Date: Thu, 28 Aug 2014 03:04:02 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Open Source only?

Hi,

I've just rejected a posting giving the following reason:

Message lacks Subject, and the software appears to be non Open Source:
partial(?) source code is available, but under a EULA that doesn't
appear to meet OSI definition.

The message was CC'ed to full-disclosure, so it will probably appear
there.

While a message lacking a Subject is a technicality, which the sender may
address (and resend the message), the issue of software that comes with
source code, but isn't under an Open Source license is one we might want
to decide on, if we haven't already (I think we have, which is why I
mentioned it as one of two reasons to reject that posting).  Also, it
may at times be tricky (and unreliable and time-consuming) for list
moderators to determine whether a license is Open Source or not, as well
as whether the software is possibly dual-licensed.  Should we perhaps
err on the side of approving postings whenever in doubt?

Here's a relevant example, where the decision was not to proceed to
discuss the issue on oss-security as soon as it was pointed out that the
product in question wasn't Open Source:

http://www.openwall.com/lists/oss-security/2012/03/08/3

I now tried to find a counter-example, where a non Open Source issue
was actually discussed on oss-security with no one objecting to that,
and I could not.  The closest I found are some interactions between
behavior of non-OSS and OSS, e.g. Tavis' posting on vmware-tools vs.
dash, which is clearly appropriate for oss-security due to dash:

http://www.openwall.com/lists/oss-security/2013/08/22/12

I think this falls in the same category too (so is appropriate):

"[OSSA 2014-017] Nova VMWare driver leaks rescued images (CVE-2014-2573)"
http://www.openwall.com/lists/oss-security/2014/05/29/14

Maybe such a counter-example already exists somewhere in the list
archives, but anyhow what do we want our policy on this to be going
forward?

Alexander
