Re: [squid-users] GNU GPL Question

From: Daniel Streefkerk <dstreefkerk_at_gmail.com>
Date: Mon, 20 May 2013 22:16:57 +1000

Thanks for the reply Amos. I'm pretty sure they're using Squid to
provide their services, but they are distributing the binaries in the
product they call the "Client Site Proxy". It's a packaged install of
Squid for Windows that's preconfigured to point to their cloud-based
upstream proxies.

As for that blog, that was back in the days before Symantec bought
Messagelabs. I've discussed that with them previously.

On 20/05/2013, at 21:24, Amos Jeffries <squid3_at_treenet.co.nz> wrote:

> Firstly, thank you for bringing this to everyone's attention.
>
> On 20/05/2013 12:54 p.m., Daniel Streefkerk wrote:
>> Symantec provide a version of Squid to their Symantec.Cloud customers
>> that they call the "Client Site Proxy". They've modified the source to
>> add two "encrypted" headers (X-TEACUP and X-SAUCER) to each request,
>> and only provide a Windows version of the product. These headers
>> provide reporting information back to the centralised admin portal. I
>> think one of them contains an encoded username, not sure about the
>> other.
>>
>> They're refusing to provide a Linux version on the grounds that their
>> modifications are "confidential" due to the "encryption" of the
>> headers.
>
> A bogus reason. Squid-3 offers eCAP exactly for the purpose of commercials like this to write their own modules and publish those under different licensing than Squid. If they were doing *that* they would be able to restrict the source code for their module(s).
>
> Also, this blogger appears to have managed to get one out of them: http://blog.periodicfailure.com/?p=22
>
>
>> Seeing as Squid is GNU-GPL licensed and they're providing a commercial
>> product based upon it, aren't they required by GPL to make the source
>> code for their modifications to squid-cache available to the consumer?
>
> Maybe. The key question is whether they are distributing the binaries or just offering access through them?
>
> Squid is released as GPL version 2. Any patches made to a distributed Squid binary fall under its clauses. But, anyone can *use* Squid patched or otherwise to offer a commercial service.
>
> FWIW: Hiding the code on those grounds is a sure sign that their "security" measure is a bogus protection, e.g. rot-13, base-64, X+N cipher or something just as easily broken by knowing the algorithm.
>
> Amos
Received on Mon May 20 2013 - 12:17:10 MDT
