Re: Open Source only?

[Joe MacDonald <Joe_MacDonald () mentor com>]

[Re: [oss-security] Open Source only?] On 14.08.27 (Wed 17:52) Kurt Seifried wrote:

> On 27/08/14 05:04 PM, Solar Designer wrote:
> > Hi,
> >
> > I've just rejected a posting giving the following reason:
> >
> > Message lacks Subject, and the software appears to be non Open Source:
> > partial(?) source code is available, but under a EULA that doesn't
> > appear to meet OSI definition.
> >
> > The message was CC'ed to full-disclosure, so it will probably appear
> > there.
> >
> > While message lacking Subject is a technicality, which the sender may
> > address (and resend the message), the issue of software that comes with
> > source code, but isn't under an Open Source license is one we might want
> > to decide on, if we haven't already (I think we have, which is why I
> > mentioned it as one of two reasons to reject that posting).  Also, it
> > may at times be tricky (and unreliable and time-consuming) for list
> > moderators to determine whether a license is Open Source or not, as well
> > as whether the software is possibly dual-licensed.  Should we perhaps
> > err on the side of approving postings whenever in doubt?
>
> Simple: If we go with Open Source only then "is the code available under
> an approved license"?
>
> http://opensource.org/licenses

It's been my experience working with Open Source projects that as others
have said, there are a lot of licenses that don't quite match an OSI
or FSF approved license but are very close and would reasonably warrant
the software being discussed here.  But the "or something close" is kind
of the current state of affairs which puts the onus on the moderators,
which isn't ideal.

I'd be inclined to suggest that the moderators use their own judgement
without worrying too much about list look-ups and feel free to err on
the side of letting through too much rather than too little and members
are free to ask a topic be taken off-list, citing either the above (or
SPDX or the FSF list, if they like, though honestly I think the FSF goes
a bit far in their definition of non-free, I think PERL is perfectly
fair game for this list) as the reason why it isn't relevant.

Or, of course, as below.  Because you're perfectly correct, lots of
closed-source vendors either don't care or don't want their errors
discussed openly.  Either has no place here, Full Disclosure is a
perfectly fine venue for that.

Just my thoughts.

-J.

> Obviously if there needs to be an exception (e.g. a closed source/poorly
> licensed source interacts significantly with something Open Source it
> might be worth discussing).
>
> The other aspect of this: in my experience the majority of closed source
> vendors just don't care about security. So discussing it, especially
> without their input/even being aware of it is quite pointless.
>
> > Alexander
-- 
-Joe MacDonald.
:wq

Attachment: signature.asc
Description: Digital signature