Back in January, 2005, LWN ran an
article about Debian and Mozilla's trademarks
. In particular, the Mozilla
places strict requirements on where names like
"Firefox" can be used, some of these requirements do not mix well with the
Debian Free Software Guidelines. Recent events now warrant a new look at
Any distribution of Mozilla software which diverges from the
official tarballs must use a different name unless specific approval has
been obtained from Mozilla. Debian's version does indeed
differ in a number of ways. The project could seek approval from Mozilla
to call its version of the browser "Firefox," but that approval does not
help others who may wish to redistribute the software after receiving it
from Debian. Also, the Debian Firefox build omits the official logos,
since they carry a non-free license; that is another change which runs
afoul of the trademark rules.
In the 2005 discussion, the Debian Project had seemingly come to a
resolution with the Mozilla Foundation, as represented by Gervase Markham,
where Debian would be trusted to make reasonable changes and the omission
of the logos was condoned. All seemed well, and Debian has been shipping
Firefox under this understanding for over a year.
In February of this year, however, Mike Connor from Mozilla Corporation
bug report with the Debian project. This bug, marked "serious," stated
that shipping a browser called "Firefox" was a trademark violation:
Firefox (the name) is equally protected and controlled by the same
trademark policy and legal requirements as the Firefox logo.
You're free to use any other name for the browser bits, but calling
the browser Firefox requires the same approvals as are required for
using the logo and other artwork.
Under the previous understanding, the Mozilla Foundation had seemingly
concluded that it could trust Debian to be judicious in its patches to
Firefox. The Mozilla Corporation, instead, is taking a harder line:
To my knowledge, each patchset that deviates from what we ship
should be run by whoever is doing licensing approvals (this is in
progress with various distributions already). Its hard, if not
impossible, to define a set of guidelines that is crystal clear and
doesn't need human oversight. Novell and Red Hat already do this.
The conversation then lapsed until September 18, when Mr. Connor
restarted it. His position has not softened:
In that light, you should consider this, as I previously said,
notice that your usage of the trademark is not permitted in this
way, and we are expecting a resolution. If your choice is to cease
usage of the trademark rather than bend the DFSG a little, that is
your decision to make.
Anybody familiar with the Debian Project will know that asking it to "bend
the DFSG a little" tends not to go over very well.
Mozilla's immediate complaint is about the omission of the official logo, a
change which had seemingly been approved
back in 2005. But Mr. Connor is also taking issue with a number of the
other patches shipped by Debian, and has repeatedly said that every patch
that the distribution applies must be approved by the Mozilla Corporation
ahead of time.
So what happened to the previous understanding? It appears that the shift
to the Mozilla Corporation has brought a new approach to trademark policies
- and new people into the trademark enforcement role. Meanwhile, the
understanding that the Debian Project thought it had was never really
codified onto a piece of paper with the requisite signatures - and, as a
result, it is easy for the Mozilla Corporation to change. A cardinal rule
for dealing with corporations is to always assume that the people you are
dealing with will soon be replaced by others with a much more hostile attitude;
that would appear to be what has happened here. With regard to the logo:
Fair enough, [Gervase Markham] did make that statement. At the
time, we obviously weren't taking that part seriously. We are now,
and we're saying its not ok.
The Debian developers have no intention of going against Mozilla's wishes.
Eric Dorland, one of the Debian Firefox maintainers, did ask for some time,
If this isn't possible, could we at least get a stay of execution?
Etch is going into deep freeze in less than a month. Would it be
possible to resolve this after the release?
The response was not particularly sympathetic:
I would think it makes much more sense to resolve this before you
put another long-lived release into the wild, unless your aim is to
delay compliance. Ignoring the logo issue entirely, I have grave
concerns around the nature and quality of some of the changes the
patchset contains, and I would like to see the changes as a set of
specific patches before I could make any recommendation as to
whether we should continue to allow use of the trademark. If we
were forced to revoke your permission to use the trademark, freeze
state would not matter, you would be required to change all
affected packages as soon as possible. Its not a nice thing to do,
but we would do it if necessary, and we have done so before.
Eric also asked for clarification on the patch review policy, wondering if
it applied even to security updates. The answer was clear:
Yes, if you are shipping a browser called Firefox, we should be
signing off on every deviation from what we ship. Yes, its time
consuming, and yes, I can find more entertaining ways to spend my
time, but its a necessary evil.
As for your straw man about security bugs, what security bugs would
you be fixing with your own patches? If there are security bugs,
they should be fixed upstream, not in your own tree.
Many people do not consider security to be a "straw man," however. Debian
stable currently includes Firefox 1.0.4, which is no longer supported by
the Mozilla developers. So Debian must backport its own security fixes,
and may not want to wait for the Mozilla bureaucracy to review those fixes
before putting them out. The Mozilla response here is that users should
simply be force-upgraded to a supported version; that is, indeed, what a
number of distributors do, but people are not always happy about it. There
are not many other projects which force upgrades in this manner.
The end result of all this, as expressed by Steve Langasek:
Given your subsequent comments indicating that the Mozilla
Foundation reserves the right to revoke trademark grants for
released versions of Debian, I don't see that we have any choice
but to discontinue our use of the marks.
Eric Dorland has stated that he will be changing the name of the browser
soon. Previously, this scenario has been described as the "Iceweasel"
approach - but Eric has not said what name he will be using. He has asked
if Debian sarge can continue to ship "firefox," or whether the name will
have to be changed in the stable distribution; that question has not yet
Debian is not the only project to express some frustration with Mozilla;
consider this message sent to the Fedora
advisory board in August on why Firefox security updates tend to be
slow in coming:
Also you have to take into account that firefox.org doesn't care
about Linux. They produce "updates" that are first Windows
precompiled binaries. Their Linux stuff is still in CVS, not even
tarball released yet, so we have to try and take a CVS snapshot or
troll through CVS logs to find the right patch. They also don't
seem to care about vendorsec, or if they do its a token notice and
nonsensical embargo dates. The last one I noticed was set to be
released in the middle of a global holiday (Easter).
See also this message from last
June on problems the Ubuntu developers have had in keeping Firefox
secure in their distribution.
The Mozilla project has, mainly via the Firefox browser, changed the way
people work with the web. It has brought millions of people into the
community of free software users and ended the destructive domination of a
single, proprietary browser. Firefox is good stuff, and we are far richer
for its existence.
One cannot help wondering, however, if the Mozilla Corporation, now one year old,
isn't losing touch with the free software community it is ostensibly part of.
Releasing software under a free license means losing control over what
happens to it, but Mozilla appears to be having a hard time letting go.
The result makes life harder for Linux distributors, and for Linux users as
Nobody really wants to fork Firefox. The Mozilla Corporation, however,
would appear to be requiring distributors to do exactly that, whether they
want to or not. No distributor has any interest in shipping Iceweasel, but
it appears that a number of us will be using it anyway - or, perhaps,
looking harder at some of the other free browsers out there.
to post comments)