Clarification on a few points
by tbird20d
January 31, 2012
Reasonable people can disagree on whether this is a good idea or not. As the un-named Sony developer mentioned in the article, I hope I can give some perspective that will help explain the issues better.
First and foremost, I need to clarify that this is not a "Sony project". I am working on this in my role as an embedded Linux industry advocate, who tangentially happens to be a Sony engineer. Those who see some Sony conspiracy here can take off their tinfoil hats.
It is NOT the goal of this to help people violate the GPL, but rather to decrease the risk of some nuclear outcome, should a mistake be made somewhere in the supply chain for a product. For example, it is possible for a mistake made by an ODM (like providing the wrong busybox source version) could result in the recall of millions of unrelated products. As it stands, the demands made by the SFC in order to bring a company back into compliance are beyond the value that busybox provides to a company. I also believe they are wrong from both a legal and moral perspective.
I recognize full well that some companies are not living up to their GPL obligations. At the same time, everyone I work with and talk to is working hard to comply with the GPL. In particular, I am proud of Sony's track record of GPL compliance. See Sony's Source Code download site [ http://www.sony.net/Products/Linux/common/search.html ].
However, companies and people do sometimes make mistakes. In my own experience, the remedies requested by other agents and organizations working for GPL compliance are much more productive than those of the SFC. Given the current situation, it makes sense to reduce the probability of mistakes, and their legal repercussions.
It is a shame that such a project is needed. But it is primarily needed, in my opinion, due to the overreach of the busybox litigators. I believe the project represents an ethical and pragmatic solution to this particular legal challenge.
18:01 UTC
Clarification on a few points
by rahvin
January 31, 2012
So you deny this is to avoid helping people violate the GPL then go on the state that this is being developed so that when people do violate the GPL they don't have to answer for that because you morally disagree with the level of penalty that SFC imposes.
According to what I just read you are doing exactly what you claim you aren't doing. By your own words this is being developed so that if "someone" violates the GPL they can avoid infringement discussions with the SFC, or in other words to avoid enforcement of the GPL.
It would seem from this that the original call to have Kernel developer step forward and allow their code to be used for enforcement is a very valid call to the development community as your work is specifically to allow people to use GPL software without having to worry about the legal consequences of non-compliance. IMO there should be a bite to non-compliance, regardless of intent. What the SFC asks is nothing in comparison to the millions you would have to pay for violating the licenses of any commercial product.
It's be really nice is one of the major developers of the Kernel stepped forward.
18:34 UTC
Clarification on a few points
by tbird20d
January 31, 2012
I think you misunderstand what I said. This is not to allow companies to violate the GPL, it is to help them (and mostly their suppliers, really) use non-GPL software. That way, if the supplier makes a mistake and can't find the exact source for the non-GPL software, nobody is on the hook for litigation and extreme remedies.
In practice, it would make things easier if my suppliers didn't ship any GPL user-space code to me. At Sony, we'll put on our own user-space GPL code. We have good practices in place for managing our GPL responsibilities in this case, thank you very much. In the case of kernel code, to my knowledge we've never had a problem with a supplier providing correct sources for this.
I understand why this is sub-optimal in the grand scheme of things, because it detracts from the community value of GPL user-space code.
19:03 UTC (Tue)
Clarification on a few points
by BrucePerens
January 31, 2012
I'm the original author of Busybox, and the person who placed the GPL upon it. I am not a party to the lawsuits regarding it. Instead, I offer my services to the infringing companies, to help them cure their infringement to the satisfaction of all developers.
BSD-like licenses can be enforced as well as the GPL, as we showed in Jacobsen v. Katzer. Many, many companies fail to follow the license presentation requirements of the BSD license. There are a great many copyright holders out there, GPL and BSD both, and we need just one who is represented in code on the device to enforce. So, I don't think you can achieve your legal goal by replacing Busybox.
As a representative of the companies that have been contacted by SFC, I have experienced the settlement terms of SFC firsthand. Those requirements are:
I've also had to pay SFC for the technical work on the audit. They charge a lot less than I do, and less than any sane legal-technical practitioner in New York City should charge.
The only unfair thing SFC does, as far as I'm aware, is that they don't involve me in the busybox cases, although I'm the original developer and my code is still present. And this is the requirement of their clients Eric Andersen and Rob Landley. So, I went to work for the other side, helping them to cure the infringement. Frankly, that side pays better anyway.
I think you're off base regarding the legal and moral stance of SFC, and your own moral position stinks. Help your clients perform due diligence, rather than helping them avoid enforcement.
Bruce Perens
19:13 UTC
Clarification on a few points
by tbird20d
January 31, 2012
I know who you are Bruce. I was the one at Lineo who approved paying Erik to work on Busybox, way back when. I know the Busybox history.
