2010/5/11 Chris Nighswonger <cnighswonger@foundations.edu>:
On Mon, May 10, 2010 at 1:25 PM, <david@lang.hm> wrote:
The requirement of the AGPL to provide the exact source code running that version will be seen as a problem to many security people.
There are many cases where organizations will not upgrade immediately on the release of a new version. Anything that requires that potential attackers can see exactly what you are running greatly magnifies the risk, especially for something that is going to be Internet accessible.
As a result, I would expect that moving to AGPL would hinder the acceptance/deployment of the project, not help it.
Then we already have a huge security problem given that all forms of Koha are currently available in a public repository and in all likelihood the vast majority of users are running it with no security-significant changes made. (AAMOF, many run it with the default username/password still in place!)
Yeah, I'm not sure I buy the security-by-obscurity argument; it logically extends to saying all free software is insecure because people can see the code. I personally don't edit the kernel source before each compile, and I'm sure most people don't either. I actually trust the fact that people can see the source to make me safer, not less safe. There is more chance a good person will find the security bug and fix it if the code is open.

Chris