Well, to be completely honest I wouldn't use security software with a 
proprietary GUI myself.  But I'm not most people, and it would be better for 
your business logic to be open source than for the whole thing to be subject to 
the terms you describe.
-Jonathan


     On Friday, October 3, 2014 9:07 PM, Greg <g...@kinostudios.com> wrote:
   

 Dear Rich,
I echo Jonathan's reply to your email.
At the same time, I do feel a certain empathy and understanding of the feeling 
behind your words. If there was anything in your email that I came closest to 
agreeing with, it would be this:

> You can't have the former without the latter: it's not a sufficient condition, 
> but it's certainly a necessary one.


That idea of "necessary but insufficient" is the strongest argument for 
letting others look at our code, and it is what drove me to make our source 
available.
Now, the rest of your email, however, is simply misleading/untrue.
Specifically, this accusation is untrue:

> And the reason there is no way to know is that Tao Effect is refusing to 
> freely/openly/completely publish the full source code

Let's break up those slashes.
- "freely": We _are_ making our code available for _free_.
- "openly": We _are not_ making it 100% open.
- "completely": We _are_ making _all_ of our code available.
So let's please keep this discussion honest. Give us our due credit where it is 
deserved, and throw criticism at us where we deserve it, but always be truthful.
You may also be misunderstanding our NDA. We are not merely copy/pasting 
legalese boilerplate that we found somewhere. This is our NDA, and it is unique 
in its terms (at least I haven't seen anything like it).
So, on that:
> And can't be, since you've exempted anyone who doesn't meet your criteria and 
> since anyone who signs your NDA is quite clearly no longer independent.
Half-true. Yes, we have exempted anyone who doesn't meet our criteria, and this 
is because we want to do our best to keep the software in the hands of honest, 
trustworthy folks, for the sake of everyone who uses our software.
However, those who agree to the NDA do maintain their independence.
The terms _explicitly_ enumerate the following rights:

- You may build and release copies of Espionage using the original and 
unmodified source code that we send you (and all associated materials). You may 
not: sell, re-brand, or add anything to the copies that you distribute that was 
not included in the original materials that we sent you. Additional terms may 
apply. See full terms in the contract we send you.
- You may publish and document any security vulnerabilities that you find in 
Espionage as long as you do so in the manner specified in the agreement (see 
previous terms).

The "previous terms" refer primarily to an embargo of 3 months, the purpose of 
which is to give us time to fix any problems found in the audit.
That, again, is for the safety of everyone who uses our software.
One final point that you ignored:
As mentioned previously, we are incapable of open sourcing all of the crypto 
that Espionage uses, because it belongs to Apple.
We _are_ trying to fix that by moving Espionage's architecture away from 
Apple's sparsebundles, but that is going to take a lot of time and research to 
do properly, and therefore our time is better spent doing *that*, than on 
figuring out how to make our code open source while avoiding TrueCrypt's fate.
You want us to stay in business after all, right? We are the folks who dedicate 
our hours to this program. We are the ones who answer your support emails. We 
are the ones who implement your feature requests. We are the ones who fix 
Espionage when things go wrong.
All of that must be paid for. Going 100% open source (say, after we find a 
replacement for sparsebundles) is a risk not only for us, but to everyone who 
uses Espionage. There is the very real risk that if we do that in a couple of 
months or years someone will be posting an email to this list entitled 
"Espionage Alternatives?"
That is a lose-lose for everyone.
We are taking the Middle Way here: making all of our code available for review, 
while keeping Espionage alive.
Still, community feedback is valuable to us, so thank you for sharing your 
perspective. As soon as we see a better idea that works, we will work to 
implement it.
Kind regards,
Greg Slepak
--
Please do not email me anything that you are not comfortable also sharing with 
the NSA.
-- 
Liberationtech is public & archives are searchable on Google. Violations of 
list guidelines will get you moderated: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, 
change to digest, or change password by emailing moderator at 
compa...@stanford.edu.
