Bobulate


Archive for the ‘FSFE’ Category

Looking at Licenses – LLVM

Monday, November 2nd, 2009

I was surfing around — you know, the usual sequence of Slashdot, Groklaw, random linked articles — and encountered the LLVM license (actual license text). I thought I would take a moment to look at this one and compare it to other permissive Free Software licenses. Broadly speaking, the LLVM license is one that allows everything, and requires: retaining copyright notice and disclaimers, in source or in documentation, and disallows using authors’ names for endorsement. Compare it to the 3-clause BSD license, 2-clause FreeBSD license or the 1-clause MIT license.

A couple of comments on this license family are in order; one is that I find the MIT license a tad unclear(!) because I don’t understand how to include a copyright and permission notice that is part of a comment in a source file in the software. The intention is clear enough, I guess: put the notice in a README or at the end of the software manual, and you’re clear. It seems to me that some mention of binary distribution vs. source should have been done, if only to clarify that point.

The second is that the header of the LLVM license invites a form of poor copyright management; this isn’t the license’s fault per se, but it contains language that suggests to other developers to do things sub-optimally [[ gosh, it’s hard to pick just the right words here; “wrong” sounds more pithy, but is also more likely to annoy people into not listening at all; the point is there are best-practices ways of doing things and anything else isn’t, well .. , the best ]]. It’s the inclusion of a group of developers at the top — the “Developed by” line, as well as the “Copyright <Owner organization name>”. These are tempting to developers of community-led projects to put in non-existent organizations or poorly-defined groups like (and I’m culling these examples exclusively from KDE because I happen to have a KDE SVN source checkout here)

(c) 1996-2008 The KDE System Monitor Developers
(c) 1999-2008, The KDE Developers
(c) 2003, The KHelpCenter developers
(c) 1998-2000,2003 The KFM/Konqueror Developers
(C) 1999-2008, The Konqueror developers
Program copyright 1997-2001 The KInfoCenter Developers

The problem lies in the fact that these groups are defined if and only if you have access to information outside the sources themselves — e.g. mailing list archives or version control system history. Putting these non-existent groups in a copyright header weakens the copyright (just a little — after all, each original author is a rightsholder, regardless of whether he or she puts her name to it) and makes compliance engineering just a little more difficult. Note that putting an existing organization there that actually holds the rights is just fine: my own code in KDE SVN should read “Copyright 1999-2008 KDE e.V.” because I used a Fiduciary License Agreement to assign the rights. Again, none of this is the license’s fault per se, it’s just an easy-to-misconstrue example.

So here it would be better — for everyone, and KDE coders in particular — to follow an example that said “Copyright <year> by <name of actual author> <email address>” because that is safer from a governance standpoint in the long run. There are no fictitious entities involved, and there is complete documentation of who might be a holder of copyright in the file (besides, clause 2a of the GPLv2 wants you to do this as well).

Finally, the last bit of commentary goes not to the license text but to the explanation given by LLVM for their reasons for choosing this license over the GPL — except for llvm-gcc, which is necessarily GPL-licensed because it is a derived work of gcc, which is GPL licensed itself. And it’s the use of the word “viral” that bugs me here. It’s bolded on the LLVM license webpage, and is wholly unnecessary since they manage to explain what the GPL does pretty darn well; it’s just adding a typical FUD-word to an otherwise fine page explaining a license choice (a legitimate license choice for a Free Software license done by the original authors, and hence one to be respected). A better line for that particular web page would be “any code linked into llvm-gcc (which is GPL licensed) must also be released under the GPL, as per clauses 2 and 3 of that license.” (This assumes it’s GPLv2-licensed).

Anyway, an interesting (for me, but then I like to read licenses and the reasoning behind license choices) jaunt into non-copyleft licensing territory. [[ PS. And yes, there is a 4-clause BSD license, which has the Advertising Clause; I’m not aware of a 5-clause one, but there is a 3′-clause license, the Sleepycat license, which is formatted like a BSD-style license but has a strong copyleft component. ]]

The Economist on Clouds

Tuesday, October 27th, 2009

Last week’s The Economist has a leader article titled “Battle of the Clouds” and a six-page briefing “Clash of the Clouds.” It contains some interesting tidbits, such as labeling Apple’s key market “digital music”, Microsoft’s as “operating systems” (with 93% market share) and Google as “search.” Funny, I would have expected “online advertising” for the latter.

