chris23 Posted February 6, 2008

Hi,

I'm probably missing something fundamental here but how does the requirement to supply modified source code (after distribution to a client) affect config.php? I can foresee instances where this file may, in addition to the client's MySQL passwords, contain sensitive data relevant to several clients' accounts (e.g. web services passwords that belong to me as a service provider that I do not wish to be disclosed).

As far as I can see, there is no exception made for config.php - it's GPL'd and must be distributed in its modified form. Can anyone provide a definitive answer whether the vanilla osC config can be distributed with the supplied source for security reasons?

I may have been thinking about this too hard ....

Cheers

Please use forum for support rather than PM - PMs unrelated to my contributions will be ignored.
Google Site Search is your friend
My contributions: Tracking Module | PDF Customer Invoice | Subcategory textboxes

Guest Posted February 6, 2008

> Hi,
>
> I'm probably missing something fundamental here but how does the requirement to supply modified source code (after distribution to a client) affect config.php? I can foresee instances where this file may, in addition to the client's MySQL passwords, contain sensitive data relevant to several clients' accounts (e.g. web services passwords that belong to me as a service provider that I do not wish to be disclosed).
>
> As far as I can see, there is no exception made for config.php - it's GPL'd and must be distributed in its modified form. Can anyone provide a definitive answer whether the vanilla osC config can be distributed with the supplied source for security reasons?
>
> I may have been thinking about this too hard ....
>
> Cheers

Perhaps use customer-related usernames and passwords instead of your own.

chris23 (Author) Posted February 6, 2008

> Perhaps use customer-related usernames and passwords instead of your own.

Thanks Leslie,

That would certainly work. My example was really an illustration; it's the concept I'm trying to nail. If a client decides to distribute the source code to a third party, the way I read things, their config.php should remain intact, i.e. containing their passwords, as strictly speaking, the config.php is modified source code and covered by the GPL.

I'm sure we all agree that disclosing passwords is daft, but is this avoidable whilst sticking to the GPL? I know this probably sounds like nit-picking but I feel it's an interesting point.

Kind regards,
Chris

Guest Posted February 6, 2008

> Thanks Leslie,
>
> That would certainly work. My example was really an illustration; it's the concept I'm trying to nail. If a client decides to distribute the source code to a third party, the way I read things, their config.php should remain intact, i.e. containing their passwords, as strictly speaking, the config.php is modified source code and covered by the GPL.
>
> I'm sure we all agree that disclosing passwords is daft, but is this avoidable whilst sticking to the GPL? I know this probably sounds like nit-picking but I feel it's an interesting point.
>
> Kind regards,
> Chris

Interesting point, maybe grab one of the free TM ones and see what they do. I would like to know the answer too.

burt Posted February 12, 2008

The GPL does not force you to give up your username and passwords. Every website in the world would be "hacked" by now, else.

Use Common Sense.

Guest Posted February 12, 2008

> Use Common Sense.

Yeah, I guess the distribution would have to be installed and the configure.php files would be created anew in each case.

chris23 (Author) Posted February 12, 2008

> The GPL does not force you to give up your username and passwords. Every website in the world would be "hacked" by now, else.
>
> Use Common Sense.

The GPL forces you to distribute modified source code - config.php is modified source code. Common Sense != The Law (rarely in my experience). I obviously don't distribute passwords etc. but when do you get to choose which bits of GPL code you're prepared to distribute?

burt Posted February 12, 2008

> when do you get to choose which bits of GPL code you're prepared to distribute?

Whenever you want. You don't have to distribute anything that you do not want to; nothing and no-one including the GPL can force you to do anything you don't want to do.

Example: I make a piece of code that does XYZ and install it on a customer's osCommerce site. I don't have to supply that code to anyone else. If my customer elects to distribute it, that is their concern, not mine.

TheJackal Posted February 13, 2008

> Whenever you want. You don't have to distribute anything that you do not want to; nothing and no-one including the GPL can force you to do anything you don't want to do.
>
> Example: I make a piece of code that does XYZ and install it on a customer's osCommerce site. I don't have to supply that code to anyone else. If my customer elects to distribute it, that is their concern, not mine.

GPL is created to protect consumers' rights vs traditional licences that protect vendors' rights. E.g. if you have modified the source code for AAA, you are obliged to reveal that code to that customer.

Obviously, as Burt rightly points out, the onus is on that customer to not distribute his custom config.php file for his own sake.

I am assuming that you are using config.php as an analogy as a vendor, and the scenario is that you want to distribute to multiple licensees using the same code base. In that case, the code should be programmed such that 'passwords' or sensitive data are dynamically driven or created at install time, i.e. an input box to ask for the password, or an install-time modified config file that would be different from the vanilla config file that is covered by the GPL.

Much like the osCommerce config.php file. The passwords and sensitive data are keyed in by the licensees. Nobody is requiring you to distribute your config file.

- The Jackal

chris23 (Author) Posted February 13, 2008

> I am assuming that you are using config.php as an analogy as a vendor, and the scenario is that you want to distribute to multiple licensees using the same code base. In that case, the code should be programmed such that 'passwords' or sensitive data are dynamically driven or created at install time, i.e. an input box to ask for the password, or an install-time modified config file that would be different from the vanilla config file that is covered by the GPL.

This is the clarification I was after. Your idea for dynamically altering the config file at installation would seem to cover both the practical and licence requirements.

Many thanks

♥Vger Posted February 14, 2008

You have not modified the "source code" by writing data to the configure.php files on set-up, any more than you have modified the source code by writing data to the database. It's install_7.php which writes data (not source code) to the two configure.php files.

Vger

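
The install-time approach described in the posts by TheJackal and Vger above, sketched as an added example that is not part of any post and is not osCommerce's installer code: a secret-free template ships with the source, and the installer renders a per-site file from values the licensee enters. The `{{NAME}}` placeholder syntax, the function names, the sample values and the owner-only file mode (which assumes the installer runs as the user that serves the site) are assumptions.

```php
<?php
// Added example, not osCommerce's installer; names and values are illustrative.

// Constructed template: the only config file that ships with the source.
const CONFIG_TEMPLATE = <<<'TPL'
<?php
define('DB_SERVER', {{DB_SERVER}});
define('DB_SERVER_USERNAME', {{DB_SERVER_USERNAME}});
define('DB_SERVER_PASSWORD', {{DB_SERVER_PASSWORD}});
TPL;

function render_config(string $template, array $values): string
{
    return preg_replace_callback('/\{\{([A-Z_]+)\}\}/', function (array $m) use ($values): string {
        if (!isset($values[$m[1]]) || !is_string($values[$m[1]])) {
            throw new InvalidArgumentException("no value supplied for {$m[1]}");
        }
        // var_export() emits a quoted PHP string literal, so a quote or
        // backslash in a password cannot break out of the define() call.
        return var_export($values[$m[1]], true);
    }, $template);
}

function write_config(string $path, string $contents): void
{
    $tmp = $path . '.' . bin2hex(random_bytes(6)) . '.tmp';
    $oldMask = umask(0077);              // temp file is created owner-only
    try {
        if (file_put_contents($tmp, $contents) === false) {
            throw new RuntimeException("cannot write $tmp");
        }
        chmod($tmp, 0400);               // read-only once the secrets are in
        if (!rename($tmp, $path)) {      // atomic replace on the same filesystem
            throw new RuntimeException("cannot move $tmp to $path");
        }
    } finally {
        umask($oldMask);
    }
}

// Constructed values, standing in for what the licensee types into the installer.
$values = [
    'DB_SERVER' => 'localhost',
    'DB_SERVER_USERNAME' => 'shop_user',
    'DB_SERVER_PASSWORD' => "it's\\secret",
];
$target = sys_get_temp_dir() . '/configure.php';
write_config($target, render_config(CONFIG_TEMPLATE, $values));
echo file_get_contents($target), "\n";
```

Only the template belongs in the distributed tree; the rendered file stays on the site it was installed on.
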
foridea Posted February 22, 2008

> Perhaps use customer-related usernames and passwords instead of your own.

Thanks Coopco

This topic is now archived and is closed to further replies.