Date: Thu, 28 Aug 2014 03:04:02 +0400 From: Solar Designer <solar@...nwall.com> To: oss-security@...ts.openwall.com Subject: Open Source only? Hi, I've just rejected a posting giving the following reason: Message lacks Subject, and the software appears to be non Open Source: partial(?) source code is available, but under a EULA that doesn't appear to meet OSI definition. The message was CC'ed to full-disclosure, so it will probably appear there. While message lacking Subject is a technicality, which the sender may address (and resend the message), the issue of software that comes with source code, but isn't under an Open Source license is one we might want to decide on, if we haven't already (I think we have, which is why I mentioned it as one of two reasons to reject that posting). Also, it may at times be tricky (and unreliable and time-consuming) for list moderators to determine whether a license is Open Source or not, as well as whether the software is possibly dual-licensed. Should we perhaps err on the side of approving postings whenever in doubt? Here's a relevant example, where the decision was not to proceed to discuss the issue on oss-security as soon as it was pointed out that the product in question wasn't Open Source: http://www.openwall.com/lists/oss-security/2012/03/08/3 I now tried to find a counter-example, where a non Open Source issue was actually discussed on oss-security with no one objecting to that, and I could not. The closest I found are some interactions between behavior of non-OSS and OSS, e.g. Tavis' posting on vmware-tools vs. dash, which is clearly appropriate for oss-security due to dash: http://www.openwall.com/lists/oss-security/2013/08/22/12 I think this falls in the same category too (so is appropriate): "[OSSA 2014-017] Nova VMWare driver leaks rescued images (CVE-2014-2573)" http://www.openwall.com/lists/oss-security/2014/05/29/14 Maybe such a counter-example already exists somewhere in the list archives, but anyhow what do we want our policy on this to be going forward? Alexander
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