Last night at FSCONS I was awarded the Nordic Free Software Award, sharing the prize with Daniel Stenberg who incidentally (or perhaps not) I have been collaborating with on some projects. Receiving a prize like this is a great motivator and I feel humbled when thinking about the many excellent hackers attending FSCONS who cheered me on. Thank you everyone.
Now back to coding.
The TLS-AUTHZ document (protocol spec here) describes a mechanism to add support for authorization in the TLS protocol. The idea is part of a patent application, see the patent notification to the IETF. The protocol has a complicated history in the IETF. Right now a third last call is open to request feedback from the community. I’ve written about TLS-AUTHZ before.
RedPhoneSecurity is now trying to circumvent the IETF standardization process by trying to get the document published as an ‘experimental standard’. The document earlier failed to get consensus for publication on the standards track.
The responsible IETF Area Director, Tim Polk, argues that because there exist independent implementations, the community benefits from having the document published. The argument is silly because the only independent implementation is mine and I’m opposed to publication of the standard. Further, the document will remain accessible to anyone in the community with access to the Internet since it has been published as an Internet Draft. To clarify that we have no interest in a standard with patent claims, we have decided to remove the tls-authz implementation from GnuTLS. Together with the FSF we came up with the following statement, which is part of the GnuTLS 2.0.2 release announcement:
** TLS authorization support removed.
This technique may be patented in the future, and it is not of crucial importance for the Internet community. After deliberation we have concluded that the best thing we can do in this situation is to encourage society not to adopt this technique. We have decided to lead the way with our own actions.
If you are concerned about having patented standards adopted by the IETF, now is a very good time to make your voice heard! The last call ends on October 23rd. Please read about the issue, familiarize yourself with the IETF process (RFC 2026, with updates related to patents in RFC 3989) and send your feedback to email@example.com.
I have created a mailing list whose purpose is to discuss everything related to free software and the IETF, in particular themes related to copyright and patents. The idea is also to CC this list on discussions in various IETF areas that are relevant to the topic, so that everyone on this list becomes aware of what is going on. Examples of useful things to CC are reviews (from a free software perspective) of documents in last call, and discussions in working groups related to patent/copyright decisions.
You may subscribe to the list.
I’ve implemented tls-authz in GnuTLS but there has been a long discussion of the patent situation for that technology on the IETF list. A few days ago there was a new IPR Disclosure with a patent license for this technology:
I evaluated this license from a free software perspective, here is my writeup:
Coverity is a tool to find security problems in code through static analysis. I’m sure it is a fine tool. There is a company behind it, Coverity Inc., and they run the tool on free software. A service like that seems like a good thing. Alas, the details of how scan.coverity.com operates imply that it is a bad idea for free software supporters to use the service. Here are the mistakes they made:
- There is no notification to the project maintainer that they found problems in the code.
- The problems they have found are not available publicly. (This _may_ be desirable, in case the problems they find are exploitable.)
- They require that any maintainer who wishes to review the problems enter into a license agreement with Coverity, Inc. The license is very biased: all the advantages are with the company, and none with the developer. Further, they can change the license at any time, and you are (presumably) forced to follow it anyway. (Read below for a copy of the license.)
This sends the message that the site is just advertisement for their commercial proprietary products and services. Possibly it could be even worse: it can be seen as a bargain à la “Your software is insecure, agree to our evil license and we’ll tell you how to fix it”.
Therefore I suggest that all free software maintainers boycott the scan.coverity.com service until they get their act together.
A reasonable way to change their service to something more acceptable, and potentially even turn it into a positive contribution to the community, would be to send the list of problems to the official bug maintainer address of each project.