Groklaw's open letter to SCO's Darl McBride [LWN.net]

From:		PJ <pj@groklaw.com>
To:		lwn@lwn.net
Subject:		Press Release and Groklaw's Open Letter to SCO's Darl McBride
Date:		Sat, 20 Sep 2003 12:18:08 -0400
Press Release

Open Letter Warns SCO's Darl McBride of Widespread Legal Action

Friday,  September 18, 2003

SCO Is Warned of Legal Action If Invoices Are Mailed to Linux Users

London, UK

Members of an ad-hoc group drawn from the open source/free software 
community today released an open letter to The SCO Group's CEO Darl 
McBride, responding to issues he raised last week in his "Open Letter 
to the Open Source Community".

The letter, written as a collaborative work at the web site Groklaw, 
warns McBride his company faces widespread legal action from the 
community, if SCO mails invoices to Linux users, as it has recently 
threatened to do by October 15.

The letter refutes the criticism of Linux, the open source community, 
and
the General Public License (GPL) made by McBride in his open letter, 
and rejects
the idea that Linux users need to purchase a license from SCO:  "We 
purchased GNU/Linux software in good faith, and we chose it precisely 
because it is released under the GPL. We will not accept your attempt 
to charge us a second time for a product that we have already bought 
and paid for, most of us from vendors other than yourself."

Groklaw's letter calls on SCO to immediately identify any infringing 
code, prove infringement if it can, and allow the code to be 
immediately removed:  "We do not need or want your legacy UNIX source 
code."

The letter makes the following points:

* It warns of the consequences of violating the GPL and explains the
connection between copyright law and the GPL.

* Sets forth legal steps the community members intend to take if SCO 
mails
invoices, as threatened.

* The open source community believes in and relies upon copyright, upon 
which the GPL is built, despite McBride's insinuating otherwise.

* SCO has not proven any infringing source code in Linux.

* Linux source code can be identical to UNIX but also legal; BSD source 
code
is in both.

* Open source polices its source code effectively, but can SCO say the 
same? Any proprietary software company can police its own code by 
simply looking at the publicly available Linux source code to check for 
copyright infringement at any time it wishes.

* SCO's calls for indemnification are a red herring.

* Calls on SCO to allow inspection of its LKP software, which the group
suspects includes Linux source code without authorization.

* SCO mischaracterizes the open source community as counter-cultural, 
whereas
in reality it includes many of the largest and most successful 
businesses in
the world.

* Linux already has a successful business model.

* Dual licensing is possible, using the LGPL.

* Asks how SCO could distribute its own version of Linux for years 
without
noticing that infringing code was in the kernel.

Groklaw also released a research document that contains "links to 
evidence supporting our assertions and other resources you may find 
helpful, such as links to information about the GPL and how it works . 
. . . We hope it will help you to understand our position better and 
that it will prove a useful resource to you and to others interested in 
this case."

The supporting research document "Digging for
Truth" is available online at the INQUIRER, a leading IT news website
located at:  http://www.theinquirer.net/?article=11649 .

About Groklaw

Groklaw is a technology legal news and research website, which is is
currently dedicated to providing daily news and analysis of the SCO 
Group litigation. For more information, please visit Groklaw at: 
http://www.groklaw.com .


Source: Groklaw

* * *

Dear Mr. McBride,

Recently you wrote an "open letter to the open source community"
published September 9, 2003 by LinuxWorld. This reply is from a group 
within the
open source / free software community. Because you addressed your letter
to our community-at-large, we thought we should answer you ourselves.

Our community isn't organized hierarchically like a corporation, so it
has no CEO or overall leader in that sense, except that Linus Torvalds
leads Linux kernel development and Richard Stallman leads the GNU
Project and the Free Software Foundation (FSF). We have written this
letter together on the website, which is a research and news site 
currently
dedicated to covering developments in the news about your company.

Quite a number in the group are software engineers, including
contributors to the Linux kernel. Others are proprietors of Linux-based
businesses or executives or employees of Linux-related businesses. A few
of us are lawyers, one is a paralegal, one a stockbroker, at least one
is a physicist, a couple are journalists, one is a retired policeman,
another a retired truck driver, others are in or have been in the
military, and some work or have worked in government. We also have
experienced UNIX programmers among us who personally witnessed the
history of UNIX since its inception, participated in its development,
and know the software well. One of us is a non-technical grandmother who
installed GNU/Linux herself recently and fell in love with the software.
We are a large, international and varied group of people, which is
appropriate because GNU/Linux is developed and used worldwide and the
open source community to which you directed your letter is both global
and diverse.


