Re: [liberationtech] Silent Phone source code available on GitHub

2013-10-05 Thread Karl Fogel
Joseph Lorenzo Hall  writes:
>Definitely what I call "disclosed source". I doubt they'd license with 
>an open source license, let alone accept external commits. As long as 
>the license allows review, static analysis, debugging compilation, etc. 
>-- i.e., things needed for technical evaluation -- that's a good thing. 
>Right?

Sure; "good" is a rather wider domain than "open source" :-).  My point
is just don't call it "open source" if it isn't -- people are counting
on those words meaning something specific & dependable.  They'll think
they can fork the code, or, you know, base a business on it, and then be
surprised when the license bites them.

-K

>On Fri Oct  4 12:02:11 2013, Karl Fogel wrote:
>> Petter Ericson  writes:
>>> So, Silent Circle (well, Silent Phone) is finally open source!
>>
>> Thank you, Petter -- it sounds like this release was a lot of hard work.
>> But it doesn't appear to be actually open source.  At least, I couldn't
>> find a license file containing an open source license.  Actually, I
>> didn't see any license file at all, so I went looking for a source file,
>> and the first one I found was:
>>
>>   
>> https://github.com/SilentCircle/silent-phone-android/blob/master/src/com/silentcircle/silentphone/TiviPhoneService.java
>>
>> ...which contains this license header in a comment at the top:
>>
>>   > Copyright © 2012-2013, Silent Circle, LLC. All rights reserved.
>>   >
>>   > Redistribution and use in source and binary forms, with or without
>>   > modification, are permitted provided that the following conditions are met:
>>   > * Any redistribution, use, or modification is done solely for personal
>>   > benefit and not for any commercial purpose or for monetary gain
>>   > * Redistributions of source code must retain the above copyright
>>   > notice, this list of conditions and the following disclaimer.
>>   > * Redistributions in binary form must reproduce the above copyright
>>   > notice, this list of conditions and the following disclaimer in the
>>   > documentation and/or other materials provided with the distribution.
>>   > * Neither the name Silent Circle nor the
>>   > names of its contributors may be used to endorse or promote products
>>   > derived from this software without specific prior written permission.
>>   >
>>   > [...]
>>
>> That first term is incompatible with open source (prohibition on
>> commercial use means it's not open source).  For clarification:
>> http://opensource.org/faq#commercial
>>
>> Of course, I'd love to see the code switched to an open source license,
>> and am happy to help you choose one, if you'd like help.  A good place
>> to start is http://opensource.org/licenses.
>>
>> Having the code visible to the world is still a gain from a security
>> perspective, and I don't mean to diminish that.  However, "visible" is
>> not the same as "open source".
>>
>> Best,
>> Karl
>>
>>> At least, the previous version, with the next one coming "in a couple of 
>>> weeks".
>>>
>>> This, to me, is absolutely wonderful news, as it is finally possible to get a
>>> proper security audit of the whole shebang.
>>>
>>> Github issue: https://github.com/SilentCircle/silent-phone-base/issues/5
>>>
>>> The released repo: https://github.com/SilentCircle/silent-phone-android
>>>
>>> /P
>>>
>>> From: Jim Burrows 
>>> Subject: Re: [silent-phone-base] Impact of ZRTP library critical security 
>>> vulnerabilities (#5)
>>> To: SilentCircle/silent-phone-base 
>>> Cc: pettter 
>>>
>>> @pettter, "Soon" is today, well, actually last night.
>>>
>>> We've just released the sources to Silent Phone for Android
>>> V1.6.5. And, yes, we released them one week after we released 1.6.6 to
>>> the Play Store, so they're a little bit stale, *BUT*... what delayed
>>> us was making sure that they were buildable from the GitHub repo
>>> outside our build environment. That means, assuming we got it right,
>>> that you can check out our repo here on GitHub, build your own APK,
>>> install it on your phone and run it instead of our Play Store version.
>>>
>>> And to make lemonade out of the lemons of being one release behind, we
>>> plan on releasing 1.6.6 in a couple of weeks, so, if you try to build
>>> 1.6.5 and find that we blew it somehow, you can post an issue here and
>>> we've already got a release planned to fix it in.
>>>
>>> I'm really sorry that "soon" took this long. It was absolutely NOT my
>>> plan, but this summer has been really really hectic (for obvious
>>> reasons) and we're a small company with limited resources. The
>>> slowness has really frustrated me, as has the fact that when I yell,
>>> "What idiot set those priorities?" each time something delayed posting
>>> here, the answer was always "me". I can try to blame all the Snowden,
>>> NSA, Prism brouhaha and the time and resource pressures it has put us
>>> under, but in the end, I'm the one who grits his teeth and says, "Yes,
>>> that's more important than the GitHub release. Make it so."
>>>
>>> I

