Re: Berkeley DB 6.0 license change to AGPLv3
* Scott Kitterman:
> Sorry, I can't quite let this pass. I just went and looked at the
> AGPL v3 again and one implication of the license is that you can't
> locally fix a security issue without immediate disclosure. This
> doesn't fit my personal ethics at all and at least IMO makes it
> pretty unsuitable as a license for any network facing service.
But who can do that anyway?
By definition, most people administrating machines do not have access
to embargoed security information.
Most organizations with teams who have access to such information
cannot roll out patches because that would give hundreds, if not
thousands, of people access to the availability and nature of the fix.
This conflicts with the need-to-know principle that governs all
handling of embargoed security information.
In addition, commercial software companies are usually in the services
business as well (because they have cloud offerings), and thus compete
to some extent with their user base. Traditionally, there is a
Chinese Wall between hosted services (include its infrastructure
security part) and product security, and hosted services are treated
as just another customer, without privileged access, because of
concerns that sharing security information internally could be seen as
unfair competition (at least by the customers who pay for security
On the other hand, if the AGPL prevents organizations from sitting on
security fixes for code they depend on because they cannot be bother
to get the disclosure process going (which can admittedly be quite
time-consuming), that seems a good thing to me.