Joseph Lorenzo Hall <j...@cdt.org> writes:
>Definitely what I call "disclosed source". I doubt they'd license with
>an open source license, let alone accept external commits. As long as
>the license allows review, static analysis, debugging compilation, etc.
>-- i.e., things needed for technical evaluation -- that's a good thing.
>Right?

Sure; "good" is a rather wider domain than "open source" :-). My point
is just don't call it "open source" if it isn't -- people are counting
on those words meaning something specific & dependable. They'll think
they can fork the code, or, you know, base a business on it, and then be
surprised when the license bites them.

-K

>On Fri Oct 4 12:02:11 2013, Karl Fogel wrote:
>> Petter Ericson <pett...@acc.umu.se> writes:
>>> So, Silent Circle (well, Silent Phone) is finally open source!
>>
>> Thank you, Petter -- it sounds like this release was a lot of hard work.
>> But it doesn't appear to be actually open source. At least, I couldn't
>> find a license file containing an open source license. Actually, I
>> didn't see any license file at all, so I went looking for a source file,
>> and the first one I found was:
>>
>>
>> https://github.com/SilentCircle/silent-phone-android/blob/master/src/com/silentcircle/silentphone/TiviPhoneService.java
>>
>> ...which contains this license header in a comment at the top:
>>
>> > Copyright © 2012-2013, Silent Circle, LLC. All rights reserved.
>> >
>> > Redistribution and use in source and binary forms, with or without
>> > modification, are permitted provided that the following conditions are met:
>> > * Any redistribution, use, or modification is done solely for personal
>> >   benefit and not for any commercial purpose or for monetary gain
>> > * Redistributions of source code must retain the above copyright
>> >   notice, this list of conditions and the following disclaimer.
>> > * Redistributions in binary form must reproduce the above copyright
>> >   notice, this list of conditions and the following disclaimer in the
>> >   documentation and/or other materials provided with the distribution.
>> > * Neither the name Silent Circle nor the
>> >   names of its contributors may be used to endorse or promote products
>> >   derived from this software without specific prior written permission.
>> >
>> > [...]
>>
>> That first term is incompatible with open source (prohibition on
>> commercial use means it's not open source). For clarification:
>> http://opensource.org/faq#commercial
>>
>> Of course, I'd love to see the code switched to an open source license,
>> and am happy to help you choose one, if you'd like help. A good place
>> to start is http://opensource.org/licenses.
>>
>> Having the code visible to the world is still a gain from a security
>> perspective, and I don't mean to diminish that. However, "visible" is
>> not the same as "open source".
>>
>> Best,
>> Karl
>>
>>> At least, the previous version, with the next one coming "in a couple of
>>> weeks".
>>>
>>> This, to me, is absolutely wonderful news, as it is finally possible to get a
>>> proper security audit of the whole shebang.
>>>
>>> Github issue: https://github.com/SilentCircle/silent-phone-base/issues/5
>>>
>>> The released repo: https://github.com/SilentCircle/silent-phone-android
>>>
>>> /P
>>>
>>> From: Jim Burrows <notificati...@github.com>
>>> Subject: Re: [silent-phone-base] Impact of ZRTP library critical security vulnerabilities (#5)
>>> To: SilentCircle/silent-phone-base <silent-phone-b...@noreply.github.com>
>>> Cc: pettter <pett...@acc.umu.se>
>>>
>>> @pettter, "Soon" is today, well, actually last night.
>>>
>>> We've just released the sources to Silent Phone for Android
>>> V1.6.5. And, yes, we released them one week after we released 1.6.6 to
>>> the Play Store, so they're a little bit stale, *BUT*... what delayed
>>> us was making sure that they were buildable from the GitHub repo
>>> outside our build environment. That means, assuming we got it right,
>>> that you can check out our repo here on GitHub, build your own APK,
>>> install it on your phone and run it instead of our Play Store version.
>>>
>>> And to make lemonade out of the lemons of being one release behind, we
>>> plan on releasing 1.6.6 in a couple of weeks, so, if you try to build
>>> 1.6.5 and find that we blew it somehow, you can post an issue here and
>>> we've already got a release planned to fix it in.
>>>
>>> I'm really sorry that "soon" took this long. It was absolutely NOT my
>>> plan, but this summer has been really really hectic (for obvious
>>> reasons) and we're a small company with limited resources. The
>>> slowness has really frustrated me, as has the fact that when I yell,
>>> "What idiot set those priorities?" each time something delayed posting
>>> here, the answer was always "me". I can try to blame all the Snowden,
>>> NSA, Prism brouhaha and the time and resource pressures it has put us
>>> under, but in the end, I'm the one who grits his teeth and says, "Yes,
>>> that's more important than the GitHub release. Make it so."
>>>
>>> I'd be happy to have you sympathize with me for the decisions I've
>>> faced this summer, but I absolutely would not disagree with you if you
>>> blamed me for the delay. I own it.
>>>
>>> Silent Phone for iOS sources, Silent Text for Android, and then Silent
>>> Phone for Android 1.6.6 source releases are all in the pipeline, and
>>> if you'll forgive me for using a word that I myself have sullied, they
>>> should all be here "soon".
>>>
>>> ----------
>
>--
>Joseph Lorenzo Hall
>Senior Staff Technologist
>Center for Democracy & Technology
>1634 I ST NW STE 1100
>Washington DC 20006-4011
>(p) 202-407-8825
>(f) 202-637-0968
>j...@cdt.org
>PGP: https://josephhall.org/gpg-key
>fingerprint: BE7E A889 7742 8773 301B 4FA1 C0E2 6D90 F257 77F8

--
Liberationtech is public & archives are searchable on Google. Violations
of list guidelines will get you moderated:
https://mailman.stanford.edu/mailman/listinfo/liberationtech.
Unsubscribe, change to digest, or change password by emailing moderator
at compa...@stanford.edu.