Date: Sun, 28 Apr 2013 16:34:38 -0500
From: Rob Landley <rob@...dley.net>
To: musl@...ts.openwall.com
Cc: musl@...ts.openwall.com
Subject: Licensing.

On 04/26/2013 01:11:07 AM, Igmar Palsenberg wrote:
> >>> incompatible licenses. The openssl library can't be used with a GNU
> >>> program unless there's a waiver for it because one of the clauses in the
> >>> openssl license goes against the GNU license principles. The gnutls
> >> Not _used_ but _distributed_. The GPL does not restrict use ...
>
> What about explicitly loading the library at run-time using
> uselib(2) in a plug-in like fashion? Is that also considered
> problematic from a GNU perspective?
>
> I consider this a grey area. I personally don't think it is
> considered a problem,
> but there are a number of interesting (theoretical) scenarios:

Um, back up: You know how cryptographers point and laugh at non-cryptographers trying to figure out whether something's breakable? You know how professional security auditors find most programmers' code appallingly insecure, and the best of us have to put out regular updates to fix exploits that we didn't personally find?

Now imagine what lawyers think of programmers' legal theories.

To write secure code you need a deep understanding of your operating system. To license code securely, you have to understand your legal jurisdiction. It's fundamentally not enough to know what the code/license says in isolation.

Programming-side example: the /tmp dir has the sticky bit set so other users running inotify to spot new files being created don't immediately delete them and replace them with a symlink, so your mknod/open pair is now accessing the wrong file. What your code is doing worked fine, but the context it was running in made it insecure.

Now imagine telling a lawyer that your license usage is unexploitable in all jurisdictions, and you know this because you read the license text and you're sure you're using it ok.

(The best a lawyer or security professional can EVER say is "I can't spot where you screwed up".)

Imagine that GPLv2 code has to run as root, so as soon as part of your project is running as root you might as well treat the whole thing like it is from a security standpoint. Your question above about mixing GPL and non-GPL code is like asking "when is it safe to set the sudo bit on this binary while leaving the rest non-root". Suddenly you need to know a LOT more about your system's configuration and permissions and use cases, and the problematic parts are written in a language (legalese) that you don't code in, and the correct answer varies by distro.

If GPLv2 is where everything is root, then you just don't mix untrusted code in with that, period. GPLv3 has to run as Windows Administrator, an incompatible type of root you can't mix with what GPLv2 needs (unless you write dual-mode code full of #ifdefs from day one). Other licenses are like other userids, each with its own security connotations when you have to run code _as_ them and not you; again, it's the mixing in the same program that's most problematic.

BSD/MIT/PD code requests no special permissions; legally speaking it runs as your login user. It can run as anything else you need it to, but doesn't _require_ it. It is not itself opening that can of worms.

It's not a perfect analogy, but it should get the "here there be dragons" aspect across. Viral and non-viral licensing can each be made to work. Mixing them while keeping them distinct is a MINEFIELD, and coming to a local consensus with non-experts doesn't help.

Rob

P.S. Trolls are the legal equivalent of script kiddies, trying to figure out where to hit a company to make money come out. Patent trolls, copyright trolls, trademark trolls, contract trolls... we've even seen trade secret trolling against DeCSS and such. Somebody who comes along with an obscure legal interpretation and sends you a "pay us now or we'll cost you $50,000 and several months of your life defending yourself in court EVEN IF YOU WIN, so give us $20k to go away" letter. The fact people have started doing this on behalf of the GPL is one of the things that turned me against that license.

P.P.S. I could explain how the real legal issue you were trying to tackle above is whether or not something can be considered a "derived work" under copyright law of the virally licensed external material, but this would be like me explaining cryptography or security to you. It's not the same as an audit for any specific usage for exploitability, AND I'm not the domain expert you'd need to do that audit anyway. I know enough to know I _don't_ know enough to reliably answer this question.