<div dir="ltr"><div>Hello all,<br><br>You'll also have to consider that, in general, for crypto libraries the culture behind their development is "Don't roll your own implementations... Ever!"<br><br></div>
<div>Why? Because the cost of introducing a bug on a crypto library could be higher than just use something that everybody(or almost everybody) agreed that was working fine and then blame another person if something goes wrong.<br>
</div><br><div>The OpenSSL library was widely used and many people tought that it just worked well. So... What kind of incentives the developers could have to participate on the review/validation of a source code implementation that apparently worked OK for many years? Even code analysis tools failed to identify a problem with the sourcecode.<br>
<br></div><div>I think that trying to attribute the problem on the license that was used just miss the whole picture. And the bigges problem was that the development team behind OpenSSL didn't were diligent enough to try to peer-review their code considering that it was used for critical tasks (even when the people from OpenBSD told them about technical problems in their source-code).<br>
<br></div><div>This could have happened to any project independently of the license used. If the license was a problem then the people from OpenBSD wouldn't have started with the LibreSSL proyect that aims to correct the problems with OpenSSL using the same code-base.<br>
<br>But is a lesson for the whole open source community that, for critical applications, it's necessary to implement code-review methodologies that guarantee that the code is reviewed by a group of experts before going into production. (I think that's the way that the OpenBSD people works with their software).<br>
</div><div><br></div>Regards,<br>Mario.<br><div><div><br></div></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, May 2, 2014 at 10:00 AM, J. Simmons <span dir="ltr"><<a href="mailto:jrs@mach30.org" target="_blank">jrs@mach30.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Matt,<div><br></div><div>I don't have any hard data, but I do have some thoughts on this topic. My experience as an observer of (and occasional contributor to) open source software is that licenses very much matter (both well known ones and one-off licenses). Just look at the flame wars about licenses and the corporate level decisions that happen (at places like Redhat or Apache) to be a "insert license here" shop. I think people can feel so strongly about licenses because they are a manifestation of values (if you are a proponent of "share alike" then "attribution only" would be a mere shadow of "true licenses"). And nothing gets people worked up faster than a disagreement over values.</div>
<div><br></div><div>It would not surprise me at all if reactions are magnified for less well known licenses (after all they either require potential contributors to read and understand a new license, take it on faith that the license matches their values, or just skip the project entirely). Note, I have seen other commentary from OpenBSD that points to technical concerns in OpenSSL's default error handling, so in this case, the real story behind the event is probably very complicated and has many layers of causation.</div>
<div><br></div><div>One final thought, this business about licenses manifesting personal and corporate values is one of the reasons why I think it is important to develop a range of OSHW licenses that are sanctioned as being compatible with the OSHW definition and cover the range of values we see in software licenses (GPL-like, LGPL-like, Apache/BSD-like, etc). And it is why I think it is essential for projects to declare their license choice(s) in plain site on their project pages so new users and contributors can see the project's values when they first visit the project.</div>
<div><br></div><div>Thanks for posting the link,</div><div><br></div><div> -J</div></div><div class="gmail_extra"><br><br><div class="gmail_quote"><div><div class="h5">On Fri, May 2, 2014 at 11:19 AM, Matt Maier <span dir="ltr"><<a href="mailto:blueback09@gmail.com" target="_blank">blueback09@gmail.com</a>></span> wrote:<br>
</div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="h5"><div dir="ltr"><a href="http://www.infoworld.com/d/open-source-software/heartbleed-postmortem-openssls-license-discouraged-scrutiny-241781" target="_blank">http://www.infoworld.com/d/open-source-software/heartbleed-postmortem-openssls-license-discouraged-scrutiny-241781</a><br>
<div><br></div><div>An interesting theory about why OpenSSL got so little development help is that it has a custom license which is incompatible with standard FLOSS licenses.</div><div><br></div><div>"<span style="line-height:20.399999618530273px;font-size:12px;font-family:'Lucida Grande',Arial,sans-serif"><i>Developers would rather not deal with these issues; as such, they use the code as-is and do the least necessary to comply with the license</i>"</span></div>
<div><span style="line-height:20.399999618530273px;font-size:12px;font-family:'Lucida Grande',Arial,sans-serif"><br></span></div><div><span style="line-height:20.399999618530273px;font-size:12px;font-family:'Lucida Grande',Arial,sans-serif">Does anybody know if there is data to support this theory? Do a significant number of developers shy away from projects just because they're unfamiliar with, or annoyed by, a slightly off-of-center license? </span></div>
<span><font color="#888888">
<div><span style="line-height:20.399999618530273px;font-size:12px;font-family:'Lucida Grande',Arial,sans-serif"><br></span></div><div><span style="line-height:20.399999618530273px;font-size:12px;font-family:'Lucida Grande',Arial,sans-serif">-Matt</span></div>
</font></span></div></div></div><span class="HOEnZb"><font color="#888888"><span><font color="#888888">
<p></p>
-- <br>
You received this message because you are subscribed to the Google Groups "Open Source Spaceflight Export Control" group.<br>
To unsubscribe from this group and stop receiving emails from it, send an email to <a href="mailto:oss-export-control+unsubscribe@googlegroups.com" target="_blank">oss-export-control+unsubscribe@googlegroups.com</a>.<br>
For more options, visit <a href="https://groups.google.com/d/optout" target="_blank">https://groups.google.com/d/optout</a>.<br>
</font></span></font></span></blockquote></div><span class="HOEnZb"><font color="#888888"><br><br clear="all"><div><br></div>-- <br>J. Simmons, President <div>Mach 30: Foundation for Space Development<div><div><a href="http://mach30.org" target="_blank">http://mach30.org</a><br>
</div><div><div style="color:rgb(136,136,136);font-size:13px;font-family:arial,sans-serif"><div dir="ltr"><div style="text-align:left;padding:5px 0pt;font-size:13.3px"><a href="https://www.facebook.com/Mach30" style="color:blue;padding:0pt 2px;font-size:10pt" target="_blank"><img src="http://mach30online.files.wordpress.com/2012/07/facebook.png"></a> <a href="http://twitter.com/mach_30" style="color:rgb(17,85,204)" target="_blank"><img src="http://mach30online.files.wordpress.com/2012/07/twitter.png"></a> <a href="https://plus.google.com/u/0/b/104373960473278544446/104373960473278544446/posts" style="color:rgb(17,85,204)" target="_blank"><img src="http://mach30online.files.wordpress.com/2012/07/google-plus-new-16px.png"></a></div>
<div style="text-align:center;padding:5px 0pt;font-size:13.3px"><i style="color:rgb(0,0,0);font-family:arial;font-size:small;text-align:-webkit-auto">~ ad astra per civitatem ~<br></i><span style="color:rgb(0,0,0);font-family:arial;font-size:small;text-align:-webkit-auto">to the stars through community</span></div>
</div></div></div></div></div>
</font></span></div>
<br>_______________________________________________<br>
discuss mailing list<br>
<a href="mailto:discuss@lists.oshwa.org">discuss@lists.oshwa.org</a><br>
<a href="http://lists.oshwa.org/listinfo/discuss" target="_blank">http://lists.oshwa.org/listinfo/discuss</a><br>
<br></blockquote></div><br></div>