Help your clients perform due diligence, rather than helping them avoid enforcement.
I want to help people avoid infractions, not avoid enforcement. I think this is pretty moral.
19:35 UTC
Clarification on a few points
by BrucePerens
January 31, 2012
Tim,
Avoid "infractions"? I guess you mean avoid unintentional infringement. Yes, they're all unintentional. But when I get to work with these companies I find that they are building multi-billion-dollar product lines and have no compliance program, little concept of due diligence, and no working connection between engineering and legal. They get their engineering from small software or chip companies who don't communicate their due diligence requirement and don't stay around to provide source code.
Or, in the case of Best Buy's Insignia line, they buy a run from a factory and don't ever have a relationship with the engineering department.
They are infringing on their proprietary technology providers as well, including ones that provide content protection technology and have really harsh penalties in their contracts and the ability to shut the vendor out of producing a broad swath of products that carry that content. They get caught by those guys as well as SFC.
The only moral, ethical solution is to help them with due diligence.
What you are now attempting to arrive at is a situation like Android, in which the entire user-mode is under a gift license but you still have the Linux kernel. So, SFC will have to work harder to find kernel developers. And then you'll scrap Linux for BSD, and SFC will end up enforcing attribution requirements in BSD, using the precedent from the appeal in Jacobsen v. Katzer.
19:54 UTC
Clarification on a few points
by landley
January 31, 2012
A) I ended my participation in the lawsuits in 2008, when it became clear no code was coming out of it and that they were doing more harm than good.
B) Bruce? Show me your code still being present in busybox. I did http://busybox.net/~landley/forensics.txt and you've never actually refuted any of it. You keep repeating that you have code, but you'll never do The Thing:
"Shut up, and show me the code"
20:32 UTC (Tue)
Clarification on a few points
by tytso
January 31, 2012
Speaking as someone who has a non-trivial amount of kernel code in my name (contributed before I started working for a Linux company), my huge objection to the SFC is their interpretation of the GPLv2 license, in particular about "scripts to control compilation and installation of the executable". To my mind, their expansive interpretation of that clause is tantamount to an anti-Tivoization clause, which is the primary reason I and many other kernel developers rejected the GPLv3 license.
So when he uses a busybox breach to try to enforce his view of the GPLv2 license on code that *I* own, I'm naturally going to object and consider his actions wrong from a moral and ethical point of view. Which is why I'm completely supportive of the Toybox effort.
That's not to say that I support blatant violations of the GPL; if there are manufacturers of Android devices that aren't coughing up source code, then we should go after them. But using busybox as a backdoor way of enforcing an anti-Tivoization effort as it applies to the Linux Kernel is Just Wrong. And as a result, if I were going to go after someone who was abusing the copyright on the Linux Kernel, the SFC wouldn't be my first choice as lawyers...
(Speaking only for myself, and not for any of my current or previous employers...)
20:42 UTC
Clarification on a few points
by BrucePerens
January 31, 2012
Off the top of my head:
You're not fully apprehending the context of Judge Walker's guidelines. Altai's re-implementation of CA's software in a different language was non-literal copying. On the other hand, all versions of Busybox later than mine have been directly derivative. They start with the entire body of source code that I created and the overall design, and then later versions have incremental changes. So, you could probably remove every exact line that I wrote, and I would still have an excellent case that the result remained a derivative work and that I have an actionable interest in the work.
You misuse 17.102(b) to say that certain code is not my work because you believe it's functional and thus not copyrightable.
You don't consider that I have a compilation copyright as well.
You think I will have no actionable interest in toybox, or whatever you call it, after your extensive involvement in Busybox. I could assert such an interest if provoked.
I could probably enlarge this list if I took the time. But that would be engaging with you, which isn't desirable or necessary.
21:39 UTC
Clarification on a few points
by BrucePerens
January 31, 2012
Ted,
You're over-stating their request for "scripts". I have represented a client where SFC made this request, and they asked for a non-encrypted version of the binary from a step just before encryption. They never asked for keys.
21:56 UTC
Clarification on a few points
by deater
January 31, 2012
so by your argument, the various BSDs are still derivative of the original AT&T codebase, despite all of the AT&T code being removed? Enough so that whoever owns the UN*X copyright these days could re-assert ownership rights?
22:01 UTC
Clarification on a few points
by BrucePerens
January 31, 2012
so by your argument, the various BSDs are still derivative of the original AT&T codebase, despite all of the AT&T code being removed?
