How not to handle a licensing violation

Posted Apr 11, 2007 20:13 UTC (Wed) by jengelh (subscriber, #33263) [Link]

Posted Apr 11, 2007 20:19 UTC (Wed) by drag (subscriber, #31333) [Link]

The problem faced with the BCM43xx people is that the offending code is already out there. That the copyrights are wrong, that the licensing is wrong, and that third parties are already starting to look at it and maybe even are trying to use it.

So it's something that needed to be done publicly. There is no way around it. You can't do it privately since there are third parties that _need_ to know.

Although it would of been better to go talk to the BSD developer BEFORE going public with the issue. So that was the first mistake.

The second mistake was letting Theo change the discussion to center around email etiquette.

They should of just ignored him. It's obvious that it's pointless to discuss anything with him.

Posted Apr 11, 2007 20:32 UTC (Wed) by jengelh (subscriber, #33263) [Link]

Well, since we can give comments, here's my standpoint as an observer. (I am not involved in bcm43xx or bcw.) The arguments I find most strong (as in value) are:

And, you are going to do this using the GPL, even. You did not privately mail that developer. No, you basically went public with it.

The bcw developers went public with it. This code was submitted to a public CVS. With multiple commits.[ref]

A mistake several times in a row? Isn't that unlikely to be a mistake them?[ref]

Posted Apr 11, 2007 20:48 UTC (Wed) by ajross (subscriber, #4563) [Link]

One of the things I haven't seen discussed is how exactly this happened. It just seems incredibly sloppy. Apparently the OpenBSD developer intended to start with a working driver and reimplement it piecewise until he had replaced all the code. But is that kosher? That would strike me as almost the very definition of a "derived work", no?

Now, surely there are people who would disagree* with this analysis and say that it's fine. But shouldn't the developer have asked first? Something like "Is this OK to go into CVS as it is, or should I do development somewhere else?" Did any conversation like ever take place? Why not?

Even if this is an one-time process failure, the general lack of interest in enforement makes one wonder if, perhaps, this isn't the only such license violation in the tree.

* The original AT&T/BSD settlement involved a similar piecewise replacement of the Bell Labs code with "pure" Berkeley code, for example. So maybe this is just a tacit assumption in the BSD world.

Posted Apr 11, 2007 22:40 UTC (Wed) by k8to (subscriber, #15413) [Link]

The problem is that the source repository is public, and so was essentially made available to the public in an ongoing fashion. This is where the license is being trammaled upon, and is also a clear and present risk to the public in that they are at risk for acquiring and incorporating tainted code under false pretenses.

In this situation, I cannot criticize the choice of bringing the problem to the attention of the public immediately. In the usual GPL situations, the problem is that binaries are being provided without source, or that code is being linked in a manner which is not license-compatable. Neither of these situations will lead to further legal problem if they are addressed at a measured and diplomatic pace in private. This particular problem _did_ represent the real possibility of the creation of additional legal problems for any number of third parties in a present manner.

Thus the communication of the problem in the manner it was communicated was reasonable. There was no error.

Posted Apr 11, 2007 22:53 UTC (Wed) by rfunk (subscriber, #4054) [Link]

I'm glad Our Editor is trying to strike a middle ground and push for more
diplomatic sort of thing in the future. I wish more people around here
(and over there) could do that.

Posted Apr 11, 2007 23:39 UTC (Wed) by ncm (subscriber, #165) [Link]

First among these must be that Marcus, the amateur bcw developer, didn't think that committing file versions to (public) CVS amounted to "distribution". That was the "mistake" that Theo alluded to, over and over, and that Michael, who complained, couldn't see as a simple "mistake" because it happened repeatedly. I.e., Michael saw him distributing copyrighted code over and over, while Marcus didn't think he was distributing at all. Michael thought Theo was claiming the copying itself was the mistake, and objected that it could not have been accidental.

(If OpenBSD used Monotone, or a similar distributed repository, it mightn't have come up, because he would have been checking the code into his local repository.)

Another was when Theo announced that Michael was calling Marcus a thief by saying the copying and distribution couldn't have been a "mistake". Copyright violation isn't thievery. Distributing somebody else's code with the copyright notice filed off is not allowed, but the remedy is just to stop distributing (i.e. take it out of public CVS), and no criminal codes are violated.

Posted Apr 12, 2007 3:32 UTC (Thu) by paravoid (subscriber, #32869) [Link]

As a result, there are actually open specifications on the hardware -- unlike most drivers where the code *is* the specification.
Usually, BSD developers can only read through the GPL code to implement a driver and try(?) hard not to copy actual code (i.e. derive) from Linux.

In this case, there was no reason of reading or copying the code from Linux.
There were open specifications, like those that Theo has been asking from every vendor by *publicly* attacking them (talk about PR...)

The bcm43xx project went through the trouble of having distinct teams, one to read the proprietary code and one to write the GPL one, so their code would not be tainted by any implementation details.
The particular BSD developer had _open specifications_ and instead he preferred *copying* the implementation from Linux.
Not to mention replacing all ocurrences of "bcm43xx" with "bcw", stripping the GPL license, stripping the copyright, adding his name and making numerous CVS commits on the way.

