Sponsored link
Vyatta –
Linux & Open Source
Alternative to Cisco –
Advanced Routing,
Firewall, VPN, QoS..
Free Download ->
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
LWN.net Weekly Edition for November 26, 2003Examining an attack on the GPL On November 21, a law firm called Wolf, Greenfield & Sacks, P.C saw fit to issue a press release on the evils of the GPL. By the reckoning of Steve Henry, a "senior intellectual property lawyer" with the firm, the GPL is indeed scary:
This "time bomb" lurks because a popular license for open source,
the GNU General Public License, (GPL) is "viral." The license
attaches to any product with GPL-licensed code, including a
derivative work, he said. The entire software package becomes open
source and the company thus must distribute it freely and let
anyone copy it. A widely used open-source utility, for instance,
could "infect" hundreds of software products and destroy their
commercial value.
We found this reading of the GPL to be interesting, so we asked Mr. Henry to explain his reasoning a bit. We thank him for getting back to us; for the curious, we have put his full response on a separate page. We'll just look at the core of his claims here. What Mr. Henry tells us is:
Those who portray the GPL as an entirely innocent and voluntary
instrument take a simplistic view of the GPL itself as well as of
both copyright law and contract law. They often project onto
others the benevolent behaviors and actions they attribute to
themselves. The problem is that others are not always so benevolent
and if the GPL is an enforceable contract, then it may not only be
enforceable by the licensor, but also by third-party beneficiaries
(under at least some conditions).
So, if you see the GPL as a contract, those who have received GPL-licensed software can enforce that contract's provisions against you. How could that be a problem? According to Mr. Henry:
So, if a company downloads a GPL product, and incorporates it into
the company's product in such a way that the company's product is
considered a "derived" work or a work "containing" the downloaded
code, not only is the company obligated to use the GPL to
distribute its product, but also it is obligated not to charge. And
its licensees automatically receive a license under GPL terms for
the original code. If the company uses a different license (a) it
could be liable for copyright infringement, (b) it could be liable
for breach of contract, and (c) it could be subject to a court
order for "specific enforcement" of the GPL obligation to
distribute the derivative work under the GPL. The licensor of the
downloaded code could enforce the GPL, as might a licensee of the
company (as a third-party beneficiary).
Mr. Henry's point (a) is not controversial; if you use copyrighted work in violation of the license that applies to that work, you are infringing the copyright. There is nothing unique to the GPL there. Point (c) is the crux of the matter: Mr. Henry claims that, if you distribute a product containing GPL-licensed code, anybody receiving that code could sue to have your proprietary code relicensed. The fact that nobody has ever attempted to do this is irrelevant by this analysis; in the future somebody could make a try at it. One could argue that, even if this reasoning holds, there is no real problem here. If a company does not wish to abide by the terms of the GPL, it should simply avoid incorporating GPL-licensed code into its products. Once again, the GPL does not differ from any other software license in this regard: if you do not like the license, nobody forces you to use the code. But the fact is that, by this argument, GPL-licensed code is more actively dangerous than other code. If you get caught using somebody's proprietary code, all you have to do is settle the copyright infringement claims and get on with life. With GPL-licensed code, you still have the infringement issue, but you could also be forced to give your proprietary products away. That would be a heavy price for a company to pay just because one of its employees slips some GPL-licensed code into its product. But does this reasoning hold water? We dropped a note to FSF counsel Eben Moglen to get his opinion on Mr. Henry's argument. His response was:
So far as "specific performance" is concerned, there is *no* legal
support for the claim. "Specific performance" is the name of a
contract remedy; the GPL is not a contract. In the event of
copyright infringement the relevant possible remedies are: (1)
damages, actual or statutory; and (2) an injunction to prohibit
infringing distribution.
If the GPL is not a contract, what is it? If you look at §106 of the U.S. copyright code, it states:
Subject to sections 107 through 121, the owner of copyright under
this title has the exclusive rights to do and to authorize any of
the following: (1) to reproduce the copyrighted work in copies or
phonorecords; (2) to prepare derivative works based upon the
copyrighted work; ...
