Reposilite 4.x wishlist

[dzikoysk]

About

Reposilite 3.x is a stable piece of software and for most of the time it serves you well. Of course, some decisions I made during 2.x -> 3.x rewrite were good, and some of them are a bit of a problem these days. I think that's a good time to start summing up the 3.x release line, so we can prepare for the next major version. Fortunately, this time we're more likely talking about an evolution, not a revolution - the backend module is much easier to maintain, Kotlin really paid off here. Sadly, I can't say it about frontend in JS + Vue 3.

Roadmap

Some high level estimation of a roadmap for Reposilite 4.x 💕

Date	Description
Q1 & Q2 2024	Get some feedback from the community about current state of the project and possible enhancements in the 4.x
Q3 2024	Refine ideas, prepare project
Q4 2024	Development phase
Q1 2025	Release 4.x 🎉

General goals

Goal	Result
Include long overdue improvements that couldn't be addressed in 3.x	Improve the offer
Remove tech debt and reduce the complexity of frontend implementation	Easier to maintain
Prioritize simplicty and lightweightness	Keep the core advantage over alternatives

RFCs

Priority	Domain	Description	Status
P1	Tokens → Users	Reposilite should introduce user system. Users should be able to generate personal tokens on their own.	✔️
P1	Authentication	Thanks to the new user system in Reposilite, we should be able to support the following auth methods in the UI: OAuth, OIDC	📢
P1	UI / Dashboard	Maintaining current REST API + standalone frontend module requires a lot of work. With JTE-like template engine + some lightweight library like HTMX + Tailwind, we could probably do the same thing with a better result (and improve mobile UX)	❔
P2	Security	In-app alerting system to notify users in case of diagnosed security related issues (like CVEs)	✔️
P2	Licensing	Reconsider license change to protect project from SaaS-like actors	❔
P2	General	Simplify sources: Let's try to simplify & reduce sources having some more experience	✔️
P2	Build-systems	Prepare a better support on API level for other build systems / protocols	❔
P2	Checksum	Checksum plugin will be merged into the core module	✔️
P2	Prometheus	Prometheus plugin will be merged into the core module	❔
P3	Tests	Optimize tests: We're launching a whole ecosystem for each test method. Let's try to reuse some resources there	✔️
P3	Database layer	Exposed should be replaced with Sqiffy	✔️
P3	Built-in SSL	Move built-in SSL to standalone plugin to reduce JAR size (this integration is rarely used anyway)	✔️
P3	Targets	Split distribution across Linux, Windows and macOS to reduce JAR size	✔️

Priority: P1 - high, P2 - medium, P3 - low
Status: ✔️ - approved, 📢 - requires feedback/details, ❔ - unknown

---

Thanks to all sponsors that decided to support me this year! We wouldn't be here without you 💛

[solonovamax]

Since it seems like the UI is going to be majorly reworked: thoughts on adding "looks at least somewhat decent on mobile" to the list? (especially the admin interface, so admin stuff can be done from a mobile device)

[solonovamax]

also, one note: you mentioned using jte.
for me personally, jte is kinda okay-ish. I'd just like to add freemarker as a suggestion for a templating engine to consider.
there's also thymeleaf, which I've been using for my personal site. the experience has been okay-ish (solonovamax/solonovamax.gay if you wanna look at how I do stuff. kotlin + ktor.), but there have been a few kinda jank-ish parts, but other than that it's been nice.

[dzikoysk]

Since it seems like the UI is going to be majorly reworked: thoughts on adding "looks at least somewhat decent on mobile" to the list? (especially the admin interface, so admin stuff can be done from a mobile device)

Sure, the mobile support should be way better there. In current UI, it's mainly blocked by the tabs & jsonforms libraries, but it's a minor issue, so I didn't decide to invest my time into it for now.

I'd just like to add freemarker as a suggestion for a templating engine to consider. there's also thymeleaf, which I've been using for my personal site. [...]