Re: [liberationtech] Silent Phone source code available on GitHub

2013-10-05 Thread Joseph Lorenzo Hall
Definitely what I call "disclosed source". I doubt they'd license with 
an open source license, let alone accept external commits. As long as 
the license allows review, static analysis, debugging compilation, etc. 
-- i.e., things needed for technical evaluation -- that's a good thing. 
Right?

best, Joe

On Fri Oct  4 12:02:11 2013, Karl Fogel wrote:
> Petter Ericson  writes:
>> So, Silent Circle (well, Silent Phone) is finally open source!
>
> Thank you, Petter -- it sounds like this release was a lot of hard work.
> But it doesn't appear to be actually open source.  At least, I couldn't
> find a license file containing an open source license.  Actually, I
> didn't see any license file at all, so I went looking for a source file,
> and the first one I found was:
>
>   
> https://github.com/SilentCircle/silent-phone-android/blob/master/src/com/silentcircle/silentphone/TiviPhoneService.java
>
> ...which contains this license header in a comment at the top:
>
>   > Copyright © 2012-2013, Silent Circle, LLC. All rights reserved.
>   >
>   > Redistribution and use in source and binary forms, with or without
>   > modification, are permitted provided that the following conditions are met:
>   > * Any redistribution, use, or modification is done solely for personal
>   > benefit and not for any commercial purpose or for monetary gain
>   > * Redistributions of source code must retain the above copyright
>   > notice, this list of conditions and the following disclaimer.
>   > * Redistributions in binary form must reproduce the above copyright
>   > notice, this list of conditions and the following disclaimer in the
>   > documentation and/or other materials provided with the distribution.
>   > * Neither the name Silent Circle nor the
>   > names of its contributors may be used to endorse or promote products
>   > derived from this software without specific prior written permission.
>   >
>   > [...]
>
> That first term is incompatible with open source (prohibition on
> commercial use means it's not open source).  For clarification:
> http://opensource.org/faq#commercial
>
> Of course, I'd love to see the code switched to an open source license,
> and am happy to help you choose one, if you'd like help.  A good place
> to start is http://opensource.org/licenses.
>
> Having the code visible to the world is still a gain from a security
> perspective, and I don't mean to diminish that.  However, "visible" is
> not the same as "open source".
>
> Best,
> Karl
>
>> At least, the previous version, with the next one coming "in a couple of 
>> weeks".
>>
>> This, to me, is absolutely wonderful news, as it is finally possible to get a
>> proper security audit of the whole shebang.
>>
>> Github issue: https://github.com/SilentCircle/silent-phone-base/issues/5
>>
>> The released repo: https://github.com/SilentCircle/silent-phone-android
>>
>> /P
>>
>> From: Jim Burrows 
>> Subject: Re: [silent-phone-base] Impact of ZRTP library critical security 
>> vulnerabilities (#5)
>> To: SilentCircle/silent-phone-base 
>> Cc: pettter 
>>
>> @pettter, "Soon" is today, well, actually last night.
>>
>> We've just released the sources to Silent Phone for Android
>> V1.6.5. And, yes, we released them one week after we released 1.6.6 to
>> the Play Store, so they're a little bit stale, *BUT*... what delayed
>> us was making sure that they were buildable from the GitHub repo
>> outside our build environment. That means, assuming we got it right,
>> that you can check out our repo here on GitHub, build your own APK,
>> install it on your phone and run it instead of our Play Store version.
>>
>> And to make lemonade out of the lemons of being one release behind, we
>> plan on releasing 1.6.6 in a couple of weeks, so, if you try to build
>> 1.6.5 and find that we blew it somehow, you can post an issue here and
>> we've already got a release planned to fix it in.
>>
>> I'm really sorry that "soon" took this long. It was absolutely NOT my
>> plan, but this summer has been really really hectic (for obvious
>> reasons) and we're a small company with limited resources. The
>> slowness has really frustrated me, as has the fact that when I yell,
>> "What idiot set those priorities?" each time something delayed posting
>> here, the answer was always "me". I can try to blame all the Snowden,
>> NSA, Prism brouhaha and the time and resource pressures it has put us
>> under, but in the end, I'm the one who grits his teeth and says, "Yes,
>> that's more important than the GitHub release. Make it so."
>>
>> I'd be happy to have you sympathize with me for the decisions I've
>> faced this summer, but I absolutely would not disagree with you if you
>> blamed me for the delay. I own it.
>>
>> Silent Phone for iOS sources, Silent Text for Android, and then Silent
>> Phone for Android 1.6.6 source releases are all in the pipeline, and
>> if you'll forgive me for using a word that I myself have sullied, they
>> should all be here "soon".
>>
>> --

