
IronBee, Community and SSL (The H)

The H interviews Ivan Ristić about the IronBee web application firewall. "Going back to my earlier comments, ModSecurity was pretty open, but I think it has a flaw which all GPLv2 programs have, which is that if you have a single entity owning the code and asking people who contribute to assign the IP of their contributions to them, you get a certain asymmetry in the community. [...] So I have good theories on why a community of developers didn't form around ModSecurity; one is the licence and the other is that the program itself is monolithic, so there was a barrier to entry there which stopped people from being able to do something useful. I want to address that too with IronBee; we've made it very modular and we are going to have good documentation, so that if you have an itch to scratch, if you have a particular problem that you need to solve, you don't have to understand the whole thing."

IronBee, Community and SSL (The H)

Posted May 5, 2011 15:44 UTC (Thu) by tao (subscriber, #17563)

There seems to be a serious flaw in Ivan's reasoning about the GPLv2. There's no requirement in the GPL about asking people to do copyright assignment. That is something some projects do (most notably the FSF), but not all (most notably the Linux kernel).

Also, even if there's a copyright assignment requirement for a certain project, the GPL is still valid -- you can at any point fork the code; the only things copyright assignment allows for are relicensing and simplified legal actions. If the former happens you can fork if you don't like the new license.

Sure, the issue that Ivan points out exists, but it doesn't stem from the GPLv2, but rather from copyright assignment requirements. If you don't like copyright assignment requirements (I'm not very fond of them either), fine, but don't blame the GPL.

IronBee, Community and SSL (The H)

Posted May 5, 2011 16:15 UTC (Thu) by Hausvib6 (guest, #70606)

Because IronBee is supported by Akamai which, of course, may want to add some proprietary modifications to IronBee and use it as leverage for their IronBee version. I think because of the nature of the application, it would need to be distributed (as in "distributed to their customers"), which will not make Akamai happy if the license is GPL or another copyleft since their competitor can benefit from Akamai's modifications. Recent events (for example: Oracle and FLOSS projects) show that the trend is to avoid projects with copyright assignment. Since IronBee developers want to build a community around IronBee (as stated in their whitepaper), their choice of license for IronBee will satisfy their supporters and future contributors.

Now, nothing prevents another company with sufficient resources from improving IronBee and deciding not to give back to the community.

Personally, in my dream, AGPL3 would be much much much cooler.

IronBee, Community and SSL (The H)

Posted May 6, 2011 9:33 UTC (Fri) by ballombe (subscriber, #9523)

Maybe in your dream, but in reality the AGPLv3 is so unclear that it makes forking the software dangerous, because there is no way you can comply with the license. (You can make a best effort to comply, but this is not the same thing.) Hardly a free software license. It is also trivial to bypass by users (since they do not have to agree with the license) by using a non-transparent proxy.

IronBee, Community and SSL (The H)

Posted May 5, 2011 16:22 UTC (Thu) by yann.morin.1998 (subscriber, #54333)

That's not how I read the statement.

> a flaw which all GPLv2 programs have, which is
> that *if* you have a single entity owning the
> code and asking people who contribute to assign
> the IP of their contributions to them, [then] you
> get a certain asymmetry in the community.

Which I interpret as: the flaw is due to the IP assignment. The fact that the programs are GPLv2 is only happenstance, here.

But Ivan is referring to "GPLv2 programs", as they are what matters here, not just "programs".

My 2cents.

IronBee, Community and SSL (The H)

Posted May 5, 2011 16:23 UTC (Thu) by yann.morin.1998 (subscriber, #54333)

Sorry, the emphasis on 'if', and the 'then' are my additions, as that's how I interpret the sentence.

The word "all" and the supposed "flaw"

Posted May 5, 2011 16:53 UTC (Thu) by pboddie (subscriber, #50784)

Yes, but saying "...I think it [the software] has a flaw which all GPLv2 programs have" and then qualifying it with "...if you have a single entity owning the code" sort of undermines the legitimacy of using the word "all". Not all GPLv2 programs have the flaw because not all are owned by a single entity, and even if the potential for the "flaw" is present, it can be impractical bordering on impossible to actually introduce it to many programs.

Of course, the "flaw" is that the people not owning the code can't make proprietary software from the project whereas the people owning the code can do so. By forking the project (or not having a single owner), no-one gets to make proprietary software from the forked (or jointly owned) project. Whether you think it's a "flaw" depends on whether you want to contribute to a proprietary software project or not, ultimately.

IronBee, Community and SSL (The H)

Posted May 25, 2011 17:13 UTC (Wed) by ivanr (guest, #75175)

Yes, of course -- there is nothing in GPLv2 that requires IP assignments. But they are common in GPLv2 projects, and the combination of the two can be toxic. More liberal licences, for example ASLv2, do not have the same problem because everyone has effectively the same rights.

The GPLv2 + IP assignment issue usually arises when a company makes a significant investment into an open source project. If you start a GPLv2 project with a large investment, the IP assignment is practically mandatory, because not doing so would restrict what you can do with the code you created. The moment the project accepts its first GPLv2 contribution, the founder loses the ability to use the open source project in a non-GPLv2 fashion.

If you are able to somehow create that initial popularity spark in some other way and prevent any one entity from being a majority owner, then GPLv2 can work well.

Ironbee

Posted May 16, 2011 13:04 UTC (Mon) by job (guest, #670)

How mature is Ironbee? Should I evaluate it as an alternative to Mod_security in production?

What always hampered the adoption of Mod_security for me was that there is a real "first step" use case. You need to go all in to use it, and that's scary if you're not familiar with the software.

Ironbee

Posted May 25, 2011 16:45 UTC (Wed) by ivanr (guest, #75175)

IronBee is still in early development. The next version -- 0.3, due in early August -- should have enough functionality for people to start playing with. We're planning to release version 1.0 by the end of the year.

Ironbee

Posted Jun 21, 2011 10:48 UTC (Tue) by job (guest, #670)

Thanks for the comment! I'm looking forward to the release.

Copyright © 2011, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds