
Rules behind using this open source platform

edited April 2008 in Vanilla 1.0 Help
Hope I don't get reamed for asking, but I'm fairly new to the open-source community. I'm part of a development team for a large non-profit organization in Canada who is currently building a community based health website and I have recommended that they use Get Vanilla for their discussion board. The programmer brought up the fact that any additions made to the code, paid for by this non-profit, MUST be given back to the community. For example, if they were to have a function developed that added a "flag as inappropriate" link to each forum entry, they would be required to submit that code back to the Get Vanilla community. Is that how things work? If so, I don't think it's a big deal, but the programmer (who is an independent contractor) is pushing for a proprietary forum software and seems to be trying to convince them to go that route. I just want them to have all the facts in front of them. Any help or advice would be much appreciated! I apologize in advance that this is not a code-related question but I couldn't find any contact info to reach someone directly.


  • More info from the programmer about the validity of using Get Vanilla is posted below - anyone have any comments on this? Is what he's saying true? Does Get Vanilla have a number of security problems? Is it safe for a non-profit to use? Can someone defend Get Vanilla!!?? "I asked a good friend of mine in the Open Source community to really check out the status of Get Vanilla for me. He pulled up the most recent development and bug fix logs and sent it along to me. It appears that 80% of the problems and fixes are security related – people hacking into it. I decided to pass this along to you simply because it shows that this particular open source piece of software is three quarters baked – as is the case for so much open source software. In comparison, when Microsoft releases software to the market, it is fully baked, supportable and ready to go – and you can bet your project’s success on it."
  • edited April 2008
    "...when Microsoft releases software to the market, it is fully baked..."
    HAHAHA! I'm sorry but I literally laughed out loud when I heard that. I just recently started using Windows again and they release "security" updates more than twice a week! This guy is clearly just trying to push to get his own way. But I digress...

    First of all, you can just use "Vanilla" (no Get) as that is the name of the Open Source product. Second, take a look at the Vanilla Bug Tracker. Not very many security bugs there, and those that are in there have been fixed.

    As for licensing, I'm fairly new to the community, but that comment that all extensions MUST be given back to the community seems ludicrous. AFAIK the only requirement about using Vanilla is that the banner you see on the left remain there in some form (it may look different due to themes, I suppose). You may want to contact The Man himself to clear up some of your questions.

    Personally I will always search for an Open Source solution before I move to something proprietary simply because restrictions on OS are phenomenally less. The source code of Vanilla is GPL'd so you can pretty much do whatever you want with it except take and try to sell it as your own product.

    Update: Vanilla has been rock-solid in my LAMP environment. The only time I think stability becomes an issue is when you're trying to run it in obscure environments, but I've only used typical setups...
  • This programmer has also told me that integrating Vanilla into an .Net environment is not worth the trouble. True?
  • My impressions of the "programmer" are that he is pushing what he uses because he has confidence in that. However, that being said, he makes some outlandish statements like the "Microsoft statement" and the "good friend in the Open Source community" which make me wonder. Beware of this independent contractor. They typically try to perpetuate their jobs. Is he on a fixed-fee basis or hourly? You could help yourself and us by asking him to send you the logs he got from his friend. Then send them to Mark (the developer) to check out.
  • This must be the changelog he is referring to: As you can see yourself, there are a number of security fixes on there, along with general developments. You can also see if you dig around a bit that generally these security issues have been discovered and then rapidly resolved and released - part of the benefit of an open source project is everyone can work out exactly what's gone wrong and how to fix it. I think if you buy the 'Microsoft releases software which is perfect' argument then everyone's fighting a losing battle - without sparking a 'Microsoft vs the world' debate, there's plenty of information on the net about security holes in Microsoft products. The difference there is that once holes are found they're generally kept hush so a) people don't get worried and possibly b) so they can be abused in the meantime. The time lag between security issues being found and them being fixed can sometimes be shockingly large. If everything was perfect first time then you wouldn't see so many updates and service packs for MS software. As for whether it's 'safe' for a non-profit to use - I don't see why not. There are certainly plenty of very profitable companies who 'bet their project' on it (let's start with ). You might also hope (if you still have faith in humans) that people wouldn't target non-profit organisations for attacks anyway...
  • Mark (Vanilla Staff)
    edited April 2008
    First of all, the GPL *can* be somewhat restrictive in its use. But I don't think it is nearly as scary as this other developer points out. I'm certainly not in the business of chasing down the people that use it and having them give me back their cobbled-together versions of the software.

    If you want to have all of your questions about the GPL answered, check out this FAQ.

    I should also mention that the new framework I am working on will probably not be released under the GPL. I am thinking about releasing it under an MIT license (which is WAYYY less complicated).

    Finally, about .NET and Vanilla. I wrote Vanilla in PHP, but the framework I program in 90% of the time is .NET. I can safely say that Vanilla and .NET were *NEVER* intended to play together. I know that there have been MSSQL ports of Vanilla in the past (search this forum and you'll find some), but the real headache is going to come when the customer wants to add or change features of the forum and mix/match features from their .NET app into the forum - which is going to mean re-creating .NET procedures in PHP.

    So, I can completely understand why this other programmer guy doesn't want to use Vanilla. He's going about it in a very silly way, though. Instead of making broad sweeping claims about open source software and flat out lying about the security issues in Vanilla, he should have just said, "Integrating two different programming languages, two different databases, and two different session management methods entails a colossal amount of work, and it might not be the right way to go considering our situation."
  • Really appreciate everyone's feedback. This is exactly the info I needed. @minisweeper - yes, that's the log he was referring to. @Mark - Thanks for your feedback. I'm disappointed to not be able to use Vanilla, I think it's a great product and was hoping to have the opportunity to work with it.
  • If he is pushing Community Server, ask him to try to get a change log of security fixes!

    There is a huge cultural difference between open source and closed source projects. I have nothing against Community Server; in fact I think it would be a great solution for you if you wanted a commercial .NET community package.

    Just make note that the source is not the only thing that is open with an open source platform.
  • hmmm.. MIT license?
    MIT License... including without limitation the rights to ... publish, distribute, sublicense, and/or sell copies of the Software ...
    Are you sure you want to do this, Mark? I can envision some struggling startup company (a.k.a. asshole with an LLC) selling Vanilla (under another name, of course) for big cash (yes, people will pay for software like Vanilla, it's that good). Wouldn't that pretty much SUCK if there was absolutely nothing you could do about it? I definitely like the simplicity, but at least find a license that doesn't allow selling the software.
  • IIRC, the GPL allows you to sell the software also--but it requires that if you do so, you must include the source, and you can't restrict those obtaining the source from selling/distributing the software. (Although, you can restrict them from using your trade name)

    Which is how Red Hat can sell Red Hat Enterprise Linux, while the free Fedora still floats around, just under a different name.
  • hmmm, I guess I didn't know that.. interesting.