Bobulate


Archive for November, 2009

FSFE Fellowship Grants

Tuesday, November 10th, 2009

Starting in November 2009, Free Software Foundation Europe (FSFE) will award three people with a Fellowship grant every month for the coming year. Everybody who is actively working for Free Software but cannot afford the Fellowship contribution can apply for the grant.

That’s from the Fellowship of FSFE news page. The Fellowship of FSFE is the way that individuals can support the work of FSFE; by becoming a member you add to our resources of people, time, enthusiasm. However, it costs money, which not everyone has, so we’re looking to recognize people who contribute time, enthusiasm and skills to Free Software with a complimentary Fellowship.

The Fellows in an area also organize get-togethers — after all, they are members of one club — and the groups in various cities in Germany are quite active and successful. In the Netherlands, not so much, but we’re looking to change that by getting together in the second half of January (after Jan. 14th, when the New Year’s borrel for a whole bunch of Free Software and Open Standards groups happens). For those in .nl — keep an eye on the national mailing list.

Changing standards

Monday, November 9th, 2009

The nice thing about standards is that there’s so many to choose from. Joel Spolsky elaborates on Martian handsets in the context of web standards — it’s a fun read, go on. It’s somewhat relevant in the context of Open Standards (there are many definitions out there, largely compatible and differing in details; the FSFE uses one definition of Open Standard, the SIUG uses a slightly different one). Now, one of the characteristics of an Open Standard is that there is some change process — new features are added, ambiguities in the standard worked out. Article 4 of the FSFE definition asks for “managed and further developed independently of any single vendor”. I think none of the available definitions demand “don’t be daft.”

But when changing standards (e.g. producing a new version of a standard with new features, new extensions, or clarification and disambiguation), some form of “don’t be daft” needs to be taken into account. Clearly there’s a need for measured progress, although we can argue about what “progress” means. As a (former) formal-verification-kind-of-guy, I suspect I use words like “specification” and “standard” differently from, say, the ISO. A specification states truth, and does so elegantly. In my academic experience, changing a specification raises two main questions: is this true? is this the best possible way to express the spec? These academic specs, too, are written by small groups of people, with strong co-working ties.

Way down at the other end of the spectrum — no, I shouldn’t suggest that there’s a continuum present here; somewhere there’s a quote like “that’s not the same ballgame; heck, it’s not even the same sport” but I forget where that’s from — are fuzzy processes, ambiguous specifications and fundamental disagreements on what “progress” means. Rob Weir has a three-part blog series (Part I) on the IS29500 update process. Looking at that, I see an update process rife with procedural problems, intellectual dishonesty, and a lack of commitment to a common goal. It’s an interesting read, if only to wonder — what kind of provisions should we make in the definition of Open Standards to ensure a (better) workable change process?

Encouraging Sharing

Sunday, November 8th, 2009

Whenever I say “it’s immoral to prevent people from sharing knowledge” it brings a smile to the lips of whomever I’m talking to. That’s nice, it’s a good emotional line — also one that needs a little nuance in order to work. But once you’ve got a smile, the rest of the conversation is easier.

In academia and education, dissemination and sharing of knowledge is what it’s all about — there the prevention of knowledge sharing really is at odds with hundreds of years of academic tradition, and the “immoral” argument gains strength. It’s always seemed odd to me how closed academic publication is (although to be honest the actual published papers by me are insignificant). One of the projects I’ve done is CodeYard, which tried to get Dutch students to build Free Software as part of the curriculum at high-school — in the open, as a way of sharing and demonstrating knowledge.

For educational materials as such for the Dutch computer science (informatica) classes in high school, there was the “Turing” method, which I thought had moved into an open contribution model — but I can’t find any indications of that quickly. One of the best sources for HS-CS information in the Netherlands is InformaticaVO, which also encourages sharing of information between teachers. I’m also happy to see Poland adding incentives for sharing to the creation of educational materials. Once learning materials are created (by teachers, on the public dime) there’s no economic reason to stop dissemination, and indeed a moral obligation (smile!) to share widely.

At an academic level, we have Open Access; there was even an Open Access Week (in Dutch) three weeks ago. I must say it passed largely unnoticed by me, but I might have been traveling. The University of Nijmegen had an event related to that week too, with a press release. There’s some push towards a semi-open-access repository called the “Radboud Repository”, but ironically it has CS papers only up to 2008 and every one I looked at there was closed, in the sense of no actual content, no link to the paper, no reference to where the content could be obtained; one paper was published in an NLUUG bundle, so I know that that one isn’t strongly protected by the publisher, and the one article that I spotted that is published by the university (R08007, on Size Analysis of ADTs) has no content link but does have a “related link” attached that doesn’t work.

