice about
adding a new piece of software,
I think it's important to keep that in
(00:23):
mind, "How hard would it be for me to
leave if I ever had to change apps?"
Welcome to the Sovereign Computing
Show, presented by ATL BitLab.
I'm Jordan Bravo, and this is a
podcast where we teach you how to
take back control of your devices.
Sovereign Computing means you own your
technology, not the other way around.
(00:45):
This episode is sponsored by ATL BitLab.
ATL BitLab is Atlanta's
freedom tech hacker space.
We have coworking desks,
conference rooms, event space,
maker tools, and tons of coffee.
There is a very active
community here in the lab.
Every Wednesday night is
Bitcoin night here in Atlanta.
We also have meetups for cyber security,
artificial intelligence, decentralized
(01:05):
identity, product design, and more.
We offer day passes and nomad passes
for people who need to use the lab only
occasionally, as well as memberships
for people who plan to use the lab
more regularly, such as myself.
One of the best things about
having a BitLab membership isn't
the amenities, it's the people.
Surrounding yourself with a
community helps you learn faster
and helps you build better.
(01:27):
Your creativity becomes amplified
when you work in this space,
that's what I think at least.
If you're interested in becoming
a member or supporting this space,
please visit us at atlbitlab.com.
That's A T L B I T L A B dot com.
Alright, on to our show.
Welcome to the Sovereign Computing Show.
(01:48):
I'm Jordan Bravo.
I'm recording today from
the heart of Atlanta at ATL
BitLab with Steven De Alarm.
What's up?
Today we're gonna talk about how
to choose sovereign software.
What do we look for?
What are the signs that some
software is better than others?
So we're gonna get into that.
But first, we have a few news items
(02:11):
and products and applications to
look at. First, the article is called
"Say Goodbye to Your Custom ROMs as
One UI Kills Bootloader Unlock."
And what this is about is Samsung has
announced that it will no longer allow
people to unlock the bootloader
(02:31):
on Samsung smartphones to be able to load
their own custom operating systems on it.
So what this means is that if you
want to use any other, like, de-Googled
Android, whether that's GrapheneOS,
LineageOS, CalyxOS, you cannot
use that with Samsung devices.
(02:53):
The article mentions that this is
actually not going to change anything
for United States users because Samsung
took away the option there to unlock the
bootloader years ago, but it was kept open
for users in other parts of the world.
But that is gonna change starting
soon with their next major version.
(03:13):
If you had hopes that you could use
a Samsung phone to load a de-Googled
OS on there, a version of Android, then
unfortunately Samsung is not gonna be
an option in the future for anybody, and
it's not an option in the US currently.
So this is unfortunately a
(03:33):
step backwards in my opinion.
Right now, the Google Pixel is
the only phone that GrapheneOS can be
loaded onto because it's the only
phone that can unlock the bootloader,
put on a custom ROM and then relock the
bootloader, which gives you the most
amount of security, protects you from
evil maid attacks, physical in-person
attacks on your phone, on your device.
(03:55):
However, if you are less concerned
about that and you're willing to have
that risk of an unlocked bootloader,
there are other brands out there.
Now Samsung is no longer an option,
but there's Motorola, I believe.
I don't know.
I'm blanking on other brands.
Do you have any off the top of your mind?
I don't.
(04:16):
So this is unfortunate, this is
one less option for people to use
on Android for de-Googled OSes, but
ultimately it's not the end of the world.
There's still plenty of other
options out there, but just wanted
to bring this to your attention
and something to keep in mind.
So you mentioned that there's,
like, kind of that security risk with
(04:37):
having the bootloader open and
being able to load your own custom
firmware on there. Is that just
kind of a risk that's always going to
be there with stuff like GrapheneOS?
No.
In fact, with GrapheneOS in particular,
one of the reasons they only support being
loaded onto the Google Pixel is because
(04:57):
the Google Pixel is the only Android phone
where you can unlock the bootloader,
put on a custom OS and then
re-lock the bootloader.
Oh, okay.
So GrapheneOS doesn't suffer
from that vulnerability.
But if I have, let's say, a Motorola phone
and it's of a kind where I can unlock
the bootloader and then I load, like,
(05:19):
LineageOS, let's say, on there, or CalyxOS.
Now I've got a de-Googled
phone, a de-Googled OS,
on my Motorola phone.
But I don't have the ability
to re-lock the bootloader.
So if I left my phone in the room and
you wanted to install malware on it
or compromise it and you had physical
access to it, you could do that.
Got it.
You could mess with the
(05:40):
operating system somehow.
Do you think, I'm just curious with,
like, devices like these, do you think,
what would be their argument for,
you know, making a change like this?
Is it like, you know, well, we want to
make our users more secure so we don't
want to have the option to even
footgun yourself with an open bootloader?
(06:03):
Or is it something more like, well, we
don't make as much money on, you know,
data collection or something if this
is, you know, accessible to be replaced
with a open source operating system.
Do you have any ideas?
You know, you'll probably never hear that
second one that you mentioned, but that
might be part of the motivation, however.
(06:24):
I often hear the first one. They
don't say anything in this article
about why Samsung is doing this.
They don't, they haven't like
released a press statement.
But what I typically hear is, as you
mentioned, it's all in the name of safety.
You know, we want our
users to be secure.
We wanna protect against
malware, et cetera, et cetera.
(06:44):
So by restricting freedom on the phone,
freedom to load your own operating system.
Yes, in theory they are making
you more secure, but they're also
removing your ability to do what
you want with your own device.
Yeah.