--

Re: [liberationtech] Silent Phone source code available on GitHub

2013-10-04 Thread Karl Fogel
Petter Ericson  writes:
>So, Silent Circle (well, Silent Phone) is finally open source!

Thank you, Petter -- it sounds like this release was a lot of hard work.
But it doesn't appear to be actually open source.  At least, I couldn't
find a license file containing an open source license.  Actually, I
didn't see any license file at all, so I went looking for a source file,
and the first one I found was:

  
https://github.com/SilentCircle/silent-phone-android/blob/master/src/com/silentcircle/silentphone/TiviPhoneService.java

...which contains this license header in a comment at the top:

  > Copyright © 2012-2013, Silent Circle, LLC. All rights reserved.
  > 
  > Redistribution and use in source and binary forms, with or without
  > modification, are permitted provided that the following conditions are met:
  > * Any redistribution, use, or modification is done solely for personal
  > benefit and not for any commercial purpose or for monetary gain
  > * Redistributions of source code must retain the above copyright
  > notice, this list of conditions and the following disclaimer.
  > * Redistributions in binary form must reproduce the above copyright
  > notice, this list of conditions and the following disclaimer in the
  > documentation and/or other materials provided with the distribution.
  > * Neither the name Silent Circle nor the
  > names of its contributors may be used to endorse or promote products
  > derived from this software without specific prior written permission.
  >
  > [...]

That first term is incompatible with open source (prohibition on
commercial use means it's not open source).  For clarification:
http://opensource.org/faq#commercial

Of course, I'd love to see the code switched to an open source license,
and am happy to help you choose one, if you'd like help.  A good place
to start is http://opensource.org/licenses.

Having the code visible to the world is still a gain from a security
perspective, and I don't mean to diminish that.  However, "visible" is
not the same as "open source".

