[liberationtech] Silent Phone source code available on GitHub

Karl Fogel kfogel at red-bean.com
Fri Oct 4 09:02:11 PDT 2013


Petter Ericson <pettter at acc.umu.se> writes:
>So, Silent Circle (well, Silent Phone) is finally open source!

Thank you, Petter -- it sounds like this release was a lot of hard work.
But it doesn't appear to be actually open source.  At least, I couldn't
find a license file containing an open source license.  Actually, I
didn't see any license file at all, so I went looking for a source file,
and the first one I found was:

  https://github.com/SilentCircle/silent-phone-android/blob/master/src/com/silentcircle/silentphone/TiviPhoneService.java

...which contains this license header in a comment at the top:

  > Copyright © 2012-2013, Silent Circle, LLC. All rights reserved.
  > 
  > Redistribution and use in source and binary forms, with or without
  > modification, are permitted provided that the following conditions are met:
  > * Any redistribution, use, or modification is done solely for personal
  > benefit and not for any commercial purpose or for monetary gain
  > * Redistributions of source code must retain the above copyright
  > notice, this list of conditions and the following disclaimer.
  > * Redistributions in binary form must reproduce the above copyright
  > notice, this list of conditions and the following disclaimer in the
  > documentation and/or other materials provided with the distribution.
  > * Neither the name Silent Circle nor the
  > names of its contributors may be used to endorse or promote products
  > derived from this software without specific prior written permission.
  >
  > [...]

That first term is incompatible with open source (prohibition on
commercial use means it's not open source).  For clarification:
http://opensource.org/faq#commercial

Of course, I'd love to see the code switched to an open source license,
and am happy to help you choose one, if you'd like help.  A good place
to start is http://opensource.org/licenses.

Having the code visible to the world is still a gain from a security
perspective, and I don't mean to diminish that.  However, "visible" is
not the same as "open source".

Best,
-Karl

>At least, the previous version, with the next one coming "in a couple of weeks".
>
>This, to me, is absolutely wonderful news, as it is finally possible to get a
>proper security audit of the whole shebang.
>
>Github issue: https://github.com/SilentCircle/silent-phone-base/issues/5
>
>The released repo: https://github.com/SilentCircle/silent-phone-android
>
>/P
>
>From: Jim Burrows <notifications at github.com>
>Subject: Re: [silent-phone-base] Impact of ZRTP library critical security vulnerabilities (#5)
>To: SilentCircle/silent-phone-base <silent-phone-base at noreply.github.com>
>Cc: pettter <pettter at acc.umu.se>
>
>@pettter, "Soon" is today, well, actually last night.
>
>We've just released the sources to Silent Phone for Android
>V1.6.5. And, yes, we released them one week after we released 1.6.6 to
>the Play Store, so they're a little bit stale, *BUT*... what delayed
>us was making sure that they were buildable from the GitHub repo
>outside our build environment. That means, assuming we got it right,
>that you can check out our repo here on GitHub, build your own APK,
>install it on your phone and run it instead of our Play Store version.
>
>And to make lemonade out of the lemons of being one release behind, we
>plan on releasing 1.6.6 in a couple of weeks, so, if you try to build
>1.6.5 and find that we blew it somehow, you can post an issue here and
>we've already got a release planned to fix it in.
>
>I'm really sorry that "soon" took this long. It was absolutely NOT my
>plan, but this summer has been really really hectic (for obvious
>reasons) and we're a small company with limited resources. The
>slowness has really frustrated me, as has the fact that when I yell,
>"What idiot set those priorities?" each time something delayed posting
>here, the answer was always "me". I can try to blame all the Snowden,
>NSA, Prism brouhaha and the time and resource pressures it has put us
>under, but in the end, I'm the one who grits his teeth and says, "Yes,
>that's more important than the GitHub release. Make it so."
>
>I'd be happy to have you sympathize with me for the decisions I've
>faced this summer, but I absolutely would not disagree with you if you
>blamed me for the delay. I own it.
>
>Silent Phone for iOS sources, Silent Text for Android, and then Silent
>Phone for Android 1.6.6 source releases are all in the pipeline, and
>if you'll forgive me for using a word that I myself have sullied, they
>should all be here "soon".
>
>----------


