Rant below. Decided not to tone it down.
On Mon, Nov 14, 2005 at 12:11:57AM -0500, Geir Magnusson Jr. wrote:
Comments welcome.
I like everything but the references to "Black Duck Software". I took
a look at their website and their licensing policies and everything
about it "feels" wrong. I don't like basing a big part of our
processes
on some commercial black box "service-like" offering.
Taking another look around the web for similar companies, they
seem to
be about "open source risk management" where the risk is to avoid
"contaminating" propietary stuff with "open source" stuff. I
resent the
idea of "open source" being "contaminating" or anything like that
(GPL
is viral, but most other stuff is not). There's this entire
category of
companies who capitalize on FUD. I can imagine SCO having stock
options
on some of 'em.
I think we should avoid the ASF being seen as being part of any of
that.
---
Leading Open Source Foundation Does Not Trust Its Own Processes
The ASF has recently started using the same tools that intellectual
property sharks use when figuring out whom to send cease and desist
letters.
When asked for comments, the ASF said: "We finally gave up trying to
understand why people are so scared of open source, so now we're just
using some incomprehensible piece of commercial software which
makes us
feel secure. We think its pretty silly, but if we already have run
the
tools, at least companies like SCO can't really use them as
grounds for
suing us since we'll look pretty clean when they run the tool."
Darl McBride said: "We think the ASF is making a very smart decision
by employing code scanning techniques. Its the only way to be safe
from
prosecution. Of course, most other open source organisations don't
employ code scanning techniques (since they do have a brain of their
own) so we're just going to sue all of those."
IP firm XXX said: "What Darl said. Don't use any of that scary open
source stuff. Even the ASF understands that now. Won't be long before
they turn into a commercial entity themselves!"
---
Grrrrr.
Hmm. Didn't SCO run keyword scanners and the like? Didn't they
find out
that they'd actually taken code from open source codebases? Didn't
much
of the same happen at JBoss some time ago?
I doubt there's a lot of keyword scanning tools or any kind of other
automated technology that I wouldn't be able to circumvent with a few
hours of work. Its just such a stupid idea. If I take source code
from
(say) the sun jdk, work on it for a few weeks to make it look
completely
different so no line of the original code remains, I still have a
derivative work but no scanner is going to be able to detect that.
Just
like spam still manages to make it into my inbox.
I can imagine how some people or companies would feel safe if we were
to say "we scanned everything using this intellectual property risk
management tool XXX" but we'd be legitimizing something silly and
giving a
false sense of security.
Now, if these tools were open source and I'd be able to take a
look at
how they work I might put some trust in them. But fancy websites,
lots
of press releases, not a lot of technical details, anal usage
restrictions and total lack of a "download" button just sets off a
lot
of alarm bells.
With my infra@ hat on I'd probably be against running this kind of
black box software under this kind of policy on ASF hardware. With
something like jira, I at least know how it works (or doesn't
work) and what
technology is under the cover and can get at the source code if I
want to.
