Friday 4 October 2013

Well - like it or not - it's open source now

I was awake at 4am for some reason (now after 5am). However answered a question on StackOverflow and stirred the pot a bit on Twitter. This is not a good use of my time though. Earlier today Adobe announced they'd been hacked, and have had a lot of personal details stolen, and the source code for Acrobat, ColdFusion and ColdFusion Builder are now out in the wild.

There was an interesting statement about the source code in another blog post: "Illegal Access to Adobe Source Code", in that they say:

Based on our findings to date, we are not aware of any specific increased risk to customers as a result of this incident.
I guess the key word here is "specific". There is certainly more potential for security risk here, but I can only think that there's no "specific" risk, because no specific security breach has been identified as a result of this. Yet.

However I think this is a disingenuous statement, because clearly having the source code is going to be easier to survey than a decompiled version of the code. So there intrinsically is an increased risk. Also the whole notion of looking for security issues in ColdFusion will now be on more people's radar simply because this has happened. People will be trying to get hold of the source and having a look. Hell: I'll probably try to get hold of the source and have a look. However I would never ever circulate it (or a location for it to be found), nor would I ever directly publicise any of my findings of examining it. I would, however, use it to try to get to the bottom of any weirdness in ColdFusion I encounter, or hear of others encountering.

I also wonder if it's the CF10 or CF11 code that's been liberated? Interesting... if nothing else, I'd like to see the code to see what's coming in CF11...

Which brings me to the point of this. ColdFusion is now - like it or not, Adobe - open source. However it is open source only in the hands of people who would exploit it. This is A Bad Thing.

I realise that there will be a number of reasons - some perhaps legal (third party licensing etc) - for keeping the code closed source until now, and "not wanting it to be an open source product" is only one barrier to being open source. However any personal-pride / sense of proprietory IP etc is moot now. The code is out there. All of that secrecy is gone.

You might have some legal issues to smooth over with third parties... and of course you'd need to put it past your own legal team first, and get a new licence worked out, but... well... go on then: you might as well do it. You might as well open source ColdFusion.

As far as revenue gathering goes, there must be a way to licence it as OSS but you still retain your distribution rights? That would not be in-keeping with the spirit of OSS, but it at least means the community could contribute back into the codebase. It would also put the good guys - your community - on equal footing with the baddies.

Update on the above:

Michael Hogan answered my question above via twitter:
So that's interesting news. I dug up the Jira EULA, which says this:

2.5 Source Code. Atlassian may provide some elements of Software in source code form ("Source Code"). Unless otherwise specified, End User may modify Source Code solely to develop bug fixes, customizations, and additional features ("End User Modifications") and, notwithstanding anything else in this Agreement, may only use End User Modifications internally for purposes of using the Software licensed from Atlassian. Atlassian will have no support, warranty, indemnity or other obligations relating to, and assumes no liability for, any End User Modifications or any effect they may have on the operation of the Products.
I did not find the relevant Unreal licence, but did not look too hard.

I think it's seriously time for you to make something good out of this news story, and give some thought to officially open sourcing ColdFusion.