Finally I pulled myself together and made c-ares.haxx.se the new official URL for the c-ares project, and to celebrate the occasion we now also have an “official” project logo (thanks to Jeff Pohlmeyer):
[image has been lost]
Category Archives: Open Source
Open Source, Free Software, and similar
ohloh vs statcvs
I’ve played a bit with statcvs lately and I generated reports for the curl repository. It turned out rather interesting (well, assuming you’re a statistics geek such as me) especially in comparison to the data and stats ohloh.net presents for the same code:
[the images have been lost in time, like tears in rain]
Executive summary:
- I’ve done 82% of all code changes.
- We seem to grow at roughly the same pace (both number of code lines and number of files) over the last years.
- The lines of code per file count seems rather fixed
Oh, that initial big bump at late 1999/early 2000 was due to a lot of “wrong” files such as configure, config.guess etc were committed and subsequently removed. It is a bit annoying to have there as it ruins the data somewhat but I’ve not managed to fool statcvs into ignoring that part…
The NFSA 2008 went to…
The Nordic Free Software Award 2008 went to Mats Östling for programverket.org which is “a project operating with open software and open software development in the public sector. The purpose is to achieve more collaboration and more efficient IT application within the public sector“. Congratulations Mats!
The FSCONS official site (the award was handed out during that event) keeps up with its tradition with being totally behind the schedule and isn’t even mentioning the winner yet…
I’m not sure only two awards is enough to draw any conclusions, but with Skolelinux last year and a public sector open source project this year it certainly gives a feeling what the jury has prioritized so far.
Snaxx 19
In an attempt at making something social, to actually meet up with real-life physical people bu
t yet avoid common trivial subjects and only stay on-topic with technology, computing, work, beer and things related to that, we’re gathering at the next Snaxx on november 20th somewhere in Stockholm city Sweden. The exact location has yet to be decided.
If you’re into technology, open source, good ales, talking about work on your spare time or possibly all of that at once – then you might just be one of us.
Welcome!
Copyleft and closed dual license ethics
There are a bunch of companies out there today that offer their products in a dual-license style, where you can download and use the GPL licensed version or buy the proprietary licensed version (often together with some kind of service deal) that you then can use without the “burden” of a GPL agreement. Popular known brands doing this include Trolltech/Qt (now Nokia), MySQL (now Sun), OO.o (Sun), Sleepycat (now Oracle) (Berkely DB is not strictly GPL but still copyleft) and VirtualBox (now Sun) etc.
It’s perfectly legal for them to do this, as the company is the copyright holder of all the files, they can just easily re-release everything under whatever license they want at their own discretion. The condition is of course that they are in fact copyright holders of everything, that the parts they don’t have copyright for are either licensed under an enough liberal license or that they can buy a similar relicense from third party lib authors.
It kills contributions from non-employees since doing a large chunk of code for these guys means that you would hand over copyright to a company whose entire business idea is to convert that to a proprietary license and make money from it. In a way you cannot do yourself since they can turn the GPL code into proprietary goods and you cannot. This may be a clue to why MySQL has less community contributors. The forced assigning of copyright over to a company could very well also be a contributing factor to OO.o’s problems to attract developers.
Companies “hide” the truth about this and try talking customers into the proprietary license. I’ve worked a bit with Qt and the wording they have used have often given companies the impression that they have to pay for the proprietary licensed version to be allowed to use the product in a commercial product. I’ve had to explain to several customers that as long as they just adhere to GPL they can use the free version just fine without paying anything. Trolltech also has this dubious condition tied to their commercial license: “The Commercial license does not allow the incorporation of code developed with the Open Source Edition of Qt into a commercial product.“[*] Needless to say, this will prevent companies from trying the open source licensed route first. I’m curious if they even have the legal right to make that claim.
This puts competitors at an arm’s distance of course since no other companies can take the code and conduct business the same way. Of course this is part of the reason why they gladly adapt GPL for this. Lots of actions by these companies make me feel that they aren’t real and true open source believers, but that they use this label a lot for marketing and for making sure competitors can’t do the same as they do.
The GPL version is without support for customers in another push to drive them to pay for the proprietary license instead of the GPL one. Of course, it being open source lets companies going the GPL route to fix their own problems since they have the source and all, but the push towards the proprietary license also narrows how many customers that will actively contribute anything back since there’s little chance they will do anything in a project with a proprietary license. I honestly can’t see many other possible legitimate reasons why companies wouldn’t do support for the GPL licensed versions.
I’ve not personally worked in any of these projects under such proprietary licenses, but I would love to hear experiences from people that have!
Obviously all this are not problems large enough to concern users. Quite possibly so because these companies do a good enough job and keep the GPL versioned versions of their software at a sufficiently good quality so that there just don’t appear any forked projects that take the GPL version and run with it in a different direction. Another explanation could be that there are good enough alternative projects to go with if you’re not happy with one of these dual-licensed ones.
