Bazar rules of engagement

First things first, the Bazar rules of Phosphorus Five are probably by far the most Nazi rules you have ever encountered in an app store. For instance, I reserve the right to not publish your app, simply because it’s Monday! I am in no way obliged to give you any explanation for why I choose to reject your app either, and I might choose to do so, simply because I “feel for doing it”. In my Bazar, I am “Der Fuhrer”. Don’t like my rules, feel free to fork my Bazar. It’s Free Software and Open Source after all!

Secondly, if you wish to let me distribute your app through my Bazar, you’d better make sure it’s secure. Any data you retrieve from a source outside of your own app should be properly URL encoded before it’s rendered to the client, and you must avoid SQL injection attacks on everything that’s fetched remotely, including your users’ input data. In addition, I will as a general rule not accept apps that in any way seem to potentially violate my users’ privacy. Privacy is, after all, by far the most important USP in Phosphorus Five and its eco-system. Hence, if you create as much as a single remote HTTP GET invocation from your app to another location outside of your own little app – be aware that this alone is probably enough reason for me to simply reject it, answering “Monday” as my reason – unless your reasoning for doing so is so strong, and your arguments so sound, that you manage to convince me that your reasons are valid, and I accept it …

To put this Nazi regime into context, realise that I even HTML encode data retrieved from my own Bazar, which actually is my own GitHub Phosphorus Five repository, before I display it to the user – to avoid HTML injection by an adversary in the middle, among other things. In addition, I only accept apps that are cryptographically signed with my own private PGP key, and if you try to download another app, from another location, that’s not signed with my PGP key – it simply won’t work, unless you modify your list of “trusted app distributors” by hand. Phosphorus Five is a server system, and if security is compromised, this could potentially lead to a security hole for thousands of users – making an iPhone virus seem like a freakin’ fart in the park in comparison! Therefore, what might seem like Nazi regime app store rules are actually necessary to protect my users’ privacy, and to not allow them to unwittingly compromise their server/computer by installing malicious code that could potentially jeopardise their server/computer.

As a general rule, I only trust three things: God, PGP, and myself – in that order!

I also do not trust Google, Facebook, Twitter, or any other website out there – regardless of how “popular” it is in mainstream usage. A simple static Facebook image button, loaded from a URL outside of your user’s main root server, or a CDN request – might be enough for me to reject your app, assuming it’s intruding on my users’ privacy by logging these requests on the server endpoint from where you fetch your image(s) and/or CSS files!

When your app is to be distributed, or upgraded for that matter, I will demand to scrutinise its entire source code, line by line. When I have done so, and (maybe) accepted it, I will cryptographically sign your .zip file with my own private PGP key, and allow you to host the zip file any way you wish. This of course implies that if the zip file has been tampered with after I accepted it, it will be rejected during the installation process. Hence, if you choose to create an update for your app, the process starts all over again.

The technical process for allowing me to do this is to simply send me your zip file, containing all of your code, embedded inside a folder inside of this zip file. Hint: simply zip your entire app’s folder. My email address is thomas@gaiasoul.com. If it is accepted, you can choose for yourself if you wish to host the cryptographically signed “app manifest file” yourself, or allow me to host it for you. If you choose to host it yourself, you can probably easily set up a log of the number of downloads of your file on your own server, and thus at least to some extent have control over how many users are actually using your app. If you choose to let me host it, you’re simply going to have to trust me. Regardless, I promise you that I will send you 75% (minus PayPal commissions) of any revenue your app is generating, if it is a commercial/proprietary app. For the record, all developers participating in creating a proprietary app need a valid proprietary license of Phosphorus Five.

For the record, I will not sign any NDAs with you, as a general rule, before you let me see your source code. I promise though, that I will treat our communication as confidential, and that I will not violate your intellectual property. If this is not enough for you, yet again, feel free to fork the P5 Bazar for yourself!

When you send me your app, send me a “manifest” of your app, whose structure you can basically deduce by looking at the “/bazar/configuration/apps.hl” file for the Phosphorus root Bazar. You’re allowed to embed one external image into this manifest, which allows you to log on your own server, if you wish, how many users are actually reading the description of your app. If you wish for me to host this image, I am perfectly fine with that, but I will not send you any reports about views or anything, simply since logistically doing such a thing, for potentially dozens, and even possibly thousands of apps, would simply not be possible for me!

Notice, I will also follow up with you if your app is rejected, and give you feedback – unless your app is so full of holes that there is simply no reason for me to believe you’ll ever be able to create a secure app without me having to literally teach you coding from the ground up! At which point I’ll probably send you a “Monday” email …

Thirdly, make sure you know Hyperlambda well before you start out. You can learn Hyperlambda here for instance. And stay away from “my stuff”. This implies that I expect you to properly namespace your events, code and files, such that naming collisions are highly unlikely to occur. For the moment, I do not accept code written in any other language than Hyperlambda, which means that you’re gonna have to create your app exclusively using nothing but Hyperlambda.

