Some thoughts on the mod_security acquisition

First, a public service announcement. The next European ApacheCon event will be held in Amsterdam, in the first week of May. The Call for Papers is now open at There will be a US ApacheCon in November. Now to the column. Many products are moving from commercial closed-source to open or part-open source …


  1. Anonymous Coward

    One possible reason for acquisition

    An upcoming clause in the new multi-card PCI standard requires that in most circumstances e-commerce sites must run an application-level firewall such as mod_security.

  2. A J Stiles

    Beauty of the GPL

    The whole beauty of the GPL is that it prevents closed-source forks. Nobody can take a GPL product, modify it and chain up the resulting modified product.

    One could say that licences such as the Apache and BSD licences, which permit the development of Closed Source forks, do not prevent the original developers from releasing an Open Source clone of any Closed Source fork; and the use of the GPL to prevent this is laziness on the part of developers. However, some of those who dislike the GPL are the very ones who would like nothing better than to take an existing piece of Open Source software and release a Closed Source derivative, as opposed to writing a piece of Closed Source software from scratch. Is this not also laziness?

    As for the incompatibility between the GPL and Apache licences, that is unfortunate; but there is nothing to stop the copyright holders dual-licensing mod_security if they all agree to do so. If the licence is specified as "GPL 2.0 or later", then it is probable that GPL 3.0 will be compatible. In fact, the licences are incompatible in jurisdictions where software patents are legally valid. In the EU and the UK, where software patents are explicitly disallowed, ASL 2.0 §3 (which would conflict with GPL 2.0 §6) is meaningless (since no-one can initiate legal proceedings that would invoke this section). In any case, incompatibly-licensed modules can always be loaded at runtime, since this particular use of a copyrighted work falls under the doctrine of Fair Dealing / Fair Use.

    At least with mod_security under the GPL, it can remain Open Source forever. That can only be a good thing.

    Closed source software is damaging to everyone. Every problem with every piece of closed source software exists and persists because, and for no other reason than that, the Source Code is not available to independent developers. When a security flaw is discovered in Firefox, patches are available within hours if not minutes. When a security flaw is discovered in Microsoft Internet Explorer, patches are available when Microsoft say so.

    But the problems with Closed Source are not limited to security. Access to the Source Code would enable an organisation to adapt an existing program to suit better the way they used to do business before computerisation. (The adaptation of software to an organisation's paradigms is a Service which has Value and could conceivably be delegated to a third party.) Without access to the Source Code, businesses must instead adapt their operating procedures to suit the workflow imposed by the software, wasting many person-hours over the course of a year; and competent programmers are being deprived of a potential business opportunity.

    The proprietary data file formats associated with Closed Source software enable vendors to extort millions of pounds from users, who must upgrade to the latest versions of software (often given away with new PCs, so as to stimulate adoption of the "new and improved" save formats) in order to maintain the ability to read and edit one another's documents. The data file formats of Open Source software are available to any programmer; if the introduction of a new feature necessitates a radical change in data file formats, a simple translation program can be created. Closed Source vendors are in a position to create such tools; but will not, because to do so would prevent them from selling the newest versions of their software.

    Closed Source software also is responsible for significant migration of funds: it makes the rich richer and the poor poorer. If a business buys Closed Source software "off the shelf", then money is transferred to the software vendor, who may be located overseas. If a business instead employs a local programmer to modify existing Open Source software to suit their needs, that money essentially remains within the local economy: after all, local programmers pay local taxes, shop at local stores, visit local tourist attractions with their friends and families, and contribute to local good causes.

    I still have faith that one day, it may be the Law of the Land that all software must be supplied with Source Code. But the need for such a law may well be obviated by the development of a usable decompiler -- a (so far, mostly hypothetical) program which, given some binary object code, outputs source code which would produce identical object code when compiled.
