Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Some modified Searx public instances found in searx.space don't comply with the AGPLv3 license #23

Open
caribpa opened this issue Mar 19, 2020 · 12 comments
Labels

Comments

@caribpa
Copy link

caribpa commented Mar 19, 2020

Quoting an excerpt of the AGPLv3 summary found in the license page of Searx:

[...] When a modified version is used to provide a service over a network, the complete source code of the modified version must be made available.

This is expanded on Section 13 but basically means that if you change anything* from the source project, then you must offer a public link to your changes. Here is a question about this matter.

If we access to the modified public instances found in searx.space, we can find that the majority of them don't offer a link to their sources. Instead, the Source Code link provided at the bottom of their main page still points to https://github.com/asciimoo/searx (some don't even have this link) and their actual sources cannot be found anywhere on their site, violating the AGPLv3 license.

* Although not stated directly in the license, code or configuration files storing secrets are excluded, unless these specific secrets (and not others) are needed for the software to work properly, according to these two sources.

@dalf dalf added the meta label Mar 20, 2020
@dalf
Copy link
Contributor

dalf commented Mar 20, 2020

This makes sense but for some instance, only one image and one CSS file are different. I don't know if it can considered as publication, since the browser downloads it ?

Some instances have published a link to their source code at the bottom of the index page, for example https://spot.ecloud.global/

An idea:

  • the settings.yml (in searx) configuration file contains a link to the source code.
  • the theme uses that settings to display the right URL for "source code"
  • the /config URL contains the source code URL ( should be in https://spot.ecloud.global/config for the spot.ecloud.global instance)

Then searx-stats2 can fetch this information and display it.


Brain storming / enhancement: searx.space could clone the git repository and compare

@caribpa
Copy link
Author

caribpa commented Mar 21, 2020

According to the license, you have to publish the full source code if you modify or add anything (except in the case of non-specific secrets as stated before).

I understand that it would be a PITA having to store separately the full source code if you change only one color from a CSS sheet (and make sure it stays up to date with any other modifications), but this is the way the license works.

Though it may seem that storing just a diff in your instance (and presenting it as Source Code) will yield the same result while saving space and being more convenient when tracking the changes, there is an issue in this approach: If my modified Searx instance is based on another Searx instance and the latter goes down, my modified Searx instance would have a diff file that might fail when applying it to vanilla code. This is assuming that the diff file was created from the changes made to code from a non-vanilla public instance. But even if we decide to create a diff based on vanilla code, it may happen that the vanilla code disappears or changes, thus having the same problem as before.

So the code should be stored in its completion and should be publicly accessible.

@caribpa
Copy link
Author

caribpa commented Mar 21, 2020

Also I believe that searx.space, apart from comparing the public instance's code with the vanilla code, it should also compare the stored instance's code with the actual webpage presented by the public instance to prevent people from lying or forgetting about updating their public source code.

@caribpa
Copy link
Author

caribpa commented Mar 21, 2020

By the way, I suggest that an announcement or something should be presented on https://github.com/dalf/searx-instances requiring the public instances to be compliant with the AGPLv3 license, and contact the public instance owners listed on searx.space asking them to make their source code public within a month (for example) or their instances will be removed from searx.space for violating the license.

@caribpa
Copy link
Author

caribpa commented Mar 21, 2020

Forgot to say that you are only required to store and make your source code accessible if you modified the original project (with the exceptions noted in the OP). If your public instance runs vanilla code* then you don't have to store it and the Source Code link can point to the original project.

* If my public instance is a non-modified copy of a modified Searx public instance AGPLv3 compliant (such as search.privacytools.io), my instance's code is considered vanilla so there is no need in storing it and changing the Source Code link.

@ghost
Copy link

ghost commented Mar 23, 2020

Forgot to say that you are only required to store and make your source code accessible if you modified the original project (with the exceptions noted in the OP). If your public instance runs vanilla code* then you don't have to store it and the Source Code link can point to the original project.

***** If my public instance is a non-modified copy of a modified Searx public instance AGPLv3 compliant (such as search.privacytools.io), my instance's code is considered vanilla so there is no need in storing it and changing the Source Code link.

<script type="text/javascript">
  var _paq = window._paq || [];
  /* tracker methods like "setCustomDimension" should be called before "trackPageView" */
  _paq.push(['trackPageView']);
  _paq.push(['enableLinkTracking']);
  (function() {
    var u="https://stats.privacytools.io/";
    _paq.push(['setTrackerUrl', u+'matomo.php']);
    _paq.push(['setSiteId', '2']);
    var d=document, g=d.createElement('script'), s=d.getElementsByTagName('script')[0];
    g.type='text/javascript'; g.async=true; g.defer=true; g.src=u+'matomo.js'; s.parentNode.insertBefore(g,s);
  })();
</script>
<noscript><p><img src="https://stats.privacytools.io/matomo.php?idsite=2&amp;rec=1" style="border:0;" alt="" /></p></noscript>

it looks very poor!!!

@caribpa
Copy link
Author

caribpa commented Mar 23, 2020

@nibbleidea care to explain your quote? I am not affiliated with privacytools.io nor I did write that code :)

@ghost
Copy link

ghost commented Mar 23, 2020

@nibbleidea care to explain your quote? I am not affiliated with privacytools.io nor I did write that code :)

this code is tracking users

@caribpa
Copy link
Author

caribpa commented Mar 23, 2020

this code is tracking users

I saw it but what does it have to do with what I said?

@caribpa
Copy link
Author

caribpa commented Mar 23, 2020

Btw @nibbleidea privacytools.io openly states in their Privacy policy that they do track you. Ironic I know 🤦‍

@TheEvilSkeleton
Copy link

any update?

@dalf
Copy link
Contributor

dalf commented Jul 10, 2020

About new instances:

About the existing instances, this is issue is related to dalf#45

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
Projects
None yet
Development

No branches or pull requests

3 participants