Monday, July 28, 2008

GPL Project Watch List for Week of 07/25

The GPL v3 Watch List is intended to give you a snapshot of GPLv3/LGPLv3 adoption for July 18th through July 25th, 2008.

This Week:
  • Week Summary
  • New Projects
  • Software 101: Open Source vs. Free Software Movement
  • User Contributions
Back on Track
Over the past few weeks our GPL3 numbers were backed up due to maintenance issues on the Sourceforge website. We have spent this past week catching up, and with the hard work of the team we have almost brought our data up to date.
This week our GPL v3 count is at 2846 GPL v3 projects, an increase of 38 GPL v3 projects. There was speculation as to whether the AGPL v3 would draw projects away from the GPL v3 conversion rate, but this does not seem to be happening. The AGPL v3 count is up 5 projects, bringing it to 130 AGPL v3 projects. The LGPL v3 number is at 273 LGPL v3 projects, up 1 project from last week.

New project conversions this week include:
  • JabberCommander: JabberCommander is a tool written in Java that connects a computer to a Jabber client (e.g. Google Talk), allowing the user to send orders to the computer: launch programs and scripts, and retrieve the output of certain commands (ls, ps, dir, ...).

  • SocialDNS: SocialDNS is a novel naming infrastructure for locating information in the World Wide Web. It is an open network of Web servers that maintain and resolve domain names under a new URL scheme (go://).

  • Cadmium: Cadmium is a Java port of the Objective Caml virtual machine. It is part of the OCaml-Java project.
Software 101: Open Source vs. Free Software Movement
While both the Open Source and Free Software movements have been in existence for quite some time now, some of you may be wondering what the difference is. Don't both ideas basically proclaim free software for all? While some may see both ideas reaching the same conclusion of free software for everyone, philosophically the ideas are very different. This was most evident in our conversation with Richard Stallman, who was quick to point out the difference: "You've described the activity using the ideas associated with the term "open source". The free software movement's goal is not even included in that description."

So then, what is the difference between open source and free software? The Free Software Movement started in 1983 as a social movement proclaiming that software should be free for all and that proprietary software is ethically and morally wrong. The social issues behind the free software movement made some uncomfortable, leading to the founding of the Open Source movement in 1998, which viewed the availability of source code as a development methodology, focusing on the practical applications of free software rather than its social and political aspects. On the GNU website, the Free Software Movement briefly explains the difference:

"The fundamental difference between the two movements is in their values, their ways of looking at the world. For the Open Source movement, the issue of whether software should be open source is a practical question, not an ethical one. As one person put it, "Open source is a development methodology; free software is a social movement." For the Open Source movement, non-free software is a suboptimal solution. For the Free Software movement, non-free software is a social problem and free software is the solution."

While both movements have been in existence for some time now, what of the future of these movements and their effect on the software market? We see that the availability of source code as a development model definitely has an upside, but what of the social aspects? With proprietary software so deeply entrenched in the mainstream market, will the increasing influence of open source software also strengthen the Free Software Movement? These are some of the questions that we hope will be answered in the near future. If you have any comments, please feel free to respond. Thank you.

-Edwin Pahk
References:
http://gpl3.blogspot.com/2008/06/gplv3-one-year-anniversary-edition.html
http://www.gnu.org/philosophy/free-software-for-freedom.html


Thanks for the Continued Support and Contributions
Our database is partly maintained by our team of researchers as well by the contributions that are received from the community. Here is a submission we received last week through our web interface:

****************************************************************************
Muldis Rosetta

Description:
The Muldis Rosetta DBMS framework is a powerful but elegant system, which makes it easy to create and use relational databases in a very reliable, portable, and efficient way. This "Rosetta" file provides a 10,000 mile view of the Muldis Rosetta framework as a whole, and the detail documentation for each component is included with that component. The distribution containing this "Rosetta" file is the Muldis Rosetta core distribution.

Newest Release:
Muldis-Rosetta-0.7.0
****************************************************************************
We appreciate all the contributions that have been made, either through the form on our web page or by email, and we would also like to hear why you are changing your project's license, as in the submission above. It gives us more insight into which direction license trends are moving. We will continue to post user contributions to our blog each week, and we may quote parts of your emails. If you wish an email to remain private, just say so and we will not disclose any part of it.

Link Partners
If you are willing to copy and translate the content weekly, please let me know. You will receive the content as soon as it is available, and your site will be listed as a translation. I can send you a bit of tracking code so that you get credit for your contribution to the readership of this site.
Post your link on the bottom of the blog page.

Send me a note at rdgroup@airius.com that you are using some or all of the content
I will make sure that we host links to your sites, and we will be able to use your content within this site as well.

************************************************************

Notable Mention

The Research Group actively takes submissions from visitors on updates on new GPL v3/LGPL 3 projects. We are amazed at the number of submissions we have gotten to date, but even more so, we are incredibly grateful to over 100 core contributors who have devoted their time and resources at helping us provide up-to-date information.

************************************************************

Subscription

For more information, go to http://gpl3.blogspot.com/.

To stop receiving these weekly mailings, please send a message to rdgroup@palamida.com with the subject "unsubscribe:gpl3".

To start receiving these weekly mailings, please send a message to rdgroup@palamida.com with the subject "subscribe:gpl3".

************************************************************

Our Sponsor, Palamida, Inc.

The GPL3 project, sponsored by Palamida, Inc (http://palamida.com/ ), is an effort to make reliable publicly available information regarding GPLv3 license usage and adoption in new projects.

The opinions expressed within the GPL3 Information Blog are exclusively those of Ernest Park, the subjects interviewed and the contributing authors, and are not intended to reflect the positions of Palamida, Inc and its employees.

This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License.

************************************************************

Palamida was launched in 2003 after its founders learned first-hand what happens when companies don't have full visibility into the code base of their software applications based on Open Source Software. Their experiences inspired them to create a solution to streamline the process of identifying, tracking and managing the mix of unknown and undocumented Open Source that comprises a growing percentage of today's software applications. Palamida is the industry's first application security solution targeting today's widespread use of Open Source Software. It uses component-level analysis to quickly identify and track undocumented code and associated security vulnerabilities as well as intellectual property and compliance issues and allows development organizations to cost-effectively manage and secure mission critical applications and products.

For more information about FOSS management solutions, go to http://palamida.com/, or send a note to sales@palamida.com.

Please mention the GPL3 site when you reach out to Palamida.


The Research Group (rdgroup@airius.com)

Ernest Park
Antony Tran
Edwin Pahk
Kevin Howard

Saturday, July 19, 2008

GPL Project Watch List for Week of 07/18

The GPL v3 Watch List is intended to give you a snapshot of GPLv3/LGPLv3 adoption for July 11th through July 18th, 2008.

This Week:

  • Week Summary
  • New Projects
  • Sourceforge Now Lists GPLv3 and LGPLv3
  • User Contributions
Catching Up
Over the past couple of weeks, Sourceforge has been doing some maintenance and updates. This backed up some of the data we use to keep track of the GPL3 numbers. However, as mentioned in our last post, their latest push has updated their files and added some new license categories, which we go over in a section below. So now we are catching up on our data collection to bring the numbers back up to date. Three weeks' worth of Sourceforge data is quite a lot and will take us a week or two to process. We do not expect the underlying rate to have changed much during the downtime, so the last two weeks of slow numbers should balance out with the next two weeks of high numbers, averaging approximately 50 new GPL v3 projects per week.

This week our GPL v3 count is at 2808 GPL v3 projects, an increase of 57 GPL v3 projects. There was speculation as to whether the AGPL v3 would draw projects away from the GPL v3 conversion rate, but this does not seem to be happening. The AGPL v3 count is up 5 projects, bringing it to 125 AGPL v3 projects. The LGPL v3 number is at 272 LGPL v3 projects, up 7 projects from last week.

New project conversions this week include:
  • OpenCms Scripting Language Integrations: This project integrates scripting and dynamic languages other than JSP into OpenCms. It also provides hooks for easy integration of future languages.
  • jquantum: jQuantum is a Java program to simulate a quantum computer, to design quantum circuits, and to visualize the execution of quantum algorithms.
  • Java Application Template Portal: JAT is an easy to extend Java framework. It supplies modular and flexible basic functionalities to develop Web and/or standalone applications.

GPLv3 and LGPLv3 Now on Sourceforge
After the release of the GPLv3 and AGPLv3 many repositories made a separate license category for the new licenses, such as Freshmeat and Rubyforge. Sourceforge, however, did not at the time for reasons unknown to us. Perhaps they wanted to see if the license would catch on before changing their already gigantic database to take on a new license. Perhaps they felt the generic GPL category they had at the moment was sufficient for all GPL versions. Whatever the reason, it kept them from distinguishing between the GPLv2 and the GPLv3, that is until this week.

Now projects hosted on Sourceforge have the option to distinguish their GPL and LGPL version. The options developers can now choose between are "GNU General Public License (GPL)" and "GNU General Public License version 3.0 (GPLv3)", as well as their LGPL counterparts. As you can see, the distinction is between a generic form of the license name and one specific to version 3, not between version 2 and version 3. This means developers have the option to specify that they are using version 3 but do not have to. We cannot assume that projects using the generic GPL category are using the GPLv2. It would be a mistake to do so, since there are still thousands of projects that use the GPLv3 and are still listed under the generic license name. It will take a while for more projects to migrate to these new license categories, since they were only implemented this week. It is also possible that many will never migrate, since the generic listing covers all versions. For this reason we are going to keep an eye on both categories to see whether developers actually do change their license listing. I believe that they will and that the GPLv3 listing will fill up quite quickly. As of this week there are only about 20 projects in the new license category, but I expect this to grow at an increasing rate.

Though we do not know why Sourceforge did not create a separate license listing for the GPLv3 from the beginning, its creation now does show that the license has gained enough significance in its own right. The GPLv3 has gained many supporters, as we have shown through our data, and this new development continues to confirm what we have been saying all along: the GPLv3 is an important new license. Some developers may not care about the difference between the GPLv2 and the GPLv3, but there are crucial differences between the two and how they can be used. This is most evident in all the controversy that surrounded the GPLv3 when it was released and that still goes on today. We are glad that Sourceforge has chosen to differentiate between these licenses on their site so that developers can specify how they would like their projects to be used. The previous grouping of all versions made the terms of projects listed under the GPL on Sourceforge ambiguous, but now projects can specify their version, at least for the GPLv3. Perhaps if the migration goes well, the generic license will be changed to GPLv2.

References:
http://sourceforge.net/index.php

-Antony Tran


Thanks for the Continued Support and Contributions
Our database is partly maintained by our team of researchers as well by the contributions that are received from the community. Here is a submission we received last week through our web interface:

****************************************************************************
Omnidic


Description:
Omnidic is a free open source dictionary / translator for mobile phones.It works on mobile phones compatible with java (MIDP 1.0 and MIDP 2.0). The program can contain several dictionaries at the same time. For the use of the Omnidic it is not necessary connection to Internet, the dictionaries are saved in mobile.

Newest Release:
Omnidic-1.0.zip

****************************************************************************
We appreciate all the contributions that have been made, either through the form on our web page or by email, and we would also like to hear why you are changing your project's license, as in the submission above. It gives us more insight into which direction license trends are moving. We will continue to post user contributions to our blog each week, and we may quote parts of your emails. If you wish an email to remain private, just say so and we will not disclose any part of it.

Much Appreciated,

Palamida R&D Group



Friday, July 11, 2008

GPL Project Watch List for Week of 07/04, 4th of July Edition

The GPL v3 Watch List is intended to give you a snapshot of GPLv3/LGPLv3/AGPLv3 adoption for June 27th through July 4th, 2008.

This Week:

  • Can OSS Secure Our Nation?

  • Trust but Verify

  • Software Security Perspectives from Joe Jarzombek of The Department of Homeland Security

  • Richard Stallman comments - update

  • Followup - Google Code Repository

  • Weekly Count

Can Open Source and Free Software Impact the Security of Our Nation?

In this issue of our blog we see it fitting to focus on our nation and on securing it through open source. The United States was founded on principles of freedom, so it makes sense that we now look towards "free software" to protect her. However, a question that begs to be asked is: is open source ready to protect the United States' networks, or is its democratic development and decentralized distribution potentially our downfall? There are obvious benefits to open source software, but at the same time there are flaws that need to be addressed before it can be considered secure enough for government systems.

The recent Debian OpenSSL issue has brought much needed attention to the security of open source software. For those of you unfamiliar with it: on May 13th, 2008 Debian published advisory DSA-1571, and http://www.metasploit.com/ released tools demonstrating that the OpenSSL package distributed in Debian-based systems had had code removed which drastically reduced the number of possible keys and made them predictable. "Instead of mixing in random data for the initial seed, the only "random" value that was used was the current process ID." This affected releases distributed between September 2006 and May 13th, 2008. The code was removed because Valgrind warned about OpenSSL's use of uninitialized memory when seeding its random number generator. This bug would have large repercussions if the government was using one of those Debian releases. Imagine our nation's security reduced to only 32,767 possible keys per key type, key size and architecture, all of them guessable, since the process ID on a default Linux system never exceeds 32,767.
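To make the failure mode concrete, here is a small added example that is not OpenSSL's code and not part of the original post. It models a key generator whose seed contains nothing but the process ID, then shows both sides of the problem: an attacker recovering a key by enumerating every possible PID, and a defender precomputing the full set of weak keys to reject them (the approach Debian took with its openssl-blacklist packages). The key derivation function, the seed layout and the PID range are simplifying assumptions made for illustration; the point is the size of the search space, not OpenSSL's internals.

```python
"""
Simplified model of the Debian OpenSSL weak-key bug (added example, not OpenSSL code).

Assumptions (hypothetical, for illustration only):
  - key material is a deterministic function of the PRNG seed, modelled here
    as SHA-256 over the seed bytes;
  - in the broken build the only input to the seed is the process ID, which
    on a default Linux system lies in 1..32767 (pid_max).
"""
import hashlib
import os
from typing import Optional, Set

PID_MAX = 32767  # default Linux pid_max: only about 15 bits of "entropy"


def derive_key(seed: bytes, key_len: int = 16) -> bytes:
    """Stand-in for a key generator: a deterministic function of the seed."""
    return hashlib.sha256(seed).digest()[:key_len]


def weak_seed(pid: int) -> bytes:
    """Debian's broken path: no random data is mixed in, only the PID."""
    return pid.to_bytes(4, "little")


def strong_seed(pid: int, entropy: bytes) -> bytes:
    """Correct path: the PID plus real entropy (e.g. 32 bytes from os.urandom)."""
    return pid.to_bytes(4, "little") + entropy


def recover_weak_key(target: bytes, key_len: int = 16) -> Optional[int]:
    """Attacker's view: try every PID and compare the derived key.
    Returns the PID that reproduces the key, or None if the key is not weak."""
    for pid in range(1, PID_MAX + 1):
        if derive_key(weak_seed(pid), key_len) == target:
            return pid
    return None


def build_blacklist(key_len: int = 16) -> Set[bytes]:
    """Defender's view: precompute every key the broken generator can emit,
    so that a host can refuse them (the idea behind Debian's openssl-blacklist)."""
    return {derive_key(weak_seed(pid), key_len) for pid in range(1, PID_MAX + 1)}


def is_blacklisted(key: bytes, blacklist: Set[bytes]) -> bool:
    """Check a candidate key against the precomputed weak-key set."""
    return key in blacklist


if __name__ == "__main__":
    victim_pid = 4242
    weak = derive_key(weak_seed(victim_pid))
    print("weak key recovered from PID:", recover_weak_key(weak))
    good = derive_key(strong_seed(victim_pid, os.urandom(32)))
    print("strong key recoverable?:", recover_weak_key(good))
    bl = build_blacklist()
    print("blacklist size:", len(bl), "weak key rejected:", is_blacklisted(weak, bl))
```

Enumerating all 32,767 seeds takes a fraction of a second on any laptop, which is why a key from the broken generator offers essentially no protection, while the same derivation with 32 bytes of real entropy mixed in cannot be recovered by this search at all.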

Now, one of the arguments for open source is that there are more eyes looking over the code, since it is openly available to be reviewed and changed by the community. This is true, and it is one of the reasons this bug was eventually discovered. The open source way of discovering bugs is beneficial in that the number of people reviewing the code is far greater than for proprietary software. But as the Debian OpenSSL case shows us, it can take up to two years before a bug is discovered, or at least published. Within those two years this bug may already have been found and kept quiet, with the finder exploiting it all that time. The problem with community review is that it is a voluntary choice, not an obligation.

With proprietary software, there are fewer people looking over the code, but they are more obligated to find bugs since they are being paid by their employer to do so. I am not saying that proprietary software is necessarily more secure than open source software. The Debian OpenSSL bug could have gone unnoticed for two years in a proprietary model just the same, since the number of eyes on closed source code is drastically smaller. So perhaps one solution for organizations using open source is a bounty system, such as the $500 bounty Mozilla offers for bug discovery, for bugs found in the OSS they depend on. Another would be to have third-party software analysis review the security of open source code. Ultimately, using open source code has many time and functionality benefits that would be foolish to ignore, but seeing as it is America's security on the line, extra steps must be taken to ensure the code is safe to use in exchange for the "free" software.

References
http://www.metasploit.com/users/hdm/tools/debian-openssl/
http://www.debian.org/security/2008/dsa-1571
http://www.linux.com/feature/135270
http://research.swtch.com/2008/05/lessons-from-debianopenssl-fiasco.html


Trust but Verify (from :http://the-opensource.blogspot.com/2008/07/trust-but-verify.html)

Ronald Reagan, Farewell Address to the Nation, Oval Office, January 11, 1989:

"If they persist, pull the plug. It's still trust but verify. It's still play, but cut the cards. It's still watch closely. And don't be afraid to see what you see."

http://www.reaganlibrary.com/reagan/speeches/farewell.asp

This is the first time that I have had the justification to quote the late President Ronald Reagan to make an obvious point. In the Debian example, the open source community trusted that someone else would look and find the problem. Users believed that the power of community review would reduce the risk of using the software. Users were lulled into a complacency whereby nobody felt the obligation to "verify". Just like when an accident happens, we cannot all just assume that someone else will call 911, offer assistance, get involved. If we accept the socialism of free software, then we must mutually accept the responsibilities associated with the use of such software, or we must impose the obligations of these responsibilities onto the vendors that offer service agreements for such software.

I in no way single out open source software from proprietary software. The point is that just because there is nobody to blame does not mean we cannot look for problems. In the use of open source software, we must be prepared to know how to look, qualify the process by which software is checked and validated, and then centrally and proactively share this information.

Forums exist for the distribution of risk issues, and copious amounts of data has been amassed to allow management of complex environments. Regardless of whether the applications being used are "open source" or proprietary, objective rules and guidelines must be put in place and enforced in order to assure that the power of the community actually means something.

I tend to believe that long past are the days when each user would be forced to review the source of any distribution prior to compiling for one's own platform. We as users find it too easy to download the bits, decompress and run. We trust that in the community of users, someone else will find the problem. This complacency toward decentralized responsibility can lead to big problems. The use of open source alternatives to proprietary software is not more risky; it just imposes objective responsibilities and processes that must be abided by in order for open source solutions to continue offering an advantage in the workplace.

Users need to realize that nothing comes free. If we look at the real savings of open source software as that of time, the budget usually allocated to the purchase of commercial solutions can be spent to provide diligent review and management of "open" applications, following documented guidelines, with results of such copious review being continually shared with the community.

Software Security Perspectives with Joe Jarzombek from The Department of Homeland Security (from: http://the-opensource.blogspot.com/2008/07/software-security-perspectives-with-joe.html)


Joseph Jarzombek serves as Director for Software Assurance in the Policy and Strategic Initiatives Branch of the National Cyber Security Division (NCSD) within the Department of Homeland Security (DHS). He hosts and sponsors many public-private collaboration efforts focused on software security. He recently spoke at the AIE Conference on Military Open Source Software, and he shared his perspectives on “Security Considerations in the Use of Open Source Software". The following is my commentary and his words from the conference. Joe Jarzombek also provided the presentation for readers to download.

Ernest Park: The weakness in blind trust of a decentralized community was clearly pointed out with the Debian issue. Without objective mandatory and measurable delivery against processes, software flaws can go unnoticed for periods of time. Joe, is this an example of existing complacency in the use of open source software, and who should accept responsibility for this major security oversight?

Joe Jarzombek: The OSS community still needs a mature and widely-recognized OSS governance regime. If organizations were to adopt OSS, then our acquisition and security personnel need to become more OSS-savvy. They would need to establish an OSS security expert role for verifying and enforcing OSS conformance to organizational requirements and policy.

Ernest Park: It seems like a well organized group with political or financial motivations could wreak havoc on our country using open source software to open the doors to an attack. Is the government concerned about open source applications being used to hide intentionally hidden trojans and coding flaws, such that institutions using such software can be exposed to highly targeted attacks?

Joe Jarzombek: As part of enterprise risk management, organizations should evaluate the trustworthiness of suppliers, and that includes enhanced due-diligence to better understand the pedigree or provenance of the software and the capabilities of the suppliers to deliver secure products and services before acquiring any developers' OSS. Generally the significant OSS projects are maintained by well known developers in the community. They would have to make sure the project team monitored each developer's initial contribution or only his/her later modifications and updates. Their process would also need to include checks/controls to establish developers' identities and trustworthiness. The developers' geographical locations, nationalities, affiliations, ideologies, and loyalties are also easier to obtain with OSS. On OSS projects, it's often possible to discover developers' identities (at least who they claim to be). The same is not true of many proprietary software projects/developers.

Ernest Park: The FLOSS, OSS, FOSS, free software, open source community is a non-centralized ‘socialist’ network. Does the lack of perceived central responsibility pose a higher obligation of risk awareness and mitigation on enterprise users of these applications?

Joe Jarzombek: First, people should understand that many of the issues identified with OSS are equally true for proprietary software. The ability to determine pedigree/provenance should be one factor, but not the only factor, in decision-making on whether or how to proceed with software security evaluation. If there is inadequate information then there needs to be deeper security analysis, vulnerability mitigation and environment-level isolation and constraints to separate “not yet trusted” from “more trusted” software. If there is no pedigree/provenance information then that has sometimes been used as a reason to reject the software especially if it were to be used in national security systems with US only content requirements.

Ernest Park: Do you feel that enterprises are exposing themselves to undue risk if they choose to save money by using open source applications without budgeting for additional resources to manage and oversee such applications?

Joe Jarzombek: Many organizations are already looking into additional resources to manage and oversee applications that they might use. Several companies such as Palamida and Black Duck Software offer discovery programs that will find "hallmarks" in the source code, COTS products, and large software systems. Several companies now offer services that focuses on software security. We have also collaborated with vendors who have made a business out of scrutinizing OSS code, such as Fortify Software, Ounce Labs, Coverity, Cigital, and others. OSS "commodification" potentially provides the best of both worlds: OSS design/code openness and vendor support.

Ernest Park: I have run into some efforts to increase usage of open source within government. Has DHS been involved with these efforts, and is any policy defined to assure high operational security for all applications going forward?

Joe Jarzombek: DHS has sponsored the Vulnerability Discovery and Remediation Open Source Hardening Project, in which Coverity, in collaboration with Symantec and Stanford University, evaluated popular OSS to discover and remediate exploitable vulnerabilities. In this project 40+ OSS packages, including Linux, Apache, MySQL, Perl/Python/PHP, were evaluated for vulnerabilities. 11 packages were remediated.

Ernest Park: What should we be doing as a minimum to insure that we are diligent, responsible technology users and proud citizens defending our homeland?

Joe Jarzombek: The broader stakeholder community needs to be security-aware, with a better appreciation of just how much our enterprise missions are more at risk because of exploitable software. These risks have to be mitigated during development and in use. We need more security-informed procurements. As consumers we need to exercise more due diligence in selecting software suppliers and products. More comprehensive software diagnostic capabilities need to be used by developers and testers. Also, problems that are found need to be reported as soon as possible so that they can get fixed immediately, ideally before code is released. And users should also keep their software up to date by installing the latest patches.




Ernest Park: Has anyone assembled a best practices guideline for using your data sources to more securely and proactively manage our computing environments?

Joe Jarzombek: Our DHS Software Assurance "Build Security In" website offers many publicly available resources which are free to download. BSI at https://buildsecurityin.us-cert.gov/ offers several sound practices from respected practitioners of software security. David A. Wheeler is well known for his contributions in OSS endeavors. He has released papers and projects on OSS and security, including "Open Source Software (OSS) and the U.S. Department of Defense (DoD) – Webinar". If people are interested in further collaboration on software security practices, I would invite them to join us in future Software Assurance Forums and working group sessions which are publicized on our BSI web site under Events.

Ernest Park: We are repeatedly told that the next big attack will come via the internet. What steps can I do to empower myself, my fellow software users and my country to proactively defend, and more predictively manage my environment?

Joe Jarzombek: Software users should, as a minimum, perform a security evaluation on the programs they choose to use that answer these questions:



  • Are the software's security assumptions consistent with the security assumptions made by and about the component that the software will implement?

  • Can unused functions and interfaces be removed, disabled, or fully isolated without affecting the correct execution of other functions?

  • Does the software expose and provide access paths (intended or unintended) to its vulnerabilities?

  • What are the common exploitable weaknesses in the code, and what form of static or dynamic code analysis has been performed to determine the resiliency of that code?

The open design and source code availability of OSS should make security evaluation easier.



References:

  • http://ttcus.com/oss/ (The Military Open Source Software Conference, April 21-22, 2008)

  • Goertzel-Jarzombek-OSS_Security SwA.ppt
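The interview above mentions discovery tools that look for "hallmarks" of known open source components inside a code base, and the evaluation questions ask what code analysis has been performed. The following Python sketch is an added example, not code from the interview, from Palamida, Black Duck or any vendor named above; it shows the basic idea behind such discovery with one simple technique (hashing windows of normalized source lines and matching them against a catalogue of known components). The component names libfoo and libbar, the sample sources and the "unknown" application file are all constructed for the example.

```python
from __future__ import annotations

import hashlib
import re
from collections import defaultdict

# Lines that are only comments (C/C++ style or '#'); the '#' rule also drops
# C preprocessor lines, which is acceptable for this illustration.
COMMENT_RE = re.compile(r"^\s*(#|//|/\*|\*)")


def normalize(source: str) -> list[str]:
    """Drop blank and comment-only lines and collapse runs of whitespace so that
    re-indentation or added comments in a vendored copy do not defeat matching."""
    kept = []
    for raw in source.splitlines():
        if not raw.strip() or COMMENT_RE.match(raw):
            continue
        kept.append(" ".join(raw.split()))
    return kept


def shingles(source: str, k: int = 3) -> list[str]:
    """Hash every window of k consecutive normalized lines; these hashes are
    the 'hallmarks' that the scan looks for."""
    lines = normalize(source)
    hashes = []
    for i in range(len(lines) - k + 1):
        window = "\n".join(lines[i:i + k]).encode()
        hashes.append(hashlib.sha256(window).hexdigest()[:16])
    return hashes


def build_index(components: dict[str, str], k: int = 3) -> dict[str, set[str]]:
    """Map each hallmark hash to the known components that contain it."""
    index: dict[str, set[str]] = defaultdict(set)
    for name, src in components.items():
        for h in shingles(src, k):
            index[h].add(name)
    return index


def scan(source: str, index: dict[str, set[str]], k: int = 3) -> dict[str, float]:
    """For an unaudited file, return the fraction of its hallmarks that also
    occur in each known component (rounded to two places)."""
    hashes = shingles(source, k)
    if not hashes:
        return {}
    hits: dict[str, int] = defaultdict(int)
    for h in hashes:
        for name in index.get(h, ()):
            hits[name] += 1
    return {name: round(n / len(hashes), 2) for name, n in hits.items()}


def flagged(source: str, index: dict[str, set[str]], threshold: float = 0.25) -> list[str]:
    """Components that belong on the bill of materials (and should be checked
    against vulnerability advisories) because a sizeable share of the file
    matches them."""
    return sorted(name for name, frac in scan(source, index).items() if frac >= threshold)


# Constructed sample inputs; 'libfoo' and 'libbar' are hypothetical components.
KNOWN_COMPONENTS = {
    "libfoo": """
int foo_init(struct foo *f) {
    f->count = 0;
    f->buf = malloc(FOO_BUF);
    if (!f->buf)
        return -1;
    return 0;
}
""",
    "libbar": """
static int bar_open(const char *path) {
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -errno;
    return fd;
}
""",
}

# A constructed application file that vendored foo_init (re-indented, with a
# comment added) and never documented the dependency.
UNKNOWN_SOURCE = """
/* vendored helper, origin unknown */
int foo_init(struct foo *f) {
  f->count = 0;
  f->buf = malloc(FOO_BUF);
  if (!f->buf)
    return -1;
  return 0;
}

int app_main(void) {
  struct foo f;
  return foo_init(&f);
}
"""

if __name__ == "__main__":
    idx = build_index(KNOWN_COMPONENTS)
    print(scan(UNKNOWN_SOURCE, idx))      # {'libfoo': 0.56}
    print(flagged(UNKNOWN_SOURCE, idx))   # ['libfoo']
```

Real discovery products use far richer signatures (function-level hashes, binary strings, package metadata) and a catalogue of thousands of projects, but the workflow is the same: fingerprint what you know, scan what you ship, and treat every match as a component that needs an owner, a license check and a place in the vulnerability-tracking process.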


Weekly Count, Sourceforge Backed up


If our numbers seem lacking this week, it's because they are. One of our largest sources of data is backed up at the moment. Sourceforge seems to have stopped updating files past June 22. Once SF is caught up on their files to the present, our numbers will catch up to the expected rate. We emailed the maintainers at Sourceforge and they informed us that they have located the problem. They notified us that the problem will be fixed within the next couple of days when they make their next push. For this week, the GPL v3 count is at 2751 GPL v3 projects. The LGPL v3 count remains at 265 LGPL v3 projects. And the AGPL v3 number is up 3, bringing the total to 120 AGPLv3 projects.







***********************************************************************************


Richard Stallman comments - update
In my last post (http://gpl3.blogspot.com/2008/06/gplv3-one-year-anniversary-edition.html), I included comments from Richard Stallman in an "interview" section. I had hoped that Mr. Stallman would welcome the opportunity to comment on an objective, non-commercial, free effort to openly track adoption rates of GPLv3 related licensing in new software releases over its first year. Instead, through a series of email exchanges, Mr. Stallman indicated more of a philosophical disdain for this information effort, and a dislike for Palamida, the company that continues to generously sponsor this effort.



It seems that Mr. Stallman has clear views on how "free" software needs to be described, referred to, and counted.





Richard Stallman: "The free software movement is not merely personal. It is a political movement like the environmental movement, the civil rights movement, etc."





Mr. Stallman contacted me afterwards, asking me to present his comments clearly in the context in which they were elicited.





Prior to 6/29/08, I asked a series of questions, and did inform him that his responses would be published in their entirety. From an email exchange between Mr. Stallman and me that followed the publication on 6/29/08:






  • ernest park: I can clarify the post. As a note, I was very clear with my intention to publish all of your words, unedited, which I did.

  • richard stallman: You invited me to contribute something and said you would publish it unedited. But I did not do that; I instead said why I did not want to.

  • ernest park: Redhat, MySQL, Sun, IBM - and others all generously sponsor the existence of open source projects through their proprietary commercial activities.

  • richard stallman: I am an activist for free software and freedom; open source is not what I support.

It is clear that Mr. Stallman and I do not see eye to eye. While the various GPL versions (v2, v3, etc.) are legal instruments governing the availability and redistribution of the underlying code, aka source code, his position is that free software is more of a philosophical movement than a legal construct around the use and propagation of community-developed software.


Followup - Google Code Repository
My views on the licensing restrictions at http://code.google.com/ changed significantly after our talk with Chris DiBona (http://gpl3.blogspot.com/2008/06/gplv3-one-year-anniversary-edition.html). His position on license proliferation is a practical argument. When we see all the licenses out there with prohibitive and vague language, contradictory language, or possibly hidden agendas, perhaps Chris is heading in the better overall direction.


I have always thought that Creative Commons got it right. There is no confusion about what a CC license allows or does not allow. If licenses for open source software were standardized into a simple menu format like CC, how many distinct permutations would really be required? Would the OSS community be better served with fewer licenses that are clear, with defined interaction and use conditions?



It is a shame that OSI (http://www.opensource.org/licenses) does not require documented interoperability for approval. In this way, even OSI has been party to the unfortunate proliferation of licenses that say similar things, do not cooperate with each other, and create more confusion and complexity for use. As an interesting point, Chris used to be a member of OSI, and consistently lobbied for fewer approved licenses. OSI approval should really mean much more than the fact that the document passed a spell check (I am being sarcastic).





Chris and I agree on this issue: fewer licenses with clear terms and documented interoperability will protect the future utility of open source software.
********************************************************************************************************


Missing Week, and what's new?




Time off
We all took a week off for July 4th. It seems that our time off was aligned well to other issues in open source software. Sourceforge was having issues posting updated information, and as of recently, their information was still queued up. We contacted friends at Sourceforge right away, and they acknowledged that they discovered the issue and things would be back to normal.




Farewell Antony, welcome aboard Edwin
As of this week, Antony Tran is stepping down as Project Manager for the GPL3 Information Search site and blog. Antony has been with the Research Group for over a year, and has handled a number of significant research projects specific to open source software worldwide. He is taking time for himself, and may start the arduous process of interviewing at graduate schools.
The team will miss Antony's contributions and leadership. Over the course of the next few weeks, Edwin Pahk will take over project management duties for the information site, starting next week. Edwin has been with our team for more than one year after graduating from Berkeley.





Change in format going forward
We accurately tracked GPLv3 adoptions over the last year, and despite quotations and interpretations in all directions, I have to say that the integration of GPLv3 variants in project releases was and continues to be at a steady and growing rate, with over 3000 releases using GPLv3, AGPLv3 and LGPLv3 in the last year, and nearly 7000 "or later" releases. The focus of this information site is moving more into the future of open source: news, security, topical stories. You may have noticed over the course of the last few months the addition of interviews. We will continue the interview format, and are eager to continue to make sure you "read it here first".


If you wish to participate in an interview, or if you want information from me, please send a note to rdgroup@airius.com.


LINKS BACK - Please help!
We ENCOURAGE you to copy the content of this site. The Creative Commons license asks only for non-commercial use, and credit. I would like to ask that you also cooperate with the requests herein without my requiring a modified license. Please send me a note if you do so regularly. Each week I can find this site translated into half a dozen languages, and on any week I can find hundreds of partial or complete copies of the site content on other sites.



  • Feedburner - RSS of this site is available via subscription

  • Email - For those that want the content delivered, email delivery is available. Information about subscribing is on the bottom.

  • With the hundreds of copies of this site that go out weekly via subscription, along with the hundreds of copies on other sites, the stats are out of skew. We use Google Analytics to track usage. When the site is copied, the "tracking script" is not copied. As a result, while I can verify hundreds of links and potentially thousands of readers, Google Analytics does not know about it. Please help.

Link Partners
If you are willing to copy and translate the content weekly, please let me know. You will receive the content as soon as it is available, and your site will be listed as a translation. I can send you a bit of tracking code so that you get credit for your contribution to the readership of this site.
Post your link on the bottom of the blog page.


Send me a note at rdgroup@airius.com that you are using some or all of the content
I will make sure that we host links to your sites, and we will be able to use your content within this site as well.


********************************************************************************************************




Notable Mention

The Research Group actively takes submissions from visitors on updates on new GPL v3/LGPL 3 projects. We are amazed at the number of submissions we have gotten to date, but even more so, we are incredibly grateful to over 100 core contributors who have devoted their time and resources at helping us provide up-to-date information.

The Research Group (rdgroup@airius.com)

Ernest Park
Edwin Pahk
Kevin Howard
********************************************************************************************************


Subscription

For more information, go to http://gpl3.blogspot.com/. To stop receiving these weekly mailings, please send a message to rdgroup@airius.com with the subject "unsubscribe:gpl3". To start receiving these weekly mailings, please send a message to rdgroup@airius.com with the subject "subscribe:gpl3".

********************************************************************************************************


Our Sponsor, Palamida, Inc.

The GPL3 project, sponsored by Palamida, Inc (http://palamida.com/ ), is an effort to make reliable publicly available information regarding GPLv3 license usage and adoption in new projects.

The opinions expressed within the GPL3 Information Blog are exclusively those of Ernest Park, the subjects interviewed and the contributing authors, and are not intended to reflect the positions of Palamida, Inc and its employees.

This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License.

********************************************************************************************************


Palamida was launched in 2003 after its founders learned first-hand what happens when companies don't have full visibility into the code base of their software applications based on Open Source Software. Their experiences inspired them to create a solution to streamline the process of identifying, tracking and managing the mix of unknown and undocumented Open Source that comprises a growing percentage of today's software applications. Palamida is the industry's first application security solution targeting today's widespread use of Open Source Software. It uses component-level analysis to quickly identify and track undocumented code and associated security vulnerabilities as well as intellectual property and compliance issues and allows development organizations to cost-effectively manage and secure mission critical applications and products.

For more information about FOSS management solutions, go to http://palamida.com/, or send a note to sales@palamida.com.

Please mention the GPL3 site when you reach out to Palamida.