By a roundabout way, suffice to say that the Radboud University might want to support Open Access, but it still has a lot of work to do on the “making it work” side of things. But sharing is, on the whole, doing well. I wonder if anyone has baked the peanut-butter cookies for which I shared a recipe during my Latinoware talk?

Down with loading!

Saturday, November 7th, 2009

One peculiarity of Dutch copyright law is the fact that obtaining a copy of a (copyrighted) work that is not offered in a legal fashion (i.e. the person offering the copy does not have a license to do so) does not in itself constitute infringement. In other words, you can take, but you can’t offer. Sounds a little like “do ask, but don’t tell” to me. I believe a similar situation applies in Canada. Both countries also have a “copying levy” applied to blank media.

The effect of this situation is to turn all the Dutch computer magazines (the non-technical ones anyway) into “where to get yur music n vidz” catalogues. Something that I feel does the notion of copyright a disservice. [[ I should note that it’s possible to disagree with the notion of copyright itself or the implementation thereof, but here we’re mostly weaseling to escape the fundamental restriction that it should be the author of a work who controls what may be done with it. ]]

[[ Additional warning: all links in this blog entry lead to Dutch-language pages, so be warned that they may contain Hottentottententententoonstellingen and other examples of that raspy tongue down by the sea. ]]

In the past few weeks there have been repeated kerfuffles around enforcement of copyright — in the music business, not software — but the Dutch government has now stated that it intends to make downloading illegal. Well, fortunately a little more subtle than that (although the umbrella for copyright organizations has in the past tried to paint a picture that all downloading is illegal, until the NLUUG and others called them on that). It hit one news site as free downloads should be punishable; another headline (same site) was gov’t to ban downloading. What I make of this is that “downloading” in Dutch apparently means “obtaining a copy of a work from an unlicensed source.” See the perverse effect on language?

This kind of news hits lots of channels, and you can see, for instance, on security.nl — the usual kind of discussion focused on “music biz needs a new business model” and “copyright lasts too long” and “implementation is infeasible because I’ll use encryption.”

But let’s take a closer look at the sources (maybe not the most-original source, but closer than reports in the media): a press release from the ministry of Justice. The summary of the press release reads:

Thuiskopieheffingen op informatiedragers zoals blanco cd’s en dvd’s moeten op termijn worden afgeschaft. Daarvoor in de plaats komt een regeling die het downloaden van beschermde werken uit (evident) illegale bron verbiedt. Verder wordt het toezicht op auteursrechtorganisaties sterker en zal de contractuele positie van auteurs en uitvoerende kunstenaars worden verbeterd.

[[ Loose translation in English: ]] The blank media levy (which covers home copying of music and video) on cd’s and dvd’s should be scrapped in due time. In its place, downloading of copyrighted content from (obviously) illegal sources will be prohibited. In addition, the oversight of copyright-related umbrella organizations will be strengthened and the contractual position of authors and performing artists will be improved.

I suppose I can only say I think I applaud this (the devil’s in the details, of course), as it moves to a somewhat less actuarial approach to copyright violations and tries to come up with something that works more closely along the original setup where the author had control over the protected work (within the scope of copyright law, which is the social contract governing the use of creative work, along with its explicitly allowed exceptions).

Now all the Trolls will want one

Saturday, November 7th, 2009

Oh goodness, it’s only taken until the first beta of Qt 4.6 (spoiler: it’s really Thiago!) for commercial jewelry to catch on to the fact. Especially because it’s next generation.

Private Silos

Friday, November 6th, 2009

Attached to LinuxWorld is the InfoSecurity trade show (or the other way around, since LW is about a fifth of the size of IS). It’s a nice opportunity to find out about networking, crypto, and other things going on in that part of the world. Security isn’t exactly my thing, although when I was running CodeYard I was located across the hall from the security research group at the University of Nijmegen — and of course I’m never without my Fellowship of FSFE GPG-card.

At the NLUUG conference last week I heard of the Yubikey — unfortunately I missed the actual talk by Henk, so I’m still a little confused as to what you can actually achieve with such a device that acts as a USB keyboard and spits out 16 fixed characters followed by 32 random ones. One-time passwords, sure, but I’m just not creative enough to come up with what to do then.

