Defensive Open Source


Bittorrent Sync is a great idea. But someone, somewhere is either going to reverse engineer this product and release it as Open Source, or they are going to develop something from scratch as Open Source.

A huge portion of your users are concerned with privacy issues, and would consider such an offering superior.

Given that you are not charging, there is little reason for you to not Open Source. You are just increasing your development costs. Assuming there is a feature-complete MVP available as Open Source, a substantial part of your community will leave.

Instead, you should increase trust and shore up your community by going Open Source. If you do this right, this will only help you. Reddit is a great example of how you can release this way without losing anything.

Thanks for the great product.

-FT

This has been discussed many times, and I'm sure the BTSync team knows of the ups and downs of throwing the source online. (at least they should by now). I, also, am an advocate of making BTSync open source, however, I really don't think it's going to happen. The BTSync team has been perfectly clear that they do not intend at any time to open BTSync to the public.

Even if other clients are released, they would probably never be as fast, or work as well as BTSync does now, even in Alpha. The BTSync team really has nothing stopping them from throwing this into CC, but nothing to incentivize it either.

TL;DR: Probably not going to happen.

For what it's worth, the Free Software Foundation (FSF) has an open source Bittorrent Sync clone as one of its priority projects: http://www.fsf.org/c...typrojects#sync

Ha! Where to even begin with their abstract text: "Bittorrent Sync is a peer-to-peer, two-way file synchronization utility with fine-grained access controls. We need a free software version of this client or free software that can be used for the same purpose."

First of all, BitTorrent Sync isn't just "two-way file synchronization", it's multi-way file synchronization.

Secondly, BitTorrent Sync IS FREE, and will remain free!!

I agree with ftrotter that open source is a necessary feature. I've seen others on this board mention that open source would be good for security or trust reasons. But it bears explicitly pointing out what some of these reasons are, since many potential users of BitTorrent will be Dropbox emigrés rather than the peer-to-peer crowd. P2P users are perhaps much more familiar with security and legal issues than the casual Dropbox user.

The issue is this: there is a gaping security hole in BitTorrent Sync, and it appears the company has ignored the most prominent security threat that faces most of its potential users.

One of the many lessons from the NSA scandal is that the successful way to beat encryption is through social engineering. Instead of hacking computers by brute force, the NSA and other spy agencies apply legal and fiscal pressure to obtain what they need. The international spy game is fiercely competitive, and it would be naive to suspect that the NSA has no interest in having direct access to the computer files of every American, since undoubtedly every foreign spy agency will want this information as soon as it is technologically and financially feasible. If we are unfortunate enough to experience a terrorist attack by an individual who used BitTorrent Sync for security, chances are very good that in the aftermath BT will be heavily pressured by the government into having btsync phone home with the secrets. This is independent of whether BT has already decided they'd like to have access to those secrets. Security against this attack vector cannot be guaranteed unless users can see the source code.

It's also worth mentioning that the primary concern *isn't* necessarily that BT Sync users will be targeted by the government for unnecessary privacy violations. Edward Snowden has admitted to taking a job at Booz Allen Hamilton with the express purpose of making government secrets public. Thus we have clear evidence that -- even if the NSA is just and secure -- private security firms can be infiltrated by individuals with motivations that run counter to the motivation of the NSA. It seems likely that there have been other infiltrations of these security firms by more nefarious organizations. So even if we are entirely trusting of our government's noble principles, the fact remains that the ability of BT Sync to transmit secrets home is a potential security hole that affects all of its users.

Finally, we've seen some judges attempt to force defendants to decrypt their hard drives so that these drives may be searched. As of now, this legal point hasn't been settled, and individuals might still have the ability to take the 5th Amendment and refuse to decrypt their hard drives. What *has* been settled is that neither the 4th nor 5th Amendment applies to information held for you by a third party. Thus if BT Sync for any reason has copies of your secrets, and you are being investigated for a crime (wrongly or otherwise), you have effectively no security from BT Sync.

We need to know that BT Sync does not currently transmit secrets anywhere, and will never do so in the future. The only way we can really know these things for sure is to look at the source code.

I am certain that the bittorrent sync team have their own very well thought out reason for their licensing, whatever it may be.

Yes, personally, I really cannot see the reason to not open source, especially if this product will be forever free, as in price, and since it's heavily involved with security (being a file syncing program), but who am I to judge their decision without knowing anything else about this project? I certainly am no legal expert either.

But "Never say never, we still consider this option" is very good news, and pretty big as well, since changing the licensing of a product will probably take a lot of thinking and what not (with their legal team etc.).

So just my two cents to try and nudge this decision. Quoting Emil Ivov: "You cannot seriously talk about security in anything that is not open source, this is impossible." [source, 10:19 - 11:41 video on this page]. Yes, I know this is FOSDEM, but the point stands. Now don't start debating 'security through obscurity', since that's irrelevant. What I mean is from an end user point of view. The only way end users (who care about this) can sleep tight at night is with the product being open source. Otherwise it simply isn't an option. This of course doesn't mean that they necessarily don't trust the company or dislike them or anything, just that it simply isn't possible to confirm what a company claims, which is a big deal when dealing with sensitive information.

Now whether or not the btsync team will cater to these users and decide to open source is completely up to them of course. (And even if they do choose to do that, they have to choose what license and all, and that can be difficult as well.) But I have no doubt that due to the recent NSA PRISM leaks, there will be a large and growing proportion of users concerned about this.

Now imitation is a form of flattery, right? With the above, I still however have no doubt that btsync is a great product, there's simply nothing like this out there at the moment; call me much too enthusiastic, but I'd say this is quite revolutionary. I can pretty easily believe that btsync will become very popular regardless of the license (not that it isn't already), as in >= Dropbox popularity, since the main feature of Dropbox is file sync (not cloud storage). (Especially with your upcoming mobile apps.) And that's also the same reason why I believe that, riding on the popularity of btsync, some sort of open source btsync will emerge. It may not be as good as, or have all the features of this, but with such popularity, people will certainly at least try to come up with something. (Since btsync is at the least a very good 'proof-of-concept'.) And might I even dare to suggest that, if something does emerge (big if), it might become a threat to this. Since open source projects can grow quite easily, again popularity being the keyword, (now I'm starting to dream) it may make, say, some sort of open protocol which may become standard or something etc. I know I'm just stirring stuff here, it may turn out that I'm horribly wrong, but I think some thought on btsync's direction here could go a long way. Collaborating with the rest of the world does in my humble opinion seem to be the best option here (from my viewpoint of course; I know nothing about what any real factors regarding licensing may be, I can only postulate).

Back to reality though, at the moment, in addition to FSF having this on their priority list (as binarybana pointed out), there also seems to be this (for what it's worth): https://groups.googl...ts/7WUj3nASuLo (which I'm in as well, I guess).

I can though certainly understand, as this project still seems to be in early stages (somewhat, maybe not), that one reason for being closed source is the maturity of the code. A company that plans on making a product open source may not feel that it's appropriate to release source code for something that's not ready yet or something. This happens all the time (the difference being that if they don't release the source code, they don't distribute binaries of the program either). So I'm pretty sure the btsync team already knew this, but just in case.

Anyhow, I'm taking this as great news, not taking anything for granted, but great news nonetheless. Now hopefully the time spent typing that was worth it. And thanks for reading this if you did. Peace. :)

  • 5 months later...

First of all BitTorrent Sync isn't just "two-way file synchronization", it's multi-way file synchronization

You seem to misunderstand the term "two-way synchronization".

one-way sync:   MASTER  -->  SLAVE
two-way sync:   NODE  <--> NODE

From Wikipedia:

In one-way file synchronization, also called mirroring, updated files are copied from a 'source' location to one or more 'target' locations, but no files are copied back to the source location. In two-way file synchronization, updated files are copied in both directions, usually with the purpose of keeping the two locations identical to each other.

A bit late, but still opting for BTSync to go FLOSS.

Multi sync as in all synced nodes will assist any node still syncing. In theory it would lead to a faster sync. But in practice most of them idle as there's no thought how each chunk is distributed, node1 will send the same piece to all other nodes. Then continue with the next one..

Multi sync as in all synced nodes will assist any node still syncing. In theory it would lead to a faster sync. But in practice most of them idle as there's no thought how each chunk is distributed, node1 will send the same piece to all other nodes. Then continue with the next one..

I haven't been able to observe this behavior you're seeing in my own test setup.

If you're seeing that behavior it's POSSIBLE that your other nodes aren't talking to each other either because of blocking or a misconfiguration.
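A small round-based model of the two source behaviours argued about in the two posts above, as an added example (not BTSync code, and not a model of its actual protocol): a source that streams each chunk to every peer before moving to the next, versus one that hands out the rarest chunk so peers can trade among themselves. The node and chunk counts and the one-chunk-per-round bandwidth unit are assumptions.

```python
"""Round-based model of how a source's chunk choice affects multi-node sync.

Added example, not BTSync code. Each node uploads at most one chunk per round
and accepts at most one chunk per round; node 0 starts with the whole file.
Two source behaviours are compared:
  "same_to_all"  - stream one chunk to every peer in parallel, then the next
                   (the behaviour described in the quoted post)
  "rarest_first" - hand out whichever chunk the fewest nodes hold
Non-source nodes always offer the rarest chunk they have to a peer lacking it.
"""
from collections import Counter


def simulate(n_nodes, n_chunks, source_policy):
    """Return (rounds, peer_uploads) until every node holds every chunk."""
    have = [set(range(n_chunks))] + [set() for _ in range(n_nodes - 1)]
    rounds = peer_uploads = 0
    bcast_chunk = bcast_progress = 0        # state of the "same_to_all" source
    while any(len(h) < n_chunks for h in have):
        rounds += 1
        count = Counter(c for h in have for c in h)   # replicas of each chunk
        receiving, transfers = set(), []              # applied at end of round
        for src in range(n_nodes):
            if src == 0 and source_policy == "same_to_all":
                # Source upload split n-1 ways: the chunk lands on all peers
                # together after n-1 rounds. Peers end up with identical sets,
                # so they never have anything to trade and sit idle.
                bcast_progress += 1
                if bcast_progress == n_nodes - 1:
                    transfers += [(t, bcast_chunk) for t in range(1, n_nodes)]
                    receiving.update(range(1, n_nodes))
                    bcast_chunk, bcast_progress = bcast_chunk + 1, 0
                continue
            offers = [(c, t) for t in range(n_nodes)
                      if t != src and t not in receiving
                      for c in have[src] if c not in have[t]]
            if not offers:
                continue                              # nothing useful to send
            # Rarest chunk first; ties broken by chunk index, then target.
            chunk, target = min(offers, key=lambda ct: (count[ct[0]], ct[0], ct[1]))
            receiving.add(target)
            transfers.append((target, chunk))
            if src != 0:
                peer_uploads += 1
        for target, chunk in transfers:
            have[target].add(chunk)
    return rounds, peer_uploads


def compare(n_nodes=5, n_chunks=8):
    """Rounds to full sync and peer contribution under both policies."""
    return {policy: simulate(n_nodes, n_chunks, policy)
            for policy in ("same_to_all", "rarest_first")}


if __name__ == "__main__":
    for policy, (rounds, uploads) in compare().items():
        print(f"{policy:13s} rounds={rounds:3d} chunks uploaded by peers={uploads}")
```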

Never say never :) We still consider this option.

Searched this forum hoping to find good news, but this is the best I've found and is from 6 months ago :(

I would use BTSync if it were open source. Unless it clashes with your ideas for monetising this product, I cannot see why you would not open source it.

  • 3 weeks later...

If I could support a kickstarter type of campaign for opening the source, I'd virtually be throwing money after you, knowing that I'd be solving one of the real problems of the internet still around.

Please please please! I love this product so much, but I can't ignore the closed source, it really matters, as you can imagine.

  • 1 month later...

I really love your software, but do not use it as it isn't open source. I hope you will make it open source once. Meanwhile, I found another project, which looks promising and actually is open source: Ori file system. But the project seems to be at an early stage, and I was not able to get the software working. Besides, we don't know whether or not it'll be continued...

I'll add my own voice to this:

An open source version would be nice and all, but what's far more important?

Make BTSync an OPEN PROTOCOL / STANDARD!

Keep the "BTSync" application itself proprietary (and free), but open up the documentation / design of the BTSync protocol - and let other folks make their own BTSync clients!

Of course, this means that there will potentially be interoperability headaches, but this will improve the market penetration of BTSync because the open source folks will be more inclined to use the protocol, and the 'don't care' folks will be GLAD to use the tried-and-true official BitTorrent.com BTSync application!

Please, please - this before 'open source.'

I'll add my own voice to this:

An open source version would be nice and all, but what's far more important?

Make BTSync an OPEN PROTOCOL / STANDARD!

Keep the "BTSync" application itself proprietary (and free), but open up the documentation / design of the BTSync protocol - and let other folks make their own BTSync clients!

Of course, this means that there will potentially be interoperability headaches, but this will improve the market penetration of BTSync because the open source folks will be more inclined to use the protocol, and the 'don't care' folks will be GLAD to use the tried-and-true official BitTorrent.com BTSync application!

Please, please - this before 'open source.'

^^^ This! The fact is that as of now, since Bittorrent Inc. isn't making money off the service, the only imaginable reasons for the code not to be released are to hide security flaws or to avoid clones of the project. Assuming that it's just the latter - it's still not worth it, considering no one would trust a clone more than the original app, and the patches from the community would be very beneficial for the stability and feature-set of the service.

The actual BTSync developers probably know all of that, so I'm just going to say - the biggest reason for me to want a FOSS BTSync is because I want to trust it.

the biggest reason for me to want a FOSS BTSync is because I want to trust it.

That.

And I want to be able to build it on my computers. Not all of them are standard PCs, you know.

And I want to be able to track down anomalies in behaviour before filing bug reports. Currently, the documentation is very sparse and only covers the most general cases.

  • 1 month later...

<flame>

Is there any proof it is not spyware? On my network I saw it opening connections to "r.usyncapp.com" and "t.usyncapp.com". I have read in the forums that the dev team said it was for gaining stats only; ok, but I wasn't asked for that during the installation, nor is there an option to prevent this. Also, if you read the terms of service http://www.bittorrent.com/legal/terms-of-use under paragraph 7 (Investigations) it is written "BitTorrent shall have the right, in its sole discretion, to remove any of Your Content for any reason (or no reason)", so what happens if I share stuff under DRM copyright? How do they know what I am sharing?

</flame>

BTSync is a shame, because it works well but is completely destructive when it comes to privacy, and I believe it will never be open source; the dev team may be saying they consider it so people stay tuned and keep using btsync, but for a company that says "privacy matters" that's just ridiculous.

cheers
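A defender's check for the kind of traffic the post above describes, as an added example (not BTSync code): parse a connection log, ignore configured peers and LAN addresses, and report every other destination the sync process contacted. The log format, the process name, the timestamps and the peer list are constructed for the example; only the two hostnames come from the post.

```python
"""List destinations a sync client talks to that are not its configured peers.

Added example, not BTSync code. The log format below is constructed for the
example ("<timestamp> <process> connect <host>:<port> <proto>"); the two
hostnames come from the post above, everything else is made up.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample log: LAN peers, two telemetry-looking hosts, an unrelated
# process that must be ignored, and one malformed line.
SAMPLE_LOG = """\
2014-03-02T10:01:12Z btsync connect 192.168.1.23:46587 tcp
2014-03-02T10:01:13Z btsync connect r.usyncapp.com:443 tcp
2014-03-02T10:01:40Z btsync connect 10.0.0.5:3000 udp
2014-03-02T10:05:13Z btsync connect t.usyncapp.com:443 tcp
2014-03-02T10:07:00Z btsync connect 192.168.1.23:46587 tcp
2014-03-02T10:09:31Z firefox connect example.org:443 tcp
2014-03-02T10:11:02Z btsync connect r.usyncapp.com:443 tcp
garbage line that must not crash the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proc>\S+) connect (?P<host>[^:\s]+):(?P<port>\d+) (?P<proto>\w+)$"
)


def classify(host, known_peers):
    """'peer' if explicitly configured, 'lan' for private IPs, else 'external'."""
    if host in known_peers:
        return "peer"
    try:
        if ipaddress.ip_address(host).is_private:
            return "lan"
    except ValueError:          # a hostname, not an IP literal
        pass
    return "external"


def unexpected_destinations(log_text, process, known_peers):
    """Map 'host:port/proto' -> hit count for external destinations of `process`."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["proc"] != process:
            continue
        if classify(m["host"], known_peers) == "external":
            hits[f"{m['host']}:{m['port']}/{m['proto']}"] += 1
    return dict(hits)


if __name__ == "__main__":
    report = unexpected_destinations(SAMPLE_LOG, "btsync", {"192.168.1.23"})
    for dest, n in sorted(report.items()):
        print(f"{dest:28s} {n} connection(s) - not a configured peer, review or block")
```

Swap SAMPLE_LOG for the host's own connection records and the peer set for the machine's configured sync peers; anything reported is a candidate for an egress rule or a documented opt-out.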

I hope this is an agreement related to BitTorrent apps in general!!

I believe/hope it doesn't include reference to the privacy and encryption that BTS provides; if not, as ott0disk mentions, there's a BIG problem!!!!

It's not secure at all if you reserve the right to monitor/terminate X transfers for X matters/reasons??

BTS is supposed to be a secure way to exchange files... I sure want to see change in the license agreement regarding BTS; otherwise we, as a company, will probably look elsewhere!!!

* Also, in part 21-b, there is French language that shouldn't be there:

http://www.bittorrent.com/legal/terms-of-use

-- It is the express wish of the parties that the Terms, any Additional Terms and all related documents have been drawn up in English. C'est la volonté expresse des parties que la présente convention ainsi que les documents qui s'y rattachent soient rédigés en anglais.

  • 1 month later...

Guys, you had all the time in the world to study the OpenSSL sources and prevent the whole Heartbleed fiasco. Have you? My opinion is, the kids screaming for everything to be open-sourced the loudest are rarely the ones giving actual valuable and educated input once given the chance to. They usually demand to open source everything possible on principle and then sit and wait for someone to do the actual analysis. Are you all experienced coders and cryptography experts willing to dedicate your time and resources to audit someone else's non-trivial code properly? If not, what makes you think just skimming through the source will give you peace of mind? Or perhaps you somehow think there's gonna be lots of void secret_backdoor(int secretNSAnumber) all over the place? Would you be able to conclusively prove the compiled binaries are indeed generated from the source you're looking at? By the tone of your posts I somehow doubt you're all mature, experienced security experts, so why not just chill out, not use the thing if it doesn't fit your world outlook and leave the devs and their product alone?

Guys, you had all the time in the world to study the OpenSSL sources and prevent the whole Heartbleed fiasco. Have you? My opinion is, the kids screaming for everything to be open-sourced the loudest are rarely the ones giving actual valuable and educated input once given the chance to. They usually demand to open source everything possible on principle and then sit and wait for someone to do the actual analysis. Are you all experienced coders and cryptography experts willing to dedicate your time and resources to audit someone else's non-trivial code properly? If not, what makes you think just skimming through the source will give you peace of mind? Or perhaps you somehow think there's gonna be lots of void secret_backdoor(int secretNSAnumber) all over the place? Would you be able to conclusively prove the compiled binaries are indeed generated from the source you're looking at? By the tone of your posts I somehow doubt you're all mature, experienced security experts, so why not just chill out, not use the thing if it doesn't fit your world outlook and leave the devs and their product alone?

^ what he said! :)

You make a lot of good points. I'd just like to point out TrueCrypt, which IS open source and recently had a (community funded) audit that proved the binary files are indeed compiled from the public source code AND contain no backdoors.

I agree that open source is overrated by many people, but the fact remains that such independent verification IS possible with open source software, and NOT possible with closed source.

Whether the verification is done at all and if you trust the people that do it is another topic.
