Excerpt of message (sent 27 August 2009) by SM:
...
CalConnect considers tightening up of the security of the timezone data to be essential. Given that many systems rely on the data being produced, we collectively need a secure distribution (i.e. a secure, reliable server, signed data etc). Whilst there have not been any obvious "attacks" against timezone data, one cannot assume there won't be any in the future. This is a propitious time to achieve consensus on the best way to secure the data. This may very well impose additional requirements on hosting the data in the future (e.g., cost of maintaining the server, signing certificates, etc.).
The problem with security is that it is at odds with the "open model". If you get into signing certificates, you have to determine who signs the data. You invite "attacks" with a "central" model.
I'm not sure that's a real problem. Many open source projects have signed releases. All it means is that whoever volunteers to do the actual distribution (packaging up of the tarball, putting it on the distribution sites) has a signing key and uses it to sign the tarball. It doesn't prevent others from distributing their own, signed or not. It merely means that there exists at least one distribution that has a signature on it.
At 08:43 27-08-2009, Robert Elz wrote:
... The code and data is open source in the sense that anyone can grab it, and do whatever they like with it, but it is 100% closed in the sense that there's exactly one person who gets to actually make the changes.
The code and data goes beyond open source. Anyone can grab it and do whatever they like with it; they can even change the names.
That's true for a lot of open source, too. Don't confuse open source with GPL. GPL is one specific example, and more restrictive than most of the other flavors.
With the right person (which we've been lucky enough to have until now, or rather, probably until now plus the next couple of years or so) this works far better, faster, and more reliably, than any sourceforge type solution, for this kind of (relatively small) project.
Agreed.
True, it's a pretty small project. Then again, a lot of sourceforge-based projects only have one or two developers, too. I think in the final analysis sourceforge is nothing more than a well known supplier of mailing list and file server services. If obtaining those services is an issue, they are one possible solution. If whoever ends up volunteering to be the new lead is in a position of providing space and list services directly -- as ADO has done -- then that works fine too, everything is self-contained. The efficiency and speed you mentioned comes from the size of the team and the specific personalities in it. The provider of the infrastructure doesn't seem to enter into it.

paul