
To be fair: charging for peer-to-peer software that is freely redistributable doesn't work as a business model. You make money in open source by selling related services (e.g. github, Android) or support (Red Hat). You can't do it by licensing the product.

That doesn't invalidate the point above though that in the modern world a tool like this can only be considered "secure" if the implementation(s) are completely open. It's just a poor product decision on the part of BitTorrent.




> You make money in open source by selling related services (e.g. github, Android) or support (Red Hat). You can't do it by licensing the product.

This is where the distinction between "free" (as in freedom) and "open source" is helpful.

You can, hypothetically, release the source code of a project under a license that prohibits compilation of that source code (or prohibits running anything other than the paid binary of the source code). This would allow people to view and theoretically vet the code; they just can't run it (legally) without paying for it.

Not that I would like to encourage such behavior, or think that it's valuable. But it's an important distinction to remember.


> release the source code of a project under a license that prohibits compilation of that source code

Such a license would qualify for neither "open source" nor "free software" under the relevant official definitions though.

Yes, it would be reviewable for bugs and probably preferable to a blob. But without the ability to verify the compilation you'd have no assurance that the proprietary code was actually built with the reviewed source. Basically this would just be a stunt.


If the license said that you were in violation if you executed the built code, but there were instructions to build the exact version that is distributed, it would still allow people to verify that the binary was built from the provided source.

I recall Transgaming Wine had a model that was effectively this: it was difficult for a layman to build the source, and binaries couldn't be distributed freely, but the source was still available.


[deleted]


No, that's wrong. The term "open source" as commonly used has a formal definition (http://opensource.org/osd-annotated) and this violates the very first term.

That is "source visible", I guess. But please don't confuse terminology: it's neither "open source" nor "free software".


There would be no assurance that the binary is compiled from the source though.



Do we really need to keep posting this link anytime someone says something that has anything to do with building something from source?


Sure, I guess. But if you don't trust your own system, it doesn't really matter whether you use their code or not. That said, "Reflections on Trusting Trust" is mentioned far too often, without people fully understanding the fact that it would be incredibly difficult, if not impossible to pull something like that off.


They can split the program into two parts. The "UI" part and the "transport" part.

The UI part will be in charge of converting plaintext into ciphertext and vice versa. Ciphertext will be handed off to the transport module.

The transport module can remain closed source. Only the API to the transport needs to be published. People can write their own UIs.


But that would defeat the point of opening the source, the part we're interested in is the security of the transport not how that pretty UI is made.


If the UI module does encryption and decryption, and if the said encryption is good enough, why would you care if the transport layer steals your encrypted data?


The transport layer is running on the same computer at the same trust level as the encryption layer, which means it can intercept the unencrypted data. Even if the developer's 100% honest it's easy for them to accidentally create a remote code execution vulnerability that allows an attacker to do this.


Interestingly, you can. Limewire was open source, but charged for a "pro" version. (which was also open source, with the exception of some build files)

The biggest problem with all of it was that there were a bunch of scam sites that added malware, built binaries, and bought "lime wire" keywords on Google.

On the other hand, I don't think OSS is to blame for that; the scam sites could have just as easily distributed any binary.


You are right. I see a lot of companies that do well with the support model though. What's their business model with this as it is today anyway?


Only enterprise companies can survive on the support business model; it doesn't work for consumer or SMB because they just won't buy support contracts (I'm not counting scams).