When I'm thinking about a desired stack for a new frontend, I want to cover these 3 crucial requirements:

1. Get rid of a translation layer between backend and frontend (optimized template engine)
2. Avoid covering with JS basic CRUD operations (frontend framework that covers the most common boilerplate code)
3. Interface should become a part of the plugin api, so it'll be customizable to some degree (some sort of a component system)

The main reason behind JTE choice is performance - it provides a compilation mode, where it generates classes for all template components:

This + a possibility to implement Node-like hot reloading makes it a good candidate. It has some issues tho - writing a JavaScript code inside a template might be a bit painful. Even if HTMX/Unpolly/something similar would cover most of the features, there are still some side cases, when we may need to cover with JS. Raw JS/state management is kind rough, so we could try to utilize something like Preact locally, for some specific features.

[freshpr]

The only thing I'm missing is an indexer+search built-in.
That's it :)

[solonovamax]

The only thing I'm missing is an indexer+search built-in.
That's it :)

I was working on that for a bit as a plugin sometime ago, and may continue it one day™ (or I might just forgor again)

[SirEndii]

Maybe not too related to Reposilite. But what about an integrated docker registry?

[dzikoysk]

Yes, the Docker registry would be absolutely great. Unfortunately, it requires a lot of work, as the specification seems to be quite complex - there's an issue for that:

• Support Docker (OCI) repositories #1618

It'd be nice to document all things we need to do (from specification perspective), so later on we could try to estimate if we'll be able to do that or not.

[luolong]

Maybe not too related to Reposilite. But what about an integrated docker registry?

There is already Harbor for that, so I don't think it is strictly necessary. I do appreciate Reposilite's focus on providing great light weight solution for hosting Maven repositories.

[SirEndii]

Yeah you're right. There is enough software which is already capable of providing a registry and reposilite should stay simple-ish

[cranberry3148]

I'd like to see support for byte ranges. I want to use reposilite as a simple arch mirror, and arch is complaining about failed downloads.

[dzikoysk]

Maybe not too related to Reposilite. But what about an integrated docker registry?

There is already Harbor for that, so I don't think it is strictly necessary. I do appreciate Reposilite's focus on providing great light weight solution for hosting Maven repositories.

Well, yes and no. These days, you're often distributing JVM apps as containers, so it'd be kinda nice to have it supported at some point - I could even distribute Reposilite itself there. Of course, it can't be considered as the new main target, because we don't have enough resources to compete with dedicated tools, like e.g. Harbor. Hopefully, something like that should be possible to implement purely as an optional plugin.

I'd like to see support for byte ranges. I want to use reposilite as a simple arch mirror, and arch is complaining about failed downloads.

It'd be nice if you could submit a new issue with a bit more detailed description. As long as we don't aim to support arch itself, supporting http range requests probably could be a thing.

[Desoroxxx]

One thing I would like to see is the ability to customize the appearance

[solonovamax]

yeah, the ability to provide your own css styles/themes would be quite nice

ie. use the default frontend, but just have some customized css (ie. to make the frontend a bit less "harsh")

---

also here's a few misc. things:

1. smth I thought of a while back that would be nice is: the ability to store cached files from a proxied/mirrored repository in a separate location.

   so, for example, the contents of the releases (that have been uploaded directly to the repo) repo could be stored in repo/releases.
   but then, say you're mirroring foo.com and bar.net (and reposilite is configured to store those artifacts)
   then, the artifacts from each of those would be located in smth like mirrors/releases/foo.com and mirrors/releases/bar.net.

   with this, you'd also be able to provide the following things:

   • add a badge on remote artifacts/modules to indicate they're from a mirror (& maybe which mirror they're from?)
   • allow administrators to set storage limits on mirrored artifacts and use smth like an LRU policy to discard old cached artifacts.

2. the ability to change the name of the repository provided in the generated "repository details" for maven, gradle kotlin, gradle groovy, and sbt. (eg. I'd like the "name" to be smth specific rather than what was generated, as well as using specific capitalization, etc.)

