Re: [liberationtech] Silent Phone source code available on GitHub

2013-10-05 Thread Joseph Lorenzo Hall
Definitely what I call disclosed source. I doubt they'd license with 
an open source license, let alone accept external commits. As long as 
the license allows review, static analysis, debugging compilation, etc. 
-- i.e., things needed for technical evaluation -- that's a good thing. 
Right?

best, Joe

On Fri Oct  4 12:02:11 2013, Karl Fogel wrote:
 Petter Ericson pett...@acc.umu.se writes:
 So, Silent Circle (well, Silent Phone) is finally open source!

 Thank you, Petter -- it sounds like this release was a lot of hard work.
 But it doesn't appear to be actually open source.  At least, I couldn't
 find a license file containing an open source license.  Actually, I
 didn't see any license file at all, so I went looking for a source file,
 and the first one I found was:

   
 https://github.com/SilentCircle/silent-phone-android/blob/master/src/com/silentcircle/silentphone/TiviPhoneService.java

 ...which contains this license header in a comment at the top:

Copyright © 2012-2013, Silent Circle, LLC. All rights reserved.
   
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are 
 met:
* Any redistribution, use, or modification is done solely for personal
benefit and not for any commercial purpose or for monetary gain
* Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
* Neither the name Silent Circle nor the
names of its contributors may be used to endorse or promote products
derived from this software without specific prior written permission.
   
[...]

 That first term is incompatible with open source (prohibition on
 commercial use means it's not open source).  For clarification:
 http://opensource.org/faq#commercial

 Of course, I'd love to see the code switched to an open source license,
 and am happy to help you choose one, if you'd like help.  A good place
 to start is http://opensource.org/licenses.

 Having the code visible to the world is still a gain from a security
 perspective, and I don't mean to diminish that.  However, visible is
 not the same as open source.

 Best,
 -Karl

 At least, the previous version, with the next one coming in a couple of 
 weeks.

 This, to me, is absolutely wonderful news, as it is finally possible to get a
 proper security audit of the whole shebang.

 Github issue: https://github.com/SilentCircle/silent-phone-base/issues/5

 The released repo: https://github.com/SilentCircle/silent-phone-android

 /P

 From: Jim Burrows notificati...@github.com
 Subject: Re: [silent-phone-base] Impact of ZRTP library critical security 
 vulnerabilities (#5)
 To: SilentCircle/silent-phone-base silent-phone-b...@noreply.github.com
 Cc: pettter pett...@acc.umu.se

 @pettter, Soon is today, well, actually last night.

 We've just released the sources to Silent Phone for Android
 V1.6.5. And, yes, we released them one week after we released 1.6.6 to
 the Play Store, so they're a little bit stale, *BUT*... what delayed
 us was making sure that they were buildable from the GitHub repo
 outside our build environment. That means, assuming we got it right,
 that you can check out our repo here on GitHub, build your own APK,
 install it on your phone and run it instead of our Play Store version.

 And to make lemonade out of the lemons of being one release behind, we
 plan on releasing 1.6.6 in a couple of weeks, so, if you try to build
 1.6.5 and find that we blew it somehow, you can post an issue here and
 we've already got a release planned to fix it in.

 I'm really sorry that soon took this long. It was absolutely NOT my
 plan, but this summer has been really really hectic (for obvious
 reasons) and we're a small company with limited resources. The
 slowness has really frustrated me, as has the fact that when I yell,
 What idiot set those priorities? each time something delayed posting
 here, the answer was always me. I can try to blame all the Snowden,
 NSA, Prism brouhaha and the time and resource pressures it has put us
 under, but in the end, I'm the one who grits his teeth and says, Yes,
 that's more important than the GitHub release. Make it so.

 I'd be happy to have you sympathize with me for the decisions I've
 faced this summer, but I absolutely would not disagree with you if you
 blamed me for the delay. I own it.

 Silent Phone for iOS sources, Silent Text for Android, and then Silent
 Phone for Android 1.6.6 source releases are all in the pipeline, and
 if you'll forgive me for using a word that I myself have sullied, they
 should all be here soon.

 --

--
Joseph Lorenzo Hall
Senior Staff Technologist
Center for Democracy & Technology
1634 I ST NW 

Re: [liberationtech] Silent Phone source code available on GitHub

2013-10-05 Thread Karl Fogel
Joseph Lorenzo Hall j...@cdt.org writes:
Definitely what I call disclosed source. I doubt they'd license with 
an open source license, let alone accept external commits. As long as 
the license allows review, static analysis, debugging compilation, etc. 
-- i.e., things needed for technical evaluation -- that's a good thing. 
Right?

Sure; good is a rather wider domain than open source :-).  My point
is just don't call it open source if it isn't -- people are counting
on those words meaning something specific & dependable.  They'll think
they can fork the code, or, you know, base a business on it, and then be
surprised when the license bites them.

-K

On Fri Oct  4 12:02:11 2013, Karl Fogel wrote:
 Petter Ericson pett...@acc.umu.se writes:
 So, Silent Circle (well, Silent Phone) is finally open source!

