Computer security: When "free" gets even more restrictive

In a previous Bulletin article, we discussed the problem of free software and why "free" does not necessarily mean "free of charge" or, in the CERN context, why "free" software should not be used for professional or educational purposes. Here is a new theory as to why the situation might get worse!

First of all, a "free" licence might insist upon "personal usage only". But this does not mean it is a single-user licence allowing you to install the software as an individual for professional purposes. It instead refers to the software’s deployment at home and for completely private projects, not related to your profession, your job or the paid work you do. At most, it might permit professional testing for a (short) evaluation period or for you to "try it out". Care must be taken here, too, as "trying out" is definitely not an activity that is supposed to last forever.

Other "free" licences might authorise the software to be used by, for example, "small teams", even for professional purposes. While this sounds good, it also has a snag: CERN is a big organisation comprising many entities. While you might have deployed software for your "small CERN team", other teams at CERN might have considered this too (and already done so!). So, the software vendor might see the bigger picture and conclude that CERN as a whole is contravening its licence conditions. And indeed, some have already pointed such a situation out to us and have pushed for CERN to subscribe to one of their professional licence packages. Are you prepared to contribute to these costs?

Finally, there is the "educational licence" for universities, generally intended for classroom usage. CERN is an academic institution and part of our campus can be fairly considered to be university-like. Our mission statement stipulates that we "enable research at the forefront of human knowledge[,] perform world-class research in fundamental physics[, and] unite people from all over the world to push the frontiers of science and technology, for the benefit of all" – a purely academic activity. We give lectures to students, and even issue certificates or diplomas through the CERN Accelerator School, CERN School of Computing (even leading to ECTS points), the CERN Teachers Programme and Beamline for Schools, among others. However, our academic environment, our fundamental research, lectures and seminars, as well as those certificates and diplomas, might not be sufficient for CERN to be entitled to an educational licence. Worse, and here is the new theory, licence conditions change. What was allowed for version 1.2.3 might not be the case any more for version 1.2.4. Eligibility changes. Terms change. The scope changes. Figuring all this out can be extremely cumbersome, as software vendors do not necessarily point you directly to the changes to their licence conditions! A formerly valid "free" licence might become a liability for CERN...

So, don't put the Organization at risk! Please check out the licence conditions carefully and read the fine print – not only when considering software for the first time, but also when updating it. If in doubt, please contact the CERN Software Licence Officer or the CERN-IPT Purchasing Service. If you want to stay on the safe side, check out the full portfolio of CERN-provided software via CMF for Windows PCs, LXSOFT for Linux systems and the CERN/Apple Mac Self-Service. Dedicated licences are also available for engineering software and for control software. A register of all centrally purchased licences can be found here: https://slma.cern.ch/slma.

_________

Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report. For further information, questions or help, check our website or contact us at Computer.Security@cern.ch.