[Koha] Proposal To Switch Koha's License to GPLv3 and AGPLv3 or AGPLv3
Chris Cormack
chris at bigballofwax.co.nz
Tue May 11 05:59:21 NZST 2010
2010/5/11 Chris Nighswonger <cnighswonger at foundations.edu>:
> On Mon, May 10, 2010 at 1:25 PM, <david at lang.hm> wrote:
>>
>> The requirement of the AGPL to provide the exact source code running that
>> version will be seen as a problem to many security people.
>>
>> There are many cases where orginizations will not upgrade immediatly on
>> the release of a new version. Anything that requires that potential
>> attackers can see exactly what you are running greatly magnifies the risk,
>> especially for something that is going to be Internet accessable.
>>
>> As a result, I would expect that moving to AGPL would hinder the
>> acceptance/deployment of the project, not help it.
>>
>
> Then we already have a huge security problem given that all forms of Koha
> are currently available in a public repository and in all likelihood the
> vast majority of users are running it with no security significant changes
> made. (AAMOF, many run it with default the username/password still in
> place!)
>
Yeah, I'm not sure I buy the security by obscurity argument, it
logically extends to saying all free software is insecure because
people can see the code.
I personally don't edit the kernel source before each compile, and I'm
sure most people don't either. I actually trust the fact that people
can see the source to make me safer, not less safe. There is more
chance a good person will find the security bug and fix it if the code
is open.
Chris
More information about the Koha
mailing list