An attempt to backdoor the kernel [LWN.net]

An attempt to backdoor the kernel

Posted Nov 7, 2003 8:34 UTC (Fri) by jamesh (subscriber, #1159) [Link]

You seem to be confusing the issue yourself.

Would you be willing to sell/support a piece of software (proprietary or free software) and provide a warranty if you knew it had defects that might affect your clients? It sounds like a great way to get sued. You would want to minimise the risk as much as possible.

Larry is essentially saying that the chance of data loss with some other source code management systems is too high to make supporting them profitable. ie:

[amount of money lost in lawsuit] * [probability of lawsuit] > [profit from selling support/warranty]

Providing a warranty like this is a commercial activity -- you would be stupid to take on a liability like that without getting something in return. So it seems to be the right term to use here.

Arch documentation

Posted Nov 7, 2003 9:19 UTC (Fri) by lolando (subscriber, #7139) [Link]

> GNU Arch obviously doesn't create this problem, and it has a user
> community and plenty of Free documentation as a bonus.

Quick reminder: the documentation is Free-for-the-FSF, but not Free-for-everyone. Specifically, it is, as far as I know, released under the GNU Free Documentation License, the Freedom of which is not recognised by everyone (see the mighty dispute between the FSF and Debian) for a start, and it even includes Invariant Sections, which should make it clear that it is not quite Free. *And* at least one of the invariant sections contains text that is controversial.

As for the "plenty"... No man page, no info page, just the one tutorial (which was outdated last time I tried it).

This is not a troll. I'd love to use TLA / GNU Arch, which seems to have the features I want. But I found it easier to get started with Subversion, even though it doesn't have all of them. The Subversion documentation is just much more polished.

Arch documentation

Posted Nov 7, 2003 10:47 UTC (Fri) by coriordan (guest, #7544) [Link]

to lolando:
I accept your point about the GFDL, indeed I'm not a fan of the GFDL myself.

I hadn't noticed the lack of infopages. I'll see if I can find someone to fix this, or stick it on my todo list for early 2004. There is a more than just a tutorial though: Quick Introduction, Quick Reference, Reference Manual, Tutorial, FAQ.

to jamesh:
> Would you be willing to sell/support a piece of
> software (proprietary or free software)

It seems Tom Lord is happy to do this. If you read my previous comment again, you'll notice that I linked to a page offering support for GNU Arch for a fee.

> and provide a warranty if you knew it had defects that might
> affect your clients? It sounds like a great way to get sued.
> You would want to minimise the risk as much as possible.

Well, I'd provide a warrany, if you don't specify how good it has to be. How about "I'll fix all problems you have with GNU Arch, if they occur on Mars". Any good? no. So lets look at the BK warranty:

Where's BitKeepers warrany? here it is:
BitMover represents and warrants for a period of ninety (90) days ("Warranty Period") that it will make a reasonable effort to ensure the Software operates substantially in accordance with the applicable Documentation

...it then goes on to list 8 things that could invalidate your license, and then:

NEITHER BITMOVER NOR ITS LICENSORS MAKE ANY OTHER WARRANTIES, EXPRESS OR IMPLIED, WITH RESPECT TO THE SOFTWARE. BITMOVER DOES NOT WARRANT THAT THE FUNCTIONS CONTAINED IN THE SOFTWARE WILL MEET YOUR REQUIREMENTS OR THAT OPERATION OF THE SOFTWARE WILL BE UNINTERRUPTED OR ERROR-FREE.

...only mildly better than my mars warranty. They're not exactly liable for much, are they?

Arch documentation

Posted Nov 7, 2003 14:41 UTC (Fri) by jamesh (subscriber, #1159) [Link]

It seems Tom Lord is happy to do this. If you read my previous comment again, you'll notice that I linked to a page offering support for GNU Arch for a fee.

That is consistent with what Larry said earlier. He said that it would be difficult/unproffitable to support an SCM system that relied on hashes alone to identify files. IIRC, Arch doesn't fall into this category.