Anyway, there are two key — and somewhat contradictory — parts to the leader article. It starts off like this (edited for brevity):

The new approach has great promise. It makes life easier for consumers and cheaper, too: many cloud services are free, supported by advertising or subsidised by users who pay for a premium service. — The Economist, 17/10/2009, p. 13

I find it hard to believe that a massive shift to cloud computing — as in supporting everyone’s email and document handling — could ever be advertising supported, and the rates for maintaining massive amounts of servers for a broad slice of the population can’t be kept low for very long. Any user is going to consume a non-negligible amount of resources (electricity) in the course of a working day on the server end — that needs to be recouped.

The other end of the same leader article is headed “A storm brewing?” and touches on the issues and social implications of cloud computing. Something the FSF and FSFE have been concerned about as well. Here my feeling is that the article has done reasonably well: it mentions technological lock-in, “favour service providers who allow them to switch between services without too much hassle,” privacy implications, “most users will be happy to trade some privacy for free services,” (cue Ben Franklin) and data integrity and sustainability, “data stored in the cloud may not be safe.” Yes, those are the umbrella problems of clouds. For now, local storage and local computing are the best bet to avoid those problems and keep out of the rain.

Free Software but not Open Source

Thursday, October 22nd, 2009

It is possible for software to be Free Software (in the sense of GPL version 2 compatible), and yet not satisfy the requirements of the Open Source Initiative for being an Open Source license. This is an obscure corner case in the GPL, because people usually (not always) mean Free Software when they say “Open Source” — stressing a technical detail that is a prerequisite for Freedom over Freedom itself.

The relevant bit of the GPLv2 is clause 8:

8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.

You could write GPLv2 licensed software whose distribution to the United States is prohibited, for instance. This clause allowing additional restrictions based on geography has not survived in the GPL version 3.

In any case, for a GPLv2 plus geographical restriction license, the problematic requirement is requirement 5, No Discrimination Against Persons or Groups, formulated as: The license must not discriminate against any person or group of persons. Clearly restricting a GPLv2 licensed product to a certain geographical area discriminates against a specific group (i.e. those outside that area).

I’m told — but have not verified — that there are also two Open Source licenses that are not Free Software (i.e. the converse of the compatibility issue pointed out here). I’m also told that they are used by one project each, so it’s not a huge burden on the Free Software community.

Going South

Tuesday, October 20th, 2009

Up until today, the furthest south I had been in pursuit of Free Software was Abuja, although that was just a touchdown. I have practiced Free Software in Kano (12.1N) and in Bangalore (13.0N). Today, that barrier gets smashed as I head down to Latinoware in Foz Do Iguacu (25.5S). So that is four continents and the subcontinent (India has a special place in my heart); I have my sights set on Australia this winter, but the Antarctic will probably just not happen.

So, Latinoware. South America’s largest Free Software conference? Eight parallel tracks? I’m tremendously honoured to be giving two talks at the conference. One with my blue hat — KDE — and one with my green hat — FSFE. That’s a technical and project plan talk about what KDE is doing and where it is going, and a project management and legal talk about how Free Software projects can be run. Both topics close to my heart, and I’ll likely talk about what the FSFE does for KDE in the KDE talk and use KDE as an example in the FSFE talk. Hats can be so confusing.

In the meantime, I expect to be slightly out-of-sync with goings-on in Europe. I hope, nay, expect, the network to be better than at some conferences I’ve attended, though. See you soon (Helio, Mauricio, and others).

SMB2 Security

Monday, October 19th, 2009

While looking to install smbclient on my laptop this morning to talk to some devices on my home network, I was pointed at a security advisory regarding SMB2. It’s about a known defect in the SMB2 implementation on Windows 7 — kind of interesting to have pre-release security defects publicised already. The FSFE’s statement is here, and you can find English-language Heise coverage here.

The intermediate work-around — isolate Windows machines from the Internet with a good firewall — is good practice anyway. Do not let SMB traffic escape from your local network.

GPLv2 clause 6

Monday, October 19th, 2009

This week I was in Grenoble for the Embedded Linux Conference Europe. On the second day of the conference — Friday — I was one of the few people wandering around in a suit. Even the guys who normally wear suits had dressed down to deal with the nitty-gritty of kernel threads, time sources, and boot time optimization.

So I talked about licenses. And license obligations. And interesting bits of the GPL version 2. There’s one clause of the GPL version 2 that I’d like to single out because it’s one that is surprising to me — and rarely mentioned. Clause 6.

6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients’ exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License.

So, let’s suppose you (Bob) receive a program under the GPLv2 from the original author (licensor, called Alice), and pass it on unmodified to a third party, Charles. Clause 1 of the GPL applies, because it is verbatim. You just need to give Charles a copy of the license, and Charles receives a license from Alice automatically. There is in my reading no license, no relation whatsoever between you and Charles. Now if Charles distributes the program, the only license he could violate is Alice’s, and it is Alice who would need to enforce any violation.