Document your code excessively, as if it is written for a 5 year old child! And make sure you follow my coding standard, which can kind of be deduced by scrutinising Sephia Five. Create extremely clean code, easily read by me and/or the rest of the world. If I feel that your code is somehow not easily understood, I’ll probably send you an email without a body, and the subject of “Monday”!

Your entire app must be confined to a single folder, which includes your CSS, resources, Hyperlambda, etc. And this folder must be uniquely named, with some intelligently namespace’d name, such as “sephia-five”. “Email” or “files” is *NOT* acceptable! Your app should feature an “uninstall.hl” file, allowing users to uninstall your app. This file is also necessary when your app is updated later, so it is crucial in order to avoid having “dead active events” lying around. See Sephia Five for an example of such a file. In fact, see Sephia Five for an example of literally everything mentioned in this article!

Now that all the Nazi stuff is explained, I wish you good luck, and would love to accept your app, if it is well written and preferably obeys the GUI design guideline rules, which I have not yet written, but which you can kind of deduce by examining Sephia Five for yourself. For the record: no ads or marketing. This point is non-negotiable! And preferably, to increase the chances of having your app accepted, don’t even display a logo! And if you do, make it so tiny and small that it is almost impossible to see! Users of P5 really don’t care about the name of your company and/or app – they simply want to get to their data, without being tackled by huge banners and ads, or dancing bears. If you can’t obey this, feel free to fork Phosphorus Five and set up your own Bazar! Also make sure you use as little resources as possible – both on the server itself, and in terms of bandwidth.

Phosphorus Five architectural challenges

Phosphorus Five has a couple of architectural challenges. First of all, for lots of users out there, it will simply appear to be an “alternative ‘desktop’ environment within their existing operating system”, allowing them to easily access their P5 apps from within P5. For these people it will “feel” like a single user desktop type of application environment, and hence no multi-user types of solutions, or architectural design decisions, seem to be necessary.

However, it also is a server (multi user) system at its core. This means that a lot of your users will use it with potentially hundreds, and maybe even thousands, of users at the same time. Make sure your app is thread safe, make sure it works on all core operating systems (Mac OS X, Windows and Linux), and make sure the rendered HTML is standards compliant and works on every device possible. Also make sure it uses as little bandwidth as possible, since some might want to bootstrap your app over their local home servers, which often have “crappy bandwidth capacity”. Hundreds of KB of download for your app is a sure way to get it rejected!

If you intend to create an app which has no value for a desktop type of environment (file sharing comes to mind), please make sure you explicitly explain this fact in your app’s manifest description, such that we don’t end up having some poor individual pay thousands of dollars for an app that will never really add any value for him, since he’s using P5 simply as a desktop app “host”.

If you wish to discuss your ideas for your app with me before you start coding, in order to reduce the likelihood that I reject your app – feel free to toss me an email at thomas@gaiasoul.com, and explain the idea in a couple of paragraphs. Not too long though! I will not spend multiple emails talking to you before you show me some code. Sorry, I’ve got better things to do than to discuss “Fata Morgana” with people who’ll never be able to deliver the goods. Prove to me that you can code, and that you can deliver though, and we can expand communication at that point …

If you treat security as priority #1, #2 and #3 – and you treat your customers as the Mother of God, and insist upon adding value for your customers, not interrupting them with ads and other “crapware”, and protecting their privacy with your life if necessary – you’re probably gonna do very well, and I wish you the best of luck! Just remember these 3 simple rules …

  1. Respect your users’ privacy
  2. Respect your users’ privacy
  3. Respect your users’ privacy!!!!
  4. Respect your users’ privacy!!!!!!!!!!!!!!!!!!!!!!!!!!!!

And you’ll probably be perfectly fine …

For the record, I do also allow you to distribute your app for a fee, commercially – however, if you’d like to create non-GPL code, you’ll need a proprietary license of Phosphorus Five. If you choose to do such a thing, please give me your app’s price, and I’ll set up a PayPal product page, which redirects users to your cryptographically signed zip file once they’ve paid for it. I will send you a monthly report of how your app has been doing, as long as there is at least one purchase of your app, otherwise I won’t bother. This allows you to log downloads of your app, and for that matter reject any GET requests not referred by PayPal, giving you control over its download count, while I control the payment mechanisms.

