This ignores the first part of my response - if I, as a legitimate user, might get caught up in one of these trees, either by mistakenly approving a bot, or approving a user who approves a bot, and I risk losing my account if this happens, what is my incentive to approve anyone?

Additionally, let’s assume I’m a really dumb bot creator, and I keep all of my bots in the same tree. I don’t bother to maintain a few legitimate accounts, and I don’t bother to have random users approve some of the bots. If my entire tree gets nuked, it’s still only a few weeks until I’m back at full force.

With a very slightly smarter bot creator, you also won’t have a nice tree:

As a new user looking for an approver, how do I know I’m not requesting (or otherwise getting) approved by a bot? To appear legitimate, they would be incentivized to approve legitimate users, in addition to bots.

A reasonably intelligent bot creator would have several accounts they directly control and use legitimately (this keeps their foot in the door), would mix reaching out to random users for approval with having bots approve bots, and would approve legitimate users in addition to bots. The tree ends up as much more of a tangled graph.

This ignores the first part of my response - if I, as a legitimate user, might get caught up in one of these trees, either by mistakenly approving a bot, or approving a user who approves a bot, and I risk losing my account if this happens, what is my incentive to approve anyone?

Additionally, let’s assume I’m a really dumb bot creator, and I keep all of my bots in the same tree. I don’t bother to maintain a few legitimate accounts, and I don’t bother to have random users approve some of the bots. If my entire tree gets nuked, it’s still only a few weeks until I’m back at full force.

With a very slightly smarter bot creator, you also won’t have a nice tree:

As a new user looking for an approver, how do I know I’m not requesting (or otherwise getting) approved by a bot? To appear legitimate, they would be incentivized to approve legitimate users, in addition to bots.

A reasonably intelligent bot creator would have several accounts they directly control and use legitimately (this keeps their foot in the door), would mix reaching out to random users for approval with having bots approve bots, and would approve legitimate users in addition to bots. The tree ends up as much more of a tangled graph.

I think this would be too limiting for humans, and not effective for bots.

As a human, unless you know the person in real life, what’s the incentive to approve them, if there’s a chance you could be banned for their bad behavior?

As a bot creator, you can still achieve exponential growth - every time you create a new bot, you have a new approver, so you go from 1 -> 2 -> 4 -> 8. Even if, on average, you had to wait a week between approvals, in 25 weeks (less that half a year), you could have over 33 million accounts. Even if you play it safe, and don’t generate/approve the maximal accounts every week, you’d still have hundreds of thousands to millions in a matter of weeks.

This is not true. The GPL does not force anyone to give up their code, unless they distribute it. From the “Definitions” section:

A “covered work” means either the unmodified Program or a work based on the Program.

And

To “convey” a work means any kind of propagation that enables other parties to make or receive copies. Mere interaction with a user through a computer network, with no transfer of a copy, is not conveying.

And from the “Basic Permissions” section:

You may make, run and propagate covered works that you do not convey, without conditions so long as your license otherwise remains in force. You may convey covered works to others for the sole purpose of having them make modifications exclusively for you, or provide you with facilities for running those works, provided that you comply with the terms of this License in conveying all material for which you do not control copyright. Those thus making or running the covered works for you must do so exclusively on your behalf, under your direction and control, on terms that prohibit them from making any copies of your copyrighted material outside their relationship with you.

Conveying under any other circumstances is permitted solely under the conditions stated below. Sublicensing is not allowed; section 10 makes it unnecessary.

Under the terms of the GPL, the owner can revoke your access for any violation of the license, and at their discretion, they can make that revocation permanent. The GPL does not guarantee equal treatment - an author can punish one person harshly, and another not at all. It still comes down to the author. Yes, there is a small barrier in that you have to find a violation, but if you look hard enough, you can probably find a violation - especially in large projects using libraries distributed under multiple different licenses.

the FUTO license can revoke the license just because Rossmann says so. It is a mechanism to keep Rossmann the owner of everything that spawns from the code of the app and being the only one who can make money from it. If Rossmann doesn’t like someone who wants to redistributes the app, he can immediately revoke their license.

Quoting from my comment here:

They’re just trying to prevent a company from making money off the free labor of the authors. It’s the same issue that has plagued other projects, such as Elastic Search, which ultimately led it to change licenses. And it’s why MariaDB created the BSL, which they and other companies have adopted (very similar terms here - source free to use for non-commercial purposes).

If the hangup is specifically that they can change the terms, or revoke rights altogether, the other licenses also allow for that - that’s how these projects are changing licenses at all, and it happens quite a bit. I have personally contributed to projects that were GPL, and then went Apache.

only one who can make money from it

This is not true. You can make and sell plugins, you could offer support, you could sell your services as a code auditor/security expert… anything other than selling the code you didn’t write. On top of that, in practice, this isn’t different from anything else - most contributors to open source projects don’t profit from them, unless they work for the organization that owns the project. When the non-owners do profit, it’s usually big companies and results in the license changes I’ve described above.

