Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-Id: <1367184878.18069.171@driftwood>
Date: Sun, 28 Apr 2013 16:34:38 -0500
From: Rob Landley <rob@...dley.net>
To: musl@...ts.openwall.com
Cc: musl@...ts.openwall.com
Subject: Licensing.

On 04/26/2013 01:11:07 AM, Igmar Palsenberg wrote:
> 
> >>> incompatible licenses.  The openssl library can't be used with a  
> GNU
> >>> program unless there's a waiver for it because one of the clauses  
> in the
> >>> openssl license goes against the GNU license principles.  The  
> gnutls
> >> Not _used_ but _distributed_. The GPL does not restrict use
...
> > What about explicitly loading the library at run-time using  
> uselib(2) in a plug-in like fashion?  Is that also considered  
> problematic from a GNU perspective?
> 
> I consider this a grey area. I personally don't thing it is  
> considered a problem,
> but there are a number of interesting (theoretical) scenario's :

Um, back up:

You know how cryptographers point and laugh at non-cryptographers  
trying to figure out whether something's breakable?

You know how professional security auditors find most programmers' code  
appallingly insecure, and the best of us have to put out regular  
updates to fix exploits that we didn't personally find?

Now imagine what lawyers think of programmers' legal theories.

To write secure code you need a deep understanding of your operating  
system. To license code securely, you have to understand your legal  
jurisdiction. It's fundamentally not enough to know what the  
code/license says in isolation.

Programming-side example: the /tmp dir has the sticky bit set other  
users running inotify to spot new files being created don't immediately  
delete them and replace with a symlink so your mknod/open pair is now  
accessing the wrong file. What your code is doing worked fine, but the  
context it was running in made it insecure. Now imagine telling a  
lawyer that your license usage is unexploitable in all jurisdictions,  
and you know this because you read the license text and you're sure  
you're using it ok. (The best a lawyer or security professional can  
EVER say is "I can't spot where you screwed up".)

Imagine that GPLv2 code has to run as root, so as soon as part of your  
project is running as root you might as well treat the whole thing like  
it is from a security standpoint. Your question above about mixing GPL  
and non-GPL code is like asking "when is it safe to set the sudo bit on  
this binary while leaving the rest non-root". Suddenly you need to know  
a LOT more about your system's configuration and permissions and use  
cases, and the problematic parts are written in a language (legalese)  
that you don't code in, and the correct answer varies by distro.

If GPLv2 is where everything is root, then you just don't mix untrusted  
code in with that, period. GPLv3 has to run as Windows Administrator,  
an incompatible type of root you can't mix with what GPLv2 needs  
(unless you write dual-mode code full of #ifdefs from day one). Other  
licenses are like other userids each with its own security connotations  
when you have to run code _as_ them and not you; again, it's the mixing  
in the same program that's most problematic.

BSD/MIT/PD code requests no special permissions; legally speaking it  
runs as your login user. It can run as anything else you need it to,  
but doesn't _require_ it. It is not itself opening that can of worms.

It's not a perfect analogy, but it should get the "here there be  
dragons" aspect across. Viral and non-viral licensing can each be made  
to work. Mixing them while keeping them distinct is a MINEFIELD, and  
coming to a local consensus with non-experts doesn't help.

Rob

P.S. Trolls are the legal equivalent of script kiddies, trying to  
figure out where to hit a company to make money come out. Patent  
trolls, copyright trolls, trademark trolls, contract trolls... we've  
even seen trade secret trolling against decss and such. Somebody who  
comes along with an obscure legal interpretation and sends you a "pay  
us now or we'll cost your $50,000 and several months of your life  
defending yourself in court EVEN IF YOU WIN, so give us $20k to go  
away" letter. The fact people have started doing this on behalf of the  
GPL is one of the things that turned me against that license.

P.P.S. I could explain how the real legal issue you were trying to  
tackle above is whether or not something can be considered a "derived  
work" under copyright law of the virally licensed external material,  
but this would be like me explaining cryptography or security to you.  
It's not the same as an audit for any specific usage for  
exploitability, AND I'm not the domain expert you'd need to do that  
audit anyway. I know enough to know I _don't_ know enough to reliably  
answer this question.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.