harmony-dev mailing list archives

From Stefano Mazzocchi <stef...@apache.org>
Subject Re: [legal] Proposed changes for the Bulk Contributor Questionnaire
Date Mon, 14 Nov 2005 14:57:48 GMT
Leo Simons wrote:
> Rant below. Decided not to tone it down.
> On Mon, Nov 14, 2005 at 12:11:57AM -0500, Geir Magnusson Jr. wrote:
>> Comments welcome.
> I like everything but the references to "Black Duck Software". I took
> a look at their website and their licensing policies and everything
> about it "feels" wrong. I don't like basing a big part of our processes
> on some commercial black box "service-like" offering.
> Taking another look around the web for similar companies, they seem to
> be about "open source risk management" where the risk is to avoid
> "contaminating" proprietary stuff with "open source" stuff. I resent the
> idea of "open source" being "contaminating" or anything like that (GPL
> is viral, but most other stuff is not). There's this entire category of
> companies who capitalize on FUD. I can imagine SCO having stock options
> on some of 'em.
> I think we should avoid the ASF being seen as being part of any of that.
> ---
> Leading Open Source Foundation Does Not Trust Its Own Processes
> The ASF has recently started using the same tools that intellectual
> property sharks use when figuring out whom to send cease and desist
> letters.
> When asked for comments, the ASF said: "We finally gave up trying to
> understand why people are so scared of open source, so now we're just
> using some incomprehensible piece of commercial software which makes us
> feel secure. We think it's pretty silly, but if we already have run the
> tools, at least companies like SCO can't really use them as grounds for
> suing us since we'll look pretty clean when they run the tool."
> Darl McBride said: "We think the ASF is making a very smart decision
> by employing code scanning techniques. It's the only way to be safe from
> prosecution. Of course, most other open source organisations don't
> employ code scanning techniques (since they do have a brain of their
> own) so we're just going to sue all of those."
> IP firm XXX said: "What Darl said. Don't use any of that scary open
> source stuff. Even the ASF understands that now. Won't be long before
> they turn into a commercial entity themselves!"
> ---
> Grrrrr.
> Hmm. Didn't SCO run keyword scanners and the like? Didn't they find out
> that they'd actually taken code from open source codebases? Didn't much
> of the same happen at JBoss some time ago?
> I doubt there's a lot of keyword scanning tools or any kind of other
> automated technology that I wouldn't be able to circumvent with a few
> hours of work. It's just such a stupid idea. If I take source code from
> (say) the sun jdk, work on it for a few weeks to make it look completely
> different so no line of the original code remains, I still have a
> derivative work but no scanner is going to be able to detect that. Just
> like spam still manages to make it into my inbox.
> I can imagine how some people or companies would feel safe if we were
> to say "we scanned everything using this intellectual property risk
> management tool XXX" but we'd be legitimizing something silly and giving a
> false sense of security.
> Now, if these tools were open source and I'd be able to take a look at
> how they work I might put some trust in them. But fancy websites, lots
> of press releases, not a lot of technical details, anal usage
> restrictions and total lack of a "download" button just sets off a lot
> of alarm bells.
> With my infra@ hat on I'd probably be against running this kind of
> black box software under this kind of policy on ASF hardware. With
> something like jira, I at least know how it works (or doesn't work) and what
> technology is under the cover and can get at the source code if I want to.