Got it.
Any other thoughts on this article?
I think I'm good.
Yeah.
Pretty, pretty straightforward,
(07:04):
not the end of the world.
The next one we're gonna look at, the
headline reads, "Privacy Advocates Sound
Digital Sovereignty Alarm."
This is all about the age verification
requirement in the European Union,
the EU. You might've heard this,
(07:25):
but a lot of EU legislation's being
passed now. I think it started
with the UK, but it's also going live
in the EU, where they are forcing
users to have to dox themselves, to
basically KYC themselves, to provide
ID and age and identification
(07:46):
verification in order to be
able to use some basic apps.
So like, imagine you want to download
an app from the Google Play Store.
You have to first upload your driver's
license or your government ID to
your Google Play account, and then
they have to approve you and make
sure you're not on a bad person list.
(08:07):
And then you're allowed to download.
And then of course they keep track
of everything that you download.
So this is pretty dystopian and
absolutely in the opposite direction
of digital self-sovereignty.
And I don't know what the EU's, like, goal
(08:27):
is for this, but it just seems really,
they've been doing a lot of stuff lately
in this direction of just making it kind
of like a surveillance dystopia in the EU.
The weird thing about this is
they, I didn't pull up the article
here, but there's another thing,
(08:47):
another article about how the EU is
publishing papers on how they want
to be more digitally sovereign.
Yes, that's right.
They want to be more digitally sovereign.
Yeah, but they also institute
all this surveillance crap.
So it's kind of like a Dr. Jekyll,
Mr. Hyde, or maybe the reasoning
is that they wanna be more
sovereign from other countries.
(09:09):
Like they're, they're sick of
relying on American tech companies,
but they themselves have no problem
with being big brother when it
comes to their own citizens.
Yeah, that's absolutely, yeah,
it's a geopolitical concern.
It's that they want to
be able to have greater
control over where their silicon comes
from and how the chips are made
(09:29):
probably, and what software they're
using, what their supply chain risk,
geopolitical supply chain risk is.
But yeah, it doesn't have
anything to do with making the
citizens more digitally sovereign.
I will say though,
I'm kind of torn because when
I see stuff like this, they also
talk about moving in the
(09:50):
same way that they wanna move off of,
like, big tech platforms from the US,
like Microsoft, Google, et cetera.
They are putting a lot of money
into open source software.
So you'll see governments
and big corporations adopting
open source alternatives.
We're talking Nextcloud instead
of Google Docs or Microsoft,
you know, we're
(10:11):
talking Matrix instead of Slack,
Microsoft Teams, that kind of thing.
So in one sense, it's really cool to see these
open source projects getting a lot
more use, a bigger user base, which
means more funding, which means better
features, more people using it, more
security, more people developing for it.
But on the other hand, if I lived in
(10:33):
the EU, I would really be pissed off.
I would feel like the
walls are closing in when it comes
to digital sovereignty and freedom.
It is interesting though.
It does say they're trying
to provide privacy-preserving
digital proof of age for accessing
restricted online services.
It's built on the European
Digital Identity Wallet blueprint.
(10:54):
The system uses anonymous credentials
and data minimization principles.
However, security requirements mandate
Google Play distribution exclusively.
So, you know, I haven't dug into
the specifics of how this is
built or how this technology works.
If it does indeed verify privacy, it's
not out of the question that it could
(11:15):
actually use some sophisticated, you know,
arrangement or cryptography principles
to be able to verify age without,
like, keeping a record of the identity.
It's not impossible.
To me it seems like this issue is
less about, this might be less about
(11:35):
privacy and more about Google, right?
Because, like, when you look at stuff
like the DID spec and decentralized
identity, a lot of people have been
working on decentralized identity
projects for decades now.
And, you know, it's not
like the kind of topic that
really gets talked a lot about
in, like, mainstream circles.
People like to talk more about, like,
in the Bitcoin side of things, Nostr,
(11:57):
and outside of that people talk about
Bluesky and stuff like that, but,
like, decentralized identity, a lot
of people have been working on it
and on credentials for a long time.
And you can do the kind of stuff
with that where you can, like, have
a credential issuer that issues you
a credential, like you do go through
a, you know, standard KYC process.
But then they issue you
(12:18):
like a digital credential.
And with that digital credential, it
makes it so that you can then verify
that you meet certain criteria
without having to actually verify your
age or actually verify your identity.
So another take on this is
that this might actually, it
(12:38):
might actually be a good thing.
Again, I haven't really dug into
the specifics of that, but if it's
built on some of those decentralized
identity fundamentals and verifiable
credentials, this actually could be the
kind of thing where you can verify age,
without needing to know their identity.
And that could be, you know,
really powerful for, like, making
it so that, like, kids can't get to
(12:58):
porn sites and stuff like that.
But I think that the key thing that
might be critical here is, like, Google's
grip tightening on EU digital identity.
Just like the concern I'm seeing in this
article on a brief perusal is just
the idea that it only works in the Google
Play Store the way it's currently defined.
(13:18):
And so, by only working in the Google
Play Store, it could completely cut
out all of these open source app stores.
Yeah, it would be really
cool if they are using
decentralized ID technology
and verifiable credentials.
That would be cool.
But the problem is it is a Google
(13:40):
centralized platform, so it's not
like Google is, at least we don't know
from the article here, Google doesn't
seem to be opening it up to multiple
providers where, as long as you're
following the spec, you can verify yourself.
But that doesn't seem like
at all what's happening here.
It seems like they're
more locking down.
You have to use Google Play.
