25 Aug 2000 jjw   » (Journeyer)

Why are people so yucky?

So, the deal is that I wrote a silly little Apache module last week that does Kerberos authentication based upon whatever comes through basic authentication. Not a big deal, a little piece of glue code to make Stan's life a little easier. A whole whopping 56 lines of code, and about three hours of my life figuring out how Authen::Krb5 works, writing and testing the module.

So after a week's worth of problems involving the service that was under my authentication code (actually really weird routing problems involving DHCP) I get an email from a guy in the Security Office for IU...

A little background here: I work for the Messaging Team at Indiana University. We do DNS, Email, DHCP, News, DCE, various NT services, and Account generation for the campus. Theoretically for all eight campuses, but right now mostly just two. Most of my job is to be around and write code that any of those services need to stay running in a smooth manner. I also do big design work, so that the amount of glue code necessary (and available to break) stays to a minimum.

So this email from the Security Office basically says that I should have consulted them before I wrote this code (not that they had anything else available), consult them before I write any code that might possibly be used for security and that they should be the maintainers of the code. And I should mail it to them.

So I am in the midst of trying not to freak out. It sounds as though they have basically told me that I am not allowed to write anything that might possibly have a little bit of security involved. Does this involve anything I write that is encrypted? I write code that does all sorts of authentication and authorization. Does it need to be cleared by committee now?

I am probably over-reacting. Hell, I know I am over-reacting, but asking me not to write code that I (or my friends and co-workers) need to do our jobs is a little upsetting. This has been happening with increasing frequency. The "Don't do that, this project will do that later" vaporware thing is definitely going on.

Anyway, my response to this is to get off my ass and register as a developer in CPAN so that I can get the stuff published, then I'll inform them that they can download the code, just like anyone else. It's not a great module, but it works and hasn't shown a problem in tens of thousands of authentications since it went production on Monday. And I wrote it, dammit. I don't care if someone else wants to contribute. That is what open source is all about. But I also don't want it hidden away or co-opted because it falls into someone else's kingdom.

Am I reacting in a completely idiotic way?