3. since you're looking at making the frontend part of the plugin api, should a search plugin be added to the roadmap? if it is, I could start that one thing I was working on a while ago with maven-indexer back up.

4. funny numbers: it would be cool if the statistics showed more information. for example:

   • a list of artifacts by popularity (eg. "here are the top 10 most downloaded artifacts in [time interval]: this artifact has been downloaded 123 times in the past [time interval]"
   • also maybe aggregate stats information, such as which modules have the most downloads, which versions of a certain module have the most downloads, etc.
   • showing shit like how many of the downloaded artifacts are from mirrored repos or not (ie. "123 downloads from the local repo, 123 downloads from cached mirrored artifacts, and 123 from uncached mirrored artifacts)"
   • which mirrors are the most "popular"? (eg. "123 downloads from mirror foo, 123 downloads from mirror bar")

   unsure if this might be better suited for just sending that data to prometheus and using grafana for this, though.

5. minor change to the badges api: support for different styles (see: https://shields.io/badges), eg. flat, flat-square, plastic (current), for-the-badge, and social.

6. increased visibility of metadata via a dashboard for a specific version. eg. when clicking on a specific version of an artifact, it will list (all of this is in the pom.xml)

   • the name (which may be different from the module name. see: the name field in the POM)
   • if it is a snapshot (some repos could be used to store versions & releases)
   • the description
   • the author/developers (+ contributors?)
   • the license(s)
   • the issues/repo url
   • the inception year
   • the dependencies

7. the ability to have "repository overlays" or to "inherit repositories".
   eg. let's say I have snapshots and releases. when a user adds the snapshots repo and attempts to fetch a version from it, but said version does not exist in it (or any of its mirrors), it would be nice if it then went and checked if it existed in the releases repo. so, snapshots falls back on/inherits from/is an overlay on top of releases.

---

~ edit: merged both comments / @dzikoysk

[dzikoysk]

One thing I would like to see is the ability to customize the appearance

yeah, the ability to provide your own css styles/themes would be quite nice
ie. use the default frontend, but just have some customized css (ie. to make the frontend a bit less "harsh")

I'll most likely implement the new frontend with HTMX+Tailwindcss. These sources don't need a build process, so users should be able to pretty much do whatever they want there. I don't think I'll target the appearance that much tho, because it's quite niche feature, but the idea with a separate CSS file for some most common stuff like e.g. colors might be interesting. I think I'll be able to tell more once I'll start doing this, because I'm not completely sure how it should be done yet.

smth I thought of a while back that would be nice is: the ability to store cached files from a proxied/mirrored repository in a separate location.

This is already possible - just create a new repository per each mirrored repository and link these local mirrors via local loopback link:

• https://reposilite.com/guide/mirrors#link

You can set individual storage limits per each repo as it'd be a regular repo.

add a badge on remote artifacts/modules to indicate they're from a mirror (& maybe which mirror they're from?)
policy to discard old cached artifacts

Currently, we're only providing a built-in option to delete snapshot files, but if we'd have an option to determine if a given file was proxied or not, then date based cleanup for mirrors would be a great enhancement. This is not really related to 3.x/4.x, so I created a new issue for this:

• Automated date based cleanup option for mirrored artifacts #2074

the ability to change the name of the repository provided in the generated "repository details" for maven, gradle kotlin, gradle groovy, and sbt. (eg. I'd like the "name" to be smth specific rather than what was generated, as well as using specific capitalization, etc.)

It was requested a lot of times - not sure how it'll look like on the new frontend, but in general this is already planned ✔️

since you're looking at making the frontend part of the plugin api, should a search plugin be added to the roadmap? if it is, I could start that one thing I was working on a while ago with maven-indexer back up.

