Fwd: Re: Updated license - please comment

Chuck Swiger chuck at codefab.com
Mon Jun 23 18:08:24 UTC 2003


David Presotto wrote:
[ ... ]
> I understand where someone wouldn't want their code destroyed, perverted,
> whatever.  However, broken or malicious is a bit of a judgement call, is
> it not?  I have a hard time seeing where the line would be drawn.

I agree with you that it's hard to draw the line exactly.

Furthermore, I bet there will exist ambiguous cases regardless of where the line 
*is* drawn.  However, I submit that there also exist unambiguous cases of 
"broken or malicious" distributions of software, such as those identified by 
CERT (http://www.cert.org/advisories/):

CA-2002-30: Trojan Horse tcpdump and libpcap Distributions
CA-2002-28: Trojan Horse Sendmail Distribution
CA-2002-24: Trojan Horse OpenSSH Distribution

> OSD #4 already provides a way for an author to distinguish what constitutes
> an `authentic' version.  Might that not be enough?  Then a body (person
> whatever) can bless the authentic/proven-correct/secure/whatever version
> but everyone can still distribute modifications.

I'm not sure, so I guess I need to think more about this.  :-)

In the case where someone wants to fork a new version of a project for "good 
reasons" (left undefined due to the problem of 'drawing the line exactly'), 
and clearly distinguishes their version from the parent project, that should be 
permitted by all open source software.

I think a canonical example of this would be the XEmacs project compared with 
GNU Emacs: the forked version is clearly identified, provides a clear 
justification/raison d'etre, provides reference back to the parent project, etc.

If RMS were to claim that XEmacs was a "deliberately broken or malicious 
distribution of GNU Emacs" and ask for a legal injunction requiring RCN.net to take 
down the XEmacs site, the XEmacs authors could respond, and the judge could 
decide whether the XEmacs project was violating the GPL.  The answer in this 
case should be no, of course.

On the other hand, the people breaking into sites to trojan sendmail or OpenSSH 
are highly unlikely to want to be identified, and thus aren't going to contest 
if the authors of sendmail don't want a trojaned sendmail distribution distributed.

-- 
-Chuck

--
license-discuss archive is at http://crynwr.com/cgi-bin/ezmlm-cgi?3


