Here's my take on the situation: Since anyone using an open-source
library to send transactions to Vital can potentially modify the code,
they are essentially becoming Vital developers. I have a feeling that
Vital might want to have anybody using such a library to get their own
certification to go along with it, before they start processing. From a
security standpoint, that's not a bad thing.

Frank Davis

-----Original Message-----
From: snacktime [mailto:snacktime / gmail.com] 
Sent: Sunday, December 31, 2006 2:07 PM
To: ruby-talk ML
Subject: Re: Open source credit card processing in ruby

On 12/31/06, Francis Cianfrocca <garbagecat10 / gmail.com> wrote:
> On 12/31/06, M. Edward (Ed) Borasky <znmeb / cesmail.net> wrote:
> >
> > From a technical perspective, I don't think open vs. closed source
> > really has any security impact. I don't think it's any easier or any
> > harder to attack or otherwise compromise open or closed source software.
>
> Many security practitioners prefer open-source implementations because it's
> easier to audit them. I have to ship security-sensitive code all the time,
> and my company's large-company customers have always preferred that
> *everything* we ship be on open-source.
>
>
I'm mainly concerned about people modifying the source.  Even though
it's open source, it's also certified, and any changes that affect
messages sent to Vital require re-certification.  There is also the
danger that Vital could at any time refuse to certify open source
implementations.  If someone modifies the code and starts sending in
corrupt batches or causes other problems, that could happen rather
quickly.

Another option would be to make it free but not open source.  The
source could still be provided for review to those that need it, but
would require signing a simple contract to not release the source, and
not to modify it unless you were a Vital developer, which only costs
$100.  But with those restrictions I doubt many people would even use
the software.  It has a limited market to begin with, even though
there is nothing out there like it that isn't fairly expensive.