I still think that the search option in UI should be implemented internally in Reposilite, based on some metadata we'll store in the database. Speaking about the maven-indexer, we have a separate issue for this:

• Support Maven Indexer to build a cache for repository content #601

There were some issues with it, if you have some more data on this, it'd be nice to continue this thread there, just so we can keep this in one place.

funny numbers: it would be cool if the statistics showed more information, [...] unsure if this might be better suited for just sending that data to prometheus and using grafana for this, though.

The problem with detailed statistics is that it highly increases the database usage - that's why we're currently only counting unique requests per month by default. On the other hand, the prometheus integration will be merged into the core sources, so we should be fine with just pushing some extra events instead of storing this on our own. In this case, it's also not important to address this directly in 4.x - extra metrics can be added later as a feature requests.

minor change to the badges api: support for different styles (see: https://shields.io/badges), eg. flat, flat-square, plastic (current), for-the-badge, and social.

It wouldn't be a breaking change, so I think it could be moved to a standalone issue if needed. In general, I have a limited time for the project, so such issues usually have really low priority for me, but feel free to submit a PR - it's cool to have such options.

increased visibility of metadata via a dashboard for a specific version. eg. when clicking on a specific version of an artifact, it will list (all of this is in the pom.xml)

Probably could be addressed after 4.x, but I'll try to remember about this after rewriting the layout.

the ability to have "repository overlays" or to "inherit repositories".
eg. let's say I have snapshots and releases. when a user adds the snapshots repo and attempts to fetch a version from it, but said version does not exist in it (or any of its mirrors), it would be nice if it then went and checked if it existed in the releases repo. so, snapshots falls back on/inherits from/is an overlay on top of releases.

I think this should be also already possible with local links 🤔 nevermind, it'd require from us to generate a merged pom.xml file on the fly to contain all versions from different repositories. I think this is highly unlikely I'll do that in the core module, but such things should be possible to implement on plugin API level, and if not, we can work towards the enhancements in this area.

[andrm]

Ability to hostdart/flutter packages: https://github.com/dart-lang/pub/blob/master/doc/repository-spec-v2.md

[pauliesnug]

Copying this over here just in case: #1011 (comment)

[pauliesnug]

Maintaining current REST API + standalone frontend module requires a lot of work. With JTE-like template engine + some lightweight library like HTMX + Tailwind, we could probably do the same thing with a better result (and improve mobile UX)

As for the UI of Reposilite, I think that using something like Tailwind or UnoCSS would be a good fit. I wonder if there could be a redesign of the way that data was fetched from the backend and the frontend that wouldn't require a templating engine serving the content. I wonder if there is some sort of RPC that existed for generating Web based code from Kotlin types and APIs? If not then a templating engine and a lightweight framework with styling sugar sounds like a good step towards there, as I don't think Kotlin has amazing web features.

[dzikoysk]

I wonder if there could be a redesign of the way that data was fetched from the backend and the frontend that wouldn't require a templating engine serving the content.

I'm a bit tired of introducing intermediate layers, just to display some sort of static content. Having a template engine, I could possibly get rid of the whole frontend module. There are some drawbacks as always, but as far as I see it could be an option to significantly reduce the size of the codebase, so it'd be easier to maintain it.

Another benefit of having the frontend generated by backend is extensibility - currently, there is no option to modify frontend via plugin API, because frontend is just a standalone app that is precompiled earlier. It's even hard to inject custom base path url, not speaking about some more advanced effects.

I wonder if there is some sort of RPC that existed for generating Web based code from Kotlin types and APIs

Even if we'd have some sort of RPC framework, it'd still need to make some calls over the network to fetch/update latest state for client-side logic. It means we're falling once again into the world with 2 independent states (client and server) that we need to synchronize at some point.

If not then a templating engine and a lightweight framework with styling sugar sounds like a good step towards there, as I don't think Kotlin has amazing web features.

I had some time to prototype a basic plugin for Javalin, and it's promising:

7GvUf0FLo5.1.mp4

So we can prototype frontend with hot-reloads. Of course, for backend changes we need to rebuild a project, but it's good enough I'd say.