A little related anecdote told to me by an MySQL employee (who’s name shall remain untold). He described how they still haven’t implemented a feature in MySQL that many people have requested, since they according to him don’t want to cram in more stuff in the existing branch but instead are releasing it in the next major release (due to release in 4-6 months or similar). In the next sentence he explained how they already have it implemented in the closed version for at least one paying customer… Any (other) true open source project would’ve made that change available as a patch/branch in the GPL version for the public.
I’m pretty sure I personally would release my patches as open source only if I would change any code for any of these products. But yeah, that would mean that they would never get incorporated into their “real” products…
Nordic Free Software Award Nominee 2008
It seems I’m again (as I was last year) nominated for the Nordic Free Software Award.
They list thirteen nominees, of which there are four organizations/companies. I’m proud to be mentioned in such a swell company.
Unfortunately I cannot be present at the FSCONS itself this year (where the award is being handed over), so all the partying and celebrating the award winner will have to be done without me! 🙂
Another curl scan shows work to do
The nice guys on Coverity did a new scan on curl (the 7.19.0 source code) and they dug a bunch of new flaws. The previous version they checked was 7.16.1, release some 20 months before. The new changes are not only because of how the code has changed in the mean time, but it seems their scanner have improved a bit since the last time as well!
Here’s a sample view of how libcurl might dereference a NULL pointer with a step-by-step explanation on what conditions that lead to the flaw:
They identify 22 flaws and I found it interesting to compare the top list of bad functions as reported by Coverity with the complexity list I showed the other day. First we need to ignore the 9 flaws Coverity found in the ‘curl’ tool code (i.e not within the library). Then the 10 remaining functions with flaws marked by Coverity are:
- Curl_getinfo (4 flaws, all the other ones have one each)
- Curl_cookie_add (present in the complexity top-10 table)
- FormAdd (present in the complexity top-10 table)
- parsedate
- ftp_parse_url_path
- tftp_do
- resolve_server
- curl_easy_pause
- add_closure
- Curl_connect
See? Only two of them were present in that list. The Coverity tool does in fact also count the complexity for each function, and while it doesn’t match the values pmccabe shows exactly, they seem to agree in general about what functions that are the most complex ones.
Ok, now let’s go work on fixing all these problems…
Meizu M3 displays Rockbox
Just days after the nice Sansa v2 LCD screenshots, the guys on the Meizu front brought this picture (photo taken by Frank Gevaerts).
It does show a working LCD driver although of course the colours are all messed up due to some glitch still remaining in there…
It’s somewhat confusing with another model called M3, as Rockbox already runs on the iAudio M3 since March 2008. I think we need to refer to the Meizu M3 as MM3 or perhaps always with Meizu prepended or similar to differentiate between them properly.
Nice job!
Curl Cyclomatic Complexity
I was at the OWASP Sweden meeting last night and spoke about Open source and security. One of the other speakers present was Simon Josefsson who in his talk showed a nice table listing functions in his project sorted by “complexity“. Functions above a certain score are then considered “high risk” as they are hard to read and follow and thus may be subject to security problems.
The kind man he is, Simon already shows a page with a Curl Cyclomatic Complexity Report nicely identifying a bunch of functions we should really consider poking at to decrease complexity of. The top-10 “bad” functions are:
| Function | Score | Statements | Lines | Code |
|---|---|---|---|---|
| ssh_statemach_act | 254 | 880 | 1582 | lib/ssh.c |
| Curl_http | 204 | 395 | 886 | lib/http.c |
| readwrite_headers | 129 | 269 | 709 | lib/transfer.c |
| Curl_cookie_add | 118 | 247 | 502 | lib/cookie.c |
| FormAdd | 105 | 210 | 421 | lib/formdata.c |
| dprintf_formatf | 92 | 233 | 395 | lib/mprintf.c |
| multi_runsingle | 94 | 251 | 606 | lib/multi.c |
| Curl_proxyCONNECT | 74 | 212 | 443 | lib/http.c |
| readwrite_data | 73 | 127 | 319 | lib/transfer.c |
| ftp_state_use_port | 60 | 195 | 387 | lib/ftp.c |
I intend to use this as an indication on what functions within libcurl to work on. My plan is to primarily break down each of these functions to smaller ones to make them easier to read and follow. It would be cool to get every single function below 50. But I’m not sure that’s feasible or even really a good idea.
Rockbox displays stuff on Sansa v2
The small team of Rockbox hackers working on the Sandisk Sansa v2 architecture have been doing some great progress recently and I think it’s fair to say that we all enjoy Rafaël Carré’s photo on the left here (showing a Sansa Clip) that shows the state of where things are right now.
There is code running. There’s a start on a LCD driver and there’s a working concept to put our own bootloader code onto the device that can load and start rockbox in a future.
Nice work on this guys!