This is actually how it works, too — suppose Alice wrote a part of the Linux kernel, she grants a license to any recipient (Charles) even though there are second parties involved (Bob); Alice can enjoin Charles to satisfy the requirements of the license. (For Alice perhaps read ‘Arald)

Now suppose you, Bob, modify the program before distributing it. In that case, clause 2b comes into play and the resulting work (based on the program) is also covered by the GPL version 2. When you distribute it, Charles receives a license from you to the modified work, and Charles receives a license from Alice to the original program. This is powerful, because Charles now has two licenses and two licensors that he must satisfy — but also weak, it seems to me, because Charles could violate one of the licenses and still keep the other. So if Bob sues Charles over compliance, Charles could just switch to the original Alice version (unless Alice enforces compliance issues as well).

It’s unlikely that would work in practice, because Charles wants the modifications done by Bob. Probably.

PS. Thanks to Saul Goode for some very careful and relevant comments to my previous writing on the GPL version 2; in particular pointing to the US Copyright Code and how it doesn’t restrict running the program at all — as indeed the GPLv2 itself writes “The act of running the program is not restricted.”

On damages and responsibility

Sunday, October 18th, 2009

My newspaper — the NRC — contains an item de uitspraak on page two once a week that deals with some recent court ruling. This week it is a copyright-related item, probably spurred on by last week’s controversy about rights payments on embedded videos on personal websites.

I’ll translate and quote parts of the column here, because it is of interest. This is transformative in nature and thus creates a derived work. Let’s think that this particular derivative work falls under “fair use” (which doesn’t exist as such in Dutch copyright law).

To start off, it’s not actually a copyright item; a 15-year old posted a copyrighted photograph which he had found with image search on his own website. He did this twice. An earlier case awarded the rightsholder (the photographer) EUR 4000 in damages. That seems a bit excessive to me, but .. in any case, the kid did not pay, and now the rightsholder is suing the parents for the same damages.

So this case actually is about claiming damages from parents, in particular because of the responsibility that parents have for the actions of their children. Dutch law says “Responsibility for damages caused to third parties by a child, 14 or 15 years old, lies with those who exercise parental control, except if they cannot be blamed for not preventing the actions (causing the damage) by the child.” Ugh, that’s convoluted, and “parental control” is something called “ouderlijk gezag,” which may be exercised by natural parents or foster parents or in some cases an institution.

According to de uitspraak, the considerations in this case were that a 15-year old has a reasonable expectation of autonomy and that non-stop surveillance is not to be expected (heck, I don’t watch non-stop over my kids when they’re surfing, and they are 5 and 6 — but then I do try to start them in a safe place of the net). So letting kids do “stuff” on the net is not in itself a reason to expect surveillance. The judge also states that it need not be considered unusual for kids to maintain a website. As a result the parents are not held responsible for the damages.

Note that this says nothing about the damages awarded earlier: presumably the kid still owes 4k from the original case. It does, however, say something about where parental oversight is expected for kids doing things on the net.

Sounds like GPLv2

Thursday, October 15th, 2009

The GPL version 2 was written back in 1991, in some sort of “plain English”. At least the intention was to write a clear document that allows recipients of a copyrighted work (e.g. a computer program in source code form) the four freedoms,

  • 0: The Freedom to use, for any purpose;
  • 1: The Freedom to study the program;
  • 2: The Freedom to make modifications to the program;
  • 3: The Freedom to distribute the program, either in modified form or verbatim, either as source or as a compiled object.

(This is not the canonical form of the four freedoms, heck no). There are restrictions on when you may exercise those freedoms. In particular, when you distribute the program, you need to give the recipient the source code. If we boil it down to its syrupy goodness, this becomes “you can have this to do what you like, but anyone you give this to gets that same right.”

Well, that’s the intention. And under normal use, this is how it works. The GPL gives you permission to use the software (you must have a license to even run a piece of software you have, because of the way copyright law interacts with software). If you violate the terms of the GPL, then you can’t use the software. Simple.

The GPL version 2 has some extra text outside of the legal parts; for instance, one bit tries to clarify the intention of the license:

This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Library General Public License instead of this License.

However, intentions come into play to only a limited extent in licenses. There is the text of the license, which is .. well, suffice to say it was written in 1991 with plain English in mind.

The Register is reporting on a webcast hosted by Black Duck Software with Karen Copenhaver and Mark Radcliffe. The Register article starts out with the misleading paragraph:

Two prominent IP lawyers have warned that the all-pervasive General Public License version 2 (GPLv2) is legally unsound.