How can this be called "an honest mistake"? It's nothing but honest.
This is a blatant copyright violation and an insult on the excessively time-consuming work of the bcm43xx developers.
IMHO, it should be treated as such. Michael Buesch was too *kind*.

I'm happy this was public and all of we were informed.
The deletion of the bcw driver was an unforunate event but I'm happy for it because the BSD developers (and its benevolent dictator) would not do what was needed, again IMHO, in this case: reverting the driver before the commits of the infringing code and banning the developer who made that commit from further development of this particular code.

Posted Apr 12, 2007 6:56 UTC (Thu) by peha (guest, #2168) [Link]

If people often do similar things as Marcus Glocker his misstake may not be so big, and thus going public with the misstake is not a big thing either.

On the other hand if the misstake is big then going public is necessary to prevent future misstake.

Per

Posted Apr 12, 2007 8:19 UTC (Thu) by nim-nim (subscriber, #34454) [Link]

2. the OpenBSD people had already started distributing the contentious code, in fact SUN was looking at adapting their driver for Solaris. There was no way to handle this quietly at this stage - one had to notify third-parties because third-parties were already getting involved

Writing it has been mishandled by both sides is misleading. The initial notification was not closing any doors (one could fault it for being impersonnal, but given previous bad blood between the projects that was a good thing), and the Linux people did not react to the numerous flamebaits the other party shovelled at them.

Every way you look at it OpenBSD folks brought this on their heads themselves. Given the circomstances the Linux project has been pretty gracious about the whole thing.

Posted Apr 12, 2007 12:10 UTC (Thu) by BrucePerens (guest, #2510) [Link]

Bruce .

Posted Apr 12, 2007 15:18 UTC (Thu) by mheily (guest, #27123) [Link]

It's too bad that the bcm43xx team chose to work under the GPL since reverse engineering a complex piece of hardware is such a difficult thing to do that we need all the free software developers we can get. The end result is a driver that is only useful as a "glue" between the kernel and the hardware, due to the use of magic numbers, undocumented registers, etc.

What is even worse is that the bcm43xx team is openly hostile to the idea of Broadcom using their driver to create a proprietary binary-only Broadcom driver for Linux. What's so terrible about having a a fully functional vendor-supported driver that you can study, reverse-engineer, and use to improve the capability of the free bcm43xx driver? Is nothing better than something?

If the driver were freely licensed under the BSD or ISC license, all of the free operating systems -- and even the commercial ones like Solaris and OS X -- could use it and contribute to it's development. A device driver is not like a normal piece of software, it is really only useful for one thing: talking to a specific class of hardware. There is no reason to lock it away behind a restrictive license.

Posted Apr 12, 2007 16:32 UTC (Thu) by leoc (subscriber, #39773) [Link]

Posted Apr 16, 2007 19:38 UTC (Mon) by intgr (subscriber, #39733) [Link]

Article writes:

OpenBSD developers do honestly care about the provenance and legitimacy of their code. So the claims were taken seriously; OpenBSD leader Theo de Raadt remarked "This is a major problem in our code base" and said that the issue would be resolved.

Theo's full comment in the e-mail states:

We always try to make our stuff as clean as possible too. In fact, I think no other code base out there is as clear of violations as ours. This is a major problem in our code base.

I originally interpreted the above comment as Theo's bragging of a clean code base, then sarcastically claiming that being "clear of violations" is a major "problem" in their code base, implying that Linux developers have no business in complaining about it.

Please don't turn this into a flame war, but did anyone else get it that way? Did Theo mean it that way?

Posted Apr 19, 2007 17:53 UTC (Thu) by jimmybgood (guest, #26142) [Link]

When a writer gets to the conclusion and starts it with the phrase, "Needless to say...", he should take stock and think about saying something that does need to be said. Well, I'm in a generous mood, so I'll give you an example for free.

You did say one thing that needed to be said, "The initial contact from the Linux side was clearly mishandled." You put in your 2 cents worth - good! But, you didn't really apply any analysis. So why did they handle it that way? And why did Theo respond the way he did? I have no idea about the former, but I do about the latter.

Look at the code. Marcus Glocker is never going to be a great coder. He was assigned a project, but really didn't have the skill to make much headway. Trying to deny his failure, he started to cheat, so that he could show some progress. He got caught and was publically humiliated. Theo backed him up. You know, if I were to pick one developer that I would want to have with me should I get jumped by gang-bangers on the way home from a pub, it would be Theo de Raadt.

Before you start thinking, "Gee, jimmybgood thinks my article is worth two cents," let me say that you blew it on the last sentence. "...we can only hope that all of the people involved will approach a solution in a way which allows that rational discussion to take place."

Certainly, I don't. Few things are as entertaining as a Theo de Raadt flame fest. Your subscribers don't want to read about rational resolutions. That's why there are 102+ comments here. Your subscriber-only article is nothing more than a lame opportunity to gossip. Hundreds of forums encourage users to do that for free.

Why? Because, writing something that's worth paying to read is really, really hard work and, like coding, requires talent that most people don't have. Even Bruce Schneier repeats himself.