freenode/lisp - IRC Chatlog
7:58:06
shrdlu68
I will be releasing my first significant bit of code shortly, and for the first time I've bothered to sit down and read about all the licenses people use.
7:59:42
axion
There are sites which compare the various licenses in human readable terms. All you really need to know is to use MIT, BSD, or similar if you want something very permissive
7:59:42
shrdlu68
SBCL is mostly public domain. Why don't more people release their code as public domain?
8:00:48
White__Flame
public domain doesn't exist in some jurisdictions, so grabbing a MIT license or something is easier and more clear & comprehensive
8:01:33
jackdaniel
shrdlu68: if you are into free software, go with gpl, if you are after open source, go with bsd ;)
8:02:32
aeth
MIT license seems to be the most common permissive license these days, including in permissively-licensed Common Lisp projects.
8:03:27
aeth
I'd go with the MIT license just for compatibility, but that's just my 2 cents, an idiom that is quite out of date with inflation.
8:04:22
aeth
Whatever you do, do not use LLGPL. It is a custom license only used in the Common Lisp community. Good luck if you ever wind up in court.
8:05:02
jackdaniel
shrdlu68: gplv3 is restrictive in a sense, that it disallows mixing it with proprietary software
8:06:19
aeth
The main options are MIT, BSD, GPL, and maybe LGPL (note the one L, seriously, do not use custom licenses... and that probably includes public domain dedications, if you must do public domain, use CC0)
8:08:13
jackdaniel
shrdlu68: gplv3 clarifies some terms not clarified in gplv2, and prohibits drm afaik
8:08:58
White__Flame
iirc gpl3 was created to restrict 'tivo-ization' and such loopholes around not actually shipping with source
8:09:54
aeth
Iirc, it's also somewhat controversial because GPLv3 is more explicitly ideological rather than just copyleft, which is why e.g. Linux isn't switching to GPLv3 even if they could (they couldn't because they don't have a CLA or a "GPLv2 or later" license)
8:10:32
shrdlu68
What I'm concerned with is, if I release code as GPLv3, will the rest of the "community" benefit from it?
8:10:44
aeth
Iirc, macOS ships with the last versions of GNU software that are on GPLv2 (terribly out of date by now)
8:11:50
jdz
shrdlu68: I won't even look at the code lest I learn something and use it in my own code.
8:12:02
aeth
But, really, no one is going to be selling a proprietary fork of your desktop application made in Common Lisp in the year 2017 (or in the year 2027) so the GPL doesn't really make a difference imo, even there.
8:12:34
aeth
Proprietary companies don't even make desktop applications anymore. They just wrap a whole web browser and call it desktop.
8:13:17
jackdaniel
shrdlu68: if you are after widest adoption, go with BSD/MIT/ISC, if you are after empowering users (i.e. by supporting free software movement), go after GPL
8:14:06
aeth
shrdlu68: You'd have to ask Xach to be sure, but afaik, the most popular license in the Lisp ecosystem right now is the MIT license. So if you wanted maximum compatibility, you should go with the most popular license. If you really don't want a closed source fork at the expense of not really having many users, use the GPL.
8:15:21
jdz
I'm also not sure what's the deal with contributing to GPL code -- AFAIK FSF requires a signed paper to actually be able to accept "significant" contributions.
8:16:13
aeth
FSF wants copyright assignment. Some other organizations that use the GPL also do this, but probably for less noble reasons than the FSF.
8:16:26
jackdaniel
jdz: GPL is a license, GNU is the operating system. GNU software requires assigning rights to FSF by contributors
8:17:09
aeth
If you don't have copyright assignment, it's harder to sue for GPL violations (the main reason FSF wants it) and it's also harder to relicense if there's an issue with the license (which is why it's basically impossible for Linux to go to GPLv3)
8:19:06
shrdlu68
Wait, my code depends on a bunch of other lisp projects, most notably ironclad, babel, and usocket.
8:20:20
shrdlu68
What restrictions does this impose on the license I can choose (the fact that I have dependencies ^)
8:20:58
aeth
shrdlu68: licenses like the GPL are universal receivers, licenses like the MIT license (which usocket and babel use) are universal donors... practically speaking. The GPL has some licenses it isn't compatible with, but they're usually very unpopular (in part because of that reason) and the MIT license does have *some* restrictions, just not many.
