Date: Wed, 27 Aug 2014 17:52:30 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: Open Source only?

On 27/08/14 05:04 PM, Solar Designer wrote:
> Hi,
> 
> I've just rejected a posting giving the following reason:
> 
> Message lacks Subject, and the software appears to be non Open Source:
> partial(?) source code is available, but under a EULA that doesn't
> appear to meet OSI definition.
> 
> The message was CC'ed to full-disclosure, so it will probably appear
> there.
> 
> While message lacking Subject is a technicality, which the sender may
> address (and resend the message), the issue of software that comes with
> source code, but isn't under an Open Source license is one we might want
> to decide on, if we haven't already (I think we have, which is why I
> mentioned it as one of two reasons to reject that posting).  Also, it
> may at times be tricky (and unreliable and time-consuming) for list
> moderators to determine whether a license is Open Source or not, as well
> as whether the software is possibly dual-licensed.  Should we perhaps
> err on the side of approving postings whenever in doubt?

Simple: If we go with Open Source only then "is the code available under
an approved license"?

http://opensource.org/licenses

Obviously if there needs to be an exception (e.g. a closed source/poorly
licensed source interacts significantly with something Open Source) it
might be worth discussing.

The other aspect of this: in my experience the majority of closed source
vendors just don't care about security. So discussing it, especially
without their input/even being aware of it is quite pointless.

> Alexander

-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

