
The Linux Foundation's "sigstore" project

Posted Mar 10, 2021 15:51 UTC (Wed) by Rigrig (subscriber, #105346)
In reply to: The Linux Foundation's "sigstore" project by rahulsundaram
Parent article: The Linux Foundation's "sigstore" project

I'm not sure "You can find the source somewhere online" qualifies as free software.

What really annoys me though is that this could just have been a plain HTML page.
And it is.
But then someone used CSS to stick a "preloader" in front of the whole page and added some javascript (which depends on a bunch of external javascript libraries) to hide the loader after some delay.
So the only way to read it is to either run a bunch of external javascript blobs, or to also disable stylesheets.

And I think that a project which aims to improve the supply chain could have bothered with providing checksums for those external blobs: https://en.wikipedia.org/wiki/Subresource_Integrity


to post comments

The Linux Foundation's "sigstore" project

Posted Mar 10, 2021 16:27 UTC (Wed) by rahulsundaram (subscriber, #21946) [Link] (14 responses)

> I'm not sure "You can find the source somewhere online" qualifies as free software.

Sure it does. It is not ideal but just because you don't see the full source directly in the browser doesn't make it somehow non-free.

The Linux Foundation's "sigstore" project

Posted Mar 10, 2021 17:29 UTC (Wed) by jebba (guest, #4439) [Link] (13 responses)

The license for it says:

> The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

https://github.com/Modernizr/Modernizr/blob/master/LICENS...

Wouldn't the license info need to be included? Just curious.

The Linux Foundation's "sigstore" project

Posted Mar 10, 2021 19:39 UTC (Wed) by rahulsundaram (subscriber, #21946) [Link] (12 responses)

They ideally should include a copy of the license. That practice is far from universal as we see here.

The Linux Foundation's "sigstore" project

Posted Mar 10, 2021 20:21 UTC (Wed) by jebba (guest, #4439) [Link] (11 responses)

> They ideally should include a copy of the license.

Just "Ideally"? Isn't it required?

> That practice is far from universal as we see here.

The Linux Foundation themselves work against copyright enforcement of "Open Source", is it surprising that it is far from universal? Without people on the Board like Bdale Garbee and Karen Sandler, this is the result we get. Microsoft and copyright violations.

The Linux Foundation's "sigstore" project

Posted Mar 10, 2021 20:47 UTC (Wed) by rahulsundaram (subscriber, #21946) [Link] (10 responses)

> Just "Ideally"? Isn't it required?

A requirement is meaningless unless it is enforced. I doubt the authors care enough to bother.

The Linux Foundation's "sigstore" project

Posted Mar 11, 2021 1:06 UTC (Thu) by jebba (guest, #4439) [Link] (9 responses)

You think all 283 contributors (according to github) don't care? That's quite an assumption. And that allows an exemption?

The Linux Foundation's "sigstore" project

Posted Mar 11, 2021 2:55 UTC (Thu) by rahulsundaram (subscriber, #21946) [Link] (8 responses)

> You think all 283 contributors (according to github) don't care? That's quite an assumption. And that allows an exemption?

Given how many websites do this and how often a requirement to bundle a license is enforced, it is a pretty mundane assumption. Also, most of the contributors in a project with a long tail have a few patches each that fixed a bug or added a feature they wanted and moved on, leaving a much smaller number of contributors doing the bulk of the work, and they can either spend their limited time improving the library or enforcing a licensing term. In legal terms, there isn't an exception. In practice, this sort of licensing requirement is often overlooked and questioning me isn't going to change that one bit.

The Linux Foundation's "sigstore" project

Posted Mar 11, 2021 17:14 UTC (Thu) by jebba (guest, #4439) [Link] (7 responses)

So since they are too small and unlikely to be able to fight the Linux Foundation's lawyers, the violation is just fine. Got it.

The Linux Foundation's "sigstore" project

Posted Mar 11, 2021 17:20 UTC (Thu) by rahulsundaram (subscriber, #21946) [Link] (5 responses)

> So since they are too small and unlikely to be able to fight the Linux Foundation's lawyers, the violation is just fine. Got it.

Complete mischaracterization of what I said. Try again.

The Linux Foundation's "sigstore" project

Posted Mar 11, 2021 17:30 UTC (Thu) by jebba (guest, #4439) [Link] (4 responses)

The Linux Foundation is big enough to overlook violating others' licenses and it is a common practice. Better?

The Linux Foundation's "sigstore" project

Posted Mar 11, 2021 17:34 UTC (Thu) by rahulsundaram (subscriber, #21946) [Link] (3 responses)

> The Linux Foundation is big enough to overlook violating others' licenses and it is a common practice. Better?

Nope. I never talked about the Linux Foundation at all.

The Linux Foundation's "sigstore" project

Posted Mar 11, 2021 17:38 UTC (Thu) by jebba (guest, #4439) [Link] (2 responses)

OK, how about the corporate masters you routinely shill for violate free software developers' licenses regularly, so it doesn't matter because the community can't do anything about it.

Can we end this here, please?

Posted Mar 11, 2021 17:45 UTC (Thu) by jake (editor, #205) [Link]

This does not seem a productive use of anyone's time.

Let's just stop this here, please.

thanks,

jake

The Linux Foundation's "sigstore" project

Posted Mar 11, 2021 17:56 UTC (Thu) by rahulsundaram (subscriber, #21946) [Link]

You seem very confused. I have zero association whatsoever with the Linux Foundation, nor do I work for any organization associated with it. I do have some experience getting free software licensing issues resolved as a volunteer distro package maintainer and developer for several years, and that's the perspective I am sharing here. The enforcement of licensing requirements, if the authors of the library care enough to do it, has to be initiated by them. I don't see any evidence at all for that. That's my point.

The Linux Foundation's "sigstore" project

Posted Mar 11, 2021 18:20 UTC (Thu) by jschrod (subscriber, #1646) [Link]

Can you please stop your crusade?

This is not Slashdot.

The Linux Foundation's "sigstore" project

Posted Mar 12, 2021 20:13 UTC (Fri) by ratfactor (guest, #132367) [Link]

> ...this could just have been a plain HTML page.

The sharp irony of these awful Web practices (no matter how common they are) being needlessly used on a "web of trust" site is downright painful.


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds