Source code distribution - config.php


chris23

Posted

Hi,

 

I'm probably missing something fundamental here but how does the requirement to supply modified source code (after distribution to a client) affect config.php?

I can foresee instances where this file may, in addition to the client's MySQL passwords, contain sensitive data relevant to several clients' accounts (e.g. web services passwords that belong to me as a service provider that I do not wish to be disclosed).

As far as I can see, there is no exception made for config.php - it's GPL'd and must be distributed in its modified form.

Can anyone provide a definitive answer whether the vanilla osC config can be distributed with the supplied source for security reasons?

 

I may have been thinking about this too hard ....

 

Cheers

Please use forum for support rather than PM - PMs unrelated to my contributions will be ignored.

Google Site Search is your friend

My contributions: Tracking Module | PDF Customer Invoice | Subcategory textboxes

Posted
Perhaps use customer related usernames and passwords instead of your own.

Posted
Perhaps use customer related usernames and passwords instead of your own.

 

Thanks Leslie,

 

That would certainly work. My example was really an illustration; it's the concept I'm trying to nail. If a client decides to distribute the source code to a third party, the way I read things, their config.php should remain intact, i.e. containing their passwords, as strictly speaking, the config.php is modified source code and covered by the GPL.

 

I'm sure we all agree that disclosing passwords is daft, but is this avoidable whilst sticking to the GPL?

 

I know this probably sounds like nit-picking but I feel it's an interesting point.

 

Kind regards,

 

Chris

Posted
Interesting point, maybe grab one of the free TM ones and see what they do. I would like to know the answer too.

Posted

The GPL does not force you to give up your username and passwords.

Every website in the world would be "hacked" by now, else.

Use Common Sense.

Posted
Use Common Sense.

Yeah, I guess the distribution would have to be installed and the configure.php files would be created anew in each case.

Posted
The GPL does not force you to give up your username and passwords.

Every website in the world would be "hacked" by now, else.

Use Common Sense.

 

 

The GPL forces you to distribute modified source code - config.php is modified source code.

 

Common Sense != The Law (rarely in my experience).

 

I obviously don't distribute passwords etc but when do you get to choose which bits of GPL code you're prepared to distribute?

Posted
when do you get to choose which bits of GPL code you're prepared to distribute?

 

Whenever you want. You don't have to distribute anything that you do not want to, nothing and no-one including the GPL can force you to do anything you don't want to do.

 

Example: I make a piece of code that does XYZ and install it on a customer's osCommerce site. I don't have to supply that code to anyone else. If my customer elects to distribute it, that is their concern, not mine.

Posted
GPL is created to protect Consumers' rights vs traditional licences that protect Vendors' rights. E.g. if you have modified the source code for AAA, you are obliged to reveal that code to that customer. Obviously, as Burt rightly points out, the onus is on that customer to not distribute his custom config.php file for his own sake.

I am assuming that you are using config.php as an analogy as a vendor, and the scenario is that you want to distribute to multiple licensees using the same code base. In that case, the code should be programmed such that 'passwords' or sensitive data are dynamically driven or created at install time, i.e. an input box to ask for the password, or an install-time modified config file that would be different from the vanilla config file that is covered by the GPL. Much like the osCommerce config.php file. The passwords and sensitive data are keyed in by the licensees. Nobody is requiring you to distribute your config file.

- The Jackal

Posted
I am assuming that you are using config.php as an analogy as a vendor, and the scenario is that you want to distribute to multiple licensees using the same code base. In that case, the code should be programmed such that 'passwords' or sensitive data are dynamically driven or created at install time, i.e. an input box to ask for the password, or an install-time modified config file that would be different from the vanilla config file that is covered by the GPL.

 

This is the clarification I was after. Your idea for dynamically altering the config file at installation would seem to cover both the practical and licence requirements.

 

Many thanks

Posted

You have not modified the "source code" by writing data to the configure.php files on set-up, any more than you have modified the source code by writing data to the database. It's install_7.php which writes data (not source code) to the two configure.php files.

 

Vger
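
The install-time approach described in the posts above (ship a configuration template without secrets, write the real values at set-up), as an added example that is not part of the thread and is not osCommerce's install_7.php. The function names, the `{{...}}` placeholder syntax, the define names and the sample values are assumptions made for illustration.

```php
<?php
// Added example: hypothetical installer helper, not osCommerce's install_7.php.

// Template that ships with the source distribution: placeholders, no secrets.
const CONFIG_TEMPLATE = <<<'TPL'
<?php
define('DB_SERVER', {{DB_SERVER}});
define('DB_SERVER_USERNAME', {{DB_SERVER_USERNAME}});
define('DB_SERVER_PASSWORD', {{DB_SERVER_PASSWORD}});
define('DB_DATABASE', {{DB_DATABASE}});

TPL;

function render_config(string $template, array $values): string
{
    return preg_replace_callback('/\{\{([A-Z_]+)\}\}/', function (array $m) use ($values): string {
        $key = $m[1];
        if (!isset($values[$key]) || !is_string($values[$key])) {
            throw new InvalidArgumentException("missing value for $key");
        }
        // var_export() emits a quoted PHP string literal, so a password
        // containing ' or \ cannot break out of the define() call.
        return var_export($values[$key], true);
    }, $template);
}

function write_config(string $path, string $contents): void
{
    $old = umask(0077); // a newly created file is private to the owner
    try {
        if (file_put_contents($path, $contents, LOCK_EX) === false) {
            throw new RuntimeException("cannot write $path");
        }
    } finally {
        umask($old);
    }
    chmod($path, 0400); // read-only; assumes the web server account owns it
}

// Constructed sample values; a real installer takes them from the set-up form.
$values = [
    'DB_SERVER' => 'localhost',
    'DB_SERVER_USERNAME' => 'shop_user',
    'DB_SERVER_PASSWORD' => "pa'ss\\word",
    'DB_DATABASE' => 'shop',
];
$path = tempnam(sys_get_temp_dir(), 'cfg');
write_config($path, render_config(CONFIG_TEMPLATE, $values));
echo file_get_contents($path);
```

Only the template goes into a source archive; the generated file stays on the server it was written for.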

Archived

This topic is now archived and is closed to further replies.
