Firstly, thank you for bringing this to everyone's attention.
On 20/05/2013 12:54 p.m., Daniel Streefkerk wrote:
> Symantec provide a version of Squid to their Symantec.Cloud customers
> that they call the "Client Site Proxy". They've modified the source to
> add two "encrypted" headers (X-TEACUP and X-SAUCER) to each request,
> and only provide a Windows version of the product. These headers
> provide reporting information back to the centralised admin portal. I
> think one of them contains an encoded username, not sure about the
> other.
>
> They're refusing to provide a Linux version on the grounds that their
> modifications are "confidential" due to the "encryption" of the
> headers.
A bogus reason. Squid-3 offers eCAP exactly for the purpose of
commercials like this to write their own modules and publish those under
different licensing than Squid. If they were doing *that* they would be
able to restrict the source code for their module(s).
Also, this blogger appears to have managed to get one out of them:
http://blog.periodicfailure.com/?p=22
> Seeing as Squid is GNU-GPL licensed and they're providing a commercial
> product based upon it, aren't they required by GPL to make the source
> code for their modifications to squid-cache available to the consumer?
Maybe. The key question is whether they are distributing the binaries or
just offering access through them?
Squid is released as GPL version 2. Any patches made to a distributed
Squid binary fall under its clauses. But, anyone can *use* Squid patched
or otherwise to offer a commercial service.
FWIW: Hiding the code on those grounds is a sure sign that their
"security" measure is a bogus protection. E.g. rot-13, base-64, X+N cipher
or something just as easily broken by knowing the algorithm.
Amos
Received on Mon May 20 2013 - 11:24:53 MDT