The FSFE is an enthusiastic user of GPG encryption and digital certificates (from CAcert) because we feel that Freedom and Privacy (through the use of strong encryption) go hand in hand. So I was happy to meet some folks from a company called Legid who are pushing certificates (S/MIME and otherwise) as means for digital signing, and have a hardware-software combination that uses a smartcard with a neat wifi-and-usb (?) enabled terminal to handle them. The terminal also apparently supports something that looks like OpenID, sending authentication requests and authorization requests (e.g. when trying to pass a doorway) to different parties for permission. The long term goal is to have everyone with a smartcard and a collection of personal (i.e. bound to your real identity) certificates for legally sound document signing; naturally you’ll want more certificates to handle the different online identities you have.

Going from there to the “but email clients are too difficult” end of the spectrum, I chatted with a company that does secure document silos — to which I largely responded “why on earth would I want a new, locked-down, non-interoperable web-based silo for document exchange?” This might signal a difference in workflows — I have different client apps for different activities (but because it’s KDE4 they integrate really well) and don’t see much value in having to go to a website to retrieve a document when encrypted attachments (S/MIME or otherwise) have been part of email for tupping ages. The company (DigiNotar) claims that that’s too complicated, and I suppose for people who have a web-browser based workflow anyway, that kind of makes sense. Especially if the silo combines document management with security — the idea behind the silo is partly that you can keep better logs of document access and document reading. Again, a move towards being able to say “I know you read the document, because you were logged in (with your client certificate) and downloaded the encrypted version offered by the portal and then sent back a signature on the document.”

For such a silo my concerns quickly turn to interoperability; I have a bank that communicates with me through such a closed secure silo — or rather, it doesn’t communicate with me because their silo doesn’t work with my choices of browsers (and the one they do support doesn’t run on my hardware).

All in all, good to see work on privacy going on; in so far as it’s possible to get a good idea of what’s going on from a chat at a trade fair.

LinuxWorld wrap-up

Friday, November 6th, 2009

Two days of LinuxWorld have left me tired but happy. I ended up giving two talks, because Karsten and I made it a double on Wednesday and then on Thursday I had another one on best practices in license selection for Free Software projects (one-line summary: pick one that is consistent with your business strategy). The Open Source pavilion at LW isn’t all that large, so 14-20 people as an audience fills it.

Besides giving some talks on licensing topics (FSFE hat), I sometimes stood around the NLUUG booth and handed out posters for the next NLUUG conference — spring 2010, topic “System administration.” Very traditional for an Open Systems and Open Standards organization. And aside from that, wandering around a trade fair with four themes — Linux, Storage, Security and Business Tools — is an education in itself. I try to make clear at the start of every conversation that I’m not a sales opportunity, as that seems to avoid wasting time for both of us if I run into a hard-sell booth (still, the one stand that asked “How many workplaces does your company have?” and then “Well, you have less than five hundred desks, you’re not interesting, goodbye!” — I never even found out what they were selling at all.) You can still get conference goodies though, so I got home with a nice collection of peppermints and flashlights for the kids.

conferences.next()

Tuesday, November 3rd, 2009

With the NLUUG fall conference over (and Linux Kongress and OSDevCon, all planned for the same days and me able to attend only one), my sights are re-set to the next conferences. And lo! They are almost upon us. Linux World in Utrecht (Netherlands), which is a small Linux-oriented trade show surrounded by three much larger IT trade shows (Storage, Security, and “Tools”). It tends to be fun, though not very Free Software-oriented. I especially like talking to the storage peeps, since there’s a fair amount of technology hidden under the marketing speak — for instance ZFS has dedupe now. There’s two FSFE-related items on the agenda: I will give a brief talk on best practices in Free Software licensing for your Free Software projects (one sentence summary: consider the future business implications of your choice; longer version could be had at Latinoware). Karsten Gerloff will be paneling on public procurement (probably one sentence summary: choosing Free Software is a way to ensure long-term safety of data and social investment).

After that, at one week distance, is FSCONS where I’ll run into Karsten again. Do you suffer from bumping into your boss all the time in random countries? I do. FSFE has a big lineup there, thanks to Alina and Matthias who are secretly coordinating our presence there. Again, best practices in licensing.

After that, things are clear right through to Sinterklaas, which is good for getting some desk-time.

Unfit for a particular purpose

Monday, November 2nd, 2009

THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.

