
Re: Slashdot article SQL-Ledger license change



On 4/14/07, Peter Houppermans <..hidden..> wrote:

 I've dealt with people like this before - they have a blind spot and it
won't do you any good whatsoever belabouring the point.  Look at the bright
side: this may still hit the IT sites like Slashdot and The Register after
the weekend (El Reg generally falls asleep in the weekend) and it will serve
beautifully to create awareness of LedgerSMB.  You may get your Slashdotting
after all.

Personally, I don't think we want to be too closely entangled with
SQL-Ledger at this point.  However, I agree on your above points.

 I read the text in the 'new' license and I don't think this will enhance
the possibility of more SQL Ledger users, for a couple of reasons:

 (1) it's unprofessional.  I can see why he thinks he has a grief, but AFAIK
he dug that hole for himself.  You can't build a project with community help
and then all of a sudden dig a moat around it and call it exclusively yours.

Sure you can.  Just get permission from the contributors first.  There
are companies (like Digium) which do exactly this, but they go about
it in a better way.

Also some companies, like EnterpriseDB, do that with other people's
code (again, with their permission).  It isn't wrong or underhanded as
long as it is transparent, understood, and legal.  Joshua can correct
me if I am wrong, but I believe that "Mammoth PostgreSQL" was licensed
under a proprietary license for a while.

 And disputes are not solved
publicly, I've seen that mistake made over and over again.  Golden rule:
praise in public, argue privately.

Agreed.  I would rephrase that as "defend, as much as possible,
whoever is not in the room."

 (3) Security, security, security (no, I don't work for Microsoft :) ).
This code deals with key financial business information, and is likely to be
exposed to the Net by the average SME.  There is NO excuse for not
implementing security improvements if they are offered.  Security issues are
also a risk most of us can do without.

Ok.  I think there needs to be a clarification here (see my phrasing
above).  When I have sent Dieter security complaints, he has made an
honest effort to fix them if they can be exploited without prior
authentication.  These are not direct vectors for stranger attacks (or
at least he does make an effort not to be vulnerable in this way).

However, the security issues that are ignored are the hostile user
issues.  I.e. ones that might allow for embezzlement of funds by one
employee while making it look like another was responsible.  These
also are serious issues but are of a different sort.  If the problem
was misunderstood, I apologize.

Finally I would point out that we are aware of security issues we have
not yet been able to fix.  The biggest one is listed in our manual, in
fact (the fact that ACLs are not really enforced in any meaningful
way).  So while we are committed to solving these, I would not suggest
that we are yet to the point where we don't have problems.  1.3 should
be close, however.

 (4) It makes it appear SQL Ledger is a one man band development.

It is.

 I've counted 3 people involved so far with Ledger SMB, which provides a feeling
of good redundancy and longevity to the project.

We actually have 5 people who regularly commit large amounts of code
on a regular basis (Joshua Drake, me, Chris Murtagh, Seneca
Cunningham, and Jason Rodrigues) and a larger number who send us
patches.

 Not to mention the
almost hyperactive support (grin) which has left me wondering if I should
wait a bit more before I upgrade a clean 1.2.0 install.

Good to hear.

 At this rate there
will be a 1.2.5 by the time I've downloaded 1.2.3 :-).  So, again, from a
business risk perspective this feels much safer - especially in the light of
the original reasons for the fork.  I am nothing but impressed by the almost
instantaneous responses - do you guys ever sleep?

Sometimes ;-)

 I consider it very unlikely that I'll be the only one with this train of
thought...


Best wishes,
Chris Travers