Publishing exploits in retaliation to GPL violators?

John Sullivan johns at fsf.org
Tue Jan 2 17:05:58 UTC 2018


"Bradley M. Kuhn" <bkuhn at sfconservancy.org> writes:

> While I understand and empathize with Jon Sawyer's frustrations with an
> intransigent GPL violator as described here:
> https://twitter.com/jcase/status/947927262443094016 ...
>
> ... my initial reaction was that this doesn't fit the Principles of
> Community-Oriented GPL Enforcement.  What do others think?
>
> I also wonder if "publishing a code exploit as retaliation to
> non-responsiveness from a violator" is merely a special case of
> "Confidentiality can increase receptiveness and responsiveness."?
>
> Do folks think this issue should be mentioned explicitly in the Principles,
> or is it rare enough that it can be assumed to be included by implication of
> the existing Principles text?

Yeah, similar to GPL enforcement principles, exploit disclosures should
also follow certain principles, so I wonder if he followed those (i.e.,
told the company about the exploit privately).

My initial thought is that it's covered well enough by existing text
(both by the confidentiality principle and by the first "no other goal
should supersede" principle since there seems to be a goal of
embarrassing the company / causing economic damage to them being
prioritized here).

But curious what others think.

-john

-- 
John Sullivan | Executive Director, Free Software Foundation
GPG Key: A462 6CBA FF37 6039 D2D7 5544 97BA 9CE7 61A0 963B
https://status.fsf.org/johns | https://fsf.org/blogs/RSS

Do you use free software? Donate to join the FSF and support freedom at
<https://my.fsf.org/join>.