As for the BK license you link to, it states that when you buy the software, you aren't getting support. Section 7 seems to indicate that you can buy support separately. The support contract is most likely separate.

You might not like the BK licensing (I wouldn't feel too comfortable relying on it for my own software either), but Larry hasn't really said anything controversial here.

Arch documentation

Posted Nov 7, 2003 21:50 UTC (Fri) by coriordan (guest, #7544) [Link]

> That is consistent with what Larry said earlier.

Larry said a lot of things. Some were quite confused.
He compared Free Software to commercial software, so I gave an example that is both.

and he said that "Commercial software has to be paranoid, it's part of the deal", so I pointed out that his company disclaim virtually all warranty, and that GNU Arch support is available.

So, with commerce, support, and warranty out of the way, I think the only thing that no one addressed was my LKML quote about competition and proprietary file/protocol-format lock-in tactics:
If you are trying to copy BK, give it up. We'll simply follow in the footsteps of every other company faced with this sort of thing and change the protocol every 6 months. Since you would be chasing us you can never catch up. If you managed to stay close then we'd put digital signatures into the protocol to prevent your clone from interoperating with BK. -- Larry McVoy, LKML

Arch documentation

Posted Nov 8, 2003 2:58 UTC (Sat) by lm (guest, #6402) [Link]

> Larry said a lot of things. Some were quite confused.

Funny, I don't feel confused. I must be so confused that I don't realize I'm confused :)

Our license is standard boilerplate, it's no different than other license and that's with good reason. The boilerplate exists because of previous lawsuits and changing it is not a good idea.

I'll tell you a story about that. Our original commercial license was written by me and it was a license you would have loved. It had a clause in there that said if you hit a severe bug and we wouldn't or couldn't fix it promptly, we'd come to your site and pull your data out of BK and put it into the source management system of your choice, retaining all revision history such as dates, user names, etc. A large two letter company that builds chips took offense at this clause. How could that be possible? The clause was designed to make the customer feel good, we were standing behind our software to the extent that we'd drop everything and help the customer if something went wrong (a policy which we have to this day even if it isn't in our contract, ask any BK user).

The company pointed out that it was just fine if we did that for them, but suppose we had sold a pile of seats to Sony Japan. And Sony had some problem and half our engineering team had to fly to Japan to extract the data and put it in Arch which was just not done yet so we had to sit there and fix Arch as part of the contract. Where does that leave our two letter company? They are getting crappy support because we are off honoring a contract clause that put us at too much risk.

Think about that. It's really smart. They were looking ahead and they educated us as to why it is bad to be different. It's certainly OK to be a little different but in general you want to do things the way other people do them because those ways have withstood the test of time.

Beating us up about our boilerplate is just silly and naive. You might as well attack 100% of the companies which ship commercial software. You haven't found anything that is different in our license from theirs, it's all the same. So why pick on us? Especially given that we are a company who has given away their technology to help your cause, given away hardware and bandwidth to help your cause, given away salaries to help your cause, and this whole thread is about how we prevented a trojan horse from getting into Linux.

And you're attacking us? It's hard to see how that makes sense for anyone other than a zealot and that doesn't help your cause, it hurts it.

Arch documentation

Posted Nov 8, 2003 5:28 UTC (Sat) by coriordan (guest, #7544) [Link]

So you legaly promise crappy support, but you actually give very good support whenever possible. ok.

"So why pick on us?" - It's nothing personal, I reject all proprietary software.

"we are a company who has given away their technology to help your cause"
You have developed software, but you have decided to use copyright law to prevent users from helping themselves or eachother. This decision to exert power over your users completely contradicts my cause.

Your decision to use secret file format/protocols to prevent competition reminds me of why proprietary software must be rejected. Your business model relys on control, and to this end it compels you to do whatever's neccessary to maintain this control. Like when Pavel Machek started to write a BKclone at home on his own time, you contacted Pavels boss, asking him to pressure Pavel into not writing the software, you even complained that Pavels boss should have made him choose between that home project and keeping his job.