You have to use the Google
(14:01):
Play Integrity API.
And quoting from the article here,
it says, "This means apps from
F-Droid, Aurora Store or sideloaded
installations face elimination."
And so we've talked about this before
in previous episodes about alternative
app stores, and this sounds like it's
gonna make it even more difficult or
even impossible to be able to use those.
(14:25):
Bummer.
Yes.
Yes.
If you are in the EU and you happen
to be listening to this, let us
know what you think. Are you
concerned about this? Boost in.
And let us know what we
got wrong about it too.
Oh yeah.
I think when I jumped into the show today,
I forgot to mention that you can email us.
(14:47):
Our email address is
sovereign@atlbitlab.com.
And don't forget, you can also send
us a message with a Boostagram in a
Podcasting 2.0 app, such as Fountain
FM or Podverse, or any of the others.
Alright, let's move on
to the next article.
I wanna look at a couple of apps now,
(15:10):
for two-factor authentication.
A lot of people are familiar
with Google Authenticator.
What people might not know is that
Google Authenticator is an implementation
of an open spec, the time-based
one-time password specification.
That's where you open up an app and you
see a 30-second countdown timer and every 30
(15:32):
seconds it shows a new six-digit code and
you copy and paste that code into
whatever you're logging into, and that's
how you get two-factor authentication.
So all of that, that whole
scheme, that way that works is
a completely open specification.
And Google Authenticator just being
the most well known by most people.
But there are other options, and
(15:55):
one of 'em we're talking about
today is a new offering by Proton.
We talk about Proton a lot because
they are catering to privacy.
They're a privacy-respecting
company and they offer a
lot of open source software.
And today we're talking
about Proton Authenticator.
This is an alternative
to Google Authenticator.
(16:16):
Some of the benefits that Proton
Authenticator provides over Google
Authenticator would be that they're from
a company that respects your privacy and
their whole business model is to preserve
your privacy, rather than Google, whose
business model is to mine your data.
It is also open source.
It has zero-knowledge syncing so that
(16:37):
you can sync it across devices,
and it's completely end-to-end encrypted.
And then if you go to one of
these classic marketing charts
where they show this product against
other competitors, they show that
Proton Authenticator
is open source, encrypted sync,
(16:58):
no ads or tracking, cross-platform.
So it's for Android, iOS,
Windows, Mac, and Linux.
That's cool that they have desktop
clients as well and they have direct
export, meaning if you ever wanna pull
your data out of it and use another
app, you can do that very easily.
Steven, have you had a chance
to try Proton Authenticator?
(17:20):
I have not though.
I'm excited to try it.
This whole chart full of
green check marks makes me excited.
I currently use Authy.
I had to compare the logo here against
the one on my phone, and they're actually,
oh, I see what they're saying.
I thought that was saying they
don't support Android too, sorry.
Yeah, I mean, I've always used
Authy and that's worked pretty good 'cause
(17:41):
it at least has that encrypted sync
check mark, the Google one hasn't.
I think they stopped supporting
the desktop application, which got
really annoying 'cause I used to
love having the desktop application
because then I could just, like,
get the 2FA codes without
pulling my phone outta my pocket.
So it'd be cool if Proton is going
to have the same one here.
(18:04):
That'll be nice.
I think one potential security concern
that I've been thinking about with
2FA codes, though, is that
I've definitely seen a movement
to try and make 2FA codes, like,
easier to use and, like, for example,
1Password actually supports
2FA. You can actually put in, you
(18:26):
can actually put the 2FA codes
inside of 1Password, where you
store the username and, you
know, the email and the password and
all that kinda stuff for a website.
And that can be a little problematic
because you think about that,
the whole, like, the 2FA
code is supposed to be unique.
It's supposed to be a separate,
(18:47):
a second authentication factor
aside from the password.
So that if your password gets
compromised, you still have this other
layer, this other factor that keeps
your data and your account separate.
And so in the case of
1Password, I think it's kind of
interesting that they support it.
'Cause it's like, well, if somebody did
get my password, it might mean they have
(19:09):
access to my 1Password, and if they
have access to my 1Password, then
they also have access to the 2FA.
It doesn't mean they have
access to your 1Password.
They could have gotten your
password through other means, but
just saying that if they did
get access to your 1Password,
they would have all of that.
And I imagine that it's the same
with Proton Authenticator, like the
way a lot of their services work is
that it's like, I think it's like the
(19:30):
Proton Drive and Calendar and Mail.
It's all kind of encrypted
against the key that's, like,
derived from your password.
So, Proton has
a password manager, so if you're
using their password manager,
or you're using Proton Mail and you're
using Proton 2FA, like, you just run
into this scenario where, like, if you're
(19:51):
using the password manager and the
2FA and if that password gets leaked,
they kind of have access to all of it.
So, you know, it's one of those
things you gotta be careful with.
It might be worth, like, kind of breaking
it up and, like, using authenticators
from different services or,
I don't know.
I'm not sure, but it does
(20:11):
seem like a slight potential risk.
But having said that, I'm glad that
there's another 2FA thing on the
market and, you know, I think Proton's
a good actor in the space and all of that,
so happy to see that they have a product.
Yeah.
So, what you're saying, I know exactly what
you're talking about with the separation,
or the supposed separation, that
you're recommended to have there.
(20:34):
I use Bitwarden right now for my
two-factor authentication and, like
you were saying with 1Password,
I've got my passwords and my 2FA
codes in the same application, and so
if somebody were to compromise, get
into my Bitwarden password manager,
they would have both my passwords
(20:55):
and they would have my 2FA codes.
