Opened 6 years ago

Closed 6 years ago

#19158 closed enhancement (wontfix)

Open source the JOSM.py Trac plugin

Reported by: Stereo
Owned by: Stereo
Priority: normal
Milestone: (none)
Component: Trac
Version: (none)
Keywords: (none)
Cc: (none)

Description

Would it please be possible to open source and publish the JOSM.py plugin that powers the customisations in the JOSM Trac? Either in the source tree here, or a git tree elsewhere.

Attachments (0)

Change History (4)

comment:1 by stoecker, 6 years ago

Owner: changed from stoecker to Stereo
Status: new → needinfo

Why? There are reasons why that's not done:

  • There won't usually be contributions from outside the current admin team, so we have no advantages
  • Releasing makes it easier to find possible security concerns we may have overlooked
  • Source code would expose a lot of the internal server structure, again making breaking in easier
  • It's only one part of the server code, which heavily relies on other parts like cron jobs, Apache config and so on.

In special cases we already share (parts of) the source with interested persons.

comment:2 by Stereo, 6 years ago

That's a bit chicken-egg. There are no community contributions to most proprietary software :).

Not releasing source code has never stopped anyone from finding security issues in proprietary software. I suspect I have found a possible XSS vulnerability (without looking at the source code), and will investigate and fix it if and when the source code is available and easy to contribute to.

JOSM is an open source project, and how it runs should be open. Linus's law of many eyeballs applies to security bugs.

comment:3 by stoecker, 6 years ago (in reply to comment:2)

Replying to Stereo:

> That's a bit chicken-egg. There are no community contributions to most proprietary software :).

No it's not. JOSM server infrastructure will not be used by anybody else. Contributions will be near zero. So to get it OpenSource you need to present a real reason.

> Not releasing source code has never stopped anyone from finding security issues in proprietary software.

Well, it makes it a lot harder. In more than a decade there have been approx. 3 requests to look at the source (which have been partially fulfilled on an individual basis). This is one of them. Making it open will not help us, but only a possible attacker. And currently the majority of traffic is still SPAM related, so there are attackers.

> I suspect I have found a possible XSS vulnerability (without looking at the source code), and will investigate and fix it if and when the source code is available and easy to contribute to.

Contact me and Vincent by mail if you think so and we'll check it. It's enough to report a reasonable assumption, you don't need to provide a full exploit.

> JOSM is an open source project, and how it runs should be open.

The JOSM server is operated by two people and those people have access to the sources. And no, OpenSource does not mean that everything related to a project must be open.

Also, the majority of the server backend code is my copyright and I did not yet choose a license. That does not mean that it never will be OpenSource, but for the near future it is very unlikely.

> Linus's law of many eyeballs applies to security bugs.

If the code were used outside the JOSM server that may apply, but that will not be the case. The code parts which are useful for others are already OpenSource (translation infrastructure, spam filter, etc).

comment:4 by stoecker, 6 years ago

Resolution: wontfix
Status: needinfo → closed
