Copyleft Currents

Stirrings in the Kernel Module Debate

Heather Meeker — Mon, 23 Apr 2012 18:04:34 +0000

There has been recent public comment from Alan Cox regarding whether proprietary Linux kernel modules are allowed under GPL. Cox is a significant kernel contributor, and the commentary appears to be aimed at preventing estoppel arguments or supporting claims for willful copyright infringement (which could result in enhanced damages). Binary modules of some types have long co-existed with the GPL kernel, but what is allowed and what is not has long been a subject of controversy -- even mystery -- in GPL interpretation. Public comment on the topic has historically been rare.

Alan Cox comments, "I'm a rights holder.... The code I provided is licensed under the GPL. Whether the symbol is EXPORT_SYMBOL or EXPORT_SYMBOL_GPL any derivative code (eg code that requires the kernel be modified to match it) cannot call it.

I'm recommended by my lawyer to always remind people of this when such a claim is made. It ensures that triple damages for wilful infringement will apply unless the other party can show it reviewed the situation carefully and its appropriately qualified legal staff reached a different conclusion."

Also, "The GPL covers *all* derivative works. EXPORT_SYMBOL doesn't magically make code non-derivative. If you need to modify the kernel to make your driver work *and* you want to claim it is not derivative then I hope there are good lawyers involved 8-) The kernel is GPL, all derived works of a GPL codebase are required to be GPL. There is no magic rule about modules. I've stated that repeatedly for anything containing a line of code I own. GregKH [Greg Kroah-Hartman] has made it very clear for his code, and so it goes on."

Cox and Kroah-Hartman are both listed on the Linux Foundation's list of top individual contributors in its March, 2012 paper on Linux development.

Many kernel-adjacent developers have looked to EXPORT SYMBOLs to understand the intent of kernel developers as to what interfaces can support proprietary modules.

A previous public comment by Cox said:

"Since you've asked this I'm advised by my lawyer to respond to all such assumptions of legality of binary modules...For a Linux kernel containing any code I own the code is under the GNU public license v2 (in some cases or later), I have never given permission for that code to be used as part of a combined or derivative work which contains binary chunks. I have never said that modules are somehow magically outside the GPL and I am doubtful that in most cases a work containing binary modules for a Linux kernel is compatible with the licensing, although I accept there may be some cases that it is."

This discussion string referred to whether "shims" can be used to cause proprietary modules to interface with EXPORT_SYMBOL_GPLed code.

SPDX and the Meaning of Life

Heather Meeker — Wed, 18 Apr 2012 04:18:43 +0000

The Linux Foundation is moving forward with its SPDX (Software Package Data Exchange) project, which is an industry-wide project to simplify and standardize the way suppliers and customers share bill of materials information about open source software throughout the supply chain. Identifying, preserving, and verifying the meta-information about software components that is necessary to comply with open source licenses has emerged as the eternal question for redistributors of open source in the private sector. In fact, the difficulty -- not to mention the tedium and resource diversion -- necessary to convey this information accurately, along with proper notices, is one of the biggest challenges in open source today. In other words, laying aside all the areas of legal ambiguity surrounding open source licensing -- like juicy derivative works questions or the arcane patent terms of GPLv3 -- and assuming one actually knows how to comply with the license, how does one actually do it? A sophisticated product can contain hundreds or thousands of open source components, and cataloging them is a daunting administrative task that requires both legal and technical training. Most companies are currently reduced to creating excel spreadsheets ad hoc, extracting information from scanning utilities like the Black Duck and Palamida software tools, or throwing up their hands in frustration. SPDX is an effort to formulate a protocol for storing and delivering the relevant information, aimed to become a standard acceptable to all links in the supply chain.

The effort is ambitious, and may aptly compared to herding cats or solving the meaning of life, but those involved in open source compliance, across the board, understand that it must be done. Participation in the workgroup is open to all. For more information, see http://spdx.org/.

Open Source Paintball Sentry Gun

Heather Meeker — Sat, 31 Mar 2012 18:51:22 +0000

Based on Arduino. For those of us who want to scare away would-be attackers with the pure force of our nerdiness.

Live Free or Die (Whichever is Cost-Effective)

Heather Meeker — Tue, 07 Feb 2012 22:16:10 +0000

In a precedent-setting move, New Hampshire has enacted HB 418-FN, a bill that directs administrative agencies in the state to consider open source on a level economic playing field with proprietary software, and to favor open standards. State agencies are required to "Consider whether proprietary or open source software offers the most cost effective software solution for the agency, based on consideration of all associated acquisition, support, maintenance, and training costs" and to "Avoid the acquisition of products that do not comply with open standards for interoperability or data storage."

The bill contains a definition of open source software that is not dissimilar to, but not quite the same as, the Open Source Definition and the Free Software Definition: (a) Unrestricted use of the software for any purpose; (b) Unrestricted access to the respective source code; (c) Exhaustive inspection of the working mechanisms of the software; (d) Use of the internal mechanisms and arbitrary portions of the software, to adapt them to the needs of the user; (e) Freedom to make and distribute copies of the software; and (f) Modification of the software and freedom to distribute modifications of the new resulting software, under the same license as the original software.

