Weekly Open Source Software: Frinika

This post represents the start of something new on this blog. Each week I will make a post about an open source project. In general, I will try to find lesser known software and positively critique it. I hope this will give everyday users a chance to discover new open source software, and give developers a chance to gain feedback.

To start off this weekly event, I would like to mention a music workstation software called Frinika for the Windows, Linux, and Mac operating environments. In simple words, it allows one to create music. It is still in development, but works relatively well.

Like many commercial equivalents, Frinika seems confusing to someone like me who wants to create software. The largest problem with Frinika is the lack of documentation describing how to use the software properly. It would be beneficial to see this project become more user friendly, at least in terms of documentation, which would help create a larger user base.

Nevertheless, from playing with it, it seems to be a very powerful music workstation software. It’s complete with a sequencer, synths, notation editor and piano roll, among many other features. (The one major problem I found when playing with it was that placing notes with the notation editor was hard to deal with.)

23 / June / 2008  Weekly OSS  Comments (0)

“Multiple Security Vulnerabilities” Email

I received two emails regarding supposed security vulnerabilities in an open source content management system I’ve been developing in my free time. Here is the second of their emails:

We are security researchers from Digital Security company [http://dsec.ru].
We found critical vulnerabilities in your system QuateCMS 0.3.4

Unfortunately, we haven’t got any answer from you for 5 days (see
RFPolicy for details: http://www.wiretrip.net/rfp/policy.html), so we
plan to publish advisory about vulnerabilities in QuateCMS 0.3.4 in 5
days.

QuateCMS system has multiple security vulnerabilities:

1. Multiple Local File Includes
2. Multiple Linked XSS vulnerabilities

Contact us for more information.

Digital Security Research Group [DSecRG] mailto:research@dsec.ru

They had found my email address by sending a bunch of emails to my domain name, hoping to catch one.
They list no price, which suggests that they won’t be doing the full evaluation for free. Their main website is in Russian with no English translations. And the website with their policy seems to be a policy pulled from another service company entirely.
I replied:

The QuateCMS is an open source project. If you wish to contribute security fixes feel free to do so on our forums (www.quate.net/board/). We will not pay for security fixes or services that you provide. If you wish to publicly publish security issues regarding the QuateCMS, feel free to do so. Open source projects are about being true to users, which includes releasing potential security vulnerabilities. Publishing this information only helps the QuateCMS.

It is obvious that you found this email address via brute force methods, which says something about this company. Furthermore, the email sent is framed in such a way that it comes close to the blackmail line. I do not think these actions are morally appropriate in most circumstances.

I am already aware of security issues within the QuateCMS. Fortunately the majority of these issues are found within a properly protected administrator area, so they are not of concern at this moment.

- Quate.net Developer

25 / March / 2008  Miscellaneous  Comments (0)

Free Advertising for Open Source Projects

Over at Extreme Tux Racer I came up with an idea of putting advertising on the website to help promote other open source games. There weren’t any objections to the idea.

I went ahead and programmed a basic advertisement randomizer program, and included a banner ad for SuperTuxKart (they had put an in-game ad for Extreme Tux Racer). Two more banner ads were created for the Super Tux platform game and the Free Empires RTS.

One who I assume to be a Free Empires developer told us that he liked the idea, and was willing to create more banner ads.

I hope other open source games and projects alike take similar action. These may not be ads that are paid for, but they are targeted ads that help distribute visitors to various other projects.

24 / March / 2008  Miscellaneous  Comments (0)