Torsten Curdt’s weblog

Abuse of the open source idea

I just heard about the business model of insecure.com. And while searching for a different, more PC way of saying this, all I can think of is “I am so pissed off”.
Insecure are the initial copyright holders of the well-known security scanner nmap. Nmap is released under the GPL license …BUT they come up with their own definition of derived work. (see here)

…Note that the GPL places important restrictions on “derived works”, yet it does not provide a detailed definition of that term. To avoid misunderstandings, we consider an application to constitute a “derivative work” for the purpose of this license if it does any of the following:

  • Reads or includes Nmap copyrighted data files, such as nmap-os-fingerprints or nmap-service-probes.
  • Executes Nmap and parses the results (as opposed to typical shell or execution-menu apps, which simply display raw Nmap output and so are not derivative works.)
  • Links to a library or executes a program that does any of the above

Now if you want to parse the XML output of nmap, your program has to be under GPL or you have to pay insecure.com a one-time license (5-digit number …depending on the customer) plus a 4-digit number as annual fee. And they think it’s totally ok…

…We don’t consider these to be added restrictions on top of the GPL, but just a clarification of how we interpret “derived works” as it applies to our GPL-licensed Nmap product. This is similar to the way Linus Torvalds has announced his interpretation of how “derived works” applies to Linux kernel modules. Our interpretation refers only to Nmap – we don’t speak for any other GPL products. …

…but I’d call it an abuse of the open source idea. They use the viral nature of the GPL license to protect “their” product. On the other hand they happily accept support from the open source community. Actually I don’t want to believe this is really ok …legally. I am also wondering if Mr. Torvalds knows he has been used as a reference here.

In this very case finding this note in the man page feels almost like a slap in the face:

This product includes software developed by the Apache Software Foundation (http://www.apache.org/).

Java Dates and other crap

Is it just me who thinks that the Java time/date/calendar handling just sucks? Here are some points that come to my mind straight away…

  • The distinction between date and time is blurry. Basically because there is no Time object that just takes the hour, second and millisecond values.
  • Why are the explicit constructors of the Date object deprecated? Well, probably because Java aims to support different Calendars. Fine! But where is the connection between them? Shouldn’t the Calendar then act as Date-Factory?
  • Let’s say you want to increase your position in the timeline by one day. What you want to do is to add a day to the date which reflects a certain point inside the Calendar. But with the current API you add it to the calendar. Just think about this sentence and you see how awkward this is. Using the Calendar object as the main computation object just feels wrong.
  • …I could go on and on

Does anyone know a good alternative? Google revealed the joda time API which at first glance looks much better. Any other suggestions?

That was ApacheCon 2004

So I just got back from the ApacheCon 2004 in Las Vegas. It’s amazing how time went by. 5 days of geek talks, questions, answers, sharing of ideas and visions.

Things have changed since my last ApacheCon in 2001. This time I somehow felt more like being part of this little family we call the ASF. A lot of putting faces to names …especially with people from different projects.

Quite some people shared my impression that the social aspects of this gathering are even more important than the content of the sessions themselves. A lot of people go there for the people. …still sessions are a quite useful topping. Being a speaker that’s at least what I hope. In fact an “extraordinary topping” were the lightning talks chaired by Stefano “the jester” Mazzocchi and Brian Fitzpatrick. Great fun!

As for Vegas I am glad so many raised their hands when Ken asked whether we should have the ApacheCon US somewhere else next year. It’s just not my type of city. Many cities in the US have so much more to offer than a fake Disneyland for adults where people walk around with a beer in public just because it’s allowed. Some shows might be great and some hotels are impressive but I think the real sights are surrounding Vegas and I feel very sorry I had not enough time to go out to the desert, see the Grand Canyon or things like that …escaping the clicking noises of gambling machines.

As for the hotel …that was pretty much a bad joke. A (quite entertaining) keynote from Doc Searls covered all the little annoying details of the venue. To be honest: for a short moment I was tempted trying to get a better rate at the checkout …having in mind how much I paid when I was in (a really great) hotel in downtown Sydney. Usually one should try to claim money back under such conditions.

Anyway …I guess most people will come back no matter where to. At least I will :-D There was an on-site Derby coding contest sponsored by IBM. And since I heard there were hardly any submissions, I did a tiny submission and did win a free ApacheCon 2005 registration including airfare. Not that I am proud of winning it like that …but it was worth a try.

I doubt I’ll spend it on the ApacheCon Europe though. It’s in Stuttgart, Germany ;-)

Continuations through JIT compiler

There is a very interesting paper on a potential way of getting native Java continuations into the JVM. I am wondering if a new JIT compiler might be a future way to go. I came across this open source JIT compiler implementation that potentially could be used as a basis.

Ready for Vegas

Heading off to Vegas in a few minutes… it’s ApacheCon time!