top | item 43612659


blokey | 10 months ago

The risk is that Apple code signs all the executables they ship and that someone could try to use GPLv3 to force Apple to either give them their signing keys to run their own version (the anti-TiVo clauses) or that it would restrict Apple from suing someone for patent infringement because they've shipped GPLv3 software.

Valid or not in anyone else's opinion, it doesn't really matter; the risk that someone will attempt to use a court to enforce one of these tends to mean companies don't want to even go near it.

Working in a bank, we won't touch anything GPL3, even to build our software/services or mobile app, because we don't want to even open that Pandora's box.

We don't have to find out if a court would try to force us to release our signing keys if we don't use or ship any code that contains language that could in some ways be phrased to do that.


imglorp | 10 months ago

Why do orgs like this bank sometimes also ban GPL3 for internal use, even if it's not part of the product?

blokey | 10 months ago

For the same reason we spent £1.8m "licensing" iText PDF for Java... and removing it with extreme prejudice immediately afterwards.

We had a very keen developer upgrade all the libraries in our codebase as a "reducing technical debt" task that they decided to undertake themselves.

They couldn't get something working and posted a stack trace to ask for help... Some enterprising salesperson at iText saw it, emailed them offering to help and asked a question about what they were running, and the developer effectively told them they were running version 5, which they didn't even check (or possibly understand) is relicensed under AGPL or a commercial license.

The legal threats from iText and the resulting fallout mean we now do not allow developers access to the internet from their machines, even via a proxy; they have a separate RDP machine for that.

And they can only pull in libraries that are scanned via JFrog Xray to ensure the license of said library is "acceptable".

On the plus side, it means we're doing something about supply-chain vulnerabilities.
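A minimal form of the license gate described in the comment above, as an added example that is not the bank's, iText's or JFrog's code: it evaluates SPDX license expressions from a constructed dependency list against an allowlist, blocks the strong-copyleft families the thread is about, and refuses anything it cannot identify rather than letting it through. Component names and versions are made up.

```python
"""License gate for a dependency manifest (constructed example)."""
from dataclasses import dataclass

# Allowlist of SPDX identifiers the policy accepts (assumption: a typical permissive set).
ALLOWED = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC", "MPL-2.0"}
# Strong-copyleft families the comment treats as off-limits; prefix match covers
# "-only" / "-or-later" variants such as "GPL-3.0-or-later".
BLOCKED_PREFIXES = ("GPL-3.0", "AGPL-3.0", "LGPL-3.0")


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    license_expr: str  # SPDX expression, e.g. "Apache-2.0 OR GPL-3.0-only"


def license_ok(expr: str) -> bool:
    """Evaluate a flat SPDX expression (no parentheses or WITH clauses).

    OR: the consumer may pick any branch, so one acceptable branch suffices.
    AND: every branch must be acceptable.
    Unknown identifiers, NOASSERTION and empty strings fail closed.
    """
    expr = expr.strip()
    if not expr:
        return False
    if " OR " in expr:
        return any(license_ok(part) for part in expr.split(" OR "))
    if " AND " in expr:
        return all(license_ok(part) for part in expr.split(" AND "))
    if expr.startswith(BLOCKED_PREFIXES):
        return False
    return expr in ALLOWED


def gate(components):
    """Return (name, version, license) for every component that fails the policy."""
    return [(c.name, c.version, c.license_expr)
            for c in components if not license_ok(c.license_expr)]


# Constructed manifest: hypothetical names, not real packages.
SAMPLE_MANIFEST = [
    Component("json-util-example", "2.1.0", "Apache-2.0"),
    Component("pdf-lib-example", "5.0.0", "AGPL-3.0-only"),   # the iText-5 style case
    Component("dual-licensed-example", "1.4.2", "Apache-2.0 OR GPL-3.0-only"),
    Component("mixed-example", "0.9.0", "MIT AND GPL-3.0-or-later"),
    Component("unknown-example", "3.3.3", "NOASSERTION"),
]


def check_sample():
    return gate(SAMPLE_MANIFEST)
```

Real SPDX expressions may nest with parentheses or carry `WITH` exceptions; those cases need a proper parser rather than this flat split.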

antonvs | 10 months ago

There's a risk that someone uses such a library the wrong way. A big part of the goal of legal compliance and security at large enterprises is to protect staff from doing dumb things that could have bad consequences, and one of the easiest ways to do that is to ban things that are particularly prone to that. It's a blunt weapon, but a more targeted one requires much more work and care.