VIOLATIONS OF THE GPL AND COPYRIGHT LAW

Our first purpose in writing to you is to draw to your attention that
there are consequences to violating the GNU General Public License, the
GPL.

You have continued to distribute the Linux kernel, despite alleging that
it contains infringing source code. Simultaneously, you are attempting
to compel purchase of "Linux Intellectual Property" licenses for
binary-only use, the terms of which are incompatible with freedoms
granted under the GPL.

According to the GPL, any violation of its license terms automatically
and immediately terminates your permission to modify or distribute the
software or derivative works.  Note the wording of the GPL:

"4.  You may not copy, modify, sublicense, or distribute the Program
except as expressly provided under this License.  Any attempt otherwise
to copy, modify, sublicense or distribute the Program is void, and will
automatically terminate your rights under this License. However, parties
who have received copies, or rights, from you under this License will
not have their licenses terminated so long as such parties remain in
full compliance.

"5.  You are not required to accept this License, since you have not
signed it.  However, nothing else grants you permission to modify or
distribute the Program or its derivative works.  These actions are
prohibited by law if you do not accept this License.  Therefore, by
modifying or distributing the Program (or any work based on the
Program), you indicate your acceptance of this License to do so, and all
its terms and conditions for copying, distributing or modifying the
Program or works based on it."

Releasing software under the GPL is not the same as releasing it into
the public domain. Authors retain their copyrights to software licensed
under the GPL. Even when authors assign their copyrights to someone
else, such as to the Free Software Foundation, the copyrights remain
valid, but with the new owner. Therefore, subsequent to termination of
your permissions under the GPL, you are in the unhappy position of
violating the copyrights of the software authors, if you continue to
distribute their software. Under copyright law, you are not allowed to
distribute at all without their permission -- and they have chosen to
grant that permission only by means of the GPL.

YOUR INVOICES WILL PROVOKE LEGAL ACTIONS

With regard to the invoices you have said you will mail out by October
15, we caution you that we believe that any such action will expose you
to civil lawsuits under both federal and state consumer protection laws,
as well as to possible criminal prosecution and penalties should state
and federal agencies, attorneys general, and district attorneys decide
to get involved, which we fully intend to ask them to do upon receipt of
any invoice from you.


For just one example of state consumer protection laws, we suggest that
you read Article 22-A of New York's General Business Law, Sections 349
and 350. Similar laws are on the books in other states. The Linux kernel
developers also have copyright law to rely upon to protect their
rights.  Linux-based businesses may also avail themselves of other
commercial laws, such as trade libel law.

Should we receive invoices from you, we will initiate civil actions
under the anti-fraud and consumer protection statutes wherever we live,
according to our respective circumstances. We also intend to contact our
state attorneys general to request that they seek criminal as well as
civil penalties against you, in addition to injunctive relief. In
addition, we will file complaints with the FTC and other federal and
state agencies, as appropriate. Some individuals have already sent
letters to legislators in their respective states and in Washington,
DC.

We purchased GNU/Linux software in good faith, and we chose it precisely
because it is released under the GPL. We will not accept your attempt to
charge us a second time for a product that we have already bought and
paid for, most of us from vendors other than yourself. Furthermore, we
accept no license other than the GPL for GNU/Linux software.  For one
reason, it is the permission to modify our software that we treasure.
Here is how the GPL FAQ  explains the value of being able to modify
software: "A crucial aspect of free software is that users are free
to cooperate. It is absolutely essential to permit users who wish to
help each other to share their bug fixes and improvements with other
users."  This is one key to the justly renowned stability and
security of GNU/Linux software, and we have no intention of reverting
back to the Dark Ages of binary-only software permissions, having
already made the conscious and informed decision to escape from and
avoid such like the plague.


WE DO BELIEVE IN COPYRIGHT LAW

Despite the false impression you attempt to paint in your letter -- that
we are a lawless community that doesn't respect copyright law -- we wish
to inform you that we do believe in copyright law. It is the legal
foundation upon which the GPL is built, and we rely upon it to protect
our rights. If the Linux kernel developers didn't believe in copyright,
they would have released their software into the public domain instead
of choosing to license it under the GPL.

You are required by law to respect the Linux kernel authors' copyrights,
as well as the license they chose to use, the GPL. It is hypocritical to
complain of alleged violations of your copyrights and licenses while at
the same time disregarding the equivalent legal rights of others.

YOU HAVE SHOWN US NO INFRINGING SOURCE CODE

You have refused to show us, much less prove, any infringing source
code. If you showed source code that proved to be infringing, it would
be immediately removed. Linus Torvalds, Richard Stallman, and the FSF's
attorney, Eben Moglen, have each told you so repeatedly as men of honor.
You refuse to let that happen. Why? It appears to us it is because you
have no infringing source code to show.

Your most recently filed 10Q shows your UNIX business declining, even as
Linux continues to grow in market acceptance. If you are refusing to
show the source code to prevent its removal because you wish to charge a
perpetual toll, in effect riding on the coattails of the more successful
GNU/Linux software, that is a shameful tactic. You cannot compel Linux
developers to retain your source code, even if any infringing code
existed. An alleged infringement is curable by removing the infringing
source code.  If you can identify any infringing source code, please do
so, prove it is infringing, and let us remove it, because we surely do
not want it.

Even more shameful would be to try to destroy, co-opt, or make
proprietary, the labor of thousands of good-hearted volunteers who did
not volunteer to work for you, do not wish to be exploited by you for
your monetary gain, and have already chosen to release their creative
work under the GPL.

If your concern is that evidence will be removed before your claims
against IBM and its counterclaims against you can be heard in court,
that is a baseless concern, because the Linux source code is and always
will be publicly available for review by any court. Secrecy is not an
option under copyright law. If you make allegations of copyright
infringement, you must offer proof.

We do not need or want your legacy UNIX source code. It would be a
violation of the GPL to accept proprietary source code into the Linux
kernel. If there is proprietary source code in the kernel, we want it
removed just as badly as you do, perhaps more so, because we believe in
the GPL. Just because people will not walk through your front door to
buy your software, you have no right to compel them to pay you through
the back door for what they did not voluntarily choose to buy. You must,
therefore, try to find a viable business model without our compelled
participation.

Any claims you may have against IBM are between you and IBM. It is a
contractual dispute to which we are not parties. If you have any valid
contractual claims, they will be settled in a court of law, but your
remedies in that dispute lie with IBM and IBM alone, not with Linux
users. Even if some misappropriation were to be established, you cannot
collect twice for the same transgression. Further, we note that to date
you have filed no copyright claims against either IBM or Red Hat.

SOURCE CODE CAN BE BOTH IDENTICAL AND LEGAL -- THE BSD CONNECTION

Since the beginning of this year, you have claimed that there is
infringing source code taken from your version of UNIX and illegally
donated to Linux. But when two examples were shown at SCOForum, neither
supported your allegations. For six months, we have listened to analysts
say that some source code appeared similar, if not identical. Yet what
both they and you failed to investigate and determine is where that
source code originated, how and by whom it was added to the software at
issue, to whom it now belongs, and who is allowed to use it.

There is BSD source code in Linux which is legally there, and it will,
of course, be identical to or similar to BSD source code in your
software. The BSDi lawsuit revealed that the AT&T source codebase
includes a great deal of BSD source code. Caldera itself also later
released "Ancient UNIX" source code under a BSD-like license.
Consequently SysV contains substantial amounts of
source code that SCO and others have already licensed for use and that
the open source / free software community may legally use.

WE POLICE SOURCE CODE EFFECTIVELY -- DO YOU?

It took only a day or so for the source code shown at SCOForum to begin
to be identified by members of the open source community. If we do not
police source code effectively, as you claim, why were they able to so
quickly identify the code? You, in contrast, had no idea where that
source code came from, or to whom it belonged, or you surely would not
have used it to attempt to prove "infringement" of "your" source code.
The evidence indicates it is your due diligence system that is broken,
not ours.

If the legal departments of corporations represent to Linus Torvalds
that they have ownership rights to source code they donate, what more
can reasonably be expected? Do you have methods in place to prevent GPL
source code from being improperly inserted into your proprietary
software? Would you be willing to allow us to check for such violations?
We particularly wish to check your Linux Kernel Personality (LKP) source
code. We suspect that there may be GPL source code taken from the Linux
kernel and used in LKP without authorization, and we challenge you to
prove this has not happened by showing us your LKP source code,
throughout its complete development history to date.

Any proprietary software company can police its own source code in Linux
by checking the Linux source code. The Linux kernel is open to the
public. If you see any source code that you believe is yours, you have
only to speak up, and it will be immediately removed, upon confirmation
that it is infringing. That is what you should have done. It's a
superior feature in the open source method that all you need to do is
your own due diligence. Any interested party can verify that no
copyright infringements are taking place, simply by looking at the
published source code.  This creates strong incentives for honesty and
provides far greater protection for copyright holders than your
proprietary system, where source code can be misappropriated and hidden
and no one can check for it, short of a lawsuit. Perhaps that is why
proprietary software companies are so often locked in legal battles,
something you rarely see in the open source / free software
community.

With regard to broken systems, how could it happen that while working
with the Linux kernel source code for years -- and your company did --
you never noticed any infringing source code?  And how do you explain
that you released the allegedly infringing source code in your own
distributions of Linux for years without noticing it was in there?

If Linux did contain infringing UNIX source code that you failed to
notice for years, or noticed but did nothing to prevent, despite the
fact that the Linux source code was freely available at any time for
your review, it raises questions about your internal processes and
procedures for protecting your copyrights rather than demonstrating any
purported "breakdown" in the open source methodology.

INDEMNIFICATION IS A RED HERRING

Anyone considering surreptitiously inserting proprietary software source
code into Linux knows they would be quickly discovered and identified by
name. That is your indemnification and your protection. We believe our
system for policing source code is far more exacting and successful than
your own.

On the subject of indemnification, we note that the software license
which you propose to sell does not offer indemnification from lawsuits
brought by other companies.  And we think we should inform you that
warranties are permitted under the GPL: "1.  . . .You may charge a fee
for the physical act of transferring a copy, and you may at your option
offer warranty protection in exchange for a fee." We do not feel
we need it; the open source method protects us sufficiently, but it is
certainly negotiable if we wish to pay for it.

Proprietary software companies regularly file lawsuits against each
other for copyright infringement,  patent and trademark violations.
Microsoft has been found guilty recently in several cases, but despite
the fact that the GNU Project was begun in 1984 and Linus Torvalds began
the Linux kernel in 1991, there has never been a claim of copyright
infringement that we know of in all those years, let alone a finding of
guilt. The record shows which method has done a better job of policing
source code, which reveals that your call for indemnification is, to put
it bluntly, FUD.

WE RESPECT THE LAW

With regard to your talk of having experienced a DDoS attack and your
request that we aggessively police the community, your request is like
us asking you to police Microsoft to ensure it never again breaks
antitrust law or never again violates anyone's patents, trademarks, or
copyrights.

Just because you are both proprietary software companies, it doesn't
follow that you can control what Microsoft does or should be criticized
as if you condoned their actions just because you are in the same
proprietary camp. Whether it is individuals or companies that break a
law, it is wrong, but it reflects only on the individual perpetrator. We
expect you to make that distinction for us, as we do for you.

There is a legal process for such matters. Not everyone accepts as
established fact that there was an attack. The doubt is based on the
fact that your employees were quoted as saying that reports of an attack
were untrue and that you took your servers down for maintenance yourself
and then had trouble getting them back up again. We observed that the
"attack" kept business hours, Utah time, for much of that week.  If the
information your employees provided was false and there was in fact a
network denial of service attack on your servers, we naturally abhor
such behavior. Your implication that we would feel otherwise is deeply
insulting and offensive.

We would think, however, that a capable information technology company
that sells web services software would have the technical know-how to
handle a DDoS attack, if that is really what happened. Most such
companies do handle them without being brought to their knees for a
week. We are glad that you say you have since learned technical steps
you can take to protect yourself in the future.

WHO MAKES UP THE OPEN SOURCE COMMUNITY TODAY?

