Re: secrets and lies

2000-12-01 Thread Ian Lance Taylor

   Date: Fri, 01 Dec 2000 12:52:33 -0600
   From: "David L. Nicol" <[EMAIL PROTECTED]>

   Ian Lance Taylor wrote:
   > 
   >Date: Wed, 29 Nov 2000 18:34:59 -0800
   >From: Greg White <[EMAIL PROTECTED]>
   > 
   >I can't see any circumstances where any of Dan's software can be deemed
   >closed source.
   > 
   > It is not the case that all software is either open source or closed
   > source.  There is a broad continuum of licensing possibilities.
   > 
   > I already mentioned an important freedom which Dan does not permit.
   > The lack of that freedom means that Dan's software is not open source.
   > Saying that Dan's software is not open source does not mean that it is
   > closed source.  Dan's software is almost open source, it just isn't
   > quite all the way there.
   > 
   > Ian

   http://courier.sourceforge.net/ appears to be a GPL'd qmail clone, more or
   less.  Why not use it instead, you want a GPL MTA?

Huh?

I was correcting what I perceive as a vocabulary problem: Greg White
seems to want to use the term ``open source'' in a way which is
slightly but significantly different from the way it was originally
defined, and different from the way that other people use it.  Using
the same term with different meanings can only lead to confusion, so I
think it's worth some effort to ensure that everybody understands and
agrees on the meaning.

I said nothing about the GPL, and I said nothing about wanting a
different MTA.  If you happen to know my work (not that there is any
particular reason that you would), then my support for the GPL and the
FSF is fairly clear, but I feel that arguing the merits of various
licensing approaches would be inappropriate on the qmail mailing list.

I do think that arguing the merits of Dan's unique licensing approach
is on topic for the qmail list.  However, in the message to which you
are replying, I was not talking about the merits of any licensing
approach at all.

I apologize for the overly-lengthy reply, but since you already
misunderstood me once, I want to try to preemptively avoid further
misunderstanding.

Ian



Re: secrets and lies

2000-12-01 Thread David L. Nicol

Ian Lance Taylor wrote:
> 
>Date: Wed, 29 Nov 2000 18:34:59 -0800
>From: Greg White <[EMAIL PROTECTED]>
> 
>I can't see any circumstances where any of Dan's software can be deemed
>closed source.
> 
> It is not the case that all software is either open source or closed
> source.  There is a broad continuum of licensing possibilities.
> 
> I already mentioned an important freedom which Dan does not permit.
> The lack of that freedom means that Dan's software is not open source.
> Saying that Dan's software is not open source does not mean that it is
> closed source.  Dan's software is almost open source, it just isn't
> quite all the way there.
> 
> Ian


http://courier.sourceforge.net/ appears to be a GPL'd qmail clone, more or
less.  Why not use it instead, you want a GPL MTA?



-- 
   David Nicol 816.235.1187 [EMAIL PROTECTED]
Just when you think you're finally safe, the poets reappear



Re: secrets and lies

2000-11-29 Thread Ian Lance Taylor

   Date: Wed, 29 Nov 2000 18:34:59 -0800
   From: Greg White <[EMAIL PROTECTED]>

   I can't see any circumstances where any of Dan's software can be deemed
   closed source. 

It is not the case that all software is either open source or closed
source.  There is a broad continuum of licensing possibilities.

I already mentioned an important freedom which Dan does not permit.
The lack of that freedom means that Dan's software is not open source.
Saying that Dan's software is not open source does not mean that it is
closed source.  Dan's software is almost open source, it just isn't
quite all the way there.

Ian



Re: secrets and lies

2000-11-29 Thread Greg White

Russell Nelson wrote:
> 
> Greg White writes:
>  > Paul Jarc wrote:
>  > > Dan's software isn't open source.
>  >
>  > Oh, really? By whose definition?
> 
> By the Open Source Initiative's, the vice-president of which is yours
> truly.  It's okay if you don't believe us when we say it's not Open
> Source, but you'll find yourself in a small minority (dare I call them
> fanatics?)
> 
That's the one I was waiting for. I notice your use of:

Open Source

Please find that reference, and not:

open source

in the mail that I replied to. There's a big difference between the two,
and the first reference does not exist. Nor does it refer to either
'free software' or 'Free Software'. That was my point, which in
hindsight should have been made clear. A piece of software is not
'open source' when its source is closed. A piece of software is not
'Open Source' when it does not comply with the stated policies of the
Open Source Initiative. I made the (obviously incorrect) assumption that
people on this list would have immediately seen the subtle difference.
I can't see any circumstances where any of Dan's software can be deemed
closed source. 

GW
SNIP



Re: secrets and lies

2000-11-28 Thread Russell Nelson

Greg White writes:
 > Paul Jarc wrote:
 > > Dan's software isn't open source. 
 > 
 > Oh, really? By whose definition?

By the Open Source Initiative's, the vice-president of which is yours
truly.  It's okay if you don't believe us when we say it's not Open
Source, but you'll find yourself in a small minority (dare I call them 
fanatics?)

-- 
-russ nelson <[EMAIL PROTECTED]>  http://russnelson.com
Crynwr sells support for free software  | PGPok | The best way to help the poor
521 Pleasant Valley Rd. | +1 315 268 1925 voice | is to help the rich build
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   | up their capital.



Re: secrets and lies

2000-11-27 Thread Stefaan A Eeckels


On 27-Nov-2000 Paul Jarc wrote:
>  Programs - or rather, algorithms - *are* patentable in the US.  You
>  may think this is a ridiculous idea, and I may agree with you, but
>  it's true nonetheless.
That's not true. Algorithms are specifically _not_ patentable
in the US. What _is_ patentable is a device consisting of a (any)
computer and an algorithm. It is true that to the non-patent
professional this is the same as patenting the algorithm, but
it is not. If the applicant has not correctly written the claims,
then a specific application of the algorithm might not be covered.
If the claims are too broad, the patent will be re-examined, or
will be held invalid in court.
What remains is that _any_ patent, whether ultimately valid or
not, allows the patent holder to force their competitors to
either stop selling a product, or engage in often lengthy, and
possibly expensive, legal procedures.
The other problems are that the onus for disclosing prior art
lies with the applicant, and that the PTO is only obliged to
search its own databases for possible prior art. As devices
comprising software have only recently become patentable, there
isn't much "official" prior art, and the examiner then relies
on the disclosures made by the applicant. It then becomes
the responsibility of those affected by the patent to use
the courts to invalidate it. 

In short, in the current scheme of things, the patent system
favours the big guys with lawyers. 

Take care,

Stefaan
-- 
Ninety-Ninety Rule of Project Schedules:
The first ninety percent of the task takes ninety percent of
the time, and the last ten percent takes the other ninety percent.



Re: secrets and lies

2000-11-26 Thread Paul Jarc

Felix von Leitner <[EMAIL PROTECTED]> writes:
> Thus spake Raul Miller ([EMAIL PROTECTED]):
> > Pulling something off of a web site involves creating a copy on your
> > local machine.
> 
> Please enlighten me: who bullshitted you Americans into believing that
> one needs a license to use software?

Raul wasn't talking about using software.  He was talking about
obtaining software.

> Or that software is patentable?

Programs - or rather, algorithms - *are* patentable in the US.  You
may think this is a ridiculous idea, and I may agree with you, but
it's true nonetheless.


paul



Re: secrets and lies

2000-11-26 Thread Ian Lance Taylor

   Date: Fri, 24 Nov 2000 23:11:06 -0800
   From: Greg White <[EMAIL PROTECTED]>

   Paul Jarc wrote:
   > Dan's software isn't open source. 

   Oh, really? By whose definition? I have the source, and I have the
   actual program. I suppose if you're some ESR/RMS fanatic, this does
   not comply with your vision of "open source". The source is
   available, and by Dan's own words you can do what you like with
   it. As far as I am concerned, this meets anyone's definition of
   "open source" except a fanatic.

Actually, I can't do what I like with it: I can't modify the sources
and distribute binaries compiled from the modified sources.

I don't think one has to be a fanatic to want to do that; for example,
most vendors of GNU/Linux distributions do it.

Open source software, as defined by
http://www.opensource.org/osd.html
does permit distributing binaries produced from modified code.

Most of Dan's software is not open source, by a reasonable definition.

Ian



Re: secrets and lies

2000-11-26 Thread David Dyer-Bennet

Greg White <[EMAIL PROTECTED]> writes on 24 November 2000 at 23:11:06 -0800

 > Paul Jarc wrote:

 > > Dan's software isn't open source. 

 > Oh, really? By whose definition? I have the source, and I have the
 > actual program. I suppose if you're some ESR/RMS fanatic, this does
 > not comply with your vision of "open source". The source is
 > available, and by Dan's own words you can do what you like with
 > it. As far as I am concerned, this meets anyone's definition of
 > "open source" except a fanatic.

Might I suggest that you limit yourself to expressing your own
opinion?  This "all reasonable people agree with me" assertion is
unsupported, and I suspect overly broad.
-- 
David Dyer-Bennet  /  Welcome to the future!  /  [EMAIL PROTECTED]
SF: http://www.dd-b.net/dd-b/  Minicon: http://www.mnstf.org/minicon/
Photos: http://dd-b.lighthunters.net/



Re: secrets and lies

2000-11-25 Thread Romeyn Prescott

>
>See http://www.tuxedo.org/~esr/writings/magic-cauldron/magic-cauldron-3.html
>and other similar writings by ESR and others involved in the open source
>movement.  The motives behind Open Source are not secret -- they are readily
>available, all you need to do is look.

I can't believe I read the whole thing...  ;-)

*whew*

Some of that was pretty heavy.  I'll re-read it again when I can 
devote more attention to it.  But thank you very much.  I found it 
most enlightening!

...ROMeyn
-- 


signat-url: http://www2.potsdam.edu/dctm/prescor/signat-url.htm
cubiclecam: http://digirom.potsdam.edu/~prescor/cubiclecam.html
^^^ <--- New and improved!



Re: secrets and lies

2000-11-25 Thread Adam McKenna

On Sat, Nov 25, 2000 at 05:33:44PM -0500, Romeyn Prescott wrote:
> What, Felix, (and you probably ought to respond offline, should you 
> be so inclined, as this has precious little to do with qmail) do you 
> suggest?  How should the software "empires" of this world make their 
> money if not by charging for their software and protecting the 
> license (bought and paid for permission to use it) that goes along 
> with it?  I'm genuinely curious.

See http://www.tuxedo.org/~esr/writings/magic-cauldron/magic-cauldron-3.html
and other similar writings by ESR and others involved in the open source
movement.  The motives behind Open Source are not secret -- they are readily
available, all you need to do is look.

--Adam

-- 
Adam McKenna <[EMAIL PROTECTED]> | "No matter how much it changes, 
http://flounder.net/publickey.html   |  technology's just a bunch of wires 
GPG: 17A4 11F7 5E7E C2E7 08AA|  connected to a bunch of other wires."
 38B0 05D0 8BF7 2C6D 110A|  Joe Rogan, _NewsRadio_
  6:11pm  up 168 days, 16:27,  3 users,  load average: 0.00, 0.03, 0.02



Re: secrets and lies

2000-11-25 Thread Romeyn Prescott

At 1:32 PM +0100 11/23/00, Felix von Leitner wrote:
>Thus spake Raul Miller ([EMAIL PROTECTED]):
>>  Picking up a leaflet does not involve making a copy of it.
>
>>  Pulling something off of a web site involves creating a copy on your
>>  local machine.
>
>Please enlighten me: who bullshitted you Americans into believing that
>one needs a license to use software?  Or that software is patentable?
>
>And how did he go about this feat?
>
>The bullshit level of this comes close to major religions (who tell you
>that there is an invisible man in the sky who makes you rot in hell if
>you believe in other gods, but he also loves you).
>

Ah, Felix, welcome to the wonderful world of capitalism!  I'm 
American and I don't believe I need a license to use software.  I 
simply have no LEGAL choice.  Money being a religion unto itself, 
everyone's in the software game for the money.  There IS a certain 
amount of sense to it...why spend countless hours pounding out code 
and never realizing any financial gain from your efforts?  I suppose 
that's great and groovy if you're independently wealthy or have no 
family or friends, but for most people writing/creating software, 
they are doing so as a means of financial support.  They therefore 
want/need to look out for their interest.  If a man sells 10 copies 
of his software and it gets installed on 10,000 computers, he's still 
only sold and received money for 10 copies.  Where's the profit in 
that?

And if there's no profit, why do it?  It's a question I often ask a 
friend of mine.  He's a real Open Source zealot (not a Bad Thing!) 
and writes/invents all this mind-bogglingly useful software...and 
then gives it away!!  This confuses the bejeezus out of me, and 
I'm not sure I'll ever fully understand WHY.  Not being a 
programmer, I guess I'll never realize the sense of prestige or 
satisfaction one gets out of putting 1's and 0's together in an order 
that no one ever has before.  But just because there is no physical 
result or manifestation of one's toilings, does that mean, as you, 
sir, seem to imply, that one is not deserving of a portion of the 
rewards (financial or otherwise) reaped from the use of one's 
inventions or ideas?  I think that's the whole point.  If there's 
nothing to be gained by doing something, then why do it?  I guess 
that's the whole idea.  We are all, after all, rational self 
maximizers; there's no such thing as a selfless deed.

What, Felix, (and you probably ought to respond offline, should you 
be so inclined, as this has precious little to do with qmail) do you 
suggest?  How should the software "empires" of this world make their 
money if not by charging for their software and protecting the 
license (bought and paid for permission to use it) that goes along 
with it?  I'm genuinely curious.

Sincerely,
...ROMeyn
-- 


signat-url: http://www2.potsdam.edu/dctm/prescor/signat-url.htm
cubiclecam: http://digirom.potsdam.edu/~prescor/cubiclecam.html
^^^ <--- New and improved!



RE: secrets and lies

2000-11-25 Thread Al

>
> And when did a serious security professional last go through it? gd&r
> --

Since there is no way to guess the standard you would require for "serious"
and "professional" I guess there is no way to answer the question.

The OpenBSD team maintains a solid reputation for quality and security. But
I doubt they would consider themselves as "serious security professionals".
Just good coders. But then again when I see some of the people who claim to
be knowledgeable in security (i.e. John Vranesevich and Carolyn Meinel) I
just have to laugh.


-
"One of the best examples of pure democracy in action is the lynch mob"
- AA4YU






Re: secrets and lies

2000-11-25 Thread Robin S. Socha

* Al  <[EMAIL PROTECTED]> writes:

>> So, what is your point here? When was the last time a serious security
>> fanatic went through:
>>
>> b. BSD kernel source code.

> Answer to b would be OpenBSD.

And when did a serious security professional last go through it? gd&r
-- 
Robin S. Socha 



RE: secrets and lies

2000-11-25 Thread Al

> So, what is your point here? When was the last time a serious
> security fanatic went through:
> 
> a. Linux kernel source code.
> b. BSD kernel source code.
> c. Solaris kernel source code.
> d. etc., etc., etc.
> 
Answer to b would be OpenBSD.

-
"One of the best examples of pure democracy in action is the lynch mob"
- AA4YU 





Re: secrets and lies

2000-11-24 Thread Greg White

Paul Jarc wrote:
> 
SNIP
> 
> Dan's software isn't open source. 

Oh, really? By whose definition? I have the source, and I have the actual
program. I suppose if you're some ESR/RMS fanatic, this does not comply with
your vision of "open source". The source is available, and by Dan's own words
you can do what you like with it. As far as I am concerned, this meets anyone's
definition of "open source" except a fanatic.

> I imagine he might value peer
> review, but I'm not aware of his having stated so - certainly not in
> regard to motivation for his distribution terms.  Also, making source
> available does not give everyone the ability to audit the software.
> It gives them permission.  But most people won't be any better able to
> do a quality audit for having the source.  Only the "select few" will
> be able to audit it well, regardless of the license, and they can
> afford to charge a hefty fee, regardless of the license.

So, what is your point here? When was the last time a serious security 
fanatic went through:

a. Linux kernel source code.
b. BSD kernel source code.
c. Solaris kernel source code.
d. etc., etc., etc.

Joe average is not capable of auditing this source code: therefore: it is
insecure. ;)


> 
> paul

GW



Re: secrets and lies

2000-11-23 Thread David Dyer-Bennet

Felix von Leitner <[EMAIL PROTECTED]> writes on 23 November 2000 at 13:32:03 +0100
 > Thus spake Raul Miller ([EMAIL PROTECTED]):
 > > Picking up a leaflet does not involve making a copy of it.
 > 
 > > Pulling something off of a web site involves creating a copy on your
 > > local machine.
 > 
 > Please enlighten me: who bullshitted you Americans into believing that
 > one needs a license to use software?  Or that software is patentable?

Are you making a "natural law" argument here, or what?  Or are you
just ignoring the real world and hoping it will go away?  I think the
shrink-wrap license issue, in particular, has gotten out of hand, but
I don't think stomping your feet and pretending it doesn't exist will
help any, either.
-- 
David Dyer-Bennet  /  Welcome to the future!  /  [EMAIL PROTECTED]
SF: http://www.dd-b.net/dd-b/  Minicon: http://www.mnstf.org/minicon/
Photos: http://dd-b.lighthunters.net/



Re: secrets and lies

2000-11-23 Thread Greg Hudson

> Please enlighten me: who bullshitted you Americans into believing
> that one needs a license to use software?

Since you asked, that would be MAI Systems Corporation in 1993, in a
lawsuit against Peak Computer, Inc.  See
http://www.law.berkeley.edu/journals/btlj/articles/10_1/Nicholson/html/text.html
for a discussion of the case and its implications.

The issue of "ephemeral copies" is currently a hot topic in US
copyright law, and is likely to be decided explicitly by statute in
the near-ish future.  This being US copyright law, the issue is likely
to be decided the wrong way--just one more reason to avoid proprietary
commercial software.

> Or that software is patentable?

Nobody has mentioned software patents in this thread but you, as far
as I have seen; perhaps bringing up a completely new topic in a "move
this discussion somewhere else" message isn't wise.



Re: secrets and lies

2000-11-23 Thread Felix von Leitner

Thus spake Raul Miller ([EMAIL PROTECTED]):
> Picking up a leaflet does not involve making a copy of it.

> Pulling something off of a web site involves creating a copy on your
> local machine.

Please enlighten me: who bullshitted you Americans into believing that
one needs a license to use software?  Or that software is patentable?

And how did he go about this feat?

The bullshit level of this comes close to major religions (who tell you
that there is an invisible man in the sky who makes you rot in hell if
you believe in other gods, but he also loves you).

Incredible.

Please put this discussion on a list with people who actually care about
the US patent and licensing crap.  Thank You.

Felix



RE: secrets and lies

2000-11-22 Thread Al

> On Tue, Nov 21, 2000 at 10:07:00PM -0500, Al wrote:
> > Not a lawyer but when you put something onto a web page you have
> > conformed to a well known pattern that would expect an action to take
> > place. For example if I put a stack of leaflets on the counter of a
> > local store that said "Rummage sale next Week" and gave an address of
> > where to go I do not think that you would have much luck charging
> > someone who took a leaflet with stealing. Even though the leaflet does
> > not say "take one".
>
> Picking up a leaflet does not involve making a copy of it.

Right, taking something that is not yours would be stealing, which is what I
said. The point is that when things are set up in a well understood way there
is an implied agreement or permission. If you put a file on a server and
configure the http daemon to copy and transmit the file when requested you
have granted permission.

>
> Pulling something off of a web site involves creating a copy on your
> local machine.
>

No, reading a CD-ROM on my own drive and putting the contents on my hard
disk would be _me_ making a copy. Your (their, his, her) server reading a
file into memory and then sending the image across the network is a
different thing:

1) The http and/or ftp daemon was configured to perform this task. The file
must be in a location the server software can access. It required deliberate
action.

2) There is no attempt to hide or protect the files, on the contrary. The
files are placed in a location that by published standards can be accessed.

3) This is not the same thing as leaving a door open on my house. There are
clear instructions on the web pages that show exactly where the software is
located and how to make the copy.

>
> Are you suggesting only certain file names are legal to browse?
>

I am saying that there are well known standards that create an implied
consent. If I ftp to a server and enter a user name of 'ftp' and it responds
'anonymous logins permitted' then by convention I may access the /pub
directory and have the server send me a copy of the files that it makes. By
the same standards I may not use a defect in the ftp daemon and fetch
/etc/shadow.

If I connect to port 80 of a machine and its http daemon makes a copy of
index.html I understand that this is happening with the consent of the
server operator.

-
"One of the best examples of pure democracy in action is the lynch mob"
- AA4YU





Re: secrets and lies

2000-11-22 Thread David L. Nicol


> Instead, it poses the question: do you have the legal right to use the
> web, in the absence of explicit copyright notices on every document
> element you encounter?


Laws are never about what is allowed.  Laws are about what is prohibited.



Re: secrets and lies

2000-11-22 Thread Raul Miller

On Tue, Nov 21, 2000 at 10:07:00PM -0500, Al wrote:
> Not a lawyer but when you put something onto a web page you have
> conformed to a well known pattern that would expect an action to take
> place. For example if I put a stack of leaflets on the counter of a
> local store that said "Rummage sale next Week" and gave an address of
> where to go I do not think that you would have much luck charging
> someone who took a leaflet with stealing. Even though the leaflet does
> not say "take one".

Picking up a leaflet does not involve making a copy of it.

Pulling something off of a web site involves creating a copy on your
local machine.

> Another thing that might make a difference would be some of the rulings that
> came about when Sony was sued for the personal video recorder. What rights
> do you have to record a broadcast program? Is the Internet (or part of the
> Internet's functionality) a de facto agreement to allow the copying of
> certain files (i.e. index.html /pub etc)?

Are you suggesting only certain file names are legal to browse?

-- 
Raul



RE: secrets and lies

2000-11-22 Thread zone

>
> The Artistic License was explicitly designed to be part of a
> dual-licensing arrangement.  It's not strong enough to stand on its own;
> the language hasn't been hammered out nearly well enough.
>

But the idea behind it seems to apply to what may be the desired result:
retaining control.

-
"One of the best examples of pure democracy in action is the lynch mob"
- AA4YU





Re: secrets and lies

2000-11-21 Thread Russ Allbery

Al <[EMAIL PROTECTED]> writes:

> Two things come to mind the first is the Artistic under which Perl is
> released

The Artistic License was explicitly designed to be part of a
dual-licensing arrangement.  It's not strong enough to stand on its own;
the language hasn't been hammered out nearly well enough.

-- 
Russ Allbery ([EMAIL PROTECTED]) 



RE: secrets and lies

2000-11-21 Thread Al

> Yes, and I think some do shy away from the GPL for that reason.  But
> Dan wants to prevent forking, which is incompatible with Free
> licenses.
>

Two things come to mind the first is the Artistic under which Perl is
released and the second is the Apache license. The result would be
something like "if you want to make changes you cannot call it qmail". These
may not be some people's favorite tools but they come to mind.

-
"One of the best examples of pure democracy in action is the lynch mob"
- AA4YU




RE: secrets and lies

2000-11-21 Thread Al

>
> Even more amusing is the idea of reading a license to
> determine if you're legally allowed to visit a web page.

Not a lawyer but when you put something onto a web page you have conformed
to a well known pattern that would expect an action to take place. For
example if I put a stack of leaflets on the counter of a local store that
said "Rummage sale next Week" and gave an address of where to go I do not
think that you would have much luck charging someone who took a leaflet with
stealing. Even though the leaflet does not say "take one".

Another thing that might make a difference would be some of the rulings that
came about when Sony was sued for the personal video recorder. What rights
do you have to record a broadcast program? Is the Internet (or part of the
Internet's functionality) a de facto agreement to allow the copying of
certain files (i.e. index.html /pub etc)?



-
"One of the best examples of pure democracy in action is the lynch mob"
- AA4YU





Re: secrets and lies

2000-11-21 Thread Paul Jarc

"Michael T. Babcock" <[EMAIL PROTECTED]> writes:
> Paul Jarc wrote:
> > A license has the potential to be just as ill-worded, confusing, or
> > extremely technical as anything else.  A clearly worded, easily
> > supportable legal document would be good, regardless of whether it
> > were a license.
> 
> As DJB has said ... 'so?'

So if you want a clear, legally binding statement of your rights, ask
for a clear, legally binding statement of your rights, not a license.
A license will satisfy a request for a license, but need not satisfy
those making the request if they actually wanted something else.

> > Right.  So a non-contractual license wouldn't necessarily be better
> > than a non-contractual, non-license legal statement.
> 
> Yes, it would be -- because (as I understand it) you have the right
> to waive your rights -- such as by putting something into the public
> domain (as Dan has done with libtai).

Yes, and that's an example of a non-contractual, non-license legal
statement that gives you clear rights, and so isn't any worse than a
license.


paul



Re: secrets and lies

2000-11-21 Thread Paul Jarc

"Al" <[EMAIL PROTECTED]> writes:
> Here is a question: Does anyone know if the GPL and/or BSD license has ever
> been challenged in court? What were the results?

The GPL hasn't - so its meaning really isn't known yet - but the BSD
license has.  I don't remember the case, but people are still using
the BSD license, which is a good sign that it means pretty much what
it seems to mean.

> The reason I ask this is until there is case law that supports what is put
> forth in these style of agreements then someone may not want to release
> their software into that realm.

Yes, and I think some do shy away from the GPL for that reason.  But
Dan wants to prevent forking, which is incompatible with Free
licenses.


paul



Re: secrets and lies

2000-11-21 Thread Paul Jarc

Raul Miller <[EMAIL PROTECTED]> writes:
> On Tue, Nov 21, 2000 at 05:16:17PM -0500, Paul Jarc wrote:
> > That's true of softwarelaw.html, but this bit of the thread was about
> > rights.html, which includes no such references.
> 
> rights.html doesn't say anything about the licensing of djbdns.

I know.  Neither does anything else on cr.yp.to; djbdns isn't licensed
at all.

> Instead, it poses the question: do you have the legal right to use the
> web, in the absence of explicit copyright notices on every document
> element you encounter?
> 
> It's an interesting question, but I don't see that the discussion in
> this thread really relates to that issue.

It came up in message 5952.  This branch of the thread is descended
from there.  dns-get. messages 5952, 5959, 5971, 5996, and 5997 if you
want to review.


paul



RE: secrets and lies

2000-11-21 Thread Al

> A license has the potential to be just as ill-worded, confusing, or
> extremely technical as anything else.  A clearly worded, easily
> supportable legal document would be good, regardless of whether it
> were a license.

Here is a question: Does anyone know if the GPL and/or BSD license has ever
been challenged in court? What were the results?

The reason I ask this is until there is case law that supports what is put
forth in these style of agreements then someone may not want to release
their software into that realm.

-
"One of the best examples of pure democracy in action is the lynch mob"
- AA4YU





Re: secrets and lies

2000-11-21 Thread Raul Miller

I should add:

The amusing thing about http://cr.yp.to/rights.html is that it doesn't
include a license which allows you to copy it.  So, if you don't have
the right to copy unlicensed documents which appear on the web, you
don't have the right to read that page.

Even more amusing is the idea of reading a license to determine if you're
legally allowed to visit a web page.

-- 
Raul



Re: secrets and lies

2000-11-21 Thread Raul Miller

On Tue, Nov 21, 2000 at 05:16:17PM -0500, Paul Jarc wrote:
> That's true of softwarelaw.html, but this bit of the thread was about
> rights.html, which includes no such references.

rights.html doesn't say anything about the licensing of djbdns.

Instead, it poses the question: do you have the legal right to use the
web, in the absence of explicit copyright notices on every document
element you encounter?

It's an interesting question, but I don't see that the discussion in
this thread really relates to that issue.

--
Raul



Re: secrets and lies

2000-11-21 Thread Vinko Vrsalovic

> > Right.  So a non-contractual license wouldn't necessarily be better
> > than a non-contractual, non-license legal statement.
> 
> Yes, it would be -- because (as I understand it) you have the right to waive
> your rights -- such as by putting something into the public domain (as Dan has
> done with libtai).  A license gives rights to others -- Dan's current documents
> talk about the rights he thinks you have under the law as it is.

And has he consulted a lawyer?

-- 
Vinko Vrsalovic B.   +
[EMAIL PROTECTED]   ++  Perche' la tua lingua e mia!, MIA! ++
ICQ: 9299103 ++  (Mr B.)++
Geek code will never +
be available... :-)  [Today's mode:  PSB (Power Saving Brain)] 




Re: secrets and lies

2000-11-21 Thread Michael T. Babcock

Paul Jarc wrote:

> "Michael T. Babcock" <[EMAIL PROTECTED]> writes:
> > Since the author gives no implicit license, we all come down to
> > IANAL legal battles over what is implied by his other writings.  A
> > license would clear (most of) this up -- that's the issue.
>
> A license has the potential to be just as ill-worded, confusing, or
> extremely technical as anything else.  A clearly worded, easily
> supportable legal document would be good, regardless of whether it
> were a license.

As DJB has said ... 'so?'  How does that make this argument any different?
Nobody asked for a poorly worded license ... ;-)

> Right.  So a non-contractual license wouldn't necessarily be better
> than a non-contractual, non-license legal statement.

Yes, it would be -- because (as I understand it) you have the right to waive
your rights -- such as by putting something into the public domain (as Dan has
done with libtai).  A license gives rights to others -- Dan's current documents
talk about the rights he thinks you have under the law as it is.

> The present documents are as good as a license *for some purposes*.
> For other purposes, such as packaging, we'd want irrevocable
> permission to redistribute.  But this permission need not take the
> form of a license, and a license need not grant that permission.  The
> ideas are compatible, and often come together, but they're orthogonal.
> I'll agree that a disclaimer might be beneficial in either case for
> good-faith purposes; I don't know enough to support or refute that.

--
Michael T. Babcock, C.T.O. FibreSpeed
http://www.fibrespeed.net/~mbabcock





Re: secrets and lies

2000-11-21 Thread Paul Jarc

Raul Miller <[EMAIL PROTECTED]> writes:
> On Mon, Nov 20, 2000 at 10:34:23AM -0500, Michael T. Babcock wrote:
> > He wrote it all -- it's all DJB's theories -- they may be right or
> > wrong, but he's not a lawyer so it's not even really worth trusting his
> > theories at all.
> 
> Except that 
...
> [2] he provides very specific legal references, including a hyperlink
> to the text of the relevant law.

That's true of softwarelaw.html, but this bit of the thread was about
rights.html, which includes no such references.


paul



Re: secrets and lies

2000-11-21 Thread Raul Miller

On Mon, Nov 20, 2000 at 10:34:23AM -0500, Michael T. Babcock wrote:
> He wrote it all -- it's all DJB's theories -- they may be right or
> wrong, but he's not a lawyer so it's not even really worth trusting his
> theories at all.

Except that 

[1] he's the author, which means he owns all copy rights.

So, his expressed intent has some legal significance in this context.

[2] he provides very specific legal references, including a hyperlink
to the text of the relevant law.

So, those references are worth trusting.

On the other hand:  you're not the author of the software, you've not
provided any legal references, and you're not a lawyer.  [The same
applies to me.]

-- 
Raul



Re: secrets and lies

2000-11-21 Thread Paul Jarc

"Michael T. Babcock" <[EMAIL PROTECTED]> writes:
> Paul Jarc wrote:
> > ... I don't see ambiguity in them [dist.html or softwarelaw.html or
> > rights.html] ...
> 
> Are you not as analytical as those who criticise the situation?

Not that I'm aware of.  As I said, I think it's just that when
information is not given, it's called "ambiguity" by some, and not by
others (such as me).


paul



Re: secrets and lies

2000-11-21 Thread Paul Jarc

"Michael T. Babcock" <[EMAIL PROTECTED]> writes:
> Since the author gives no implicit license, we all come down to
> IANAL legal battles over what is implied by his other writings.  A
> license would clear (most of) this up -- that's the issue.

A license has the potential to be just as ill-worded, confusing, or
extremely technical as anything else.  A clearly worded, easily
supportable legal document would be good, regardless of whether it
were a license.

> > When talking about what might be the correct interpretation of the
> > law, it says "Some people think ..." and "Other people ...".  It
> > doesn't say "I think".
> 
> He re-iterates specific thoughts in the form of hearsay.  The
> overall picture of the file is his theory on implied rights of the
> user of software.  Since he does not quote case law (which would be
> valid in the USA or Canada at least) or other legal documents, the
> majority of that file constitutes DJB's theories.

Now I understand this, but summing it up as just "Dan's theories" is
misleading.  (I, for one, was misled.)  He's describing others'
theories.  His descriptions may or may not be accurate, but the
theories themselves are not Dan's.  The descriptions are his, and you
might call them theories too, but that's how you got me confused.

> > Are you saying that these are simply false statements, and that no
> > one actually holds the views that Dan says some do?
> 
> That's not necessary for what I said originally, and you know it

I didn't know that, because I misunderstood you.

> -- so it's not worth a flame-war, is it?

No, so it's a good thing we haven't started one.

> In fact, there's no guarantee that any document would form a legally
> binding contract as contracts must be accepted by both parties in
> many (most?) countries and "click" style licensing has proven not
> binding in some countries.

Right.  So a non-contractual license wouldn't necessarily be better
than a non-contractual, non-license legal statement.

> This is a point the GPL (just an example) makes by reminding the
> user that they can either accept the license as given, or ignore it,
> but if they choose to ignore it, they get no rights whatsoever to
> modification or redistribution.

Yes, although that statement is incorrect WRT modification, AFAICT.

> > If I really cared, I'd want a signed document from the University.
> > Otherwise, the present situation is as good as any other.
> 
> The present situation is clearly not as good as a well-written license and
> disclaimer.

The present documents are as good as a license *for some purposes*.
For other purposes, such as packaging, we'd want irrevocable
permission to redistribute.  But this permission need not take the
form of a license, and a license need not grant that permission.  The
ideas are compatible, and often come together, but they're orthogonal.
I'll agree that a disclaimer might be beneficial in either case for
good-faith purposes; I don't know enough to support or refute that.


paul



RE: secrets and lies

2000-11-21 Thread Qmail Admin

Why doesn't someone demonstrate their EZMLM prowess by conjuring up a list
for this thread so that those of us who are uninterested (a majority, I
would guess) don't have to hear about it anymore...
And, before someone gives me the "use a filter if you don't want to read
about it" crap, consider the relevance of this thread to the list as a whole
over your personal needs, please.
Thank You.

-----Original Message-----
From: Adam McKenna [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 21, 2000 12:58 PM
To: [EMAIL PROTECTED]
Subject: Re: secrets and lies


On Tue, Nov 21, 2000 at 12:32:02AM -0500, Nathan J. Mehl wrote:
> IANAL, but my feeling is that the documents in question pretty
> unambiguously lead to the conclusion that you'd be SOL in that case,
> and I would further suspect that Dan keeps the only notices about
> qmail's distribution terms in a centralized place to leave himself the
> option of refining the terms were such a case to arise.
>
> As he wrote the code, this is unquestionably his right.

If that is his intent, then it's of questionable merit.  I personally don't
believe that it is his intent, but I could be wrong.

> As I personally could care less about the alleged moral tonic of "Free"
> or "Open Source" software and my needs are satisfied by qmail's
> default configuration, this isn't really an issue for me personally.
> People with personal or business needs for such things should probably
> consider the MTAs which explicitly set such terms, rather than hoping
> that qmail might one day satisfy them.  Based on past experience, it's
> not likely to.

I'm not arguing that Dan should change the terms under which he releases his
software, I'm arguing that he should include those terms along with the
software, so that the users of his software know the terms up front, instead
of having to rely on a potentially dynamic web page.

--Adam

--
Adam McKenna <[EMAIL PROTECTED]> | "No matter how much it changes,
http://flounder.net/publickey.html   |  technology's just a bunch of wires
GPG: 17A4 11F7 5E7E C2E7 08AA|  connected to a bunch of other wires."
 38B0 05D0 8BF7 2C6D 110A|  Joe Rogan, _NewsRadio_
  2:52pm  up 164 days, 13:08, 10 users,  load average: 0.00, 0.00, 0.00




Re: secrets and lies

2000-11-21 Thread Adam McKenna

On Tue, Nov 21, 2000 at 12:32:02AM -0500, Nathan J. Mehl wrote:
> IANAL, but my feeling is that the documents in question pretty
> unambiguously lead to the conclusion that you'd be SOL in that case,
> and I would further suspect that Dan keeps the only notices about
> qmail's distribution terms in a centralized place to leave himself the
> option of refining the terms were such a case to arise.
> 
> As he wrote the code, this is unquestionably his right.

If that is his intent, then it's of questionable merit.  I personally don't
believe that it is his intent, but I could be wrong.

> As I personally could care less about the alleged moral tonic of "Free"
> or "Open Source" software and my needs are satisfied by qmail's
> default configuration, this isn't really an issue for me personally.
> People with personal or business needs for such things should probably
> consider the MTAs which explicitly set such terms, rather than hoping
> that qmail might one day satisfy them.  Based on past experience, it's
> not likely to.

I'm not arguing that Dan should change the terms under which he releases his
software, I'm arguing that he should include those terms along with the
software, so that the users of his software know the terms up front, instead 
of having to rely on a potentially dynamic web page.

--Adam

-- 
Adam McKenna <[EMAIL PROTECTED]> | "No matter how much it changes, 
http://flounder.net/publickey.html   |  technology's just a bunch of wires 
GPG: 17A4 11F7 5E7E C2E7 08AA|  connected to a bunch of other wires."
 38B0 05D0 8BF7 2C6D 110A|  Joe Rogan, _NewsRadio_
  2:52pm  up 164 days, 13:08, 10 users,  load average: 0.00, 0.00, 0.00



Re: secrets and lies

2000-11-21 Thread Michael T. Babcock

Paul Jarc wrote:

> ... I don't see ambiguity in them [dist.html or softwarelaw.html or
> rights.html] ...

Are you not as analytical as those who criticise the situation?
--
Michael T. Babcock, C.T.O. FibreSpeed
http://www.fibrespeed.net/~mbabcock





Re: secrets and lies

2000-11-21 Thread Michael T. Babcock

Paul Jarc wrote:

> > So when a lot of people download the files, they don't know what the
> > licensing is and have to ask on the list(s)
>
> True, but not relevant to the question of what is legal.

The question is what the author permits the user to do -- this is what a license
is about.  Since the author gives no implicit license, we all come down to IANAL
legal battles over what is implied by his other writings.  A license would clear
(most of) this up -- that's the issue.

> > He wrote it all -- it's all DJB's theories -- they may be right or wrong, but
> > he's not a lawyer so it's not even really worth trusting his theories at all.
>
> Have you even read rights.html?

Many times unfortunately.

>  When talking about what might be the
> correct interpretation of the law, it says "Some people think ..." and
> "Other people ...".  It doesn't say "I think".

He re-iterates specific thoughts in the form of hearsay.  The overall picture of
the file is his theory on implied rights of the user of software.  Since he does
not quote case law (which would be valid in the USA or Canada at least) or other
legal documents, the majority of that file constitutes DJB's theories.

> Are you saying that
> these are simply false statements, and that no one actually holds the
> views that Dan says some do?

That's not necessary for what I said originally, and you know it -- so it's not
worth a flame-war, is it?

>  Even if so, why does it matter?  He says
> "I promise I won't sue you for copyright violation for downloading
> documents from my server."

Like I said -- where's the disclaimer from his employer if he's ever used
university time to write that software?

> Would you be more satisfied with something
> like "I hereby waive my right to sue ..."?  It still wouldn't be a
> contract.  He could still go back and edit it.  You'd still need
> others' copies to support your claim that you got it legally.

In fact, there's no guarantee that any document would form a legally binding
contract as contracts must be accepted by both parties in many (most?) countries
and "click" style licensing has proven not binding in some countries.  This is a
point the GPL (just an example) makes by reminding the user that they can either
accept the license as given, or ignore it, but if they choose to ignore it, they
get no rights whatsoever to modification or redistribution.

> There's also no statement that he wrote any of his software on the
> University's time.

More appropriately, there's no statement that he didn't.

> He could publish a statement (by himself, or by
> University officials) that he in fact is the copyright holder, but why
> would you trust such an explicit statement over the implicit one,
> since that statement could be false anyway?

Because then I could show my good faith that the statement was true, which makes a
legal case in my favor -- depending on an assumption considering the lack of such
a statement is strange.

>  If I really cared, I'd
> want a signed document from the University.  Otherwise, the present
> situation is as good as any other.

The present situation is clearly not as good as a well-written license and
disclaimer.
--
Michael T. Babcock, C.T.O. FibreSpeed
http://www.fibrespeed.net/~mbabcock





Re: secrets and lies

2000-11-20 Thread Nathan J. Mehl


([EMAIL PROTECTED] snipped due to overwhelming qmail-centrism)

In the immortal words of Adam McKenna ([EMAIL PROTECTED]):
> 
> You don't, but others do.  For instance, I can distribute a package that
> contains pristine qmail source and patches, and include a script which 
> applies the patches, changes conf-home, and compiles and installs qmail.  
> According to dist.html, that would be fine.  But what if Dan found out 
> someone was doing this and got angry?  Maybe he'd think about changing 
> dist.html.  After he changed it, could I then continue distributing this 
> package without fear of being sued?

IANAL, but my feeling is that the documents in question pretty
unambiguously lead to the conclusion that you'd be SOL in that case,
and I would further suspect that Dan keeps the only notices about
qmail's distribution terms in a centralized place to leave himself the
option of refining the terms were such a case to arise.

As he wrote the code, this is unquestionably his right.

As I personally could care less about the alleged moral tonic of "Free"
or "Open Source" software and my needs are satisfied by qmail's
default configuration, this isn't really an issue for me personally.
People with personal or business needs for such things should probably
consider the MTAs which explicitly set such terms, rather than hoping
that qmail might one day satisfy them.  Based on past experience, it's
not likely to.

<[EMAIL PROTECTED]>
 Dear Future Employer: Who's your daddy? Who's your daddy? I think
we know. Thanks! $100,000 a year, I'll be there on monday, please.
  -chelleMarie




Re: secrets and lies

2000-11-20 Thread Adam McKenna

On Mon, Nov 20, 2000 at 04:21:51PM -0500, Paul Jarc wrote:
> Adam McKenna <[EMAIL PROTECTED]> writes:
> > Maybe he'd think about changing dist.html.  After he changed it,
> > could I then continue distributing this package without fear of
> > being sued?
> 
> If the new dist.html said no, then it would seem clear that you
> couldn't.  This is not an ambiguity in the current or potential future
> dist.html, but I think I see your point now: you want to know what you
> will *always* be allowed to do with qmail, not just what you are
> allowed to do today.  (Right?)

Allowing someone to download and use a piece of software under certain terms, 
and then changing the terms after that person has made an investment of 
time/money in order to use that software is not acceptable.

All I'm saying is that I'd like the redistribution terms/terms of use to come 
with the software.  That way I don't have to be paranoidically checking
dist.html every day to make sure Dan hasn't changed the terms.

--Adam

-- 
Adam McKenna <[EMAIL PROTECTED]> | "No matter how much it changes, 
http://flounder.net/publickey.html   |  technology's just a bunch of wires 
GPG: 17A4 11F7 5E7E C2E7 08AA|  connected to a bunch of other wires."
 38B0 05D0 8BF7 2C6D 110A|  Joe Rogan, _NewsRadio_
  5:37pm  up 163 days, 15:53, 11 users,  load average: 0.23, 0.14, 0.05



RE: secrets and lies

2000-11-20 Thread Jamin Collins

I may be missing some of the point here, but the way I see it, there is a
distinct desire to have a license provided with the software indicating what
is and isn't allowed.  This is a fairly normal practice in the software
industry (open and closed source alike).  

IMHO, the license included with the software serves as a static marker of
sorts.  While future versions of the license may change and be included with
future versions of the software, they don't apply to previous versions of
the software that were shipped with another license.

It is this peace of mind that I too would like to see.  I'm in no way
attempting to take away the author's right to change a license for their
software.  However, if I've accepted one license on a piece of software
because it meets my needs and I can deal with any requirements of the
license, I would like to know that the license is not going to change.  This
is not too much to ask.

If the author then wants to put a web page up with the most current version
of the license, great.  However, I think there are many others like myself
out there, that would like to see a copy of the license (as it pertains to
the software at the time the software was released) included with the
software.

Note:
If anyone out there knows of a company that successfully changed their
license for software and made those changes effective retroactively, I would
like to know.

Jamin W. Collins

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 20, 2000 3:22 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: secrets and lies


Adam McKenna <[EMAIL PROTECTED]> writes:
> Maybe he'd think about changing dist.html.  After he changed it,
> could I then continue distributing this package without fear of
> being sued?

If the new dist.html said no, then it would seem clear that you
couldn't.  This is not an ambiguity in the current or potential future
dist.html, but I think I see your point now: you want to know what you
will *always* be allowed to do with qmail, not just what you are
allowed to do today.  (Right?)

Well, barring future changes in copyright law (which could potentially
invalidate *any* statement we might make today), you will always be
allowed to patch, compile, back up, and run qmail.  You will always be
allowed to distribute your patches, since you hold copyright on them
(I think).  Additionally, you can redistribute vanilla qmail today.
You do not have the guarantee that you will always be allowed to
redistribute qmail, but this is not ambiguous - it's clearly, if
implicitly, unspecified.  If you agree with this but call it
"ambiguous" instead of "unspecified", then I guess we'll just have to
be more careful how we use such words to avoid confusion.


paul



Re: secrets and lies

2000-11-20 Thread Paul Jarc

"Michael T. Babcock" <[EMAIL PROTECTED]> writes:
> Paul Jarc wrote:
> > The GPL doesn't give you permission to get a copy of Emacs; it
> > only specifies what you can do once you have.
> 
> For a lot of people, being able to obtain said software isn't the
> problem -- it's the right to use it in the ways they wish to do so in
> the long term.

Yes, I know, but the message I was responding to addressed this point
specifically.


paul



Re: secrets and lies

2000-11-20 Thread Paul Jarc

Adam McKenna <[EMAIL PROTECTED]> writes:
> Maybe he'd think about changing dist.html.  After he changed it,
> could I then continue distributing this package without fear of
> being sued?

If the new dist.html said no, then it would seem clear that you
couldn't.  This is not an ambiguity in the current or potential future
dist.html, but I think I see your point now: you want to know what you
will *always* be allowed to do with qmail, not just what you are
allowed to do today.  (Right?)

Well, barring future changes in copyright law (which could potentially
invalidate *any* statement we might make today), you will always be
allowed to patch, compile, back up, and run qmail.  You will always be
allowed to distribute your patches, since you hold copyright on them
(I think).  Additionally, you can redistribute vanilla qmail today.
You do not have the guarantee that you will always be allowed to
redistribute qmail, but this is not ambiguous - it's clearly, if
implicitly, unspecified.  If you agree with this but call it
"ambiguous" instead of "unspecified", then I guess we'll just have to
be more careful how we use such words to avoid confusion.


paul



Re: secrets and lies

2000-11-20 Thread David Dyer-Bennet

Paul Jarc <[EMAIL PROTECTED]> writes on 20 November 2000 at 13:21:16 -0500
 > Adam McKenna <[EMAIL PROTECTED]> writes:
 > > I want an unambiguous license included with the software that
 > > explicitly defines what I am allowed to do with it.  If you don't
 > > need that then fine, but please don't argue that it's not needed,
 > > because there are clearly a number of people on this list that
 > > desire it.
 > 
 > Please don't confuse need with desire.  You may not like dist.html or
 > softwarelaw.html or rights.html, but I don't see ambiguity in them,
 > and I don't see how including them in the software distributions would
 > make them any more legally significant.

Equally, you should not confuse *your* needs (or lack thereof) with
other people's needs.
-- 
David Dyer-Bennet  /  Welcome to the future!  /  [EMAIL PROTECTED]
SF: http://www.dd-b.net/dd-b/  Minicon: http://www.mnstf.org/minicon/
Photos: http://dd-b.lighthunters.net/



Re: secrets and lies

2000-11-20 Thread Adam McKenna

On Mon, Nov 20, 2000 at 01:21:16PM -0500, Paul Jarc wrote:
> Adam McKenna <[EMAIL PROTECTED]> writes:
> > I want an unambiguous license included with the software that
> > explicitly defines what I am allowed to do with it.  If you don't
> > need that then fine, but please don't argue that it's not needed,
> > because there are clearly a number of people on this list that
> > desire it.
> 
> Please don't confuse need with desire.  You may not like dist.html or
> softwarelaw.html or rights.html, but I don't see ambiguity in them,

You don't, but others do.  For instance, I can distribute a package that
contains pristine qmail source and patches, and include a script which 
applies the patches, changes conf-home, and compiles and installs qmail.  
According to dist.html, that would be fine.  But what if Dan found out 
someone was doing this and got angry?  Maybe he'd think about changing 
dist.html.  After he changed it, could I then continue distributing this 
package without fear of being sued?

> and I don't see how including them in the software distributions would
> make them any more legally significant.

Including them in the tarball would set specific terms on specific pieces of 
software.

--Adam

-- 
Adam McKenna <[EMAIL PROTECTED]> | "No matter how much it changes, 
http://flounder.net/publickey.html   |  technology's just a bunch of wires 
GPG: 17A4 11F7 5E7E C2E7 08AA|  connected to a bunch of other wires."
 38B0 05D0 8BF7 2C6D 110A|  Joe Rogan, _NewsRadio_
  2:52pm  up 163 days, 13:08, 11 users,  load average: 0.28, 0.08, 0.03



Re: secrets and lies

2000-11-20 Thread Michael T. Babcock

Paul Jarc wrote:

> It's the same situation as with, say, Emacs.  The GPL doesn't give you
> permission to get a copy of Emacs; it only specifies what you can do
> once you have.  The nearest I could find to explicit permission to
> download it is "By FTP we provide source code for all GNU software,
> free of charge." at
> <http://www.gnu.org/software/software.html#HowToGetSoftware>, and
> that covers only the GNU site itself, not mirrors.  I think
> rights.html is clearer.

For a lot of people, being able to obtain said software isn't the problem -- it's
the right to use it in the ways they wish to do so in the long term.  That's what
licenses are about.  The fact that GNU software happens to be mirrored all over
the globe pretty much eliminates the obtaining factor ... especially since anyone
who has a copy has full rights to redistribution under the GPL.
--
Michael T. Babcock, C.T.O. FibreSpeed
http://www.fibrespeed.net/~mbabcock





Re: secrets and lies

2000-11-20 Thread Paul Jarc

Adam McKenna <[EMAIL PROTECTED]> writes:
> I want an unambiguous license included with the software that
> explicitly defines what I am allowed to do with it.  If you don't
> need that then fine, but please don't argue that it's not needed,
> because there are clearly a number of people on this list that
> desire it.

Please don't confuse need with desire.  You may not like dist.html or
softwarelaw.html or rights.html, but I don't see ambiguity in them,
and I don't see how including them in the software distributions would
make them any more legally significant.


paul



Re: secrets and lies

2000-11-20 Thread Adam McKenna

On Mon, Nov 20, 2000 at 11:43:44AM -0500, Paul Jarc wrote:
> The same way as if rights.html were included in qmail-1.03.tar.gz: I'd
> ask people who had copies to present them, to support my claim.  There
> would be more such copies if it were included in qmail-1.03.tar.gz,
> but I'm not going to waste time worrying about it.

You're not, because you're not thinking from the perspective of someone who
wants to distribute.

> It's the same situation as with, say, Emacs.  The GPL doesn't give you
> permission to get a copy of Emacs; it only specifies what you can do
> once you have.  The nearest I could find to explicit permission to
> download it is "By FTP we provide source code for all GNU software,
> free of charge." at
> <http://www.gnu.org/software/software.html#HowToGetSoftware>, and
> that covers only the GNU site itself, not mirrors.  I think
> rights.html is clearer.

You're still thinking too narrowly.  I want an unambiguous license included 
with the software that explicitly defines what I am allowed to do with it.
If you don't need that then fine, but please don't argue that it's not
needed, because there are clearly a number of people on this list that desire
it.

--Adam

-- 
Adam McKenna <[EMAIL PROTECTED]> | "No matter how much it changes, 
http://flounder.net/publickey.html   |  technology's just a bunch of wires 
GPG: 17A4 11F7 5E7E C2E7 08AA|  connected to a bunch of other wires."
 38B0 05D0 8BF7 2C6D 110A|  Joe Rogan, _NewsRadio_
 12:35pm  up 163 days, 10:52, 11 users,  load average: 0.14, 0.10, 0.03



Re: secrets and lies

2000-11-20 Thread Paul Jarc

"Michael T. Babcock" <[EMAIL PROTECTED]> writes:
> Paul Jarc wrote:
> > "Pavel Kankovsky" <[EMAIL PROTECTED]> writes:
> > > But there are ABSOLUTELY no references to dist.html or
> > > softwarelaw.html in the source tarballs.
> >
> > So what?
> 
> So when a lot of people download the files, they don't know what the
> licensing is and have to ask on the list(s)

True, but not relevant to the question of what is legal.

> > I see no theories of his [in rights.html].  The only part there he
> > attributes to himself is:
> 
> He wrote it all -- it's all DJB's theories -- they may be right or wrong, but
> he's not a lawyer so it's not even really worth trusting his theories at all.

Have you even read rights.html?  When talking about what might be the
correct interpretation of the law, it says "Some people think ..." and
"Other people ...".  It doesn't say "I think".  Are you saying that
these are simply false statements, and that no one actually holds the
views that Dan says some do?  Even if so, why does it matter?  He says
"I promise I won't sue you for copyright violation for downloading
documents from my server."  Would you be more satisfied with something
like "I hereby waive my right to sue ..."?  It still wouldn't be a
contract.  He could still go back and edit it.  You'd still need
others' copies to support your claim that you got it legally.

> > which makes it clear to me that downloading, e.g., qmail-1.03.tar.gz
> > won't get me in trouble.
> 
> No, because there's no statement about whether the University he
> works at thinks that they own the Copyright on software he may have
> worked on while being paid by them -- he doesn't include a waiver
> statement by them either.

There's also no statement that he wrote any of his software on the
University's time.  He could publish a statement (by himself, or by
University officials) that he in fact is the copyright holder, but why
would you trust such an explicit statement over the implicit one,
since that statement could be false anyway?  If I really cared, I'd
want a signed document from the University.  Otherwise, the present
situation is as good as any other.


paul



Re: secrets and lies

2000-11-20 Thread Paul Jarc

Adam McKenna <[EMAIL PROTECTED]> writes:
> On Sun, Nov 19, 2000 at 09:05:04PM -0500, Paul Jarc wrote:
> > : I don't know which of these theories will succeed in court.  I also
> > : don't think you should have to care.  So I promise I won't sue you
> > : for copyright violation for downloading documents from my server.
> > 
> > which makes it clear to me that downloading, e.g., qmail-1.03.tar.gz
> > won't get me in trouble.
> 
> Unless Dan decides at a later date to remove that page from his website.  At
> that point, how will you prove that you obtained the software legitimately?

The same way as if rights.html were included in qmail-1.03.tar.gz: I'd
ask people who had copies to present them, to support my claim.  There
would be more such copies if it were included in qmail-1.03.tar.gz,
but I'm not going to waste time worrying about it.

It's the same situation as with, say, Emacs.  The GPL doesn't give you
permission to get a copy of Emacs; it only specifies what you can do
once you have.  The nearest I could find to explicit permission to
download it is "By FTP we provide source code for all GNU software,
free of charge." at
<http://www.gnu.org/software/software.html#HowToGetSoftware>, and
that covers only the GNU site itself, not mirrors.  I think
rights.html is clearer.


paul



Re: secrets and lies

2000-11-20 Thread David Dyer-Bennet

Michael T. Babcock <[EMAIL PROTECTED]> writes on 20 November 2000 at 10:34:23 -0500
 > Just like many others, IANAL, but ...
 > 
 > Paul Jarc wrote:

 > > I see no theories of his there.  The only part there he attributes to
 > > himself is:
 > 
 > He wrote it all -- it's all DJB's theories -- they may be right or wrong, but
 > he's not a lawyer so it's not even really worth trusting his theories at all.

But his statements about what he will and won't do in the future might
be considered binding.  For that matter, his belief that it's okay for
us to download stuff from his server, coupled with his placing stuff
on his server, could be interpreted as permission for us to download
that stuff.  

Or not.  I'd be happier with a clearcut license, and if I were trying
to get qmail into corporate environments I'd probably find the lack of
license a big problem.
-- 
David Dyer-Bennet  /  Welcome to the future!  /  [EMAIL PROTECTED]
SF: http://www.dd-b.net/dd-b/  Minicon: http://www.mnstf.org/minicon/
Photos: http://dd-b.lighthunters.net/



Re: secrets and lies

2000-11-20 Thread Michael T. Babcock

Just like many others, IANAL, but ...

Paul Jarc wrote:

> "Pavel Kankovsky" <[EMAIL PROTECTED]> writes:
> > But there are ABSOLUTELY no references to dist.html or softwarelaw.html in
> > the source tarballs.
>
> So what?

So when a lot of people download the files, they don't know what the licensing
is and have to ask on the list(s) -- if he referred to those URLs at least (in
all distributions) and/or included text versions (is it really that hard?),
people would know what they're getting.

> I see no theories of his there.  The only part there he attributes to
> himself is:

He wrote it all -- it's all DJB's theories -- they may be right or wrong, but
he's not a lawyer so it's not even really worth trusting his theories at all.

> which makes it clear to me that downloading, e.g., qmail-1.03.tar.gz
> won't get me in trouble.

No, because there's no statement about whether the University he works at thinks
that they own the Copyright on software he may have worked on while being paid
by them -- he doesn't include a waiver statement by them either.  In fact, the
only thing that's very clear from his documents on Copyright is that he either
doesn't like licenses, or he is afraid to use one because it won't hold up in
court and he'll lose the control he likes having.

Both those reasons are valid to me, btw.
--
Michael T. Babcock, C.T.O. FibreSpeed
http://www.fibrespeed.net/~mbabcock





Re: secrets and lies

2000-11-19 Thread Adam McKenna

On Sun, Nov 19, 2000 at 09:05:04PM -0500, Paul Jarc wrote:
> : I don't know which of these theories will succeed in court.  I also
> : don't think you should have to care.  So I promise I won't sue you
> : for copyright violation for downloading documents from my server.
> 
> which makes it clear to me that downloading, e.g., qmail-1.03.tar.gz
> won't get me in trouble.

Unless Dan decides at a later date to remove that page from his website.  At
that point, how will you prove that you obtained the software legitimately?

--Adam

-- 
Adam McKenna <[EMAIL PROTECTED]> | "No matter how much it changes, 
http://flounder.net/publickey.html   |  technology's just a bunch of wires 
GPG: 17A4 11F7 5E7E C2E7 08AA|  connected to a bunch of other wires."
 38B0 05D0 8BF7 2C6D 110A|  Joe Rogan, _NewsRadio_
  9:22pm  up 162 days, 19:38, 12 users,  load average: 0.00, 0.01, 0.00



Re: secrets and lies

2000-11-19 Thread Paul Jarc

"Pavel Kankovsky" <[EMAIL PROTECTED]> writes:
> But there are ABSOLUTELY no references to dist.html or softwarelaw.html in
> the source tarballs.

So what?

> Moreover, softwarelaw.html is about using the software ``once you've
> legally downloaded [it]'', dist.html is about (re)distribution of qmail
> (again, once you've...). The mere fact something is published on the
> Internet does not make downloading it legal (DJB's theories in
> http://cr.yp.to/rights.html notwithstanding),

I see no theories of his there.  The only part there he attributes to
himself is:

: I don't know which of these theories will succeed in court.  I also
: don't think you should have to care.  So I promise I won't sue you
: for copyright violation for downloading documents from my server.

which makes it clear to me that downloading, e.g., qmail-1.03.tar.gz
won't get me in trouble.


paul



Re: secrets and lies

2000-11-19 Thread Andy Bradford

Thus said Raul Miller on Sun, 19 Nov 2000 12:33:30 EST:

> Or do you have similar problems deciding whether ATM means automated
> teller machine or asynchronous transfer mode?  Or deciding whether
> ASP means active server pages or application service provider?  Or ...

Not generally, however, I must admit that when...

[EMAIL PROTECTED] said:
> Don't care. What I care about is what the words mean in an actual
> language. In this case English. I do not recognize OSI as a standards
> body and do not care what definition of Open Source can be found at
> opensource.org or the 

I was thrown off for a bit---I have never seen Open Source Initiative 
turned into an acronym, so the first time I saw OSI I immediately 
thought he had qualms with the OSI model, because that was the only 
instance of OSI that I had ever seen (and I have been using "open 
source" software for a while now).

Andy
-- 
[---[system uptime]]
 12:19pm  up 17 days, 14:39,  4 users,  load average: 1.20, 1.35, 1.31





Re: secrets and lies

2000-11-19 Thread Raul Miller

Thus said "Michael T. Babcock" on Sat, 18 Nov 2000 13:41:20 EST:
> > OSI == "Open Source Initiative" I believe ...

On Sat, Nov 18, 2000 at 11:52:03AM -0700, Andy Bradford wrote:
> That's funny, I always thought that OSI was the _Open Systems 
> Interconnection_ internet model proposed by the ISO.  I guess this 
> goes to show that context really does matter. :-)

Yep.

Or do you have similar problems deciding whether ATM means automated
teller machine or asynchronous transfer mode?  Or deciding whether
ASP means active server pages or application service provider?  Or ...

-- 
Raul



Re: secrets and lies

2000-11-19 Thread Pavel Kankovsky

On Fri, 17 Nov 2000, Felix von Leitner wrote:

> Software security _is_ easy.
> The correct paradigms have been published for decades.

And ignored by most people for decades. :)

> Had you actually read the Schneier, you would know that no testing in
> the world can prove the security of a system.  Testing can only prove
> that a system is not secure.

Unless a finite set of tests can exhaust all the desired behaviour of the
system. Most systems are not finite in this sense but a few are. (Anyway,
I guess that he meant testing in a wider sense.)

> And source code is a formal representation of an algorithm, not a proof.

There is a thing called Howard-Someone correspondence (I can't recall the
second name now, sorry) translating logical formulas to lambda terms and
vice versa. This can be used to show that proofs of theorems of a certain
form correspond to programs (i.e. lambda terms) and programs correspond to
proofs.

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."




Re: secrets and lies

2000-11-19 Thread Pavel Kankovsky

On 15 Nov 2000, Chris K. Young wrote:

> I say that dist.html should be considered authoritative. There are
> references in the qmail and djbdns documentation that contain the
> URL to their respective pages.

But there are ABSOLUTELY no references to dist.html or softwarelaw.html in
the source tarballs. I have examined qmail 1.03 (including the bundled
sort-of documentation) and dnscache 1.00 (I do not think the most djbdns
is so different to justify the costs of downloading it right now, via a
slow modem link).

Moreover, softwarelaw.html is about using the software ``once you've
legally downloaded [it]'', dist.html is about (re)distribution of qmail
(again, once you've...). The mere fact something is published on the
Internet does not make downloading it legal (DJB's theories in
http://cr.yp.to/rights.html notwithstanding), esp. when the thing in
question does not carry any ``you can copy me'' label (for the same
reasons the mere fact I neglected to close and lock the door of my house
does not give you the right to enter and take my stuff).

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."




RE: secrets and lies

2000-11-18 Thread Russell Nelson

Al writes:
 > It means that the software license conforms to the requirements put forth by
 > the Open Source Initiative, an unincorporated nonprofit entity.

Actually, we're incorporated.  Not only that, but we're
IRS-501(c)3-compatible.

-- 
-russ nelson <[EMAIL PROTECTED]>  http://russnelson.com
Crynwr sells support for free software  | PGPok | The best way to help the poor
521 Pleasant Valley Rd. | +1 315 268 1925 voice | is to help the rich build
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   | up their capital.



RE: secrets and lies

2000-11-18 Thread Al

> Oh?  And what does "OSI Certified Open Source Software" mean
> in an actual
> language, in this case English?
>

It means that the software license conforms to the requirements put forth by
the Open Source Initiative, an unincorporated nonprofit entity.

[It is a good idea to use the full name before the use of the acronym in a
document to help reduce confusion when context may be insufficient (i.e.
_Open Systems Interconnection_ )]

One could also put forth the argument that by putting the term "Open Source"
into the leading caps form you are moving from a general noun to a proper
name. It may be even better to use "open-source software" as the hyphen sets
the term as an adjective (as in open-ended). Of course nobody said "you mean
'open-source software' not 'Open Source Software'" at the start of all this.

> > I do not recognize OSI as a standards body
>
> Sounds like a personal issue.  But I'm interested in how you assign
> meaning to "OSI Certified Open Source Software" given your refusal
> to recognize something that you're willing to talk about.

It means that they do not have a right to define the term "open source" (or
maybe "open-source") any more than the organization that brands something
with "the good housekeeping seal of approval" has a right to  say that
because a blender does not have their seal, it is not in fact a blender.
Even if they were the first ones to use the term blender as it relates to a
kitchen appliance.

They are a group of people who got together and decided they wanted to
control the term "Open Source" via a trademark. After having their attempt
rejected (due to the nature of trademark law and no fault of their own), they have
created the certification program. The certification process is a perfect
method to do exactly what they want, which is to define which software has
their blessing. They are not evil folk, bad guys or a threat to themselves
or others. I like a lot of what they are doing.

So how about we return this list to its normal use and let this thread die as
it is not getting anybody anywhere.

-
"One of the best examples of pure democracy in action is the lynch mob"
- AA4YU





Re: secrets and lies

2000-11-18 Thread Andy Bradford

Thus said "Michael T. Babcock" on Sat, 18 Nov 2000 13:41:20 EST:

> OSI == "Open Source Initiative" I believe ...

That's funny, I always thought that OSI was the _Open Systems 
Interconnection_ internet model proposed by the ISO.  I guess this 
goes to show that context really does matter. :-)

Andy
-- 
[---[system uptime]]
 11:52am  up 16 days, 14:11,  4 users,  load average: 1.28, 1.33, 1.29





Re: secrets and lies

2000-11-18 Thread Michael T. Babcock

Raul Miller wrote:

> On Fri, Nov 17, 2000 at 10:43:50PM -0500, Al wrote:
> > Don't care. What I care about is what the words mean in an actual
> > language. In this case English.
>
> Oh?  And what does "OSI Certified Open Source Software" mean in an actual
> language, in this case English?

OSI == "Open Source Initiative" I believe ...

http://www.opensource.org/osd.html

> > I do not recognize OSI as a standards body
>
> Sounds like a personal issue.  But I'm interested in how you assign
> meaning to "OSI Certified Open Source Software" given your refusal
> to recognize something that you're willing to talk about.

I don't understand that either ;-).
--
Michael T. Babcock, C.T.O. FibreSpeed
http://www.fibrespeed.net/~mbabcock





Re: secrets and lies

2000-11-18 Thread Raul Miller

> > Nope. If it's not free, it's not OSI Certified Open Source Software.
> > I'm on the board; you have my personal guarantee that that will
> > remain the case as long as I am.

On Fri, Nov 17, 2000 at 10:43:50PM -0500, Al wrote:
> Don't care. What I care about is what the words mean in an actual
> language. In this case English.

Oh?  And what does "OSI Certified Open Source Software" mean in an actual
language, in this case English?

> I do not recognize OSI as a standards body

Sounds like a personal issue.  But I'm interested in how you assign
meaning to "OSI Certified Open Source Software" given your refusal
to recognize something that you're willing to talk about.

-- 
Raul



RE: secrets and lies

2000-11-18 Thread Al


> -Original Message-
> From: Russell Nelson [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, November 18, 2000 9:37 AM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: Re: secrets and lies
> 
> 
> Ian Lance Taylor writes:
>  >From: "Al" <[EMAIL PROTECTED]>
>  >Date: Fri, 17 Nov 2000 22:43:50 -0500
>  > 
>  >Don't care. What I care about is what the words mean in 
> an actual language.
> 
> Oh, so "Microsoft" means small software?  And "Ian Lance Taylor" is
> someone who sews with a really long needle?  I'm sorry, Al, but you're
> being an idiot.  Words have context, and you discard meaning when you
> intentionally lose context.

Thanks for resorting to name calling to prove my point.

-
"One of the best examples of pure democracy in action is the lynch mob"
- AA4YU 

 



Re: secrets and lies

2000-11-18 Thread Russell Nelson

Ian Lance Taylor writes:
 >From: "Al" <[EMAIL PROTECTED]>
 >Date: Fri, 17 Nov 2000 22:43:50 -0500
 > 
 >Don't care. What I care about is what the words mean in an actual language.

Oh, so "Microsoft" means small software?  And "Ian Lance Taylor" is
someone who sews with a really long needle?  I'm sorry, Al, but you're
being an idiot.  Words have context, and you discard meaning when you
intentionally lose context.

 > Cool.  ``Open source'' was invented because people thought ``free
 > software'' was a misuse of English.  Now we can see the same thing
 > happen to ``open source.''

Yep.  THAT was a botch.  We should have invented a word, like Debian,
Zembu, qmail, or djbdns.

 > The way I use the terms, DJBware is neither free software nor open
 > source.  It's source-available and no-cost, but it's not
 > modified-redistributable.

Yeah, but it's just so, so close to being free software.  I think that 
it's not being modified-redistributable affects its acceptance in the
community, but when I wear my qmail user's hat (as opposed to
developer's hat), the difference is immaterial.  I've got the source,
I've got permission to make changes, and I've got permission to
redistribute patches.

That said, modified-redistributable is a required permission to be
OSI Certified Open Source.

-- 
-russ nelson <[EMAIL PROTECTED]>  http://russnelson.com
Crynwr sells support for free software  | PGPok | The best way to help the poor
521 Pleasant Valley Rd. | +1 315 268 1925 voice | is to help the rich build
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   | up their capital.



Re: secrets and lies

2000-11-18 Thread Andre Oppermann

Mate Wierdl wrote:
> 
> On Wed, Nov 15, 2000 at 08:48:31AM +0100, Andre Oppermann wrote:
> > Another possible qmail attack is its late bouncing for non-existent
> > users. Using a false envelope sender address you could fill up the
> > queue with double bounces. I consider this a more serious problem.
> > The decision to handle bouncing this way was apparently part of the
> > security and modularity concept of qmail.
> 
> Wietse's attack was (modified a bit):
> 
> while true; do
>   qmail-queue&
>   kill $!
> done
> 
> This creates 0 length files in /var/qmail/queue/mess until inodes get
> exhausted.  And manual intervention/recovery certainly seems needed.

Yes, unless qmail-clean would clean them up (as well as in queue/pid).

> Dan's response was that this is not completely anonymous since people
> are supposed to do process accounting.  (On RH Linux, btw, the user
> is easy to catch since users have their own group).
> 
> My question is why is it not better for qmail-queue to *immediately* write
> the "received" line identifying the user?

In theory this could be done. The problem is, you'll see this when you
look at the code, a race condition. A pid file is being created, then
inode number is taken and then the whole thing is linked/unlinked
(transaction) from queue/pid to queue/mess. I can't imagine a fix
other than cleaning up with qmail-clean.

-- 
Andre



Re: secrets and lies

2000-11-18 Thread Adam McKenna

On Fri, Nov 17, 2000 at 10:43:50PM -0500, Al wrote:
> Don't care. What I care about is what the words mean in an actual language.
> In this case English. I do not recognize OSI as a standards body and do not
> care what definition of Open Source can be found at opensource.org or the
> FSF. When I look up the words "open" and "source" in my Webster's I am not
> going to cut out big chunks of what fits because some people have some kind
> of agenda they are trying to promote.

If you want to have your own definition of "Open Source", that's fine.  Just
keep it to yourself.  When you use the words "Open Source" in a public forum,
people will generally assume that you are talking about software that
complies with the OSD.  To publicly claim that software is "Open Source",
based on your own personal definition is just boorish and arrogant, and
invites (semantic) arguments.

All the king's horses, etc.

--Adam

-- 
Adam McKenna <[EMAIL PROTECTED]> | "No matter how much it changes, 
http://flounder.net/publickey.html   |  technology's just a bunch of wires 
GPG: 17A4 11F7 5E7E C2E7 08AA|  connected to a bunch of other wires."
 38B0 05D0 8BF7 2C6D 110A|  Joe Rogan, _NewsRadio_
  4:56am  up 161 days,  3:12, 12 users,  load average: 0.00, 0.00, 0.00



Re: secrets and lies

2000-11-17 Thread Ian Lance Taylor

   From: "Al" <[EMAIL PROTECTED]>
   Date: Fri, 17 Nov 2000 22:43:50 -0500

   > Lipscomb, Al writes:
   >  > Open Source is often used to describe software that has
   > its source code
   >^ incorrectly
   >  > available regardless of the license involved. "Free
   > Software" as promoted by
   >  > the Free Software Foundation (FSF) is a different thing. I
   > belive that the
   >  > DJB software is Open Source, but not free.
   >
   > Nope.  If it's not free, it's not OSI Certified Open Source Software.
   > I'm on the board; you have my personal guarantee that that
   > will remain
   > the case as long as I am.

   Don't care. What I care about is what the words mean in an actual language.
   In this case English. I do not recognize OSI as a standards body and do not
   care what definition of Open Source can be found at opensource.org or the
   FSF. When I look up the words "open" and "source" in my Webster's I am not
   going to cut out big chunks of what fits because some people have some kind
   of agenda they are trying to promote.

Cool.  ``Open source'' was invented because people thought ``free
software'' was a misuse of English.  Now we can see the same thing
happen to ``open source.''

What will the next term be? ``Software for which source is available and
for which others are not restricted from redistributing changed
versions?''  How about ``redistributable source?''

The way I use the terms, DJBware is neither free software nor open
source.  It's source-available and no-cost, but it's not
modified-redistributable.

Ian



RE: secrets and lies

2000-11-17 Thread Al

>
> Lipscomb, Al writes:
>  > Open Source is often used to describe software that has
> its source code
>^ incorrectly
>  > available regardless of the license involved. "Free
> Software" as promoted by
>  > the Free Software Foundation (FSF) is a different thing. I
> believe that the
>  > DJB software is Open Source, but not free.
>
> Nope.  If it's not free, it's not OSI Certified Open Source Software.
> I'm on the board; you have my personal guarantee that that
> will remain
> the case as long as I am.
>

Don't care. What I care about is what the words mean in an actual language.
In this case English. I do not recognize OSI as a standards body and do not
care what definition of Open Source can be found at opensource.org or the
FSF. When I look up the words "open" and "source" in my Webster's I am not
going to cut out big chunks of what fits because some people have some kind
of agenda they are trying to promote.

-
"One of the best examples of pure democracy in action is the lynch mob"
- AA4YU




RE: secrets and lies

2000-11-17 Thread Russell Nelson

Lipscomb, Al writes:
 > Open Source is often used to describe software that has its source code
   ^ incorrectly
 > available regardless of the license involved. "Free Software" as promoted by
 > the Free Software Foundation (FSF) is a different thing. I believe that the
 > DJB software is Open Source, but not free.

Nope.  If it's not free, it's not OSI Certified Open Source Software.
I'm on the board; you have my personal guarantee that that will remain 
the case as long as I am.

-- 
-russ nelson <[EMAIL PROTECTED]>  http://russnelson.com
Crynwr sells support for free software  | PGPok | The best way to help the poor
521 Pleasant Valley Rd. | +1 315 268 1925 voice | is to help the rich build
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   | up their capital.



Re: secrets and lies

2000-11-17 Thread Russell Nelson

Robin S. Socha writes:
 > * Felix von Leitner <[EMAIL PROTECTED]> writes:
 > 
 > [...]
 > 
 > > The OpenBSD guys lost their credibility as software security authority
 > > when they decided to include sendmail as standard MTA.  
 > 
 > Well, we all know why they cannot include qmail. :-/

What you mean "we", kimosabe?

-- 
-russ nelson <[EMAIL PROTECTED]>  http://russnelson.com
Crynwr sells support for free software  | PGPok | The best way to help the poor
521 Pleasant Valley Rd. | +1 315 268 1925 voice | is to help the rich build
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   | up their capital.



Re: secrets and lies

2000-11-17 Thread Russell Nelson

Dave Sill writes:
 > >So has any expert ever audited qmail or djbdns?
 > 
 > No. Any audit worth doing would be prohibitively expensive for a
 > freeware project. $1000 wouldn't even begin to cover it, at least for
 > qmail.

Still, I've read an awful lot of Dan's code.  I've seen a few places
where I said "Hey, that's a security hole."  But on further
investigation, I can see that there's just no way (e.g. formatting a
16-bit integer into digits stored in a fixed-length string without
bothering to ensure that the string won't get overflown by MiGs and
strafed).

-- 
-russ nelson <[EMAIL PROTECTED]>  http://russnelson.com
Crynwr sells support for free software  | PGPok | The best way to help the poor
521 Pleasant Valley Rd. | +1 315 268 1925 voice | is to help the rich build
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   | up their capital.



Re: secrets and lies

2000-11-17 Thread Russell Nelson

Dave Sill writes:
 > That's exactly what happened with Wietse Venema's "audit" of qmail
 > that turned up the qmail-smtpd DOS (which is trivially prevented by
 > proper installation (which INSTALL still doesn't cover, BTW)), which
 > prompted Dan's "audit" of Postfix that turned up the problems with the
 > world-writable maildrop.

That's why we need qmail-1.04 -- to fix these documentation flaws.

-- 
-russ nelson <[EMAIL PROTECTED]>  http://russnelson.com
Crynwr sells support for free software  | PGPok | The best way to help the poor
521 Pleasant Valley Rd. | +1 315 268 1925 voice | is to help the rich build
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   | up their capital.



Re: secrets and lies

2000-11-17 Thread Mate Wierdl

On Fri, Nov 17, 2000 at 12:09:15AM +0100, Felix von Leitner wrote:
> Thus spake Mate Wierdl ([EMAIL PROTECTED]):
> > My question is why is it not better for qmail-queue to *immediately* write
> > the "received" line identifying the user?
> 
> Then the attacker could still kill qmail-queue.

Indeed, but there is (IMO) a big difference.  If you do

qmail-queue &
kill $!

You get an empty file with no user identification:

# ls -l /var/qmail/queue/mess/17
total 0
-rw-r--r--    1 qmailq   users           0 Nov 17 13:22 112303

But if you do

echo | qmail-queue

You get

# cat /var/qmail/queue/mess/7/112293 
Received: (qmail 23027 invoked by uid 500); 17 Nov 2000 21:15:28 -

so the UID of the user shows up making it possible to identify the
attacker. 

> 
> Mate, you have posted dozens of dumb emails to the mailing list.
> You raise issues that you don't understand and waste everybody's time
> with this.

Indeed, I still do not understand why qmail-queue does not immediately
write the received line upon startup if it helps to deal with this
attack.  Of course, if I was not this dumb, I'd go read the code, and
convince myself that modifying qmail-queue this way is not feasible.
All the happy nondumbs out there already know the secret, and they
enable ps accounting on all their qmail boxes with a smile on their
face.

Mate
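
A defender-side check for the symptom shown in the message above (zero-length files under /var/qmail/queue/mess), as an added example that is not part of the original thread or of qmail itself. The five-minute age cutoff, the function names and the sample tree are assumptions of this example; it only reports, and it relies on find's -mmin test, which GNU and BSD find support.

```shell
#!/bin/sh
# Added example (not from the thread): report zero-length files left behind
# in a qmail-style queue/mess tree.

# Print paths of empty regular files under DIR last modified more than
# MINUTES ago. The age cutoff is an assumption of this example: it skips
# messages that qmail-queue is still in the middle of writing.
list_stale_empty() {
    find "$1" -type f -size 0 -mmin +"$2" 2>/dev/null | sort
}

# Print how many such files exist (prints 0 when there are none).
count_stale_empty() {
    list_stale_empty "$1" "$2" | grep -c . || true
}

# Print "ALERT <n>" when the count exceeds LIMIT, otherwise "OK <n>".
queue_status() {
    n=$(count_stale_empty "$1" "$2")
    if [ "$n" -gt "$3" ]; then
        echo "ALERT $n"
    else
        echo "OK $n"
    fi
}

# Build a constructed sample tree (not real qmail data) for an offline run.
make_sample_queue() {
    q=$(mktemp -d) || return 1
    mkdir -p "$q/mess/17" "$q/mess/7" "$q/mess/3"
    : > "$q/mess/17/112303"                       # empty and old: stale
    touch -t 200011171322 "$q/mess/17/112303"
    echo 'Received: (qmail 23027 invoked by uid 500)' > "$q/mess/7/112293"
    touch -t 200011172115 "$q/mess/7/112293"      # old but not empty
    : > "$q/mess/3/112310"                        # empty but just created
    echo "$q"
}

# Demo on the constructed tree; set QUEUE to a real queue directory
# (the thread uses /var/qmail/queue) to check a live system instead.
if [ -n "${QUEUE:-}" ]; then
    queue_status "$QUEUE/mess" "${MIN_AGE:-5}" "${LIMIT:-0}"
else
    sample=$(make_sample_queue)
    list_stale_empty "$sample/mess" 5
    queue_status "$sample/mess" 5 0
    rm -rf "$sample"
fi
```

Because the leftover files are owned by qmailq, this report cannot name the local user responsible; as the thread notes, that takes process accounting.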



Re: secrets and lies

2000-11-17 Thread D. J. Bernstein

> Dan's "audit" of Postfix

I didn't look at the Postfix code; I merely noticed that one of the
documented ``security features'' was an obvious design error. See

   http://cr.yp.to/maildisasters/postfix.html

for the complete story.

---Dan



Re: secrets and lies

2000-11-16 Thread Peter van Dijk

On Thu, Nov 16, 2000 at 11:01:13AM -0600, Mate Wierdl wrote:
[snip]
> My question is why is it not better for qmail-queue to *immediately* write
> the "received" line identifying the user?

That will not solve the problem, just create a race-condition.

Greetz, Peter
-- 
dataloss networks
'/ignore-ance is bliss' - me
'Het leven is een stuiterbal, maar de mijne plakt aan t plafond!' - me



Re: secrets and lies

2000-11-16 Thread Felix von Leitner

Thus spake Mate Wierdl ([EMAIL PROTECTED]):
> I thought it was possible that Dan would give some hints on his view
> on secure programming in these notes.

Don't talk.
Read his code and you will understand.

> > Software is secure iff the architecture and trust model is sound, which
> > you can verify yourself in a few hours. 
> You make software security look easy, and Schneier's book tells me
> otherwise.

Software security _is_ easy.
The correct paradigms have been published for decades.

It is only non-trivial to write good (and secure) software if you use
legacy APIs that make it unnecessarily hard on you.  That's why Dan
decided to not use many routines from the standard C library.  Actually,
he has written many notes on his reasoning, you just have to look
instead of posting here and thinking that maybe others do the work for
you.

> 1) It seems that systematic (scientific?) testing of qmail
>or djbdns has not happened---except by Dan.

Had you actually read the Schneier, you would know that no testing in
the world can prove the security of a system.  Testing can only prove
that a system is not secure.

> 2) The only way we could get a hint on the guiding ideas of Dan on
>secure computing is to read the source code he writes.

Or you could read a few books or papers about security.
The guidelines are easy and easily understood and implemented.

For example, minimizing the trusted computing base and 

>But this is reverse engineering, and is similar to trying to
>understand Gauss's ideas by reading his proofs---good luck.

Reconstructing the source code from a binary program is reverse
engineering.  Reading the source code is not.

And source code is a formal representation of an algorithm, not a proof.
An algorithm would tell you how to prove something.  Understanding Gauss
by his proofs is like understanding djb by looking at an RPM.  It is
still possible, by the way, because the man pages are great.

> Or is everybody on this list who read qmail's sources writing
> 100% secure software now?

Why don't you just read the sources yourself and find out?

> Does everybody have a clear idea what Dan considers a security
> problem?

A buffer overflow on the stack, for example.

> For example, he clearly does not care about preventing some
> DoS attacks.

Your oversimplifications border on intention deconstructivism.
Read his fscking web pages and find your questions answered.

Felix



Re: secrets and lies

2000-11-16 Thread Matthias Andree

Adam McKenna <[EMAIL PROTECTED]> writes:

> I said "sounds like".  And in the context in which his opinion was presented,
> it sounds a lot like MS's.

I read it as if he meant (not a quote, but my interpretation): 

  Don't rely on people testing your software, even if you offer money
  for found holes, but if you want reliable audits, go hire somebody.

In fact, the SDMS (secure digital music anything) has rewarded some $$$
for cracking their stuff, which is utter nonsense. If someone is to
make them feel sorry and ashamed, they'll wait until the "contest" is
closed and file their crack afterwards. Apart from the obvious
impossibility to protect against the final -- decrypted -- information
delivery.

-- 
Matthias Andree



Re: secrets and lies

2000-11-16 Thread Mate Wierdl

On Wed, Nov 15, 2000 at 08:48:31AM +0100, Andre Oppermann wrote:
> Another possible qmail attack is its late bouncing for non-existent
> users. Using a false envelope sender address you could fill up the
> queue with double bounces. I consider this a more serious problem.
> The decision to handle bouncing this way was apparently part of the
> security and modularity concept of qmail. 

Wietse's attack was (modified a bit):

while true; do
  qmail-queue&
  kill $!
done

This creates 0 length files in /var/qmail/queue/mess until inodes get
exhausted.  And manual intervention/recovery certainly seems needed.

Dan's response was that this is not completely anonymous since people
are supposed to do process accounting.  (On RH Linux, btw, the user
is easy to catch since users have their own group).

My question is why is it not better for qmail-queue to *immediately* write
the "received" line identifying the user?

Mate



Re: secrets and lies

2000-11-15 Thread Andre Oppermann

Mate Wierdl wrote:

[included qmail list again]

> On Wed, Nov 15, 2000 at 12:29:14AM +0100, Andre Oppermann wrote:
> > I, as the author of the qmail-ldap patch, have looked deeply into the
> > guts of qmail and found it to be secure. If one actually reads the
> > source and sees the way Dan writes software he would find that qmail
> > is secure. The only possible holes are OS bugs or issues.
> 
> Now that sounds really good.  Does this mean you ran several
> systematic tests?  Do you have any observation on DoS attacks like the
> "distributed" qmail-smtpd attack of Russ or the "queue attack" of
> > Wietse where a local user could fill up the queue in seconds with
> 0 length files?

DoS attacks were not part of the evaluation. Since the focus of
qmail-ldap is closed non-shell mail servers also local attacks have
not been looked at in very deep detail.

What can be said truly is that qmail is safe from any remote attacks
in terms of exploiting bugs of buffer overflows via SMTP or POP3.

There are two kinds of DoS attacks; attacks that last as long as they
are mounted, as soon as it stops everything goes back to normal. And
attacks that make a system require manual intervention to make it
fulfill its purpose again.

Given enough resources it is very well possible indeed to DoS qmail
by consuming all available SMTP sessions. During this attack qmail
will not bog down the whole machine and as soon as the attack is over
it will simply return to normal processing of messages. Sendmail on
the other hand (at least used to) fork until the whole machine bogs
down.

Another possible qmail attack is its late bouncing for non-existent
users. Using a false envelope sender address you could fill up the
queue with double bounces. I consider this a more serious problem.
The decision to handle bouncing this way was apparently part of the
security and modularity concept of qmail. Qmail-ldap contains many
enhancements to check the envelope sender to make this more unlikely.
Nevertheless it is still possible. Whereas I still rest well at
night because this kind of attack requires significant remote
resources and is not likely to happen. Anyway, this kind of attack
can be mounted against other MTAs as well. It's simply a problem of
finite resources.

While not perfect in any given aspect qmail is surely one of the best,
if not the best, MTA you can run and trust.

-- 
Andre
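
The queue arithmetic behind the late-bounce problem described in the message above, as an added example that is not part of the original post and is not qmail or qmail-ldap code. The envelope sender check is modelled as a simple domain lookup and the RCPT-time recipient check is included only for contrast; both are assumptions, as are all addresses and names.

```python
from dataclasses import dataclass

# Constructed sample data: local mailboxes and sender domains that resolve.
LOCAL_USERS = {"alice", "bob"}
RESOLVABLE_DOMAINS = {"example.org", "example.net"}

# (envelope sender, local recipient, sender mailbox really exists) - constructed
SAMPLE = [
    ("carol@example.org", "alice", True),           # ordinary mail
    ("x1@no-such-domain.invalid", "ghost1", False),  # forged, unresolvable domain
    ("x2@no-such-domain.invalid", "ghost2", False),
    ("nobody@example.net", "ghost3", False),        # forged, but domain resolves
    ("dave@example.net", "bobb", True),             # honest typo in the recipient
]


@dataclass
class Queue:
    messages: int = 0        # inbound messages accepted into the queue
    bounces: int = 0         # bounces generated for the envelope sender
    double_bounces: int = 0  # bounces that failed and went to the postmaster
    rejected: int = 0        # refused inside the SMTP session, never queued

    def total(self):
        return self.messages + self.bounces + self.double_bounces


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()


def process(mails, check_sender=False, check_rcpt=False):
    """Count queue entries produced by one batch under a given policy."""
    q = Queue()
    for sender, rcpt, sender_exists in mails:
        if check_sender and domain_of(sender) not in RESOLVABLE_DOMAINS:
            q.rejected += 1          # refused at MAIL FROM
            continue
        if check_rcpt and rcpt not in LOCAL_USERS:
            q.rejected += 1          # refused at RCPT TO
            continue
        q.messages += 1              # accepted; delivery happens later
        if rcpt in LOCAL_USERS:
            continue
        q.bounces += 1               # late bounce to the envelope sender
        if not sender_exists:
            q.double_bounces += 1    # bounce undeliverable: double bounce
    return q


if __name__ == "__main__":
    for label, kw in [("late bounce only", {}),
                      ("+ sender check", {"check_sender": True}),
                      ("+ recipient check", {"check_rcpt": True})]:
        q = process(SAMPLE, **kw)
        print(f"{label:18} queued={q.total():2} double={q.double_bounces} "
              f"rejected={q.rejected}")
```

The sender check halves the queue load in this sample but the forged sender on a resolvable domain still produces a double bounce, which matches the "still possible" caveat in the message.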





Re: secrets and lies

2000-11-15 Thread Adam McKenna

On Wed, Nov 15, 2000 at 10:01:18PM +0100, Matthias Andree wrote:
> Of course, the presentation of your opinion, calling somebody you don't
> know names, left room for desires.

I said "sounds like".  And in the context in which his opinion was presented,
it sounds a lot like MS's.

--Adam

-- 
Adam McKenna <[EMAIL PROTECTED]> | "No matter how much it changes, 
http://flounder.net/publickey.html   |  technology's just a bunch of wires 
GPG: 17A4 11F7 5E7E C2E7 08AA|  connected to a bunch of other wires."
 38B0 05D0 8BF7 2C6D 110A|  Joe Rogan, _NewsRadio_
  5:17pm  up 158 days, 15:33, 10 users,  load average: 0.06, 0.02, 0.00



Re: secrets and lies

2000-11-15 Thread Matthias Andree

Adam McKenna <[EMAIL PROTECTED]> writes:

> When, exactly, did I say he was a bad person?  You are putting words in my
> mouth.

I extracted that from the term "M$-weenie".

> And I responded in context.  Whether or not you or Mr. Schneier like it,
> Microsoft has been using almost this exact argument to advocate their
> software over Free Software for quite a while now.

Yes, and we can see how long it takes Microsoft to fix these issues,
particularly for localized software. You don't see the audit reports,
you don't know who makes them, and so on. You know that. Security by
obscurity cannot be alleviated by FUD.

> I admit that I did not go look up "Secrets and Lies", buy it, read it, and 
> then read other material by B. Schneier before posting a reply, but whether 
> or not I am a self-proclaimed "security expert" (I'm not), I am relatively
> informed and knowledgeable about computer security, and I am entitled to my 
> opinion(s), whether or not they agree with Mr. Schneier's opinions, or the 
> opinions of anyone else on this list.

Of course, the presentation of your opinion, calling somebody you don't
know names, left room for desires.

-- 
Matthias Andree



Re: secrets and lies

2000-11-15 Thread Dave Sill

Adam McKenna <[EMAIL PROTECTED]> wrote:
>On Wed, Nov 15, 2000 at 01:21:40PM -0500, Dave Sill wrote:
>>
>> An audit by some random "security
>> firm" might not mean anything, but an audit by a recognized authority
>> would.
>
>It might.  It also might not, because even the best auditors could miss
>something.

No, it *would* mean something. The fact that audit won't be perfect
and might miss something doesn't mean that audits are worthless, it
just means that they can't guarantee security.

-Dave



Re: secrets and lies

2000-11-15 Thread David Dyer-Bennet

Dave Sill <[EMAIL PROTECTED]> writes on 15 November 2000 at 13:09:25 -0500
 > "David Dyer-Bennet" <[EMAIL PROTECTED]> wrote:
 > 
 > >Dan is probably right that no special permissions are needed to make
 > >normal uses of his code (which is what he says on his web pages), but
 > >if the corporate lawyer isn't in agreement with him, he's going to say
 > >"no".  That's a corporate lawyer's job, after all.
 > 
 > Anyone's lawyers disagree with Dan? If not, I don't see why Dan should 
 > concern himself with convincing hypothetical lawyers...real lawyers
 > are enough of a challenge.

Given the prevalence of licenses distributed with free software, I
believe LOTS of people's lawyers are of the opinion that it's of
value. 
-- 
David Dyer-Bennet  /  Welcome to the future!  /  [EMAIL PROTECTED]
SF: http://www.dd-b.net/dd-b/  Minicon: http://www.mnstf.org/minicon/
Photos: http://dd-b.lighthunters.net/



Re: secrets and lies

2000-11-15 Thread Ryan Russell

On 15 Nov 2000, Paul Jarc wrote:

> > If you want to see some of the tests he does, check out rts.tests that
> > comes in the djbdns distribution.
> 
> That sort of thing has its place, but it's not really related to
> auditing at all.  Mostly, it's good for detecting compilation
> problems.
> 

Several of the things he checks for are related to too-long requests.  In
my mind, that's checking for buffer overflows.  Perhaps that wasn't the
intention.

Ryan




Re: secrets and lies

2000-11-15 Thread Adam McKenna

On Wed, Nov 15, 2000 at 01:21:40PM -0500, Dave Sill wrote:
> Adam McKenna <[EMAIL PROTECTED]> wrote:
> 
> >I think "select few" as you have used it needs clarification -- even if only
> >one half of one percent of all advanced C programmers are part of the "select
> >few", that's still hundreds or thousands of people, and many of those people 
> >are part of the open source community.
> 
> That estimate may well be high. I've never seen books or training
> covering the topic of security auditing C code. Where'd you get that
> 0.5%?

I pulled it out of somewhere.

> >A hell of a lot more, anyway, than 
> >are working at so-called "security firms", ready to stamp their approval on 
> >any product they get six or seven digit payments to "certify".
> 
> ``So-called "security firms"'' that don't know what they're doing will 
> eventually be discovered for the frauds that they are. In the security 
> business, reputation is everything. An audit by some random "security
> firm" might not mean anything, but an audit by a recognized authority
> would.

It might.  It also might not, because even the best auditors could miss
something.

--Adam

-- 
Adam McKenna <[EMAIL PROTECTED]> | "No matter how much it changes, 
http://flounder.net/publickey.html   |  technology's just a bunch of wires 
GPG: 17A4 11F7 5E7E C2E7 08AA|  connected to a bunch of other wires."
 38B0 05D0 8BF7 2C6D 110A|  Joe Rogan, _NewsRadio_
  2:18pm  up 158 days, 12:35, 10 users,  load average: 0.00, 0.00, 0.00



Re: secrets and lies

2000-11-15 Thread Robin S. Socha

* Felix von Leitner <[EMAIL PROTECTED]> writes:

[...]

> The OpenBSD guys lost their credibility as software security authority
> when they decided to include sendmail as standard MTA.  

Well, we all know why they cannot include qmail. :-/

> Theo is rumored to have said something like "There were no remote root
> exploits for two years, so it must be secure now, right?"

I don't have any sort of sexual relationship with Theo, but that's not
quite true. It's more like "we've had a look at the code and it looks
secure now, right?". And I know that *my* copies of OpenBSD are not
running sendmail.
-- 
Robin S. Socha 



Re: secrets and lies

2000-11-15 Thread Michael T. Babcock

Bennett Todd wrote:

> 2000-11-14-16:37:06 Lipscomb, Al:
>> "Free Software" as promoted by the Free Software Foundation (FSF)
>> is a different thing. I believe that the DJB software is Open
>> Source, but not free.
> 
> Unlike Open Source, the phrase "free software" strongly predates the
> Free Software Foundation and they've made no attempt at branding it;
> rather, they pursue branding the GNU General Public License (GPL),
> which is stricter than (but compatible with) the Open Source
> Definition.

I must disagree with you here -- the FSF does indeed spend time and 
effort to make sure that the term "Free Software" brings the FSF to 
people's minds.  Feel free to read the recent discussion between a 3D 
library programmer and RMS (last week's slashdot articles?) -- RMS 
spends much time pointing out that he will talk about "free software" 
but not "open source" because "open source" is one thing and "free 
software" is what the FSF is about.
-- 
Michael T. Babcock, C.T.O. FibreSpeed
http://www.fibrespeed.net/~mbabcock




Re: secrets and lies

2000-11-15 Thread Paul Jarc

Ryan Russell <[EMAIL PROTECTED]> writes:
> On Tue, 14 Nov 2000, Mate Wierdl wrote:
> > Indeed, it would be interesting what kind of testing he is running on
> > qmail, say (he says there are over 100 tests), and how he is trying to
> > make sure his software is secure. 
> 
> If you want to see some of the tests he does, check out rts.tests that
> comes in the djbdns distribution.

That sort of thing has its place, but it's not really related to
auditing at all.  Mostly, it's good for detecting compilation
problems.


paul



Re: secrets and lies

2000-11-15 Thread Adam McKenna

On Wed, Nov 15, 2000 at 02:16:38PM +0100, Matthias Andree wrote:
> Adam McKenna <[EMAIL PROTECTED]> writes:
> 
> > On Tue, Nov 14, 2000 at 09:11:32PM +0100, Matthias Andree wrote:
> > > Mr. Schneier is respected for his expertise and cryptography, and just
> > > because he states that head money for bugs is no good, does not make him
> > > an M S type weenie.
> > 
> > You're right, Bruce Schneier is a god, and I'm really sorry for disagreeing
> > with him.
> 
> That is not what I meant, even subtracting sarcasm, irony and
> exaggeration. I'm saying that one particular opinion on a marginal topic
> that you disagree with does not make Mr. Schneier a bad person. Get a
> clue, in that you try to find out about that person as a whole before
> judging him.

When, exactly, did I say he was a bad person?  You are putting words in my
mouth.

Mate posted the following:

"He also thinks that even having a software out and used for a few
years without incidence does not imply that it is secure.  He says,
the best way to evaluate the security of a product is to have it
audited by security experts."

And I responded in context.  Whether or not you or Mr. Schneier like it,
Microsoft has been using almost this exact argument to advocate their
software over Free Software for quite a while now.

I was informed (rather nastily) by Schneier disciples in subsequent postings 
that this opinion is not actually held by Mr. Schneier, and I (rather 
sarcastically) retracted my comments.  Do we really need to dwell on this 
anymore?  Or are we just arguing for the sake of arguing?

I admit that I did not go look up "Secrets and Lies", buy it, read it, and 
then read other material by B. Schneier before posting a reply, but whether 
or not I am a self-proclaimed "security expert" (I'm not), I am relatively
informed and knowledgeable about computer security, and I am entitled to my 
opinion(s), whether or not they agree with Mr. Schneier's opinions, or the 
opinions of anyone else on this list.

--Adam

-- 
Adam McKenna <[EMAIL PROTECTED]> | "No matter how much it changes, 
http://flounder.net/publickey.html   |  technology's just a bunch of wires 
GPG: 17A4 11F7 5E7E C2E7 08AA|  connected to a bunch of other wires."
 38B0 05D0 8BF7 2C6D 110A|  Joe Rogan, _NewsRadio_
  1:45pm  up 158 days, 12:01, 10 users,  load average: 0.00, 0.00, 0.00



Re: secrets and lies

2000-11-15 Thread Dave Sill

Bennett Todd <[EMAIL PROTECTED]> wrote:

>And a case could be made that the charming and personable way qmail
>has been represented in various public fora makes this audit-by-fire
>even better: at this point, there are enough people around the world
>who hate djb's guts and would never touch anything that he even
>advocated much less wrote, just because of how much they like his
>way of carrying on discussions in public mailing lists, that I kinda
>expect more than one person has gone wading through qmail with blood
>in his eye, desperately hoping to wipe the smug grin off djb's face
>and get him to knock off the damned gloating already. Hasn't
>happened yet. _That's_ trial by fire.

That's exactly what happened with Wietse Venema's "audit" of qmail
that turned up the qmail-smtpd DOS (which is trivially prevented by
proper installation (which INSTALL still doesn't cover, BTW)), which
prompted Dan's "audit" of Postfix that turned up the problems with the
world-writable maildrop.

-Dave



Re: secrets and lies

2000-11-15 Thread Dave Sill

Adam McKenna <[EMAIL PROTECTED]> wrote:

>I think "select few" as you have used it needs clarification -- even if only
>one half of one percent of all advanced C programmers are part of the "select
>few", that's still hundreds or thousands of people, and many of those people 
>are part of the open source community.

That estimate may well be high. I've never seen books or training
covering the topic of security auditing C code. Where'd you get that
0.5%?

>A hell of a lot more, anyway, than 
>are working at so-called "security firms", ready to stamp their approval on 
>any product they get six or seven digit payments to "certify".

``So-called "security firms"'' that don't know what they're doing will 
eventually be discovered for the frauds that they are. In the security 
business, reputation is everything. An audit by some random "security
firm" might not mean anything, but an audit by a recognized authority
would.

-Dave



Re: secrets and lies

2000-11-15 Thread Dave Sill

"David Dyer-Bennet" <[EMAIL PROTECTED]> wrote:

>Dan is probably right that no special permissions are needed to make
>normal uses of his code (which is what he says on his web pages), but
>if the corporate lawyer isn't in agreement with him, he's going to say
>"no".  That's a corporate lawyer's job, after all.

Anyone's lawyers disagree with Dan? If not, I don't see why Dan should 
concern himself with convincing hypothetical lawyers...real lawyers
are enough of a challenge.

-Dave



Re: secrets and lies

2000-11-15 Thread Adam McKenna

On Wed, Nov 15, 2000 at 11:07:43AM -0500, Paul Jarc wrote:
> Adam McKenna <[EMAIL PROTECTED]> writes:
> > On Wed, Nov 15, 2000 at 08:18:29PM +1300, Chris K. Young wrote:
> > > I say that dist.html should be considered authoritative. There are
> > > references in the qmail and djbdns documentation that contain the
> > > URL to their respective pages.
> > 
> > That's what you say.  But there isn't a definitive license (i.e. LICENSE or
> > COPYING) in the qmail distribution that explains those rights
> 
> There's nothing magical about those names.  The names "dist.html" and
> "softwarelaw.html" are just as good, and I don't see why they should
> have to be included in the distribution.
> 
> > some web page could be altered or taken down at any time, leaving
> > users without any rights whatsoever.
> 
> IANAL (are you?), but I doubt that a copyright holder can revoke
> permission already granted in this way.  The *record* (or rather,
> *one* record) of permission could be removed, but how does that affect
> the permission itself?

No, I'm not a lawyer, but to defend a copyright infringement claim in court
you would need some sort of proof that you had been given that permission,
and if a web page that can be taken down or modified at any time is the only
source, I can see how that would be unsettling to advocates of Free Software.
If a license had been included in the source tarball, then everyone who had
downloaded that tarball would also have a copy of the license, making it much
easier to prove the terms under which the software was released.

I'm not saying Dan would ever sue anyone for infringement, but then again I'm
not the person deciding whether or not something should go in main or
non-free (and if I was, I'd probably still put it in non-free, even though I
believe it loosely conforms.)

It's also worth mentioning that while softwarelaw.html describes Dan's
feelings about software/copyright law, it may or may not describe actual 
software/copyright law (case law or otherwise).  As far as I know, Dan is not 
a lawyer either.

--Adam

-- 
Adam McKenna <[EMAIL PROTECTED]> | "No matter how much it changes, 
http://flounder.net/publickey.html   |  technology's just a bunch of wires 
GPG: 17A4 11F7 5E7E C2E7 08AA|  connected to a bunch of other wires."
 38B0 05D0 8BF7 2C6D 110A|  Joe Rogan, _NewsRadio_
 12:48pm  up 158 days, 11:04, 11 users,  load average: 0.05, 0.06, 0.01



Re: secrets and lies

2000-11-15 Thread David Dyer-Bennet

Mate Wierdl <[EMAIL PROTECTED]> writes on 15 November 2000 at 00:07:35 -0600
 > On Tue, Nov 14, 2000 at 04:13:19PM -0500, Bennett Todd wrote:
 > > efforts is on monitoring and risk management. With that as a given,
 > > I expect he runs sendmail and BIND; things like qmail and djbdns are
 > > for those of us who haven't given up on really completely securing
 > > our systems:-).
 > 
 > First I thought B.S. runs qmail and ezmlm, but it seems his
 > mailinglist is run by DD-B. counterpane.com servers run postfix and
 > sendmail---as you indicated. 

Just for nit-picky precision, I don't run the list; it's run by one of
Bruce's employees, using my system, and the software I have installed
there.
-- 
David Dyer-Bennet  /  Welcome to the future!  /  [EMAIL PROTECTED]
SF: http://www.dd-b.net/dd-b/  Minicon: http://www.mnstf.org/minicon/
Photos: http://dd-b.lighthunters.net/



Re: secrets and lies

2000-11-15 Thread David Dyer-Bennet

Paul Jarc <[EMAIL PROTECTED]> writes on 15 November 2000 at 11:07:43 -0500
 > Adam McKenna <[EMAIL PROTECTED]> writes:
 > > On Wed, Nov 15, 2000 at 08:18:29PM +1300, Chris K. Young wrote:
 > > > I say that dist.html should be considered authoritative. There are
 > > > references in the qmail and djbdns documentation that contain the
 > > > URL to their respective pages.
 > > 
 > > That's what you say.  But there isn't a definitive license (i.e. LICENSE or
 > > COPYING) in the qmail distribution that explains those rights
 > 
 > There's nothing magical about those names.  The names "dist.html" and
 > "softwarelaw.html" are just as good, and I don't see why they should
 > have to be included in the distribution.

In terms of convincing a corporate lawyer that it's okay to install
software on a corporate system, a specific license distributed with
the software specifically granting various permissions would be
extremely useful.

Dan is probably right that no special permissions are needed to make
normal uses of his code (which is what he says on his web pages), but
if the corporate lawyer isn't in agreement with him, he's going to say
"no".  That's a corporate lawyer's job, after all.

 > > some web page could be altered or taken down at any time, leaving
 > > users without any rights whatsoever.
 > 
 > IANAL (are you?), but I doubt that a copyright holder can revoke
 > permission already granted in this way.  The *record* (or rather,
 > *one* record) of permission could be removed, but how does that affect
 > the permission itself?

Demonstrating that the permission was granted gets harder if the pages
are taken down.
-- 
David Dyer-Bennet  /  Welcome to the future!  /  [EMAIL PROTECTED]
SF: http://www.dd-b.net/dd-b/  Minicon: http://www.mnstf.org/minicon/
Photos: http://dd-b.lighthunters.net/


