Subject: Re: Question on OSD #5
From: "Chris Travers" <chris.travers@gmail.com>
Date: Fri, 23 Nov 2007 14:52:26 -0800

On Nov 23, 2007 2:17 PM, Ben Tilly <btilly@gmail.com> wrote:
>
> Perl was developed as a reporting tool for use within a highly secure
> project on machines that theoretically had no direct communication
> with the outside world.
>
> I agree that no classified information was part of Perl's source code.
>  But what is interesting is that it managed to get off of those
> machines.  Furthermore I'll note that its status was the same as any
> open source software that manages to find itself in environments like
> that on machines like that.
>

Sure.  As I am sure a lot of other data has over time.  After
appropriate review, etc.  Sometimes information is declassified and
published, you know :-)

> > 1)  I do not think that software restricted by state or trade secret
> > classifications could be considered open source.
>
> Not so fast.  There is plenty of open source encryption software that
> by US state classification is not allowed to be exported to a specific
> list of countries.  (Perhaps that is "was".  I haven't kept up on the
> issue.)  But nobody argues that those pieces of software are not open
> source.

That is not the same thing.  State and trade secrets would mean
"classified" or "sensitive" or "FOUO."  Other regulatory restrictions
are separate from this question.

Also, IANAL, but a number of years ago the rules changed which allowed
publicly available encryption source code, for which no fee was
charged, to be published internationally with few restrictions (there
is a notification requirement, however):
http://www.bis.doc.gov/encryption/pubavailencsourcecodenofify.html


>
> > 2)  Of course, in any reasonable jurisdiction, it couldn't be publicly
> > distributed so it doesn't matter (i.e. I don't think an entity can on
> > one hand publish information and on the other hand claim that it is
> > their secret, though this hasn't stopped the Bush Administration from
> > trying this unsuccessfully-- jurisdictions which allow such
> > secrets-based protections for publicly available works are not
> > reasonable).
>
> Heh.  I think you just called any jurisdiction with patents unreasonable. :-)
>
> I'm not disagreeing, but the idea of a patent is that you publicly
> disclose a secret and then it is yours.  Nobody else is allowed to use
> it until your patent expires.

Right, except that this is supposed to be something different than
trade secret protections (which never expire).

The patent system is supposed to offer a quid pro quo for the act of
publicly disclosing an invention.  I.e. the goal is to reduce the
number of trade secrets subject to a very different set of
protections.  Note that patents don't work as well in IT due to the
immense complexity of systems (both hardware and software) and I think
we need some sort of reform excluding computer technology (hardware or
software) from patent enforcement.  Pharmaceutical companies, OTOH,
tend to like patents because their products rely only on 1-2 major
components which might be patentable, so maybe rules should be
different for the different industries?

>
> > 3)  I am not sure the label of "open source" pertains to any sort of
> > private modification anyway.
>
> If I hand you a piece of GPLed software that I've made a private
> modification, it is open source software.
>
Sure, but if you have violated a trade secret in the process, you
might be liable for that breach, thus suggesting that *you* cannot
safely give me that software.

Best Wishes,
Chris Travers