
Google’s Monopoly is Stifling Free Software? - byuu
https://medium.com/@byuu_san/googles-monopoly-is-stifling-free-software-e63dea114f39
======
kyledrake
Running [https://neocities.org](https://neocities.org) I have a lot of
problems with Safe Browsing too. The way it works is secretive and arbitrary,
and there's absolutely nobody at Google (except a few friends which I hate
bothering) you can talk to about it when they make mistakes (which is quite
often). They also don't give you any way to programmatically manage reports;
I've been asking for an API for years and I still have to do everything
manually through their crappy UI. It's one of the biggest worries I have, that they
will make some arbitrary mistake that blocks millions of people and there's
nothing I can do about it and there will be nobody to talk to. Even their
"support forums" are just answered by weird non-employees that have decided to
give Google free tech support for some reason.

Google still hasn't figured out that the web is their content providers and
they need to support them, and treating their producers with contempt and
neglect is a glorious example of how stupid and shortsighted the entire
company is right now about their long term strategy (how many ads will you
sell when the web is a mobile Facebook app?). They should as soon as possible,
as a bare minimum, start providing representatives and support for the content
providers that make people actually use the web and help them to be
successful, similar to how Twitch has a partnership program.

~~~
tmpz22
There is a fascinating class system for users of Google products, from the
biggest GCP spenders who are treated immaculately, to free-tier youtube
consumers with adblockers who only exist to be A/B tested and tracked.

------
ameshkov
This “shoot first ask questions later” approach is typical not just for
Google, but for AV vendors as well. The problem is that in the case of Google
the potential consequences for a legit developer are much scarier: all
browsers are affected, the whole website may be blocked.

The other, even more serious issue, is that with Google there is no way to get
the feedback and learn what exactly they consider wrong?

Let’s also talk about their “unwanted software policy” that leads to this kind
of warnings. The policy mostly sounds okayish, but there are some points that
bother me. For instance, there is a point explicitly prohibiting working with
Google APIs in a nonstandard manner. What does that even mean? Can ad blocking
software that blocks Google's ad server be categorized as unwanted now? Or
any AV that scans Chrome downloads?

~~~
utopian3
Google’s typical approach is more like, “shoot first, ask no questions, and
provide no contact method”.

~~~
PaulKeeble
People would have a lot fewer issues with Google if it actually had support
contact that functioned. It is awful that they just kill a thing without even
contacting the author but it is made so much worse by the utter lack of
willingness as a company to even accept the possibility they made an error.

These sorts of problems are the reason I stopped doing Android and OS X apps;
being that beholden to companies who have shown time and again that they not
only wrongfully take down apps but also act anticompetitively in their
marketplaces is just asking for trouble. Stick to games and website apps and avoid
genuinely innovative takes on anything that Google (and Apple) has any remote
interest in or your business might just disappear overnight and you won't have
the funds to stop them.

This sort of protection is just messed up but I can't see the USA taking
action against this giant of a company any time soon. You still see people
complaining about EU fines for anti-competitive behaviour regularly here on HN
and yet they are a drop in the bucket. The web isn't free anymore and those
that want their data to be their own went underground into the self-hosting
community.

~~~
craftinator
Consider the scale at which they operate... How could they possibly turn a
profit given the number of people who use their free and paid services, and
the number of people who are pissed off at their business practices? I know I
want to call and harangue them at least once a month... Imagine if every
single Gmail user could do that. They would crumple over their own tech
support costs in just a few years.

~~~
not2b
They could afford it. It would be expensive but they are so hugely profitable
that the cost of a large customer support team would be a small drop in the
bucket of incoming cash.

------
zozbot234
This has nothing to do with Google's monopoly. MS Windows will also warn about
unsigned executables downloaded from the Internet, at least until these have
become well-known enough. Reproducible builds will definitely help with this,
both by establishing social trust in your release and by having a single
version of the binary that will eventually stop getting these warnings.

Apple has similar issues these days, with their weird "app notarization"
requirements that may even require you to pay the platform vendor in order to
be acknowledged as a "trusted" developer.

~~~
ENOTTY
I think the author’s point is that Google’s standard for what constitutes a
trustworthy download creates a barrier that may prevent the new app from
gaining a userbase large enough to sustain itself and get onto Google’s safe
browsing list. This is the definition of limiting market access.

Google’s standards are arbitrarily set and applied, with no evidence of
community involvement in setting those standards.

This describes the precursor to monopolistic behavior.

~~~
Frost1x
Obviously, you should rewrite your application using SaaS paradigms and
implement everything on GCP. /sarcasm

------
nneonneo
Sadly this is really one more line of defense - perhaps one of the last lines
of defense - against the pervasive threat of malware which has massively
eroded trust in downloadable binaries. This has been going on for decades, but
the rise of money-making ransomware has given criminals a powerful new profit
motive for making and distributing malware every possible way they can.

Let’s take some examples from the post. If a domain is 15 years old and
implicitly trusted by this point, then an attacker is just going to compromise
an ancient WordPress install to post malware.

If an OSS developer occasionally releases software, attackers might approach
them to add a new SDK or monetization opportunity (happened many times to VLC
- good thing JBK hasn’t been tempted!), or just straight up attempt to
compromise their infrastructure (e.g. download servers, has happened to many
pieces of software like Transmission).

If we actually had Let's Encrypt for code, attackers would trivially get certs
for their stuff. Then end-users would have to decide which certs to trust or
not, which would significantly weaken the purpose of code-signing.

Short of just sandboxing all binaries by default, I don’t see a great solution
to make binary downloads safe. macOS is already moving very heavily in that
direction.

~~~
zackees
Or maybe the vulnerabilities should be handled at the OS level with
confirmation of privileged access at the user level. If I download a notepad
app and it asks me to record, that is something I can respond to.

The OS vulnerabilities being exploited should be fixed. A whitelist solution
managed by unaccountable tech oligarchs should be laughed at and then resisted
at all costs.

~~~
nneonneo
Yes, this is more or less sandboxing. The fact that a freshly downloaded
binary has r/w access to all of my files should be considered a vulnerability
nowadays. The macOS approach, in which a binary only gets access to files that
are explicitly selected through the OS’s file chooser, is a good first step.
The downside is that it can get very annoying for the user. An ideal solution
for desktop machines still doesn’t quite exist.

~~~
contextfree
That is also the UWP approach on Windows (though there are also ways to grant
a UWP application broader filesystem access).

------
dTal
HN meta comment:

Once again, the title has been (ungrammatically) editorialized with a question
mark. It would appear that this is HN editorial staff policy[1]

What is the purpose of this policy, and in particular what criterion is being
applied here, that does not apply to (e.g.) the (considerably more subjective)
title "McDonald's holds communities together" which remains un-editorialized
on the front page of HN?

I am similarly curious about the difference between "Apple News No Longer
Supports RSS"[2] and "Google bans niche browsers from Gmail"[3] (to my eyes
they are virtually identical submissions - third party forum-based
verifications of changed behavior of Big Five software).

[1][https://news.ycombinator.com/item?id=21767023](https://news.ycombinator.com/item?id=21767023)

[2][https://news.ycombinator.com/item?id=21892714](https://news.ycombinator.com/item?id=21892714)

[3][https://news.ycombinator.com/item?id=21765615](https://news.ycombinator.com/item?id=21765615)

~~~
ebcode
The question mark is absolutely unnecessary, and gives credence to the idea
that the site admins are somehow biased in Google's favor. I would like to see
this stop as well?

------
jfoster
This problem also occurs for "downloads" that are generated purely in
javascript. I see this warning in the search console for BulkResizePhotos.com
and (as the article mentions) even after having it reviewed and passing the
review, the warning comes back within a week or two.

Dreading the day that Google decides to turn this warning into a search
penalty. The other image resizing websites typically upload the images to
their server and download the resized ones back again. That sucks for users,
who have to wait for all that to happen and have the privacy of their images
put at risk.

------
garganzol
Here is an actionable plan:

1. Create a DNS record for a subdomain and name it something like
downloads.byuu.org.

2. Put a file there. The preferred naming scheme is to categorize it by
product or product category, so something like
downloads.byuu.org/emulators/higan.zip will do fine.

3. Start by putting the downloads in non-executable file formats first, e.g.
use higan.zip instead of higan.exe. It's a no-brainer for a Windows user to
launch the file from a ZIP archive.

4. Make links to downloads from your main website as you would usually do.

5. Everything should be smooth now.

6. Your downloads.byuu.org subdomain will slowly gain reputation.

7. Once it has an established reputation, you will be able to put .exe files
there. Gaining the reputation will take several months. I would expect
about 12 months to be on the safer side.

8. Enjoy and be creative.

~~~
byuu
My main website has a domain authority of 53; a subdomain with the same IP
would be seen as the same site (I used to use subdomains and have seen this
firsthand); a subdomain with a different IP would start me over which is a
very bad thing (I've been struggling with byuu.net in this regard.)

The URL scheme is the convention I follow, but I also include the version# in
the file name.

I did put the executable inside of a ZIP archive, along with a text database
and a few video pixel shaders. One change I made recently was moving from .7z
to .zip since some users don't have 7-zip installed, but I presume Google is
smart enough to scan inside 7-zip archives even if Windows isn't (out of the
box at least.)

I've been providing these releases for fourteen years now. I have no idea what
suddenly changed other than it took about two years to release a new version
due to a lot of massive changes.

I appreciate the reply all the same, thank you for taking the time.

~~~
garganzol
> a subdomain with a different IP would start me over which is a very bad thing

Cannot confirm that. IP is virtual thing in terms of HTTP web hosting. I have
experience with attaching fresh IPs to existing domains and attaching fresh
domains to old IPs: the only thing that matters for HTTP reputation is DNS.
IPs do not really matter unless they are seriously blacklisted by a manual
action (which is not your situation I presume).

> Google is smart enough to scan inside 7-zip archives

Google sees raw EXE files as a risk factor. Once domain serves a naked EXE,
Google gives it a higher risk score.

Publishing an EXE file inside archive (of any format) significantly lowers
that risk because an archive cannot be directly executed by OS.

(Please note that a lot of corporate internet gateways do not allow naked EXE
files via HTTP for the very same reason)

~~~
byuu
Well it would be both, right? A new IP and a new subdomain. When I did that
for a wordpress install it had very low (<10) DA. I trust your experience more
than my one attempt though.

Also my program was inside a ZIP archive. It did not help me.

------
GordonS
You can get code signing certificates _much_ cheaper than that - I paid $234
for a 4 year certificate from K Software (IIRC, they are a Comodo reseller).

Yes, it's still money that cash-strapped OSS devs might not have, or indeed
might not want to pay on principle. And yes, the validation process is a total
farce and a PITA.

But I don't think it helps the argument to use the most expensive certificate
they could find as an example.

Also, having a cert does not mean your software won't be marked as "uncommon"
- presumably Google (and Microsoft) use a certificate as a signal, but it
seems only the number of downloads _really_ counts. And I do agree with the
thrust of the article, that this harms OSS and indeed small businesses.

------
_Marak_
First off, thank you for bsnes. Have used it a lot in the past.

It's a tough call, but it's somewhat understandable what Google is doing.
Arbitrary binary downloads from arbitrary websites are for the most part a
problem for the majority of users.

There is nothing stopping a savvy user from still finding and downloading your
binaries. You should probably figure out a better distribution channel.

Remember that all the hoops you have to jump through to get a signed binary
are also required for anyone who would want to pirate your software and re-
release it with a virus ( which I have seen done in the emulator community
before ).

------
akerro
Some rant about monopoly published on medium, while I run out of free-articles
for this month...

~~~
enjoyyourlife
The article explains why it was published on Medium instead of the author's
personal website

~~~
akerro
Ironic.

------
ognarb
For almost 9 months, KMail (the KDE mail client) has been blocked from
accessing GMail. See
[https://bugs.kde.org/show_bug.cgi?id=404990](https://bugs.kde.org/show_bug.cgi?id=404990)

~~~
trasz
Only when trying to use Google’s proprietary auth method. The standard one
works just fine, even in mutt.

~~~
arminiusreturns
Wait, they aren't using OAuth or SAML? I still use IMAP/POP so I haven't tried
that method in a long time.

------
jariel
Needs smart regulation. I can't fathom many governments smart enough at this
level of granularity. Maybe when Gen X-ers or millennials are fully in charge.

The simplest regulation could be: all policies have to be transparent,
consistent, with predictable outcomes, and there must be a process for
addressing grievances.

Then Google would have to hire 20 000 support people and act like a regular
company.

~~~
fauigerzigerk
I agree it's difficult to get right, starting with basic questions such as how
to define a market.

Detailed regulation of specific markets often misses the mark or comes far too
late. I think it's time for a radical rethink of competition policy.

For instance, I wonder what would happen if we were to ban all mergers and
acquisitions involving companies above a certain size.

It's obviously a very blunt instrument and I can think of many good arguments
against it.

But I think we need simpler rules that are less prone to policy mistakes,
protectionism, arbitrary definitions and selective enforcement.

~~~
jariel
"For instance, I wonder what would happen if we were to ban all mergers and
acquisitions involving companies above a certain size."

This is de-facto the case. Mergers are monitored by the FTC etc. subject to a
lot of scrutiny.

Unfortunately, even with this - it's really, really hard to define what
monopolies and anti-competitiveness really is.

Some think Disney should not own distribution, but Apple is also vertically
integrated - and distribution channels are so volatile it's hard to regulate.

It's possible things might settle down in a few years and we might be able to
establish boundaries.

~~~
fauigerzigerk
_> This is de-facto the case. Mergers are monitored by the FTC etc. subject to
a lot of scrutiny._

No, it's not the case. Only mergers between two large companies are monitored
and then they are allowed to go through most of the time.

What I'm talking about is banning all M&A (and even certain asset purchases)
where _one_ of the companies involved has more than, say, $20bn revenue (or
some industry specific metric). Large companies would only be allowed to grow
organically.

Obviously startups and VCs would hate the idea, because it would block one of
the most favoured exit strategies. What it would mean is that startups would
have to sell themselves to medium sized companies, join forces with each
other, and/or go public and compete with the giants.

~~~
jariel
Yes, it's 100% the case that the FTC reviews all M&A of sizes substantially
smaller than $20B in revenue. There are reporting requirements, and it's
something like if the merged entity has >$200M assets (I'm not sure of the
details but something like that), they have to report the merger to the FTC
beforehand.

The FTC probably should allow most mergers to go through.

It would likely not be efficient for companies to not be able to acquire one
another beyond a certain scale, I suggest deference should be given to the
liberal side of the equation, with regulation affecting only within certain
constraints.

The hard part really is defining those constraints, and determining what
constitutes anti-trust.

AWS massive subsidy of their delivery operations putting FedEx out of business
by shipping for less than cost would be ... problematic. Taking Search profits
and giving away Android for free is a form of dumping. But then without this,
some entire industries might not exist!

~~~
fauigerzigerk
_> Yes, it's 100% the case that the FTC reviews all M&A of sizes substantially
smaller than $20B in revenue._

Maybe so, but it is not the case that mergers get blocked purely based on the
size of the companies involved. It's simply not lawful for the FTC (or other
regulators) to do so.

_> The FTC probably should allow most mergers to go through._

That is the status quo and it is clearly unsatisfactory in some areas.

_> I suggest deference should be given to the liberal side of the equation,
with regulation affecting only within certain constraints._

I completely understand why you are saying that, and it has always been my
preference as well.

But the problem is that these constraints have become so difficult to specify
that the likelihood of ineffective, counterproductive or abusive regulation
has risen dramatically.

That's why I'm wondering whether it wouldn't be better to accept that size
itself inevitably creates problems that no case-by-case game of whack-a-mole
will ever solve.

We need simpler rules that can be consistently enforced.

I'm far from convinced that my particular idea is any good. I'm just putting
it out there as an example for the kind of simplicity that I think we need.

------
lupire
What's the problem here? Google is being honest. It's up to the publisher to
convince the user that they are trustworthy enough to bypass Google's warning.

They can explain the issue on a web page gating the download page.

What alternative is there? Even if I trust you, how do I know a hacker hasn't
cloned your site and added malware?

------
crazygringo
Let's face it... the average user should not be downloading executables from
the web _ever_ these days, except to use Safari or Edge to download Firefox or
Chrome. (Or a handful of trusted brands like Adobe, Microsoft, etc.)

There's no trust, accountability, or security. Instead, app stores and package
managers provide these things. They're not perfect, but they're waaay better
than totally untrusted binaries.

And if you're an advanced user, you can ignore the warning. Or know to
download binaries linked from a project's GitHub page, etc.

Let's face it: the "open web" is not a secure or trustworthy place for
downloading binaries period, unless you're on a well-known trustworthy site
(again -- Mozilla, Microsoft, Adobe, etc.).

~~~
danShumway
I disagree with this on two points:

- First, I disagree that every program an average consumer might want or need
is available on an app store.

- Second, I strongly disagree that app stores provide security, trust, and
accountability.

App store security is really bad. At best, we have Debian repos, which are
clean-ish mostly because nobody cares about writing malware for desktop Linux
so the moderation is much easier. At worst, we have Windows store and Android.
These platforms are not effective at screening out malware, because content
moderation doesn't scale to these levels, and blocking malware is just another
form of content moderation.

Telling people to trust app stores and not downloaded binaries is like telling
them to trust Amazon and not Ebay. You're right, there is technically a
difference, but the difference is not big enough to matter. If you download
random things from _any_ source, you will mess up your computer. It'll just
happen faster with downloaded executables.

There is (unfortunately) no shortcut to get around teaching people about
security. At some point, native platforms will catch up to where the web was
10 years ago and start doing a better job of sandboxing executables, and then
the job of educating users will be easier. We're just unfortunately living in
the world where that hasn't happened yet.

"Get rid of unofficial software" is counterproductive to what we actually need
to do -- to update our native permissions and security models to match modern
users' requirements. But even though mass-moderation is a band-aid fix that
doesn't even work well right now, it's heavily promoted by companies like
Apple, Google, and Microsoft because under the guise of security it gives them
a new stranglehold over the common-user software market, which was
traditionally un-monetizable by them.

~~~
creato
> App store security is really bad.

Maybe so, but it's still significantly better than native binaries.

> Telling people to trust app stores and not downloaded binaries is like
> telling them to trust Amazon and not Ebay. You're right, there is
> technically a difference, but the difference is not big enough to matter. If
> you download random things from any source, you will mess up your computer.
> It'll just happen faster with downloaded executables.

The difference very much does matter. I suspect many people on this website
have had the same experience as me: I had to do frequent "maintenance" on my
parents' computers because they got filled up with IE toolbars and whatever
other BS they could find to screw up their computers. After the switch to
phones and app stores, this doesn't happen any more.

People without family members capable of fixing that sort of old problem are
both (probably unconsciously) grateful for the app store takeover, and vastly
more numerous than indie software developers grouching about not being able to
run any code they like on anyone's computer anymore.

~~~
temac
The problem has not been solved mainly by the store though.

It has been solved by sandboxing.

------
NewEntryHN
Surely users savvy enough to trust a binary are savvy enough to disable the
warning.

------
nova22033
_Google has an undeniable monopoly on search, and a near-monopoly on web
browsing software via Chrome and its forks._

Why is Chrome a monopoly? It doesn't even come pre-installed with Windows.

~~~
the8472
It will soon, in the form of Edge.

~~~
nova22033
And using Chromium for Edge was entirely Microsoft's choice. They weren't
forced to use it because they had no other choice.

~~~
the8472
Doesn't change that it gives more power to google to shape web technologies.

------
cbhl
"Make it cost money" is, unfortunately, the first line of defense when dealing
with bad actors. This is why some folks get prompted for SMS 2FA if the ML
model thinks they're suspicious: a cell line costs Real Money.

Microsoft, Google, and Apple all require certificate signing for software to
show up as "trusted" ($350/year is really really annoying, but it is an
insurmountable wall for someone distributing hundreds of bad apps). Google's
approach lets popular free software get a pass without having to pay, but,
yes, it's a trade-off.

In my opinion, the easiest thing to do is to (1) put the windows binaries on a
separate domain, (2) provide screenshots (not links) telling people how to
download them from the other website, (3) include screenshots of how to bypass
the Google warning, and (4) include instructions on how to verify the
authenticity of the binary out-of-band (checksum, etc). This matches how folks
handle other unsigned binaries (for example, drivers).
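An added example of step (4), out-of-band verification, that is not code from the thread or from byuu's releases: the publisher writes a SHA256SUMS-style list on the main site, and the user checks the archive fetched from the separate downloads host against it, treating both a digest mismatch and an unlisted file name as a failure. The file names (higan.zip, bsnes.zip) and archive bytes are constructed stand-ins.

```python
"""Out-of-band SHA-256 verification for an unsigned binary download.

Assumption (added example, not the project's own tooling): the publisher
posts a SHA256SUMS file on the main site, one "<hex>  <filename>" line per
artifact (the format `sha256sum` writes), while the archives live elsewhere.
"""
import hashlib
import hmac
import tempfile
from pathlib import Path
from typing import Dict, List

CHUNK = 1 << 20  # hash large archives in 1 MiB chunks instead of reading whole


def sha256_file(path: Path) -> str:
    """Return the lowercase hex SHA-256 of a file, streamed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def write_sums(artifacts: List[Path], sums_path: Path) -> None:
    """Publisher side: write a SHA256SUMS file for the release artifacts."""
    lines = [f"{sha256_file(p)}  {p.name}\n" for p in artifacts]
    sums_path.write_text("".join(lines))


def parse_sums(text: str) -> Dict[str, str]:
    """Parse "<hex>  <filename>" lines; a leading '*' (binary mode) is allowed."""
    expected: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")
        digest = digest.lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"malformed digest line: {raw!r}")
        expected[name] = digest
    return expected


def verify_download(downloaded: Path, sums_text: str) -> str:
    """User side: return 'ok', 'mismatch' or 'unlisted' for the downloaded file.

    'mismatch' means the bytes differ from what the publisher listed (a corrupt
    or tampered copy); 'unlisted' means the name is absent from the list, which
    the user should treat as a failure rather than a pass.
    """
    expected = parse_sums(sums_text)
    if downloaded.name not in expected:
        return "unlisted"
    actual = sha256_file(downloaded)
    return "ok" if hmac.compare_digest(actual, expected[downloaded.name]) else "mismatch"


def demo() -> Dict[str, str]:
    """Build constructed sample artifacts in a temp dir and exercise both sides."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        good = d / "higan.zip"  # constructed stand-in for a release archive
        good.write_bytes(b"PK\x03\x04constructed-archive-bytes")
        other = d / "bsnes.zip"
        other.write_bytes(b"PK\x03\x04another-constructed-archive")
        sums = d / "SHA256SUMS"
        write_sums([good, other], sums)
        text = sums.read_text()
        results = {"good": verify_download(good, text)}
        # A copy from a mirror with the same name but different bytes.
        tampered = d / "mirror" / "higan.zip"
        tampered.parent.mkdir()
        tampered.write_bytes(b"PK\x03\x04altered-archive-bytes")
        results["tampered"] = verify_download(tampered, text)
        # A file the publisher never listed at all.
        stray = d / "higan-nightly.zip"
        stray.write_bytes(b"PK\x03\x04")
        results["unlisted"] = verify_download(stray, text)
        return results


if __name__ == "__main__":
    print(demo())
```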

~~~
steelframe
> include screenshots of how to bypass the Google warning

So it's Windows Vista UAC all over again. Truly there is nothing new under the
sun.

------
aabbcc1241
What if your site detected Google Chrome and said it's not supported, then
encouraged users to download another browser, like Firefox?

YouTube did that to other browsers, so sites could do that to Chrome.

~~~
jonny_eh
I work on YouTube's front-end and we work very hard to maintain cross-browser
compatibility.

~~~
wizzwizz4
What does "cross-browser" mean? Do you test any browsers other than Firefox
and Chrome?

~~~
TingPing
At this stage there are only 3-ish modern web engines (Those plus WebKit).

------
karmakaze
> Google has an undeniable monopoly on search

This is not necessarily a lasting fact. DuckDuckGo works just fine and as
for browsers so does Firefox. Even learning the differences in browser
devtools isn't as hard as it seems. Don't presume the premise that produces a
doomed conclusion.

Edit: why have I never run into this problem? Am I not a heavy app user or is
this mostly on Windows?

~~~
ravenstine
It may not necessarily be a lasting fact, but it probably will be. Google has
over 90% of the market share, and the average person is so asleep and so
apathetic that they'll continue to get a warm fuzzy feeling every time they
see the friendly looking Google logo.

~~~
vntok
That, plus the competition (Qwant, DDG, Bing, etc) doing a comparatively
terrible job.

~~~
iudqnolq
Plus the competition is singular in the West. Everyone packages Bing results
with some sugar on top.

Only companies with real search crawlers are Google, Baidu, Yandex, and
Microsoft.

------
squarefoot
If the web was a software or an operating system, someone would have already
forked it years before it became that f'd up.

------
diego_moita
A solution on Windows might be to make it available through the Microsoft
Store. The whole process of authentication is free and the download and
installation bypasses the browser.

I understand it is an awful solution. But, like in politics, sometimes an
awful solution might be your less bad choice.

~~~
byuu
That may possibly be a solution for many, but Microsoft and Apple both forbid
emulators (the software I create and distribute) from their app stores, in
spite of repeated and unanimous court rulings establishing their fair use
legality.

I still don't in general like the slow erosion of the web, however.

~~~
lupire
The web is stuffed with malware. That's not Google's fault. Our computers have
more value to protect than before. That's a good thing, but it requires
security. Instead of focusing on your download metrics for software you aren't
even charging for, think about your users who don't know the difference
between you and a thousand malware sites that look like you.

~~~
dvdkon
Security here means training users to ignore yet another popup?

------
GordonS
EV code signing certificates are expensive - the cheapest I can find is $250/y
(and only if you buy 3 years up front).

I really wish Let's Encrypt, or _someone_ would offer free or at-cost EV code
signing certificates.

------
eeZah7Ux
"stifling" is an understatement. Large companies have been coopting community-
driven Free Software into corporate-driven Open Source for decades.

Name the top 10 most hyped open source projects of the year.

Which ones are not corporate owned?

------
fulldecent2
The solution is you open a lawsuit against Google for defamation.

Then you use Hacker News and other resources to develop your arguments and
collect money from people that care to help.

------
mdale
It's simply not a good idea to download and install binaries from arbitrary
websites. It's been too heavily abused. It's not a reasonable strategy to have
Google or anyone sort through that mess outside of systems or services that
have been designed to handle this problem.

GitHub, OS and free package managers or other aggregators provide mechanisms
to share trust, moderate and review posted binaries.

Consider using these, i.e. instruct users to install via their package manager.
If your audience is not technical then you need to put it in the common man's
package manager, the app stores :/

~~~
GordonS
> GitHub, OS and free package managers...

I take your point, but if you download executables from Github using Chrome,
IE or Edge, you're still going to get a warning when it's deemed "uncommon".

The only real option on Windows is the Windows Store, which AFAIK is only for
UWP apps.

There is chocolatey and scoop, but I find chocolatey a bit of a mess (e.g.
duplicates, never certain which is the "main" download), and while scoop is
good, the selection is still relatively small. These are also only really used
for OSS software, which doesn't help ISVs.

------
ManuelKiessling
Questions have been phrased in a strange new way in the English language for
some time now?

Or is it just me (a non-native-English-speaker)?

~~~
comex
It's called a "declarative question", and it can be used in a few different
ways. The most common is when repeating someone's statement back to them:

"The sky is blue."

"The sky is blue?"

This requests confirmation, which can imply either "did I hear you correctly?"
or "are you sure?".

It can also be used to request confirmation for a statement you're not
repeating, like in these examples:

[https://www.reddit.com/r/grammar/comments/16ogm8/question_ma...](https://www.reddit.com/r/grammar/comments/16ogm8/question_marks_in_sentences_that_arent_questions/c7y51qf/)

But that tends to come off as presumptuous in most cases.

The use here is more informal. It can't be requesting confirmation, since it's
not addressed to a single person, so it's just indicating general skepticism
or uncertainty. In that case it's more of a statement than a question; you
wouldn't answer it yes or no.

------
iruoy
He could just add the windows binary to the github releases[0] and link to
that though. I'm not sure if linking directly to the binary will cause similar
problems, but he can at least publish the binary and link to the latest
release.

[0]:
[https://github.com/byuu/bsnes/releases](https://github.com/byuu/bsnes/releases)

~~~
byuu
If it happens to flag my GitHub page, I'm not really in a better position as
far as being able to distribute my software goes. It would also be problematic
if other sites began linking to my releases page instead of my official page
which also includes documentation, screenshots, feature lists, etc.

If I can get a confirmation from someone at Google that they will trust GitHub
download links more, then I'm willing to go this route for now.

~~~
gdm85
From my experience this works fine (using links to GitHub downloads), see also
my other reply.

They don't give score to "GitHub accounts" but they use some form of
score/accountability based on the domain. As far as I know the main vector
they are trying to protect users against are emails with links to binary files
hosted on random hacked servers.

------
ginko
*Is Google's Monopoly Stifling Free Software?

------
beefhash
> And that is to say nothing of the risks you take these days online by
> publishing your legal name.

I understand that you're in a risky line of “business” with emulation, where
one wrong step can get you some lovely letters from lawyers. However, for the
sake of argument: Is there any reason you couldn't get someone else to lend
you their name so that they act under their real name for you? Surely that'd
be an option for risk-averse people.

> In my own case, this has effectively prevented me from releasing compiled
> binaries of my own software going forward. If code signing is a requirement
> to distribute free software, then we need a Let’s Encrypt-style alternative
> for code signing—yesterday.

The whole point of a code signing requirement is to add a paywall so that only
two kinds of people will have access to it: Bad actors sophisticated enough to
steal a code signing certificate from someone who has purchased them.

It's a net gain for security. Software freedom, considering increasingly
prevalent SaaS and closed-source apps on mobile devices, is already lost. So
if we've already lost software freedom—as far as I can tell, more or less
irrevocably—then we might as well at least reap the security benefit for the
common person while we're there.

~~~
byuu
> However, for the sake of argument: Is there any reason you couldn't get
> someone else to lend you their name so that they act under their real name
> for you?

It's possible, but I would find it to be rather unethical. I am much more
willing to allow an EV certificate to sign my software, or if I could get the
BBB to respond to my requests to register with them, I could even consider
purchasing my own EV certificate for my LLC. (my understanding is that the EV
validation process confirms your business' validity through its BBB listing,
and an article of incorporation is not enough.)

> The whole point of a code signing requirement is to add a paywall so that
> only two kinds of people will have access to it

Why are the web and Let's Encrypt any different? Websites execute code that can
potentially harm your computer (via zero-days.) A paywall harms free software
developers who can't afford hundreds of dollars a year for certificates, which
is not a problem for me, but would be for many folks.

~~~
lupire
Locks and keys harm poor people who can't afford them. Filtering water harms
poor people who can't afford to remove pollution. Blame the criminals, not the
security providers and consumers.

------
dragonwriter
> Google has an undeniable monopoly on search

Google has a large share of search activity, but it's not at all clear that
they have pricing power on search (the usual yardstick for a monopoly) or that
search is even a market at all, since no one pays for it.

Search _advertising_ is a different story, of course.

~~~
byuu
Google receives 92.42% of US search results. If you want new customers or
users to find you, there's no choice but to do as they say. Also see AMP and
media publishers.

~~~
vntok
Google _earns_ 92.42% of those search results, by being better, at least
subjectively, than their competition.

Now if you listen to the various whines of said competition, Google sure looks
objectively better too, using extreme personalization to drive more relevant
search results to their userbase.

There is no pressure there. If alternate search engines were subjectively (not
even objectively!) better, people would switch overnight. After all, they are
just a click away.

~~~
byuu
> Google earns 92.42% of those search results, by being better, at least
> subjectively, than their competition.

Have you tried Google search lately?

It is almost never the case in technology that the superior product wins. It's
the first to market with a really killer product. It takes massive inertia to
displace an incumbent, and Google managed it because search engines prior to
it were nearly useless portals (Yahoo, AltaVista, AskJeeves, etc.)

The requirements and conditions to displace Google now are virtually
impossible, and that's even _before_ factoring in their massive data profiling
advantage.

------
marcus_holmes
I'm assuming this is free-as-in-beer software? Because the default
distribution mechanism for free-as-in-speech software is Github, these days.

Can't you add it to the Windows/Mac/Ubuntu App Store, though? There seems to
be lots of free apps on there...

~~~
thristian
Some developers like to establish a relationship directly with their users,
not pay (in dollars, or advertising) a middle-man like GitHub, GitLab, or an
App Store.

~~~
marcus_holmes
OK, I get this.

But look at it from the other point of view: how does a non-technical user
determine if a binary download is malicious?

And how, then, does Google/Microsoft/Apple protect those users from their
ignorance?

Given that the internet is full of people attempting to get non-technical
users to download malicious software, often by mimicking exactly the sort of
site the OP has created, then is it really practical to insist that
Google/Microsoft/Apple allow the OP's site to download software to a user's
machine freely?

The advantage of the middle-man is that it acts as a trust agent (not
necessarily well, of course). If you download a malicious binary from an App
Store, that is the App Store's fault for letting it on there in the first
place.

~~~
thristian
Sure, you need some kind of middle-man as a trust agent, but
Google/Microsoft/Apple are not the only possible trust-agents, and their model
is inherently biased towards certain useful software production models.

Let's say I keep bees as a hobby, and I write some small piece of software
that tracks and calculates something to do with honey production. I post it to
my favourite bee-keeping forum, other people try it and like it, and when a
new bee-keeper joins the forum they're often advised by forum regulars to try
my software out too.

That kind of software can be a huge help to people, but it's not a good fit
for an appstore because it's never going to turn a profit, and at least on
Apple's store (with the $99/year publishing fee) it'll drain money quite
predictably and regularly.

A bee-keeping forum will never be trusted by as many people as
Google/Microsoft/Apple, but the people who do trust it probably trust it a lot
more.

------
tytso
The article talks about "free and open source" software in its text, so it's
clear that "free" is referring to FSF version of free.

But then it talks about distributing binaries. Cry me a river; most FOSS can
and should be distributed primarily in source form, in a git repo hosted on a
site like github. FOSS software can be released via distributions that can
supply controlled, and accountable, and digitally signed binary packages to
end users who aren't skilled enough to build from source. This includes
Debian, SuSE, Google Play Store, Amazon App Store, Microsoft store, etc.

Training users to download binaries from random web sites? That's a security
disaster, and it's a Good Thing that web browsers discourage such reckless
behavior.

~~~
temac
This also affects freeware / shareware / people who want to avoid "store"
monopolies and their associated tax. This also affects people who are used to
downloading binaries from reputable sites, because Google did not manage to
understand correctly what is reputable or not (and honestly trying to automate
_everything_ in this area is a recipe for disasters).

~~~
bshacklett
One alternative is a package manager like
[https://scoop.sh/](https://scoop.sh/). Its built-in repositories are
vetted/curated, free to publish on and simple to install/use.

There is the downside that it's a cli-based app, but that's easily overcome
with a GUI frontend add-on.

One of my favorite parts of its architecture is that it's got a mechanism for
adding third party repositories (buckets), so while the publishing policy for
the main bucket is mostly limited to development tools, it wouldn't be hard
for the community to build a new bucket for independent software developers to
use as a general distribution mechanism.

------
staticvar
FWIW, if you distribute your app as an installable PWA, the google guidelines
are clear for reducing install friction on Windows/Chrome/Mac/Android and
Let's Encrypt is your cert generator. Perhaps platform vendors treat binaries
as malicious by default because it so often leads to privilege escalation. Build
an app in the web context and you have a cross platform sandbox with a
standardized permission model. Alas, this is not very helpful advice for folks
who haven't grown up developing for the web.

~~~
zozbot234
OP develops emulators (and high-fidelity ones, for that matter), these have to
be native apps in order to attain the required performance. Webcrap just
doesn't cut it, you can go to the archive.org games showroom and watch it peg
your cpu to 100% and spin up your fans (while looking terrible and adding huge
latency) if you want proof. No offense intended for archive.org, they're great
at what they do. But still.

~~~
jraph
> Webcrap

No need to be this dismissive.

> if you want proof

While I agree that there are many reasons to prefer native technologies in
many cases, this is not a proof. A clue, at best.

------
creato
I think these layers of security against native binaries are a good thing,
even though it upsets indie software developers (me included).

I used to distribute some small freeware tools for windows computers for a
long time (~10 years). I stopped distributing binaries and only distribute
source now (despite the fact that this likely cuts the user base literally to
probably 0), because I decided it was simply impossible for me to guarantee
the safety of these binaries.

I also got hassled by these security measures from MS/Google/etc., but
honestly, they're right. I was making non-reproducible builds with
dependencies I couldn't fully control on an insecure computer, uploading to a
web host that I can't really trust, and letting the binaries sit there for
months/years.

I used WordPress for a while, and it _did_ get hacked a few times, despite
keeping it reasonably up to date. I was first alerted to these hacks by google
telling me they found malware on my site and were alerting people to that
fact. My first reaction was obviously to be mad at google, but they were
right.

Eventually I switched to a static website. But even that is hard to be fully
confident in. I'm still trusting a cheap web host to keep their Apache (and
whatever else) up to date. I bet cpanel is a cesspool of vulnerabilities given
how janky I've observed it to be.

I suspect some or all of the above is true for the majority of the developers
negatively affected by these security measures.

If you _can_ actually be fully confident in your whole build and distribution
stack, then you can probably easily afford the compliance/certificate costs to
meet MS/Google/Apple's requirements to avoid getting flagged by these security
measures.
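The comment above describes the core risk of self-hosted binaries: a build uploaded once and left on a web host the developer cannot fully trust, where a later compromise of that host can swap the file out unnoticed. The script below is an added example, not code from the thread or from the bsnes project, showing the minimal defensive measure for that case: generating a SHA256SUMS manifest at release time on the build machine, and re-verifying the hosted files against it later so a silent substitution is detected. It assumes a POSIX shell and either `sha256sum` or `shasum`; all file names and contents are constructed for the demo. The caveat a practitioner should keep in mind is that a manifest stored next to the binaries on the same host can be replaced along with them, so the manifest must be served from a second location (or signed) for the check to hold against a host compromise.

```shell
#!/bin/sh
# Added example (not from the thread): checksum manifest for a release directory.
# Assumes POSIX sh and sha256sum (coreutils) or shasum (macOS/perl).

# Print the SHA-256 hex digest of one file, using whichever tool is present.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# make_sums DIR: write DIR/SHA256SUMS covering every regular file in DIR
# (except the manifest itself). Run this once, at release time, on the
# build machine, and keep a copy of the manifest somewhere other than the
# web host that serves the binaries.
make_sums() {
    dir=$1
    : > "$dir/SHA256SUMS"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        [ "$name" = "SHA256SUMS" ] && continue
        printf '%s  %s\n' "$(sha256_of "$f")" "$name" >> "$dir/SHA256SUMS"
    done
}

# verify_sums DIR: return 0 if every file listed in DIR/SHA256SUMS is present
# and matches, 1 otherwise. Each missing or altered file is reported.
verify_sums() {
    dir=$1
    status=0
    while read -r expected name; do
        [ -n "$name" ] || continue
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name"
            status=1
            continue
        fi
        actual=$(sha256_of "$dir/$name")
        if [ "$actual" != "$expected" ]; then
            echo "MISMATCH $name"
            status=1
        fi
    done < "$dir/SHA256SUMS"
    return $status
}

# Demo on constructed files: a fake release, its manifest, then a tampered copy
# standing in for a binary replaced on a compromised web host.
demo() {
    work=$(mktemp -d)
    mkdir "$work/release"
    printf 'constructed fake binary v1\n' > "$work/release/tool-v1.zip"
    printf 'constructed changelog\n' > "$work/release/CHANGELOG.txt"
    make_sums "$work/release"
    if verify_sums "$work/release"; then
        echo "clean release verifies"
    fi
    printf 'something else entirely\n' > "$work/release/tool-v1.zip"
    if verify_sums "$work/release"; then
        echo "tamper NOT detected (unexpected)"
    else
        echo "tamper detected"
    fi
    rm -rf "$work"
}

demo
```

Running the script prints `clean release verifies`, then `MISMATCH tool-v1.zip` followed by `tamper detected`. A periodic cron job calling `verify_sums` against a manifest fetched from a second location turns this into a cheap tamper alarm for binaries that "sit there for months/years", which is exactly the exposure the comment describes.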

