
Re: Web application licenses



On Mon, Aug 02, 2004 at 10:22:39PM -0700, Josh Triplett wrote:
> > But standard advice on network security is *not* to advertise specific
> > banners.  I don't think much of that advice, but I sure do see a lot
> > of it.  Is it free to make this kind of requirement of users of the
> > software, that they ignore good security practice?
> 
> If your network would be insecure if someone knew the versions of
> software you run, then your network is insecure.

In practice, you're both right: security by obscurity, alone, isn't secure,
but in practice it's a very real gain to not advertise immediately what
your set of bugs is--if it gives you five more minutes to respond to a
security advisory, then it's a win.

I won't overgeneralize; some free licenses do place restrictions on security-
related decisions (the GPL prevents me from adding some security-related
features and not releasing the source for the above reason), but I don't
think it's a good thing in general.  I should decide my security philosophy,
not anyone else.

-- 
Glenn Maynard