 Thank you, Petter -- it sounds like this release was a lot of hard work.
 But it doesn't appear to be actually open source.  At least, I couldn't
 find a license file containing an open source license.  Actually, I
 didn't see any license file at all, so I went looking for a source file,
 and the first one I found was:

   
 https://github.com/SilentCircle/silent-phone-android/blob/master/src/com/silentcircle/silentphone/TiviPhoneService.java

 ...which contains this license header in a comment at the top:

Copyright © 2012-2013, Silent Circle, LLC. All rights reserved.
   
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are 
 met:
* Any redistribution, use, or modification is done solely for personal
benefit and not for any commercial purpose or for monetary gain
* Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
* Neither the name Silent Circle nor the
names of its contributors may be used to endorse or promote products
derived from this software without specific prior written permission.
   
[...]

 That first term is incompatible with open source (prohibition on
 commercial use means it's not open source).  For clarification:
 http://opensource.org/faq#commercial

 Of course, I'd love to see the code switched to an open source license,
 and am happy to help you choose one, if you'd like help.  A good place
 to start is http://opensource.org/licenses.

 Having the code visible to the world is still a gain from a security
 perspective, and I don't mean to diminish that.  However, visible is
 not the same as open source.

 Best,
 -Karl

 At least, the previous version, with the next one coming in a couple of 
 weeks.

 This, to me, is absolutely wonderful news, as it is finally possible to get a
 proper security audit of the whole shebang.

 Github issue: https://github.com/SilentCircle/silent-phone-base/issues/5

 The released repo: https://github.com/SilentCircle/silent-phone-android

 /P

 From: Jim Burrows notificati...@github.com
 Subject: Re: [silent-phone-base] Impact of ZRTP library critical security 
 vulnerabilities (#5)
 To: SilentCircle/silent-phone-base silent-phone-b...@noreply.github.com
 Cc: pettter pett...@acc.umu.se

 @pettter, Soon is today, well, actually last night.

 We've just released the sources to Silent Phone for Android
 V1.6.5. And, yes, we released them one week after we released 1.6.6 to
 the Play Store, so they're a little bit stale, *BUT*... what delayed
 us was making sure that they were buildable from the GitHub repo
 outside our build environment. That means, assuming we got it right,
 that you can check out our repo here on GitHub, build your own APK,
 install it on your phone and run it instead of our Play Store version.

 And to make lemonade out of the lemons of being one release behind, we
 plan on releasing 1.6.6 in a couple of weeks, so, if you try to build
 1.6.5 and find that we blew it somehow, you can post an issue here and
 we've already got a release planned to fix it in.

 I'm really sorry that soon took this long. It was absolutely NOT my
 plan, but this summer has been really really hectic (for obvious
 reasons) and we're a small company with limited resources. The
 slowness has really frustrated me, as has the fact that when I yell,
 What idiot set those priorities? each time something delayed posting
 here, the answer was always me. I can try to blame all the Snowden,
 NSA, Prism brouhaha and the time and resource pressures it has put us
 under, but in the end, I'm the one who grits his teeth and says, Yes,
 that's more important than the GitHub release. Make it so.

 I'd be happy to have you sympathize with me for the decisions I've
 faced this summer, but I absolutely would not disagree with you if you
 blamed me for the delay. I 

Re: [liberationtech] Silent Phone source code available on GitHub

2013-10-04 Thread Karl Fogel
Petter Ericson pett...@acc.umu.se writes:
So, Silent Circle (well, Silent Phone) is finally open source!

Thank you, Petter -- it sounds like this release was a lot of hard work.
But it doesn't appear to be actually open source.  At least, I couldn't
find a license file containing an open source license.  Actually, I
didn't see any license file at all, so I went looking for a source file,
and the first one I found was:

  
https://github.com/SilentCircle/silent-phone-android/blob/master/src/com/silentcircle/silentphone/TiviPhoneService.java

...which contains this license header in a comment at the top:

   Copyright © 2012-2013, Silent Circle, LLC. All rights reserved.
   
   Redistribution and use in source and binary forms, with or without
   modification, are permitted provided that the following conditions are met:
   * Any redistribution, use, or modification is done solely for personal
   benefit and not for any commercial purpose or for monetary gain
   * Redistributions of source code must retain the above copyright
   notice, this list of conditions and the following disclaimer.
   * Redistributions in binary form must reproduce the above copyright
   notice, this list of conditions and the following disclaimer in the
   documentation and/or other materials provided with the distribution.
   * Neither the name Silent Circle nor the
   names of its contributors may be used to endorse or promote products
   derived from this software without specific prior written permission.
  
   [...]

That first term is incompatible with open source (prohibition on
commercial use means it's not open source).  For clarification:
http://opensource.org/faq#commercial

Of course, I'd love to see the code switched to an open source license,
and am happy to help you choose one, if you'd like help.  A good place
to start is http://opensource.org/licenses.

