[nzlug] OSS Census and trust
Greg Fawcett
greg at vig.co.nz
Thu May 1 14:54:32 NZST 2008
If they had more prominently mentioned that it has no network connection
(you have to manually upload the results according to this) and installs
entirely in one directory, I'd have been happier to run it. If it had been
simply a java program (no run-time - surely everyone has the java runtime by
now) without ruby that would have sealed the deal - much smaller download
too.
It's a nice idea, but very flawed in execution.
2008/5/1 <tich at clad.co.nz>:
> I asked the OSS Census people for their views. This is the reply I
> received:
>
> -------- Original Message --------
> Subject: RE: OSS Census and trust
> Date: Wed, 30 Apr 2008 16:29:10 -0600
> From: Jeb Bolding <JBolding at openlogic.com>
> To: Richard Thomas <richard.thomas at clad.co.nz>
>
>
>
> Richard,
>
> As with any new software that has an audit purpose, we realize that we
> need to do everything we can to build trust. This is especially
> important since the OSS Discovery tool is used to scan user systems
> and/or servers. For The Open Source Census project to successfully
> provide data about open source projects deployed in the US and abroad,
> the Census project is dependent upon the good will of the community.
> Diligent as the IT and Open Source communities are, any privacy
> violation or malicious misstep by The Open Source Census would be
> rapidly caught and communicated throughout the communities. To ensure
> that we develop trust, Open Logic, as the progenitor of this project, has
> put in place several protections to mitigate any concerns; protections
> that serve the project now and in the future as the community takes a
> more active role in maintenance of the software.
>
> As a guide, here are some key protections we have already put in place
> to address these types of concerns. We are also open to additional
> suggestions from the community about how to build trust.
>
> Concern about malicious software activity
>
> 1. One of the main ways that we build trust is through transparency.
> OSS Discovery uses the open source GNU Affero General Public License
> Version 3 (AGPLv3). As you pointed out in your initial email, as with
> all GPL licenses, users may take a look at the Discovery code to ensure
> that nothing malicious is occurring.
>
> 2. OSS Discovery is installed in a single directory. It doesn't install
> any services on any system, nor does it run across the network. Thus, it
> can be removed, at will, without any residue of hidden files or
> processes on the system.
>
> 3. Because there is no inherent network requirement to run, The Open
> Source Census can be tested in a disconnected, sandbox environment. If
> someone is concerned about the impact the software might have on a
> system, this is a good test mechanism.
>
> 4. The Open Source Census is being supported by a variety of well-known
> companies and community members, including Jim Jagielski, Chairman of
> the Apache Software Foundation, Tony Wasserman of Carnegie Mellon West,
> IDC, CollabNet (hosting the project), Unisys, Open Source Alliance and
> the Open Source Business Foundation. These sponsors and advisors are all
> part of the Open Source Census Steering Committee that helps drive
> decisions around the project.
>
> Concern about privacy
>
> 1. During the optional registration, the only information we ask for is
> home/corporate use, country, industry type and company size. We do not
> ask for company name, email address, IP address, name or any other
> identifying information to participate in The Open Source Census.
> Because we do not ask for, collect or store any personal information,
> participants in The Open Source Census do not have to worry about how
> their data might be accessed or used.
>
> 2. The scan creates a file called (what is exact name). The file is a
> plain text file that can be easily reviewed before being submitted to
> The Open Source Census. Again, there is no identifying information
> collected in this file. It does include an anonymous hash to identify a
> machine and prevent duplicate submissions. All of this can be reviewed
> by the user before deciding whether to submit data to The Open Source
> Census.
>
> 3. The user must explicitly decide to submit data to The Open Source
> Census - either specifying a command line parameter when running OSS
> Discovery or by accessing a web page and uploading the results file once
> the scan is complete.
>
> I hope this helps. You can also refer to the census website -
> www.osscenus.org/privacy.php - for more details on privacy. You can
> also access the privacy policy from this page as well. Any feedback you
> or others have is welcome.
>
> Regards,
>
> Jeb
>
> Jeb Bolding | Product Manager
> jeb.bolding at openlogic.com
> 720 240 4551 | phone
> 720 240 4556 | fax
> 1 888 OpenLogic | toll free
>
> www.openlogic.com
> OpenLogic, Inc.
> Headquarters, Broomfield, Colorado 80021
>
>
>
> _______________________________________________
> NZLUG mailing list NZLUG at linux.net.nz
> http://www.linux.net.nz/cgi-bin/mailman/listinfo/nzlug
>
--
Phone: +64 3 409 8165
Mobile: +64 21 333 291
Fax: +64 3 974 6810
Web: www.vig.co.nz