No level of warranty can makes it okay to treat people this way. People deserve freedom.

Arch documentation

Posted Nov 8, 2003 5:52 UTC (Sat) by lm (guest, #6402) [Link]

Just out of curiousity, how do you reconcile your obviously negative view of our company with the undisputed point that we just did the free software world a pile of good? If your precious open source tool was the one that was used this security flaw would likely be in the kernel right now.

While you are at it, how do you reconcile your obviously negative view with the fact that we produced a BK->CVS gateway so you can have the source you want in a 100% God fearing politically correct form? You're quick to jump on anything that supports your point of view, but isn't it interesting that this evil company is the one that is actually _doing_ the work that needs to be done? Pavel & Co are great at making noise but have you looked at the code? There isn't any.

If you were to stop and think for a minute you'd realize that we have to have a profitable business if we are going to keep on giving out the support that we do to open source world. It costs us more than $100K a year to do what we do for you, actually, a lot more than that now that I think of it, it's probably more like $250K or so. You're oh so eager to beat us up when we protect the very money it is that we use to help you but I don't see you coughing up that cash, that time, that software, or that support. I'm open to a better way to do things but in case you haven't noticed, nobody else has stepped forward with anything except a lot of talk.

Arch documentation

Posted Nov 8, 2003 7:44 UTC (Sat) by coriordan (guest, #7544) [Link]

You only solved a problem you created. If it was Arch and Arch2CVS, anyone and everyone could be running integrity checks, but you've created central control.

BK bashing on lkml was bad advertising, so you made a gateway to hush the protestors. Yes you are putting effort into your plan, it's a pity Pavel didn't finish his clone, and it's unfortunate that Linus trades away his freedom.

"more than $100K a year to do what we do for you"
You don't do anything good for me, you just make my job harder. Your free hosting for open source projects is just part of your marketing plan.
You "have to have a profitable business"? so do microsoft. You've chosen the same business method as them, but you target a harder userbase so you have to make a few more concessions. Don't think that people will call you a samaritan for these concessions.

Silly zealots

Posted Nov 8, 2003 15:37 UTC (Sat) by lm (guest, #6402) [Link]

You're right, you figured me out. I joined the kernel development 10 years ago, worked with Linus for years, all the while carefully planning to use them to make money.

And even though I was the 4th person at Google, and even though it was obvious that I could make tons of money at Google, I choose to leave that place and start a source management company because I thought that would make *more* money than Google. And you, with your incredible insight, have seen through my dastardly plan. Rats! Foiled again!

Sounds like the Spanish civil war

Posted Nov 9, 2003 17:58 UTC (Sun) by vblum (guest, #1151) [Link]

IMO, one of the saddest spectacles in history is the Spanish civil war. It was lost not
necessarily because the republican forces were weaker than their fascist opponents. It was
lost because different factions among the antifascists attempted to eat one another at a
time when they should have stood together.

Not that Free Software vs Big Money is even remotely similar to that - for all their market
dominance and strategies, Microsoft et al. have a many good people and have nothing to do
whatsoever with people the likes of Franco - this here is software, not crimes against
humanity!

But the lesson is an important one - in Spain, the idealists failed miserably because they
refused to distinguish between their friends and their true enemies. It's a history well worth
a read - it makes you want to cry.

Ciaran: I respect your stance for free software (and usually appreciate your comments; I only
respond because I think this thread is over the top). However, is it really a good idea to
alienate those who are actually on our side? For all the "proprietary or not," Larry has done
the FLOSS community a rather material favor. He could have chosen otherwise.

Larry: I read many of your posts on why you keep BK licensed as it is; and, I see your need to
run a business carefully to keep it stable. But: How certain are you that you could not (in the
longer-term future) get away with a service + dual licensing model (such as Qt et al)? I
realize that your customer base are developers, and that makes it difficult - these people
are the very people that know how to clone and run a development-oriented system.