Like you were saying.
I personally consider it worth the risk.
I don't know, maybe I'm being
naive, but I feel like if my
Bitwarden is compromised,
that's a problem right there.
Right.
I have a bigger problem on my hands, so.
(21:15):
By having 2FA in Bitwarden,
it's a simple, like, one click or one key
press when I'm logging into something.
So it'll ask for my username and password.
That's one key press, and then 2FA
is another key press, and boom, I'm in.
Could it be more secure if I
put it on a separate device?
(21:36):
Probably.
But I feel like it's an acceptable balance.
Yeah, it might be.
I mean, it just depends on
the threat model, I guess.
'Cause that's the thing, it's like,
I guess when I think about how your
password gets leaked, it's probably
more likely to get leaked by, like,
something that intercepts your password
(21:58):
from a form input, like some kind
of malicious script on a website or
a keylogger or
something to that effect.
Probably, or, you know, if some website
service doesn't, you know, is using
a weak encryption algorithm or, like,
a weaker hashing algorithm for
(22:21):
storing their passwords, they're
not salting their database properly.
All that stuff, your password
gets reverse engineered
through, like, a database dump
with rainbow tables. Like, then, if that's
the threat model, then yeah, totally.
They're not in
your password manager.
So yeah.
I can see how you feel.
Another example would be your
(22:43):
email gets compromised and somebody
goes and resets your password on
a website, but if they don't have
your two FA code, they can't log in.
Yeah.
So one thing I wanted to point
out here is that if you want
to use Proton Authenticator,
one, it's completely free.
You don't have to sign up
for other Proton services.
And two, again, you don't have
to sign up for other Proton
(23:04):
services, meaning it's separate.
So if you are not using any of the
other Proton products, you can still use
Proton Authenticator as a standalone app.
You don't even have to
create a Proton account.
Hmm.
Wow.
Any other thoughts on this?
'Cause I wanna talk about
one other authenticator app.
Yeah, yeah, I'm good.
Okay.
The other authenticator app
is called Ente, E-N-T-E.
(23:28):
And Ente actually has a, their main
product is, sort of, a Google Photos
alternative, but their auth, Ente Auth,
is another just good authenticator app.
It is open source, it's
end-to-end encrypted for syncing.
And it is completely free to use
(23:48):
and it is also self-hostable.
So by default you
can use their servers for syncing your
end-to-end encrypted backups,
but you can also self-host it.
I have not had a chance to do that.
This is actually pretty new on
my radar, but I think at some
point I might give it a shot.
Sweet.
(24:08):
Yeah.
Yeah.
Yeah, that's probably more than I'm,
I'm gonna be lazy and use
stuff like Proton Authenticator.
One thing about Authy, I did use
to use Authy, but I found that
you have to use a phone number
with them, and I don't like that.
So I'm bullish on Proton
(24:30):
Authenticator, Ente, Bitwarden,
these kinds of options.
Yeah, I want to get off Authy, honestly,
I've been using it for too long.
It's time to make a fresh start
with a new authenticator app.
I like how on the Ente Auth page,
it gives you the different
(24:50):
download options and it's got the usual
platforms, but it also lists F-Droid.
Nice.
So they're clearly respecting
people's choice of, mm-hmm,
of app store.
It's a nice looking marketing website.
Yeah.
Real quick, even though this
is kind of off topic,
click on the Ente homepage and
(25:11):
you'll see their main product.
Hmm.
Which is again a Google
Photos alternative.
Did we cover this on another episode?
We have not.
We briefly talked about Immich, but it
might be good to do a deep dive on Ente.
Hmm.
Pretty cool.
Yeah, I like the sound of it.
(25:33):
All right.
Well, that's all of the apps and
articles we wanted to look at.
Today we're gonna talk about our
main topic, which is how to choose
self-sovereign software and what we
look for when choosing software.
I'll go through some of the things
that I look for, and then Steven,
maybe you can share your opinions.
(25:54):
I would say I look for the following.
I would prefer an app to be open source.
It's not an absolute requirement,
but it gives me a lot more trust
and comfortability with the project.
Another plus is if it is self-hostable.
Again, I may not self-host
(26:14):
it right out of the gate.
Some people may never self-host it.
That's fine.
But the fact that you can, I feel like
it's a very ethical business model.
They're saying we don't have any
magic secrets that we're hiding.
The source code is open.
You can even host your own server
if you want, but most people
are happily willing to pay for
(26:35):
the convenience of having a company
host their own infrastructure for them.
So to me that's a very
ethical business model.
It's compatible with privacy
and digital self sovereignty.
Another thing I look for is if an
app is cross-platform. Obviously, I'm
partial to more open platforms and we
know that Apple is pretty locked down.
(26:56):
But even if they do have an
Apple offering, I wanna see
them having an Android offering.
It's great if they have offerings
outside of the Google Play Store.
So if they are offering it, let's say,
on F-Droid or any of the other alternative
app stores, that's even better.
Or if you can just download
the APK, that's also great.
(27:17):
Another thing that I look for is I
don't want any vendor lock-in, and
so I look for how easy do they make
it to exit or to export your data?
So if you are unhappy with the
service or maybe they just go outta
business or go offline and you need
to take your data and go to some
other company, how easy is that?
Do they make it directly exportable
(27:39):
in a common format that you can
easily import somewhere else?
And on that similar note, do they
use open standards or open formats?
Do they, is their data locked behind
some proprietary format that nobody else
uses and maybe is completely opaque?
Or is it something that everybody uses?
