Those kind of attacks are extremely rare these days.
Really? I removed just such a link from a client's web site only a couple of months ago when their shared hosting provider was compromised. And having searched to find what the scripts that were added actually did, I found quite a few reports from other people who had had similar problems. It seems to still happen quite a bit.
Being given a big pile of code and being asked to maintain it with no test suite.
Each time you change it you could theoretically be breaking a ton of features. But there's no way to be sure.
I have an idea...write a test suite for it! Or no...perhaps that's too radical an idea.
How do you know which aspects of its behaviour are intentional and which are bugs? What if you miss a test for a corner case that isn't apparent from the documentation and/or source code?
Mandatory fields in addresses are a truly insidious form of evil. They screw everything up, because not all addresses have the same structure. I've seen address forms that have mandatory house number/name and street name fields (sure, I can fill those in for my parents' address, but you'll get them the wrong way round when you print them out and the delivery might never arrive). Here in the UK, one thing that really annoys me is mandatory county fields, which you see sometimes. Yes, we have counties, but they have officially not been part of our addresses for 15 years now. So why are you insisting I make my address incorrect so I can fill in your form? (For reference, I've lived in one of those locations where my actual county is different to the county my post town's delivery office is in, so putting the county I actually live in in my address was even more incorrect than not including a county at all. I don't think this situation is at all uncommon.)
Because the owner says so
I was expecting an answer from the owner's perspective.
In the original context, interviewing a candidate for a job, it would be highly unlikely the person in front of you is the owner.
Because providing our code to competitors could cause us to lose our competitive edge?
If your program is useful to a competitor, then perhaps the competitor's improvements to your program are useful to you.
Yes, but they would not be obliged to release those improvements (GPL requires release of source only when you distribute to a third party, and most business management software is never distributed to a third party), so it is unlikely that will help.
Better yet, if your program is useful to one of the clients or suppliers who has to interact with you, that could improve your ability to make money.
Most business software would only be useful to somebody in exactly the same line of business, so it is unlikely other users are people you would end up interacting with.
Because there's no point releasing code that wouldn't be useful to anyone other than us?
Then there's no risk in releasing it to anyone else either, is there?
No, but there is a cost (preparing the code, probably adding missing documentation, and certainly a little management and IT staff time organising the actual release) and if there's no benefit, why do it?
Does this break noscript functionality as well? That would be massively unappealing.
No. NoScript is a plug-in that refuses to load undesirable JavaScript references. They are stopped before they get into your browser.
The mechanism you describe wouldn't work against inline javascript, so I must conclude that this is not how NoScript actually works.
Well, if the JS is just manipulating the DOM (as is the most common case) it should be as good or bad as the average web page.
Depends. A lot of sites seem to get built these days that assume the user has a way to trigger onmouseover events. This isn't necessarily true.
Are there still security issues with having JS enabled?
Javascript is used by most malware installation systems. The typical route is that a trustworthy hacked site is modified to include a <script> tag with its source on the malware hosting domain. The resulting script will then use some mechanism to attempt to install malware, either simply dropping an executable download on the visitor and hoping they run it, or attempting to exploit either a browser or a browser plugin bug. Turn off javascript, and the exploit is never downloaded, so can't run.
There are also direct browser attacks that would require javascript to function, e.g. http://www.mozilla.org/security/announce/2013/mfsa2013-53.html or http://www.mozilla.org/security/announce/2013/mfsa2013-46.html (to pick a couple from the last month or two).
So, yes, your system is still less secure if you have JS enabled than if you don't.
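The comments above describe the usual delivery route (a compromised, otherwise trustworthy site gets a `<script>` tag pointing at a third-party host) and the difference between external and inline scripts that matters for a blocker. The following is an added example, not code from the original thread: a small audit script that a site owner can run over their own served HTML to list every script, flagging ones loaded from hosts outside an allowlist and inline ones, which is the kind of check that would have spotted the injected link mentioned earlier. The sample page and all host names in it are constructed for the example (`.invalid` is a reserved TLD), and the allowlist parameter is an assumption of this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (not from any real site): one first-party script,
# one script pulled from a hypothetical third-party host, and one inline script.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.unexpected-host.invalid/x.js"></script>
</head><body>
<script>document.write('<iframe src="https://frame.invalid/f"></iframe>');</script>
<p>Hello</p>
</body></html>
"""


class ScriptAuditor(HTMLParser):
    """Collect every <script> on a page and classify it as same-origin,
    allowed-external, unexpected-external or inline."""

    def __init__(self, site_host, allowed_hosts=()):
        super().__init__()
        # Hosts we expect scripts to come from: our own site plus any CDN we use.
        self.allowed = {site_host.lower(), *(h.lower() for h in allowed_hosts)}
        self.findings = []
        self._in_script = False
        self._inline_buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src is None:
            # No src attribute: this is an inline script, capture its body.
            self._in_script = True
            self._inline_buf = []
            return
        # urlparse handles absolute, protocol-relative ("//host/x.js") and
        # relative URLs; a relative URL has an empty netloc.
        host = urlparse(src).netloc.lower()
        if host == "":
            kind = "same-origin"
        elif host in self.allowed:
            kind = "allowed-external"
        else:
            kind = "unexpected-external"
        self.findings.append({"kind": kind, "src": src})

    def handle_data(self, data):
        # html.parser delivers <script> bodies as raw data, so this collects
        # the inline JavaScript verbatim.
        if self._in_script:
            self._inline_buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._inline_buf).strip()
            self.findings.append({"kind": "inline", "src": None, "snippet": body[:60]})


def audit_scripts(html, site_host, allowed_hosts=()):
    """Return a list of findings, one per <script> tag, in document order."""
    parser = ScriptAuditor(site_host, allowed_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings


def suspicious(findings):
    """Findings worth a human look: scripts from unlisted hosts and inline code."""
    return [f for f in findings if f["kind"] in ("unexpected-external", "inline")]


if __name__ == "__main__":
    for f in suspicious(audit_scripts(SAMPLE_HTML, "www.example.com")):
        print(f)
```

Running this against a page fetched from the live site (rather than the source in the repository) is the useful comparison, since an injected tag added by a compromised host shows up only in what is actually served; any `unexpected-external` entry is a host to investigate, and inline entries are the ones a blocker that only filters external references would not stop.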
The HUGE difference there is that Apache doesn't have code copy-pasted from the kernel.
Themes generally have a lot of code, in some cases most of their code, copied directly from the default theme. That means the theme, the entire theme, is under the GPL.
Well, sure. But not *all* of them.
In a more borderline case, say a small extension that doesn't use any code copied directly from the original project, there is a simple test for "derivative work". You said "Linux build" of Apache. The same source will build and run on FreeBSD or Mac OSX. That strongly suggests it's an independent work from the Linux kernel. On the other hand, a WordPress plugin can only run as part of WordPress. You can't compile a WordPress plugin for VBulletin instead. Therefore it's not separate and independent from WordPress.
Ok, but that leaves a few problems. The various binary-only hardware drivers for Linux will only compile and run on a Linux kernel. Are you saying, therefore, that these can't be distributed with Linux without violating the GPL?
Come on, the last Star Wars film was decent.
You're right. The Return of the Jedi was a decent film. Not up to Empire Strikes Back standards, but with Lucas writing rather than Leigh Brackett, what do you expect?
> a distributor can distribute something that is "the work" alongside (and potentially intermingled with) something that isn't "the work" without causing the two to become mixed
I'm not sure how you can have it "intermingled with" but not "mixed", but let's pretend that sentence somehow makes sense.
You pointed to the aggregation clause. You looked at the second half of the sentence, how about the first half of the sentence you point to:
> A compilation of a covered work with other separate and independent works, which are not by their nature extensions of the covered work,
> and which are not combined with it...
So that applies to "separate and independent works" which are NOT extensions of the original work.
So would that apply to the stuff on http://extensions.joomla.org/ ? Interesting URL, isn't that? Your argument can make sense only if you claim that Joomla extensions aren't extensions of Joomla.
"Mere aggregation" is when two SEPARATE works such as Apache and Firefox are burned to the same disk.
The lines are more blurred than you suggest. What about, say, the Linux kernel and Apache? The latter makes use of the services provided by the former, in much the same way that a plugin for a web application uses services provided by that application, but does that mean Linux builds of it can only be distributed under the terms of the GPL? Most people seem to assume otherwise, and I fail to see the practical distinction between the two cases discussed here.
Some of us are working for startups that demand 80 hours a week of our time and don't have any time left for personal projects.
Is there a reason why the entire stack of line-of-business code created for this startup has to consist entirely of "non-open-source projects"?
Because the owner says so, and I don't have enough influence to convince him otherwise?
Because providing our code to competitors could cause us to lose our competitive edge?
Because there's no point releasing code that wouldn't be useful to anyone other than us?
There are a whole stack of reasons for not open-sourcing business code, which is why 99%+ of businesses never do it.
You clearly haven't learned media-science-speak, in which "fossil" means "any remnants of something that lived more than a handful of thousands of years ago, no matter how it has been preserved".
It applies to derivative works, in the true legal sense of the term "derivative work."
It *also* applies to anything that is combined with GPL code to form "a larger program". This could be interpreted as anything linked (and in GPLv2 this was explicit; GPLv3 is [presumably intentionally] more ambiguous, e.g. to cover interpreted or run-time linked programs).
You're missing the effect of the "mere aggregation" clause (the paragraph after 5(d) in GPLv3), which means a distributor can distribute something that is "the work" alongside (and potentially intermingled with) something that isn't "the work" without causing the two to become mixed and without requiring their additional content to be GPL-licensed. The GPL only requires the two to be considered the same work if one is actually derivative of the other. It would be pretty hard to argue that CSS or images are derivative of the original code, IMHO. Javascript less so, but still tricky and could go either way. The question is do they combine to form "a larger program", or are they independent programs communicating over an open channel. The latter is a pretty convincing explanation, so they would be considered an aggregate rather than a single work by the GPL, IMO.
(This is not legal advice. Consult a qualified expert rather than rely on this.)
You have to not only recover it, but to read it as well. And the fine article from the post indicates they were able to actually conduct genetic analysis on it. That pulls the maximum viability date in quite a bit.
Which is why the article you cited goes on to state "[t]he DNA would cease to be readable much earlier — perhaps after roughly 1.5 million years, when the remaining strands would be too short to give meaningful information." Given that 1.5Myear figure, why is 700Kyear surprising? It's not like they're expecting a technological breakthrough to make that 1.5My figure possible: we can already sequence pretty-much any single DNA strand we want, and reconstruction from short fragments is also an existing and thoroughly-developed technology.
Technology has always advanced in fits and starts. That enthusiasm for a particular field has waned and our achievements in it have regressed does not mean it will not begin advancing again.
But 22 light years is pretty close in galactic terms.
You made a huge boob in your post.
A Freudian nipple-slip, I suspect.
AIUI, in some states non-profits don't have to pay towards unemployment benefits for an employee as long as the employee continues working for them. If they have good staff retention, this can turn out to be a huge saving.
Because Social Security wasn't money I earned, taken against my will from my paycheck, to be given back to me later.
So you'll stop claiming when they've paid you as much as you've paid in, right?
This is true. There is no other language which enables programs written in COBOL to run.
Then understand that people who do find time to do those things will stand out more than you.
So I'm being penalized for working an 80 hour week for my current employer?
Is that really a sensible hiring policy?
It's possibly a little late to be cagey about which well-known tech company you work for, as their identity is clearly visible in your posting history.
Which perhaps has a bit of a lesson to teach about managing online identities...
Which is a bit narrow-minded. I've done probably 30 hours' worth of coding in my free time last week, but none of it's in GitHub, and never will be.
This.
Some of us are working on non-open-source projects, because we have ideas we think might be profitable.
Some of us are working on projects that may become open source but don't want to publish until they're ready for end users (which could, in many cases, take years).
Some of us are working for startups that demand 80 hours a week of our time and don't have any time left for personal projects.
Not everyone can be judged by the same metrics.
Exactly. Facebook and Twitter are not the "online presence" in which IT employers are interested. GitHub, Ohloh, commits to free software projects, mailing lists etc. - that's the "online presence" you should care about. You'll for sure have a good impression of someone if you put his name in Google and then immediately see commits to various VCS repositories. That's also some kind of proof of his skills.
Yeah, but so are the references from his previous employer. I know I for one *used* to contribute to free software on a regular basis, but these days rarely seem to find time. You'll find my name on mailing lists making suggestions, filing bug reports, and so on, but you probably won't see more than a handful of commits by me since long before github existed. Possibly even before git existed. That doesn't mean I haven't been doing work in a very wide variety of fields with a lot of different technologies. It's only by reading my CV and following up my references that you'd find out about that work, though. Or you could ask me in interview.
It's also not clear why an agreement signed by any nation would be binding on an individual who would (if they happened to be a citizen of such a nation) be free to change their nationality to that of a non-signatory (and I don't think you'd be hard pressed to find a non-signatory that would be happy to welcome the citizenship of somebody who owned a significant portion of a celestial body).