
Re: FW: Re: debian & portsentry



"Sean 'Shaleh' Perry" <shaleh@varesearch.com> writes:

> 1) I need to ensure code integrity because of the nature of the tool. If a
> person makes a change to the code that seriously hurts security it
> reflects poorly on me.

It would be quite acceptable to require changed versions to announce
very prominently that they are not the original. The DFSG even has a
provision to allow a requirement that derivatives have their name
changed. (This exception is needed for TeX and so is not likely to
go away anytime soon).

You also seem to be overlooking a more concrete point: if you were to
die, become subverted by some Evil Government Agency or otherwise be
unreachable, it would be impossible to *fix* security bugs in the
software legally. And security software that cannot be fixed is de
facto useless, at least for mission critical use.

Even in a situation where your faculties are still yours, this is
a problem. Debian takes security quite seriously and does not want its
users to end up in a situation where a security fix is delayed because
the upstream author has to be contacted and respond before it can be
released. Presumably you go on vacations occasionally, or you might
end up in a job situation where your time budget and priorities are
different from what you can think of now.

Using only `main' software ought to guard Debian users against lagging
behind security-wise. (Hmm.. this might actually be a good reason not
to use the name-change clause of the DFSG for security-critical
software).

> I need to make sure nobody bundles all my tools together and sells
> them separately.

This contradicts the needs of the DFSG quite directly. Free software
needs a distribution infrastructure, and we aren't going to get that
unless the distributors are allowed to charge money for their
services. (One might even imagine paranoid administrators that prefer
to buy CDs with security sources from multiple different vendors
rather than simply FTPing them via their possibly-tampered-with net
connection).

> My employment contract specifically excludes my tools to protect
> myself and my end users, but I don't want to stir up any problems
> where none exist.

Could you get your employer to specifically agree to your work being
made free (something like the disclaimer templates at the end of the
GPL)?

> Perhaps the person from Debian who is responsible for
> this decision can write me so we can chat?

The entity responsible for the Debian Free Software Guidelines is
the developer consensus. I'm just a subscriber to debian-legal who
is volunteering my explanations of why it's a good thing they are
as they are.

-- 
Henning Makholm                     "The effect of a go to statement leading
                               into a conditional statement follows directly
                        from the above explanation of the effect of *else*."
