[nycphp-talk] somewhat OT: open source code auditing
Matt Morgan
matt at jiffycomp.com
Mon Aug 22 21:47:37 EDT 2005
Hans Zaunere wrote:
>
>
>>Hey Folks,
>>
>>This is slightly off-topic, but I've just had the "higher-ups" come to
>>me asking about open source and coding audits. I'm not speaking about
>>collaborative tools or auditing from a security perspective, but rather
>>from a legal perspective. Simply put, how do you know where a piece of
>>code really came from?
>>
>>
>
>Maybe the SCO lawyers can help with this :)
>
>
>
>>I'm hoping that others on the list have gone through this (or are
>>actually going through it now) and can provide some insight.
>>
>>Some general questions:
>>1. When you decide to use a piece of open source software, what do you
>>document? (package name, authors, download location, website, license,
>>date/time, etc)
>>2. Do you feel the need to actually verify that they wrote it? Or is
>>it enough to say, "This is a popular package, and it is generally
>>accepted that this person wrote it."
>>
>>
>
>This really comes down to the license. If it's GPL, you basically are legally bound to make your "derived works" public as well. Of course, what defines derived works is not something clearly defined.
>
>
OK, I'm a little out of my element here, but I think that's not true.
The GPL requires you to release the source for any derived works that
you release. You are not required to release anything; it's just that if
you do release something, you must also release the source. GPL-derived
code that you want to keep internal to your organization is A-OK.
>
>
>>As this could relate to PHP:
>>1. The PEAR and PECL repositories - is there anything built into the
>>package approval process that looks for this? I didn't see anything on
>>the website. I would imagine that some Google searches probably occur
>>just to make sure this package
>>2. Code posted on the PHP site by users? Is that "free" to use?
>>
>>
>
>Ugh - there's that word again, free :)
>
>
>
>>I realize that most of us aren't lawyers, and we're getting help from
>>our legal team, but any help you can provide is greatly appreciated.
>>
>>
>
>It's certainly a sticky area. But, keep in mind, that most of the larger open source projects, like PHP and Apache, are licensed using a BSD style license. These questions should only be answered by lawyers, but most source from PEAR and PECL should have a header indicating the license. Typically, this is the PHP license, and so you're likely safe - but again, no one really knows :)
>
>H
>
>_______________________________________________
>New York PHP Talk Mailing List
>AMP Technology
>Supporting Apache, MySQL and PHP
>http://lists.nyphp.org/mailman/listinfo/talk
>http://www.nyphp.org