* Posts by Vic

5860 publicly visible posts • joined 7 Dec 2007

MySQL price hikes reveal depth of Oracle's wallet love

Vic

Derivatives...

> This is an absolutely massive difference for a database product.

I think you're drawing a distinction that was neither stated nor implied...

The definition of "derivative work" is laid down in copyright legislation. If you think my description does not mesh with that definition, then feel free to substitute the one from CDPA88, since that was my meaning.

Nevertheless, the point I was making is that the GPL does *not* prevent you making commercial applications. It does not care what you want to do with the code - indeed, distributors are explicitly prohibited from making any prohibitions according to intent. GPL code is Free to use - even for stuff I don't want you to use it for...

Vic.

Vic

Clearly :-)

> But only if you redistribute it. Otherwise you are quite free to keep any changes you make close to your chest*

That's a somewhat moot point; you only need to distribute source for any program you might distribute (N.B.: all the source, not just changes). Nevertheless, the code is still covered by GPL if you don't redistribute - it just doesn't mean you have to do anything to comply.

> So purchasing the commercial licence gets you what exactly?

The right to redistribute without complying with the GPL.

> Or are you saying that if you purchase a commercial licence you can modify the code and redistribute it as a closed source product?

Yes.

> I don't see how that can work.

You don't need to.

But if you were a closed-source vendor that wanted database functionality in your product, you might have bought a commercial licence from MySQL. They have customers...

Vic.

Vic

Re: "MySQL price"?

> Oh, you're talking about support from Oracle?

No. MySQL is dual-licenced: you either accept the GPL, or you have to pay money to use it in a non-GPL context.

Vic.

Vic

Re: Postgres

Postgres needs to think about version migration before it will get the adoption of MySQL.

I understand the reason for being cautious with opening older DBs, but for those of us that use postgres packaged by our distros, this can lead to the situation where a database is completely unavailable because the package has been up-issued. Fixing that is a headache we could all do without.

Vic.

Vic

Re: Copyright?

> How much of my code is in their code base?

That depends. On how much of your code have you given them the copyright? That will set the maximum limit.

MySQL has long had a requirement on contributions for copyright to be handed to them. If they don't get those rights, the code doesn't go in. This has allowed them to continue the dual-licencing model.

This is a double-edged sword; should one of the GPL forks become dominant, it could have features not in the "official" Oracle release - and Oracle cannot just import that code into their own codebase without entirely destroying their ability to sell commercial licences...

> I think I still have the right to revoke that.

No, you don't.

> Anyone got a contact to send Oracle's ISP a DMCA shutdown notice?

That would be unwise.

Vic.

Vic

Not really...

> I'm sure that I remember that MySQL is under a dual license

It is. MySQL can be had under GPL for no money, or under a commercial licence for lots.

> where the applicable license depends on what you want to do with it.

What you want to do with it makes no difference - what matters is whether or not you want the GPL version.

If you do, your derivative work (i.e. what you build with it) must also be GPL. Some people don't want that - so they have to pay Oracle a few first-born children instead.

Vic.

Grocery terminals slurped payment card data

Vic

Sure about that?

> Pin pads, those customer operated devices, use DES encryption

*Legitimate* ones do. What about tampered ones?

The biggest flaw in this security model is that it requires the pin pad to be a trusted item. If that trust is broken, there is no more security...

> Sure sounds like an inside job!

Sounds like a crime committed by someone with physical access to the devices. Once again, impersonating a service engineer is the way to break in :-(

Vic.

Hackers hijack internet voting system in Washington DC

Vic

Nope.

> So basically you say exactly the same thing as I did

No - I'm saying the exact opposite of what you said.

You said none of the open-source elements was cracked.

I said that one of them was.

I am disagreeing with you.

That's why I responded to your question of "right?" with the answer "wrong".

Vic.

Vic

I don't think I am.

> That's why we should be glad that the system never went live, I guess.

But it did go live. It might not have been actually counting votes - but it is still a live application exposed to users. And it wasn't even close to being ready for that.

> flaws of this magnitude should not even have reached the testing level

Exactly. This project is broken by design.

> but chill dude, it never went live fo' realz.

Well, that rather depends on what you mean by "live fo' realz". That this story is being used in an attempt to discredit the open-source development model is plenty live enough for me.

> the project is only a few weeks old

That's what I get from the github graphs. I don't find this the easiest tool for such things - but it is rather popular at present :-(

But that doesn't excuse the fact that something as important as e-voting was entrusted to a bunch of neophytes so incompetent as to have included such trivially-avoidable beginner errors in their code. Nor does it excuse the fact that this was not picked up in code review - so that review is either very faulty or very absent.

This application had no business being presented as part of Officialdom. If it had been three skiddies playing at coding, we'd just have had a laugh. But this is a Governmental system; it provides negative publicity for Government procurement, for e-voting, for FLOSS, and for computing systems in general. And that's not good for any of us.

Vic.

Vic

Good grief, no

> the Enlightened people use Ada, where you can have built-in bounds checking of many kinds.

Note that in Ada you *can* have built-in bounds-checking; that doesn't mean you *do* have it.

The upshot of this is that some programmers stop coding defensively, because they expect the compiler to do the work. They don't worry about designing array indices not to overflow any more.

This works fine until someone switches off the auto-checking, believing it to be an overhead they can't accept any more. I've seen this happen in many projects.

In fact, wasn't that a large part of the reason for the Ariane 501 accident?

Vic.

Vic

How clear?

> None of the open source components were hacked, right?

Wrong. The application was hacked.

None of the platform was broken - but the designers had seen fit to give enough privilege to the process running the application to do silly things. And the application was so poorly-written that that privilege was easily taken by anybody who wanted it.

Vic.

Vic

Credentials

> "Why is it a "Shocker" that a web application would have the username and password of the database into which it is inserting data?"

> Because it shouldn't.

I don't have a problem with the app having *a* username/password. The problem, AISI, is that the phrase "the username and password" has any meaning...

ACL is known technology. There is no reason to give your web application any more privilege than it needs :-(

Vic.

Vic

Some misunderstandings...

> The philosophy of FLOSS is that given enough people and enough time to review, things will get fixed.

> Great as far as it goes - because it doesn't specify WHEN.

No. That's not what FLOSS is about.

The advantage of open-source is that your bugs get found. There are far more people looking at the code, so it gets far more testing by people who have a good idea how to stress the code in question.

This says nothing whatsoever about how you go about *fixing* those bugs - it just provides a mechanism for discovering them.

> But what about projects and software that ABSOLUTELY have to go live in a short amount of time?

You pay someone to debug the code - just as you would in a closed-source application. Being open-source does not hamper this development flow at all - it just provides additional volunteer testing resources.

> When is there the time for FLOSS to be reviewed, discovered, and fixed?

> And then those fixes themselves reviewed and tested?

Being FLOSS does not preclude exactly the same reviewing and testing that closed-source would require - so the same job can be done. Being FLOSS does get extra testing for free.

The only thing that FLOSS precludes is security through obscurity. For a voting system in particular, that is a very good thing to prevent...

> But let's at least examine when it MIGHT have limitations

Sure. This is not one of them.

> such as short time-frame deliverables on systems that have to be verified.

Short-time deliverables is when I absolutely would want to go open very early - get people on-board and helping out.

You appear to be describing FLOSS as projects with no paid, full-time staff. This is not even close to the truth. FLOSS has the same development resources available as closed-source - but it *also* has unpaid volunteers looking over the code to help find bugs. This is additional resource, not alternative.

Vic.

Vic

Not open source?

> The voting software which contained the flaw was NOT open source so therefore it was NOT examined.

http://github.com/trustthevote/DCdigitalVBM

Vic.

Vic

This is simply unbelievable.

Judging by the github graphs, this project is only a few weeks old. It absolutely beggars belief that this could be used on a live voting system. This is unbelievable mismanagement.

Failing to catch the sort of injection attacks outlined in the article is just beginner stuff. That the code went to production in such a state says bad things about the whole of the project's management. It might be the case that this project is permanently stigmatised - to have launched such poor quality code into a live application implies that the leadership wouldn't know security if it slapped them with a wet fish.

I remain unconvinced that Ruby on Rails was a good choice for the project, but that seems to be a near-irrelevancy; this code is clearly so badly-written that no language would have been appropriate. It's just lucky that the code is open-source - that means the testers can do white-box testing, and tailor their stimuli to what they can see in the code.

Mind you, the chances are that this sort of thing would have been caught by black-box testing without much more effort - flaws of this scale will always be exploited if they are present, and should be absent by design.

Vic.

Youth jailed for not handing over encryption password

Vic

Not Missing the Point

> People here seem to be missing the point

No, they aren't.

> What's the difference? Both are demanding information in exchange for not doing something unpleasant.

The difference is that RIPA2000 is enacted legislation. It is entirely lawful for the authorities to send you down for a long time because you refuse to hand over your decryption keys.

This should not be the case. It is awful legislation. But it is the law. It protects us all from Terrrrrists, apparently.

> So, an encrypted file is basically the same thing, yet they can force decryption.

Yes, they can.

And the only way we're going to get out from the stranglehold that the last bunch of oppressors put us in is to get our elected representatives to repeal this law - or at least parts of it. A fragile coalition is a good target for pressure from the electorate...

Vic.

Vic

Freedom of Speech?

> I still don't see how this doesn't fall completely under freedom of speech.

*What* freedom of speech?

We have no Bill of Rights in the UK. We have convention, which permits freedom of speech, but precious little legislation to back that up.

> I would suggest that using coercion to force us to reveal our conversation is an infringement of our freedom of speech.

I would suggest that the freedom you espouse is illusory.

However, the Police have no specific authority to force you to decode your made-up, verbal language, so you could do this (and this is, apparently, the source of Cockney Rhyming Slang).

In the case of digitally-encrypted data, though, there is a significant difference: RIPA 2000 is enacted legislation that grants certain people the authority to require you to hand over your decryption keys. Failure to do so is a criminal offence.

> The medium is irrelevant, as is the reason they don't understand it.

This is not true (even if it ought to be).

Vic.

Vic

@AC

> If the Police have a warrant to search your computer

What about when they don't have a warrant to search your computer?

None is required for a Section 49 notice :-(

Vic.

Vic

Not Double Jeopardy

> Double Jeopardy.

This is incorrect.

> He's refusing to give the password for the same encrypted volume he refused to before.

Doesn't matter. He's guilty of failing to comply with a section 49 notice. He's not been charged with respect to the current notice before, so there is no "double jeopardy" involved.

Claiming that this is the same offence is like claiming that a recidivist burglar shouldn't be tried for subsequent burglaries, because he's already served time for it. That was a different burglary. That was a different Section 49 notice.

> Worst that can happen here is being found in contempt of court

No, the worst that can happen is that he can be sent down for another 5 years (if they mention "national security" often enough) *and* face a large fine.

> and being returned to jail every time he refuses to give the password, but that's not within the remit of s49

It's within the remit of a new Section 49 notice. There is no stated limit to the number of successive notices that can be issued - only that the issuer must have "reasonable grounds" to believe that the defendant has the decryption keys sought.

Vic.

Vic

Perhaps

> Can they ask him again, treat it as a separate offence and charge him with it?

The issuance of a Section 49 notice does require that the issuer has "reasonable grounds" to believe that the victim[1] has the encryption keys being sought. If the poor sod has already done time for failing to cough up the keys, there is eventually going to be some room to claim that those grounds are unreasonable, and thus that the notice is unlawful.

But that won't necessarily stop second and subsequent notices from being issued - it just gives some sort of defence in court.

Vic.

Vic

No safeguards

> Do the police have to obtain a search warrant for your computer

No.

A Section 49 notice can be issued by a number of Authorised Persons. Many of these are not in the judiciary.

There is no legal oversight. There should be.

Vic.

Vic

Another title

> If you couldn't recall a password for an encrypted file and pleaded that you had forgotten it, then it would be up to the prosecution to prove beyond reasonable doubt that this was not the case.

That is not the case.

RIPA 2000 makes it a criminal offence to fail to supply a password in response to a Section 49 notice. This notice may be issued by a number of "authorised" persons (many of whom are not judiciary) if that authorised person believes that there is encrypted info in your possession. It is not even a defence to claim that the alleged encrypted dump is nothing of the sort - a court could still send you inside for up to 5 years.

It's one of the worst laws we have on the books. I hope this example might get someone in authority to repeal such draconian nonsense - but I doubt anyone will :-(

Vic.

Opensourcer targets Windows Phone 7 hopefuls

Vic

McObject don't know what they're doing

It took a while to get hold of the "GPL" versions of the code, but I got there eventually.

Looking through the code, I found the licence. It claims to be GPLv2 - and then it puts in this little gem :

"This General Public License does NOT permit incorporating this software into proprietary or commercial programs. "

...Which is cobblers. It is entirely possible to build commercial apps with GPL code. You just need to distribute them under GPL.

So - is this code really GPL? Are McObject improperly making claims about their licence? Or do they just not understand the licence?

This doesn't bode well...

Vic.

Google spits back at Oracle's Android suit

Vic

Coding for Android

> When you write for Android, are you writing in Java or a close approximation of?

There are several source languages that can be used to code for Android. Java is one of them.

However - and this is the important bit, IMO - *no* Java goes onto the Android platform, nor does any Java bytecode. There is no Java in Android.

Vic.

Vic

Title

> What on earth has that to do with patent infringement?

It's called the "unclean hands" defence. It's a back-stop position in case the court finds any merit in Oracle's claims - if they are found to have a point, they might still be unable to extract any penalty if they have been found to be acting in bad faith.

I doubt it will be important if this should ever come to trial, but it's good lawyering to get all your defences in place while you still have the option to do so...

Vic.

Net TV to consign Net Neutrality debate to dustbin of history. Why?

Vic

Double-dipping

> The economics challenge is content providers generally pay your ISP nothing for delivery

Doesn't matter. *I've* already paid my ISP for delivering the data of my choosing to my router.

The problem is that the ISPs won't make a profit if they have to supply what they promised for the prices they charged. That might, in the long term, be a good thing - there might be more honesty in how broadband is marketed.

And, if consumers have to pay higher fees to get TV on their confusers, perhaps someone might re-think the viability of using unicast delivery for broadcast content...

Vic.

The BSA's fading twentieth-century piracy fight

Vic

Is it?

> Not so long ago if you Googled Open Office the first link (a sponsored one) was to a third party company selling OpenOffice discs.

That is perfectly permissible - in fact, it's encouraged.

All you need do to remain legitimate is to comply with the licence - that means keeping attributions and notices intact, and providing source code either with the binaries, or on demand.

> The site looked pretty much the same as OO's.

As long as they weren't infringing Sun/Oracle's trademarks, that's perfectly legitimate.

Vic.

Vic

Don't confuse "open source" with "public domain"

> How is this even possible, as by definition open-source software is free to copy or modify to your heart's content?

No it isn't.

It is copyrighted code. And rights to copy or redistribute are dependent on the terms of the licence being followed.

This is usually quite easy, but several companies have managed to fail to do so. Microsoft is one such infringer.

Vic.

VoIP hacker sentenced to 10 years

Vic

Bollocks

> These large corporations have been ripping off people in a number of ways for many years.

This article is about some guy ripping off VoIP providers.

Most such providers aren't big faceless corporations - they're small companies trying to make a living by undercutting the telecoms profiteers.

Vic.

MS pitches Windows 7 at biz world ahead of Chrome OS release

Vic

BeOS

...is now called "Haiku".

http://www.haiku-os.org/

It's quite pretty. I am sure many people will like it. It's not for me, though.

Vic.

Microsoft takes Oracle side in Google Java-phone attack

Vic

Well, I'm shocked. Shocked, I tell you.

A company standing to make money by you not buying its competitors' products says its competitors' products are bad for you.

*shakes head in disbelief*

Vic.

Do the Webminimum

Vic

That's quite easy to fix

You're right that distros are tending towards bloat - that, I'm afraid, is the result of all the "Linux is too hard" moaning. It's unfortunate, but it's the way things seem to be heading.

> server installs are mandated to come direct from the DVD, with a couple of key components enabled, rather than templates or custom installs. So almost every server has everything from torrent clients to games to sql servers, necessary or not

With Fedora (and other RH-type distributions), that's pretty easy to fix - set up the installation as you want it (with system-config-kickstart) and build your own installation media with livecd-creator. You can make bootable USB versions as well, if you want.

I haven't tried that approach with Suse. I suspect it would work without too much effort if Suse doesn't have a similar tool.

Vic.

Vic

@Trevor

> It's a simple front-end to use SpamAssassin to filter for exchange.

Yes. I've run out many MTAs - I recommend one to pretty much all my customers. I still don't really get why you think I should be reading your blog post...

> it has in the past caused me more problems than the minor % of spam that gets through without it

Then you have misunderstood SPF. It is *NOT* an anti-spam tool. It is an anti-forgery tool.

> The point was that you can get away with not needing anything but Webmin to manage Sendmail

Yes you can. But care needs to be taken if you are going to use any other tools as well, because Webmin does not keep the .mc and .cf files synchronised.

> but I think it's a pretty exceptional scenario (clustering of Sendmail perhaps) where this might be an issue.

Absolute rubbish.

Try using any of the basic setup tools in Webmin - say, "sendmail options" (the very first entry on the page in my version). Make some changes there.

Now do something that needs the .mc file to be edited - say, add a milter with the "sendmail M4 configuration" tool. Rebuild the config with the button on that page.

Oh look - all those changes you made beforehand have disappeared.

This isn't rocket science - it just needs a little caution. Endless responses about how you don't think it's a problem just show that you aren't taking this in. I find it worrying that you set yourself up as an authority on this topic without understanding the propensity for this to go very wrong indeed; your advice so far is likely to leave anyone following it with a configuration they don't understand, and which is likely to roll back their changes without warning. This is not a responsible position to take.

> Small enough at least to make it a very viable tool for single servers and small businesses without any of the fancier config tools.

Yes, and I've said all along that I am a fan of Webmin, and I use it on almost every machine I build. But, as I said at the very beginning, it has a few foibles that need to be treated very carefully. Its manner of dealing with the sendmail config files is one of those foibles.

Vic.

Vic

No thank you.

> Hey Vic, wanna join a LUG?

No thanks.

> At the moment the membership is me.

Depending on how long you continue your head-in-the-sand approach to issues laid out to you, I suspect it might continue at that level.

> The local LUG and I didn't get along all too well

I can see their point.

> but I don't mind any but the worst of the Reg commenters...so why not a Reg LUG? We can argue amidst threads just like we always have…

And is this going to be a group set up to try to advance its members'[1] knowledge of Linux, or is it a grandstanding and point-scoring exercise? The latter is unlikely to last long.

Vic.

[1] I decided to be charitable and not spell that "member's".

Vic

Hmmm.

> Why do I have to recompile a kernel to get some stuff installed?

You don't. That's very old, very stinky bait.

> Why do I *have* to upgrade the OS to get recent builds of software installed?

Some authors require certain underlying support code. That is true on many OSes.

> However I was unable to install an upgrade because more recent versions of Clam require an OS upgrade.

Hardy has a version of ClamAV that will work just fine. There are a variety of reasons why you might not have it - but they all boil down to you not installing updates in a timely fashion.

> SO Hardy was what, 2007 and it's effectively dead already.

No. Hardy was an LTS release, so it will have desktop support for 3 years - that takes you to next April.

> Not because Canonical don't support it but because software suppliers are not minded to look after backwards compatibility.

ClamAV had good reason to change the way they do things. I'd have preferred a slightly less catastrophic failure mechanism - but then every problem installation had been flagging the problem for about a year before they did this, so a "soft" fail would probably have been ignored.

The distributions I use all had packages ready to roll for the new ClamAV engine. That you didn't get it installed would appear to be a local administration problem, because the repos had the code you needed.

> Of course the seasoned Linuxer will comment that I've done it all wrong.

Yes, I'm afraid so.

> There's great comfort in being reasonably sure the OS will be around for a few years and that vendors software will probably run on it.

There are flavours of Linux around that provide a very stable platform - I'm using one right now. But you chose a distribution that has a stated policy of bringing out a new OS every six months.

Vic.

Vic

@Trevor

> M4 Config is your friend

It certainly is.

But that doesn't address the point I made - it is important to be careful when using Webmin with sendmail because most of the options on the page do not change the sendmail.mc file, they change the sendmail.cf file. This leads to inconsistencies - the .mc file gets out of date, and using it to make subsequent changes will over-write changes to the .cf file, removing all the work you've done beforehand.

I'm not claiming Webmin cannot be used - I use it myself.

I am saying that there is a pitfall here, and the unwary can be caught out.

> Oh, and a nugget of fun for you

Errr - what am I looking for? It's a mail server setup. And you haven't included an SPF milter.

Vic.

Vic

LUGs

> Maybe other LUGs are less elitist

As with any self-organising group of people, the quality of LUGs varies dramatically.

I've joined two. One was awful - one of the members started putting conditions on reading his posts on the mailing list, FFS. I flounced out - there was no way I was going to remain part of that lot.

The other one[1] is truly excellent. There are some odd-bods in there, and there is the occasional "difference of opinion", but by and large, everyone works towards helping each other out. It's great.

Vic.

[1] I suspect this might be the same LUG as Jacqui belongs to...

Vic

Bah.

> but if you've used sendmail for anything that is controlled by sendmail.cf, your files are now out of sync.

That should, of course, have read "but if you've used Webmin for anything that is controlled by sendmail.cf, your files are now out of sync."

Vic.

Vic

@HolyMackerelBatman

> Thing is I didn't know what apt-get is

Did you try to find out?

Very few fora care about people being ignorant - we all were at some time. What annoys people is when new users assiduously refuse to try to help themselves. You'll see 1000-word flames from people who won't even put the term they don't understand into a search engine.

> it's not easy to find if you've never heard of it before.

On the contrary. Google is my search engine of choice - typing "apt-get" into the search box gives me lots of results pertaining to apt-get - just as it would had I searched on some other term I don't understand.

Now occasionally, you might be so stumped by something as not even to know where to start searching. That's a perfectly reasonable thing to post to a forum - someone will respond with some appropriate search terms, at the very least. What they're unlikely to do is to do all your research for you...

Vic.

Vic

There are lots of clueless idiots

> The Internet respondeth (paraphrased): “zomfgwtf are you doing using such a pathetic distro,

You encountered a cock. There are lots of them in most fora - Windows, Linux, you name it. Please don't judge the entire community by the bottom-quartile twats.

If you are having problems with a RH-based distro (such as is CentOS), you could do worse than to grab the Red Hat Deployment Guide. It's available online, but install it on your machine as well - it's invaluable. I don't know if CentOS have it in the repository - if they don't, grab the SRPM from Red Hat and rebuild[1].

Vic.

[1] If you don't know how to rebuild SRPMs from RedHat - learn! It's a singularly vital skill. Just download the SRPM from RH's FTP site & type "rpmbuild --rebuild wotijustdownloaded.src.rpm".

Vic

Be careful with Webmin

I'm a big fan of Webmin - I install it on pretty much every machine I build.

But it is not without issues. Here are the two foremost in my mind :-

- Beware having multiple users. User separation is decidedly dodgy in Webmin - it just affects which Webmin modules you can use. All operations are actually performed by the root user. So if you give someone access to file upload/download, he can modify /etc/shadow. Instant root access...

- Be very careful administering sendmail with Webmin, if you ever plan on administering it in any other way. Webmin modifies the sendmail.cf file directly - which is near-unintelligible to humans. We mere mortals generally modify sendmail.mc, and convert that to sendmail.cf with the m4 tool - but if you've used sendmail for anything that is controlled by sendmail.cf, your files are now out of sync.

Aside from those two irks, it is a fabulous tool.

Vic.
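The sendmail.mc / sendmail.cf drift described in the post above can be detected before a rebuild discards anything. The following shell script is an added example, not part of the original post and not Webmin's own code: it compares a .cf freshly generated from the .mc with the live .cf. It assumes a Red Hat-style setup where `m4 sendmail.mc` emits the complete .cf; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: report drift between sendmail.mc and the live sendmail.cf.
# Function names and the sample data below are constructed for illustration.

# Drop comments and blank lines. The generated header records build host and
# date, so it differs on every rebuild without being a real change.
cf_normalise() {
    sed -e '/^#/d' -e '/^[[:space:]]*$/d' "$1"
}

# cf_drift REBUILT_CF LIVE_CF
# Returns 0 when both files carry the same settings, 1 when they differ.
# LOST-ON-REBUILD lines exist only in the live .cf (edited in place, e.g. by
# Webmin) and would vanish if the .cf were regenerated from the .mc.
cf_drift() {
    drift_tmp=$(mktemp -d) || return 2
    cf_normalise "$1" > "$drift_tmp/rebuilt"
    cf_normalise "$2" > "$drift_tmp/live"
    drift_rc=0
    if ! diff "$drift_tmp/rebuilt" "$drift_tmp/live" > "$drift_tmp/diff"; then
        drift_rc=1
        sed -n -e 's/^> /LOST-ON-REBUILD: /p' \
               -e 's/^< /ONLY-IN-MC-BUILD: /p' "$drift_tmp/diff"
    fi
    rm -rf "$drift_tmp"
    return "$drift_rc"
}

# check_sendmail MC_FILE LIVE_CF
# Assumption: the .mc pulls in cf.m4 itself, so plain m4 produces the .cf.
# The rebuilt copy goes to a scratch directory; the live file is never touched.
check_sendmail() {
    check_tmp=$(mktemp -d) || return 2
    if ! m4 "$1" > "$check_tmp/rebuilt.cf"; then
        rm -rf "$check_tmp"
        return 2
    fi
    check_rc=0
    cf_drift "$check_tmp/rebuilt.cf" "$2" || check_rc=$?
    rm -rf "$check_tmp"
    return "$check_rc"
}

# Constructed sample: a size limit was set straight into the live .cf, then a
# milter was added to the .mc. Rebuilding would keep the milter, lose the limit.
make_samples() {
    cat > "$1/rebuilt.cf" <<'EOF'
##### constructed sample: output of m4 sendmail.mc
O PrivacyOptions=authwarnings,novrfy,noexpn
O InputMailFilters=clamav
Xclamav, S=local:/var/run/clamav-milter/clamav.sock, F=, T=S:4m;R:4m
EOF
    cat > "$1/live.cf" <<'EOF'
##### constructed sample: live file after an in-place edit
O PrivacyOptions=authwarnings,novrfy,noexpn
O MaxMessageSize=10485760
EOF
}

if [ "$#" -eq 2 ]; then
    if check_sendmail "$1" "$2"; then
        echo "sendmail.cf matches sendmail.mc"
    else
        echo "drift found: carry LOST-ON-REBUILD lines into sendmail.mc first"
    fi
else
    demo_dir=$(mktemp -d)
    make_samples "$demo_dir"
    cf_drift "$demo_dir/rebuilt.cf" "$demo_dir/live.cf" \
        || echo "drift found in constructed sample"
    rm -rf "$demo_dir"
fi
```

Run with the paths to sendmail.mc and sendmail.cf as the two arguments; with no arguments it runs against the constructed sample.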

Novell breakup and sale imminent, says report

Vic

That's a big risk...

>> "There is no part of Unix unlawfully put into Linux"

>

> You know that, beyond a doubt?

Yes.

> Every line of code in the Linux kernel has been compared against every line of code in Unix to verify this?

There are two primary sources of Unix :-

- BSD

- AT&T

The BSD code is licenced under the BSD licence. There is quite a bit of BSD code in Linux - and it all has the necessary attributions and disclaimers to satisfy the licence conditions.

SCO's complaint was over code allegedly from the AT&T->USL->Novell chain of ownership. Besides the fact that they failed to show any such code in Linux, it wouldn't matter if they had - Novell, not SCO, owns any copyrights to that tree, and Novell has, for some years, been a Linux distributor. Thus, even if there were any AT&T-derived Unix code in Linux, Novell have been licencing it under GPL or BSD licences for some years, so we're all allowed to use it.

But, as I've said, SCO singularly failed to find any such code anyway. If you look through the purportedly sealed exhibits that Kevin McBride (yes, Darl's brother) posted on his blog a few weeks back, you'll see that SCO's "evidence" (and I use the term quite wrongly) did not involve AT&T-derived Unix (but there was quite a bit of BSD there). That dump appears to have disappeared now - but I've got a mirror just in case it's ever needed...

Vic.

Vic

You need to read the court judgements more carefully...

> As has (largely) been established, Novell still own Unix IP

No, that has *not* been established.

What the Court ruled was that Novell did not transfer its Unix copyrights to SCO.

What the Court did not address - because there was no need to, if for no other reason - was what Unix copyrights Novell owned in the first place.

The USL vs BSDi settlement shows us that quite a few of the copyrights weren't owned by AT&T in the first place, and never went into USL.

This is part of why Darl McBride's attempts to convince the world of the strength of SCO's claims were so comical - he kept pulling up examples of BSD-owned code, which were never owned by AT&T, USL, Novell or SCO.

Vic.

Vic

Linux is not Unix

It doesn't matter who owns Unix - not that this purported sale would have much effect on that anyway.

There is no part of Unix unlawfully put into Linux. Any commonality there might be is under a BSD licence or similar, and so it is perfectly permissible to incorporate it.

So whilst we can't stop the trolls from filing specious lawsuits, we can stop them from winning. And, given the recent changes to US court procedure, the SCO nonsense can't be repeated; new plaintiffs will have to show some sort of case before they're allowed to proceed.

Vic.

UK plans increased spending on cyber-security

Vic

Title

> Would it be cheaper to bulk buy a whole set of VPN's instead of virus scanners, if no one in the Defence department knows how to use the Linux VPN or SSH

Yes.

HTH

Vic.

Voice of America chap ejaculates over Paris Hilton

Vic

Our fiends across the pond...

> I thought we were known for Democracy, Science, Industry, and Agriculture

Well, you're known for Science, Industry, and Agriculture...

Vic.

Google's antitrust probe spin answered

Vic

I'd never heard of Foundem before this suit came to light.

I went and had a look at their site.

It is shit.

Google are doing exactly the right thing in this circumstance - Foundem needs to be pushed a *long* way down the results.

Gordon Brown joins World Wide Web Foundation

Vic

Be fair - he did deliver on one of those.

> "No more boom and bust"

He delivered on that. There is no more boom and bust.

We won't see another boom in a very long time - which is exactly what he promised us...

Microsoft releases FixIt for critical flaw in 100 apps

Vic

Yes, it is.

You miss the point.

You don't *have* to run code from a borked site to hit this one - just do anything that changes the current directory to a compromised one.

The exploit isn't in the icon you click on, it's the fact that your OS loads libraries from the current directory - wherever that might physically reside - in preference to the known, trusted ones you've installed on your machine. So the icon you click doesn't even need to be executable; you just pick up compromised libraries for apps that are already running on your machine, and your machine is pwned.

SCO gets sale approval

Vic

No.

> Anyway, isn't this a little bit like being on a sinking fishing boat in some cold, unforgiving place and being told that the survival suits and life raft have been auctioned off to raise money for some buckets to bail water out of the boat with?

Not even close.

It's like being on a sinking fishing boat in some cold, unforgiving place, and being told that the survival suits and life raft have been auctioned off to raise money to pay for some "consultants" to come and tell you you need to bail the water out...