Monday, August 11, 2008

GPL Project Watch List for Week of 08/08

The GPL v3 Watch List is intended to give you a snapshot of the GPLv3/LGPLv3 adoption for July 25th through August 8th, 2008.

This Week:

* Week Summary
* New Projects
* Software and Security: Social Responsibility in the Open Source Software Community
* User Contributions

A Project Transition

We would like to say farewell to the maintainer of this blog for the past year, Antony Tran, who has left our team to pursue other endeavors. We wish him only the best. Edwin Pahk, who has been with this team for over a year now, will be taking over his position. Due to the management and team transition, our collection numbers and blog have been a little slow these past two weeks.

This week our GPL v3 count is at 2875 GPL v3 projects, an increase of 29 GPL v3 projects. There was speculation as to whether the AGPL v3 would draw projects away from the GPL v3 conversion rates, but this does not seem to be happening. The AGPL v3 count is at 130 AGPL v3 projects. The LGPL v3 number is at 273 LGPL v3 projects.

New project conversions this week include:

* Disk Manager: Disk Manager is a CD/DVD archiving tool. It stores the directory contents of any media so you can search it later. It is also designed as a file explorer, which makes it easy to find big files. The Windows version supports native file context menus.

* PDFResurrect: PDFResurrect is a tool aimed at analyzing PDF documents. The PDF format allows for previous document changes to be retained in a more recent version of the document, thereby creating a running history of changes for the document. This tool attempts to extract all previous versions while also producing a summary of changes between versions. It can also "scrub" or write data over the original instances of PDF objects that have been modified or deleted, in an effort to disguise information from previous versions that might not be intended for anyone else to read.

* Smuxi: Smuxi is a flexible, cross-platform IRC client for advanced users, targeting the GNOME desktop.

Software and Security: Does a Social Responsibility exist in the Open Source Software Community?

When I first learned of open source software and its many advantages (most importantly because it was free and I was in college), the first thought that came to my mind was, is it safe? How can I trust a program if hackers can see exactly what I'm using and exploit it? I viewed the security of open source software to the equivalent of handing over the schematics of a bank vault to a robber. But as I continued to learn about open source software I realized that this is a common misconception and that open source software has the potential to be even more secure than proprietary software.

How can open source software be more secure? To put it simply, open source software allows anyone to access the source code, which lets more people view and test the software for its weaknesses and vulnerabilities. Sure, hackers can find things wrong with it, but general users can do the same. Imagine 1,000 people testing and finding weaknesses in a piece of software vs. the 10 people on a security team working for a proprietary company. One can see the definite potential of OSS becoming more secure.

Even though there is great potential for OSS to be more secure than proprietary software, there is a big difference between potential and what is actually being done. Here is a scenario to think about. What if someone has access to a piece of software and, knowing that everyone else has the same access, ends up doing nothing to check whether the software has vulnerabilities, thinking that someone else will do it? What if an entire community ended up with this mentality? Although a scenario like this may not be plausible, the social dilemma can still exist. In order for the OSS security model described above to work, there is a social responsibility that must be felt by the community in order to provide secure software to all. The question is: does this social responsibility exist?

An experiment was conducted by our team leader, Ernest Park, concerning a vulnerability that was found in the program BIND. Emails were sent out to 41 projects that had BIND, or possibly BIND, in their code, asking maintainers and security teams whether the vulnerability was addressed and how it was remedied. We received responses from 9 of these maintainers/security teams, and of those only 4 contained any significant or relevant information. The lack of response indicates, more than anything, that these maintainers and security teams have no obligation to respond to the community concerning security issues with their software. This raises a serious question about the social responsibility that open source software maintainers have towards the security of their projects. Where, if at all, does the responsibility for security lie?

