[nycbug-talk] gpl on /.

Marc Spitzer mspitzer
Mon Oct 3 04:48:55 EDT 2005


On 10/3/05, Chris Clymer <cclymer at gmail.com> wrote:
> Are you actually arguing that software is more secure if its
> closed-source?  I thought that history had done a pretty good job of
> disproving this.

No. There are different trade-offs in this:

open source: Everyone can read the code; this includes bad people, who
can use the code of the application to craft exploits, and submit
patches.

closed source: No one, in general, can read the source; this includes
bad people, who can *not* read the code to craft exploits, so they can
not submit patches.

It cuts both ways, especially when damn near all end users are not
capable of submitting a patch or even reading code.

I think it is 6 of 1 and 1/2 dozen of another.  Now, the difference is
in how specific projects/companies handle the issue.  Some companies
suck at this, as do some projects.

What I think makes the difference is if you engage in good engineering
practices, for example:

bad:  We will write code that will not have any bugs

good: we will try to write code with no bugs in it, but we are not
always that good so we will design the application in such a way that
a compromise is not going to cause much of a problem

bad: big honkin' monolithic process that is full of very complex logic
and runs as root

good: lots of separate unprivileged processes that each do one thing
and, unless absolutely necessary, do not run as root

I could go on with lots of others but I think you get my idea.

Now one of the big problems is that people buy shit, so companies are
in the business of selling it to them.  Now if you look at one area
where people generally do not buy/use shit, enterprise DBs, you will
not see the problem as much; word gets around when "the db ate my
business".

>
> That said, this stuff about the GPL3 is definitely interesting.  What if I
> have a db.inc file in my web app full of sensitive information?  Can I
> put just that file under a different license?  It's still PHP code that's
> part of the same app...

From what I understood, no: it is linked to the GPL3 parts, so it must be
downloaded.  And it makes no difference what licence you put it under;
it is hit by the viral clause. It's not your choice once you use GPLed
code.

Also please do not top post, it makes things hard to follow.

marc


--
"We trained very hard, but it seemed that every time we were beginning to
form into teams we would be reorganized. I was to learn later in life that
we tend to meet any new situation by reorganizing, and a wonderful method it
can be for creating the illusion of progress, while producing confusion,
inefficiency and demoralization."
-Gaius Petronius, 1st Century AD
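An added illustration of the "lots of separate unprivileged processes" design Marc argues for above, not code from this thread: a privileged parent forks a worker that permanently drops to an unprivileged uid/gid before doing any work, and checks that the drop actually stuck. Assumes a POSIX/Linux system; the uid/gid values are whatever the caller passes in.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Drop to uid/gid permanently. Order matters: supplementary groups first
 * (only possible while root), then gid, then uid, because once the uid is
 * unprivileged the gid can no longer be changed. Returns 0 on success. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Trust nothing: confirm real and effective ids actually changed. */
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

/* 1 if the process can no longer regain root, 0 if setuid(0) still works. */
int privileges_dropped(void)
{
    if (setuid(0) == 0)
        return 0;   /* re-escalation worked: the drop did not stick */
    return errno == EPERM;
}

/* The separated shape: fork a worker, drop it to uid/gid, run work() there.
 * Returns work()'s exit code (0-126), or -1 if the fork or the drop failed. */
int run_unprivileged(uid_t uid, gid_t gid, int (*work)(void))
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_privileges(uid, gid) != 0)
            _exit(127);   /* never do the work with more privilege than planned */
        _exit(work() & 0x7f);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) == 127)
        return -1;
    return WEXITSTATUS(status);
}

/* Constructed work item: 0 if the worker really lost root, 1 otherwise. */
int check_worker(void) { return privileges_dropped() ? 0 : 1; }
```

The worker exits with 127 if the drop fails, so the parent never mistakes "still privileged" for a successful run.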
