Date: Wed, 27 Aug 2014 17:52:30 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: Open Source only?

On 27/08/14 05:04 PM, Solar Designer wrote:
> Hi,
>
> I've just rejected a posting giving the following reason:
>
> Message lacks Subject, and the software appears to be non-Open Source:
> partial(?) source code is available, but under a EULA that doesn't
> appear to meet the OSI definition.
>
> The message was CC'ed to full-disclosure, so it will probably appear
> there.
>
> While a message lacking Subject is a technicality, which the sender may
> address (and resend the message), the issue of software that comes with
> source code, but isn't under an Open Source license, is one we might want
> to decide on, if we haven't already (I think we have, which is why I
> mentioned it as one of two reasons to reject that posting). Also, it
> may at times be tricky (and unreliable and time-consuming) for list
> moderators to determine whether a license is Open Source or not, as well
> as whether the software is possibly dual-licensed. Should we perhaps
> err on the side of approving postings whenever in doubt?

Simple: If we go with Open Source only, then "is the code available under
an approved license?"

http://opensource.org/licenses

Obviously if there needs to be an exception (e.g. a closed-source/poorly
licensed source interacts significantly with something Open Source), it
might be worth discussing.

The other aspect of this: in my experience the majority of closed-source
vendors just don't care about security. So discussing it, especially
without their input/even being aware of it, is quite pointless.

> Alexander

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

[ CONTENT OF TYPE application/pgp-signature SKIPPED ]