Thread

@skunkbad - unmodified core, no changes to OSL licensed CI files, our official repository satisfies the reciprocal obligation in our eyes.  By the letter of the license, perhaps, you should fork our repo since you are technically the Licensor for your distribution (your public web site).

@skunkbad - unmodified core, no changes to OSL licensed CI files, our official repository satisfies the reciprocal obligation in our eyes.  By the letter of the license, perhaps, you should fork our repo since you are technically the Licensor for your distribution (your public web site).

So, legally speaking, YES OR NO, does my hello world website, having no changes to OSL licensed CI files, require a link to the official repo or a fork? Is the mere fact that the official repository exists, or does just having a fork exist without a link satify the license? Does the fork have to be on github? I’m just trying to ask for the exact requirements because making hello world websites is serious business. I work for at least one company that would absolutely not allow any of the code I write to be publicly accessible, regardless of it’s location in either application or system directories. Also, it seems to me that advertising the technology that a website is created with or running on is like telling a hacker, “Why don’t you poke your nose around and see if you can find any security vulnerabilites”. PCI compliance scanners absolutely look for this kind of stuff. I’m not big on reading legal stuff or spending hours with attorneys trying to figure out what the OSL license really means to me, so I appreciate your answers.

Brian, I’m not a lawyer and can’t answer legal questions for you or your firm.  I’ve stated the license’s requirements a number of times here, with various scenarios that satisfy reciprocity.  We also published 5 articles on software licenses to help educate developers on the ins and outs of licenses.  And I’ve spoken to security by obscurity.  I don’t know that I can answer your questions more thoroughly than to restate it: once you trigger copyleft by distributing CI, including running it over a network (like a public web site), you are obligated to make any OSL licensed files and their changes available to others under the same terms that you received them, in a way that is reasonably calculated to be convenient and inexpensive.  EllisLab legally cannot demand any more than what is stated there, such as telling you that you have to use a specific mechanism or satisfy those conditions at a specific location.

Brian, I’m not a lawyer and can’t answer legal questions for you or your firm.  I’ve stated the license’s requirements a number of times here, with various scenarios that satisfy reciprocity.  We also published 5 articles on software licenses to help educate developers on the ins and outs of licenses.  And I’ve spoken to security by obscurity.  I don’t know that I can answer your questions more thoroughly than to restate it: once you trigger copyleft by distributing CI, including running it over a network (like a public web site), you are obligated to make any OSL licensed files and their changes available to others under the same terms that you received them, in a way that is reasonably calculated to be convenient and inexpensive.  EllisLab legally cannot demand any more than what is stated there, such as telling you that you have to use a specific mechanism or satisfy those conditions at a specific location.

I’ve spent hours looking into this, and read all I can stand to read. From that I think I understand, I don’t think the new license is devastating, but I do think it’s a bummer to have to link to a repository or otherwise make the OSL licensed files available to website visitors. I do normally use a terms of use page and/or a legal page on my own websites, and I suppose that somewhere on line 400 or something would be plain text URL for the official repo. For a developer like myself, this license stuff is a steaming pile of cow crap. I just don’t even want to have to deal with it.

Brian, I’m not a lawyer and can’t answer legal questions for you or your firm.  I’ve stated the license’s requirements a number of times here, with various scenarios that satisfy reciprocity.  We also published 5 articles on software licenses to help educate developers on the ins and outs of licenses.  And I’ve spoken to security by obscurity.  I don’t know that I can answer your questions more thoroughly than to restate it: once you trigger copyleft by distributing CI, including running it over a network (like a public web site), you are obligated to make any OSL licensed files and their changes available to others under the same terms that you received them, in a way that is reasonably calculated to be convenient and inexpensive.  EllisLab legally cannot demand any more than what is stated there, such as telling you that you have to use a specific mechanism or satisfy those conditions at a specific location.

I’ve spent hours looking into this, and read all I can stand to read. From that I think I understand, I don’t think the new license is devastating, but I do think it’s a bummer to have to link to a repository or otherwise make the OSL licensed files available to website visitors. I do normally use a terms of use page and/or a legal page on my own websites, and I suppose that somewhere on line 400 or something would be plain text URL for the official repo. For a developer like myself, this license stuff is a steaming pile of cow crap. I just don’t even want to have to deal with it.

The answer to all of your questions is really simple. Don’t edit any of the core files ever, there are mechanisms in place for you to overwrite functionality in CI without needing to edit any core files so upgrading versions is very simple. It’s not a big deal if you use CodeIgniter properly and don’t touch any of the core files.

The answer to all of your questions is really simple. Don’t edit any of the core files ever, there are mechanisms in place for you to overwrite functionality in CI without needing to edit any core files so upgrading versions is very simple. It’s not a big deal if you use CodeIgniter properly and don’t touch any of the core files.

I don’t ever touch the system files. I’m capable of extending the system files properly if necessary. That’s not what my concern is regarding. Check out my “Hello World” example. It simply asks what I need to do when making a simple website.

The answer to all of your questions is really simple. Don’t edit any of the core files ever, there are mechanisms in place for you to overwrite functionality in CI without needing to edit any core files so upgrading versions is very simple. It’s not a big deal if you use CodeIgniter properly and don’t touch any of the core files.

