ADTI Whitepaper Released
"Another security concern is that the primary distribution channel for GPL open source is the Internet. As opposed to proprietary vendors, open source is freely downloaded. However, software in the public domain could contain a critical problem, a backdoor or worse, a dangerous virus."
Reverse engineering "harbors very close to IP infringement because and has staggering economic implications." [sic]
"On a lighter note, while many open source enthusiasts are proponents for copyleft, they insist on trademark protection for their ideas."
"If a software application representing 5000 hours uses GPL code that reflects only 100 hours, is the GPL fair in its argument that the entire product is GPL? This point is of considerable concern to software companies that value their secrets, design and architecture strategies. Proponents of the GPL argue that each party in the exchange is benefiting equally, but without a means to properly make this evaluation, this position at best is over-assuming."
"The federal government's information systems requirements intersect countless sensitive operations. The limitless potential for holes and back doors in an open source product would require unyielding scrutiny by staff that decided to use it. For example, if the Federal Aviation Agency were to develop an application (derived from open source) which controlled 747 flight patterns, a number of issues easily become national security questions such as: Would it be prudent for the FAA to use software that thousands of unknown programmers have intimate knowledge of for something this critical? Could the FAA take the chance that these unknown programmers have not shared the source code accidentally with the wrong parties? Would the FAA's decision to use software in the public domain invite computer 'hackers' more readily than proprietary products?"
Wow, these guys have figured out the PERFECT career:
they get paid to troll!
Man, I gotta hook myself up with a gig like this...
The Free desktop that Just Works
and will send it to anyone who asks. rayp@unixnotwindowsnetworking.net.
Cypherpunks: Civil Liberty Through Complex Mathematics. Those who live by the sword die by the arrow.
here is my mirror of the "old" report, safely out of the reach of the DMCIA...
A valid concern.
But is it more or less risky in comparison to using closed source software?
I can't be the only one saddened to see the name of Alexis de Tocqueville besmirched by being associated with a think tank for hire.
His insights into America of the early 19th century were profound.
Meanwhile, the points of this paper, besides being wide of the mark in assessing the truth, are not even particularly original - other fear mongers have trotted out the same vague bogeymen prior to the publication of this report. And those objections to open source have no more basis in fact now than they did when they were originally brought out.
"Provided by the management for your protection."
While I don't agree with the position, I can understand the argument that ANY Open Source program is risky security-wise because all those "evil hackers" have access to the source, etc.
;)
This trol^H^H^H^Harticle is special because it seems to think that Open Source is ok for security, but the GPL specifically is not. How exactly the GPL is any better for SECURITY than the BSD license, etc, is the question. (Hint: there is no fucking difference.)
The Free desktop that Just Works
I'm always amazed at the flat-out bullshit that gets published as "research". I guess I shouldn't be, since it all sounds good to someone who doesn't know anything about anything.
Where are the "think tanks" that actually have people who can think critically?
"If a software application representing 5000 hours uses GPL code that reflects only 100 hours, is the GPL fair in its argument that the entire product is GPL? This point is of considerable concern to software companies that value their secrets, design and architecture strategies. Proponents of the GPL argue that each party in the exchange is benefiting equally, but without a means to properly make this evaluation, this position at best is over-assuming."
If you don't want your app to be GPL, and you've already spent 5000 hours coding it, might as well spend another 100 writing that piece instead of cutting and pasting.
Goodness, this thing is full of grammatical errors. (Grammar may be optional here, but these people are lobbying the Feds). Any of my teachers in High School would have sent this paper back if it had been submitted to them:
"harbors very close to IP infringement"
"are proponents for copyleft"
"code that reflects only 100 hours"
"knowledge of for something this critical"
Blech...
"Well it's not Victory - but then it's not Death either."
It is true that open source applications, being openly available on the internet and distributed in the same manner, are susceptible to backdooring and trojaning. Just look at IRSSI or FragRoute.
This risk factor is somewhat mitigated in commercial software, where the distribution is typically through CDs and other trusted media. Of course, someone can still somehow compromise a software developer's network, but it isn't exactly hanging out a sign saying "I'm the source code, hack me!" like the open source projects.
Just imagine, for a minute, how devastating it would be if Sourceforge was hacked and malicious code was inserted into a ton of the projects without anyone noticing for long enough that it could cause real damage? The danger is clear.
"I don't know that atheists should be considered citizens, nor should they be considered patriots." - George Bush
Yeah, there's nothing like the good ol' security through obscurity. Thank God no one knows how the software controlling 747 flights works, so now I can fly safely.
In short: every erotomaniac
Has his own little house in literature.
They attempt to draw a dividing line in a community. They do this by trying to stress "differences". They list these differences with the claim that it makes software more secure, BAH!
They also ignore the aspect of the GPL that says you can keep your secret changes if you don't distribute the software outside of your organization. Where is the security leak now?
The difference between "GNU FREE" and "BSD FREE" is that the people in BSD are willing to sacrifice themselves (no reward), whereas the GNU people are willing to take up arms (we reward you, but you must reward us in return, if you use our stuff).
The community is more alike than it is different. Don't let these types of papers and publicity screw that up.
Sauce for the goose is sauce for the gander; anyone can put a backdoor into an OSS program, but anyone can also see it. With closed source, you're trusting that the vendor won't put one in. Of course, now you're assuming that (1) the vendor has no malicious intent and (2) that they keep their code completely safe. Of course, that could never happen...
There is a big distinction between the GPL and the BSD-style licenses. The GPL is all about making sure that people who use GPL licensed code release their new code under the GPL too. The intention is to create more GPLed code. The BSD license is about propagating quality code. The idea is that if you think your code is a good implementation of something, you release it under the BSD, which allows anyone to use it in their own applications without being restricted in how they license their own code at all. A BSD coder doesn't care what use their code is put to or who profits from it, they just want it to be used. That's a pretty big difference :-)
One day, a group of daring young renegades discovered that there were other ways to get air, just by moving some rocks that blocked openings to the outside. And they offered their air free. At first people were hesitant to use Free Air, thinking something must be wrong with it since it was free. Initially Microshaft ignored the renegades, dismissing them as a fringe movement and minor nuisance. But eventually Microshaft saw them as a threat. They started a major marketing campaign to convince people that the Free Air was bad for their health. But people found that they actually felt better and healthier breathing the free, fresh air. Microshaft added more and more features to their air, perfuming it and coloring it with smoke to give it "added value". Many people started to dislike Microshaft's heavy, bloated air that was hard to breathe and began flocking in droves to the sources of Free Air.
About this time, after some years of hard volunteer work, Open Air developers finally increased the size of a Free Air portal so that a person could actually squeeze through to the outside. The first brave individuals who ventured through it discovered that not only was there an unlimited supply of air in the outside world, there was no way you could harness and control its supply.
Alarmed, Microshaft sought to have the government declare Free Air illegal since it threatened their business model, which they had developed and rightfully earned through many years of hard work. They called the use of Free Air "theft" and claimed that the "viral" nature of the Public Breathing License advocated by many Open Air rebels would threaten the livelihood of Microshaft's suppliers and distributors. Indeed, the whole economy of the cave would collapse, they said. Laws were quickly passed and the portals of Free Air were sealed off.
A charitable organization called the Business Air Alliance was formed to help protect businesses against the threat of Free Air portals. By proving that it was theoretically possible to fund terrorist organizations with the money saved by breathing Free Air, the BAA successfully lobbied to strengthen the laws so that any attempt to make an opening to the outside became punishable by death. Possession of shovels and picks became a criminal offense, and the BAA performed random audits to help citizens comply with the law. For their protection, everyone was required to wear an Air Rights Management security device, which would send an alarm to the authorities if it didn't detect a secret mix of fumes found only in Microshaft air.
As time passed, Microshaft and the government became indistinguishable. To prevent future uprisings, a new feature was added to the air to keep the people sedated happily ever after.
by its programmer, hiding the underlying code from its user. Software can only be modified in its "unlocked" state when source code is viewable.
This is the assumption that is the flaw in the entire argument. While having the source code makes it easier in some ways to find exploits, it of course makes it easier to find them earlier and fix them. Whereas in a closed source implementation it's more likely that there are unidentified flaws in the software because there are fewer eyes willing to parse through assembly listings. But if a 'terrorist' is dedicated enough to do that, they're more likely to find such flaws.
The GPL is one of the most uniquely restrictive product agreements in the technology industry.
Interesting. I never thought of it that way when I can use a program for whatever purpose I want, make modifications to that program, and distribute either the original or my modified version of that program. Maybe I'm just weird like that...
By the early 90's, open source enthusiasts began to view Stallman as an extremist and fanatic. The rise in the popularity of Linus Torvalds and the Linux open source operating system began to create new supporters. Ironically, Linux supporters became the biggest proponents of the GPL. Although Stallman is a fallen hero in the open source world, most open source products today are distributed under the GPL license.
While I'm not the biggest RMS fan, uhh, I can't just let that statement go. For once, I agree that not calling it GNU/Linux really misleads readers in this case. Without the GNU tools, Linux wouldn't have a leg to stand on. It's tough to dismiss RMS's importance here (but the author manages somehow..)
The article goes on (and on and on), but I think it's fair to say that this is a fairly one-sided view of the GPL that looks like it was written by MS and Kenneth Brown just signed his name to it. Nothing here, just the usual FUD.
Many of the headlines are quite revealing about their intentions. Many are about the importance of MCSE:
- Inc. 500 Shops Value Certification Most (MCSE vs college degrees)
- Familiarity Breeds Respect
- Technology Trends: Program Provides Information For New Age
- The Impact of Technology Training Programs Case Study: MCSE Training
And then there are numerous anti-trust criticism articles: "Recruiters tend to hire MCSEs just as often, if not more so, than those with a four-year college degree."
"Eighty-seven percent of human resource managers surveyed believed that MCSE's are equally or more successful than college students."
- Break up Microsoft? Rest of world pooh-poohs the notion
- Press Release: Japan, Switzerland, and the EU do NOT insist on breakup of Microsoft, unlike the U.S.
- Fine Microsoft, use funds for new competition (anti-breakup)
- Fine Microsoft and use funds to catalize new competition (anti-breakup)
- Break-up Remedy for Microsoft Not Supported by Key Democrats
- Technology and The Congressional Black Caucus (Microsoft anti-trust)
- Breaking Windows Over Antitrust Dogma
- Pause the Microsoft Case and Examine U.S. Anti-trust Policy
- Punishing Winners Hurts the Marketplace
- Suit Threatens U.S. Computer Dominance
- Taking a Byte Out of Microsoft
Etc. Also lots of articles about the precious intellectual property rights, although not specifically in relation to Microsoft. Make your own conclusions freely.
What I'd like explained to me is how the GPL could be considered somehow worse than other open source licenses for the purposes of national security. The apparent concern in using GPL software is that the source code is out there and available for hackers to look at. Even if you accept the logic that having that source code publicly available is more dangerous, I don't see how that would be different with a BSD style license.
I could, as a proprietary vendor, take a BSD style license product, and close it up and sell it to the government. At that point though, until I start adding modifications, there is no reduction in the risk of some outside source finding a bug in the code. Once I do make modifications, there's the risk of complacency. Perhaps the government doesn't realize that the code I sold them is based on a buggy open source implementation and is thus vulnerable to a potential security breach.
This just reeks of having been written by Microsoft's PR department.
Oh, and one more comment. The notion that the GPL is somehow one of the most restrictive licenses is complete hogwash. Does Microsoft let you incorporate the Windows source code into your product under ANY circumstances? Hell they don't even let you see the source code in the first place (and thank god since it's apparently riddled with big security holes). So how is that MORE restrictive?
MMMMMM a big steaming pile of FUD!
This sig has been temporarily disconnected or is no longer in service
For example, if the Federal Aviation Agency were to develop an application (derived from open source) which controlled 747 flight patterns, a number of issues easily become national security questions...
FAA controlling the flight patterns of any aircraft is absolute nonsense! First, every pilot in the system would block it before it ever got past the talking stage, second it is just ignorant.
Maybe software to control the traffic flow? Sorry, that deflates this FUD too, since it would not apply to just one airframe and the author assumes that the people operating the aircraft are just going to let that happen too.
Maybe if he said some more nonsense about FAA requiring all 747s to have this software? Nope, that is the NTSB and the manufacturers, the latter would be marching on the Congress like you never seen before!
Humm, here is a more believable thing to scare people with: "what if all automated traffic light systems had to run Open Source, could you imagine the national security issue of flashing red lights all over the heartland"?
Eve Fairbanks says I drive a hybrid! LOL
This paper was prepared as part of The MITRE Corporation's FY00 Mission-Oriented Investigation and Experimentation (MOIE) research project "Open Source Software in Military Systems." This paper analyzes the business case of open source software. It is intended to help Program Managers evaluate whether open source software and development methodologies are applicable to their technology programs. In the Executive Summary, the paper explains open source, describes its significance, compares open source to traditional commercial off-the-shelf (COTS) products, presents the military business case, shows the applicability of Linux to the military business case, analyzes the use of Linux, discusses anomalies, and provides considerations for military Program Managers. The paper also provides a history of Unix and Linux, presents a business case model, and analyzes the commercial business case of Linux.
Here
The issue of whether source code is as-the-author-intended is an old one, and is very well catered for by signing the .bz2 or .gz archive with the author's GPG/PGP key.
.rpm's that are downloaded can be optionally (by default they are) checked against the GPG key - this prevents anyone from inserting their own version of /bin/login into the system... I'm assuming the machines doing the signing aren't the machines doing the delivery, but that would be an elementary mistake to make on Redhat's part...
If you subscribe to Redhat Network, all the
In short - this is not an issue.
Simon
Physicists get Hadrons!
Remember the difference between the BSD-style and GPL-style freedoms are very important to MS. MS says BSD-licensed open code is good. Since MS can use it without contributing back, this is the kind of "free" that MS likes.
MS also says GPL-licensed open code is bad. Since MS can't use it without contributing back, it can only be used by MS's free-software competitors, thus MS strongly dislikes this kind of "free".
Now back to this study. Can anyone find the basic message surprising? "BSD code is benign, GPL is threatening". Microsoft-funded study, Microsoft-approved results.
As a side note, if MS didn't make this distinction and got everyone upset about using *any* free/open code, everyone would *also* have to stop using MS software. Remember, significant portions of their OS are built upon BSD-licensed code.
I have a hard time taking anyone seriously who could write that.
Trademarks protect product labeling. Patents protect ideas.
Unlike patents and copyrights, trademarks are there to protect consumers. If I go to the store and want to buy Kraft mac and cheese, I don't want to have someone labeling some other brand as Kraft. If it says RedHat, it should be from RedHat.
The idea behind open source and trademarks is to help the end user. I don't see how they are incompatible.
'SBEMAIL!' is better than a goat!!
"Another security concern is that the primary distribution channel for GPL open source is the Internet. As opposed to proprietary vendors, open source is freely downloaded. However, software in the public domain could contain a critical problem, a backdoor or worse, a dangerous virus."
While what you say is technically true, at least with open source, hackers (as in the jargon file definition) have a chance to go over the source and fix any back doors implemented. If you only receive binary files, who's to say that the company themselves hasn't inserted a backdoor or left a myriad of security holes unfixed. The above quote is a bad way of looking at it, because the exact same argument can be applied to closed source.
And how is this more dangerous than a proprietary vendor discovering a flaw in their product, keeping quiet and not fixing it because it costs too much money?
UNIX/Linux Consulting
> This risk factor is somewhat mitigated in commercial software, where the distribution is typically through CDs and other trusted media. Of course, someone can still somehow compromise a software developer's network, but it isn't exactly hanging out a sign saying "I'm the source code, hack me!" like the open source projects.
And then there's the pirates' CDs that consumers buy thinking they are getting the real thing. What's to stop a pirate from turning evil (heh) and burning a trojanized bootleg rather than a straight copy?
Who's to say they haven't already done that...?
> Just imagine, for a minute, how devastating it would be if Sourceforge was hacked and malicious code was inserted into a ton of the projects without anyone noticing for long enough that it could cause real damage? The danger is clear.
There was a notorious case a couple of years ago where someone put a hax0red version of a popular OSS product on a popular FTP site. It was caught in about 4 hours, and the site admins used their FTP logs to identify and notify everyone who had downloaded it during that period.
Sheesh, evil *and* a jerk. -- Jade
I'm missing the joke, here. Copyright and Copyleft rights aren't the same thing as trademarks at all, and it's perfectly acceptable to enforce your rights under one but not the other. Or neither, or both, as is your wont.
Whatever irony the author tried to find in this alleged stance by "many open source enthusiasts" is lost on me.
Study is just a hack piece I am afraid.
Even Allchin (under oath no less) testified that the GPL was one of the reasons that Microsoft did not include a SUN compliant JVM with XP.
What GPL has to do with a JVM from SUN is beyond me. But, that is the lie that Allchin put out to fool the court. And, the GPL was not even an issue in the trial.
I think Microsoft is just spending any money it can on bad mouthing the ideas it does not like. It does not matter if it is true or even relevant.
Besides, some bureaucrats only need a fake excuse anyway.
This fake study is just like the one a few weeks back bad mouthing linux on mainframes. It does not make any sense except the Microsoft salesman will be sure to refer to it during their sales pitches. After all, customers are assumed to be pretty stupid by Microsoft.
NexuSys - Linux support by the best
The FAA has incredibly strict requirements for software critical to keeping a plane in the air. Open Source or not, every single line must be proven to do exactly what it needs to, and the entire system must be deterministic (meet real-time requirements, such as knowing the maximum latency for interrupt processing). The FAA itself should be giving these jokers an earful - this is pure FUD.
It's true that hackers could find exploits if they had the source -- but is that any worse than just having the exploits freely available, as is the case with (e.g.) Internet Explorer?
If the government really has a problem with open source, they can go ahead and contract to reimplement things from scratch. But for non-classified applications (such as serving documents available under the Freedom of Information Act), I see nothing wrong with open source solutions, especially if it can save the taxpayer some money! www.doe.gov, incidentally, is running Apache.
"The federal government's information systems requirements intersect countless sensitive operations."
If the federal government has done nothing wrong then I'm sure it has nothing to hide.
Of course any normal person would be utterly humiliated to have their name associated with this piece of nonsense. Perhaps that's why it has been pulled? I'd be interested if Microsoft really did pay for it. If so, I think they should feel a little cheated. The standard of FUD required in 2002 is far higher than this. Even the mainstream press are going to tear this crap to pieces.
Reality is defined by the maddest person in the room
I love the quote on backdoors and viruses. Windows systems don't have their source code publicly available, and yet that doesn't seem to stop the creation of backdoor programs and viruses.
I like how they insinuate that people would just download some code from the Internet, and then immediately put that into a production air traffic control system. Talk about a straw man argument.
Someone needs to explain to this think-tank (or senseless-opinion-tank) that people can do these things called code reviews. Ya see, if I download a new version of this mail client (for example), I can look at the differences between the current source and the last version I checked. Not only could I spot back doors, but I'd likely find some bugs too.
These guys that develop safety-critical systems (like air traffic control) are real sticklers for inspections, documentation, etc. I bet most of them would be glad for more independent reviews of the code they depend on, rather than just hoping Windows doesn't have bugs in it.
As for me, my requirements aren't as critical. When I downloaded OpenOffice from some mirror in Timbuktu, all I did was check the MD5 sum. The five seconds that took assured me that at least no third-party inserted viruses or back doors in the program.
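The archive verification Simon's post describes (a checksum or signature published by the author, checked against the download) and the MD5 check above, as an added example that is not part of the thread: a small Python checker for md5sum/sha256sum-style manifests. The archive bytes and the manifest are constructed here; in practice the manifest has to reach you by a path the mirror cannot alter (the author's signed announcement, a distribution's keyring), which this code assumes rather than verifies.

```python
"""Verify a downloaded release archive against a checksum manifest.

Constructed example: the "archive" is a byte string standing in for a
.tar.gz, and the manifest is built here the way a project's MD5SUMS /
SHA256SUMS file would be. Obtaining the manifest over a trusted channel
(e.g. a GPG-signed release mail) is assumed and not checked here.
"""
import hashlib
import hmac

# Line formats written by md5sum / sha256sum:
#   <hexdigest>  <filename>      (text mode: two spaces)
#   <hexdigest> *<filename>      (binary mode: space + asterisk)


def parse_manifest(text):
    """Return {filename: hexdigest} from md5sum/sha256sum-style output."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")  # drop the second space or the binary marker
        if not name or not digest:
            raise ValueError("malformed manifest line: %r" % raw)
        entries[name] = digest.lower()
    return entries


def verify_archive(archive_bytes, manifest_text, filename, algo="sha256"):
    """Return True if archive_bytes matches the manifest entry for filename.

    Returns False on a digest mismatch (tampered or corrupt download) and
    raises KeyError when the manifest has no entry for filename, so an
    unlisted file is never silently treated as verified.
    """
    expected = parse_manifest(manifest_text)[filename]
    actual = hashlib.new(algo, archive_bytes).hexdigest()
    # Constant-time comparison: not needed for a public digest, but a
    # harmless habit that carries over to comparing secret values.
    return hmac.compare_digest(actual, expected)


# Constructed sample: what the author published...
RELEASE_NAME = "mailclient-1.2.tar.gz"
GENUINE = b"fake tarball bytes: #!/bin/sh\necho hello\n"
MANIFEST = "%s  %s\n" % (hashlib.sha256(GENUINE).hexdigest(), RELEASE_NAME)
# ...and what a tampered mirror could serve instead (one byte changed).
TAMPERED = GENUINE.replace(b"hello", b"hellO")

if __name__ == "__main__":
    print("genuine :", verify_archive(GENUINE, MANIFEST, RELEASE_NAME))
    print("tampered:", verify_archive(TAMPERED, MANIFEST, RELEASE_NAME))
```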
Just in case everybody ./'s everyone else's mirror...
http://balloons.space.edu/old_opensource_whitepaper.pdf
Yes, but the reason they give is completely bogus. They assert that a programmer could hide some piece of malicious code in the program that "could contain a critical problem, a backdoor or worse, a dangerous virus."
Uh, isn't that the problem with CLOSED source? With a closed source project, you really don't know what sort of things the programmer has hidden in there. At least with open source, you can LOOK AT THE CODE and check!
-S
--- What parts of "shall make no law", "shall not be infringed", and "shall not be violated" don't you understand?
They play it as if it is, but by saying open-source good, GPL bad, they are clearly desperately attempting to keep the sea full of fish for MS when it needs a chunk of [stable and useful] code here and there for their projects. They hate the GPL 'cause there's no way they'll GPL the whole damn OS .. so this attack is specifically targeted at the GPL, with purely financial intentions in mind. The security angle is clearly just a way of getting people to read it, and to associate GPL with 'problems'. I'd imagine most decision-makers won't have to remember what those 'problems' are (much less understand them), but so long as they walk away going, 'open source good' (so MS can borrow at will, remember how much they like BSD license), 'GPL bad', they've done their job.
.. fortunately for them, in this day and age of specialization and legal and technological complexity, that's 99.9999% of the population on any particular issue.
.. "well, open source is fine, so long as we can keep the parts actually keeping the system secure obscured behind closed source?"
Ironic, huh? MS has the power and might to take and use, and they don't perceive having to apply the same standards as their code-base contributors (i.e., the borrowed code) to their own product. It's flat out hypocrisy to anyone with half a clue.
Fuck 'em and their shareholders.
I assume by decrying the GPL for security, their lame argument is
So then why is open-source good? Seems to me that security is 80% of the benefit of open source. I guess MS's story is, 100% of the benefit of open source is 'borrowing' code, and 0% is security. Not surprising, but still infuriating.
"Old man yells at systemd"
It doesn't even have to be malicious. A while ago, the original author of cfingerd was heavily criticized for making a finger daemon that insisted on running as root. His response to such criticism was to simply abandon the project.
When holes were inevitably found in cfingerd, there was no one maintaining the project and thus no easy way to get it fixed short of someone actually adopting the project. In the absence of a caretaker, the last buggy version continued to live on in open source mirrors for quite a while.
From what I understand, the project was eventually continued and cleaned up, but the interim had a dead, unsafe piece of code sitting right next to its safer/more maintained brethren. At least with commercial code, the EOL'd stuff is usually explicitly EOL'd. On the other hand, in a non-source provided context, you're still beholden to the vendor for patches. But I believe in this case, the group is advocating commercial code that comes with the source.
Check out Thomas Greene's article at the Register, a great critique.
The open source debate is about keeping secrets. Completed (written) software is often locked by its programmer, hiding the underlying code from its user.
Not so sure about this... I think we've all met programmers whose binaries were more readable than their source.
;)
Just where would you be if you slipped in 100 hours of Microsoft proprietary code you got your hands on?
What would that do to your 5000 hour product?
The GPL is less disruptive than borrowing other code that comes with limitations.
Besides, if you use code from other sources you certainly should know the impact of doing so. The GPL is not different in that regard.
I guess Microsoft thinks that proprietary code should be outlawed because if it should mistakenly get its way into an application, you could be sued, right?
NexuSys - Linux support by the best
I wonder if there's any "argument" in this ADTI diatribe Villanueva hasn't answered already in the letter you mention. If there is, I can't wait for Our Man In The Andes' response.
NIH syndrome is more prevalent than people blatantly ripping off open source code or committing 'acts of IP theft'. I think more so than people give it credit for.
Even Mandrake rewrote their installer to "differentiate" from Red Hat. Red Hat doesn't include fontdrake, or any of their competitor GPL tools. It seems a lot more like a bazaar of cathedrals to use the analogy.
If I write the ultimate Linux app, what are the chances that someone is going to 'steal my IP', or even if it is GPL, contribute back? Look at the ton of duplicate GPL programs.
If I were a programmer I think I'd GPL my software so people can look at the code and contribute patches - chances are some other OSS programmer is going to not like the language it was written in, which widget set I used, or whatever, and just rewrite it to suit their needs.
I have no numbers to back this up, just seems that most programmers and/or companies prefer to write their own software, regardless of reusable code or license.
Wish I had kept my old sig...
"Don't like the 'viral' nature of the GPL? Try this: WRITE YOUR OWN CODE"
If a business doesn't want to give away their code, they shouldn't weave in GPL source to begin with. If they do so, it's their OWN damn fault, not the GPL's.
Secondly, I still fail to see how this has anything to do with security. Open source is open source - whether released BSD/MIT style or GPL, it's STILL "open to hackers", which I thought was the point of the whole "risk" of Open Source security in the first place.
The Free desktop that Just Works
If we blindly take the assumptions of this article then only some DoD funded Unix should be used for Mission/Life critical systems.
The appendix listing open source licenses is missing one obvious license: the Microsoft Shared Source License (SSL) (www.microsoft.com/licensing/sharedsource/default.asp) under which you can download stuff like the Java killer (aka .NET) open source project.
Wondering if this is not considered an Open Source license enough after all, even with all the fuss that Microsoft made about it...
Microsoft is just playing the game they want here, one day supporting Open source, the other day, bitching about it. Make up your mind, MSFT!
PPA, the girl next door.
-- I feel better now. Thanks for asking.
The solution then is to not include any GPL code in your security-critical application, not to denigrate the GPL. Look, if they went with a closed source OS and wanted to write the same application in-house and didn't want to include any GPL'd code this wouldn't even get airtime. They'd just write the stinkin' code - ALL of it (or they'd steal some good GPL'd stuff and just not tell anybody - no, nobody'd do that). What's the difference? If I don't want to share my 50bajillion lines of IP then I can probably figure out a non-GPL'd alternative to those 100 lines of code that I'm missing - including nabbing some BSD nuggets. Just because part of my solution is open source doesn't mean it all has to be.
--
As a matter of fact, I am a lawyer. But I play an actor on TV.
since you have to publish any changes you might make to the original software.
That is incorrect. You are allowed to take a GPL'ed program, modify it to your hearts' content, and never release a single line of source code to anyone. Only if you then *distribute* the code to anyone else do you have to offer up the code. You have the right to not share. But, if you do share, you have to share completley.
--You will rephrase your request for me to go to hell. Goto statements are not acceptable programming constructs
The GPL is one of the most uniquely restrictive product agreements in the technology industry.
And, Yes, they have clicked ok to proprietary licenses much more restrictive than the GPL. These lines appear within their PDF file:
This simple fact can be easily verified with a command such as "strings old_opensource_whitepaper.pdf | grep ^/"
PJRC: Electronic Projects, 8051 Microcontroller Tools
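The check the post above describes (pulling the PDF's Info dictionary out of the file to see which toolchain produced it) as an added example, not code from the original thread. The sample PDF bytes are constructed here for illustration, and the Producer/Creator values in it are assumptions, not the whitepaper's actual metadata:

```python
import re
import sys

# Constructed sample: a minimal PDF-like byte string with an Info dictionary.
# The tool names below are illustrative assumptions, not the real file's contents.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Producer (Acrobat Distiller 5.0 (Windows)) "
    b"/Creator (Microsoft Word 9.0) /Author (anonymous) >>\nendobj\n"
    b"2 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
)

# Info-dictionary keys that reveal the producing toolchain.
INFO_KEYS = (b"Producer", b"Creator", b"Author", b"Title")


def pdf_info_fields(data: bytes) -> dict:
    """Return the Info dictionary entries found as PDF literal strings.

    Equivalent in spirit to `strings file.pdf | grep ^/`, but it only keeps the
    keys listed in INFO_KEYS and handles literal strings whose value contains
    balanced parentheses, e.g. "(Acrobat Distiller 5.0 (Windows))".
    """
    found = {}
    for key in INFO_KEYS:
        m = re.search(rb"/" + key + rb"\s*\(", data)
        if not m:
            continue
        # Walk forward to the matching ')' honouring nesting and backslash escapes.
        depth, i, start = 1, m.end(), m.end()
        while i < len(data) and depth:
            c = data[i:i + 1]
            if c == b"\\":
                i += 2          # skip the escaped character
                continue
            if c == b"(":
                depth += 1
            elif c == b")":
                depth -= 1
            i += 1
        found[key.decode()] = data[start:i - 1].decode("latin-1")
    return found


if __name__ == "__main__":
    # Usage: python pdfinfo.py some_file.pdf   (falls back to the constructed sample)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PDF
    for k, v in pdf_info_fields(blob).items():
        print(f"/{k}: {v}")
```

Note that this only sees uncompressed Info dictionaries; a PDF that stores its metadata inside a compressed object stream needs a real PDF parser, which is also why `strings | grep` sometimes comes up empty.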
How many people have intimate knowledge of the internal code is irrelevant. What is relevant is how many experts have examined the code to be sure that it is correct. Before code is used for something like flight control I would expect experts to examine it closely to be sure it worked right. (actually not, game programmers with an AI can probably do a better job just rewarding their system for smooth flights even in turbulent weather, but that is a different debate)
100 experts paid by the government to assure the code is correct is not as good as 100 paid experts, plus 1000 amateurs doing the same. And the existence of a few amateurs sabotaging their work makes it better because it forces the experts to think things through. (when everything is expected to work you can be lazy with the rubber stamp, when some parts are suspected to be sabotaged you have to look closely)
There is a theory of testing which says you put some number of known bugs in the code without telling the testers. Don't stop testing until they find all the known bugs because that gives you the best chance of stumbling across the unknown bugs. (the counter argument is fixing known bugs can introduce more so it isn't a clear win, but it is still a point to consider)
I guess you are probably not successful if you program open source. What do you suppose he means by successful?
Can I bum a sig?
You're correct about the risk, but the Government has strict standards that systems must adhere to, both when they go into production and when they are in initial development. The Common Criteria site has a listing of protection profiles that basically spell out all the requirements a system must adhere to in order to be considered 'secure.' In the Labeled Security Protection Profile (and likely the others...I'm only familiar with this one) there is a section that basically states that "the developer must use a content management system" and provide all documentation for how it functions, is administered, and how changes to the content are tracked.
In other words if any government group were to use an open source product or start one of their own they are still required to keep their copy of the source tree for the code under rigid, monitored control to ensure what happened to irssi and FragRoute could not happen to their project.
I'm not saying that CVS will be the total solution to this problem, but it's nice to see that they do have measures built-in to mitigate the risks.
--Kylus
Idiot-proof something, and Life will build a better Idiot.
if it doesn't make sense, it's economics.
--
E_NOSIG
> But I believe in this case, the group is advocating commercial code that comes with the source.
.. then it should be closed.'
/. arguments on whether OS is more or less secure than CS, so we don't need to go into that. But really, they like it when companies can borrow source (heaven forbid they have to actually hire as many skilled programmers as it takes to build any given application .. I mean, they have execs and marketers to pay, doncha know!) .. but hate it when they have to give that source back.
.. its just the thought of holding the quality of their software accountable to a community that scares the shit out of them. Anyone following what the multinationals have been doing for the last 20 years in order to divest themselves from ALL possible negative public reaction understands this position. Just like Nike no longer technically employs their sweatshop workers (they're contracted, so the accountability is divested from Nike to their contractors), companies want to be able to take 'tried and true' code, use it, not have to hold their use of the code (and the rest of their code) accountable to the community, and PLUS they get the benefit of passing the buck to the open-source author should problems be found! (Since in a closed source product, nobody can prove it _wasn't_ the open source chunk that caused the problems or introduced the security hole or whatever.)
No, they are advocating that open source is good, because commercial companies can use it to cut costs (and profit on the backs of others' work), but that those companies should not have to repay the community for reasons of security.
It really should read 'borrowable open-source good, except when the source code is mine'.
We all know the usual
I've been watching the commercial world come to the realization that open-source isn't what they should be scared of (MS has borrowed BSD'd code many a time)
It's the usual power mongering, and desire to not be held accountable for any of it.
"Old man yells at systemd"
"If a software application representing 5000 hours uses GPL code that reflects only 100 hours, is the GPL fair in its argument that the entire product is GPL? "
first of all, if the 100 hours is GPLd, then the GPL isn't 'arguing' anything -- the rest *is* GPLd, according to the GPL. using the verb 'argue' here is like saying that my rental agreement 'puts forth the assertion' that i have to pay my landlord every month. it's not appropriate, because there's nothing to argue, no ambiguity. the GPL is very clear here.
second, if GPL'd software is, as the statement is clearly implying, a negligible part of the final product, what's the big deal with spending the other 100 hours to build that part yourself? no one's making you use that 100 hours worth of software.
and imagine how stupid that argument sounds when phrased this way: "i just built a huge program that only makes use of [some copyrighted product] in passing -- why should i have to conform to that company's contract terms in order to use it?" would anyone argue that degree of use is going to make any difference at all here? and if you don't like corporate-bashing, consider this example -- "sure, i stole $100 from you, but i put it towards this car that cost $5000, so why should I owe you anything at all?"
this is a stupid point. if you don't want to use GPLd code, don't, and if you do, understand the terms.
god is just pretend.
"If a software application representing 5000 hours uses GPL code that reflects only 100 hours, is the GPL fair in its argument that the entire product is GPL?
This "argument" really bothers me. What would they say to this: "If a software application representing 5000 hours uses proprietary code reflecting only 100 hours, should the author really be guilty of copyright infringement?"
Last time I checked, no one was forced to use GPL code in their products. I think everyone would agree that the author of a piece of code is well within their rights to dictate the terms under which other people are allowed to use it. People who use the GPL effectively say, "I will share my code with you, however, you must share your code with me if you intend to use my code in your project".
Some people (e.g. those who use the BSD license) don't mind if others use their code without sharing in return. That is their prerogative.
--
There is a big distinction between the GPL and the BSD-style licenses. The GPL is all about making sure that people who use GPL licensed code release their new code under the GPL too.
.gov could pick up a bunch of GPL code, hire some hackers (or use the NSA) to brew their own system and simply make the decision not to share the code. That's nice and legal. They'd simply make distribution a matter of national security.
Except that using GPL code doesn't compel you to "release" anything. It only means that if you elect to share your code with another party, you do so under the terms of the GPL.
The
The only security issue with the GPL is the security of companies who derive revenue from selling proprietary code.
Howard Dean for president
Okay, is it just me or is the difference b/w these pretty much nonexistent? I assume there are other open-source licenses, but they'd all do the same thing anyway.
The advantage of open source is that your customers can continue to maintain and upgrade your code after you go bankrupt.
-a
---
When the man in front of you is shot, pick up his gun and start shooting.
How to rationalize theft.
You only have to give the code to the people who are receiving the software, in this case, the control towers.
Even this may not be necessary. The GPL's definition of distribution could be interpreted in such a way that, since the software is never leaving the FAA, the FAA isn't "distributing" it and would thus not be obligated to release its modifications.
If the FAA decided to sell this or give it away to private entities or foreign governments, it would only then be obligated to release their source code.
This key point seems to be missed pretty frequently by critics of the GPL. If an entity maintains ownership and control of GPL'd software and does not release it, they are not bound to tell anyone about the modifications they've performed. Their code can be just as closed and proprietary as they like.
Following the old Usenet tradition that every spelling and grammar flame must contain at least one spelling or grammar error, you meant "its." There's no apostrophe. See Bob The Angry Flower for details.
This story came out early last week and is just a load of FUD. ADTI has no credibility and is funded by MicroSoft (which Microsoft admitted to).
These are the same guys who claimed that second hand smoke isn't harmful. Their panel of experts contained Scientists and Doctors who had previously been employed by the Tobacco industry.
Article Link
Do a search for ADTI in article.
You can view the article at Phillip Morris Tobaccos archive.
See:
Article Link
Or the PDF at:
PDF Link
Their main points are that GPL is flawed due to requiring anything which uses GPLd code [no matter how little] to be licensed under the GPL; and, that most GPL projects encourage many unverifiable developers to take part in the project, resulting in potential malicious code being inserted without anyone else taking notice.
Please, take a moment and read the GPL. Then come back and ask people questions about it. (I believe there was an Ask Slashdot about it awhile ago...)
Using GPL'd code does not mean you have to automatically release all of your code. First off, the GPL cannot override other more restrictive licenses. If you don't have the right to GPL the code that you've included then you can't release it, you have to remove the GPL'd code instead. Second, the GPL's release/publish conditions are only invoked if you release/publish your code. This is a very important distinction. If you develop something "in house" for your company's use, then you don't have to release the resulting code. If you don't distribute it then you don't have to publish it.
As far as "malicious code" goes, look at all of the "easter eggs" and "bugs" in current "professional" code. How much overall code review do you think goes on when an entire flight simulator gets packed into a spreadsheet application? (You may have noticed how a Service Release deactivated it.)
In the Open Source world, if you doubt some code then you can simply audit it. Good luck if you think there's some backdoor lurking in the latest MS code. (Look at MS's WMP EULA that gives them permission to force downloads on your box in the name of "DRM".)
There's a reason that people use the cover of darkness to perform questionable/malicious acts. Having the source code for full review and scrutiny is the best way to shine a bright light into all corners.
--- I wish I could hear the soundtrack to my life. That way I'd know when to duck.
And that's not their only gaffe. Read the Netscape part:
"Not only did Netscape crush competition with its free browser model, but it also infuriated members of the open source community by aggressively introducing proprietary standards to the public Internet, something they felt no one should own. Conveniently, Netscape turned its enemies to Microsoft and their new browsers, Internet Explorer".
Count the number of bald factual errors, and false insinuations. In just two sentences.
I just said a bunch of random stuff and not all of it is accurate or precise or true or meaningful
Well at least you admit it.
Look, the GPL does not compel you to release, share or even present your source code if you're using a GPL-coded application. It only stipulates that if you share your code (in source or compiled binary form), you must do so under the terms of the GPL.
The government could easily act as a single entity here (an umbrella over all the various agencies, e.g FAA, FBI, etc) and use all the GPL'ed software it wants and be under zero obligation to share with anyone. That is, of course, assuming they develop it in-house. If they want the participation of the worldwide OSS/Libre Software development community, it becomes a bit more tricky. However, they could always have the spooks scramble a few bits and keep the kinks to themselves.
Howard Dean for president
If you have something to say, why not start a petition? Why not write a well-written (as opposed to the one above) article and try to have a newspaper or respected journal publish it? Write your congressman (as I have done) and explain in a well-thought-out manner the points and counter points of why open source software is essential in maintaining the rate of innovation in the computer industry.
I'm not complaining, or trying to be a troll, but even if you copied and pasted some of these very good comments that appear here into an e-mail to some of the powers that be, it would do far more good, and would probably make you feel much better about your day as well.
Just my $0.02.
today is spelling optional day.
Yes, Microsoft's security sucks, and every one knows there are open security holes, and it takes ages for them to be patched... But Microsoft's OSes do have one advantage over all the current open source OSes -- Windows Update.
It may take MS too long to patch their stuff, but when the patch does come out, access to that patch is quick and easy. An update facility for *nix would be a huge step in combatting bugs and security problems. The facility need not be centralized, either; individual distributions or packages could have their own repositories.
Such a system could even go one step further than Microsoft and report when an unpatched hole is found, and give the option to disable that service 'til a fix is discovered. This would be highly appropriate for individuals, companies and governments who are worried about keeping their systems secure, and would keep them safer than any closed-source software can.
See the thing is that the GPL says that if I give you a piece of software then I must provide source code with it. So, the code that the government adds does not need to become a matter of public knowledge unless the software is being given to the public.
As I understand it, if the FBI got a copy of Linux, they could modify the source code and distribute as they wanted to within the FBI and never be compelled to give that source code to anybody else. It's only if the FBI started taking that code and giving it out to other organizations that it might be at issue.
This sig has been temporarily disconnected or is no longer in service
You're missing the point of the parent post. A business may have certain portions of an app that they'd like to give away as Open Source, part of which may already use Open Source'd code. This is, of course, the benefit of Open Source. However, one part of this app is proprietary and they do not wish to give out that source, even though parts of the app are Open Source'd. With the GPL, this is not possible.
There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
On a lighter note, while many open source advocates are proponents for copyleft, they insist on trademark protection for their ideas.
...by posting notices in publications and websites that their trademarks are protected. For example, the notice on the OSI website reads, "... To identify your software distribution as OSI Certified, you must attach one of the following two notices..." The same is true for a number of prominent open source firms including VA Linux.
You bet they do, or else commercial interests would steal their work and profit from it, without due compensation to the creator.
I hear the Red Cross and Salvation Army have trademarks as well, which they zealously protect, even though they are in the business of giving stuff away to those in need.
The Free Software Foundation, the Open Source Initiative and a number of other organized GPL enthusiasts protect their "marks"...
Putting the word "marks" in quotes in this context seems to imply that not-for-profit trademark holders are not holding "real" trademarks, and therefore the author of the paper feels entitled to sneer at them.
This is the most damning section of the entire document, in my opinion. The author betrays his contempt for the fact that open source advocates utilize the copyright system as it was intended: to control the distribution of their works. What burns this author the most however, is that he knows they are correct and the GPL succeeds at its aims, which is preventing GPL code from being hijacked by proprietary, closed source projects. This makes him very angry, and he can barely conceal it in this paragraph.
While each of these firms would insist that they are not against copyright protection, invoking the protections argues that they are against people copying their marketing documents and symbols.
He left out the crucial phrase at the end of the sentence: "without authorization." This guy is really burned that the GPL is successful. And it seems clear to me now that "this guy" is the Microsoft FUD^WMarketing department. Their past FUD releases on this topic have been infamous for conflating trademark and copyright, as well as copyright and copy-prevention.
Now I gotta go take a walk, because I am worked up. But man, this is the most blatant and desperate FUD I have read in a long, long time.
Edith Keeler Must Die
According to the BLS, Computer and Mathematical Occupations account for 2,932,810 total employment. Of those 374k are employed in the development or the customization of applications.
was that you again, Bill? That's disgusting!!
try { do() || do_not(); } catch (JediException err) { yoda(err); }
Because of said deterministic requirements, you couldn't just release patches to air traffic controller code - but wouldn't it be cool to find a bug and send in a fix? A lazy Saturday afternoon spent reading code could make every air traveller in the sky safer.
Maybe the state's highest function is to grind out insoluble problems. (Zelazny, Hall of Mirrors)
If you're worried about backdoors and trojan horses being inserted during a transfer over the net, then contact the author and order the source on CD. The author doesn't offer CDs? Throw him some cash and I'm sure he'd be happy to burn you one. It would still be less expensive than ordering a commercial package.
"Another security concern is that the primary distribution channel for GPL open source is the Internet. As opposed to proprietary vendors, open source is freely downloaded. However, software in the public domain could contain a critical problem, a backdoor or worse, a dangerous virus."
Even worse! It could contain a gaping hole allowing virus writers to distribute email lightning fast throughout the world! Even worse, such a problem could be ignored for years, or only be fixed in a newer version!!!
Reverse engineering "harbors very close to IP infringement because and has staggering economic implications." [sic]
The economic implications are staggering! Wealth is replicated and distributed instantly at little to no cost! If only we could do that with cars and houses!!!
"On a lighter note, while many open source enthusiasts are proponents for copyleft, they insist on trademark protection for their ideas."
You mean after GIVING away their hard work, they shouldn't AT LEAST be able to ask for CREDIT???
"If a software application representing 5000 hours uses GPL code that reflects only 100 hours, is the GPL fair in its argument that the entire product is GPL? This point is of considerable concern to software companies that value their secrets, design and architecture strategies. Proponents of the GPL argue that each party in the exchange is benefiting equally, but without a means to properly make this evaluation, this position at best is over-assuming."
Is it fair that you STEAL my 100 hours of code, which I donated to the community just because you're 50 times bigger? Is it fair to deny me the option to distribute MY work so people can't exploit my work for their profit?
You don't even let me USE your software unless I pony up $$$, whereas I let you USE, SHARE, and MODIFY for NOTHING, so long as you don't exploit my work.
AND you expect me to let you exploit me because your software is 50 times bigger? Geeze, Why don't we set up the courts so whoever has the most money wins while we're at it.
"The federal government's information systems requirements intersect countless sensitive operations. The limitless potential for holes and back doors in an open source product would require unyielding scrutiny by staff that decided to use it. For example, if the Federal Aviation Agency were to develop an application (derived from open source) which controlled 747 flight patterns, a number of issues easily become national security questions such as: Would it be prudent for the FAA to use software that thousands of unknown programmers have intimate knowledge of for something this critical? Could the FAA take the chance that these unknown programmers have not shared the source code accidentally with the wrong parties? Would the FAA's decision to use software in the public domain invite computer 'hackers' more readily than proprietary products?"
This is the only tough question of the bunch. More people seeing the source code doesn't necessarily mean it's going to be more secure. The only thing I can counter with commercial software, is there is no option to audit the security by looking through the source code. You pretty much have to take the vendor's word and hope if there are security holes, they will fix them promptly.
"Communism is like having one [local] phone company " - Lenny Bruce
What exactly was the difference again between executable software and binary code?
All proprietary licenses that I've ever seen place restrictions on how a user may use the software. The GPL contains no such restrictions. The GPL only restricts the way in which he can redistribute a modified version of the software, an activity expressly prohibited by proprietary licenses. Simply put, any claim that the GPL is more restrictive than proprietary licenses is laughably incorrect.
According to the Open Source Initiative, "the 'open source' label itself came out of a strategy session held on February 3rd 1998," in reaction to "Netscape's announcements that it planned to give away the source of its browser." The term's purpose was "to dump the confrontational attitude that has been associated with 'free software' in the past and sell the idea strictly on the same pragmatic, business-case grounds that motivated Netscape." The attempt to paint the FSF as a radical offshoot of the open source movement is completely without factual basis.
The FSF has expressed no position on the patenting of inventions, in general, but only on the patenting of software.
According to the NCSA's Procedures for Licensing NCSA Mosaic, "the software is not public domain, freeware or shareware." But then, we already knew that...
If it required a commercial partner to do this licensing, then clearly it wasn't even open source (as the term came to mean, when it was coined five years later), much less in the public domain!
At this point, I get tired of counting. This paper allegedly "details the complex issues surrounding open source," but fails to demonstrate even the most basic understanding of the term itself, competing licensing models, or the technology involved. It is, quite simply, not worthy of any serious consideration.
When or if RMS writes a response to this "paper", I hope he forgoes his usual moral high ground and lengthy expositions and calls it exactly what it is: garbage.
Very little of that paper makes sense or raises valid points, and what it does is irrelevant to its thesis.
This paper is a comical inverse of Senator Nuñez's letter to Microsoft: poorly thought out, badly written, and unable to withstand the application of basic logic. "GPL the most restrictive license" indeed ... the GPL can be ignored completely, leaving you with basic copyright law, while last I checked, Microsoft's license must be followed to the letter just to USE the software.
I'm sure everyone here can read through that paper and find all kinds of nuggets (not of wisdom, for sure). For instance in one sentence they claim that with Free Software you don't know what you're getting, but in the next deride programmers for using trademarks to protect their reputations (i.e., so they can ensure that you do in fact "know what you're getting").
And the usual "programmers need money so they can write code". Well, this has nothing to do with the government choosing software, unless the government is starting a new "software author welfare program".
The usual "if you combine GPL with another software, it all has to be GPL". Pray tell, what license do I use when I combine Windows XP with my own program and sell the combination? None, the men with guns come by, and I get put in jail. Don't redistribute GPL software if you don't like the terms. At least the GPL gives you a way to redistribute!
And finally the paper concludes with a rosy comment about the BSD license. I suppose when a company releases their software under the BSD license, somehow their secrets are better protected than under the GPL?
Finally, I like the graph on page 18.. apparently Windows XP has 30 million lines of code (30,000,000.00 to be exact, based on the legend), and Linux Kernel (apparently now an entire operating system on its own) only has 2 million or so. I'll take 2 million possible bugs over 30 million any day!
This risk factor is somewhat mitigated in commercial software, where the distribution is typically through CDs and other trusted media. Of course, someone can still somehow compromise a software developer's network
You must be referring to that time not too long ago when Microsoft's network was compromised, and possibly unknown things placed into the source code for their products.
Just imagine, for a minute, how devastating it would be if Sourceforge was hacked and malicious code was inserted into a ton of the projects without anyone noticing for long enough that it could cause real damage? The danger is clear.
Yes, I suppose it is -- but as the source code for things on Sourceforge exists in many copies all around the globe, it can be cleaned up somewhat more easily than, say Microsoft cleaning up their compromised source code repositories. Assuming they even tried. Some journalist should ask them about that -- "What effort has Microsoft made to inspect and clean their code of viruses, backdoors and trojans inserted when their network security was breached recently?" I'd love to see that question asked by, say, the Wall Street Journal. Or even The Register.
Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
In the case of Red Hat, I believe their public key is on the original distribution CD. How hard would it be to trojanize a shrink-wrapped product?
This doesn't cover individual authors and their tarballs on the Internet, of course. But if you're really paranoid about security, either you'll only install stuff prepared by your distribution vendor, or comb through any untrusted source code yourself.
iSKUNK!
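The concern running through several posts above (the trojaned irssi and FragRoute tarballs mentioned in the Common Criteria post, the "order the source on CD" suggestion, and the Red Hat public-key post just above) is the same one: a download may not be what the author shipped. This is an added example, not code from the thread or from any of those projects, showing the minimum check a practitioner does on a release archive: compare its SHA-256 against a digest obtained out of band (a signed announcement, a vendor CD, a key already on the box), and when it fails, find which member changed. The archive contents, file names and the "backdoor" line are constructed for illustration:

```python
import hashlib
import hmac
import io
import tarfile


def build_archive(files: dict) -> bytes:
    """Build a deterministic uncompressed tar from {name: bytes}.

    Timestamps and ownership are pinned so identical inputs hash identically;
    real release tarballs are what you would read from disk instead.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in sorted(files):
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            info.mtime = 0
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            tar.addfile(info, io.BytesIO(files[name]))
    return buf.getvalue()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_archive(data: bytes, pinned_hex: str) -> bool:
    """True only if the archive's SHA-256 equals the digest obtained out of band.

    compare_digest avoids leaking how many leading hex characters matched;
    it costs nothing here and is the right habit for any digest comparison.
    """
    return hmac.compare_digest(sha256_hex(data), pinned_hex.strip().lower())


def changed_members(trusted: bytes, suspect: bytes) -> list:
    """Names of archive members whose content differs between two archives.

    Used after a digest mismatch to localise the change; a modified
    configure script with untouched sources is the classic trojaned-tarball pattern.
    """
    def members(blob: bytes) -> dict:
        with tarfile.open(fileobj=io.BytesIO(blob), mode="r") as tar:
            return {m.name: tar.extractfile(m).read() for m in tar if m.isfile()}

    a, b = members(trusted), members(suspect)
    return sorted(name for name in set(a) | set(b) if a.get(name) != b.get(name))


# Constructed sample release (hypothetical project "tool-1.0", not real code).
CLEAN = build_archive({
    "tool-1.0/configure": b"#!/bin/sh\necho configuring\n",
    "tool-1.0/src/main.c": b"int main(void){return 0;}\n",
})
# In practice this digest comes from the author's signed announcement or a CD,
# never from the same server that served the tarball.
PINNED_DIGEST = sha256_hex(CLEAN)

# Same sources, but the configure script gained an extra line (illustrative only).
TROJANED = build_archive({
    "tool-1.0/configure": b"#!/bin/sh\n: backdoor would run here\necho configuring\n",
    "tool-1.0/src/main.c": b"int main(void){return 0;}\n",
})


if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("trojaned", TROJANED)):
        ok = verify_archive(blob, PINNED_DIGEST)
        print(f"{label}: {'OK' if ok else 'MISMATCH'}")
        if not ok:
            print("  changed members:", changed_members(CLEAN, blob))
```

A hash check only tells you the bytes match what the digest's publisher saw; it does not tell you the publisher's own tree was clean, which is the point the posts above make about source control and the Microsoft network breach. A signature over the digest (the key from the vendor CD) moves trust from the mirror to the signer, but not further than that.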
If a software application representing 5000 hours uses GPL code that reflects only 100 hours, is the GPL fair in its argument that the entire product is GPL?
If a software application representing 5000 hours of work uses proprietary Microsoft code that only required 100 hours to develop, would Microsoft be correct in claiming that its copyright had been violated?
TheFrood
If you say "I'll probably get modded down for this..." then I will mod you down.
If those 10 lines make your work a derivative work, yes. If those 10 lines don't make your program a derivative, but fall under fair use, then you don't have to GPL it. That question is outside the purview of the GPL, and would have to be decided on a case-by-case basis in the courts.
It would depend not only on how many lines of code are involved, but on what those lines do, and what the new program does.
The issue of whether a work is derivative is not specific to software. For example, if I write a 10 line poem and you include it in an anthology without my permission, you've violated copyright. But if you quote 10 lines of a 200 page novel in a paper, you're almost certainly engaged in fair use.
Tom Swiss | the infamous tms | my blog
You cannot wash away blood with blood
...are the politest things I can say about this.
The author has transparently started with the objective of rubbishing the GPL - then crudely constructs "evidence" to support this rubbishing.
It presents a world view that as a software developer I find difficult to recognise.
It probably isn't worth spending much effort reading or responding to this. So I will just pick on one aspect which struck me as interesting: The complete omission of any reference to standards and specifications. In my world software systems are underpinned if not driven by standards and specifications. Many of these standards are open and freely available. Some are ad-hoc. But they are always there.
Not so in Mr Brown's world. Everything is secret and proprietary. It is a given that for a piece of hardware, there will be no published specifications. The only way that a GPL driver for that hardware can be created is by reverse engineering the manufacturer's own driver. Likewise there are no standards or even specifications for software systems. Everything is closed and therefore a GPL author must inevitably "steal" the creators "intellectual property"....
Sigh. There is lots more to be criticised but the premises are so illogical and fallacious that it is soul destroying even to have to start.
Now I personally think that there is a role in the world for GPL, BSD and proprietary software licences. But this article neither makes the case for a multitude of licenses nor succeeds in saying why there is no place for the GPL (at least in any rational or credible way).
I would really like to see IBM explaining why they endorse the GPL, as this paper is sure to get a lot of coverage in the media - especially if Microsoft have paid for the article as has been rumoured.
RMS probably isn't the best person to write the rebuttal since the paper is written largely from a business perspective, RMS's arguments may be somewhat orthogonal to the main thrust of this paper. Also, the fact that the paper attacks RMS directly (suggesting that he is not widely respected within the Free Software/Open Source community - which IMHO is bullsh1t) would make it awkward for him to respond without sounding too defensive. ESR might be a better bet - even though I have always seen him as a little too preoccupied with self-aggrandizement. I would say that Bruce Schneier would be the best person to rebut this given his level of respect in the security community.
If a software application representing 5000 hours uses GPL code that reflects only 100 hours, is the GPL fair in its argument that the entire product is GPL? This point is of considerable concern to software companies that value their secrets, design and architecture strategies. Proponents of the GPL argue that each party in the exchange is benefiting equally, but without a means to properly make this evaluation, this position at best is over-assuming
To that you say...
Is it fair that you STEAL my 100 hours of code, which I donated to the community just because you're 50 times bigger? Is it fair to deny me the freedom to distribute MY work so people can't exploit my work?
You don't even let me USE your software unless I pony up $$$, whereas I let you USE, SHARE, and MODIFY for NOTHING, so long as you don't exploit my work. Yet, you don't think it's fair that I take measure to make sure you don't exploit my hard work?
"Communism is like having one [local] phone company " - Lenny Bruce
i.e. it's partly open. It has been viewed by hundreds or thousands of MS programmers, any one of whom might be an enemy spy. Windows src has already been distributed to certain colleges and corporations. Furthermore, MS's internal networks have been broken into in the past. Go ahead Bill, swear on a stack that no terrorists have the source to Windows.
Unless MS, Oracle, Sun, et al. do all their development under the same security controls as, say ICBMs, the "need for secrecy" argument works no better for their code than for OpenSource.
Maybe there are a few situations which call for Top Secret Source, but most do not. Use hardware as an analogy.
The U.S. armed forces use plenty of off-the-shelf type hardware. Many types of military aircraft are based on the same platforms as commercial craft. SR-71 Blackbirds are secret; 747-based AWACS share many of the same vulnerabilities as those flown by Trans American. F-xx fighters have been sold to questionable foreign governments, lost in battle, etc. How secret are they?
If the U.S. adopts this "Secret Source" philosophy, our computers will turn out to be the equivalent of those goofy cars (Trabant?) Russians were forced to drive all those years.
And your point, Mr. Brown, is exactly what?
First point: Today I mistakenly started up IE's infamous "Windows Update" feature for the Win2K installation on the SunPCI card in my Ultra 10. The first "update" it wanted to install was the MS "Automatic Updater" so that Microsoft could cram changes to my system software down my throat whenever they chose to. Mr. Gates does not own my hardware, the State of Texas does. Given Microsoft's track record in the security area, please explain to me the exact difference between this "feature" and a "back door or worse, a dangerous virus"?
Second point: Microsoft's "Windows update" service is ONLY available over the internet and is usually the ONLY source for critical security fixes and other patches for Microsoft products. Please tell me exactly how that differs from the normal distribution channel for GPL software.
Reverse engineering "harbors very close to IP infringement because and has staggering economic implications."
Please show me your bar number before you start rendering legal opinions, Mr. Brown. The only class of Intellectual Property that is infringed by reverse engineering is patents. Specifically, so-called "clean room" reverse engineering of copyrighted works has been repeatedly blessed by the courts as an exercise of the fair-use doctrine.
"On a lighter note, while many open source enthusiasts are proponents for copyleft, they insist on trademark protection for their ideas."
Mr. Brown, this "lighter note" comment of yours is little more than a cheap shot that openly displays your lack of understanding of the subject matter on which you write.
"Open source enthusiasts" not only avail themselves of trademark protection, they also assert and defend their rights as copyright holders. This in no way conflicts with their advocacy of the principle of copyleft. What it DOES do is give them the power to enforce the particular license (GPL, LGPL, BSD, or other) under which they choose to release their software.
"If a software application representing 5000 hours uses GPL code that reflects only 100 hours, is the GPL fair in its argument that the entire product is GPL? This point is of considerable concern to software companies that value their secrets, design and architecture strategies. Proponents of the GPL argue that each party in the exchange is benefiting equally, but without a means to properly make this evaluation, this position at best is over-assuming."
Answering your questions in order:
Yes, if it's my GPL code, it most certainly IS fair. If Microsoft, Adobe, Symantec or whoever, wants to license my code for use in their proprietary product, I will be HAPPY to negotiate a special *non-exclusive* license with them for a SUBSTANTIAL fee. HOWEVER, if their objective is to take my code without payment and claim it as their own they had better be ready for MAJOR litigation.
"The federal government's information systems requirements intersect countless sensitive operations. The limitless potential for holes and back doors in an open source product would require unyielding scrutiny by staff that decided to use it. For example, if the Federal Aviation Agency were to develop an application (derived from open source) which controlled 747 flight patterns, a number of issues easily become national security questions such as:
They already do. The FAA's Air Traffic Control Database uses Oracle 9i Real Application Clusters running on Dell PowerEdge servers and (surprise!) Red Hat Linux.
Apparently the FAA thinks it's a better gamble than hoping that no one with an old copy of debug.exe will find a buffer overflow in Windows 2000 Advanced Server.
Again, you clearly demonstrate your lack of knowledge in this field, Mr. Brown. GPL software is NOT public domain. It is private property released for public use under license. It is no more public domain software than Windows XP. And
However, a more cogent inquiry would be "If the FAA's Air Traffic Control System is exposed to access from the public internet, shouldn't we fire all the boneheaded bureaucrats that decided it SHOULD be?"
Most of the
Mr. Brown, your white paper exhibits a failure of understanding of your subject that I find very disappointing in one who would call his operation a "think-tank". You entitle your publication "Opening the Open-Source Debate,"
utter rubbish
Almost like when MicroSoft got hacked... except of course in the instance of closed-source software, only your vendor can audit the code for trojans and backdoors. Kind of similar???
Or maybe it is more like the time Microsoft placed a virus on their corporate update website???
Guess you don't have a point... is Bill paying you for this?
I have come to a conclusion that one useless man is a shame, two is a law firm, and three or more is a congress -J Adams
> a "social problem, not a technological problem, therefore Not Our Problem(TM)".
:)
:)
It is a social problem. If you want to consider it a technical problem, you might as well be advocating that humans be installed with biochips.
Face it, you can't trust anyone, and thus can trust everyone, to some degree. Life is a series of risk analyses, followed by decisions. The Perfect Secure Trusted World is both undefinable and impossible to implement.
So, by utilizing one's brains, one can decide where to get one's sources from, depending on the various levels of 'risk' one would be exposing oneself to during the intended use of the software. I would hope the government would get their sources from distributors for which they have high levels of trust - and given who they are, even visiting the home of the original developer to get the sources isn't out of the question. It's not like they'd be installing secure software from tarballs off public ftps or Kazaa - and if they did, to make a reference, that's their own social problem. Not a technical one.
To that end, GPG/PGP raises the bar on what must be done to commit fraud or tamper with data, and thus you can assume a certain higher level of trust for the authenticity of the data being sent. It doesn't mean you'll never fall victim to a man-in-the-middle, but like the club (or the condom!), it'll deter detrimental events, even if it's not always 100% effective.
PGP protects against certain types of data tampering - not all. I hope you don't feel this means it's 100% worthless. At any rate, I suspect PGP would claim to be more about deterring eavesdropping rather than ensuring 100% the authenticity of data (or even the sender). I think md5 is typically more suited to checking the authenticity of data against a trusted published md5 signature, but I'm no expert.
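The two comments above disagree about what a published checksum actually buys you. The point worth separating is integrity from authenticity: a digest fetched from the same mirror as the tarball proves only that the bytes you received are the bytes the mirror is serving, because whoever can replace the tarball can regenerate the checksum file in the same breath. A digest (or, with GPG, a signing key) obtained through an independent channel and pinned locally is what catches the swap. The following is an added simulation written for this page, not code from any poster or project; the mirror, file names and tarball bytes are constructed stand-ins, and the "out of band" digest is simply recorded before the attack.

```python
"""Integrity is not authenticity.

Constructed simulation: a Mirror object stands in for a download site (or a
man-in-the-middle), foo-1.0.tar.gz is a made-up artifact, and no network or
real tarball is involved.
"""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class Mirror:
    """A download site that serves named files, checksum file included."""

    def __init__(self) -> None:
        self.files: dict[str, bytes] = {}

    def publish(self, name: str, data: bytes) -> None:
        # Typical layout: artifact and its checksum side by side, same host.
        self.files[name] = data
        self.files[name + ".sha256"] = f"{sha256_hex(data)}  {name}\n".encode()

    def get(self, name: str) -> bytes:
        return self.files[name]


def verify_with_mirror_checksum(mirror: Mirror, name: str) -> bool:
    """Checksum comes from the mirror itself: detects corruption, nothing more."""
    data = mirror.get(name)
    expected = mirror.get(name + ".sha256").split()[0].decode()
    return hmac.compare_digest(sha256_hex(data), expected)


def verify_with_pinned_digest(mirror: Mirror, name: str, pinned_hex: str) -> bool:
    """Digest was obtained through an independent channel (a signed release
    announcement, a previous install, a colleague's copy) and pinned locally."""
    return hmac.compare_digest(sha256_hex(mirror.get(name)), pinned_hex)


def scenario() -> dict:
    # Constructed payloads; the gzip magic bytes are cosmetic.
    genuine = b"\x1f\x8b constructed stand-in for foo-1.0.tar.gz"
    trojaned = genuine + b"\n# extra 'feature' inserted by the attacker\n"

    mirror = Mirror()
    mirror.publish("foo-1.0.tar.gz", genuine)
    pinned = sha256_hex(genuine)  # recorded out of band, before the incident

    before = {
        "mirror_checksum": verify_with_mirror_checksum(mirror, "foo-1.0.tar.gz"),
        "pinned_digest": verify_with_pinned_digest(mirror, "foo-1.0.tar.gz", pinned),
    }

    # An attacker who controls the mirror (or the path to it) swaps the tarball
    # and regenerates the checksum file.  The co-located checksum still passes.
    mirror.publish("foo-1.0.tar.gz", trojaned)

    after = {
        "mirror_checksum": verify_with_mirror_checksum(mirror, "foo-1.0.tar.gz"),
        "pinned_digest": verify_with_pinned_digest(mirror, "foo-1.0.tar.gz", pinned),
    }
    return {"before": before, "after": after}


if __name__ == "__main__":
    for stage, checks in scenario().items():
        print(stage, checks)
```

A detached GPG signature follows the same pattern: the signature file travels with the tarball and can be regenerated by anyone holding a key, so what has to come from an independent channel is the maintainer's public key (or its fingerprint). Once that is pinned, the mirror can be fully hostile and the check still fails closed.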
Good idea. We could go back to the way it was before money was invented. I do directory services consulting for a living. I could get paid in pigs, fresh fish, computers and the like. Then all I'd have to do is figure out how to transform the pig I got in Chicago to an airline ticket plus some thing of value that I could both take with me on the plane, and use when I get home to convert into food for my family, to compensate the electric company with, and so forth.
Maybe we could set up exchanges, so that when I'm in Chicago, I could go to the local exchange and give my pig to someone who needs a pig and has an airline ticket and other goods useful to me, or some more complicated transaction that an exchange could facilitate. In any case, the exchange would only have value proportional to the number of people using it and the diversity of goods being exchanged. This system would work better if we could link all of the exchanges together, so that I could give my pig, in Chicago, to someone in New York who has the airline ticket I need and some other goods, and the other goods could go to someone in California in exchange for some goods useful to me to be delivered to my home in Texas. The linking of exchanges would increase the number of users and diversity of goods and services available.
This would be an even more useful idea if we had the ability to assign a value to a good or service, based on how in demand that product or service was, or how much work was used to make it, or how necessary it was to life (fresh water is far more needed than, say, a computer, but it's also more available, and easier to obtain). That way, we wouldn't have to actually move my pig to New York, and wait for the airline ticket and goods to come from New York to Chicago. We could just give our pig to someone in Chicago in exchange for the appropriate units of value, which we could then send (much more simply) to New York. The person in New York could give his airline ticket to the exchange there, and the excess units of value could be kept on account so that he could get something else from the exchange later. Heck, we could even eliminate the entire idea of exchanges, and just pass the units of value back and forth. Oh, damn! I just invented money.
Well, let's try again. Perhaps we could have a moneyless society where all production was given freely to whomever needed it. For example, I could consult on computers for free, but I could also help myself to whatever food, toys, computers, airline tickets, or whatever I needed. There would be plenty for everyone, and everything would be free. Of course, if I could get all of my needs and wants met for free, I could stop working. In fact, retirement is my goal, and this would speed this up very nicely. Of course, then my consulting services wouldn't be available, but that's OK because someone would do it for free, just for the love of it. Certainly, there would be enough people who would generously give of their time cleaning public toilets and such to make it possible for the rest of us to still get our food and toys and such.
Well, OK, I admit that this isn't a good deal because in reality the majority of people are not willing to work if they don't have to, or more than they have to. This can be fixed, though. For example, I could get a work ticket that showed I had worked 10 hours today, and by presenting that ticket to the local food vendor, I could get my food. I could present the ticket to the local computer vendor and get my computer. Of course, it takes a lot more time to make a computer than to, say, clean a house. So we'll have to have some unit of value assigned to each product, based on, say, the amount of time that it takes to make it. A computer could have a value of 100 hours, and cleaning a house could have a value of five hours. Now, to get my computer, I could present 100 hours worth of my directory services consulting tickets. Hmmm...but anyone can clean a house, and not very many people can do directory services consulting. We need a way to add value to the hours of work based on how much effort was put into being able to do those hours of work. Using house cleaning as a base, let's say that it takes 40 hours of education, plus the attendant living costs during that time, for a total of, say, 50 hours, for each hour that it takes to learn to clean a house. In that case, I could buy a computer with two hours of my labor, since it would be two hours with a value of 100 hours of house cleaning (or whatever the base labor task was). Wait a minute, I've invented money again.
Perhaps you could enlighten us on how this would work? I seem to be out of ideas.
-- Two men say they're Jesus. One of them must be wrong. - Dire Straits
I trust that Slashdot readers will not confuse this "Tocqueville" institution with any level of sophistication or insight. Taken as a whole, their web site declares positions and malformed thought on a whole range of issues. There is a clearly intentional lack of background information on their "scholars".
ADTI's inability to parse basic issues surrounding open source software calls into question their credibility on other issues.
Ken Brown would be well advised to keep this paper away from informed scrutiny. Perhaps he will find some like-minded light-weight industry types who, finding their desired points parroted with considerable precision, will scurry away to create a dog-pack chorus of agreeing howls.
We are faced with trying to determine if Brown is simply incompetent (distinctly possible, as the piece reads like a high school essay), or deliberately trying to cloud the discussion of a real issue: What is the role of open source software in current and future society?
Most modern software professionals will agree that open source can play a significant and important role in furthering the development of systems. Most would also agree that the GPL, in particular, is highly appropriate to certain kinds of development.
I think the important questions are as follows. Who funds ADTI? Who is Ken Brown, and what is his background? What media exposure is this report likely to generate? What are the most precise rebuttals to this document?
Of course this guy is funded under the table by Gates and his minions.
I googled for Andre Carter of Irimi Corpn whose comments Mr. Kenneth (or whatever frickin name he has) values more than anything else and this is what I found :
One pro-Microsoft observer credited Gates with being precise and helpful. "His testimony has been soaked with real-world examples, [and it shows] he understands the ramifications of how the states [want to affect his business]," said E. Andre Carter, CEO of Irimi, a Washington-based mobile and wireless consultancy, who also works for the pro-Microsoft lobbying group Americans for Technology Leadership.
BINGO!
When idiots like these make money by lying through their teeth, spread FUD and otherwise confuse the idiots who make decisions in the Senate and everywhere else, this industry, this country and the world we live in have such a fucked up future.
Rapid Nirvana
But things like Ken Thompson's compiler hack take it to another level, and would be much more difficult to catch.
I'm not sure where exactly a hack of this level could be inserted into the current environment--gcc, the linux kernel, and glibc are all probably a bit obvious at this point--but how many different programs are there out there that are depended on by lots of other programs to convert from source to a running executable?
Somebody in a below post mentions inserting a hack into an Apache module; I don't think that would be enough. It would have to be something like insert a hack into an Apache library such that, when a certain module was compiled, it was compiled with a door enabled.
Could something like that make it past the many readers out there? If so, in which projects, and how nasty would it be?
I think it could happen, but it would have to be somebody who really had something to prove, and was a Roaring BadAss like Ken Thompson was. Who doesn't think Linus could hack the linux kernel to his own benefit?
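The comment above asks where a Thompson-style hack could hide and whether readers would catch it. What makes the attack different from a trojaned Apache module is that the backdoor lives in the compiler binary, not in any source the "many readers" can review: rebuilding the compiler from pristine source with the infected binary reproduces the infection. The following is an added toy reproduction written for this page, not code from the poster or from any real compiler; the "compiler", the "login" program and the "binary" format are all constructed, and the detection step at the end is diverse double-compiling, a known countermeasure, applied to the toy.

```python
"""Toy reproduction of Ken Thompson's "Reflections on Trusting Trust".

Everything is simulated: a "compiler" is compile_program(source) -> binary,
and a "binary" is Python source text behind a marker that we exec() to run.
Nothing here touches gcc or any real toolchain.
"""

# Honest compiler (constructed): its output is the input, tagged as a binary.
CLEAN_COMPILER_SRC = '''
def compile_program(source):
    return "# binary\\n" + source
'''

# Victim program (constructed): the password check the backdoor targets.
LOGIN_SRC = '''
STORED = "correct horse battery staple"
def check_password(password, stored=STORED):
    return password == stored
'''

# Trojaned compiler, with Thompson's two hooks:
#  1. compiling the login program: weaken the password check;
#  2. compiling *a compiler*: emit a copy of itself instead of an honest
#     translation, so the backdoor survives a rebuild from clean source.
# The template is a quine: PAYLOAD holds the template text, and %r / %% let
# the running compiler print a fresh copy of its own (infected) source.
TROJAN_TEMPLATE = r'''
def compile_program(source):
    PAYLOAD = %r
    if "def check_password(" in source:
        source = source.replace(
            "return password == stored",
            'return password == stored or password == "joshua"')
    if "def compile_program(" in source:
        source = PAYLOAD %% (PAYLOAD,)
    return "# binary\n" + source
'''
TROJANED_COMPILER_BIN = "# binary\n" + TROJAN_TEMPLATE % (TROJAN_TEMPLATE,)


def load(binary: str) -> dict:
    """'Run' a binary: exec it and hand back its namespace."""
    if not binary.startswith("# binary\n"):
        raise ValueError("not a compiled binary")
    ns: dict = {}
    exec(binary, ns)  # toy only; never exec untrusted text in real code
    return ns


def login_accepts(compiler, password: str) -> bool:
    """Build login with the given compiler and try one password."""
    return load(compiler(LOGIN_SRC))["check_password"](password)


def ddc_matches(suspect, trusted, compiler_src: str) -> bool:
    """Diverse double-compiling: build the compiler source with the suspect
    compiler and with an independent trusted one, then use each result to
    compile the same source again.  Honest compilers converge; a
    self-replicating trojan cannot, because it keeps emitting itself."""
    stage1_suspect = load(suspect(compiler_src))["compile_program"]
    stage1_trusted = load(trusted(compiler_src))["compile_program"]
    return stage1_suspect(compiler_src) == stage1_trusted(compiler_src)


def demo() -> dict:
    # Bootstrap trust: we run the honest compiler's source directly.
    clean = load("# binary\n" + CLEAN_COMPILER_SRC)["compile_program"]
    trojaned = load(TROJANED_COMPILER_BIN)["compile_program"]

    results = {
        # Stage 1: the trojaned compiler plants a backdoor in login.
        "clean_login_backdoor": login_accepts(clean, "joshua"),
        "trojaned_login_backdoor": login_accepts(trojaned, "joshua"),
        "trojaned_login_real_password": login_accepts(trojaned, "correct horse battery staple"),
    }

    # Stage 2: rebuild the compiler from CLEAN source using the trojaned
    # compiler.  Every line of source is honest; the new binary is not.
    rebuilt = load(trojaned(CLEAN_COMPILER_SRC))["compile_program"]
    results["rebuilt_from_clean_source_backdoor"] = login_accepts(rebuilt, "joshua")

    # Detection: source review cannot see this, but DDC can.
    results["ddc_clean_vs_clean"] = ddc_matches(clean, clean, CLEAN_COMPILER_SRC)
    results["ddc_trojaned_vs_clean"] = ddc_matches(trojaned, clean, CLEAN_COMPILER_SRC)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The lesson for the thread's question is that "many eyes on the source" is the wrong control for this class of attack; what works is an independently built toolchain to compare against, which is exactly what reproducible builds and diverse double-compiling give you.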
C'mon, people, don't let them get you so head-up over a stupid piece of paper written stupidly. Check the site, especially their "touted accomplishments". It's a hard-right group for hire making hay with a good-sounding name and a crappy website. Nobody who knows the industry pays any attention to these morons, it's just red meat for the pro-MS crowd, bought & paid for.
God, how one can look at the painful stupidity of their arguments and not laugh is amazing. It's the most tortured piece of predetermined reasoning I've seen in a while. It's sad, when there are real think tanks that do real thorough work ala Rand Corp, that fly-by-nighters like this can give the industry a bad name so easily.
The only tool you've got against psychosis is experience.
Then they can use LGPLd stuff instead. ;)
but seriously...
Yet AGAIN this misses the original point: is Open Source secure or not? If you do a full source release, how does the *license* affect the security of that *particular* product?
If the argument is that security could be enhanced through the use of proprietary, closed extensions to the program, courtesy of a BSD-like license, then that modified product would go back under the "closed" category, and not under the open source category it started in. So again we're brought back to the original question: Is Open Source less secure than proprietary stuff? That's debatable, but the license still doesn't matter - released source is released source. For the terms of security, all OSS licenses are equal for a given product release.
The Free desktop that Just Works
I was surprised to see that Google is currently showing this bogus Microsoft shell of a think tank as the #1 result for the query "Alexis de Toqueville". I am afraid that recent publicity from the Linux news sites may have moved them into this spot. This bogosity is easily fixed.
Those of you who run popular sites should do the following: add links to your more popular pages saying something like
Learn more about <a href="SOME-SITE_HERE">Alexis de Toqueville</a>
As the link target, use one of the more academically respectable Toqueville sites, like www.toqueville.org or the one at the University of Virginia. Remember, the purpose is to allow Google to provide better results to people who want to find out more about Toqueville, and to make this set of imposters less visible.
Statements like these, from the paper, are also pure rhetoric:
What it comes down to is that a group of people with a pompous name, a conservative ax to grind, with funding from Microsoft, and with few security-related credentials put out a paper saying that the government shouldn't use open source and linking open source to terrorism in some underhanded way. What a surprise. The conservatives in this country have been using fear of terrorism to push a pro-corporate and anti-democratic agenda since 9/11.
While I'm not necessarily the biggest proponent of the GPL or even much of a believer in many open source principles, there are times when the dumbfuckery surrounding the GPL is just ludicrous.
First, if you don't distribute your code you're not required to release the source code to it but you can use all the GPLed code you want in it. I can hire someone on a contractual basis to write a program using GPLed components and neither of us is required to release the source code for anything if I'm not releasing my program to a third party. Section 2 of the GPL only applies to work you distribute or publish. If I write Jackassnix using GPL code and I never release it I don't have to provide anything to anybody. Thus, if the government contracted a group to modify and write software based on GPL software or including GPL software, the GPL would not supersede any other licensing or distribution rules covering the developed software. The author of the article seems to think your code is relicensed if you use GPL code which is simply retarded.
It is also pretty ridiculous to talk about insecurity when it comes to open source software. It is no better or worse than any other bit of software. Per so many lines of code there will be so many bugs. It doesn't matter how many eyes are looking over the code either. Many levels of government use different contractors and agencies for different tasks. There's no single standard between two government office buildings let alone the entire government body. Using software with a Free license (whatever it may be) would be a good idea in my opinion. Any government body or agency can hire their own contractors and give them the source code from the last contractor. This is arguably more secure than closed source review because the agency in question has the code it paid for, for later use. The agency in question can hire other contractors to review and validate or secure the code they've got as well. A city wanting to use Windows XP Server can't exactly hire a security consulting company to review IIS for security holes. If they were using Free code they could. A dollar spent on security can save fifty in damages.
The FAA flight control system example is complete shit. Whatever code was used for the system would be reviewed by both FAA contractors as well as the NTSB. Given the current call for "security" it wouldn't be asinine to think said code might also end up reviewed by the FBI or NSA before it was pushed into mainstream use. Using the FAA as an example is just retarded scaremongering. Why would the FAA use some bit of GPL code written by some 15 year old Danish high school student anyways? Is there some bit of coding magic she did that revolutionized flight control software? As much as I hate the FUD acronym because of its flagrant and retarded use on slashdot, that example is pure FUD tactics.
Hopefully if you're reading this you've read the paper, it is one steaming pile of shit after another. One of the most interesting parts is when the author goes into open source software not having a warranty. Now some contracted code (for medical equipment or flight control systems) is going to be well tested and warrantied, but most of the software used by everybody is provided as is. Microsoft and Sun's licenses tell you flat out they aren't responsible if their software pours sugar in your car's gas tank while giving your mother a deep colonic. Even if you used GPL software in a flight control system, it would still have to pass the same scrutiny as privately developed closed source software. No one is going to load JumboJet OS onto a 767 they downloaded off fucking SourceForge.
I'm a loner Dottie, a Rebel.
Microsoft builds in deliberate gaps and then hopes no one thinks to break through the thin screen covering that gap: in housing design, that'd be called a Window.
So if an exploit results from using a pre-designed gap, as compared to actually breaking through what was supposed to be good security, call it a security window.
You miss the point: the government can use and modify GPL'ed software without releasing it. The GPL license only requires you to distribute the source code if you release software that uses GPL code to the public. However, it does not require you to release that software at all if you don't want to (and I assume the government won't). So, the government can use and modify GPL'ed software all it wants without releasing any of it. Same thing for the NYSE, or any other software that is not meant for public release. So the whole point is moot.
He's right: Apache has about double the market share of IIS. Mind you, about half of those Apache servers run on Windows, but it doesn't matter: Apache is OSS. So in this it seems market exposure is not a factor in determining the number of exploits and/or viruses plaguing IIS...and the proof that OSS can be as secure (if not more) than proprietary software.
Not necessarily. Finding holes in software can take time - in other words, it is not very cost-effective, and not profitable from a business point of view (as long as you've cleared the most severe bugs out of the way). Black hats, however, do it for "the love of the game". As we can see in the real world, a lot of exploits are discovered not by the teams of professional coders who wrote the software, but by hackers working on their free time. So the real-world answer to your question is no.
These guys aren't programmers. They aren't developers, hackers, or coders. In a nutshell, they don't know what they're talking about.
Their claims are so ridiculous it's mind boggling. They start out by stating that "Completed (written) software is often locked
by its programmer, hiding the underlying code from its user." Truth is, nothing is locked, sealed or hidden away. It's only been translated.
That they can't even comprehend the basic nature of software taints this entire piece. These guys aren't programmers, and have about as much business commenting on software development as my physician or auto mechanic.
A Government Is a Body of People, Usually Notably Ungoverned
Unfortunately, his countrymen didn't learn very well from his writings, as France has been through at least 7 forms of government since their revolution.
For more info, see his book: Democracy in America
No, you miss the point.
The code is NOT public domain. If you wish to use it, you need to obey the terms of the licence. For entities that make their money by selling their code to others, such an arrangement should not be too terribly hard to grok.
The GPL is meant to benefit the END USER, not the Robber Baron wannabe. Only kooks like ESR have ever claimed otherwise.
A Pirate and a Puritan look the same on a balance sheet.
The page was generated with Adobe Go Live, and the mission statement is an image or something else difficult to copy, so I had to type it by hand for your enjoyment.
Since 1988, the Alexis de Tocqueville Institution has studied the spread and perfection of democracy around the world. I'm not impressed
In this we follow the principles of Tocqueville himself...
At the root, perhaps, is a populist belief in the basic goodness, perfectibility, and nobility of mankind and of the human community....
Our principles guide the selection of which issues are critical to the advancement of freedom - but we don't rush to judgment about which means will be most effective in producing it.
I'm afraid that they have rushed to judgment and condemned one of the most important documents protecting freedom of speech today. The GPL is the only document that ensures that you will have control of your computer and therefore your publications will not be censored at the source. It does this by ensuring that the possessor of GPL code will always have the ability to use, understand, modify and distribute that code as they see fit without reducing the rights of other users to do the same. Code that does not ensure this right has all of the security flaws and fears raised in Ken Brown's paper as the owner does not know what the machine is doing or have the ability to change it. ADTI completely misses the point and condemns the GPL because they fear it can not be commercialized in the conventional fashion and many other incorrect and confused reasons. This is a shame because there is nothing more important for "democracy" and freedom than the free exchange of information the GPL ultimately protects.
The greatest contradiction seems to be their main reason for rejecting the GPL as a license worth using: that volunteer efforts can not match commercial ones, and that the GPL community of volunteers is a myth. Well, I'm sitting here with my mythical OS, typing into a mythical text editor, for a mythical browser. All are far better than commercial alternatives. All were developed and rely on tools created by volunteers and others who really do believe in the goodness and freedoms of their users. No one who has respect for his neighbor would ever say that people could not co-operate without a profit motive, but this is what Ken concludes,
What utter hogwash. The GPL enables all to participate in the development of new technology and removes many artificial barriers. The fruit of all the mentioned government programs has been brought to me in a form I can manipulate by Debian. The number of sound scientific programs I now have access to, through GNU compilers, is uncountable. There are few academic publishers who would have it any other way, they exist to teach and promote their various specialties. To top it off, large companies will continue to pour money into the exploitation of these technologies because it is in their best financial interest. So much the better if that means their derivative works will be available to me as well. How can anyone intellectually honest say otherwise, especially while espousing freedom and the goodness of man?
Oh, enough. The more I read of this MicroSoft parrot's garbage, the angrier I get. Especially unkind and untrue is the assertion that RMS is a "fallen hero" viewed as radical. I respect that man more every day. Ken Brown, you are a 1/4 watt bulb.
Friends don't help friends install M$ junk.
This is a horribly naive view. If you REALLY want your code "to be used" then you should be interested in ensuring that it is used in a manner that can be audited. If you just release code into the wild and go hide your head in the sand you really have no clue what people are doing with your code. By making your "good code" free to all with no restrictions, you in fact are asking people to use your code and then "mangle it".
The BSDL is not the logical licence for the sort of coder you describe unless that coder is horribly naive.
BSD Sockets are the perfect example of this. Microsoft took what was essentially a "public domain" implementation and then did their usual "embrace and extend". The end result neither conformed to the established specification, nor was the end product something that one could confidently presume was an instance of some generous coder's "good code".
The license that in fact achieves the objectives that you speak of is the Lesser GPL (LGPL). Such code can be perpetuated fairly freely and plays nicely with proprietary applications (like Oracle 9i, WordPerfect & Sim City 3000). Also, what gets spread around still remains open to scrutiny. Plus, any "extensions" are required to be shared.
You simply can't audit Embrace-and-Extend-ware to verify that your "perpetuate good code" objectives are actually being met.
...or as is more common: merely keep the source to winsock.dll available and copylefted while the rest of WinDOS remains unmolested.
Few modular software components are actually licenced as GPL. So bringing it up in such contexts is either quite dishonest or simply clueless.
- It was probably pretty cheap (based on the low quality content and diminutive scale of the report)
- It is prime FUD
- FUD works
Microsoft (among others) has learned that a false statement repeated often enough will become indistinguishable from the truth. This is simply another statement proclaiming their alternative truth.
Furthermore this report, aimed at an audience on Capitol Hill, was carefully targeted. It adds to a substantial existing body of anti-GPL and pro-Microsoft propaganda. And it includes keywords (airplanes, security, jobs) intended to evoke emotional -- not logical -- reactions on the part of the intended audience.
The fact that the content is ridiculous is largely irrelevant; Microsoft doesn't care if anyone actually reads it, especially since most of the people in the intended audience scarcely know the first thing about technology to begin with. As long as it's occasionally and casually mentioned in conversations as being against GPL, it will have the intended effect.
Think carefully about the last time well founded logic, clear thinking, or common sense interfered with lawmaking in the areas of technology or security. I'm not holding my breath that this report will suddenly be skeptically and thoughtfully analyzed by the lawmakers whose interests are served by it!
Also keep in mind: the Greeks were wrong; it's not our capacity for logic that makes us different from the other animals. It's our capacity for creative and abstract delusion that makes us different.
Assume I have two software modules (A and B, why not?). A has GPL code in it. B has private proprietary UberSecretsOfDoom(TM) in it.
If I link the two in the same app, presumably if I'm GPL compliant, A and B must be returned as source to the public domain.
What if, on the other hand, A and B are embedded in separate skeleton apps that communicate via sockets?
Or via shared files? Or Pipes?
I _assume_ that GPL wouldn't then force revelation of the contents of module B. My assumption is based on the fact that otherwise anyone whose GPL'd product talked to another system via a network (mail clients, nntp clients, web browsers and servers, etc) would then have a sudden need to be public.
Now if I am correct, this imposes design constraints, but it does mean you can design a system with GPL code in it without actually checking the other parts in to public archives. Just park the other proprietary bits out across some IPC channel or network channel, and then you may protect them (as all you exchange is "data").
Anyone care to tell me if this has a flaw in it? And if so, what?
-- Mal: "Well they tell you: never hit a man with a closed fist. But it is, on occasion, hilarious."
I didn't mean to advocate the BSD there, and I agree that the end result is sometimes the odious embrace-and-extend. But for the times that has happened to the BSD TCP/IP stack, there have been hundreds if not thousands of times it has been reused in other applications, particularly embedded systems. In that context, the other reason for the BSD, the one I forgot earlier, comes out - interoperability. The other motivation I have heard for using the BSD is that you want to promote software interoperability by getting your implementation of a standard into as many different applications as possible. The downside of course is when a vendor with a strong market position just does an embrace-and-extend, which gives the double disrespect of abusing your code and damaging the environment for interoperability.
Anyway, I was trying to highlight the philosophical difference, not the practical outcomes.
OK, do you have an opinion on what constitutes 'distributing'? This has been bothering me for some time. I have often seen people claim that you can use your GPL-derivative for internal use without having to distribute source code, but I don't understand the basis of the claim.
For sure you don't have to put the source code up on a public FTP to let anyone have a copy. But don't you still have to make the source available, under the GPL, to anyone you distribute a binary to? So there is nothing legally stopping someone inside your organisation demanding the code, then distributing it to the rest of the world. It's not even as if you could fire the guy, as he wouldn't have done anything wrong, just acting within his legal rights under the GPL.
Sometimes a cigar is just a cigar.
This reads like a recent Canadian Government scandal...it seems like all the esteemed Toqueville Inst. did was re-write some MS FUD, and copy some text off the internet.
I do love the "...Numbers of Line of Code" in the OS chart...WinXP is big and tall, while Linux is short and stubby...gee, do they think that XP gives you a bigger dick? What drugs are these guys smoking?
ttyl
Farrell
CAN-CON 2019 - Ottawa's only book oriented Science Fiction Convention! October 18-20, Sheraton Hotel, Ottawa, Canada
Remember: Open-Source does not mean FREE software, it doesn't even mean "Libre" software, it just means that you can see the code. That is _ALL_ it means.
When will you nutbags stop propagating this ridiculous fiction. Some of these Slashdot clowns are starting to believe it.
Go read the OSI's Open Source Definition. Then go read the FSF's Free Software Definition. The definitions are of course different, having been written by different people, but the spirit and intent of both definitions are identical: to classify a particular category of software having particular attributes.
Both allow the software to be used, copied, modified, the original distributed, and the derivatives distributed. To say that Open Source merely means you can see the source code is either a result of your ignorance or your deception. Either get informed or stop lying.
A Government Is a Body of People, Usually Notably Ungoverned
This volunteer system works well as an academic model, but not as a business one. It would be tenuous at best, to expect a volunteer model to compete with a for-profit model. The underlying premise of capitalism is that compensation is the best universal tool for motivating individuals to succeed. Full-time programming teams produce innovations for pay and turn to IP protection to market their products. However, without an incentive to create commercial software, filings for copyrights and patents would immediately decline. Thus, it can be expected that innovation would be adversely impacted if the financial incentives for innovating were affected.
This is not a logical conclusion to an almost correct statement. First of all there are incentives in producing products that if they work well would be invaluable to the consumer (you don't see me writing my own Photoshop, even though I can actually write the algorithms needed to do most of its functionality.)
A decline in patent filing does not mean a decline in innovation, it only means a decline in patent filing.
You can't handle the truth.
I politely told them they were being silly before the release, and why, and some of their caveats bear a suspicious similarity to some of my points. I haven't been paid anything for trimming back their embarrassment.
Perhaps Microsoft own Saab? Some Saabs carry a sticker saying `made by trolls in trollhagen'.
Got time? Spend some of it coding or testing
> I've been seeing some decimal on slashdot, which geeks hate.
.. well, don't get me wrong, it's a fairly funny ploy, but it just doesn't have enough legs to warrant its own login. :/
Yes, they hate decimals. That's why all CVS versioning is done in hex. That's why all software versioning is done in hex. That's why all file sizes are listed in hex. That's why
"Old man yells at systemd"
Several from here
`Democracy and socialism have nothing in common but one word, equality. But notice the difference: while democracy seeks equality in liberty, socialism seeks equality in restraint and servitude.' Hmmm. So in AdeT's view, restricting Gummint to OSS is socialist, but OSS itself is democratic in nature?
He has a word for Microsoft as well: `Nothing is quite so wretchedly corrupt as an aristocracy which has lost its power but kept its wealth and which still has endless leisure to devote to nothing but banal enjoyments. All its great thoughts and passionate energy are things of the past, and nothing but a host of petty, gnawing vices now cling to it like worms to a corpse.' (-:
Hmmm... no. If it's a tiny little bit, then after looking at how BillyBob did it in his GPL'd proggy, you figure out how to WRITE IT YOUR-FUCKING-SELF.
People are so goddamned lazy.
Oh and there's the alternative. "Hey BillyBob, we'll give you $5000 dollars if you release the code to us under an unrestricted license."
My personal favorite.
Black holes are where the Matrix raised SIGFPE
Too late. He died in 1859, got a Ouija board? (-:
Google, 0.27 seconds. Slack.
Purveyors of `hard' science like physics, geology and biology are as prone to opinionitis as anybody.
Whenever someone says `think tank' I always associate it with `drunk tank'. Not sure why, but it works reasonably well in practice. (-:
But if they choose to use Gecko to render HTML for a HUD, or use RTLinux as a platform for some embedded device, they should be all worried because we're going to get to see how the rest of the system works?
;)
News flash, we wouldn't even know about it to begin with. And if it were my software and I knew they were using it, I wouldn't care enough to pay a lawyer to push that issue. They're not making money off me, just safely landing planes.
And how would knowing that RTLinux is used for some control system help make it somehow less secure? If I knew that they were running Solaris I could find hacks to blow that door open. If they felt comfortable with choosing GPL over proprietary code somewhere, they obviously had a good reason. If they never intended to distribute the product, then they can keep secret any changes they made to make it hardened from evildoers and such. Where's the problem? At least they could make the changes to begin with. GPL doesn't restrict that.
Run a Linux or BSD box in bridge mode and it can be an invisible network link, monitoring or altering through traffic and the only external symptom is that it's slightly slower than a piece of wire.
I'm not sure how GPL would help a missile-tracking system, but Open Sourcing certain missile _guidance_ systems in the hope that your enemy adopted them would be a useful cold-war tactic. )-:
When I'm sitting on a large Airbus over many kilometers of thin air, it would cheer me to know that the code flying it had been `randomly' audited in an open source fashion in addition to the normal checks. It wouldn't be accessible to crackers (nobody would be twit enough to put an airliner's control systems anywhere near the internet), but finding a suitable platform to run it up on in your shed might be a hassle.
Like Microsoft. Open source one day, open protocol (like ODBC), and then the door slammed in your face another day. I never thought I'd be comparing MSFT to a woman.
Damn, I can't win! Mark this -1 for loser. :)
/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
When one of those first IIS worms hit (was it Code Red? It said "hacked by the chinese"), windowsupdate.microsoft.com was compromised. Upload a backdoored version of some critical updates, and voila! You've got yourself several thousand backdoored computers for you to further compromise.
Stop the brainwash
software != air. It's not like there's all this naturally growing software out there that Microsoft is trying to charge us to access... Jeez.
I read it like this:
information is like air
Information, like air, is all around us. Owned by no one. Free to be gathered and used by anyone who stumbles upon it. Arranging and organizing it does not mean that you own it. And that is what software is: merely a particular arrangement of information.
I don't make the rules. I just make fun of them.
Check Appendix 1 in the document (it's a graphic, so I can't post it here, but it's worth the trip)
Are you sure they're giving you the binary? Did they give you that nice monitor on your desk, or would you say it's still owned by the company?
The Wizard utters the word 'frobnoid!' and cackles gleefully
> Yes, if you're fighting for the enemy.
The point is, who gets to decide if you're fighting for the enemy? Is the mere accusation sufficient for revoking your constitutional rights?
No, the whole point of the constitutional guarantee of a trial by a jury of your peers is to keep the state from arbitrary acts of "justice". The jury acts as a buffer between the state and their accused peer.
Sheesh, evil *and* a jerk. -- Jade
I have nothing useful to contribute to this discussion
Today's Sesame Street was brought to you by the number e.
You thought you read 319 million. I checked it, it reads 319,000
"Communism is like having one [local] phone company " - Lenny Bruce