[solonovamax]

Of course, for backend changes we need to rebuild a project, but it's good enough I'd say.

if you don't introduce any methods/etc. you can hotswap code in intellij when running in debug mode. I personally have a macro set up to execute:

• SaveAll action
• CompileProject action
• Hotswap action

when pressing ctrl + s (you can create a similar macro by starting macro recording, using double shift then searching for and executing each action, and then afterwards edit the macro to remove all the double shifts & other useless stuff)

it won't hotswap anything which introduces new methods or new classes, but if it's just a change to the method body, it hotswaps it. quite useful.

[pauliesnug]

So we can prototype frontend with hot-reloads. Of course, for backend changes we need to rebuild a project, but it's good enough I'd say.

That's perfect yeah! I understand that reasoning.

[pauliesnug]

Even if we'd have some sort of RPC framework, it'd still need to make some calls over the network to fetch/update latest state for client-side logic. It means we're falling once again into the world with 2 independent states (client and server) that we need to synchronize at some point.

I do feel like that for this, if an RPC framework existed, there are good solutions for syncing up backend and client. Even just a simple SSE connection could go a long way for a simple dynamic frontend, and if there was an RPC, all the API infrastructure for the framework side code could be standardized and modified from the backend, without requiring a change to the frontend. Obviously this is easier said than done, but I'd be happy to look into if this is a possible solution, since generally the downsides of a templating engine can introduce limitations in the future, but I think in this case, either solution would work generally well.

[luolong]

As long as we are talking about choices of frontend technology, what about going for a nice "clean" HTMX powered front-end?

Backend could use your own favorite templating engine to serve html smippets, so we get best of both worlds -- fast in-place reloads and templated/skinnable frontend.

[solonovamax]

As long as we are talking about choices of frontend technology, what about going for a nice "clean" HTMX powered front-end?

Backend could use your own favorite templating engine to serve html smippets, so we get best of both worlds -- fast in-place reloads and templated/skinnable frontend.

afaik, htmx was/is already being considered. (and, from what I can tell, is currently the preferred option)

[dzikoysk]

We've got a decent conversation regarding the 4.x, so I'd say we're close to finalizing the RFCs list. I'll try to refine this in the upcoming month, so we'll have a batter overview of what needs be done.

Looking at my schedule, I think the roadmap is still quite up-to-date - the development phase will more likely start in Q3.

[freshpr]

So searching for an artifact didn't make it into the list? :(

[dzikoysk]

The RFCs list is not yet updated, but I can already say that some sort of artifact browser should be a part of 4.x :)

[Minecraftschurli]

As discussed on discord: adding the ability to have the metrics served on another port so you don't need to expose an authenticated endpoint but can just use a docker network to grab the data without auth and security risk

[nuessgens]

Wanted to comment on OAuth/OIDC:
Personally I'd love to see this feature as I'm currently evaluating Authentik and I think that would be very cool as it can also be integrated with forgejo/gitea.
So it would bring some kind of SSO in a dev-environment/homelab with a central user management.

[Minecraftschurli]

Just noticed that configuration via environment variables (for docker/kubernetes) is not on the task list for v4
currently only the settings in the local configuration file can be set via environment variables but things like initial config for the shared config or the working directory are not

[dzikoysk]

@Minecraftschurli Complex configuration via environment variables is not something that would work for us quite good - e.g. consider some predefined access tokens, there's no way we can include more advanced details like routes etc. I don't quite like the way Reposilite is configured right now, so it'll be definitely reworked from scratch. My rough idea on how it should work in 4.x:

1. Use parameters/env variables only for some crucial settings like e.g. port
2. Store whole configuration in JSON file (by default stored in db, but can be also linked as a static file).
3. Updating db credentials will be tricky, so we'll have an additional command for that
4. For the initial setup, we'll have new UI

[Minecraftschurli]

everything that is set up through a ui should also be able to be preconfigured using parameters/env/configfiles so installation in cloud environments (docker/kubernetes) is easier

[tverbeke]

I personally think that a license change (to a non-open-source license) would do more harm (discourage usage) than good. With the recent changes in Nexus OSS (moving towards closed-source, see https://www.sonatype.com/blog/sonatype-nexus-repository-community-edition), you are likely to strengthen your user base and staying open source would be much more welcoming to people coming from Nexus. Just my two cents.

