Firstly, thank you for bringing this to everyone's attention.
On 20/05/2013 12:54 p.m., Daniel Streefkerk wrote:
Symantec provide a version of Squid to their Symantec.Cloud customers that they call the "Client Site Proxy". They've modified the source to add two "encrypted" headers (X-TEACUP and X-SAUCER) to each request, and only provide a Windows version of the product. These headers provide reporting information back to the centralised admin portal. I think one of them contains an encoded username, not sure about the other. They're refusing to provide a Linux version on the grounds that their modifications are "confidential" due to the "encryption" of the headers.
A bogus reason. Squid-3 offers eCAP exactly for the purpose of commercials like this to write their own modules and publish those under different licensing than Squid. If they were doing *that* they would be able to restrict the source code for their module(s).
Also, this blogger appears to have managed to get one out of them: http://blog.periodicfailure.com/?p=22
Seeing as Squid is GNU-GPL licensed and they're providing a commercial product based upon it, aren't they required by GPL to make the source code for their modifications to squid-cache available to the consumer?
Maybe. The key question is whether they are distributing the binaries or just offering access through them?
Squid is released as GPL version 2. Any patches made to a distributed Squid binary fall under its clauses. But, anyone can *use* Squid patched or otherwise to offer a commercial service.
FWIW: Hiding the code on those grounds is a sure sign that their "security" measure is a bogus protection, e.g. rot-13, base-64, X+N cipher or something just as easily broken by knowing the algorithm.
Amos