[nzlug] OSS Census and trust

tich at clad.co.nz
Thu May 1 14:34:56 NZST 2008


I asked the OSS Census people for their views.  This is the reply I 
received:

-------- Original Message --------
Subject: 	RE: OSS Census and trust
Date: 	Wed, 30 Apr 2008 16:29:10 -0600
From: 	Jeb Bolding <JBolding at openlogic.com>
To: 	Richard Thomas <richard.thomas at clad.co.nz>



Richard,

As with any new software that has an audit purpose, we realize that we
need to do everything we can to build trust. This is especially
important since the OSS Discovery tool is used to scan user systems
and/or servers. For The Open Source Census project to successfully
provide data about open source projects deployed in the US and abroad,
the Census project is dependent upon the good will of the community.
Diligent as the IT and Open Source communities are, any privacy
violation or malicious misstep by The Open Source Census would be
rapidly caught and communicated throughout the communities. To ensure
that we develop trust, Open Logic, as the progenitor of this project, has
put in place several protections to mitigate any concerns; protections
that serve the project now and in the future as the community takes a
more active role in maintenance of the software.

As a guide, here are some key protections we have already put in place
to address these types of concerns.  We are also open to additional
suggestions from the community about how to build trust.

Concern about malicious software activity

1. One of the main ways that we build trust is through transparency.
OSS Discovery uses the open source GNU Affero General Public License
Version 3 (AGPLv3). As you pointed out in your initial email, as with
all GPL licenses, users may take a look at the Discovery code to ensure
that nothing malicious is occurring.

2. OSS Discovery is installed in a single directory.  It doesn't install
any services on any system, nor does it run across the network. Thus, it
can be removed, at will, without any residue of hidden files or
processes on the system.

3. Because there is no inherent network requirement to run, The Open
Source Census can be tested in a disconnected, sandbox environment. If
someone is concerned about the impact the software might have on a
system, this is a good test mechanism.

4. The Open Source Census is being supported by a variety of well-known
companies and community members, including Jim Jagielski, Chairman of
the Apache Software Foundation, Tony Wasserman of Carnegie Mellon West,
IDC, CollabNet (hosting the project), Unisys, Open Source Alliance and
the Open Source Business Foundation. These sponsors and advisors are all
part of the Open Source Census Steering Committee that helps drive
decisions around the project.

Concern about privacy

1. During the optional registration, the only information we ask for is
home/corporate use, country, industry type and company size. We do not
ask for company name, email address, IP address, name or any other
identifying information to participate in The Open Source Census.
Because we do not ask for, collect or store any personal information,
participants in The Open Source Census do not have to worry about how
their data might be accessed or used.

2. The scan creates a file called (what is exact name).  The file is a
plain text file that can be easily reviewed before being submitted to
The Open Source Census.  Again, there is no identifying information
collected in this file.  It does include an anonymous hash to identify a
machine and prevent duplicate submissions.  All of this can be reviewed
by the user before deciding whether to submit data to The Open Source
Census.

3. The user must explicitly decide to submit data to The Open Source
Census - either specifying a command line parameter when running OSS
Discovery or by accessing a web page and uploading the results file once
the scan is complete.

I hope this helps.  You can also refer to the census website -
www.osscenus.org/privacy.php - for more details on privacy.  You can
also access the privacy policy from this page as well.  Any feedback you
or others have is welcome.

Regards,

Jeb

Jeb Bolding  |  Product Manager
jeb.bolding at openlogic.com
720 240 4551 |  phone
720 240 4556 |  fax
1 888 OpenLogic |  toll free

www.openlogic.com
OpenLogic, Inc.
Headquarters, Broomfield, Colorado 80021
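The privacy section of the reply above says the scan output is a plain-text file that the user should review before deciding whether to submit it. As an added example (this is not code from OSS Discovery or OpenLogic, and the report layout below is constructed, since the message does not give the real file name or format), here is a small Python checker that flags the kinds of identifying tokens a practitioner would want to catch before uploading: e-mail addresses, IPv4 addresses, user names embedded in home-directory paths, and fully-qualified host names. It is meant to be run against the results file before the explicit submit step; anything it reports is something to redact or a reason not to submit.

```python
"""Pre-submission privacy check for a plain-text scan report.

Added example, not part of OSS Discovery. The report text and its
layout are constructed for illustration; the real results file
format is not described in the message this example accompanies.
"""
import re
import sys
from typing import List, Tuple

# Constructed sample report (assumed layout, not the real format).
SAMPLE_REPORT = """\
machine_id: 9f2c... (anonymous hash)
package: apache-httpd 2.2.8
package: openssl 0.9.8g
path: /home/alice/projects/webapp/lib/log4j-1.2.15.jar
note: contact bob@example.com for this host
host: web01.corp.example.com 192.168.10.5
"""

# Token classes that would identify a person, machine or organisation.
PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    # Captures the account name in /home/<user>/... or /Users/<user>/...
    "home_dir_user": re.compile(r"/(?:home|Users)/([^/\s]+)"),
    # Three or more dot-separated labels ending in an alphabetic TLD.
    "fqdn": re.compile(r"\b(?:[a-z0-9-]+\.){2,}[a-z]{2,}\b", re.I),
}

# Dotted file names (log4j-1.2.15.jar) look like host names; skip them.
FILE_EXTENSIONS = {"jar", "war", "ear", "so", "dll", "py", "rb", "pl",
                   "txt", "xml", "zip", "gz", "tar", "bz2", "rpm", "deb"}


def find_identifiers(report: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, kind, token) for each identifying token found."""
    hits = []
    for lineno, line in enumerate(report.splitlines(), 1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                token = match.group(1) if match.groups() else match.group(0)
                if kind == "fqdn" and token.rsplit(".", 1)[-1].lower() in FILE_EXTENSIONS:
                    continue
                hits.append((lineno, kind, token))
    return hits


def is_safe_to_submit(report: str) -> bool:
    """True only when no identifying token was found in the report."""
    return not find_identifiers(report)


def main(argv: List[str]) -> int:
    """Check a report file (or the built-in sample) and print findings."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            report = fh.read()
    else:
        report = SAMPLE_REPORT
    hits = find_identifiers(report)
    for lineno, kind, token in hits:
        print(f"line {lineno}: {kind}: {token}")
    print("safe to submit" if not hits else f"{len(hits)} item(s) to review")
    return 0 if not hits else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python check_report.py <results-file>`; a non-zero exit means something identifying was found. The patterns are deliberately broad (they will flag a version-like host name or an internal address you may consider harmless), which is the right bias for a check whose purpose is to make the reviewer look before the data leaves the machine.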




