David Presotto wrote: [ ... ]
I understand where someone wouldn't want their code destroyed, perverted, whatever. However, broken or malicious is a bit of a judgement call, is it not? I have a hard time seeing where the line would be drawn.
I agree with you that it's hard to draw the line exactly.
Furthermore, I bet there will exist ambiguous cases regardless of where the line *is* drawn. However, I submit that there also exist unambiguous cases of "broken or malicious" distributions of software, such as those identified by CERT (http://www.cert.org/advisories/):
CA-2002-30: Trojan Horse tcpdump and libpcap Distributions CA-2002-28: Trojan Horse Sendmail Distribution CA-2002-24: Trojan Horse OpenSSH Distribution
OSD #4 already provides a way for an author to distinguish what constitutes an `authentic' version. Might that not be enough? Then a body (person whatever) can bless the authentic/proven-correct/secure/whatever version but everyone can still distribute modifications.
I'm not sure, so I guess I need to think more about this. :-)
In the case where someone wants to fork a new version of a project for "good reasons" (left undefined due to the problem of 'drawing the line exactly'), clearly distinguishes their version from the parent project, that should be permitted by all open source software.
I think a canonical example of this would be the XEmacs project compared with GNU Emacs: the forked version is clearly identified, provides a clear justification/raison d'etre, provides reference back to the parent project, etc.
If RMS were to claim that XEmacs was a "deliberately broken or malicious distribution of GNU Emacs" and ask for a legal injunction that RCN.net to take down the XEmacs site, the XEmacs authors could respond, and the judge could decide whether the XEmacs project was violating the GPL. The answer in this case should be no, of course.
On the other hand, the people breaking into sites to trojan sendmail or OpenSSH are highly unlikely to want to be identified, and thus aren't going to contest if the authors of sendmail don't want a trojaned sendmail distribution distributed.
-- -Chuck
-- license-discuss archive is at http://crynwr.com/cgi-bin/ezmlm-cgi?3