On the other hand, your customers also face deadlines (at least if they're in big companies)
- they might just pay for service from the source. Dual licensing would likely appease this
unfortunate noise that keeps surrounding your substantial and, presumably, widely
appreciated contributions. That noise must be exasperating, too - any thoughts?

cheers, V.
(Armchair General)
[my content management is reiserfs; my IDE is emacs]

war

Posted Nov 9, 2003 19:28 UTC (Sun) by coriordan (guest, #7544) [Link]

BitKeeper offers an immediate practical convenience on condition that we ignore the issue of freedom. If we accept this deal, will we ever have a Free Software SCM that rivals BitKeeper?
We didn't all accept the proprietary Qt. Now we have GNOME, and Qt has been GPL'd.

If Linus chose Arch, the whole community would have benefitted from increased developer interest in Arch. Maybe it would now have the features it lacks compared to BitKeeper.

BitKeeper is not a friend of the Free Software community. It's a friend to Linus, but Linus is not fighting for our freedom.

this here is software, not crimes against humanity!
The software divide between 1st & 3rd world countries is a humanitarian problem. Free Software is a solution.

re:war

Posted Nov 9, 2003 20:30 UTC (Sun) by vblum (guest, #1151) [Link]

errm ... just to explain my wording (crimes against humanity) - I wanted to put my own
example back into perspective, and only my own - nobody else had implied anything
remotely similar to Franco et al here, and I just wanted to make sure I could not be misread.
If my implication was that anyone else had - sorry about that.

I do see the freedom-related issues, but there must also be a path to get there; BK seems to
me a reasonable part of that path. Look at Qt vs. Gtk - yes, Qt is now GPL'd thanks to the
tireless pointing to the issue, and the world is now a better place for that. But - without
KDE, I highly doubt that Gnome would have taken off anywhere near the way it did - this
was a beautiful example of how creative competition can work.

If Larry's contribution ultimately ends up making Arch (or whatever else) a stronger system -
great. And if this can be done without hurting Larry's business in the long run (cause he
doesn't seem like a bad guy, and I'm sure he'll be happy to adapt if he can) - all the better.

re:war

Posted Nov 10, 2003 11:11 UTC (Mon) by coriordan (guest, #7544) [Link]

Software was going proprietary, so RMS started GNU, Qt was proprietary, so he started GNOME, BitKeeper is proprietary, so he endorsed Arch and it's now a GNU project. It's true that solutions are born from problems, but I wouldn't use this as a basis for supporting the problem :-)

Sounds like the Spanish civil war

Posted Nov 9, 2003 21:54 UTC (Sun) by lm (guest, #6402) [Link]

Re: could we make a business based on service

The service model has been tried before in this space. We *spend* more in a year providing free services to the open source world than has ever been made from supporting an open source management system. Ask Tom Lord how easy it is to convince people to spend money in this space, he spent the last year begging for enough money to keep his internet connection on.

Contrast that with having to pay a dozen engineers and you start to get the picture.

Re: BitKeeper limits your freedom

I really don't want to argue about this and I would like this to be my last post to this thread (and I'm off to the beach with my family and no laptop so there is a good chance :)

We are sensitive to the needs of the open source world and we do our best. BK has always made it trivial to get the data out of BK if you want to do that. If that's not enough, we built and run the BK->CVS gateway so that the zealots don't even have to touch BK. That's as much as we can do, if it doesn't make you happy, I'm sorry about that, but I can't help you.

Sounds like the Spanish civil war

Posted Nov 9, 2003 22:15 UTC (Sun) by vblum (guest, #1151) [Link]

I know - no annoyance intended, thanks for taking the time to respond. I guess I always
have the Trolltech example in mind. I also realize BK and Qt cater to different spaces.

Have fun at the beach! (I should be in the mountains, really ...)