A user that doesn’t care about licensing is typically called a pirate.

The license literally does not govern the usage of the app. Here’s the first line:

This license grants you the rights, and only the rights, set out below in respect of the source code provided.

Read the entire license (it’s only 32 lines), and you won’t find anything related to using the product, only the code.

This license should only be scary to developers, who might build on the project, and then have it taken away. As a user, your concerns are different, and this license vs the GPL, or any other FOSS, or even source available license, are more-or-less the same. As a user, your primary concerns are probably going to be related to the security and privacy related aspects, and as long as you have access to the source, you can audit it and ensure it meets your standards. If they choose to revoke access to the code, as a user, you’re in the same boat you described - don’t take new versions because you can’t audit them, but you can stay on the old version. They can’t revoke that access with this license, because again, this license literally does not govern usage of the product.

repackaging is a fundamental software freedom

Re-packaging is fine. You just can’t sell it.

They’re just trying to prevent a company from making money off the free labor of the authors. It’s the same issue that has plagued other projects, such as Elastic Search, which ultimately led it to change licenses. And it’s why MariaDB created the BSL, which they and other companies have adopted (very similar terms here - source free to use for non-commercial purposes).

If the hangup is specifically that they can change the terms, or revoke rights altogether, the other licenses also allow for that - that’s how these projects are changing licenses at all, and it happens quite a bit. I have personally contributed to projects that were GPL, and then went Apache.

As a developer, I could certainly see not wanting to build on the project while the license is what it is, but as a user, I don’t think this license is bad. I also think this is likely temporary (hence the name - “FUTO Temporary License”), and the tight grip on the rights are probably just so they can re-license later (hopefully to something a little more permissive). I could definitely be wrong, but given Louis’s track record of fighting for things like right-to-repair, I’d give him the benefit of the doubt here. He could certainly prove me wrong though, if they do anything shady. Feel free to rub it in my face if he ever does.

Edit:

Just for proof, here’s the specific line that says you can re-package and redistribute, from section 2, line 2:

2. You may provide the code to anyone else and publish excerpts of it for the purposes of review, compilation and non-commercial distribution, provided that when you do so you make any recipient of the code aware of the terms of this license, they must agree to be bound by the terms of this license and you must attribute the code to the provider.

As a user, or a developer? As a user, I don’t think it matters. As a developer, I think other licenses have similar carve outs, e.g. the GPLv3 section 8 is a whole section on “termination” - the copyright holder can revoke your rights for any ticky-tack violation of the license, and at their discretion, the revocation can be permanent.

Additionally, even with other FOSS licenses, the copyright holder can re-license the project. If I had to guess, this ability to re-license is probably why it is written as it is - the license is called the “FUTO Temporary License.” I would assume it’s written as is so they can re-license later, and they just want to cover their bases now. It’s entirely possible that’s incorrect, and they’ll clamp down. I’m personally willing to give them the benefit of the doubt (though having said that, I have no intention of buying, using, or contributing to this project).

According to the license, it is better than source available. You can modify and redistribute, you just can’t sell it. Other than that caveat, as far as I can tell, your rights are basically the same as with other open source licenses. (Feel free to correct me if I’ve missed something.)

Is there a particular aspect of the FUTO license you are concerned with? The code is publicly available, and the license seems to allow you to do anything you want, except sell the code. Other than not allowing you to re-package and sell the code, it seems like your rights are very similar to anything distributed via the GPL.

Am I missing something?

I noted in another comment that SearXNG can’t do anything about the trackers that your browser can’t do, and solving this at the browser level is a much better solution, because it protects you everywhere, rather than just on the search engine.

Routing over Tor is similar. Yes, you can route the search from your SearXNG instance to Google (or whatever upstream engine) over Tor, and hide your identity from Google. But then you click a link, and your IP connects to the IP of whatever site the results link to, and your ISP sees that. Knowing where you land can tell your ISP a lot about what you searched for. And the site you connected to knows your IP, so they get even more information - they know every action you took on the site, and everything you viewed. If you want to protect all of that, you should just use Tor on your computer, and protect every connection.

This is the same argument for using Signal vs WhatsApp - yes, in WhatsApp the conversation may be E2E encrypted, but the metadata about who you’re chatting with, for how long, etc is all still very valuable to Meta.

To reiterate/clarify what I’ve said elsewhere, I’m not making the case that people shouldn’t use SearXNG at all, only that their privacy claims are overstated, and if your goal is privacy, all the levels of security you would apply to SearXNG should be applied at your device level: Use a browser/extension to block trackers, use Tor to protect all your traffic, etc.