Is it a JSON file, let's say?
(28:01):
Or is it a, maybe a markdown
or YAML or something like that?
Something that you can easily
save and it's plain text.
You know, you could read it with your
eyeball if you want, and then you can
easily import it into some other app
that uses an open standard as well.
Anything that you wanted to,
(28:22):
well, let me get your thoughts as
well and just kind of go through your
thought process, Steven, when you're
looking for new software, when you're
trying it out and maybe considering, do
I wanna make this part of my workflow?
Because
choosing new software is important,
right?
We're gonna be,
if it goes well and it becomes
part of our daily workflow, we might
(28:42):
be using a given piece of software
for years, maybe even decades.
So it's important when we make
these decisions, we don't want
to get sucked into a vendor,
like a walled garden, right?
This is a classic Apple
technique and Apple makes a lot of
great stuff, but they also are notorious
(29:02):
for locking you into their ecosystem.
So
you're using their phone and their
laptop and their software and now, you
know, you might look
elsewhere and say, you know what, I would
love to use software X for something,
but I can't because I would
have to change my entire ecosystem over.
(29:23):
Right?
So that's a lot of momentum that's
holding you into their ecosystem.
And that's kind of,
so anytime you make a choice about
adding a new piece of software,
I think it's important
to keep that in mind.
How hard would it be for me to
leave if I ever had to change apps?
Yeah.
I think I agree with
everything you stated.
(29:44):
I mean, I wouldn't disagree
with any of those points.
On the open source side of things, I
think it's important to investigate
and dig a little bit deeper.
No, using open source as a buzzword,
like, it's a thing that you can fall
(30:05):
for easily when companies just throw
around the word open source on their
marketing website, or sometimes they
don't use open source as a term.
They'll just put a link to
GitHub to like, make it seem
like, oh, we're cool developers.
We have a GitHub, and
we, we share our code.
(30:26):
And then you click into their GitHub
and it's just like, I don't know, an
example repo or something like that.
I mean, I've seen, like, tech startups that
will put, like, a link to their GitHub just
'cause I guess they think it gives them,
like, cool points, but it'll just be, like, a
README file with, you know, some markdown
(30:46):
links to their API docs or something and
it's like, okay, that's not open source.
You just have a
GitHub profile and then,
even when a product advertises
itself as being open source and
it actually is, like, you then have to
question, like, well, is it maintained?
(31:07):
And one thing I look for is just
going to the GitHub page and
just seeing in the commit history,
has anything happened recently?
And if you see something
that's like updated a year
ago, that might be a red flag.
If it says updated four years
ago, that's a serious red flag.
If it says updated a year ago, that
might be more like an orange flag.
(31:29):
It kind of depends on
the software in question,
like, is it the kind of thing that
doesn't need frequent updates?
Even a year, though, is still
a long time, and you would
think that there would be some
security updates or something.
But if it's a simple enough application
that doesn't really deal with sensitive
data, I could totally see it going
(31:50):
by for a year with no updates.
But you just gotta kind of keep that
in mind, that if there's no update
history, it might not be maintained.
And, you know, then it's like, even
furthermore, it's like, I like to think
about, like, well, who maintains it?
Is this, like,
Is this a startup that's moving fast
(32:11):
and it's going to be subject to change
because they're just iterating quickly?
Or is it, you know, the kind
of project that actually has
like a community behind it?
Because when there's a community
behind it, even if there's a
startup that backs it, when there's,
like, an open community for, you know,
(32:31):
even if it's just, like, a Discord
or something, if there's kind of a
place where they invite people to,
you know, share feedback and, you know,
if they welcome contributions from
people outside of their company, then
that signals that, okay, well this
is like a robust open source project
where they're thinking about long-term
(32:52):
maintainability and stuff like that.
So that makes me feel a little bit safer
adopting it if I can see more frequent
commits and if I have a better idea of
who is maintaining it and all of that.
And I think a company can
actually be a great thing.
I mean, there's a lot of examples
of open source projects that
(33:12):
have been either maintained by
companies or nonprofit foundations
dedicated to serving the project.
And that can actually be really
good because then, you know, you
actually have people who are on the
payroll of the project, so to speak.
They can commit a lot more
serious quality time towards
(33:34):
maintaining the project.
Versus a project that might just be
some developer's kind of hobby project
or something like that, that they
might forget about in six months.
So that's kind of what I think about
when I think about open source at least.
No, that's a great point.
Open source is not a panacea,
it's not a silver bullet
that will solve every problem.
(33:56):
And like you mentioned, there is
a wide spectrum of open source
projects in terms of quality, right?
On the one end you have something like
this unmaintained hackathon project that
somebody threw up four years ago after
a weekend session, and then on the other
end of the spectrum might be something
like Proton Authenticator, right?
(34:18):
By a company that's, I don't know.
I haven't seen their repo, but
I'm just saying hypothetically,
it's well maintained, well funded.
It's not going anywhere anytime soon.
It uses professional coding
guidelines and it's high quality.
So keeping all that in mind, you
mentioned you wanna see some
recent commits, that that gives you
(34:38):
more confidence in the project.
Maybe we could show
people how to check that.
Like, let's say they find a
link to an open source project
and it takes them to GitHub.
You know, maybe they don't
know anything about GitHub.
They've never used it before.
How do they check the commits?
Well, let's see.
So why don't we just pull up
this Ente one as an example.
Um, so I'm assuming this
(34:59):
is one that is open source.
Let's find out.
Hey, open source: mobile, web, desktop, CLI.
