Open Source and information security mailing list archives
From: tobias at weisserth.de (Tobias Weisserth)
Subject: The Trillian GPL violation allegations are confirmed false.

Dear Sean,

I thank you very much for this detailed summary of your insights. Yet
some questions remain unanswered that you can perhaps explain to me.

On Sat, 28.02.2004 at 19:39, Sean Egan wrote:
> Concerned over allegations that Trillian stole source code from Gaim,
> Scott Werndorfer, co-founder and manager of Cerulean Studios and myself,
> lead developer of Gaim arranged for me to review Trillian's Yahoo!
> source code in order to confirm that it was not stolen from Gaim.

I guess everybody is very glad to hear that.

> Obviously, I've signed an NDA that prevents me from discussing any
> specifics, but you can trust me that the code is very obviously not
> Gaim's (with the exception of the old authentication code written by
> myself which I've expressly permitted them to use, and the new auth code
> written by Scott which he's expressly permitted us to use).

Question: If Cerulean Studios let GAIM use parts of their codebase, how
can the GAIM people license this under the GPL? Has Cerulean Studios
given GAIM permission to do so, or has this been sloppy work on their
part? I have browsed through the tarball of the 0.75 version of GAIM and
could not find any reference to this problem apart from a note in the
changelog that they got some solutions to Yahoo problems from Trillian.
There is no note concerning the licensing of these solutions, though, so
an unsuspecting developer using GAIM code can't know that there may be
code included that doesn't necessarily fall under the GPL. Could you
please clarify how developers should proceed with GAIM code when they
perhaps can't be certain whether parts of it fall under the GPL or are
also used in non-GPL projects?

> The code posted by Stefan Esser which started this issue
> (yahoo_packet_read in Gaim) is certainly similar enough to compile into
> the same machine language, but having compared the function in each
> codebase, I'm convinced this is entirely coincidental.

I find that somehow hard to understand. See below.

> I challenge you to write code to parse an efficient, sensible Yahoo
> Messenger packet that compiles to something that doesn't resemble Gaim's
> or Trillian's.

There are enough clients that can connect to the Yahoo network and which
haven't been vulnerable to the GAIM exploits (which were mainly buffer
overflows, if I remember correctly). So far Trillian seems to be the
only client vulnerable to the GAIM exploits (with maybe minor
modifications), AFAIK. Doesn't that mean that Trillian's Yahoo code and
GAIM's Yahoo code must be VERY closely related, thus more than just
"coincidentally"? I'm not into IM protocols and maybe I'm plain wrong, so
I would be grateful if you could elaborate on this again, because I
don't understand why it seems to be so hard to write a Yahoo client that
doesn't have the buffer overflow vulnerabilities GAIM and Trillian share
"coincidentally". I don't understand how these buffer overflow
possibilities in the GAIM code are linked to Yahoo authentication in a
way that can't be done otherwise. You gave me exactly this impression by
stating that the resemblance of Trillian to GAIM is just coincidental.

> Trillian and Gaim have been friends for a long time.  They've just
> allowed us to use their Yahoo authentication code and these attempts to
> silence attacks on their character (sending their own code to the lead
> developer of an open source competitor) are unprecedented.  Trillian
> should be thanked, not slandered.

Everybody is glad that this seems to be a working example of
cross-project cooperation. Though it would have helped immensely if the
GAIM people had cared to include a clear and detailed note on which parts
of their code are also included in proprietary products and don't
necessarily fall under the GPL. This whole mess could have been avoided
that way. Clean and complete documentation of where code came from and
who donated it under what terms is essential. I don't have a crystal
ball that tells me where each part came from, after all ;-)

Kind regards,
Tobias Weisserth
