The scale-build repository is also licensed under GPL-3.0. Clearly that was not a roadblock at all. I was right in the middle of the process of building a new storage system and this whole situation has made me question if I can trust this project with my data in the long term. The primary reason why I was about to pick TrueNAS over things like Unraid etc. was that it was fully open.
When you hide the build system, the rest does not really matter as people can’t audit the end result. Like sure, the rest might be open source, but what’s preventing you from changing things during the build process? I happen to be one of those Gentoo users that build things from source and situations like these feel very eerie. I sincerely ask you to reconsider this decision.
Why?
“Open source” is not an insurance against death.
But if TrueNAS (the company) went belly up, you’d be losing “only” updates to the user interface. Your actual data remains readable by any system which runs OpenZFS—so OpenZFS is the actual project you depend on most in the long term; that is the possible benefit over Unraid.
If I were to play the devil’s advocate for a moment: even before this change to the build repository, iX could have used a malicious private build method to create their distributed ISOs and update files filled to the brim with malware galore. The build repository could just have been for show; users would not have been able to catch that simply by building their own versions and comparing.
You are correct, it is not a foolproof insurance. I’m not one of those who go with the “open source only” kind of vibe (I used to use an Nvidia graphics card for years), but I do tend to prefer to have as many things open source as possible. If not for the reason that I’m going to read the source code, then for the reason that I can read it if I want to (or need to) some day. The fact that they hid this part kind of undermines their promise to not hide anything else in the future.
Also the mention regarding OpenZFS is very valid. To be honest I probably wouldn’t have made much use of a lot of TrueNAS features as I’m mostly just after storage. Maybe I should just learn to use ZFS manually and set it up on barebones Debian or Alpine Linux (assuming it supports ZFS). Being familiar with the underlying storage system would also be beneficial when things go tits up.
This is correct. Nothing in the current build system allows you to rebuild and audit the results of what we ship as the TrueNAS ISO. Why? None of the builds are fully deterministic. Each build results in different sizes, checksums, etc. Not that I want to make folks paranoid, but at some point you do have to trust your builder / vendor…
Wasn’t that a case of infiltration by a malicious state (?) actor? I may remember it wrong, but that was a long play to A) place extra burden on the sole developer, then B) offer to assist in helping out with all the things that needed to be done and finally C) when trust had been gained and access been given, eventually introduce the backdoor.
That the package happened to be an integral part of many distributions turned it into the supply-chain attack it was eventually known as.
Alas I am going off-topic.
Everyone has to make their own mind up if they trust iX or not. Trust should not be set in stone and I recommend reevaluating it as appropriate. I am not going to stop using TrueNAS because of this change but I concede that an equally acceptable choice is to start looking for alternatives based on a different risk assessment or loss of trust.
It’s a fine line between getting the job done and stopping to run everything by the community first. I suspect there are dozens of technology decisions we make on a monthly basis that somebody could make a stink about, but since 99%+ of the code is written by us and not many folks really look at it that closely, they tend to just sail by in the night. We don’t really have a super-engaged community for development that way. Which is perfectly fine, not complaining, just the reality of what it is.
That said, this issue in particular was much more visible and of interest to the wider community, so we absolutely could have done more to proactively engage on this up front. Pros and cons of developing in the open like this; we (speaking to myself) also just need to put some more thought into what might be sensitive and/or political with our users vs just business as usual. This one clearly fell into the former category though and we could have been more prepared. In most places the users don’t find out what’s in the product until it ships and you read the release notes. We have to be sure to do things a bit more real-time due to the visibility on GitHub. The build repo refactor happening now is being done in anticipation of TrueNAS 27, which is a year+ away from Beta, to give you an idea of the lag between code changes and shipping product.
FWIW I prefer you folks screwing up rather than putting a faceless PR account/team in front. Please improve, but please don’t take any of my criticisms (I myself am extraordinarily critical compared to most people) as a sign to slink into the shadows further.
How much of this is due to the foolish “OS-level Age Attribution” being pushed by more and more socialist and totalitarian state governments (California, Colorado, Illinois, and [ugh] New York)?
Sounding more and more like time to shut the internet down.
This actually screws me as someone who is using an older GPU in my system: now I can no longer revert the commit that switched to the Nvidia open drivers and compile my own nvidia.raw file.