Closed Bug 919628 Opened 12 years ago Closed 11 years ago

pastebin missing source

Categories

(Infrastructure & Operations :: IT-Managed Tools, task)

x86
macOS
task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: lonnen, Assigned: nmaul)

Details

(Whiteboard: [kanban:https://kanbanize.com/ctrl_board/4/585] )

Pastebin is GPL'd. http://pastebin.mozilla.org/?help=1 has a link to download the source that is 404: http://pastebin.mozilla.org/pastebin.tar.gz That should be restored along with any modifications we've made to the source.
(In reply to Chris Lonnen :lonnen from comment #0)
> Pastebin is GPL'd. http://pastebin.mozilla.org/?help=1 has a link to
> download the source that is 404: http://pastebin.mozilla.org/pastebin.tar.gz
> That should be restored along with any modifications we've made to the
> source.

IANAL but technically that isn't required _unless_ we're distributing pastebin...which we aren't.
Newer versions of Pastebin are under Affero GPL for that reason. Given our currently deployed version I'm not certain of any legal obligation, but we do have something of a moral obligation. Also, some mozillians on the webdev list were looking for the source.
(In reply to Chris Lonnen :lonnen from comment #2)
> Newer versions of Pastebin are under Affero GPL for that reason. Given our
> currently deployed version I'm not certain of any legal obligation, but we
> do have something of a moral obligation.

Totally with you on the moral parts, I was strictly referring to the "letter of the law" of the GPL.

> Also, some mozillians on the webdev list were looking for the source.

I have no idea. Maybe reed has some clue here.
AFAIK we do not have the source anywhere. This is a legacy project that we got before the guy sold it and the source vanished. This has not been updated or worked on that I know of for quite some time with the exception of migrating it between datacenters. I think at some point it was customized but none of the old bugs reference any repository for these modifications or if we even had such a thing. As I understand it some mods were made upstream and some local edits were made. These local edits were later lost and may or may not have ever been reapplied. As it stands I am not sure how we would even do this short of simply zipping up the code base and putting it online. I suspect that the security folks might have something to say about this due to the fact that we have no idea if there are local modifications or sensitive data contained within. As such I imagine a security review would need to be accomplished before we could put the current codebase online in that fashion. If you would like to take this on let me know and I can send you a zip of what we have on the production server. Otherwise I do not think that anyone on my team has the time to tackle this at the moment.
(In reply to Jason Crowe [:jd] from comment #4)
> I suspect that the security folks might have something to say about this due
> to the fact that we have no idea if there are local modifications or
> sensitive data contained within. As such I imagine a security review would
> need to be accomplished before we could put the current codebase online in
> that fashion.

Correct. Giving away the source for others to analyze and find vulnerabilities, without us (or anyone else) producing security patches, is a very bad idea.
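The review that comments #4 and #5 call for has two concrete parts: find out which files in the deployed tree differ from the upstream release (the "local modifications" nobody has a record of), and check those files for embedded credentials or other sensitive data before anything is published. The script below is an added example illustrating that check; it is not code from this bug, from Mozilla's deployment, or from the pastebin project. It assumes the upstream release tarball has been unpacked into one directory and the production tree copied into another, and it builds small constructed sample trees (with made-up file names and values) so it runs offline.

```python
"""Pre-publication review of a deployed web-app tree (added example).

1. Hash every file in the upstream release and in the deployed copy, and
   report files that were modified, added, or removed locally.
2. Scan only the locally modified/added files for lines that look like
   embedded credentials, since those are the files upstream never saw.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Heuristic patterns for credential-looking assignments. Constructed for this
# example; a real review would use a dedicated secret scanner in addition.
SECRET_PATTERNS = [
    re.compile(r"(?i)(pass(word|wd)?|pwd|secret|api[_-]?key|token)\s*[=:]\s*['\"]?[^\s'\"]{4,}"),
]


def hash_tree(root):
    """Map each file path (relative, POSIX style) under root to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*")
        if p.is_file()
    }


def compare_trees(upstream, deployed):
    """Classify files as modified, added, or removed relative to upstream."""
    up = hash_tree(upstream)
    dep = hash_tree(deployed)
    return {
        "modified": sorted(f for f in up if f in dep and up[f] != dep[f]),
        "added": sorted(f for f in dep if f not in up),
        "removed": sorted(f for f in up if f not in dep),
    }


def find_secret_hits(root, files):
    """Return (path, line number, line) for credential-looking lines in files."""
    hits = []
    for rel in files:
        text = (Path(root) / rel).read_text(errors="replace")
        for lineno, line in enumerate(text.splitlines(), 1):
            if any(pat.search(line) for pat in SECRET_PATTERNS):
                hits.append((rel, lineno, line.strip()))
    return hits


def review(upstream, deployed):
    """Full report: local diff plus secret hits in the locally touched files."""
    diff = compare_trees(upstream, deployed)
    return {"diff": diff, "secrets": find_secret_hits(deployed, diff["modified"] + diff["added"])}


def build_sample_trees():
    """Constructed sample: a fake upstream release and a locally edited deployment."""
    base = Path(tempfile.mkdtemp())
    up, dep = base / "upstream", base / "deployed"
    for d in (up, dep):
        (d / "lib").mkdir(parents=True)
    (up / "index.php").write_text("<?php echo 'pastebin'; ?>\n")
    (up / "lib" / "config.php").write_text("<?php $db_pass = 'CHANGEME'; ?>\n")
    (up / "lib" / "helper.php").write_text("<?php function h($s){return htmlspecialchars($s);} ?>\n")
    (dep / "index.php").write_text("<?php echo 'pastebin'; ?>\n")           # unchanged
    (dep / "lib" / "config.php").write_text("<?php $db_pass = 'hunter2-prod'; ?>\n")  # modified, real-looking secret
    (dep / "lib" / "local.php").write_text("<?php $api_key = \"abcd1234efgh\"; ?>\n")  # local addition
    # lib/helper.php is absent from the deployment: a local removal
    return str(up), str(dep)


if __name__ == "__main__":
    upstream_dir, deployed_dir = build_sample_trees()
    report = review(upstream_dir, deployed_dir)
    for kind, files in report["diff"].items():
        print(f"{kind}: {files}")
    for rel, lineno, line in report["secrets"]:
        print(f"possible secret in {rel}:{lineno}: {line}")
```

The point of scanning only the modified and added files is that upstream's own placeholder values (like the sample `CHANGEME`) are already public and not the concern; what a publication would leak is whatever was changed or added locally, which is exactly the set nobody had a record of in this bug.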
It looks like we have a consensus about this so I will close this wontfix. Please reopen with further information if I am mistaken. Regards
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WONTFIX
How many modifications to the source have we made? Just because we aren't providing the source code doesn't mean it's not available. If we're concerned about pastebin security we should put it through sec review, or replace it with something that has gone through sec review.
I have no idea how many modifications were made. I only discovered any by searching bugzilla but there are not really any details in the old bugs, just that changes were made. I agree that something better should be done here. In fact I have been saying that for more than a year (since I last migrated it and discovered these issues). Unfortunately no one seems all that willing to commit resources with so much going on elsewhere in the project just now.
So it's been brought to my attention that pastebin is aGPL. The wording on the help page is ambiguous, but the author claims it has always been aGPL, which has additional provisions requiring that servers make the source available to any network users of it. We should re-establish the link to the source or we're in violation of the license.
Status: RESOLVED → REOPENED
Resolution: WONTFIX → ---
Whiteboard: [kanban:https://kanbanize.com/ctrl_board/4/585]
Link works now... points to current source.
Assignee: server-ops-webops → nmaul
Status: REOPENED → RESOLVED
Closed: 12 years ago → 11 years ago
Resolution: --- → FIXED