On Mon, 10 May 2010, Chris Nighswonger wrote:
> On Mon, May 10, 2010 at 1:25 PM, <david@lang.hm> wrote:
>> The requirement of the AGPL to provide the exact source code running that version will be seen as a problem by many security people.
>> There are many cases where organizations will not upgrade immediately on the release of a new version. Anything that requires that potential attackers can see exactly what you are running greatly magnifies the risk, especially for something that is going to be Internet accessible.
>> As a result, I would expect that moving to AGPL would hinder the acceptance/deployment of the project, not help it.
> Then we already have a huge security problem given that all forms of Koha are currently available in a public repository and in all likelihood the vast majority of users are running it with no security-significant changes made. (AAMOF, many run it with the default username/password still in place!)
It's not the same thing to have all the released and development versions of the code available and to have a link from the running system to say "this is the exact version of the code, with all patches and local modifications, that is currently running".

David Lang