Kindly bring up-to-date your concept of the people and organizations
that make up the open source community. Your  letter attempted to
portray us as a counter-cultural fringe element. On the contrary, the
truth is that our community is very much in the mainstream already and
includes many of the largest and most successful businesses today,
including IBM, Red Hat, Merrill Lynch, Lucent Technologies, Unilever,
Verisign, Dell, Amazon, Google, Dreamworks, Los Alamos National
Laboratory, Oak Ridge National Laboratory, the US Department of Defense,
the US military, and many other federal, state, and local governments
and governmental agencies, including, by the way, the town of St.
George, Utah.

You can read a list of companies and governmental agencies that use
GNU/Linux at Linux International's "Linux Success Stories" webpage ( 
http://www.li.org/success/ ). The Linux
Documentation Project also has such a webpage, called "Powered by 
Linux!" ( http://sunsite.nus.edu.sg/pub/LDP/powered.html ) as does the 
Linux in Business website ( http://m-tech.ab.ca/linux-biz/ ) website. 
The Linux Counter calculates there are currently 18 million users of 
GNU/Linux software.

With so many businesses, educational institutions, governmental
organizations, and individual users switching to our software, we must
be doing something right.

LINUX ALREADY HAS A BUSINESS MODEL

Your inability to make your Linux business a success, while unfortunate
for you, parallels your company's failure to make your UNIX business a
success. Perhaps the problem isn't Linux, the GPL, or the open source
business model.

Economist Amy Wohl ( http://amywohl.weblogger.com/ ) that "The Open 
Source
Community Has a Business Model" and one that is successful. Ms. Wohl is
an analyst who has been covering IT for nearly 30 years and who
currently comments on the commercialization of new and emerging
technology. Here are her comments, which we include with her kind
permission:

"As an economist, let me assure you that Open Source has a business
model. It simply isn't one that a traditional company like SCO, which
expects to be paid for source code, can figure out. There are still lots
of companies that can charge for source code, but only when the source
code they are offering is valued by customers because it is unique or
convenient or offers other recognized value. Other companies (IBM is a
good example) charge for their Linux-compatible middleware source code,
but honor the Open Source community by supporting it with technical and
financial assistance and by strongly supporting the open standards that
permit customers to choose to use Open Source code when they prefer it
and purchased source code when they find it, for whatever reason, more
valuable. Then, as many posters have noted, IBM extends its business
model into the future by providing services to help customers plan,
design, implement, and customize whatever combinations of hardware, open
source, and proprietary code the customer prefers.<p>

"That is the new business model and it seems to be a very successful
one."

DUAL LICENSING IS AN OPTION

We suggest that you ask your attorneys to explain the Lesser
General Public License (LGPL) to you ( 
http://www.gnu.org/licenses/lgpl.html ). If they are not familiar with 
the LGPL, contact the Free Software Foundation, and they can help you 
to resolve your misunderstanding and confusion about the GPL and how it 
works and can explain to you how the LGPL can help your business to 
thrive, should you insist on continuing with the old proprietary 
software business model ( http://www.gnu.org/licenses/why-not-lgpl.html 
). Companies such as MySQL distribute software simultaneously under both
open source and proprietary licenses, a practice that is acceptable, if 
not
ideal, under the GPL.

It is not a violation of the GPL to sell software released under that
license ( http://www.gnu.org/licenses/gpl-faq.html#DoesTheGPLAllowMoney 
). As the GPL FAQ points out,  "The right to sell copies is part of the 
definition of free software."  The "free" in free software refers to 
freedom, not that you can get it gratis. Many of us have paid for our 
free software, simply because it's more convenient than downloading it 
or as a way to thank the wonderful folks who developed and shared it 
with the world. If you're looking for a successful business model, you 
might consider the tried and true model of satisfied customers.

We have prepared a research document with links to evidence supporting
our position and other resources that you may find helpful, including
information about the GPL and the LGPL and how they work. The Inquirer
is making our research document available online ( 
http://www.theinquirer.net/?article=11649 ) . We hope it will help you 
understand our position better and
prove a useful resource to you and others interested in this
controversy. We also believe it demonstrates that we have right on our
side and that we will win.

Thank you for writing to us. We appreciate the opportunity to answer
your letter. We trust you will give our response due consideration.
Thank you for your time.

Sincerely,

Members of The Open Source / Free Software Community at Groklaw

Copyright © Groklaw, 2003 Verbatim copying of this letter is
permitted in any medium, provided this notice is preserved.
(Log in to post comments)