On Tue, 11 May 2010, Lars Wirzenius wrote:
On ma, 2010-05-10 at 11:46 -0700, david@lang.hm wrote:
it's not the same thing to have all the released and development versions of the code available and to have a link from the running system to say 'this is the exact version of the code, with all patches and local modifications, that is currently running'
It is true that local modifications may introduce security problems, but it is way more likely that there is a problem in the Koha code that everyone else is using as well. And the attacker does not need to know which version the target is running, they can just blindly try every known Koha security problem on every Koha site. That's what computers are for, automating boring things.
So I don't think it is particularly important for security whether the code is out there or not. You are either vulnerable to a specific attack or you're not, and if you are, you're living on borrowed time. Frequent security updates are key to server survival on the public Internet.
Can we put this sub-thread to rest now?
I disagree with your evaluation, and I'm calling out that I believe that many other people will as well. I especially expect to see problems from security people who do not have that much experience with open-source programs. I don't expect that you will see specific complaints from such people; I expect that instead what will happen is that Koha would just get eliminated as a possibility early in the process due to the use of AGPL. I'll drop this now, but I hope you don't go that route.

David Lang