Having the code visible to the world is still a gain from a security
perspective, and I don't mean to diminish that.  However, visible is
not the same as open source.

Best,
-Karl

At least, the previous version, with the next one coming in a couple of 
weeks.

This, to me, is absolutely wonderful news, as it is finally possible to get a
proper security audit of the whole shebang.

Github issue: https://github.com/SilentCircle/silent-phone-base/issues/5

The released repo: https://github.com/SilentCircle/silent-phone-android

/P

From: Jim Burrows notificati...@github.com
Subject: Re: [silent-phone-base] Impact of ZRTP library critical security 
vulnerabilities (#5)
To: SilentCircle/silent-phone-base silent-phone-b...@noreply.github.com
Cc: pettter pett...@acc.umu.se

@pettter, Soon is today, well, actually last night.

We've just released the sources to Silent Phone for Android
V1.6.5. And, yes, we released them one week after we released 1.6.6 to
the Play Store, so they're a little bit stale, *BUT*... what delayed
us was making sure that they were buildable from the GitHub repo
outside our build environment. That means, assuming we got it right,
that you can check out our repo here on GitHub, build your own APK,
install it on your phone and run it instead of our Play Store version.

And to make lemonade out of the lemons of being one release behind, we
plan on releasing 1.6.6 in a couple of weeks, so, if you try to build
1.6.5 and find that we blew it somehow, you can post an issue here and
we've already got a release planned to fix it in.

I'm really sorry that soon took this long. It was absolutely NOT my
plan, but this summer has been really really hectic (for obvious
reasons) and we're a small company with limited resources. The
slowness has really frustrated me, as has the fact that when I yell,
What idiot set those priorities? each time something delayed posting
here, the answer was always me. I can try to blame all the Snowden,
NSA, Prism brouhaha and the time and resource pressures it has put us
under, but in the end, I'm the one who grits his teeth and says, Yes,
that's more important than the GitHub release. Make it so.

I'd be happy to have you sympathize with me for the decisions I've
faced this summer, but I absolutely would not disagree with you if you
blamed me for the delay. I own it.

Silent Phone for iOS sources, Silent Text for Android, and then Silent
Phone for Android 1.6.6 source releases are all in the pipeline, and
if you'll forgive me for using a word that I myself have sullied, they
should all be here soon.

--
-- 
Liberationtech is public & archives are searchable on Google. Violations of 
list guidelines will get you moderated: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, 
change to digest, or change password by emailing moderator at 
compa...@stanford.edu.

[liberationtech] Silent Phone source code available on GitHub

2013-10-03 Thread Petter Ericson
So, Silent Circle (well, Silent Phone) is finally open source!

At least, the previous version, with the next one coming in a couple of weeks.

This, to me, is absolutely wonderful news, as it is finally possible to get a
proper security audit of the whole shebang.

Github issue: https://github.com/SilentCircle/silent-phone-base/issues/5

The released repo: https://github.com/SilentCircle/silent-phone-android

/P

- Forwarded message from Jim Burrows notificati...@github.com -

From: Jim Burrows notificati...@github.com
To: SilentCircle/silent-phone-base silent-phone-b...@noreply.github.com
Cc: pettter pett...@acc.umu.se
Subject: Re: [silent-phone-base] Impact of ZRTP library critical security 
vulnerabilities (#5)

@pettter, Soon is today, well, actually last night.

We've just released the sources to Silent Phone for Android V1.6.5. And, yes, 
we released them one week after we released 1.6.6 to the Play Store, so they're 
a little bit stale, *BUT*... what delayed us was making sure that they were 
buildable from the GitHub repo outside our build environment. That means, 
assuming we got it right, that you can check out our repo here on GitHub, build 
your own APK, install it on your phone and run it instead of our Play Store 
version.

And to make lemonade out of the lemons of being one release behind, we plan on 
releasing 1.6.6 in a couple of weeks, so, if you try to build 1.6.5 and find 
that we blew it somehow, you can post an issue here and we've already got a 
release planned to fix it in.

I'm really sorry that soon took this long. It was absolutely NOT my plan, but 
this summer has been really really hectic (for obvious reasons) and we're a 
small company with limited resources. The slowness has really frustrated me, as 
has the fact that when I yell, What idiot set those priorities? each time 
something delayed posting here, the answer was always me. I can try to blame 
all the Snowden, NSA, Prism brouhaha and the time and resource pressures it has 
put us under, but in the end, I'm the one who grits his teeth and says, Yes, 
that's more important than the GitHub release. Make it so.

I'd be happy to have you sympathize with me for the decisions I've faced this 
summer, but I absolutely would not disagree with you if you blamed me for the 
delay. I own it.

Silent Phone for iOS sources, Silent Text for Android, and then Silent Phone 
for Android 1.6.6 source releases are all in the pipeline, and if you'll 
forgive me for using a word that I myself have sullied, they should all be here 
soon.

- End forwarded message -

-- 
Petter Ericson (pett...@acc.umu.se)