I don’t ever touch the system files. I’m capable of extending the system files properly if necessary. That’s not what my concern is regarding. Check out my “Hello World” example. It simply asks what I need to do when making a simple website.

For some reason they don’t want to just flat out tell you in simple terms that your suspicion is correct.  You have to acknowledge that you are using CI, and make it known in some way where your web site visitors can view the code for any files that are OSL licensed.  Even for a simple Hello World site.

There’s nothing sneaky going on here, Sire.  We have chosen to license CI with OSL 3.0.  OSL 3.0 does not say that we can require you to place a particular link in a particular location and host the files thus and so.  Reasonably calculated to be inexpensive and convenient for licensees to access.  Nothing more, nothing less.

Derek, so, in short, if you do not alter anything in the /system directory and ONLY change things in the /application directory, then you are in compliance with OSL3?

In those cases, CroNiX, so long as the actual code in use is still freely hosted by EllisLab (i.e. available at GitHub), and there is a reasonable means of source disclosure, yes.  One user cited the example above of a short mention in a site’s terms of service, which I would perceive as an example of a reasonable means, though others may have their own preferences and methods (powered by CodeIgniter in the footer with a link, or a link banner, etc., are also common).  But again we cannot and do not even desire to demand a specific mechanism.  The basis is simply respect.

There’s nothing sneaky going on here, Sire.  We have chosen to license CI with OSL 3.0.  OSL 3.0 does not say that we can require you to place a particular link in a particular location and host the files thus and so.  Reasonably calculated to be inexpensive and convenient for licensees to access.  Nothing more, nothing less.

I don’t mean to suggest that you’re being sneaky, but you’re being somewhat vague and seemingly evasive as a result.

Anyone using CI 3.0 under the OSL 3.0 for their site must acknowledge this.  This is a condition of the license (external distribution)  whether they make any changes to the core files or not.  Surely you can see not answering this directly is causing additional confusion to the most recent few posters.

Edit:  the least intrusive (for lack of a better word) manner of complying with this is what’s really at question.  Is it enough that EllisLab hosts it on their site, and thus we don’t need to even mention that our site is powered by CI?  I believe you’ve already said no, that isn’t enough.

Derek, so, in short, if you do not alter anything in the /system directory and ONLY change things in the /application directory, then you are in compliance with OSL3?

I know you asked Derek, but if you’ve followed along this thread, and if you do a little investigation of your own, you will see that to be compliant, you will have to make the OSL licensed files available for your site visitors. Even if you did not modify these files, you still have to make them available. If could be link to the official repo, or perhaps a fork. Maybe it could be a download on your website. It seems that there is some flexibility as to how you make the files available. I can’t offer you legal advise, and it sucks that legal advice should be something we even have to consider.

Yes, I gathered.  Thanks, Brian.  As a matter of security I know the majority of my clients will not want anything about how the site was built exposed to the public, so, for those clients I guess they get to pay me more money to redo their site in a different framework or stick with the 2.x branch and never go to 3.

There should be an option of an “unbranded license” like a lot of companies do where you pay their fee and can remove the branding.  So people have a choice.  Use for free and you are under OSL3, pay the fee and you are not.  All you have to do is go to a site like this or this (there are other hacker sites with more details but I can’t find the bookmarks right now) to find the security holes.  Might as well hang your housekey on your doorknob when you leave for the day.

Yes, I gathered.  Thanks, Brian.  As a matter of security I know the majority of my clients will not want anything about how the site was built exposed to the public, so, for those clients I guess they get to pay me more money to redo their site in a different framework or stick with the 2.x branch and never go to 3.

There should be an option of an “unbranded license” like a lot of companies do where you pay their fee and can remove the branding.  So people have a choice.  Use for free and you are under OSL3, pay the fee and you are not.  All you have to do is go to a site like this or this (there are other hacker sites with more details but I can’t find the bookmarks right now) to find the security holes.  Might as well hang your housekey on your doorknob when you leave for the day.

This was exactly what I was thinking.

CroNiX, while I don’t share your level of worry of technology exposed—perhaps an anecdote might be relevant here.  I recently helped someone with PCI compliance and there were about 230 high level warnings, dozens of critical.  We shut off Apache’s disclosure of the OS version number and they all went away.  Boom, compliant.  So, 230 potential security holes—serious, critical even—are just fine so long as some auto-scanning software doesn’t pick it up?  It’s absolutely absurd, particularly since a ping to the site can help you discover where it’s hosted, you can sign up for your own account (or use lookup tables that undoubtably exist), and figure it out.  And automated tools are becoming more sophisticated and can simply craft requests for hundreds of known benign vectors of popular web software - once one innocuous one hits, they can now move on to malicious attacks.

But I digress.  We have no problem in negotiating private closed-licensing terms.  At any time, you can send a proposal to .(JavaScript must be enabled to view this email address) for your request.  If you have a proposal that you think is equitable and would be welcome by many in the community, please put it forward as well.

...and it sucks that legal advice should be something we even have to consider.

skunkbad, my friend, on this point we are in complete agreement.  Sadly at present, it is a necessary evil for anyone who wants to safely and smartly participate in this industry.