[solonovamax]

I personally think that a license change (to a non-open-source license) would do more harm (discourage usage) than good. With the recent changes in Nexus OSS (moving towards closed-source, see https://www.sonatype.com/blog/sonatype-nexus-repository-community-edition), you are likely to strengthen your user base and staying open source would be much more welcoming to people coming from Nexus. Just my two cents.

yeah, I agree

I hadn't noticed this before

I'm also entirely unwilling license any of my contributions under a non-FOSS license*. (if you want to switch to a different FOSS license, I would be willing to relicense my contributions)

*it really depends on the license. if it's nearly a FOSS license, ie. a FOSS license with one or two small clauses that, by technicality, make it non-FOSS, then I'd be willing to consider it.

[dzikoysk]

I personally think that a license change (to a non-open-source license) would do more harm (discourage usage) than good. With the recent changes in Nexus OSS (moving towards closed-source, see https://www.sonatype.com/blog/sonatype-nexus-repository-community-edition), you are likely to strengthen your user base and staying open source would be much more welcoming to people coming from Nexus. Just my two cents.

I'm doing OSS consistently for over past 10 years and for quite a long time I tend to disagree with this. It's a broader topic, but tl;dr:

From my point of view not protecting a project from so called free-riding is what harms it the most, in some really specific way. I'm responsible for maintaining this project on a daily basis and I want to interact with my users, so can I understand their needs - in fact, I want to know everything that is going on with this piece of software directly from them. It doesn't matter if you're a hobbyist, a community, small or big company - as long as there's no 3rd party player between us, you're welcome.
What I want avoid, is companies that would sell this project as their primary product, and use this community as their free labor - it's not helping the project in any way, it just adds a lot of work and makes it harder to prioritize stuff from the group of people I'd actually care about.

Also, the time flies and I have only more and more responsibilities. Cutting out such service providers in the first place leaves me some area to build even more stuff around the project in the future. Eventually, the gains for this community should be incomparably higher than being compliant with what FOSS definition stands for.

it really depends on the license. if it's nearly a FOSS license, ie. a FOSS license with one or two small clauses that, by technicality, make it non-FOSS, then I'd be willing to consider it.

The only license I'm considering right now is a FSL (Relicense sources as FSL Apache 2.0 ~ #2224), that I'd simply call a delayed Apache 2.0 license. This is probably the closest licensing model to what I have in my mind as a desired state.

I'm also entirely unwilling license any of my contributions under a non-FOSS license*. (if you want to switch to a different FOSS license, I would be willing to relicense my contributions)

This change, if I'd decide to do it, would only apply to 4.x. Considering that it's pretty much a full rewrite, it shouldn't be an issue, but of course if you'd find some leftovers I'll do as much as I can to satisfy both sides.

[solonovamax]

I'm doing OSS consistently for over past 10 years and for quite a long time I tend to disagree with this. It's a broader topic, but tl;dr:

From my point of view not protecting a project from so called free-riding is what harms it the most, in some really specific way. I'm responsible for maintaining this project on a daily basis and I want to interact with my users, so can I understand their needs - in fact, I want to know everything that is going on with this piece of software directly from them. It doesn't matter if you're a hobbyist, a community, small or big company - as long as there's no 3rd party player between us, you're welcome.
What I want avoid, is companies that would sell this project as their primary product, and use this community as their free labor - it's not helping the project in any way, it just adds a lot of work and makes it harder to prioritize stuff from the group of people I'd actually care about.

do you know if currently any companies are even offering reposilite even as a secondary product (ie. offer hosted services, one of those services being reposilite)?
because I feel like if it's not something that has come up yet, then no need to worry about it until it does.