That’s a really popular line in Free Software licenses (I copied this one out of the FreeBSD license, which is a 2-clause, permissive, non-copyleft Free Software license, but something similar can be found elsewhere, e.g. in the GPLv3). It can be the thing to hide behind in a cop-out (as in “well, it works for me, don’t bother me with bug reports”) and it can be a powerful tool to avoid liability when bugs show up that a small group of developers didn’t foresee or missed in testing — liability that might bear no relation whatsoever to the rest of the economics of the situation. It is therefore vaguely amusing to see a local council suing over software unfit for a purpose — found on the Register. Since it’s very light on details, I’ll just put up a late night comment that it’s important to pick someone negotiating a software purchase contract who is fit for that purpose; that might ease some of the pain there.

Looking at Licenses – LLVM

Monday, November 2nd, 2009

I was surfing around — you know, the usual sequence of Slashdot, Groklaw, random linked articles — and encountered the LLVM license (actual license text). I thought I would take a moment to look at this one and compare it to other permissive Free Software licenses. Broadly speaking, the LLVM license is one that allows everything, and requires: retaining copyright notice and disclaimers, in source or in documentation, and disallowing the use of authors’ names for endorsement. Compare it to the 3-clause BSD license, 2-clause FreeBSD license or the 1-clause MIT license.

A couple of comments on this license family are in order; one is that I find the MIT license a tad unclear(!) because I don’t understand how to include a copyright and permission notice that is part of a comment in a source file in the software. The intention is clear enough, I guess: put the notice in a README or at the end of the software manual, and you’re clear. It seems to me that some mention of binary distribution vs. source should have been done, if only to clarify that point.

The second is that the header of the LLVM license invites a form of poor copyright management; this isn’t the license’s fault per se, but it contains language that suggests to other developers to do things sub-optimally [[ gosh, it’s hard to pick just the right words here; “wrong” sounds more pithy, but is also more likely to annoy people into not listening at all; the point is there are best-practices ways of doing things and anything else isn’t, well .. , the best ]]. It’s the inclusion of a group of developers at the top — the “Developed by” line, as well as the “Copyright <Owner organization name>”. These are tempting to developers of community-led projects to put in non-existent organizations or poorly-defined groups like (and I’m culling these examples exclusively from KDE because I happen to have a KDE SVN source checkout here)

(c) 1996-2008 The KDE System Monitor Developers
(c) 1999-2008, The KDE Developers
(c) 2003, The KHelpCenter developers
(c) 1998-2000,2003 The KFM/Konqueror Developers
(C) 1999-2008, The Konqueror developers
Program copyright 1997-2001 The KInfoCenter Developers

The problem lies in the fact that these groups are defined if and only if you have access to information outside the sources themselves — e.g. mailing list archives or version control system history. Putting these non-existent groups in a copyright header weakens the copyright (just a little — after all, each original author is a rightsholder, regardless of whether he or she puts her name to it) and makes compliance engineering just a little more difficult. Note that putting an existing organization there that actually holds the rights is just fine: my own code in KDE SVN should read “Copyright 1999-2008 KDE e.V.” because I used a Fiduciary License Agreement to assign the rights. Again, none of this is the license’s fault per se, it’s just an easy-to-misconstrue example.

So here it would be better — for everyone, and KDE coders in particular — to follow an example that said “Copyright <year> by <name of actual author> <email address>” because that is safer from a governance standpoint in the long run. There’s no fictitious entities involved, and complete documentation of who might be a holder of copyright in the file (besides, clause 2a of the GPLv2 wants you to do this as well).

Finally, the last bit of commentary goes not to the license text but to the explanation given by LLVM for their reasons for choosing this license over the GPL — except for llvm-gcc, which is necessarily GPL-licensed because it is a derived work of gcc, which is GPL licensed itself. And it’s the use of the word “viral” that bugs me here. It’s bolded on the LLVM license webpage, and is wholly unnecessary since they manage to explain what the GPL does pretty darn well; it’s just adding a typical FUD-word to an otherwise fine page explaining a license choice (a legitimate license choice for a Free Software license done by the original authors, and hence one to be respected). A better line for that particular web page would be “any code linked into llvm-gcc (which is GPL licensed) must also be released under the GPL, as per clauses 2 and 3 of that license.” (This assumes it’s GPLv2-licensed).

Anyway, an interesting (for me, but then I like to read licenses and the reasoning behind license choices) jaunt into non-copyleft licensing territory. [[ PS. And yes, there is a 4-clause BSD license, which has the Advertising Clause; I’m not aware of a 5-clause one, but there is a 3′-clause license, the Sleepycat license, which is formatted like a BSD-style license but has a strong copyleft component. ]]