Perhaps more interesting is the definition of an "open standard," a standard that:

(a) Is free for all to implement and use in perpetuity, with no royalty or fee;

(b) Has no restrictions on the use of data stored in the format;

(c) Has no restrictions on the creation of software that stores, transmits, receives, or accesses data codified in such way;

(d) Has a specification available for all to read, in a human-readable format, written in commonly accepted technical language;

(e) Is documented, so that anyone can write software that can read and interpret the complete semantics of any data file stored in the data format;

(f) If it allows extensions, ensures that all extensions of the data format used by the state are themselves documented and have the other characteristics of an open data format;

(g) Allows any file written in that format to be identified as adhering or not adhering to the format; and

(h) If it includes any use of encryption or other means of data obfuscation, provides that the encryption or obfuscation algorithms are usable in a royalty-free, nondiscriminatory manner in perpetuity, and are documented so that anyone in possession of the appropriate encryption key or keys or other data necessary to recover the original data is able to write software to access the data.

Open standards definitions are elusive -- you've got to admire the Granite State for trying.

The bill further mandates "principles of open government data" aimed at transparency and free availability of data.

On a personal note, I am always pleasantly surprised when anyone in government appears to be thinking about what is cost effective.

PS Thanks to Mark Radcliffe for the scoop on this.

Open Source in US Defense Acquisition

Heather Meeker — Thu, 26 Jan 2012 22:49:06 +0000

On Jan 12, 2012, the Department of Defense held a public meeting inviting comment on the use of open source software in defense contracting. Written comments were submitted by various organizations including the Aerospace Industries Association. Those comments lay out the questions posed by the DoD regarding risks that open source software includes proprietary software (i.e. is infringing), ability of contractors to get support for open source software, and whether the DFARs (Defense Federal Acquisition Regulations) should be revised to clarify the rights granted the government under licenses like GPL. The AIA's comments also raise the question of whether export restrictions are "additional restrictions" that conflict with GPL. Another set of comments addressed the question of whether Apache 2.0, paragraph 9, which "provides that the licensee indemnifies the developer in certain circumstances," conflicts with the Antideficiency Act (ADA) 31 USC 1341. The ADA prevents the government from incurring of obligations in excess of appropriations or funds.

Linux Coffee Roaster

Heather Meeker — Tue, 24 Jan 2012 16:16:51 +0000

I don't know about you, but when I get up in the morning, I always think: the only thing that would make this cup of coffee better would be if it were made with open source software. Until I decide to devote an entire computer to roasting coffee, open source caffeine will have to remain a dream for me.

Mozilla 2.0 Published and Approved

Heather Meeker — Tue, 03 Jan 2012 19:12:44 +0000

Mozilla Public License 2.0 has been released, has been approved as an open source license by the Open Source Initiative, and has been approved as a free software license by FSF.

Koha Trademark Dispute

Heather Meeker — Tue, 06 Dec 2011 18:58:50 +0000

An open source project in New Zealand is involved in a trademark dispute.

If you want to see an example of the kind of reporting about open source legal matter that drives lawyers like me to distraction, take a look at this article. It describes the dispute as just about everything except what it is -- a trademark interference. "A small New Zealand library is fighting to keep its trademark free software from the clutches of a United States corporation." It's actually a dispute about the trademark, not the software copyright. "[A]n American company named LibLime has hijacked the system and wants to use it for its own private client base." Hijacked? If it's open source, it's free to use and modify, though there may be a separate trademark issue. Also the URL for the article calls it "Small-library-fights-US-corporation-over-software-patent" and there are no patents in sight.

But apparently the publicity worked, as the project, according to its own blog post linked above, got many donations to a legal fund, and also pro bono representation. A deal is reportedly being brokered to assign the trademark to a non-profit representing the Koha community.

When is Open Source not Open Source?

Heather Meeker — Mon, 24 Oct 2011 21:08:33 +0000

A recent article in Network World contained some interesting caveat emptors about marketing open source software. The first part of the article -- discussing whether open source is really free or secure -- is nothing new. But then, the article mentions this: "Some software vendors playing fast and loose with the rules have slapped an "open source" label on software that in fact turns out to be a "free to download and use" version of proprietary software that cannot be altered or distributed."

This raises an interesting potential legal issue that has not yet come to fruition. Key "trademarks" in the open source space such as "open source" and "Linux" are probably largely genericized, so it seems unlikely that claims will arise as to whether inaccurately calling a product these things is a trademark infringement. However, I have been surprised not to see a fraud or false advertising claim based on a vendor identifying software as "open source" when it is not. It's unclear what the damages might be if the software is gratis but not libre, but that has never stopped a class action plaintiff's lawyer, as far as I know.

Meego Gone -- or at least reborn

Heather Meeker — Sun, 02 Oct 2011 21:50:36 +0000

Intel has joined the Linux Foundation, and rebranded the Meego operating system as Tizen. Meego was an open source mobile platform that has foundered, after being created based on Intel's Moblin and Nokia's Maemo. The Tizen platform, " an open-source, standards-based software platform that supports multiple devices including smartphones, tablets, smart TVs, netbooks and in-vehicle 'infotainment' systems" that supports HTML5 will be hosted by the Foundation and is supported by Samsung as well. Intel stated, “Tizen builds upon the strengths of both LiMo and MeeGo, and Intel will be working with our MeeGo partners to help them transition to Tizen." Asus says it will continue to ship Meego systems, and Nokia has just recently released a Meego device, N9.