Also, the time flies and I have only more and more responsibilities. Cutting out such service providers in the first place leaves me some area to build even more stuff around the project in the future. Eventually, the gains for this community should be incomparably higher than being compliant with what FOSS definition stands for.

it really depends on the license. if it's nearly a FOSS license, ie. a FOSS license with one or two small clauses that, by technicality, make it non-FOSS, then I'd be willing to consider it.

The only license I'm considering right now is a FSL (Relicense sources as FSL Apache 2.0 ~ #2224), that I'd simply call a delayed Apache 2.0 license. This is probably the closest licensing model to what I have in my mind as a desired state.

hmm, I'd have to read through it, but I might be fine with that.
you could also consider something like the AGPL, maybe? it wouldn't fully be preventative of that, but it would require that if any providers do decide to offer it as a service, then they will be required to contribute back

1. any modifications
2. any plugins
3. any tooling they build around reposilite (ie. if they make a separate "health monitor" service, it will need to be AGPL, etc.)

there is also the Commons Clause, which you'd add on to any other license (ie. the Apache 2.0 license)
(do note: this cannot be applied to the GPL, as the GPL has a clause in it saying no additional restrictions can be applied). it is essentially just whatever other license you want + "you cannot sell the software, including as a hosted service"

I know there are also the polyform licenses, however I have not yet decided my opinion on them.

I'm also entirely unwilling license any of my contributions under a non-FOSS license*. (if you want to switch to a different FOSS license, I would be willing to relicense my contributions)

This change, if I'd decide to do it, would only apply to 4.x. Considering that it's pretty much a full rewrite, it shouldn't be an issue, but of course if you'd find some leftovers I'll do as much as I can to satisfy both sides.

I was planning at some point to contribute more to reposilite, just because I really like reposilite and want to see it improve.

[dzikoysk]

do you know if currently any companies are even offering reposilite even as a secondary product (ie. offer hosted services, one of those services being reposilite)?
because I feel like if it's not something that has come up yet, then no need to worry about it until it does.

Yes, but nothing significant yet. Being responsible requires prior communication, I think that would be harmful to do such change knowing that there's a whole ecosystem relying on you (and history is full of such surprises). I think we should tackle it down in its roots, so we'll never end up in a situation like that in the first place.

you could also consider something like the AGPL, maybe? it wouldn't fully be preventative of that, but it would require that if any providers do decide to offer it as a service, then they will be required to contribute back

That's one of my problems with the "OSS"-compatible licenses - in reality, such license is way more restrictive and affects mentioned hobbyists, freelancers and companies of any size, because it forces them to change the way they work with the project on a daily basis. That's the complete opposite of my intention and I'd hardly argue that it is really "free".

there is also the Commons Clause, which you'd add on to any other license (ie. the Apache 2.0 license)
(do note: this cannot be applied to the GPL, as the GPL has a clause in it saying no additional restrictions can be applied). it is essentially just whatever other license you want + "you cannot sell the software, including as a hosted service"
I know there are also the polyform licenses, however I have not yet decided my opinion on them.

There's no much difference between FSL, Commons Clause, BSL or Polyform. All of them are from the group of source-available licenses and actually FSL is the most permissive one, because it's purely focused on free-riding from SaaS-like services. Any other commercial use you could think of is still permitted + it has the shortest delay time.

[solonovamax]

Yes, but nothing significant yet. Being responsible requires prior communication, I think that would be harmful to do such change knowing that there's a whole ecosystem relying on you (and history is full of such surprises). I think we should tackle it down in its roots, so we'll never end up in a situation like that in the first place.

I wonder if it would be possible to put a poison-pill type of thing in a license/CLA saying that it's currently under xyz license, but if any provider in the future offers it as a primary product and earns over $x from it, then it automagically relicenses (for everyone, or just for them, idk) to one of the more restictive licenses (commons clause, FSL, etc.).
dunno, not smth that would be useful to you at this exact moment in time because you'd obviously have to do the whole lawyer song and dance and whatever, but just an interesting thought I had.

