corinthia-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From jan i <>
Subject Re: [PROPOSAL] White-Box Releases Only
Date Sun, 21 Dec 2014 18:48:43 GMT
On Sunday, December 21, 2014, Dennis E. Hamilton <> wrote:

> I am not clear on to what degree Corinthia Source releases will allow
> building of binaries that are end-user meaningful and working in anything
> more than console sessions.  This proposal is intended to anticipate the
> prospect of the code being compilable to store "apps" and GUI-based
> end-user applications on many form factors and platforms.  This proposal is
> particularly relevant to cases where forks will compete for monetization,
> including via embedded advertising and also sales through search-engine
> optimization and purchased ad placement.

Terminology is important here. We will only have source releases, but we
will have several convenience  binaries:
- dfformat library to be embedded in other projects
- dfconvert an appl to convert files
- dftest, is more internal
- editor which hopefully is the appl used most.

all these should be made available on all platforms we support.

I do however not see that as white box or black box, which are terms more
related to test.

> Corinthia project source code releases and the source-code repository
> shall build to "white box" binaries and distributions/deployments with
> default branding as unsupported Corinthia development editions (stable or
> otherwise).  Provisions for branding of a distribution (and distributions
> of forks) will be incorporated and given default settings.  This also
> extends to producing digitally-signed versions designed to satisfy
> certification requirements for introduction into software "app" stores.
> There may be instructions for how to successfully build a branded and
> supported authentic distribution, but one should not be directly obtainable
> using the stable source without modification.

If we use digital signing then it for sure will be a branded product.  In
general I am in favor for branded applications and non-branded libraries
and source.

> [There is no time-limit on this proposal.  Let's see the discussion first.]
> If there are to be convenience binaries that are branded as authentic
> Apache Corinthia (incubating) distributions, there must be an arrangement
> where the branded builds are accomplished in an auditable way without
> releasing the branding materials to the public.  These builds cannot be
> part of the Apache Release process, but there would have to be arrangements
> that demonstrate the integrity of the resulting code.

+1 we do want to repeat the problems from AOO.

> Note: This is not intended to prevent commercial derivatives of Corinthia
> source code, whether closed source or with licensed open source code.  It's
> just about misidentification of authentic origins.
> It must not be easy to produce a fake product that trades on "Corinthia"
> and its Apache project status as a way of obtaining sales and abdicating
> any support obligations by passing-off to the Corinthia project.  Fakery
> can be innocent/careless, it can be willful (it has to be at least that
> much in the case of this proposal), and it can be malicious.  All of these
> are seen with impersonation of "Open Office" and it can be expected in the
> current mobile space "Wild West" equivalent of patent-medicine nostrums.

here we only talk about dfconvert and the editor. It would be nice to have
digital signing for those....and knowing the signing process (with my infra
hat) this is not difficult.

thanks for starting this discussion.

jan i.

> An example of the situation is on this thread:
> <
> >.

Sent from My iPad, sorry for any misspellings.

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message