If you choose to allow me to distribute your app for a fee through my Bazar, I will charge 25% commission, sending you the rest of the money over PayPal, with you paying any PayPal transfer fees. For the record, I encourage you to charge at least 2-3 orders of magnitude more for your app than what’s normal to pay for apps in Apple’s AppStore. The Bazar is not the place for thousands of free “flashlight apps”, not adding value to P5’s users in any way. It is also not a place for games or ads. It is a place where P5’s users can go to get web server applications that would somehow significantly improve their lives. Sephia Five for instance is probably by far the most expensive email client in existence today, simply because it is worth it. While I at the same time give it away for free to individuals. And unless your app is worth it, you should probably find alternative distribution channels. And for God’s sake, don’t steal other people’s intellectual property. If I find you have violated the copyright of another individual and/or organisation, I will remove your app, and then never talk with you again!

Notice, I also do not accept apps that contain unnecessarily complex licensing regimes, or require the user to type in license keys, etc, to make the app work. This implies that “piracy” will occur to some extent, and some will choose to use your app without paying you – even if it explicitly is created to be a commercial app, and you require users to pay you before they install the app. I have attempted to reduce this as much as possible, by for instance never showing the user himself the link to the cryptographically signed zip file that contains your app. In addition, I physically delete the app’s cryptographically signed zip file after installation. This means that piracy becomes more difficult, but still, a seasoned hacker could easily deduce the link to your file, download it manually, and distribute it to his friends. My theory though is that as long as you provide actual value to your users, most will be happy to pay you to gain access to your app. If it turns out that I am wrong in the future, and an extremely high amount of users are using “pirated versions”, I might choose to change this practice. However, no guarantees are given on this! Notice, “extremely high percentage of piracy” implies more than 90%! Hackers were patching exe files back in the 80s, and it is simply impossible to guard against. Hence, creating all sorts of hoops and loops to defend against it is meaningless anyway!

If you’d like to distribute an Open Source app through my Bazar, you’re more than welcome to do that too – however, the rules are still the same, implying Adolf Hitler Nazi rules! I will not accept an app which I feel is intruding on my users’ privacy, just because it’s “Open Sauce”.

Do what you love, love what you do, and treat your customers’ privacy religiously – and you’ll probably be just fine!

For the record, yet again, if you do not like my Nazi Bazar rules, you are more than welcome to fork Phosphorus Five and create your own Bazar, with your own PGP key as a “trusted app distributor”, pointing to your own app declaration file(s). Just remember that if you wish to distribute closed source applications using P5, you’ll still need a license for each developer participating in creating the code for an app you choose to distribute. And make sure all developers who have created apps you distribute in your Bazar are actually legally allowed to do so, by for instance demanding to see their PayPal receipt before you distribute their apps.

If I come across an app which is being distributed as a proprietary app, and I know for a fact that this app’s developer does not have a valid proprietary license – I might choose to simply distribute the app as GPL, and create a GitHub repository containing its code! I also give no guarantee of a warning in this regard!

Stay legal!!

Creating your own Bazar

If you set up your own Bazar, you are legally obliged to make sure that all app creators in your Bazar have a valid proprietary license for Phosphorus Five, if you are distributing non-GPL software in your Bazar. If you allow users to distribute proprietary software in your Bazar, and the developers who created this software do not have the right to create proprietary software – you are actually participating in distributing illegal software yourself, as the owner of your Bazar. This is easy to verify though, by simply demanding from all your Bazar app creators that they send you a PayPal receipt for a proprietary license of Phosphorus Five.

Sorry, I too need bread and butter …

PS!
For the record, this blog post explains a future feature of Phosphorus Five, which is to be released in the upcoming release of P5. However, if you’d like to get a head start, feel free to start coding!

PPS!
You can expect Micro to be installed. Apart from that, you should not make any assumptions about additional modules being installed, and you must check for any other missing modules and/or apps, and lead users to the Bazar if these are not installed.

That said, creating and consuming events from other apps and/or components is considered perfectly valid, and developers are encouraged to not reinvent the wheel, but rather build incrementally upon each other’s work in these regards. For instance, Sephia Five has several publicly exposed Active Events, which other developers can use. However, if an event is not public, meaning it does not show up in a [vocabulary] invocation, you should *not* consume it, and should allow its developer to keep that event alone, as he sees fit for himself.

PPPS!
If you’re dirt broke, and can’t even afford a P5 license, but you have created the best app ever since the invention of sliced bread, and you wish to sell this app through my Bazar – I *might* choose to give you a license free of charge, if you ask me nicely. If so, make sure you explicitly ask me about this as you send me your app’s zip file for the scrutinisation process. However, if you choose this, you’re going to have to be at the point where you literally need to dumpster dive for food to not starve to death! And I might choose to demand proof of your lack of finances. And your app better be the best thing ever since the invention of sliced bread!!

PPPPS!
Everything is up for debate, just remember, I have the first word, and the last word!

The buck stops here!

Ohh yeah, almost forgot. If you’re working for one of those Silicon Valley Judas companies, go fuck yourselves!!

With the powers granted me from God the Almighty, I hereby declare Googleplex *OBSOLETE*!!
