I'd like to enable users of my service to write and execute CodeQL queries. I don't want to offload their execution to GitHub's / Semmle's servers. It's unclear whether this is doable, or whether I'd run into licensing issues.
In the security lab, it says "CodeQL is free for research and open source". I do want for the queries––which users write––to be open source. I don't, however, want for their execution to done by an external service.
Any thoughts would be greatly appreciated. Thank you!
The full CodeQL license terms are available here. The license states (emphasis added):
Further, except (and only to the extent) permitted by applicable law or applicable third-party license, you will not (and have no right to):
... share, publish, distribute or lend the Software, provide or make available the Software as a hosted solution (whether on a standalone basis or combined, incorporated or integrated with other software or services) for others to use, or transfer the Software or these Terms to any third party.
What you are considering is explicitly disallowed by the license.
If you'd like to explore options, I'd suggest reaching out to the GitHub Security Lab directly.
Related
Suppose there is a deployed, public website/web service. They say it is an instance of an open source codebase. Can they prove it to me?
For example, take the useful www.s3auth.com, an HTTP auth gateway for S3 that lets you password protect static sites hosted on S3 (thanks to #yegor256). Yegor graciously open-sourced the service to assuage privacy concerns:
I made this software open source mostly to guarantee to my users that the server doesn't store their private data anywhere, but rather acts only as a pass-through service. As a result, the software is on GitHub.
Can he somehow prove to users that www.s3auth.com actually uses the exact codebase on Github?
Short answer
In the general case: No, without a complete and external audit of the software, hardware and network infrastructure during a specific period of time
Explanation
Ensure that a sofware is according an specification it is not at all a trivial task. Note that even the requirement actually uses the exact codebase on Github is not clear:
- Includes any part of the repository
- Includes a full tag
- Includes a full tag at a point of time
- Includes a full tag at a point of time and uses some functionality
- Includes a full tag at a point in time and uses a significant part of the functionality
- Includes a full tag at a point in time, uses a significant portion of the functionality, and there is no additional function that substantially modifies the behavior
- Includes a full tag at a point of time, uses a significant part of the functionality, and there is no additional function
- etc
An auditor should check:
the code to ensure that the requirement is acomplished
the build process to verify that the deliverable is the expected and does not include or remove parts
The hardware infraestructure to ensure the software is deployed, not altered an used as is
The network infraestructure to verify the deployed version is really the same that the users are getting
Any change on the code or infraestructure will invalidate the audit results
The auditor should be external to ensure independence and should in turn be audited by a regulatory body that certifies that it is capable of performing the process
I think I am beating around the bush. .I want to illustrate that assert that a software meets a specification it is difficult, expensive, and sometimes not useful. Of course, this process it is not needed if both parties agree on something simpler
This kind of audits exists in the real world, especially in the world of security. For example FIPS 140 or Common Criteria evaluations certifies that Hardware Security Modules or even software packages meets some security requirements. I know also some trusted certifiers that prove that a site shows a specific content at a point of time (usually applied to e-goverment)
I know that this is going to be kind of a silly question (I'm sorry; I tried googling, but I'm still a little confused). Here's what I want to know.
Suppose that I create an asset/game with InkScape/Unity3D (or any other freeware/open source tool). Do I need permission from the organization who made the freeware/open source tool to use the created asset for commercial purposes?
Thanks.
What cjmarsh says is definitely true about software licensing in general. Although, I would not be that insistent on talking to a lawyer (unless the project generates large amounts of money, that is).
Yet, I'd like to add a brief point about the difference in the tools OP is asking about (inkscape and unity):
inkscape
You are not bound by inkscape's license in distributing drawings produced by it. The license is about code distribution, which means the code of inkscape itself. The resulting drawing of an inkscape project is in SVG (or some other format depending on preference).
SVG is a standard on its own, published by the W3C, and does not contain any piece of code from inkscape.
unity
On the other hand, when developing with unity you are using API calls that originate from the unity libraries themselves (possibly wrapped by extra functions for whichever language you're using). Moreover, you project needs to link against the unity libraries in order to work.
Since your project will use pieces of unity code, you're bound by the license obligations from unity.
Software licensing is a complicated topic and to get a definitive answer to your question you'll have to speak to a lawyer. In layman's terms: you can use open source software for commercial purposes but there are often caveats depending on the specific license used. I should also note that Unity3D is not open source, however you can use the personal edition if you gross less than $100k annually. For more details check out their licensing page.
Inkscape on the other hand is free and open source with a good license for content creators: the GNU General Public License so "In short, this means you are free to use and distribute Inkscape for any purpose, commercial or non-commercial, without any restrictions. You are also free to modify the program as you wish, but with the only restriction that if you distribute the modified version, you must provide access to the source code of the distributed version."
There are quite a few different licenses like the most liberal of all CC0 Public Domain, a license that essentially puts your stuff in the public domain, making it completely free for any purpose to everyone, without you needing to be dead for 60 years. Then there are licenses like the LGPL which still lets you use it for commerical purposes but requires you to publicly disclose any changes made to the code that was under the license and if you embed it in your application (statically link it) then you have to release your product under the same license. There's also the kind of license like CC BY 3.0, a Creative Commons license that lets you do whatever you want so long as you give an attribution, include the license, and mention if it was modified. Here's a list of more open source licenses to give you an idea of how many there are.
Without paying the fees to consult a lawyer like everyone will tell you to do and nobody actually does you can check out summaries of the different licenses at sites like tldrlegal.com as well as read through them yourself and check out the licensing page on the individual sites of the software you use. In my opinion the software author's intention for distributing the software is more important to recognize than the legalese. Although you should also recognize the legalese.