They are explicitly trying to move away from Google, and are looking for a new option because their current solution is forcing them to turn off ad-blocking. Sounds to me like they are looking for a private option. Plus, given the forum in which we are having the discussion (Lemmy), even if OP is not specifically concerned with privacy, it seems likely other users are.

As for cookies, searxng can’t do any more than your browser (possibly with extensions) can do, and relying on your browser here is a much better solution, because it protects you on all sites, rather than just on your chosen search engine.

“Trash mountain” results is a whole separate issue - you can certainly tune the results to your liking. But literally the second sentence of their GitHub headline is touting no tracking or profiling, so it seems worth bringing attention to the limitations, and that’s all I’m trying to do here.

You mean between their instance and the final search engines? Or between them and a public instance of searxng?

In either case, I’m not sure it buys you anything in terms of privacy you wouldn’t get by using the VPN and going directly to the search engines.

It looks like a few people are recommending this, so just a quick note in case people are unaware:

If you want to avoid being tracked, this is not a good solution. Searxng is a meta search engine, meaning it is effectively a proxy: you search on Searxng, it searches multiple sites and sends all the results back to you. If you use a public instance, you may be protected from the actual search engine*, because many people will use the same instance, and your queries will be mixed in with all of them. If you self host, however, all the searches will be your own - there is then no difference between using Searxng and just going to the site yourself.

*The caveat with using the public instances is while you may be protected from the upstream engine, you have to trust the admins - nothing stops them from tracking you themselves (or passing your data on).

Despite the claims in their docs, I would not consider this a privacy tool. If you are just looking for a good search engine, this may work, and it gives you flexibility and power to tune it yourself. But it’s probably not going to do anything good for your privacy, above and beyond what you can get from other meta search engines like Startpage and DuckDuckGo, or other “private” search engines like Brave.

This isn’t necessarily true - a developer choosing to not include their app in a repo can always opt for a self-updating mechanism.

Don’t get me wrong - repos and tooling to manage all of your apps at once are preferred. But if a developer or user wants to avoid the Canonical controlled repo, I’m just pointing out there are technically ways to do that.

If you’d question why someone would use snap at all at that point… that would be a good question. The point is just that they can, if they want to.

The age and obscurity of the library is irrelevant - you could always include libraries bundled with the app, if they didn’t exist in system repos. For example, in deb packages, you could include it in the data.tar portion of the package (see https://en.m.wikipedia.org/wiki/Deb_(file_format)).

Libraries with version names baked in are one solution to the dependency hell problem, but that requires support from the language/framework/tooling to build the application, and/or the OS (or things get hacky and messy quickly).

If you read that dependency hell page, you’ll see another solution is portable apps, which specifically mentions Appimage, Flatpak, and Snap.

Additionally, if you read the Debian docs on How to Cope with Conflicting Requirements, the first solution they give is to “Install such programs using corresponding sandboxed upstream binary packages,” such as “Flatpak, Snap, or AppImage packages.”

Bin the consumer environment? It is nice and good practice but it is nowhere near as important as it used to be.

This is incorrect. The target audience for Flatpak is desktop users: https://docs.flatpak.org/en/latest/introduction.html#target-audience. Flatpaks are explicitly for consumer, graphical applications.

It’s worth noting you can bypass the repo, and install snaps that you downloaded from some other source - see https://askubuntu.com/questions/1266894/how-can-i-install-a-snap-package-from-a-local-file.

That doesn’t give you a separate “repo,” but it does allow you to install snaps from anywhere.

It’s actually less about the library being obscure, and more about version conflicts, which is actually more a problem with common libraries.

For example, let’s say you want to install applications A, B, and C, and they each depend on library L. If A depends on Lv1, and B depends on Lv2, and C depends on Lv3, with traditional package management, you’re in a predicament. You can only have one copy of L, and the versions of L may not be compatible.

Solutions like snap, flatpak, appimage, and even things like Docker and other containerization techniques, get around this issue by having applications ship the specific version of the library they need. You end up with more copies of the library, but every application has exactly the version it needs/the developer tested with.

I have no personal experience with this company, but I’ve followed them for a few years. I was initially very interested in their laptops, but was also very excited when the phone was announced. In the years since the phone was announced, I’ve heard and read many negative things about build quality and software on their laptops, and I’ve seen the shipment of the phones get repeatedly delayed. More recently, https://youtu.be/wKegmu0V75s showed up in my feed. I would recommend anyone considering purchasing from them watch that video, and do a little research into their security/openess claims, as well as customer satisfaction.

Again, I don’t have the personal experience to say they are bad in anyway, but I don’t want to see anyone get scammed, so I would recommend healthy skepticism and due diligence before making a purchase.