From: Rob Landley
Newsgroups: gmane.linux.lib.musl.general
Subject: Licensing.
Date: Sun, 28 Apr 2013 16:34:38 -0500
Message-ID: <1367184878.18069.171@driftwood>
References: <7DA8A203-CFF2-4559-AA2C-7CF38B5DD28E@palsenberg.com>
Reply-To: musl@lists.openwall.com
To: musl@lists.openwall.com
In-Reply-To: <7DA8A203-CFF2-4559-AA2C-7CF38B5DD28E@palsenberg.com> (from igmar@palsenberg.com on Fri Apr 26 01:11:07 2013)

On 04/26/2013 01:11:07 AM, Igmar Palsenberg wrote:
> 
> >>> incompatible licenses. The openssl library can't be used with a GNU
> >>> program unless there's a waiver for it because one of the clauses in the
> >>> openssl license goes against the GNU license principles. The gnutls
> >> Not _used_ but _distributed_. The GPL does not restrict use ...
> > What about explicitly loading the library at run-time using uselib(2) in a
> > plug-in like fashion? Is that also considered problematic from a GNU
> > perspective?
> 
> I consider this a grey area. I personally don't think it is considered a
> problem, but there are a number of interesting (theoretical) scenarios:

Um, back up:

You know how cryptographers point and laugh at non-cryptographers trying to 
figure out whether something's breakable?

You know how professional security auditors find most programmers' code 
appallingly insecure, and the best of us have to put out regular updates to 
fix exploits that we didn't personally find?

Now imagine what lawyers think of programmers' legal theories.

To write secure code you need a deep understanding of your operating system. 
To license code securely, you have to understand your legal jurisdiction. 
It's fundamentally not enough to know what the code/license says in 
isolation.

Programming-side example: the /tmp dir has the sticky bit set so other users 
running inotify to spot new files being created don't immediately delete 
them and replace them with a symlink, so your mknod/open pair is now 
accessing the wrong file. What your code is doing worked fine, but the 
context it was running in made it insecure. Now imagine telling a lawyer 
that your license usage is unexploitable in all jurisdictions, and you know 
this because you read the license text and you're sure you're using it ok. 
(The best a lawyer or security professional can EVER say is "I can't spot 
where you screwed up".)

Imagine that GPLv2 code has to run as root, so as soon as part of your 
project is running as root you might as well treat the whole thing like it 
is from a security standpoint. Your question above about mixing GPL and 
non-GPL code is like asking "when is it safe to set the sudo bit on this 
binary while leaving the rest non-root". Suddenly you need to know a LOT 
more about your system's configuration and permissions and use cases, and 
the problematic parts are written in a language (legalese) that you don't 
code in, and the correct answer varies by distro.

If GPLv2 is where everything is root, then you just don't mix untrusted code 
in with that, period. GPLv3 has to run as Windows Administrator, an 
incompatible type of root you can't mix with what GPLv2 needs (unless you 
write dual-mode code full of #ifdefs from day one). Other licenses are like 
other userids, each with its own security connotations when you have to run 
code _as_ them and not you; again, it's the mixing in the same program 
that's most problematic.

BSD/MIT/PD code requests no special permissions; legally speaking it runs as 
your login user. It can run as anything else you need it to, but doesn't 
_require_ it. It is not itself opening that can of worms.

It's not a perfect analogy, but it should get the "here there be dragons" 
aspect across. Viral and non-viral licensing can each be made to work. 
Mixing them while keeping them distinct is a MINEFIELD, and coming to a 
local consensus with non-experts doesn't help.

Rob

P.S. Trolls are the legal equivalent of script kiddies, trying to figure out 
where to hit a company to make money come out. Patent trolls, copyright 
trolls, trademark trolls, contract trolls... we've even seen trade secret 
trolling against DeCSS and such. Somebody who comes along with an obscure 
legal interpretation and sends you a "pay us now or we'll cost you $50,000 
and several months of your life defending yourself in court EVEN IF YOU WIN, 
so give us $20k to go away" letter. The fact people have started doing this 
on behalf of the GPL is one of the things that turned me against that 
license.

P.P.S. I could explain how the real legal issue you were trying to tackle 
above is whether or not something can be considered a "derived work" under 
copyright law of the virally licensed external material, but this would be 
like me explaining cryptography or security to you. It's not the same as an 
audit for any specific usage for exploitability, AND I'm not the domain 
expert you'd need to do that audit anyway. I know enough to know I _don't_ 
know enough to reliably answer this question.
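The /tmp symlink race that the message above uses as its programming-side analogy, written out as an added example (editor's code, not part of Rob's mail and not musl's): the naive check-then-open pair that follows a planted symlink and truncates another file, beside an O_CREAT|O_EXCL|O_NOFOLLOW create with an fstat() check that refuses the link. Every function name, the scratch directory standing in for /tmp, and the "victim"/"target" layout are assumptions of the example.

```c
/* Added example (not from Rob Landley's message or from musl): the /tmp
 * symlink race used as an analogy above, naive check-then-open beside a
 * hardened create. Every function name here is invented for the example. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Naive "check": nothing at that path yet, so it looks safe to create. */
static int path_is_free(const char *path) {
    struct stat st;
    return lstat(path, &st) < 0;
}

/* Naive "use": O_CREAT without O_EXCL|O_NOFOLLOW follows a symlink planted
 * between the check and this call, and O_TRUNC empties whatever it targets. */
static int racy_open(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened create: atomic O_EXCL, never follow a link, then confirm with
 * fstat() that the descriptor is a fresh regular file owned by us. */
int safe_create_file(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;            /* EEXIST/ELOOP: something was there */
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1 ||
        st.st_uid != geteuid()) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Scaffolding: a private scratch dir standing in for /tmp, holding a victim
 * file with the constructed 6-byte payload "secret". Fills in all three paths. */
static int setup(char *dir, char *victim, char *target, size_t n) {
    const char *base = getenv("TMPDIR") ? getenv("TMPDIR") : "/tmp";
    snprintf(dir, n, "%s/tmprace.XXXXXX", base);
    if (!mkdtemp(dir)) {              /* fall back to the working directory */
        snprintf(dir, n, "./tmprace.XXXXXX");
        if (!mkdtemp(dir)) return -1;
    }
    snprintf(victim, n, "%s/victim", dir);
    snprintf(target, n, "%s/target", dir);
    int fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    int ok = write(fd, "secret", 6) == 6;
    close(fd);
    return ok ? 0 : -1;
}

static void teardown(const char *d, const char *v, const char *t) { unlink(t); unlink(v); rmdir(d); }
static off_t file_size(const char *p) { struct stat st; return stat(p, &st) == 0 ? st.st_size : -1; }

/* Check passes, another user plants target -> victim, racy open empties the
 * victim. Each demo returns 1 when it behaves as described, 0 otherwise. */
int demo_racy_open_truncates_victim(void) {
    char d[512], v[512], t[512];
    if (setup(d, v, t, sizeof d) < 0) return -1;
    int result = 0;
    if (path_is_free(t) && symlink("victim", t) == 0) { /* race lost here */
        int fd = racy_open(t);
        if (fd >= 0) close(fd);
        result = fd >= 0 && file_size(v) == 0;
    }
    teardown(d, v, t);
    return result;
}

/* Same planted link: the hardened create refuses it, victim keeps 6 bytes. */
int demo_safe_create_refuses_symlink(void) {
    char d[512], v[512], t[512];
    if (setup(d, v, t, sizeof d) < 0) return -1;
    int result = 0;
    if (symlink("victim", t) == 0) {
        int fd = safe_create_file(t);
        if (fd >= 0) close(fd);
        result = fd < 0 && file_size(v) == 6;
    }
    teardown(d, v, t);
    return result;
}

/* Nothing planted: the hardened create succeeds and the file is usable. */
int demo_safe_create_fresh_path(void) {
    char d[512], v[512], t[512];
    if (setup(d, v, t, sizeof d) < 0) return -1;
    int fd = safe_create_file(t);
    int result = fd >= 0 && write(fd, "hello", 5) == 5;
    if (fd >= 0) close(fd);
    result = result && file_size(t) == 5;
    teardown(d, v, t);
    return result;
}

int main(void) {
    printf("racy open truncated victim : %d\n", demo_racy_open_truncates_victim());
    printf("safe create refused symlink: %d\n", demo_safe_create_refuses_symlink());
    printf("safe create on fresh path  : %d\n", demo_safe_create_fresh_path());
    return 0;
}
```

Build with `cc -Wall -o tmprace tmprace.c` and run it; each line should report 1. The first demo simulates the lost race by planting the link between the check and the open, which is exactly the window the message describes; the hardened create is the same O_CREAT|O_EXCL discipline mkstemp(3) relies on, with O_NOFOLLOW and the fstat() ownership check added so that a pre-planted link or a substituted non-regular file is rejected rather than followed.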