That's one of my problems with the "OSS"-compatible licenses - in reality, such license is way more restrictive and affects mentioned hobbyists, freelancers and companies of any size, because it forces them to change the way they work with the project on a daily basis. That's the complete opposite of my intention and I'd hardly argue that it is really "free".

fair enough

[tverbeke]

Also, the time flies and I have only more and more responsibilities. Cutting out such service providers in the first place leaves me some area to build even more stuff around the project in the future. Eventually, the gains for this community should be incomparably higher than being compliant with what FOSS definition stands for.

Do you want to create a company to offer services around Reposilite?

If not, then I don't see the issue. Part of open source is that other people can do useful things with the software including building services on top of it. If that would happen, it would be a success of the project not a threat. If they close the source of their modifications, they become irrelevant. If they keep it open, it gives extra features to pull in or gives ideas to do things better or differently.

If yes, then the first thing to do is to attract customers, not to close up the software with a source available license. Closing up will deter potential customers (including my organization) so you will shoot yourself in the foot.

Open source software (using standard open source licenses, i.e. what you call "FOSS definition") represents 8.8 trillion USD of economic value. No need to change the game to be successful!

[dzikoysk]

Do you want to create a company to offer services around Reposilite?

Like I said, it would be great to build something on top of it in the future. By looking at a FSL I think it's pretty clear what it would be, so I pretty like the transparency we'd get. Also, as long as I would not build anything, this would be just Apache 2.0 as it is right now.

Closing up will deter potential customers (including my organization) so you will shoot yourself in the foot.

Is your organization building, to be quite explicit, a cloud hosting that sells Reposilite? I'm trying to understand your use-case and concerns, because for me it's like a discussion between minimum wage workers who are trying to oppose higher taxes for billionaires. I mean I get the idea, I'm just not sure if that's the hill we'd like to die on for them 😅

Open source software ([...]) represents 8.8 trillion USD of economic value. No need to change the game to be successful!

Cashed by the individuals at the end of the food chain :') If that'd be about the money, I could just not do 4.x - maintain 3.x and secretly write something new from scratch. That's not the case, I'm just looking for some options to improve the sustainability of the ecosystem, so we don't have to wait 2-3 years for some issues to be resolved + have some infrastructure around it. I'm actually already paying someone to help me with 4.x and we were gathering this budget for last 1.5 year, mostly based on donations from lovely individuals. If we'd like to stay in this kinda toxic love-hate relationship (but consistent with OSS definition!) I'm fine with that too, but I think eventually you (as a community) are the ones that are losing on this trade.

[freshpr]

The default free open source license should be that you can do anything with it except offering it as a paid service or anything profit related.
What's the point of being open source if you have companies abusing the spirit that drives open source.
I don't know all license types but it makes perfect sense to protect a project from this type of behavior.

[tverbeke]

What's the point of being open source if you have companies abusing the spirit that drives open source.

The point of FOSS software is freedom as defined here https://www.gnu.org/philosophy/free-sw.en.html#four-freedoms and this has been the case for the past 40 years. Go for a copyleft license if you want more reciprocity e.g. with AGPL.

[tverbeke]

Is your organization building, to be quite explicit, a cloud hosting that sells Reposilite?

No. Just a company considering to move to Reposilite for internal purposes. If software is not open source, it does not pass our selection criteria for internal usage (since it does not respect our freedom in the meaning cited above).

[freshpr]

40 years ago, you didn't have SAAS companies abusing open source software I suppose?
I don't really mind but I understand both sides :)

[tverbeke]

40 years ago, you didn't have SAAS companies abusing open source software I suppose?

No, but the AGPL was introduced exactly for that reason in 2007 (with some prehistory in the early 2000s - see https://en.wikipedia.org/wiki/GNU_Affero_General_Public_License)