dertermenter
Scratcher
1000+ posts

Unofficial Guide to Scratch Private-Source Projects

Bump people should know about this
AmazingMech2418
Scratcher
1000+ posts

Unofficial Guide to Scratch Private-Source Projects

_nix wrote:

I sent an email through Contact Us asking about the purpose of scratch-api being a private repository; here was the response, for anybody curious:

thisandagain wrote:

Our backend code is private for a number of reasons:

- It is tied very closely to our backend infrastructure which for reasons of scale is fairly large and complex. Because of this, open sourcing our backend code wouldn't just mean publishing `scratch-api` but also nearly 20 other repos that support it (otherwise it would be useless). With that and the scale of our hardware it isn't something that any single engineer could just put on a server and run.

- The API and related repos contain our search, explore, front-page, and other relevance algorithms that govern how content discovery works. While part of me would really like to release this info to the community it does present a fairly great risk of helping Scratchers “game” the algorithm and cheat the community.

- The API and related repos contain all of the information about how we automatically filter and moderate content. Sharing this information would make it easier for spammers and trolls to attack the community.

- This is a terrible reason: The API and related repos include some technology that MIT would prefer that we not disclose because they are interested in patenting it. This is a real bummer as I am strongly opposed to software patents of any kind, but until we resolve this issue we cannot even consider releasing the code.

I am a huge advocate of OSS (I was the Director of Research at the Mozilla Foundation before joining MIT) and have been pushing us to release more and more, but we have to balance the needs of the community. Hope that helps clarify!

- Andrew (thisandagain)
The whole “gaming the system” thing honestly goes against the entire open-source philosophy… Like the whole point is to let the ethical hackers (or the “good guys”) find bugs before the “bad guys” do… If scratch-api and scratchr2 and a few others were open-sourced, a lot of bugs that people can exploit today could be fixed, because I've found it quite common for the ST to receive a bug report and move it to a closed-source repo, and then do nothing about it. It's happened to me before, and I know it's happened to others too…

Also, open-sourcing it would be more about improving security with a collaborative approach than making it usable, so 20+ repos wouldn't need to be open-sourced, regardless of if it needs those to work or not.
Maximouse
Scratcher
1000+ posts

Unofficial Guide to Scratch Private-Source Projects

AmazingMech2418 wrote:

The whole “gaming the system” thing honestly goes against the entire open-source philosophy… Like the whole point is to let the ethical hackers (or the “good guys”) find bugs before the “bad guys” do… If scratch-api and scratchr2 and a few others were open-sourced, a lot of bugs that people can exploit today could be fixed, because I've found it quite common for the ST to receive a bug report and move it to a closed-source repo, and then do nothing about it. It's happened to me before, and I know it's happened to others too…
This is true – a particular part of the backend that would really benefit from being open source is the trending algorithm.

AmazingMech2418 wrote:

Also, open-sourcing it would be more about improving security with a collaborative approach than making it usable, so 20+ repos wouldn't need to be open-sourced, regardless of if it needs those to work or not.
Collaboration is much harder if it isn't usable, so I'm not sure how that would work.
AmazingMech2418
Scratcher
1000+ posts

Unofficial Guide to Scratch Private-Source Projects

Maximouse wrote:

-snip-

AmazingMech2418 wrote:

Also, open-sourcing it would be more about improving security with a collaborative approach than making it usable, so 20+ repos wouldn't need to be open-sourced, regardless of if it needs those to work or not.
Collaboration is much harder if it isn't usable, so I'm not sure how that would work.
It would be harder if you can't actually test it, but it would be possible, I think, to just read code and see where things could be fixed. And if that doesn't work, they can just open-source the 20+ repos!
hello_smile
Scratcher
1000+ posts

Unofficial Guide to Scratch Private-Source Projects

Bump, please sticky.