So I can see here in the footer, for those
that are only listening, I've gone down to
the footer of this Ente Authenticator app,
which we talked about earlier. In the footer
I found something that says open source,
uh, a column, and there's links
for mobile, uh, web, desktop, CLI.
So I can click on all those.
(35:20):
I'll click on the mobile one and see.
And just so people know, sometimes
you'll just see a, a GitHub logo,
uh, which is the little Octocat.
Yeah.
And that usually takes
you to their GitHub repo,
which is their source code.
And it looks like this is like a
monorepo that has stuff for mobile,
web, and desktop and all the other
(35:41):
you know, flavors of
their app inside of it.
So I'm actually gonna click on,
I'm in like a subdirectory
full of all the files.
I'm actually gonna back out and just
click on the main project name, which
is ente, and then I can see here, under the
name ente, just at the very top of GitHub,
it has like, make CI fail on warnings.
(36:03):
And it says committed 16 hours ago,
and it has a little, you know, picture of
the person who committed it and all that.
Another thing I can look at is I can go
onto the side and I can look for releases,
and it'll usually tell you, so commits
are like the developers pushing updates,
but they don't always
make that like an official release, right?
(36:25):
Like the developers are usually
always pushing new code
to a frequently maintained project, but
that doesn't necessarily mean that they're
cutting a new release, which is when
they're like, okay, we are done working
on this new version of the software.
We are giving it a release.
We're giving it a number.
In this case, it's auth v4.4.0.3.
(36:45):
Sometimes they give it kooky names.
It was released two weeks ago.
That's a good sign to me too, because
it means that they've recently done new
releases and I can go back in time and...
So this one might be a newer
project, maybe, because...
Well, you're looking at the specific release.
Oh, you're right.
Yeah.
If I go to releases, if I go back
a page, I can see all of 'em.
(37:06):
And it says, okay, two weeks ago, three
weeks ago, July 3rd, July, June 2nd.
So it seems like they have one
release every month, which is okay.
That's a good sign.
It's like, look, I'm not gonna
go through and, you know,
pick through every single bullet point
of the changelog for all the releases.
(37:27):
But I can scroll through this
page and quickly get the idea that
this is a well-maintained project.
It has a very consistent cadence for
cutting new releases of the software.
So to me, just kind of
eyeballing it live on the pod,
it looks to me like it's a well
(37:48):
maintained open source project.
Another thing that I like to
look at is going to the issues.
Yeah.
So if we scroll to the top of this
page and we go under the repository
name, we can click on issues and
there's 386 open issues right now.
And just 'cause there's 386 issues doesn't
(38:08):
necessarily mean it's bad in my opinion.
You know, what I tend to find
is that the more a piece of software
gets used, the more issues it has.
And I think the reason for
that is twofold: as it grows
in size, like as they
(38:30):
add more features, every feature
adds a little bit more complexity.
And then when you have more users and
more people using it, you increase the
likelihood that someone will use it in
a way that you didn't expect and uncover
a bug that you didn't know was there, or
request a feature that you didn't know
(38:50):
that they wanted, that sort of thing.
So then when it's a public repo,
or I should say when it's
open source with a public repo,
it's a little bit different.
Like people can just open issues.
It's not like a closed help desk
where you can't see what people
are asking at the help desk.
It's like a public help desk and
(39:11):
you can see, everybody asking
for stuff at the help desk.
And so some of these are
gonna be good requests.
Some of these are gonna be bad requests.
Some of these are gonna be
serious, absolutely critical.
We need to fix immediately requests.
And some of these are like, eh,
you know, it can wait till later.
That would be a nice-to-have.
So anyways, that was a little bit of
(39:32):
a rant, but context for people that
aren't used to looking at GitHub issues.
And I would just add that it's less
about the number of issues and more about:
are people reporting issues, and are
they being responded to and either
worked on or closed for other reasons?
So in this particular repo, we could
(39:52):
see that there are 386 open issues,
but there are 796 closed issues.
So it sounds like a lot of
issues are being closed.
Again, we don't know
if those were good or bad
issues, if they were trivial or
important critical issues.
But the fact that somebody is actively
maintaining this repo is evident by the
(40:13):
fact that issues are being addressed.
Yeah.
And, you know, like for example, in
this issue I pulled up, it's like,
you know, sounds like
someone's having an issue with faces not
being synced between desktop and mobile,
and it looks like somebody who works on
the project says, sounds like it might
be an issue with the mobile app not being
able to decode those pictures properly.
(40:36):
Can you reach out to support with
the logs and we'll take a look.
And so it looks like this kind of got
turned into more of like a customer
support thing, rather than an actual
code change in the project.
And that's the sort of thing: when you
run into stuff like this, big,
well-maintained public projects,
sometimes the issues kind
(40:57):
of end up doubling as like a customer
support pipeline and all of that.
But, you know, you can get a feel for
the pace of the project and that's
good that somebody responded to it.
So, it seems well maintained.
Yeah.
I notice this is not the Ente Authenticator.
This is the Ente Photos app.
Yeah, that's right.
(41:17):
I was incorrect.
Good.
Good call.
We had, navigated to the photo app
when we were finishing up that topic,
so I already had the tab open for it.
However, everything we just
mentioned about looking at the
repo and judging the software and
the, the project, this all applies.
It doesn't matter if this is the
authenticator app or the photo app.
Yeah.
And I'm not going to like shame some poor
(41:40):
open source project here on the podcast,
so I'm not gonna go hunting around on
GitHub trying to find a bad example.
