Peter and Eric,
As for my Q, I believe Amir already gave the answer through his clarification
about how the "OpenSSL exception" clause should be interpreted; however,
if for nothing else than completeness, find here my response to your posts,
thanks.
Peter,
On 2014-05-13 17:52, Peter Todd wrote:
> For Bitcoin and other security related software a key issue is that
> source code *must* be available to the user in all circumstances so that
> they can be sure the code has not been backdoored or otherwise compromised.
For security auditing and other purposes, the official version of the
library source code must be available - completely agreed.
As for everyone being able to inspect for themselves that it is not
backdoored or compromised - I am 100% with you.
> Very strongly opensource licenses, such as the Affero GPL,
> provide that guarantee in ways that lesser and *less* free, licenses do
> not. Remember that when we talk about freedom, we're talking about the
> user's freedom to use, modify, and inspect the software that keeps their
> Bitcoins safe and protects their privacy, not the freedom of people who
> want to restrict that right.
>
> Thus I strongly support distributing LibBitcoin under the maximally free
> license possible, the Affero GPL.
Users can do this independent of whether the license is Affero GPL or MIT -
LibBitcoin's official sources are inspectable at GitHub independent of
which license it has.
The social difference between MIT and Affero GPL is that Affero has a
quality of forcing certain users and developers to release their
particular patches.
If someone has a LibBitcoin patch that's not publicly released, then
the use of that patch won't go very far between different parties'
LibBitcoin deployments anyhow, and it's first at that level that having a
normative inspectable LibBitcoin source is of value.
There's no point in LibBitcoin being like a concept that no one
is allowed not to patch. Security issues in a Bitcoin setup that uses
LibBitcoin can come from a zillion sources that are external to
LibBitcoin, such as heap overflows or key management issues in code of
programs that use LibBitcoin directly or indirectly, so what sense is there in
forcing release of anyone's patches?
Eric,
On 2014-05-13 18:17, Eric Voskuil wrote:
> I agree. There is little if any commercial (or other) value to be
> gained in serving up or distributing Bitcoin software without full
> source disclosure.
If it's ordinary wallet software yes.
Though someone might want to make a special integration of LibBitcoin
with his proprietary embedded solution or whatever; why force release of
those updates? What if it would be so special that he'd want to keep his
patch, for instance?
There, the AGPL quickly stops making sense and makes a niche library out
of an AGPL library in comparison - what about LGPL?
> Really we have the opposite problem. We need to make it easier for the
> user to prove that the software he/she is running is intended.
> Deterministic build is hard. And of course even with source, ensuring
> correctness is also very hard (as highlighted by the recent trail of
> SSL/TLS bugs/backdoors). Then there's the hardware...
>
> http://en.m.wikipedia.org/wiki/Tailored_Access_Operations
>
> e
Yes, the biggest challenge is to prove that the software is running as
intended.
This is why the source is openly available at GitHub.
It would be, even if it were under another OS license.
On this topic, perhaps something like an Affero LGPL would be justified,
http://stackoverflow.com/questions/3330792/why-isnt-there-a-lesser-affero-general-public-license#4419776