Thread: [Secureideas-base-devel] BASE and Debian
From: Kevin J. <kjo...@se...> - 2006-12-12 04:35:21
Hi all,

I just wanted to post a quick note explaining that as of right now BASE is no longer available via the Debian repositories. There is one reason for this and sadly, I do not know how to fix it.

First, I am not the person who submitted BASE to be included in Debian but I was excited that it had become popular enough that someone would want it there. This has been one of the many places you could get BASE for quite a while now.

As of 1.2.7 (karen), it was rejected due to license constraints. Now I am sure that most of you are thinking: "What the heck, BASE is GPL!?!?" And that would be a valid thought. The issue is that BASE uses Image_Graph, which by the way is LGPL. Image_Graph then makes use of Image_Canvas, which is also LGPL. So far we are fine. But then Image_Canvas uses Image_Color. Image_Color is licensed with the PHP 2.0.2 license. While this license is approved by the Open Source Initiative, Debian has a problem with it. They consider it fine for PHP but it has a couple of trademark clauses that appear to make it invalid for programs that are not PHP. I do not mean written in PHP, I mean actually PHP. Now, I am not sure this is accurate of them, because I am not a lawyer. But I think they, of anyone, would know. They have asked the maintainer of Image_Color to relicense and he has said no as he has only written some of the code and the original authors are no longer around to ask if they are ok with the change.

So as of Etch, BASE, which they refer to as acidbase, will no longer be available via the main repositories.

The question I have is do we do something to fix this? I have had a number of email discussions where I have pointed out that graphing is not a required feature, that users can install the PEAR libraries after we are installed, and that Debian themselves do not consistently apply this type of decision. They have asked us to rewrite the graphing system to use a different library, one that Debian approves of.

My opinion is that we have nothing to do. The libraries we use are open source and any user can download BASE from the Sourceforge site and install it. But I think as an open source project I have a requirement to bring this to the developers as a group. So here it is....

What do you guys all think?

Thanks
Kevin

Kevin Johnson GCIA, GCIH, CISSP, CEH
Principal Consultant
Secure Ideas
http://www.secureideas.net
From: Dan F. <da...@ap...> - 2006-12-12 16:33:03
Hello back,

I believe that this is one of those tough, but fair instances where the situation occurs 'if all of it isn't free, the end-product isn't really free, either.' While that may seem anal-retentive to some, it has been the cause of some serious litigation (read: SCO/IBM.)

My first thought of a solution to this would be to modularize/plugin-ize the graphing portion of BASE - make it so that there can be any number of ways to graph the data, depending on what graphing solution the user is most comfortable with (i.e., RRD is pretty popular.) I always felt BASE seemed constrained with only the current method of graphing available, anyway, so maybe this could be an opportunity...

I'm sure this would involve a lot of re-coding (and I'm no PHP programmer myself) so I apologize for suggesting more work, but it could kill two birds with one stone - make BASE truly free, and make it more extensible via plugins.

Dan Farrell
Applied Innovations
da...@ap...

________________________________

From: sec...@li... [mailto:sec...@li...] On Behalf Of Kevin Johnson
Sent: Monday, December 11, 2006 11:35 PM
To: BASE Developers
Subject: [Secureideas-base-devel] BASE and Debian

Hi all,

I just wanted to post a quick note explaining that as of right now BASE is no longer available via the Debian repositories. There is one reason for this and sadly, I do not know how to fix it.

First, I am not the person who submitted BASE to be included in Debian but I was excited that it had become popular enough that someone would want it there. This has been one of the many places you could get BASE for quite a while now.

As of 1.2.7 (karen), it was rejected due to license constraints. Now I am sure that most of you are thinking: "What the heck, BASE is GPL!?!?" And that would be a valid thought. The issue is that BASE uses Image_Graph, which by the way is LGPL. Image_Graph then makes use of Image_Canvas, which is also LGPL. So far we are fine. But then Image_Canvas uses Image_Color. Image_Color is licensed with the PHP 2.0.2 license. While this license is approved by the Open Source Initiative, Debian has a problem with it. They consider it fine for PHP but it has a couple of trademark clauses that appear to make it invalid for programs that are not PHP. I do not mean written in PHP, I mean actually PHP. Now, I am not sure this is accurate of them, because I am not a lawyer. But I think they, of anyone, would know. They have asked the maintainer of Image_Color to relicense and he has said no as he has only written some of the code and the original authors are no longer around to ask if they are ok with the change.

So as of Etch, BASE, which they refer to as acidbase, will no longer be available via the main repositories.

The question I have is do we do something to fix this? I have had a number of email discussions where I have pointed out that graphing is not a required feature, that users can install the PEAR libraries after we are installed, and that Debian themselves do not consistently apply this type of decision. They have asked us to rewrite the graphing system to use a different library, one that Debian approves of.