But you can imagine that,
you know, the GitHub issues might have
issues not being responded to,
and, you know, it might say committed
four years ago and there might be
an inconsistent release schedule.
(42:01):
And hey, some of my open source
projects are like that too.
Inconsistent release schedule.
So it happens to the best of us.
You know, it doesn't mean that
the people who made it are, uh,
bad people or anything like that.
It just means that, uh, it just
might, you know, signify to you the
difference between a well-maintained,
super robust project versus something
(42:23):
that's maybe a little bit new or
maybe more of a hobby project, right?
These metrics are all health
indicators of the project.
No single one is necessarily a death knell
or, you know, make or break.
But another indicator that we could
look at is the number of contributors.
Mm-hmm.
So if you scroll down on the right
(42:43):
side of any GitHub project or even
GitLab or other repo, you'll see the
contributors and they'll have a number,
which is a number of contributors, and
then a bunch of, uh, little avatars of
each person's account who's contributed.
So this has 215 contributors, that is a
very healthy number of contributors.
(43:03):
So that's another
plus for this project.
Yeah, I think on some of the other
stuff you mentioned too, like, I mean,
yeah, self hostable is always great.
I don't really have, you know,
too much to comment on there.
Cross-platform, no vendor
lock-in, open standard format.
Yeah.
I mean, I agree with all that.
I guess it depends
(43:24):
on the software you're using.
Some types of applications
might not even have open standards or
formats, but it's good when they do.
Like, an example of that to consider
would be like, let's say you're
talking about word processing.
Well, there's ODT, the open document
type, or I think ODS, I think, is like
(43:44):
open spreadsheet or something like that.
ODF, or format.
Yeah.
And you know, that was an alternative to
Microsoft Word, Microsoft Excel, all of
those types of Microsoft Office files.
And I'm sure that was
pioneered with OpenOffice.
I might be wrong on that, but there's also
(44:05):
LibreOffice and there were other like word
processing, and shout out to OnlyOffice.
OnlyOffice.
Yeah.
Never heard of them.
But yeah.
So they must support that same
format, I'm assuming, or you
wouldn't have brought them up.
So like, yeah, these
sorts of, that's an example.
Like, okay, that format works
across, you know, all of 'em.
(44:26):
I think another way to think
about it too is like, for
what purpose are you using it?
Is this application going to be a
one-time thing or is it going to
be something that's kind of like
deeply embedded in your life forever?
So like, if you're choosing like an email
client or a password manager or a chat
(44:47):
application, like these are all the
kinds of things that are gonna become
deeply embedded in your life and you're
probably gonna use them every single day.
Then, you know, like for me,
like, you know, operating in the
kind of design and art world,
uh, I can safely pick up an open source
art application and
use it only for one project.
(45:10):
So, like I love the Blender project.
They're one of my favorite
open source projects.
Cool.
3D application.
And there's just certain, you know,
professional projects you may not be able
to use it for because you may need deeper
interoperability with like Cinema 4D,
just depending on who you're collaborating
on a video or a game or an animation with,
(45:33):
there's a ton of open source formats
it does support, but you know, depending
on the team you're working with or the
kinds of tools you need to integrate
with, it might not be your daily driver,
but I can safely pick it up for like one
project that's only me working on it.
Right.
And so there are some kinds of
(45:53):
self-sovereign open source tools that
you, you know, you might use just
for one-off projects because you can
safely use those sorts of things.
And, you know, if the project is no
longer supported anymore or, uh,
isn't interoperable with, you know,
your friend's software, that's fine.
(46:14):
So I think that's like, you know,
just depends on like your use case.
Is this a daily driver?
Is this a one off project?
You know, all that kind of stuff.
Hmm.
I did have one other category that I look
at when it comes to choosing software.
And this is kind of a no brainer
that I almost forgot to mention
it, but that is how good is the UI
(46:34):
and the UX. That's right, that's the
user interface and user experience.
Now, if I am choosing in some
categories of applications,
your choice is gonna be limited.
If you are prioritizing things
like open source, self-hostable,
cross-platform, all these other things, you
might only have one or two choices, right?
(46:55):
But all other things being equal,
if one has a pleasant UI that's
delightful to use and it's super
easy to figure out and discoverable,
and the other one is old-looking and
ugly, then obviously I'm gonna go with the one
that has the better UI, the UX, so that,
that one might seem a little obvious.
(47:15):
There's not a whole lot to dwell on
there, but I just wanted to bring it up.
It is something that goes through
my head as I'm choosing software.
Yeah, totally.
I mean, on the note of Blender, it
was like for the longest time they
had this interface that felt very
nineties, and I think it really
harmed the adoption of the software.
(47:36):
You know, even though they had their
reasons for it, but, you know, like before
left-clicking on the mouse was the norm.
Like in the nineties, like there was
just like, before Windows and Mac just
completely, I guess I should say before
Windows completely stole mind share.
Society hadn't quite settled on this
idea that like right click opens a menu
(47:57):
and left click is the primary action.
And, uh, it was like...
You know, 'cause you would buy an
Apple computer and in those days Apple
computers just had a single button
on the mouse and it was the PCs, it
was Windows with the double mouse.
And then sometimes you'd go like this, the
Sun Unix computers from the late eighties
and early nineties would've three buttons.
(48:19):
I'm not talking like scroll
wheel, I'm talking about like, it
would be a mouse with like three
discrete buttons on the face.
and so there was just like a lot more
like variety in terms of even mouse input.
