[Discuss] free/open licenses could discourage participation just because they're unusual

Jordan Miller jrdnmlr at gmail.com
Tue May 6 13:47:11 UTC 2014


AFAIK, Heartbleed didn't happen due to lack of code review or lazy or
scared developers; it happened because no one ever paid the $100k for a
total code audit. A professional total code audit can be contracted by
anyone no matter what license is chosen. But no large company ever sprang
for this "cost".

Jordan


On Tuesday, May 6, 2014, J. Simmons <jrs at mach30.org> wrote:

> That is very interesting, Alicia.  I think I remember reading the results
> of that survey, but I had forgotten that part.  I wonder what a similar
> question in the open source software community would reveal.  And I wonder
> if the Creative Commons approach on their website of explaining their
> licenses leads to wider adoption because of greater understanding.
>
> Thanks,
>
>  -J
>
>
> On Tue, May 6, 2014 at 12:00 AM, alicia <amgibb at gmail.com> wrote:
>
> To the original question whether we have any data on this topic, we have
> some data that is slightly tangential but interesting to the conversation.
> When we asked the OSHW community in a survey (2013 & 2012), nearly half the
> people did not use any type of open license with their files. When asked
> why, the main response was that the licenses were too difficult for a
> non-lawyer to understand.
>
> Alicia
>
>
> On Mon, May 5, 2014 at 11:52 AM, Mario Gómez <mxgxw.alpha at gmail.com> wrote:
>
> I don't completely agree with that... We are talking about a widely used
> piece of software, not an obscure project that no one knew.
>
> If the licensing could have been an important factor, then not many people
> would have been using it in the first place. I mean, it's like saying that
> you don't want to collaborate on the development because of the licensing
> used, but at the same time you fully agree to incorporate it in your software
> or use software that incorporates it. That doesn't make a lot of sense.
>
> As JS said in his reply, this problem could have many layers of
> causation, but I don't agree that the licensing could be the main reason.
>
> However, as many of you already said, there are practically no reasons to
> create a new license when you have a pretty well defined catalog of
> different "approved" licenses that could be used in different contexts.
> Also, I fully agree that using a custom license just because you want to
> be "different" is a really bad practice.
>
> For me, it appears that Heartbleed is the result of the conjunction of
> several bad practices that could happen in any Open Source (or even
> closed-source) software.
>
> 1-A small (under-funded?) team working on a critical software application.
> This is not bad, as the team knows their own limitations. I mean, no one
> cared seriously about funding OpenSSL until a dangerous vulnerability was
> found; now all the "big players" (even Microsoft) want to fund them.
>
> 2-Ignoring expert technical advice about security issues in the code. This
> was evidenced by the feedback provided by the OpenBSD team over several
> vulnerabilities in the code that was ignored in favor of performance
> optimizations.
>
> 3-Failing to implement strong peer-review and code auditing
> methodologies to spot security flaws early. As I understand it, there was
> only one review of the commit that generated the Heartbleed bug. How is it
> possible that a critical piece of source code was reviewed by only one
> person?
>
> Looking at those other issues, I fail to see how the decision made about
> the license used could have prevented any of that from happening. It's
> really possible that some developers were discouraged from participating,
> but the people that really cared (the OpenBSD team) participated in trying
> to fix many bugs before Heartbleed came, and none of them has said that the
> license prevented them from participating in the development.
>
> I would say, about licenses, that the problem is not the license used,
> but the fact that many of the developers don't care about the
> license of the software... The lawyers in corporate environments are the
> ones that care (as Chris exemplified with his experience)... just look at
> the statistics of GitHub: 50% of the repositories hosted there don't
> even specify a license, and that doesn't prevent many developers from
> participating in them.
>
> Regards,
> Mario.
>
>
>
>
>
> On Fri, May 2, 2014 at 10:00 AM, Chris Sigman <cypris87 at gmail.com> wrote:
>
> I had a client once that wouldn't let us use any OSS, even though before
> licenses it would save 250K, all because his lawyer didn't feel there was
> enough legal precedent around the licenses. Not quite the same, but it
> illustrates the conservatism of some people related to licensing.
>
> Chris
>
> --
> J. Simmons, President
> Mach 30: Foundation for Space Development
> http://mach30.org
>  <https://www.facebook.com/Mach30>  <http://twitter.com/mach_30> <https://plus.google.com/u/0/b/104373960473278544446/104373960473278544446/posts>
>
> *~ ad astra per civitatem ~* to the stars through community
>