[Koha] Proposal To Switch Koha's License to GPLv3 and AGPLv3 or AGPLv3
david at lang.hm
Tue May 11 06:46:58 NZST 2010
On Mon, 10 May 2010, Chris Nighswonger wrote:
> On Mon, May 10, 2010 at 1:25 PM, <david at lang.hm> wrote:
>
>>
>> The requirement of the AGPL to provide the exact source code running that
>> version will be seen as a problem to many security people.
>>
>> There are many cases where organizations will not upgrade immediately on the
>> release of a new version. Anything that requires that potential attackers
>> can see exactly what you are running greatly magnifies the risk, especially
>> for something that is going to be Internet accessible.
>>
>> As a result, I would expect that moving to AGPL would hinder the
>> acceptance/deployment of the project, not help it.
>>
>>
> Then we already have a huge security problem given that all forms of Koha
> are currently available in a public repository and in all likelihood the
> vast majority of users are running it with no security significant changes
> made. (AAMOF, many run it with the default username/password still in
> place!)

It's not the same thing to have all the released and development versions
of the code available and to have a link from the running system to say
'this is the exact version of the code, with all patches and local
modifications, that is currently running'.

David Lang