Best,
Karl

>At least, the previous version, with the next one coming "in a couple of 
>weeks".
>
>This, to me, is absolutely wonderful news, as it is finally possible to get a
>proper security audit of the whole shebang.
>
>Github issue: https://github.com/SilentCircle/silent-phone-base/issues/5
>
>The released repo: https://github.com/SilentCircle/silent-phone-android
>
>/P
>
>From: Jim Burrows 
>Subject: Re: [silent-phone-base] Impact of ZRTP library critical security 
>vulnerabilities (#5)
>To: SilentCircle/silent-phone-base 
>Cc: pettter 
>
>@pettter, "Soon" is today, well, actually last night.
>
>We've just released the sources to Silent Phone for Android
>V1.6.5. And, yes, we released them one week after we released 1.6.6 to
>the Play Store, so they're a little bit stale, *BUT*... what delayed
>us was making sure that they were buildable from the GitHub repo
>outside our build environment. That means, assuming we got it right,
>that you can check out our repo here on GitHub, build your own APK,
>install it on your phone and run it instead of our Play Store version.
>
>And to make lemonade out of the lemons of being one release behind, we
>plan on releasing 1.6.6 in a couple of weeks, so, if you try to build
>1.6.5 and find that we blew it somehow, you can post an issue here and
>we've already got a release planned to fix it in.
>
>I'm really sorry that "soon" took this long. It was absolutely NOT my
>plan, but this summer has been really really hectic (for obvious
>reasons) and we're a small company with limited resources. The
>slowness has really frustrated me, as has the fact that when I yell,
>"What idiot set those priorities?" each time something delayed posting
>here, the answer was always "me". I can try to blame all the Snowden,
>NSA, Prism brouhaha and the time and resource pressures it has put us
>under, but in the end, I'm the one who grits his teeth and says, "Yes,
>that's more important than the GitHub release. Make it so."
>
>I'd be happy to have you sympathize with me for the decisions I've
>faced this summer, but I absolutely would not disagree with you if you
>blamed me for the delay. I own it.
>
>Silent Phone for iOS sources, Silent Text for Android, and then Silent
>Phone for Android 1.6.6 source releases are all in the pipeline, and
>if you'll forgive me for using a word that I myself have sullied, they
>should all be here "soon".
>
>--
-- 
Liberationtech is public & archives are searchable on Google. Violations of 
list guidelines will get you moderated: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, 
change to digest, or change password by emailing moderator at 
compa...@stanford.edu.

[liberationtech] Silent Phone source code available on GitHub

2013-10-03 Thread Petter Ericson
So, Silent Circle (well, Silent Phone) is finally open source!

At least, the previous version, with the next one coming "in a couple of weeks".

This, to me, is absolutely wonderful news, as it is finally possible to get a
proper security audit of the whole shebang.

Github issue: https://github.com/SilentCircle/silent-phone-base/issues/5

The released repo: https://github.com/SilentCircle/silent-phone-android

/P

- Forwarded message from Jim Burrows  -

From: Jim Burrows 
To: SilentCircle/silent-phone-base 
Cc: pettter 
Subject: Re: [silent-phone-base] Impact of ZRTP library critical security 
vulnerabilities (#5)

@pettter, "Soon" is today, well, actually last night.

We've just released the sources to Silent Phone for Android V1.6.5. And, yes, 
we released them one week after we released 1.6.6 to the Play Store, so they're 
a little bit stale, *BUT*... what delayed us was making sure that they were 
buildable from the GitHub repo outside our build environment. That means, 
assuming we got it right, that you can check out our repo here on GitHub, build 
your own APK, install it on your phone and run it instead of our Play Store 
version.

And to make lemonade out of the lemons of being one release behind, we plan on 
releasing 1.6.6 in a couple of weeks, so, if you try to build 1.6.5 and find 
that we blew it somehow, you can post an issue here and we've already got a 
release planned to fix it in.

I'm really sorry that "soon" took this long. It was absolutely NOT my plan, but 
this summer has been really really hectic (for obvious reasons) and we're a 
small company with limited resources. The slowness has really frustrated me, as 
has the fact that when I yell, "What idiot set those priorities?" each time 
something delayed posting here, the answer was always "me". I can try to blame 
all the Snowden, NSA, Prism brouhaha and the time and resource pressures it has 
put us under, but in the end, I'm the one who grits his teeth and says, "Yes, 
that's more important than the GitHub release. Make it so."

I'd be happy to have you sympathize with me for the decisions I've faced this 
summer, but I absolutely would not disagree with you if you blamed me for the 
delay. I own it.

Silent Phone for iOS sources, Silent Text for Android, and then Silent Phone 
for Android 1.6.6 source releases are all in the pipeline, and if you'll 
forgive me for using a word that I myself have sullied, they should all be here 
"soon".

- End forwarded message -

-- 
Petter Ericson (pett...@acc.umu.se)