RTS and the GPL [LWN.net]

By Jake Edge
November 14, 2012

GPL violations, or allegations thereof, are typically handled in private—unless, of course, they get to the lawsuit stage. That makes it rather surprising to see a GPL violation accusation on the linux-kernel mailing list. The code in question is the LIO SCSI target implementation, which was merged for 3.1 after a prolonged struggle with another contender; the alleged violator is Rising Tide Systems (RTS), which was the original developer and contributor of LIO. As might be guessed, the dispute is rather messy; there are more questions than answers.

The opening salvo was from Andy Grover to SCSI target maintainer (and RTS CTO) Nicholas Bellinger, with a copy to linux-kernel: "Your company appears to be shipping kernel features in RTS OS that are not made available under the GPL, specifically support for the EXTENDED_COPY and COMPARE_AND_WRITE SCSI commands, in order to claim full Vmware vSphere 5 VAAI support." Bellinger, however, didn't quite see things that way. He maintains that RTS owns the copyright to the code it contributed to Linux, so it can license it to its customers any way that it wants:

In fact, we are not violating GPL. In short, this is because we wrote the code you are referring to (the SCSI target core in our commercial RTS OS product), we have exclusive copyright ownership of it, and this code contains no GPL code from the community. GPL obligations only apply downstream to licensees, and not to the author of the code. Those who use the code under GPL are subject to its conditions; we are not.

But there is a wrinkle here. RTS is shipping a Linux kernel, along with its proprietary SCSI target module, as RTS OS. Proprietary kernel modules have always been controversial, but they have largely been ignored when they are descended from another operating system's driver (e.g. NVIDIA) and are not distributed with the kernel. If that doesn't hold, it could become a bigger problem, as Dave Airlie pointed out:

But if you distribute a kernel and a module in one place which I assume RTS OS does, then you are in dangerous territory and could be hit with cease and desist notices, which has happened to people shipping kernels and linked nvidia binary drivers before.

In response, Bellinger made a common mistake regarding the kernel's symbol export macros. The EXPORT_SYMBOL() and EXPORT_SYMBOL_GPL() macros are an advisory mechanism that kernel developers use in an attempt to show which symbols can only be used by GPL-covered modules. Importantly, avoidance of EXPORT_SYMBOL_GPL() symbols is not, in itself, an indication that a module is not a derived work of the kernel (and thus subject to the terms of the GPL). It's somewhat of a tricky distinction, but anyone releasing a proprietary kernel module should very likely be getting legal advice; lawyers should have little trouble understanding the intent.

Specifically, Bellinger responded: "we only use Linux kernel symbols that are not marked as GPL". That provoked a quick response from Alan Cox, who noted that the distinction lies in the question of whether the SCSI target module is a derivative work—"The symbol tags are just a guidance". Furthermore, "either your work is [truly] not derivative of the kernel (which I find wildly improbable) or you have a problem". Cox also mentioned one other potential problem for RTS, certain patents (notably read-copy-update) are only licensed for use by GPL-covered code.

There are some other things to consider as well. Bellinger clearly indicated that RTS maintains a separate repository for its proprietary SCSI target. The kernel's version of LIO has seen numerous changes and fixes from others, but those were contributed under the GPL; Grover questioned whether some of those changes were flowing back into the proprietary version. Without seeing the code, it's a little hard to say for sure.

Enter the lawyer

As it turns out, RTS has retained Lawrence Rosen, the well-known free software savvy attorney, for advice. He stepped into the thread in an effort to try to smooth things over a bit. He reiterated the RTS stance that it maintains a separate version that is completely owned by the company, which it licenses to its customers under non-GPL terms.

Rosen also maintains that Oracle v. Google in the US (and, in Europe, SAS v. World Programming) debunks the claim that using the Linux APIs automatically creates a derivative work. That's a bit lawyerly, as no one in the thread was making that particular argument. Cox, Airlie, Grover, and others were arguing that using the APIs could make a derivative work—in fact is likely to make one—but not that it automatically does so. In fact, Airlie gave two examples (the Andrew Filesystem and binary GPU drivers) where at least some in the kernel community believe derivative works are not created. In the end, though, the courts have not given us a definitive decision on what constitutes a derivative work in the software realm, which is part of the reason for the murkiness here.

Beyond that, Bradley Kuhn pointed out that Rosen's interpretation of those two cases is not universally held. He also noted that there simply isn't enough information available for anyone outside of RTS to make any real assessment regarding the proprietary code. Whether that code is a derivative work or not requires more information, which has, as yet, not been forthcoming.

There is yet another wrinkle here. Grover has been posting using his redhat.com email address, which could give the impression that this is some kind of official Red Hat accusation (though Grover never claims that it is). Both Bellinger and Rosen drag Red Hat into the conversation, as do others in the thread. In fact, Rosen's response is copied to lawyers for both Red Hat and the Linux Foundation. That escalates the issue further, of course.

Enter the SCSI maintainer

Kernel SCSI maintainer James Bottomley was not particularly pleased with Grover's accusation. He questioned some of Grover's assumptions about which SCSI commands were actually supported by RTS OS, but also strongly suggested verifying how the software worked before slinging any more potential "libel". Bottomley seems concerned—perhaps overly—that Grover needlessly "exposes us all to jeopardy of legal sanction". Kuhn, at least, thought the legal dangers were overblown, and suggested that Grover continue to "seek facts".

As of November 13, no further responses from Bellinger or Rosen have been posted. In his initial post, Grover noted that he had tried to discuss the problem with Bellinger and RTS CEO Marc Fleischmann via private email, without getting a "useful response". Grover's public post finally did elicit some response, one that he thinks clearly indicates a GPL violation. But he also pointed out another sticky issue:

But let's forget licenses and talk community. Looking back, can anyone say that your push to get LIO accepted into mainline as the kernel target was in good faith? Back before LIO was merged, James chose LIO over SCST saying to the SCST devs:

"Look, let me try to make it simple: It's not about the community you bring to the table, it's about the community you have to join when you become part of the linux kernel."

RTS behaved long enough to get LIO merged, and then forget community. James is right, community is more important than code, and licenses enforce community expectations. RTS has appeared just community-focused enough to prevent someone else's code from being adopted, so it can extract the benefits and still maintain its proprietary advantage.

It is an unprecedented situation and one that is likely to be messy to unwind. The Linux SCSI target appears to be missing features because its maintainer is adding them to a proprietary driver that ships with the GPL-covered kernel. There is certainly nothing that forces Bellinger or RTS to make their improvements available unless, of course, there is a GPL requirement to do so. But if some other developer were to come along with an implementation of the missing features, is Bellinger going to accept them into the mainline driver, forcing (further) divergence with the proprietary code?

The open nature of the accusation, and that it is associated with Red Hat (fairly or not), will also complicate the issue. It is unlikely that the company would set out to address a possible violation in this way, but it now finds itself in a sticky situation. Extracting itself may be difficult, and completely ignoring the problem may not be possible either.

If it turns out that there is no GPL violation, there has still been some damage done, it would seem. The idea behind the choice of the GPL for the kernel is that competitors all have equal access, but in this case RTS appears to be in a privileged position with respect to SCSI target features. That would seem to violate the spirit of Linux development, even if it doesn't violate the license.

(Log in to post comments)

RTS and the GPL

Posted Nov 15, 2012 8:03 UTC (Thu) by airlied (subscriber, #9104) [Link]

what do you mean a slippery slope?

Like if you are going to have an opinion that is wrong, then you could at least clarify it!

the GPL derived work stuff hasn't changed since the GPL was written, so not sure how you think a slope suddenly appeared.

RTS and the GPL

Posted Nov 16, 2012 23:46 UTC (Fri) by SLi (subscriber, #53131) [Link]

It's not about "the GPL derived work stuff", but the copyright law derived work stuff. No license gets to define derived work (or can apply at all to works that are not derived works, since the author of an original work does not need the permission of the author of anybody else to distribute his original work). That is, whatever FSF or the copyright owner of a work opines about whether, and in which cases, linking constitutes making a derived work is, unfortunately, largely irrelevant.

Now, that is certainly not to say that their opinion would be in my opinion bogus. In fact I find the FSF interpretation of copyright law fairly well founded, even after Oracle v. Google, but it is still in reality fairly unsettled territory.

And while FSF's FAQ re: derived works may not have changed, there certainly has been some case law development (like Oracle v. Google) about what is a derived work and what is not.

RTS and the GPL

Posted Nov 15, 2012 18:59 UTC (Thu) by xxiao (subscriber, #9631) [Link]

I for one fully support SCST as an alternative. Solid, easy to use,etc. I recently did a 10G iSCSI project based on SCST(no LIO) and it performed extremely well.
Tried to use LIO, it's a pain to pull together the kernel, and its user space and all that together(RTS repo keeps changing, document out of date,..). Wish I will never be forced to do that in the future.

RTS and the GPL

Posted Nov 15, 2012 19:42 UTC (Thu) by agrover (subscriber, #55381) [Link]

I'm fine with LIO the code. The fact that it's in upstream now makes many integration issues easier, and lets us all work on it to improve it.

I've been working on improving the out-of-box user experience for the LIO user tools as well. With my enhanced version of targetcli (in Fedora 17+, repos on github) configuring a scsi target can be pretty painless. I've done some Youtube screencasts on it, and added a manpage for targetcli.

At this point, I'm definitely not in favor of dumping LIO, but we need to get these license and maintainer potential conflict-of-interest issues straightened out.

(not speaking for my employer)

RTS and the GPL

Posted Nov 15, 2012 12:44 UTC (Thu) by lacos (subscriber, #70616) [Link]

(personal opinion)

Rosen also maintains that Oracle v. Google in the US (and, in Europe, SAS v. World Programming) debunks the claim that using the Linux APIs automatically creates a derivative work.

For me that's the most interesting bit. It directly contradicts this example:

However, when a library provides a significant unique capability, like GNU Readline, that's a horse of a different color. The Readline library implements input editing and history for interactive programs, and that's a facility not generally available elsewhere. Releasing it under the GPL and limiting its use to free programs gives our community a real boost. At least one application program is free software today specifically because that was necessary for using Readline.

Incidentally, the readline interface has since been reimplemented under one of the BSD license ("libedit"). Judging by the used APIs and nothing else, the program alluded to above would now qualify as a derivative work of two libraries (alternatively), each differently licensed.

I think that a statically linked binary would indeed be derivative work (because it incorporates code). However the source code of the client app incorporates no library code. I'm not sure about a dynamically linked binary, as it can still contain (compiled) macros from the specific library header files.

Hmmm, I think the above citation references CLISP. A very eye-opening thread under the link, one that flies in the face of the rulings cited above, apparently.

RTS and the GPL

Posted Nov 15, 2012 13:40 UTC (Thu) by pboddie (subscriber, #50784) [Link]

As far as I recall, if a work will be combined with a GPL-licensed work (let us forget the confusing "derivative" or "derived work" terminology), then the GPL states that the former work must be available for licensing in a way that is compatible with the redistribution of the combined work under the GPL. Even if the BSD licence made a similar stipulation, the former work would still only need to be available under a choice of licences in order to satisfy combination with both readline and libedit, for example, and this is quite probably why you have things like Mozilla offered under such terms.

The whole business with proprietary drivers is really (or should really be) about pronouncing exceptions to the kernel licence instead of defining what "derivatives" and "derived works" are.

RTS and the GPL

Posted Nov 15, 2012 14:39 UTC (Thu) by tseaver (subscriber, #1544) [Link]

> The whole business with proprietary drivers is really (or should really
> be) about pronouncing exceptions to the kernel licence instead of
> defining what "derivatives" and "derived works" are.

The "derivative work" bit is what allows copyright law to apply: unless
the distributed work is derivative from the GPL'ed work, the GPL doesn't
have scope under law to restrict its distribution.

RTS and the GPL

Posted Nov 16, 2012 11:01 UTC (Fri) by pboddie (subscriber, #50784) [Link]

It's true that the GPL relies on such mechanisms of copyright law - that the law could invoke the meaning of "derivative work" to delimit the scope of the licence when two works are combined - and I appreciate the correction/clarification.

However, I suppose I should have been clearer: the derived/derivative terminology, whether used in the law or not, often takes on a life of its own as people define those things according to what their own intuition tells them and then use those definitions to evaluate licensing-related claims, despite the fact that they now might be referencing distinct concepts altogether.

This is why GPLv3 doesn't use such terms at all, but instead, when referencing works used together with a licensed work (section 5), mentions such works as being "combined with it such as to form a larger program". I suppose this makes the intent much clearer (as intended when the licence was drafted) and independent of any particular legal venue.

RTS and the GPL

Posted Nov 16, 2012 16:21 UTC (Fri) by Jonno (subscriber, #49613) [Link]

> This is why GPLv3 doesn't use such terms at all, but instead, when referencing works used together with a licensed work (section 5), mentions such works as being "combined with it such as to form a larger program". I suppose this makes the intent much clearer (as intended when the licence was drafted) and independent of any particular legal venue.

Not quite. If the "larger program" does not meet whatever the local legal definition of a derivative work (or equivalent in the local law) is, it doesn't matter what the GPL say, because you don't need the license to distribute it.

RTS and the GPL

Posted Nov 16, 2012 17:33 UTC (Fri) by gmaxwell (subscriber, #30048) [Link]

If you are distributing my work (say as part of a binary in your product) then you need a valid license to do so. The "local legal definition of a derivative work" doesn't really come into in in a case where a party is distributing other people's GPLed works, the situation is different for vendors like NVIDIA who do not.

RTS and the GPL

Posted Nov 17, 2012 22:12 UTC (Sat) by man_ls (subscriber, #15091) [Link]

But if I am not distributing your work directly, then either what I am distributing is a derivative of your work or I don't need a valid license. As in, anything that is not an exact copy of your binary; it might be a portion, an adaptation, a heavily modified version, a library, a single source code file or whatever. If under copyright law the distributed work is not a derivative (e.g. I only copied a functional interface) then I don't need a license; otherwise I do. And then there is also fair use, which makes more of a grey area the cases where I am only citing certain small portions.

If NVIDIA is distributing a derivative of my work they need a license, regardless if they have created it or not. It is just like creating an original story featuring Mickey Mouse; it will probably be seen as a derivative of Disney's work and, under the perpetual regime, need a license from Disney. Or a translation to a different language -- again, the text is completely written by another person, but it is based on another text so it is a derivative. And there is a creative element in a translation -- witness how bad translations can butcher an original.

I don't think there is enough case law in software to clarify all the possibilities -- for example, is translating to a different language a derivative work? So unless it is a clear cut case (i.e. literal copy of a significant portion of non-functional code written by someone else integrated into a commercial product) then a judge would need to discern if the result of something is a derivative work or not, and then it would involve the "local legal definition".

RTS and the GPL

Posted Nov 16, 2012 21:03 UTC (Fri) by pbonzini (subscriber, #60935) [Link]

Indeed, I have no idea how Oracle v. Google is of any relevance. That was about reimplementing an API, not about using it.

Nobody cares about RTS reimplementing the LIO APIs. Everybody cares about using using the Linux APIs.

But then IANAL, etc. etc.

The Squelching

Posted Nov 15, 2012 16:09 UTC (Thu) by bkuhn (subscriber, #58642) [Link]

The only disturbing thing from all this is that there has been a lot of public-list and back-channel pressure to squelch the public discussion about this issue. I'm pretty convinced that I'll never get to see the facts of the matter because of that.

BTW, these situations aren't uncommon when an alleged GPL-violating product is expensive. The few customers that buy it don't really have an incentive to report the violation, so the violation continues. For example, I know of a very expensive home automation system that I'm pretty sure comes with no-source-nor-offer, but the product comes with custom installation and costs tens of thousands of USD, and I don't know anyone wealthy enough to have bought it to report the violation officially, so I'm left with just my suspicions.

I'm a true believer, though, in the USA concept of probable cause. Some criminals go free because there's no probable cause to believe they've done wrong. While copyright infringement is (and should always be) a civil matter, an analogous concept applies: suspicion of a violation isn't proof, and while I suspect a violation in lots of cases, I only pursue compliance matters when I believe the evidence available is strong enough that it “passes” the Rule 11(a)(b)(3) requirements of civil procedure in the USA.

That means that some GPL violators get away with violations because no one who has witnessed the violation will come forward with facts. It's a pity, but it happens more than you might suspect. I certainly rather that scenario than than a BSA-style police state.

Posted Nov 22, 2012 19:19 UTC (Thu) by Wol (guest, #4433) [Link]

Not where I am!

Okay, if I engage in copyright infringement it is purely a civil matter (private individual for private use), but if downloaded copyright material wholesale from the net, and sold it, I could be jailed for it!

And actually, I think that's right. Commercial copyright infringement is a criminal offence with hefty fines and jail sentences. And while I may think the copyright regime is too strict, people who flout the system should face criminal penalties.

Cheers,
Wol

Posted Nov 22, 2012 20:29 UTC (Thu) by bkuhn (subscriber, #58642) [Link]

I don't agree that criminal penalties are appropriate for copyright infringement, and I've said so in public and directly the USA government. While I believe violating the GPL is morally wrong, I don't believe that everything that's morally wrong must be a crime.

Posted Nov 23, 2012 9:46 UTC (Fri) by nix (subscriber, #2304) [Link]

Why should reducing a company's potential profit by an infinitesimal amount result in taxpayer-funded jail time? Is jailing you likely to reduce the future probability of your reoffending? (No.) Is the crime so heinous that you should be kept off the streets lest you threaten the public with your foul crime again? (No.) Is the crime so hideous (like e.g. littering, or breathing loudly) that the Daily Mail is calling for the imprisonment of all dangerous scum who do it in order that the little childrun not be threatened and society get its vengeance jollies? (No, and there are damn few things you can say *that* about.)

Doesn't seem like a crime worthy of imprisonment, or indeed being a crime at all, to me.