[Koha] Proposal To Switch Koha's License to GPLv3 and AGPLv3 or AGPLv3

Lars Wirzenius lars at catalyst.net.nz
Tue May 11 11:08:52 NZST 2010


On Mon, 2010-05-10 at 11:46 -0700, david at lang.hm wrote:
> it's not the same thing to have all the released and development versions 
> of the code available and to have a link from the running system to say 
> 'this is the exact version of the code, with all patches and local 
> modifications, that is currently running'

It is true that local modifications may introduce security problems, but
it is way more likely that there is a problem in the Koha code that
everyone else is using as well. And the attacker does not need to know
which version the target is running; they can just blindly try every
known Koha security problem on every Koha site. That's what computers
are for, automating boring things.

So I don't think it is particularly important for security whether the
code is out there or not. You are either vulnerable to a specific attack
or you're not, and if you are, you're living on borrowed time. Frequent
security updates are key to server survival on the public Internet.

Can we put this sub-thread to rest now?

(If I may say so, those security updates will be a bit easier to do with
Debian packages, or any other form of easily upgraded packages, as
opposed to installing from source.)


