FW: New home for time zone stuff by 2012?

Paul Koning Paul_Koning at Dell.com
Thu Aug 27 16:53:06 UTC 2009


Excerpt of message (sent 27 August 2009) by SM:
> ...
> >CalConnect considers tightening up of the security of the timezone data
> >to be essential. Given that many systems rely on the data being produced,
> >we collectively need a secure distribution (i.e. a secure, reliable
> >server, signed data etc). Whilst there have not been any obvious
> >"attacks" against timezone data, one cannot assume there won't be any in
> >the future. This is a propitious time to achieve consensus on the best
> >way to secure the data. This may very well impose additional
> >requirements on hosting the data in the future, e.g., cost of
> >maintaining the server, signing certificates etc).
> 
> The problem with security is that it is at odds with the "open 
> model".  If you get into signing certificates, you have to determine 
> who signs the data.  You invite "attacks" with a "central" 
> model. 

I'm not sure that's a real problem.  Many open source projects have
signed releases.  All it means is that whoever volunteers to do the
actual distribution (packaging up of the tarball, putting it on the
distribution sites) has a signing key and uses it to sign the
tarball.  It doesn't prevent others from distributing their own,
signed or not.  It merely means that there exists at least one
distribution that has a signature on it.

> At 08:43 27-08-2009, Robert Elz wrote:
> >...  The code and data
> >is open source in the sense that anyone can grab it, and do whatever 
> >they like
> >with it, but it is 100% closed in the sense that there's exactly one person
> >who gets to actually make the changes.
> 
> The code and data goes beyond open source.  Anyone can grab it and do 
> whatever they like with it; they can even change the names.

That's true for a lot of open source, too.  Don't confuse open source
with GPL.  GPL is one specific example, and more restrictive than most
of the other flavors. 

> >With the right person (which we've been lucky enough to have until now,
> >or rather, probably until now plus the next couple of years or so) this
> >works far better, faster, and more reliably, than any sourceforge type
> >solution, for this kind of (relatively small) project.
> 
> Agreed.

True, it's a pretty small project.  Then again, a lot of sourceforge
based projects only have one or two developers, too.  I think in the
final analysis sourceforge is nothing more than a well known supplier
of mailing list and file server services.  If obtaining those services
is an issue, they are one possible solution.  If whoever ends up
volunteering to be the new lead is in a position of providing space
and list services directly -- as ADO has done -- then that works fine
too, everything is self-contained.

The efficiency and speed you mentioned comes from the size of the team
and the specific personalities in it.  The provider of the
infrastructure doesn't seem to enter into it.

       paul
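
The signed-release model Paul describes, as an added example that is not part of the original thread or of the tz project: whoever volunteers to distribute signs the exact tarball bytes with a long-lived key and publishes a detached signature next to the tarball; anyone else may still mirror the tarball, signed or not, and a consumer who has pinned the distributor's public key can tell the signed copy from a modified or unsigned one. Ed25519 from Go's standard library, the key fingerprint scheme and the sample file contents are assumptions made for this illustration, not anything the tz project uses.

```go
package main

import (
	"archive/tar"
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"log"
)

// releaseFile is one entry of the constructed sample tarball.
type releaseFile struct {
	Name string
	Body string
}

// sampleRelease is constructed stand-in content, not real tz data.
var sampleRelease = []releaseFile{
	{"tzdata/northamerica", "# constructed sample, not real tz data\nZone Example/City ...\n"},
	{"tzdata/NEWS", "Release 20xx - constructed sample\n"},
}

// buildTarball packs the files into an in-memory tar archive in the given
// order, so the same input always yields the same bytes to sign.
func buildTarball(files []releaseFile) ([]byte, error) {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, f := range files {
		hdr := &tar.Header{Name: f.Name, Mode: 0o644, Size: int64(len(f.Body))}
		if err := tw.WriteHeader(hdr); err != nil {
			return nil, err
		}
		if _, err := tw.Write([]byte(f.Body)); err != nil {
			return nil, err
		}
	}
	if err := tw.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// generateDistributorKey creates the signing key held by whoever volunteers
// to package and publish releases. The public half is what consumers pin.
// (Ed25519 is an assumed algorithm choice for this example.)
func generateDistributorKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// keyFingerprint gives a short identifier a consumer can compare against a
// value learned out of band (project page, an earlier trusted release, ...).
func keyFingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// signRelease produces a detached signature over the exact published bytes.
func signRelease(priv ed25519.PrivateKey, tarball []byte) []byte {
	return ed25519.Sign(priv, tarball)
}

// verifyRelease is the consumer-side check: does this tarball carry a valid
// signature from the key I chose to trust? An unsigned mirror copy (nil
// signature) or a copy signed by someone else fails here.
func verifyRelease(pub ed25519.PublicKey, tarball, sig []byte) bool {
	if len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, tarball, sig)
}

// tamper returns a copy of the tarball with one byte changed, modelling a
// modified copy obtained from an untrusted mirror.
func tamper(tarball []byte) []byte {
	out := append([]byte(nil), tarball...)
	out[len(out)/2] ^= 0x01
	return out
}

func main() {
	pub, priv, err := generateDistributorKey()
	if err != nil {
		log.Fatal(err)
	}
	tarball, err := buildTarball(sampleRelease)
	if err != nil {
		log.Fatal(err)
	}
	sig := signRelease(priv, tarball)
	fmt.Println("distributor key fingerprint:", keyFingerprint(pub))
	fmt.Println("signed copy verifies:       ", verifyRelease(pub, tarball, sig))
	fmt.Println("tampered copy verifies:     ", verifyRelease(pub, tamper(tarball), sig))
	fmt.Println("unsigned mirror verifies:   ", verifyRelease(pub, tarball, nil))
	otherPub, _, _ := generateDistributorKey()
	fmt.Println("verifies under another key: ", verifyRelease(otherPub, tarball, sig))
}
```

The point of the last two checks is the one made in the message: the signature does not stop anyone from redistributing the tarball, it only lets a consumer who already knows which key to trust recognise the copy that key vouches for. The consumer's real work is obtaining and pinning that public key through a channel other than the download itself.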