In September of 2015 the International Women’s Media Foundation (IWMF) released an app called Reporta. This journalist focused app implemented a check-in-system, customized alerts, and an SOS button for when the journalist is in distress. The app was quickly, and widely criticized by security, journalism, and media-development experts for a variety of reasons. After a back-and-forth with various members of these communities IWMF capitulated and undertook a process of updating the application in an attempt to reflect the feedback they received. This included removing analytics, enhancing encryption, revising data retention procedures, among other things. At the end of this process Reporta “open-sourced” its code. This is where my interaction with Reporta began.
Like many, I was curious to see how IWMF had responded to these communities. When I heard it had been open sourced I quickly went to the Github page to look at some of the code. I found that Reporta had “open-sourced” their various code-base’s by creating a single github repository containing zip archives for each code-base. To my further frustration, once I unzipped these zip archives there were even more zip archives within them. This is open source at its laziest.
In IWMF’s post about open-sourcing their code they talk about how they wanted to hear feedback.
“We would love to hear your comments and suggestions on how to improve the code and additional features you would like to see in it. We sincerely appreciate comments and contributions made in the spirit of improving Reporta and the functions it provides users.”
When done right open source encourages so much more than simply the feedback they spoke of. By simply keeping each project in its own version controlled repository it would encourage users to participate by removing the requirement that they download and unzip the current code bases to see the code. It would allow IWMF to directly tie community concerns and requests directly to the code they changed to address them, and allow developers to browse the changes that IWMF have made directly in the github web-interface. It would allow outside developers to use git and Github’s built in functionality for forking, adding features/fixes, and submitting code back to IWMF’s project.
This failure to properly open source the project not surprising. Non-profit tech projects often do not have the time, money, or human resources to collaborate or maintain a tech-project after its initial creation. Having worked on a variety of grant-funded tech projects I know just how hard it can be. I also know that understanding the benefits of properly open sourcing an application requires having been a part of open source communities and seeing their benefits. So, I did the work for them.
I made repositories with Reporta’s android, admin, and iOS, code bases so that IWMF could simply fork them to their organizations account. I even cleaned the archives provided of the various binary blobs and added Githubs default gitignore files so that your repositories would automatically filter out some of the well known binary and compiled files that might sneak in if they continued development. All they had to do is to visit the links I provided them and click the fork button on the top right of their screen. Once they had forked the repositories they could change the names, titles, url’s, README’s etc. however they wished and it would make the code immediately available to the public from their organizations page.
I submitted an issue seven days after the application was open sourced providing these links and some polite guidance on how to use them. Five days later they let me know they would move ahead with forking the repositories. Five months later I wrote this blog-post still waiting for them to take any action.
I recently had a conversation where I stated that users can only rarely be called members of the community in open-source secure messaging projects because they are not engaging with the developers creating the tool. Often, when a secure messaging app is frustrating or fails most the users simply move to another app. Other times the channels that a user must use to contact the developers are difficult to find or use and the support is near nonexistent or confusing when they do use them. After coming home from this conversation I opened my Github account and saw that another day had gone by with the official open source code of Reporta trapped in a series of zip archives. For a moment I remembered my first attempts at filing bug-report’s before I learned the undocumented “proper” practices and procedures of submitting bugs to an open source project. I remembered the rejections for completeness, clarity, and already known issues. The communities that were supportive earned my trust and as I became more able to contribute code and documentation some eventually received my support.
Unlike with Reporta, often times when I find a project I don’t have knowledge about the people and history of the project. By lazily dumping archives of their latest code into a single github repository IWMF was signaling how uninterested they were in outside participation, support, or feedback. There are many projects desperately seeking a community, and there are many that are not. Simply being open source does not mean that a project has any interest in building a community or listening to outsiders. This experience was a poignant reminder of how important it is for open source developers and security experts to watch for these types of warning signs and use them to choose where they put there time and trust.