• taaz@biglemmowski.win
    link
    fedilink
    English
    arrow-up
    1
    ·
    8 months ago

    We’ve consolidated all our code into a single repository – just clone ente-io/ente on GitHub, and you will have at your disposal a state of the art, end-to-end encrypted, full stack (mobile/web/desktop clients, the server, and a CLI to boot) alternative to Google Photos and Apple Photos.

    • Moonrise2473@feddit.it
      link
      fedilink
      English
      arrow-up
      0
      ·
      8 months ago

      This seems a disadvantage, a single repo that does everything seems inconvenient and unnecessarily complex for a casual hobbyist that wants to try the project

      • stoicmaverick@lemmy.world
        link
        fedilink
        English
        arrow-up
        0
        arrow-down
        1
        ·
        8 months ago

        I don’t think so Tim! Just stick it all in one repo/compose file and smash the ‘go’ button. Are you paying by the directory or something?

  • corsicanguppy@lemmy.ca
    link
    fedilink
    English
    arrow-up
    1
    ·
    8 months ago

    The first two things I saw:

    • docker seems to be required
    • the download page seems to require javascript

    Too much neu hype. Done.

    • cmhe@lemmy.world
      link
      fedilink
      English
      arrow-up
      0
      ·
      8 months ago

      Only really nice when not CLA is required and every contributor retains their copyright. Ente doesn’t seem to require a CLA.

      Otherwise it allows the owner to just take the changes from their contributors and change the license at a later date.

      • Arthur Besse@lemmy.ml
        link
        fedilink
        English
        arrow-up
        1
        ·
        edit-2
        8 months ago

        edit: the two issues i raised in this comment had both already been addressed.

        this was the developer’s reply on matrix:

        1. We do have a CLA: https://cla-assistant.io/ente-io/ente
        2. We will update the iOS app to offer you an option to point to your self hosted instance (so that you can save yourself the trouble of building it): https://github.com/ente-io/ente/discussions/504
        3. The portion of the document that deals with authentication has been outdated, my bad. We’ve adopted SRP to fix the concerns that were pointed out: https://ente.io/blog/ente-adopts-secure-remote-passwords/
        here is my original comment

        AGPL-3.0

        Nice

        This would be nice, but, this repo includes an iOS app, and AGPL3 binaries cannot be distributed via Apple’s App Store!

        AGPL3 (without a special exception for Apple, like NextCloud’s iOS app has) is incompatible with iOS due to the four paragraphs of the license which mention “Installation Information” (known as the anti-tivoization clause).

        Only the copyright holder(s) are able to grant Apple permission to distribute binaries of AGPL3-licensed software to iOS users under non-AGPL3 terms.

        Every seemingly-(A)GPL3 app on Apple’s App Store has either copyright assignment so that a single entity has the sole right to distribute binaries in the App Store (eg, Signal messenger) or uses a modified license to carve out an Apple-specific exception to the anti-tivoization clause (eg, NextCloud). In my opinion, the first approach is faux free software, because anyone forking the software is not allowed to distribute it via the channel where the vast majority of users get their apps. (In either case, users aren’t allowed to run their own modified versions themselves without agreeing to additional terms from Apple, which is part of what the anti-tivoization clause is meant to prevent.)

        Only really nice when not CLA is required and every contributor retains their copyright. Ente doesn’t seem to require a CLA.

        I definitely agree here! But if it’s true that they’re accepting contributions without a CLA, and they haven’t added any iOS exception to their AGPL3 license, then they themselves would not be allowed to ship their own iOS app with 3rd party contributions to it! 😱 edit: it’s possible this is the case and Apple just hasn’t noticed yet, but that is not a sustainable situation if so.

        If anyone reading this uses this software, especially on iOS, I highly recommend that you send the developers a link to this comment and encourage them to (after getting the consent of all copyright holders) add something akin to NextCloud’s COPYING.iOS to their repository ASAP.

        cc @[email protected] @[email protected] @[email protected]

        (i’m not a lawyer, this is not legal advice, lol)

        edit: in case a dev actually sees this… skimming your architecture document it looks like when a user’s email is compromised (“after you successfully verify your email”), the attacker is given the encryptedMasterKey (encrypted with keyEncryptionKey, which is derived from a passphrase) which lets them perform an offline brute-force attack on the passphrase. Wouldn’t it make more sense to require the user to demonstrate knowledge of their passphrase to the server prior to giving them the encryptedMasterKey? For instance, when deriving keyEncryptionKey, you could also derive another value which is stored on the server and which the client must present prior to receiving their encryptedMasterKey. The server has the opportunity to do offline attacks on the passphrase either way, so it seems like there wouldn’t be a downside to this change. tldr: you shouldn’t let adversaries who have compromised a user’s email account have the ability to attack the passphrase offline.

        (i’m not a cryptographer, but this is cryptography advice)

    • RedNight@lemmy.ml
      link
      fedilink
      English
      arrow-up
      0
      ·
      8 months ago

      I’m trying to learn about licensing. Why do you like AGPL-3.0 compared to others?

      • baduhai@sopuli.xyz
        link
        fedilink
        English
        arrow-up
        1
        ·
        edit-2
        8 months ago

        The AGPL applies copyleft to web services. If you’re learning about licensing, it might be worth googling copyleft. Fascinating concept, and, in my opinion, something to subscribe to.

  • HybridSarcasm@lemmy.worldM
    link
    fedilink
    English
    arrow-up
    1
    ·
    8 months ago

    If you really want to serve the self-hosting community, please improve your documentation. As someone unfamiliar with this product, I have no idea what to do with this once I clone the repo. I hunted and found a compose.yaml file, but it’s not clear if this is all I need.