Unsound doesn’t mean broken, and unsound doesn’t mean that the main use of the GPL version 2 is unsound. There’s a great deal of ambiguity in the license; I saw a talk by Sean Hogle at OSiMWorld with similar points. In particular this ambiguity exists around “derivative work”, although “distribution” is also not watertight. One illustration that “distribution” doesn’t cover everything that might be intended is the existence of the Affero GPL (AGPL).

Note that the analysis presented (in the webcast and summarized on the Register and then summary-summarized here) applies to the GPL version 2 only, and the GPLv3 is a great deal clearer (from a legal point of view, although it’s a lot more words).

As far as the Register article goes, the first comment finishes with “Rocket science it is not.” No, it’s not rocket science, but the gap between what you want (or what you have been led to believe) and what the text actually says — let alone what it does when subjected to scrutiny — may be very great. And that’s the difference between landing on the moon, crashing into the moon, and exploding on the launch pad (which is AGPLv3, BTW).

Browser Selection

Tuesday, October 13th, 2009

I’ve said it before, the devil is in the details. Last week the European Commission, by way of its Commissioner for Competition Policy Neelie Kroes, decided to accept a test proposal from Microsoft regarding the browser selection on its Windows operating system. Incidentally, the Register has a more readable form of the same thing.

Now, Karsten Gerloff, president of the FSFE, has written a good overview of what is wrong with the proposal. Basically, all the details are wrong. You can also find some comments by Carlo Piana on the subject.

Let me summarize: the browsers are not all shipped in the same state — there is one special pre-installed one — and the mechanism for choosing browsers is not flexible enough. It’s still not clear what the presentation order will be, which may skew the selection as well. I’ll say one good thing, and that is that there’s space for 12 browsers in the browser selection screen (umm .. no technical reason to limit it like that if the selector is a webpage, or anything else really). The big five plus space for specialized or less popular ones. It’s not clear what the criteria are there. Still, one might imagine a whole family of WebKit-based browsers being included.

Some Dutch IT Items

Monday, October 12th, 2009

The Dutch copyright enforcers on music and video, Buma/Stemra, launched a plan last week to actually start collecting rights for proprietary content embedded in blogs and other personal websites. The version that reached the public press was that you would have to pay 130 EUR for up to six copyrighted items displayed on a .. something. That wasn’t really made clear in the press, and newspapers and then politics jumped all over it.

Now that plan has been retracted; apparently several parties in the Tweede Kamer ended up doubting the legal basis for such a licensing scheme, not to mention the social unrest caused by kids linking stuff on their social network pages (I hear Hyves is the most popular one in .nl, and its name seems to be used synonymously with “social network site” by now), and then the parents get a bill for the embedding. Well, the parents get the bill if they are still legally responsible for the child — I’m not sure what the age limits are there.

Just a list of my initial questions:

  • Why is it onerous on the parents to be responsible for the behavior of their children in one aspect of the law, and not in others (e.g. vandalism)?
  • If there is a legal doubt about the basis of enforcing rights on embedded content, what exactly is that based on? In what way does embedding differ from other forms of hosting? Does this not affect the legal basis of all rights enforcement on online content?
  • Are these political parties up there only for their crowd-pleasing skills? (And I voted for ’em, too).

Copyright is important. It’s part of our social contract, although copyright in itself is an artificial construct of society. I won’t claim that the current crop of copyright laws is the best of all possible, but it is part of our (in the context of this blog entry, Dutch) society. And working with (and protecting) that social contract is part of everyone’s duty to society. So I’ll have a little sympathy for Buma today.

And in other news, Stichting Brein (whose amazingly annoying rightsholders information film at the beginning of every DVD I own is sufficient reason for me to rip the damn thing so I can just watch the movie and who were responsible for an amazingly misdirected bit of FUD against all forms of downloaded content a few years back — find the NLUUG and others’ response to the FUD (Dutch) as well as some useful background information on home copying (Dutch) on Arnoud Engelfriet’s blog) has gotten tied up in did-too-did-not court cases against the Pirate Bay. Brein’s mandate is protecting the rights of non-Free content. I can’t really fault them for doing that, it is something that is sometimes needed under copyright law. I can’t bring myself to have any sympathy for them, though.

[[ Thought experiment: Supposing that embedding doesn’t require normal handling of the rights on copyrighted works, how does a tracker — which doesn’t even embed, but only points to other, possibly embedded, copies — differ from the exemption now given? ]] [[ Addendum: Ars Technica has a nice overview of resistance to technology from rightsholders. ]]