Archive for the ‘Law’ category

Copyright insanity

January 27th, 2008

Got an interesting reply from Mikeal Rogers on the subject of copyright, open source, contributor license agreements, and such.  His post was in reply to a recent podcast from codemash on these subjects.  It’s a bit much to reprint here, so I’ve linked to the forum post.  Lots to think about.

GPL and open source license ambiguities

January 5th, 2008

I think I’ve written on this before, but this recent story on Slashdot just brings it all up again, so I’ll write again.  I currently deal with these sorts of questions for a living, and I have to say it doesn’t generally get any easier as time goes on.

McAfee indicates that some of its products rely on GPL software and that, because of ambiguities in the license and the fact that it has not been tested in court, this may cause product problems down the line.  It’s a perfectly reasonable statement to make, yet many responding on Slashdot kept repeating that “there’s nothing ambiguous” about the GPL.  Not sure how wrong these people can be, but they are.

GPL v2 states:

“You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program…”

The first question is ‘how strictly should this be interpreted?’.  It sounds unambiguous above – *any* modification would form a ‘work based on the Program’, right?  If I load a file, my editor changes tabs to spaces or changes carriage returns automatically, and then I save it, would that count?  I’ve modified the program, right?

Then later:

“If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. … In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.”

So, if I create a ‘separate’ program and distribute it, but my installation routine compiles them into one executable, am I safe?  As the license also states:

“it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program.”

So, they’re concerned about distribution.  If my installer combines the ‘separate’ work with GPL code after distribution, I should be OK, right?  I doubt anyone would agree with that, because it seems like too much of a violation of the spirit of the GPL.  But of course, there’s no ambiguities, right?

Another issue with GPL (well, open source license in particular) that I’ve faced recently is the question of origin of code.  Just because there’s code in a file that states that it’s under GPL doesn’t make it so.  This is probably the biggest ambiguity that developers and companies face.  I’ve found a number of things with GPL license and copyright notices in them which simply *aren’t* copyrightable by the person in question.  Likely people just run a script and add their boilerplate code to the top of every file in their project, but just slapping a copyright and GPL notice on something doesn’t make it correct.  Unless of course the original author granted permission to the second author to license it under those terms – in other words, if the original author dual-licensed the code.

But how do you determine that?  That is a cumbersome research process that can sometimes take days or weeks.  Sometimes it can’t be done for whatever reason, but companies still, in my view, need to make the effort and document that effort.

Another big area of ambiguity is applying a license to something that doesn’t make much sense.  GPLv2 and LGPLv2 were based on ideas from the late 80s and early 90s view of software development.  LGPL, in particular, has many references to ‘linking’.  What does ‘linking’ mean with respect to PHP scripts, for example?  Static vs dynamic linking – does that mean copy/paste of code vs include()ing the file?  Possibly, but there’s been no guidance from the FSF or GNU people as to how these concepts should apply to a whole range of current software arenas, yet people continue to blindly slap the de facto copyleft license on their code without understanding the full implications.

I do see the situation getting better in the next few years, with more experienced developers becoming more cognizant of the issues, if only because of lawsuits and stories like the McAfee one above reaching ‘mainstream’ news sources (if Slashdot is mainstream!).

However, there’s years and years of old code out there that people will continue to use, which is clouded with ambiguities and confusion about how it can or can’t be used, and in many cases, uncertainty of its origins.  This will continue to cause problems, but as more people consider licensing issues at the start of development projects, rather than after the fact, these issues will hopefully just become a footnote in the history of software development.

Queen’s nephew Linley is the royal blackmail victim

October 30th, 2007

A nephew of the Queen is being named as the victim in the Royal blackmail plot. His name is now being widely touted on the internet, including the authoritative Huffington Post, quoting the Radar publication.

Royal Anecdotes

My wife is really eating this stuff up. The name in question is supposedly David Linley, son of Princess Margaret. Apparently the UK press is not allowed to name the victim of the blackmailing effort, because of his status as a member of the royal family. My wife and her friend spent most of yesterday trying to figure out who it was. Even this morning, while the blackmailers have been arrested, there’s precious little in the search engines (yet) about this unfolding drama. I figured I’d post it here as well to help spread the word.


FEMA sorry for fake news briefing — chicagotribune.com

October 27th, 2007

In the briefing, parts of which were televised live by cable news channels, Johnson stood behind a lectern, called on questioners who did not disclose that they were FEMA employees, and gave replies emphasizing that his agency’s response to this week’s California wildfires was far better than its response to Hurricane Katrina in August 2005.

FEMA sorry for fake news briefing — chicagotribune.com

Where has the character in our government officials gone? I realize this can be considered an ‘isolated incident’, and I’m sure there are many good, honest and hard-working people working in our federal government. But really – faking a news conference? This is just sickening.  What other conferences have been faked?  Is this really the only one?


Open Source Risk Mitigation

October 12th, 2007

I’ve been with Open Source Risk Management for about 2 months now, and it’s been quite interesting so far.  The issues and risks that the integration of open source code raises, and how different companies respond to these risks, is probably the crux of the interesting stuff, at least for me.  It doesn’t necessarily seem to be the companies with the most at stake who are the most demanding about the audit processes we do, either, which surprised me a bit.  One of the things I do in my role is to talk with technical people about their code – how things link together, where certain bits came from, and so on.

Much of what we’ve been doing so far has been reviews of code before an acquisition, or before a product launch.  The awareness of the risks is a relatively new thing, and we’re (as in the industry) still mostly dealing with the issues after the code is written.  Some new technologies are aiming to help developers address the problem during the coding phase itself, by flagging suspicious code in the developer’s IDE, or by offering libraries of pre-approved code available for integration.

I’ll throw this out there for all of you: do you view integrating open source into your applications or products as risky?  Does the new GPL3 make any difference to that view?  How do you go about keeping track of what components you’re using in your projects and ensuring licensing compliance?

Airport screeners recording what you read?

September 20th, 2007

This article from Wired indicates that some airport screeners are keeping notes on passengers, down to what you’re reading.  I don’t get the impression that it’s being done for every single passenger all the time, but it’s frightening nonetheless.  I flew a lot in August, and anticipate flying a lot more in the coming months, and this makes me both nervous and angry.  Is it too cliché to bring up 1984?

US bill enables martial law?

October 28th, 2006

Slashdot posted a story recently about a US law passed which would enable the President to declare martial law.  I thought this was already possible.  In any case, I’m mirroring the text of it here for people to read – it was originally from http://www.govtrack.us/congress/billtext.xpd?bill=h109-5122 but apparently that’s getting really slow right now.