pastk · Dec 6, 2024 · Dec 8, 2024
Showing with 91 additions and 0 deletions.

+88 −0 2024-12-06 DISCLOSURE OF THE CODE.md

+3 −0 wrangler.toml
diff --git a/2024-12-06 DISCLOSURE OF THE CODE.md b/2024-12-06 DISCLOSURE OF THE CODE.md
@@ -0,0 +1,88 @@
+Originally posted on 2024-12-06: https://github.com/orgs/organicmaps/discussions/9837
+
+Today I am announcing the public disclose of the source code of so-called "metaserver", that previously was available only to few people of the team. At Organic Maps, we prioritize transparency and open communication with our community and committed to making our source code publicly available, ensuring that users can fully engage with and contribute to the project.
+
+=> https://github.com/organicmaps/meta (MIT License)
+
+## What is the Metaserver?
+
+The purpose of so-called "metaserver" is to dynamically redirect users to the most suitable CDN servers containing requested map version based on their geographic location. For example, users in North America are routed to servers in the U.S., ensuring faster map downloads. Additionally, the metaserver enables dynamic server reconfiguration without requiring approval from the App Store or Google Play, which can take weeks.
+
+## How does it work?
+
+The service is implemented as a Cloudflare Worker, which returns a JSON response containing a list of servers based on the GeoIP information of the requester. Essentially, this functionality could be replaced with a few static JSON files a series of rules in an Nginx configuration. The decision to use Cloudflare Workers seems controversial at this point. It was likely an unfortunate choice that should be revisited in the near future to prevent vendor lock-in and ensure the project remains independent of large tech corporations.
+
+## Why Was It Closed?
+
+The original author of this component justified the decision to close it due to concerns about unauthorized forks. Indeed, we observed at least two forks that misused the content delivery network, funded by donations, for their private gain. However, it appears that the closed-source nature of the component did little to prevent this issue.
+
+## Why Open Now?
+
+The component was contributed by Alexandr Borsuk (a.k.a. Alexander Zolotorev) back in 2021 under the MIT license, although the repository itself was not publicly accessible. Throughout November 2024, the issue of closed-source code was discussed several times in the Telegram chats with key contributors. 
+
+On November 23, Mr. Borsuk quietly made a change, removing the MIT license while keeping his copyright. The change with the flagrant comment "No MIT yet, sorry." was discovered by me only today. A few non-significant commits were made on top of it. 
+
+
+**This subtle, almost unnoticed modification effectively privatized the open-source repository by this individual, preventing any further open-source collaboration. Furthermore, the next change of enabling the logs, clearly violates our commitment to privacy.** To my knowledge, this decision was not discussed with any other contributors, including those who had previously contributed to the repository.
+
+```
+commit 30e9911d4c8329068aca82fd6c0d896380ba99de
+Author: Alexander Borsuk <170263+biodranik@users.noreply.github.com>
+Date:   Sat Nov 23 21:33:36 2024 +0100
+
+    Update LICENSE
+
+    No MIT yet, sorry.
+
+    Signed-off-by: Alexander Borsuk <170263+biodranik@users.noreply.github.com>
+```
+
+<img width="1433" alt="image" src="https://github.com/user-attachments/assets/06bb1e8a-d096-4776-b960-ffe51292f2fe">
+
+<img width="758" alt="image" src="https://github.com/user-attachments/assets/897611d9-2a93-4257-af1e-c0d77de8a42b">
+
+link: https://github.com/organicmaps/meta/commit/30e9911d4c8329068aca82fd6c0d896380ba99de
+
+The commit following the license change enabled logging in Cloudflare...
+
+```
+commit a6ff0eb05abfc891e6a3a32faa3cd307a40c6121
+Author: Alexander Borsuk <170263+biodranik@users.noreply.github.com>
+Date:   Sun Nov 24 21:28:02 2024 +0100
+
+    Observe server abusers when needed
+
+    Signed-off-by: Alexander Borsuk <170263+biodranik@users.noreply.github.com>
+
+diff --git a/wrangler.toml b/wrangler.toml
+index bfcdcf6..bad7b47 100644
+--- a/wrangler.toml
++++ b/wrangler.toml
+@@ -23,3 +23,6 @@ route = 'meta.omaps.app/*'
+
+ [env.prod.vars]
+ DEBUG = false
++
++[observability.logs]
++enabled = true
+```
+
+<img width="1440" alt="image" src="https://github.com/user-attachments/assets/35cde1e0-0890-4b25-9033-59ff9222b50e">
+
+link: https://github.com/organicmaps/meta/commit/a6ff0eb05abfc891e6a3a32faa3cd307a40c6121
+
+## Actions Taken
+
+1. I am making the code from before November 23, 2024, publicly available again under MIT.  As one of the authors who contributed to the code while it was under the MIT license, I have the full right to take this action. Proprietary changes after "No MIT yet, sorry" and "Observe server abusers when needed" has been removed or reverted.
+3. The copyright notice has been updated to include "Copyright 2024 Organic Maps Contributors" to accurately reflect the current situation.
+4. Contributors and the community are invited to perform a thorough and independent review to verify that the code functions as expected without introducing any undocumented functionality. 
+5. This post issues an open call to replace the proprietary Cloudflare technology with an open-source alternative, though this may take some time.
+6.. Log collection has been disabled, as it was previously.
+
+--------------
+
+I, personally, apologize to the community for this matter. All necessary measures have been taken to resolve this issue. Organic Maps remains fully committed to privacy, transparency, and open-source values, which is why we are openly disclosing this issue.
+
+Regards,
+  Roman.
+
diff --git a/wrangler.toml b/wrangler.toml
@@ -23,3 +23,6 @@ route = 'meta.omaps.app/*'
 
 [env.prod.vars]
 DEBUG = false
+
+[observability.logs]
+enabled = false