[liberationtech] Silent Phone source code available on GitHub
Karl Fogel
kfogel at red-bean.com
Sat Oct 5 21:13:03 PDT 2013
Joseph Lorenzo Hall <joe at cdt.org> writes:
>Definitely what I call "disclosed source". I doubt they'd license with
>an open source license, let alone accept external commits. As long as
>the license allows review, static analysis, debugging compilation, etc.
>-- i.e., things needed for technical evaluation -- that's a good thing.
>Right?
Sure; "good" is a rather wider domain than "open source" :-). My point
is just don't call it "open source" if it isn't -- people are counting
on those words meaning something specific & dependable. They'll think
they can fork the code, or, you know, base a business on it, and then be
surprised when the license bites them.
-K
>On Fri Oct 4 12:02:11 2013, Karl Fogel wrote:
>> Petter Ericson <pettter at acc.umu.se> writes:
>>> So, Silent Circle (well, Silent Phone) is finally open source!
>>
>> Thank you, Petter -- it sounds like this release was a lot of hard work.
>> But it doesn't appear to be actually open source. At least, I couldn't
>> find a license file containing an open source license. Actually, I
>> didn't see any license file at all, so I went looking for a source file,
>> and the first one I found was:
>>
>> https://github.com/SilentCircle/silent-phone-android/blob/master/src/com/silentcircle/silentphone/TiviPhoneService.java
>>
>> ...which contains this license header in a comment at the top:
>>
>> > Copyright © 2012-2013, Silent Circle, LLC. All rights reserved.
>> >
>> > Redistribution and use in source and binary forms, with or without
>> > modification, are permitted provided that the following conditions are met:
>> > * Any redistribution, use, or modification is done solely for personal
>> > benefit and not for any commercial purpose or for monetary gain
>> > * Redistributions of source code must retain the above copyright
>> > notice, this list of conditions and the following disclaimer.
>> > * Redistributions in binary form must reproduce the above copyright
>> > notice, this list of conditions and the following disclaimer in the
>> > documentation and/or other materials provided with the distribution.
>> > * Neither the name Silent Circle nor the
>> > names of its contributors may be used to endorse or promote products
>> > derived from this software without specific prior written permission.
>> >
>> > [...]
>>
>> That first term is incompatible with open source (prohibition on
>> commercial use means it's not open source). For clarification:
>> http://opensource.org/faq#commercial
>>
>> Of course, I'd love to see the code switched to an open source license,
>> and am happy to help you choose one, if you'd like help. A good place
>> to start is http://opensource.org/licenses.
>>
>> Having the code visible to the world is still a gain from a security
>> perspective, and I don't mean to diminish that. However, "visible" is
>> not the same as "open source".
>>
>> Best,
>> Karl
>>
>>> At least, the previous version, with the next one coming "in a couple of weeks".
>>>
>>> This, to me, is absolutely wonderful news, as it is finally possible to get a
>>> proper security audit of the whole shebang.
>>>
>>> Github issue: https://github.com/SilentCircle/silent-phone-base/issues/5
>>>
>>> The released repo: https://github.com/SilentCircle/silent-phone-android
>>>
>>> /P
>>>
>>> From: Jim Burrows <notifications at github.com>
>>> Subject: Re: [silent-phone-base] Impact of ZRTP library critical security vulnerabilities (#5)
>>> To: SilentCircle/silent-phone-base <silent-phone-base at noreply.github.com>
>>> Cc: pettter <pettter at acc.umu.se>
>>>
>>> @pettter, "Soon" is today, well, actually last night.
>>>
>>> We've just released the sources to Silent Phone for Android
>>> V1.6.5. And, yes, we released them one week after we released 1.6.6 to
>>> the Play Store, so they're a little bit stale, *BUT*... what delayed
>>> us was making sure that they were buildable from the GitHub repo
>>> outside our build environment. That means, assuming we got it right,
>>> that you can check out our repo here on GitHub, build your own APK,
>>> install it on your phone and run it instead of our Play Store version.
>>>
>>> And to make lemonade out of the lemons of being one release behind, we
>>> plan on releasing 1.6.6 in a couple of weeks, so, if you try to build
>>> 1.6.5 and find that we blew it somehow, you can post an issue here and
>>> we've already got a release planned to fix it in.
>>>
>>> I'm really sorry that "soon" took this long. It was absolutely NOT my
>>> plan, but this summer has been really really hectic (for obvious
>>> reasons) and we're a small company with limited resources. The
>>> slowness has really frustrated me, as has the fact that when I yell,
>>> "What idiot set those priorities?" each time something delayed posting
>>> here, the answer was always "me". I can try to blame all the Snowden,
>>> NSA, Prism brouhaha and the time and resource pressures it has put us
>>> under, but in the end, I'm the one who grits his teeth and says, "Yes,
>>> that's more important than the GitHub release. Make it so."
>>>
>>> I'd be happy to have you sympathize with me for the decisions I've
>>> faced this summer, but I absolutely would not disagree with you if you
>>> blamed me for the delay. I own it.
>>>
>>> Silent Phone for iOS sources, Silent Text for Android, and then Silent
>>> Phone for Android 1.6.6 source releases are all in the pipeline, and
>>> if you'll forgive me for using a word that I myself have sullied, they
>>> should all be here "soon".
>>>
>>> ----------
>
>--
>Joseph Lorenzo Hall
>Senior Staff Technologist
>Center for Democracy & Technology
>1634 I ST NW STE 1100
>Washington DC 20006-4011
>(p) 202-407-8825
>(f) 202-637-0968
>joe at cdt.org
>PGP: https://josephhall.org/gpg-key
>fingerprint: BE7E A889 7742 8773 301B 4FA1 C0E2 6D90 F257 77F8