8:21:16
White__Flame
yeah, I'd be quite interested to try it. TLS libs have been a nightmare to set up for a more casual user, so if things like key generation/conversion/registration are part of easy repl utilities, that'd be wonderful
8:21:30
White__Flame
and a new lib generally means it doesn't have all the whizbangies around config that mature implementations do
8:23:12
aeth
just never (declare (optimize (speed 3) (safety 0))) because then you have basically no security advantage over C
8:23:15
jackdaniel
shrdlu68: you may give any license to your software, resulting license of a combined software though depends on dependencies
8:25:53
shrdlu68
One other reason I'm favoring GPLv3 is because no other TLS implementation adopts it. It might prove useful to someone that way.
8:59:14
minion
andrzejku: have a look at PCL: pcl-book: "Practical Common Lisp", an introduction to Common Lisp by Peter Seibel, available at http://www.gigamonkeys.com/book/ and in dead-tree form from Apress (as of 11 April 2005).
8:59:44
beach
shrdlu68: I would love to use some version of the GPL for my projects. Unfortunately, many Common Lisp people are against it. I suppose some of them would just like to use the software and not distribute modifications. Others just really dislike anything that has to do with Stallman and the FSF. For that reason I am using a 2-clause BSD license these days.
9:00:10
beach
andrzejku: That doesn't concern us since Common Lisp is not a "functional language" in that sense.
9:00:27
flip214
beach: AFAIU the problem with GPL (as opposed to LLGPL) is that they can't get money for standalone binaries.
9:01:19
jackdaniel
andrzejku: then here's your answer: it's not ;) question whether it's better than other languages is debatable and prone to opinions
9:03:41
shrdlu68
I guess the FSF raises issues that are too profound for most people when all they want is to share some code.
9:03:46
jackdaniel
I can see merit in that, I'm listening about all the new law proposals pushing for putting "authorized backdoors" in software, not very much encouraging for using prop binaries. but it's offtopic, sorry ;)
9:09:00
jackdaniel
flip214: what kind of argument is that? "there's no point in working for change, because things are getting worse anyway (because nobody works for change)"
9:09:43
jackdaniel
or, my vote won't change *anything* – claim of 50% of society in Poland. 50% – 20 million people, if they would vote on anything, it would make a difference
9:10:01
flip214
jackdaniel: no, my point is that requiring GPL (instead of LLGPL, for example) for everything hurts the economy more than the small benefit people would have w.r.t. backdoors
9:11:24
flip214
but if someone wants the source of the software I write, I might want some more $$$ for that. (_might_, remember.)
9:12:54
White__Flame
if there are mandatory back doors, I think more users/customers will start demanding source
9:13:15
White__Flame
or maybe some sort of trusted "Consumer Reports" style service will emerge, analyzing security
13:03:49
_death
the only difference between having source code and not having source code is the amount of effort it takes to analyse the software
13:21:40
ogamita
_death: assuming the binary code is not obfuscated, which is becoming the rule for software you don't have the sources anyways.
13:23:29
ogamita
_death: cf. https://www.intertrust.com/products/application-security/code-protection/
13:23:49
ogamita
yes, just widens it to cryptographic problems, for which you need more than the lifetime of the universe. Good luck.
13:24:22
_death
ogamita: come now.. this or that product doesn't mean anything.. if it runs on your machine, it can be reversed
13:24:56
_death
ogamita: nowadays they try to use hypervisors and such.. still, the cat wins every time
13:25:38
ogamita
_death: whitecryption implements whitebox cryptography: you can watch the RAM, you can trace the execution, and you still can't get the secret keys.
13:26:34
ogamita
cf. https://scholar.google.fr/scholar?q=whitebox+cryptography+thesis&hl=en&as_sdt=0&as_vis=1&oi=scholart&sa=X&ved=0ahUKEwirreOlm-rSAhWLfhoKHQ1fB20QgQMIGjAA
13:26:50
_death
at least their marketing is somewhat honest.. "To succeed, they must crack the entire protection regime at once, which is an extremely difficult and time consuming task."