There are a lot of circumstances to the AT&T and BSD case that don't apply here. AT&T didn't maintain their copyright correctly, in a different legal context than we have today. There was no copyright by default back then, as we later got from a Berne copyright convention. They didn't properly assert their copyright. So, when they went to enforce against BSD, they found they could not do so for reasons that had nothing to do with the nature of derivative works. And Ray Noorda brokered a settlement between the parties (yes, the SCO Ray Noorda, before he went senile). We might otherwise have no BSD today.
22:22 UTC
Clarification on a few points
by tytso
February 1, 2012
I just finished talking to Bradley, and I got a better clarification of what was going on with one particular enforcement action that I was concerned about.
You're correct that Bradley with his SFC hat on doesn't ask for encryption or signing keys; that was my misunderstanding. However, they *do* ask for a firmware image that contains the binary in question and ideally the ability to install that image onto the device. Merely creating a binary executable and including the makefile that does the "make install" step isn't enough from them. They want a firmware image that looks similar to what is in the original ROM image. If, hypothetically speaking, that firmware image (say, pre-encryption) also happens to include content-protecting DRM encryption keys where disclosure of said keys would result in the Content Cartel's legal sharks to come after a defendant --- which trust me are way more scary than the SFC lawyers --- it can leave the recipient of that enforcement action in a very tight place. Personally, I wouldn't have pushed as hard in the settlement talks, given my limited knowledge of the case, but that's neither here nor there. I'm also guessing that part of the problem was once the adversarial legal approach was invoked, it's very hard to avoid lawyers misunderstanding technical terms, which just draws things out once you try to negotiate remediation steps.
On a more constructive side of things, I think the best way forward is to focus on education vis-a-vis how not to get into this situation in the first place. i.e., make sure you have clean separation between your proprietary and non-proprietary binary content (i.e., put things like Blu-ray keys in separate protected partitions or hardware, and don't mix it with GPLv2, and especially not with GPLv3 licensed code).
It also seems that given that the SFC has become the "bad cop", they have acquired a reputation of being litigation-happy, which from my conversations with Bradley, is an unfair rap. The question is whether they can assuage Tim's fear that an "accidental mistake" by a downstream user of some device incorporating Busybox or other GPL'ed code won't result in the SFC going nuclear on them, without companies trying to game the system by knowing how close to the line they can get. As one example, consider the HTC loophole (i.e., "as long as we respond in 3-6 months, we don't have to be afraid of getting sued") --- although the reality is if you're going to litigate, it's probably going to be 3-6 months minimum, since the wheels of justice grind slowly. And of course, litigation has many other costs other than just the legal fees. One of them is it increases the FUD involved with using your software project.
At the end of the day, it's a question of how can we make using open source code in general, and busybox in particular, not scary. My big concern from the general perspective is that people will get scared enough by the perception that there are over-zealous, litigation-happy parties out there, that they decide to not to use the Linux Kernel, and either (a) decide to use a pure proprietary solution, such as QNX, or (b) go to a BSD or Apache-licensed OS or userspace, such as FreeBSD.
One approach (at least for busybox; fortunately the Linux kernel developers don't have this litigation-happy reputation) is of course to re-implement a BSD-licensed equivalent, and that's the approach Tim has taken. Another approach is to educate the embedded manufacturers and tell them here are the bright lines which will allow them to be safe, even if they want to use Linux to implement a Blu-ray player that needs to have very stringent DRM requirements. And, that staying in bounds of these bright lines really isn't that onerous. That is, use the carrot and not the stick. Ultimately, I think that's the much more productive approach compared to litigation, and to the extent that the SFC (from my conversations with Bradley) views litigation as a last resort, I think they would agree with this latter approach of education of the embedded vendors.
-- Ted
P.S. Not that I'm in favor of that kind of DRM; in fact I generally refuse to buy Blu-ray DVD's (there are cases where both the DVD and Blu-Ray DVD are included in the same case, where I might decide to buy said combined package). I just don't believe in using the heavy club of Copyright and the GPL as a way of imposing my beliefs on others. That's a philosophical belief for which men and women of good will have disagreed about, though, so I respect that other people may feel differently about things like GPLv3's anti-Tivo clause.
0:20 UTC (Wed)
Clarification on a few points
by landley
February 1, 2012
I tried to come up with bright lines for busybox. I tried to make them easy to follow.
http://lists.busybox.net/pipermail/busybox/2008-October/033327.html
http://busybox.net/license.html
It didn't help in the slightest.
Rob
1:32 UTC
Clarification on a few points
by tytso
February 1, 2012
Rob, note that the SFC is demanding way more than just the .config file, as you stated in the busybox web page. So that's a bit of an inaccuracy in that web page that you've sited. They also are demanding the scripts that create a firmware image that includes the busybox executable. Whether or not this is really required by the GPL is a question which (as far as I know) no court has ever ruled on point.
4:40 UTC
Copyright 2012 http://lwn.net/Articles/478249/