It appears that in the end, users of the software must be ultimately responsible for their own security. This is primarily due to the fact that the OSS community is governed mostly by licenses that absolve the developer from any kind of liability. A service market has arisen, comprising people dedicated to maintaining and fixing software vulnerabilities, but as we have seen from the experiment above, they don't have any real obligation to anyone to explain how they are securing software. While the OSS market is as transparent as ever, how do we trust people who don't disclose how they secure software, and who have no liability to the user, to secure our software? As open source presents itself as a legitimate alternative to developing one's own software, companies will be burdened with a greater responsibility to understand what they are inserting into their code and IT systems. This burden may discourage companies as well as other users from trusting OSS and the benefits it provides. As stated by Joseph Jarzombek in a previous conversation with us,

"Joe Jarzombek: The OSS community still needs a mature and widely-recognized OSS governance regime. If organizations were to adopt OSS, then our acquisition and security personnel need to become more OSS-savvy. They would need to establish an OSS security expert role for verifying and enforcing OSS conformance to organizational requirements and policy."

Is this the best solution to address OSS security, and can something like this be accomplished? Unfortunately, for an idea as free as open source, everyone's opinion about what the community is differs. Until a singular view can be established, security will continue to be an issue that limits the effectiveness of open source software in today's market.

-Edwin Pahk


References:
-Goertzel-Jarzombek-OSS_Security SwA.ppt


Thanks for the Continued Support and Contributions
Our database is partly maintained by our team of researchers as well as by the contributions that are received from the community. Here is a submission we received last week through our web interface:

**********************************************
launchpadlib

Description:
A free Python library for scripting Launchpad through its web services interface.

Newest Release:
Pre-Release
****************************************************************************
We appreciate all the contributions that have been made, either through our form on our web page or by email, and we also like to hear why you are changing your project's license as in the email above. It gives us more insight into which direction license trends are moving. We will continue to post up user contributions to our blog each week, and we may quote parts of your emails. If you wish the email to remain private, just mention so and we will not disclose any part of it.

Link Partners
If you are willing to copy and translate the content weekly, please let me know. You will receive the content as soon as it is available, and your site will be listed as a translation. I can send you a bit of tracking code so that you get credit for your contribution to the readership of this site.
Post your link on the bottom of the blog page.

Send me a note at rdgroup@airius.com that you are using some or all of the content.
I will make sure that we host links to your sites, and we will be able to use your content within this site as well.

************************************************************

Notable Mention

The Research Group actively takes submissions from visitors with updates on new GPL v3/LGPL v3 projects. We are amazed at the number of submissions we have received to date, but even more so, we are incredibly grateful to the over 100 core contributors who have devoted their time and resources to helping us provide up-to-date information.

************************************************************

Subscription

For more information, go to http://gpl3.blogspot.com/.

To stop receiving these weekly mailings, please send a message to rdgroup@palamida.com with the subject "unsubscribe:gpl3".

To start receiving these weekly mailings, please send a message to rdgroup@palamida.com with the subject "subscribe:gpl3".

************************************************************

Our Sponsor, Palamida, Inc.

The GPL3 project, sponsored by Palamida, Inc (http://palamida.com/ ), is an effort to make reliable publicly available information regarding GPLv3 license usage and adoption in new projects.

The opinions expressed within the GPL3 Information Blog are exclusively those of Ernest Park, the subjects interviewed and the contributing authors, and are not intended to reflect the positions of Palamida, Inc and its employees.

This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License.

************************************************************

Palamida was launched in 2003 after its founders learned first-hand what happens when companies don't have full visibility into the code base of their software applications based on Open Source Software. Their experiences inspired them to create a solution to streamline the process of identifying, tracking and managing the mix of unknown and undocumented Open Source that comprises a growing percentage of today's software applications. Palamida is the industry's first application security solution targeting today's widespread use of Open Source Software. It uses component-level analysis to quickly identify and track undocumented code and associated security vulnerabilities as well as intellectual property and compliance issues and allows development organizations to cost-effectively manage and secure mission critical applications and products.

For more information about FOSS management solutions, go to http://palamida.com/, or send a note to sales@palamida.com.

Please mention the GPL3 site when you reach out to Palamida.


The Research Group (rdgroup@airius.com)

Ernest Park
Edwin Pahk
Kevin Howard