My opinion is that we have nothing to do. The libraries we use are open source and any user can download BASE from the Sourceforge site and install it. But I think as an open source project I have a requirement to bring this to the developers as a group. So here it is....

What do you guys all think?

Thanks
Kevin

Kevin Johnson GCIA, GCIH, CISSP, CEH
Principal Consultant
Secure Ideas
http://www.secureideas.net
From: GaRaGeD S. <ga...@gm...> - 2006-12-12 17:32:54
I would redo from scratch the graph system, it is not quite flexible anyway, and we can make use of jpgraph which is easy to use, and easy to make nice things

How much time do we need to have the new DB schema approved and a plugin that works with it? If it is soon enough we should wait to 2.0, if not we can start to redesign the graph system for the stable branch, I have time for that.

Max

--
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GS/S d- s: a-29 C++(+++) ULAHI+++ P+ L++>+++ E--- W++ N* o-- K- w++++ O- M-- V-- PS+ PE Y-- PGP++ t- 5- X+ R tv++ b+ DI+++ D- G++ e++ h+ r+ z**
------END GEEK CODE BLOCK------
From: Kevin J. <kjo...@se...> - 2006-12-13 01:42:12
On Dec 12, 2006, at 12:32 PM, GaRaGeD Style wrote:

> I would redo from scratch the graph system, it is not quite flexible
> anyway, and we can make use of jpgraph which is easy to use, and
> easy to make nice things
>
> How much time do we need to have the new DB schema approved and a
> plugin that works with it? If it is soon enough we should wait to
> 2.0, if not we can start to redesign the graph system for the
> stable branch, I have time for that.
>
> Max

Hi-

I am replying to this email and going to try and answer some of the emails that have come through.....

First, Debian has fixed their issue. They have removed the graphing function completely and will maintain that until the license is fixed.

I think that the graphing system will need to be fixed in 2.x. I do not think we should focus on anything that complex for 1.x any longer.

As to JPGraph, I agree that it is a much nicer library. As a matter of fact, it is what ACID uses and the first few versions of BASE did also. We changed libraries due to licensing concerns. The JPGraph library is free if you do not use it for commercial purposes. If you do, then you must pay a license fee. Now at first glance this would seem to be ok because we do not sell BASE. But the below quote from the JPGraph home page clarifies what they mean by commercial use:

"If you plan on using JpGraph in a commercial context you will need to acquire the professional license. Commercial use is for example if you use JpGraph on a site to provide a service for paying customers or for example if you are using JpGraph in an intranet to provide support for internal business processes, i.e. in benefit for a commercial company. In short, if you use JpGraph where you have an economic advantage (either through paying customers or improving internal business processes) this most likely falls under commercial use."

As you can see from this, if you use BASE in a company then you must pay. I personally don't mind paying for software but I do not think we should force companies to if they want to use BASE. Most of our users are companies. And this would definitely make Debian like us less.... ; )

So I think it boils down to we need to get something for 2.x and the 1.x code base is fine as they are satisfied.

Thanks
Kevin

Kevin Johnson GCIA, GCIH, CISSP, CEH
Principal Consultant
Secure Ideas
http://www.secureideas.net
From: Axton <axt...@gm...> - 2006-12-13 13:52:11
---------- Forwarded message ----------
From: Kevin Johnson <kjo...@se...>
Date: Dec 12, 2006 11:58 PM
Subject: Re: [Secureideas-base-devel] BASE and Debian
To: Axton <axt...@gm...>

On Dec 12, 2006, at 10:20 PM, Axton wrote:

Architecturally, what are our options? What are the limitations on dependencies we want to introduce?

I think the options are wide open... We can do whatever we are willing to support. And since in 2.x we are splitting the UI from the data access, we don't have to fixate on one choice.

Native to php:
- gd. It's not nearly as robust as some other alternatives, but it's free. It may be unwieldy to use directly though.

For the js route:
CanvasGraph is BSD licensed: http://www.liquidx.net/canvasgraphjs/
Looks like a derivative or something (BSD/Apache): http://www.liquidx.net/plotkit/

Caveats for the above two:
- stated to not work on IE
- dependencies: MochiKit (MIT License)

I will look into these....

Not seeing many other good options in this arena.

That's the biggest problem....

I like Dan's notion of a plugin architecture for the graphing capabilities (though I am in the same boat, in the sense I am not a strong php programmer). Users could have the option of which graphing library they want to use; free, not so free, or none at all. Not sure how hard it would be to write an abstraction layer between the BASE and the various graphing libs such that it would be flexible enough to accommodate several alternatives.

I think the abstraction layer is the best idea. Let's work toward this....

Axton Grams

By the way, I didn't want to reply to the list since you took this off list, but if you wouldn't mind, please add it back on any responses so that others can contribute... Your ideas are excellent but if only I ever see them....<grin>

Thanks
Kevin

Kevin Johnson GCIA, GCIH, CISSP, CEH
Principal Consultant
Secure Ideas
http://www.secureideas.net