[Koha] Proposal To Switch Koha's License to GPLv3 and AGPLv3 or AGPLv3

david at lang.hm david at lang.hm
Tue May 11 12:17:23 NZST 2010


On Tue, 11 May 2010, Lars Wirzenius wrote:

> On ma, 2010-05-10 at 11:46 -0700, david at lang.hm wrote:
>> it's not the same thing to have all the released and development versions
>> of the code available and to have a link from the running system to say
>> 'this is the exact version of the code, with all patches and local
>> modifications, that is currently running'
>
> It is true that local modifications may introduce security problems, but
> it is way more likely that there is a problem in the Koha code that
> everyone else is using as well. And the attacker does not need to know
> which version the target is running, they can just blindly try every
> known Koha security problem on every Koha site. That's what computers
> are for, automating boring things.
>
> So I don't think it is particularly important for security whether the
> code is out there or not. You are either vulnerable to a specific attack
> or you're not, and if you are, you're living on borrowed time. Frequent
> security updates are key to server survival on the public Internet.
>
> Can we put this sub-thread to rest now?

I disagree with your evaluation, and I'm calling out that I believe that 
many other people will as well. I especially expect to see problems from 
security people who do not have that much experience with open source 
programs.

I don't expect that you will see specific complaints from such people; I 
expect that instead what will happen is that Koha would just get 
eliminated as a possibility early in the process due to the use of AGPL.

I'll drop this now, but I hope you don't go that route.

David Lang

