Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 28 Aug 2014 03:04:02 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Open Source only?

Hi,

I've just rejected a posting giving the following reason:

Message lacks Subject, and the software appears to be non Open Source:
partial(?) source code is available, but under a EULA that doesn't
appear to meet OSI definition.

The message was CC'ed to full-disclosure, so it will probably appear
there.

While message lacking Subject is a technicality, which the sender may
address (and resend the message), the issue of software that comes with
source code, but isn't under an Open Source license is one we might want
to decide on, if we haven't already (I think we have, which is why I
mentioned it as one of two reasons to reject that posting).  Also, it
may at times be tricky (and unreliable and time-consuming) for list
moderators to determine whether a license is Open Source or not, as well
as whether the software is possibly dual-licensed.  Should we perhaps
err on the side of approving postings whenever in doubt?

Here's a relevant example, where the decision was not to proceed to
discuss the issue on oss-security as soon as it was pointed out that the
product in question wasn't Open Source:

http://www.openwall.com/lists/oss-security/2012/03/08/3

I now tried to find a counter-example, where a non Open Source issue
was actually discussed on oss-security with no one objecting to that,
and I could not.  The closest I found are some interactions between
behavior of non-OSS and OSS, e.g. Tavis' posting on vmware-tools vs.
dash, which is clearly appropriate for oss-security due to dash:

http://www.openwall.com/lists/oss-security/2013/08/22/12

I think this falls in the same category too (so is appropriate):

"[OSSA 2014-017] Nova VMWare driver leaks rescued images (CVE-2014-2573)"
http://www.openwall.com/lists/oss-security/2014/05/29/14

Maybe such a counter-example already exists somewhere in the list
archives, but anyhow what do we want our policy on this to be going
forward?

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.