13:27:32
White__Flame
plus, if it's a decryption step, you can just let it run and later look at the output
13:28:15
iago
_death: I guess it works when the effort to reverse it, is higher than the effort to implement it from scratch
13:29:04
White__Flame
if you're a black hat, you're not interested in reimplementing, but compromising and/or spying
13:32:03
jackdaniel
i thought we were talking about practical difference? in theory program is just data
13:33:22
jackdaniel
yes, but it's a hard and resource-consuming task, so saying about "the only difference" is a bit inaccurate
13:35:01
_death
I think it became much more accessible and commercialized in the last decade.. I suppose that's why I lost interest :D
13:37:51
_death
White__Flame: reverse engineering.. although my old RE skills help me greatly when I need to understand other people's code of course :)
13:38:38
jackdaniel
also regarding RE – having disassembled code isn't the same as having source code. compiler may use tricks to simplify code, but source may contain ideas lost in translation (but working accurately)
13:39:06
ogamita
Indeed. One may prefer to have a good specification document rather than source code.
13:39:08
White__Flame
I'm still building RE tech, but I'm severely disinterested in the whole cybersecurity industry, after working on some major projects and taking some contracts. Of course, I'll take a paying gig in the industry, but not pursuing it
13:39:35
ogamita
With good specs, you can usually re-implement easily on new systems or hardware. With just the code, it's often more work or economically impossible.
13:40:01
White__Flame
almost nobody understands cybersecurity, and want non-invasive turnkey products (which beltway bandits are happy to provide). it makes no sense and is too self-defeating to have any interest there
13:40:43
_death
jackdaniel: it's the reverser's job to recover that information.. and yes, some things (rationale etc.) are lost, but even with source code they're sometimes lost in the translation from thought to code
13:42:21
_death
White__Flame: to me it looks like the "cyber" buzzword was invented by governments.. and I prefer to not deal with such entities :)
13:43:56
ogamita
_death: http://paste.lisp.org/display/342086 Here you have even the "source" (obfuscated). Let's see if you can restore the original source.
13:46:19
_death
ogamita: it's just a state machine.. simple VMs like this are very old tricks and well understood
13:47:53
White__Flame
I've broken a lot of that style from .swf files; normally it's just a single static propagation that brings you to the "real" code, after making a bunch of pointless obfuscated jumps
13:48:30
White__Flame
obviously that pasted code involves decryption keys and traps and such, but it's generally a simple linear path
13:49:02
_death
ogamita: also in this case, much of this "obfuscation" disappears, or is lessened by just compiling it
13:49:43
_death
White__Flame: I think that code just returns which mode to use based on info.algorithm
14:00:48
_death
I remember when the army interviewed me... they asked me what I liked better, reverse engineering or programming.. I answered the latter, they were surprised (dismayed, maybe).. and programming it has been for the last decade
14:20:49
_death
ogamita: I think the first instance of source-based obfuscation I encountered was with PCBoard Programming Language (PPL) sources.. there was a simple decompiler called PPLD, but because some tool was written to obfuscate the source someone wrote another decompiler, PPLX, that also performs analysis to remove the obfuscation.. I also wrote an obfuscator then called PPLE :)
14:21:39
ogamita
Well, it's related: you would definitely use lisp to write reverse engineering tools.
14:23:58
_death
ogamita: at my previous job, some people wrote games in lua and they dumped high scores and such as lua objects (actually lua code) instead of using json or whatever.. when they moved to using unity and C# they didn't know how to read those objects... so I wrote some minimal interpreters in lisp for the two lua implementations they used
14:24:37
_death
ogamita: later I had to write it in C# but for experimentation Lisp was great of course :).. the whole thing took a day
17:30:29
beach
You should start respecting the accepted Common Lisp style if you want to submit code for others to read.
17:35:56
nyef
Also looks like it might still behave as a program if it were compiled as C++ rather than as C?
17:48:50
nyef
Yeah, I don't know why "holy" has a long o and "holly" a short o, but that seems to be the primary difference in pronunciation.
18:05:03
nyef
Yeah, the code in the paste that you gave above, even (or especially) uncommenting the LOOP form, isn't exactly optimal in terms of declared types, and plausibly doesn't even do what you think it does.
18:36:22
didi
I don't understand the results of https://paste.debian.net/hidden/1f7b83dd . When I run the program with `'negate' I get an undefined function error, but when I run it with `#'negate', I get the result I expected, i.e. (-1 -2 -3).
18:37:29
Bike
(mapcar 'negate ...) is short for (mapcar (symbol-function 'negate) ...), and symbol-function looks up global functions only