[nycphp-talk] somewhat OT: open source code auditing
Hans Zaunere
lists at zaunere.com
Tue Aug 16 09:47:31 EDT 2005
> Hey Folks,
>
> This is slightly off-topic, but I've just had the "higher-ups" come to
> me asking about open source and coding audits. I'm not speaking about
> collaborative tools or auditing from a security perspective, but rather
> from a legal perspective. Simply put, how do you know were a piece of
> code really came from?
Maybe the SCO lawyers can help with this :)
> I'm hoping that others on the list have gone through this (or are
> actually going through it now) and can provide some insight.
>
> Some general questions:
> 1. When you decide to use a piece of open source software, what do you
> document? (package name, authors, download location, website, license,
> date/time, etc)
> 2. Do you feel the need to actually verify that they wrote it? Or is
> it enough to say, "This is a popular package, and it is generally
> accepted that this person wrote it."
This really comes down to the license. If it's GPL, you basically are legally bound to make your "derived works" public as well. Of course, what defines derived works is not something clearly defined.
> As this could relate to PHP:
> 1. The PEAR and PECL repositories - is there anything built into the
> package approval process that looks for this? I didn't see anything on
> the website. I would imagine that some Google searches probably occur
> just to make sure this package
> 2. Code posted on the PHP site by users? Is that "free" to use?
Ugh - there's that word again, free :)
> I realize that most of us aren't lawyers, and we're getting help from
> our legal team, but any help you can provide is greatly appreciated.
It's certainly a sticky area. But, keep in mind, that most of the larger open source projects, like PHP and Apache, are licensed using a BSD style license. These questions should only be answered by lawyers, but most source from PEAR and PECL should have a header indicating the license. Typically, this is the PHP license, and so you're likely safe - but again, no one really knows :)
H
More information about the talk
mailing list