Continuing the Open Source audit, I discovered something disconcerting about Protex. I was under the impression that a snippet match would be two pieces of code which match disregarding whitespace. However, this is not necessarily the case.
Protex indicated that a function from a source file is part of a snippet match for a function in MathML (which is GPL).
The function in the source file differs from the MathML one in a number of places. The source file has, as an example, this:

    output.append("&#" + code + ";");

whereas MathML has:

    output.append("&#").append(code).append(";");
There is a good bit more to the snippet, but the two lines above are indicative of the differences between the two files. While the code is functionally equivalent, it is not textually equivalent.
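To make the distinction concrete, here is an added example (mine, not code from the post or from Protex, whose matching algorithm is proprietary and not described here). It compares the two lines quoted above first the way the post assumed a snippet match works, by stripping whitespace and testing for equality, and then with a hypothetical token-level similarity of the kind a scanner might use instead. The token regex, the Jaccard score and the 0.8 threshold are my assumptions for illustration; the sample lines are the ones quoted above.

```python
import re

# The two lines quoted in the post (sample input, copied from the text above).
PROJECT_LINE = 'output.append("&#" + code + ";");'
MATHML_LINE = 'output.append("&#").append(code).append(";");'

_WS = re.compile(r"\s+")
# Lexer for illustration: string literals, identifiers, numbers, single
# punctuation characters. Assumed here; not the tokenizer any real tool uses.
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|[A-Za-z_]\w*|\d+|[^\s\w]')


def whitespace_insensitive_equal(a: str, b: str) -> bool:
    """The comparison the post initially assumed: equal once whitespace is removed."""
    return _WS.sub("", a) == _WS.sub("", b)


def tokens(src: str) -> list:
    """Split source text into lexical tokens (see _TOKEN above)."""
    return _TOKEN.findall(src)


def token_jaccard(a: str, b: str) -> float:
    """Jaccard similarity of the two snippets' token *sets*, in [0, 1].

    Order and repetition are ignored, so reordering calls or swapping
    concatenation for chained .append() barely moves the score. This is a
    hypothetical stand-in for tokenised matching, not Protex's algorithm.
    """
    sa, sb = set(tokens(a)), set(tokens(b))
    if not sa and not sb:
        return 1.0
    return len(sa & sb) / len(sa | sb)


def snippet_match(a: str, b: str, threshold: float = 0.8) -> bool:
    """Report a 'match' when token similarity reaches the (assumed) threshold."""
    return token_jaccard(a, b) >= threshold


if __name__ == "__main__":
    print("whitespace-insensitive equal:", whitespace_insensitive_equal(PROJECT_LINE, MATHML_LINE))
    print("token jaccard:", round(token_jaccard(PROJECT_LINE, MATHML_LINE), 3))
    print("snippet match at 0.8:", snippet_match(PROJECT_LINE, MATHML_LINE))
```

The whitespace-only comparison says the two lines are different, while the token-set score is 0.9 because the only token unique to either side is the `+` operator; everything else (`output`, `append`, `"&#"`, `code`, `";"`, the punctuation) is shared. That is exactly how a scanner can flag textually different, functionally equivalent code as a snippet match, and why a flagged match is a lead to verify by hand, not a finding in itself.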
Unfortunately, given security constraints at the company, they would not allow their source code to be loaded into Protex, so there was no easy way to compare the snippets side by side (which is something Protex normally does). I spent a good while looking for other versions of the function before I did a side-by-side comparison. In doing so and comparing dates, I found other versions of the function on the net which match the one in the project and predate the entry for MathML. They also carry a slightly more permissive license.
Trust, but Verify indeed.