oss-sec mailing list archives
Re: Open Source only?
From: Joe MacDonald <Joe_MacDonald () mentor com>
Date: Wed, 3 Sep 2014 10:43:13 -0400
[Re: [oss-security] Open Source only?] On 14.08.27 (Wed 17:52) Kurt Seifried wrote:
On 27/08/14 05:04 PM, Solar Designer wrote:Hi, I've just rejected a posting giving the following reason: Message lacks Subject, and the software appears to be non Open Source: partial(?) source code is available, but under a EULA that doesn't appear to meet OSI definition. The message was CC'ed to full-disclosure, so it will probably appear there. While message lacking Subject is a technicality, which the sender may address (and resend the message), the issue of software that comes with source code, but isn't under an Open Source license is one we might want to decide on, if we haven't already (I think we have, which is why I mentioned it as one of two reasons to reject that posting). Also, it may at times be tricky (and unreliable and time-consuming) for list moderators to determine whether a license is Open Source or not, as well as whether the software is possibly dual-licensed. Should we perhaps err on the side of approving postings whenever in doubt?Simple: If we go with Open Source only then "is the code available under an approved license"? http://opensource.org/licenses
It's been my experience working with Open Source projects that as others have said, there are a lot of licenses that don't quite match an OSI or FSF approved license but are very close and would reasonably warrant the software being discussed here. But the "or something close" is kind of the current state of affairs which puts the onus on the moderators, which isn't ideal. I'd be inclined to suggest that the moderators use their own judgement without worrying too much about list look-ups and feel free to err on the side of letting through too much rather than too little and members are free to ask a topic be taken off-list, citing either the above (or SPDX or the FSF list, if they like, though honestly I think the FSF goes a bit far in their definition of non-free, I think PERL is perfectly fair game for this list) as the reason why it isn't relevant. Or, of course, as below. Because you're perfectly correct, lots of closed-source vendors either don't care or don't want their errors discussed openly. Either has no place here, Full Disclosure is a perfectly fine venue for that. Just my thoughts. -J.
Obviously if there needs to be an exception (e.g. a closed source/poorly licensed source interacts significantly with something Open Source it might be worth discussing). The other aspect of this: in my experience the majority of closed source vendors just don't care about security. So discussing it, especially without their input/even being aware of it is quite pointless.Alexander
-- -Joe MacDonald. :wq
Attachment:
signature.asc
Description: Digital signature
Current thread:
- Open Source only? Solar Designer (Aug 27)
- Re: Open Source only? Kurt Seifried (Aug 27)
- Re: Open Source only? Hanno Böck (Aug 27)
- Re: Open Source only? Joe MacDonald (Sep 03)
- Re: Open Source only? Tim (Aug 27)
- Re: Open Source only? Tomas Hoger (Sep 03)
- Re: Open Source only? Kurt Seifried (Aug 27)