And like Blender was kind of made in
that period in the nineties and they
had just some kind of quirky mouse
behavior and the way their UI worked and
it just really confused, you know, the
(48:40):
crap out of everyone for a long time.
And they finally updated the
UI and it looks more modern now
and you can use the mouse thing.
And that was a huge hindrance.
Even though it's a solid 3D rendering engine, it
just, the UI messed with everybody.
And then another example is Penpot.
You know, Figma, I just
love Figma as a piece of software.
The experience is great
(49:00):
as design software.
I know they're tracking my every move
and I just try to not think about it.
And I've tried to adopt Penpot, which
is like the self-hostable, open source,
pay-to-host alternative to it, so many times.
And every time I try to use it, I
just like, I'm frustrated within
like 15 minutes or within 30 seconds.
(49:20):
Like the performance is just
such garbage.
And it just pains me to say that
because it seems like a team of nice
people working on it, working very
hard, and they've actually shipped
some incredibly cool features like
design tokens and an open API.
Like they really
put a lot of thought into the
types of features they support, but
(49:42):
because the rendering engine is so
slow when you're using it, it just,
the performance just feels so janky.
And so it's like, well,
it's not a daily driver.
So I can't adopt it as a
designer because of the user experience.
No matter how great the ethos of
the team is or how much I like their
(50:02):
feature set, the UX just
doesn't work as a daily driver for me.
So.
But I'm hoping that they're gonna
overhaul the render engine one of
these days, and I'll be able to come
back on another episode and report
that I've, you know, dropped Figma
that, you know, one day I can dream.
Yeah, that'll be cool.
While you were talking about
that, it reminded me of another
(50:24):
aspect that we haven't really covered
yet, which is, well, we talked about
health metrics of a project, right?
You go into the GitHub,
recent commits, that kind of thing.
But what about monetization and
a business model? You've had,
we've seen in the past instances
of projects that come out and
they're open source and they're
(50:44):
awesome and everybody loves it.
But then the maintainers, they don't
get paid and they get burned out,
or they get pulled onto something
else or move on with their lives
and the project dies on the vine.
So something else that's good to see, I
think, is, does this product or project
have a sustainable business model or does
(51:05):
it have a healthy monetization source?
And that that can be another factor
in determining what software might
stick around for the long run.
Yeah, that's a great point.
'cause they all have different ones.
Again, if you have one that's just like
a solo dev maintaining it in their free time,
you know, you don't know if that project
(51:26):
is gonna make it or not, and you know,
maybe you don't wanna, you know, maybe,
if it's going to be a pain to move off
of it, it might not be your daily driver.
Yeah, that's obviously bad.
Then you have stuff that's like Signal.
We've talked about
Signal a lot on the show.
I think there's a Signal Foundation.
Yes.
I'm pretty sure they're
(51:46):
funded entirely by donors.
Like there's no business
model for Signal, so.
Okay.
That's pretty interesting.
And I don't know what their team
size is right now, but I think when I
first started using Signal like seven
or eight years ago, it was like six
people working on it or something.
Huh?
(52:06):
At the company full time.
It was lean.
That's what it looked like, at least.
Maybe they've grown in size
by now, but the point is that they
seem to be able to persist off of this,
like, open source foundation donor
model. It is kind of a source of concern
(52:29):
of like, well, what if whoever stops
donating to them? Like, who's gonna
ultimately foot the bill for Signal?
You gotta pay the devs for
security updates and maintenance.
They have to run some
infrastructure to make that magic happen.
So maybe that's a concern, but...
You know, I'm not trying to
(52:49):
like spread FUD about Signal.
I love it and use it every single day.
But you have to think about these things.
You know, sometimes you see with projects
though, they'll have an open source
foundation and they'll get a lot of
corporate donors and that would be good.
Like the Linux Foundation.
I mean, I don't know who funds them, but
it must be like corporate donors, right?
(53:09):
I mean like, yeah, a lot of companies
are on the board of the Linux
Foundation, like Microsoft, Red Hat,
Google, et cetera.
Probably openSUSE, maybe.
Yeah.
Or Canonical.
Yeah.
Like, so you, you know, you have
companies that, that always makes
sense if you have a foundation that
(53:30):
has like a lot of corporate backing,
you at least know the foundation
has deep pockets at that point.
I think another great model is just when
you have a project that has a company
that's incentivized to run it. I think the
pay-to-host is a very valid business
model, and when you just have a
pay-to-host, at least you know that
(53:51):
it's a company and the company has
an incentive to keep supporting it.
So that also works too.
But that's the kind of thing: when
there's no money involved, that's
almost like maybe a red flag for me.
It's not a red flag that
there's a malicious attempt.
(54:11):
It's just a red flag for me of like, is
it mature enough to be a daily driver?
Well, I certainly don't want to cut you
off, but why don't we tease this for a
future episode where we go into detail
about open source business models, ethical
business models, and that whole topic,
and we can really do a deep dive on it.
Yeah, sounds good to me.
(54:31):
All right.
Well, were there any other
criteria that you wanted to cover
or anything else regarding our topic
today of how to choose software?
I don't think so.
Alright.
Well thanks a lot everybody,
and we'll see you next time.
Catch you later.
Hey, thanks for listening.
I hope you enjoyed this episode.
If you want to learn more about
anything that we discussed, you can
(54:53):
look for links in the show notes
that should be in your podcast
player, or you can go to
atlbitlab.com/podcast.
On a final note, if you found
this information useful and you
want to help support us, you can
always send us a tip in Bitcoin.
Your support really helps us so that we
can keep bringing you content like this.
All right.
(55:13):
Catch you later.