Bottom line is you don't need explicit permission from the author because they already give it in the form of an open source license, so long as you satisfy the conditions of the license.
is there good copy protection mechanism to protect my jar file from being copied DVD or is there licensing which can limit number of machine installation.
I have software which i require to distribute on DVd. i want my client to just run the application in machine.
advance thanks for your help.
Copy protection can't prevent your file to be copied but you can make it fail when it is run on unlicensed machines. Selection of a copy protection mechanism is a matter of budget and time. There are many companies with many products.
You can go with not yet cracked technologies like iLok etc. This is applicable for very high revenue cases. But if your target audience is less than 1000 people then a simple in-house solution might work. Consequence of a complex method is typically many calls to support line and unhappy customers.
Things got a lot easier after clients are all connected to internet. You can make some simple parts to run on server which a cracker would never dive into for a replacement. Or the app might download the contents from server after installation. Latter is what I did for my app and I never had any problems.
I would like to know what types of protection they are using with the Github Enterprise (http://enterprise.github.com) solution. As I don't own a company that could potentially be buying it, I don't feel confortable to lie, just to get a copy and try to see it by myself.
But I'm really interested to know what kind of strategies they used to protect the code they deliver, as it potentially can be used by any other rails application.
This question is not "How to protect my Ruby Code", but how they protected and entire appliance with not just Ruby code but a lot more dependent services, running on an ubuntu linux server.
I have some theories that could help:
They could be using Ruby Encoder to protect the ruby code
They could be using TrueCrypt to create a special partition to install all the code and needed application and have created a special loader to somehow execute that code without giving read/write permission to any other user on the system.
They are currently using a modified RubyEncoder.
Source: I asked
I don't know Ruby but they say:
Does the license include access to the source code?
No. Licenses cover the use of the software only. Modification and redistribution are not permitted.
It doesn't necessarily have to be protected using any technology, which can eventually be broken. You are singing a contract, if you do not follow the regulations in it, you may end up in court. I guess it's a matter of mutual trust.
According to this page:
No central approval process for adding packages. When you upload a package to the NuGet Package Gallery (which doesn’t exist yet), you won’t have to wait around for days or weeks waiting for someone to review it and approve it. Instead, we’ll rely on the community to moderate and police itself when it comes to the feed. This is in the spirit of how CodePlex.com and RubyGems.org work.
This makes me feel uneasy. Before I download a Firefox add-on, I know it should not contain malicious code, because AFAIK all add-ons on addons.mozilla.org are reviewed by Mozilla. Before I download a open source project from codeplex.com or code.google.com, I know it should be safe because anyone can check it's source code. And I can also use WOT (web of trust) to check how other people think about the project.
But before I download a package from NuGet official package source. Take this one for example. I do no know who made this package, nor what is contained in the package. It seems to me that anyone can pack anything into a package, give it any name they want (like "Microsoft Prism", as long as the name is not taken), then upload it to the official package source.
Should I be worried about the safety of the packages on NuGet official package source?
Your uneasyness should apply to software you obtain from any source:
Binaries downloaded from Sourceforge.net, Codeplex.com, etc could feasibly contain malicious code (either planted by the original submitter or, more likely, inserted by a hacker into the website) that may pass unnoticed until someone (you?) gets bitten and raises the alarm.
Even if you compile your own binaries from source downloaded from one of the former websites, it could still perform malicious acts unless you go over all the source code and understand what it does.
Even software downloaded from 'app stores' (e.g. Apple iTunes, Android Market) could feasibly contain malicious code; some of these review processes are partially automated but are still not infallible, and the human review that also occurs is definitely not infallible!
There have been examples in the past of boxed software containing malware!
Perhaps there is a continuum of trust that you can have in software (delivered as binaries or source code), and something like the Nuget Package Gallery (and CodePlex.com and RubyGems, etc) probably lies on the less-trustworthy end of the continuum.
There are potential solutions to this sort of problem, such as those proposed by the Trusted Computing Platform Alliance, however they come with huge restrictions on the freedoms that we currently enjoy in developing software and sharing the software we develop as we see fit, without the need for licenses or cryptographic keys obtained from central authorities at great expense.
I believe that the community will come up with conventions and mechanisms for ensuring that Nuget becomes a trustworthy source of software libraries for .Net developers, whilst retaining the agility it has with not requiring a formal review process. However, the ultimate responsibility rests with yourself as a user to ensure that your IT security isn't compromised, and the precautions you take are a function of the criticality of IT security in the context of the software you are writing (e.g. home projects; probably low. Banking, medical, process control projects; probably high!)
NuGet doesn't manage trust. Even if it did, you would still have to be concerned about trusting what NuGet trusts.
You should absolutely be concerned about the safety of the code in a NuGet package. You should be concerned about the safety of any code you are not familiar with.
The approach I take to using packages, both personally and professionally, through NuGet and NPM are below:
Lock in the semantic version number completely. Explicitly specify the major, minor, and patch numbers. Don't assume that new updates will be safe or that their semantic version will be accurate.
Use only well known current versions for production.
Experiment with anything in a test environment with limited access e.g. under an account which isn't a local administrator, no local access to highly privileged credentials, no access rights to privileged resources granted to the test machine's IP.
Check the vendor. For example if the package is released by Amazon and it's an AWS SDK, then that package is probably safe to use if you trust Amazon.
For example the only packages I would trust right now to just go and add them in a production environment are Newtonsoft.Json and Nhibernate. My biggest concern with new open source packages that anyone can publish, is that they actually work as described before I buy-in and waste my time on something that doesn't meet my needs.
I feel as though if you did enough research on the package to see if it's suitable for a production environment, you probably have learned enough about the software and its community to determine if you can trust it's not doing anything maliciously. Researching the software and it's community really means more to me than NuGet's stamp of approval decided by one central authority that we all pray is perfect.