One of the rights given to copyright holders is to authorize others to create copies and derivative works. The GPL is that authorization: you have the right to create certain kinds of copies and derived products from GPL-licensed code. You have not signed a contract with the copyright holder, and you have not paid any sort of consideration, which is a required part of any legal contract. So you, as the recipient of GPL-licensed code, do not have any contract rights against those who distributed that code to you. Even the copyright holder lacks such rights, though the holder does have the right to claim infringement if the provisions of the GPL are not followed. Mr. Moglen concluded with: "This talk about 'incorporating' GPL'd code in a product leading to forcing the rest of the product open is scare-mongering." We are inclined to agree. Anybody who is truly concerned about such issues, however, should discuss it with their own lawyer rather than taking our word for it.
Lawyers in charge Anybody following the SCO Group story is aware that, in the last couple of weeks, the company has issued a new set of threats. Among other things, SCO claims that it will, soon, file suit against at least one Linux user. It is tempting to disregard these threats as just more bluster coming out of the company. Threats against other Unix vendors have failed to come to pass, the deadline for the company's "half-price Linux License" promotion continues to recede, the flood of invoices they promised us never appeared, etc. Why should things be different this time? When the weakness of SCO's case and the fact that a copyright suit would require a rather more straightforward unveiling of the company's evidence is considered, more lawsuits may seem unlikely.There is, however, a recent Gartner Group pronouncement which is relevant here:
SCO has declared in filings with the U.S. Securities and Exchange
Commission that its competitive position could decline if the
company can't obtain additional financing. The latest share issue
will dilute shareholders' investments about 3.5 percent. It comes
on top of a previously announced arrangement giving Boies, Schiller
& Flexner a 20-percent share in SCO if the company were sold. SCO
also received an investment of $50 million from BayStar Capital in
return for 17.5 percent of outstanding shares. We believe that
these moves compromise SCO's mission as a software
company. Increasingly, the legal and financial aspects of the
intellectual property infringement cases will absorb the company's
attention, and a law firm will be in an increasingly powerful
position to set the overall agenda for its compensation. Therefore,
SCO will likely pursue claims against Linux users quickly.
Of course, one could rephrase the above more succinctly: the company has no revenue stream and the lawyers are running the show. SCO has no real alternatives to income from litigation at this point, and its lawyers have nothing to lose from filing more lawsuits. Gartner could be right: SCO might indeed try to open up more legal fronts in the near future. If the company chooses its targets carefully, it might just succeed in finding one that will decide to settle rather than get involved in a long intellectual property case. Or so SCO management must hope. At this point, however, there is enough information about the company's claims out there that any SCO target which takes the time to research the situation may well turn out to be less of a pushover than SCO might wish. In fact, as SCO carries out its search for the softest targets, chances are good it will pass over any company which makes it clear that it will fight back. Potential recipients of SCO licensing claims would do well to bear that in mind.
The CAN-SPAM bill examined The U.S. House of Representatives passed a version of the "Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003," on Saturday. Commonly referred to as the "CAN-SPAM" bill, the House agreed on a version of the bill very similar to the bill passed by the Senate in October. This makes it likely (but not certain) that the U.S. will soon have a national law governing unsolicited commercial e-mail (UCE) -- better known as "spam" (or any number of less polite terms) by the rest of us.Very few outside of the Washington beltway or the Direct Marketing Association (DMA) seem convinced that the CAN-SPAM bill is going to put a halt to spam. A number of people, including several state Attorneys General have argued that CAN-SPAM will make matters worse, rather than better. There is a fair amount of evidence to support this opinion. The CAN-SPAM bill actually has the effect of legitimizing spam so long as it is non-fraudulent and provides the recipient with a means to "opt-out" of future e-mails. This is a big win for the DMA, and a major loss for the rest of us. Having to opt-out of receiving spam from each and every "legitimate" source of spam is a burden that should not be placed on the user. Given that there are thousands of legitimate businesses that will seek to make use of e-mail marketing, users are going to be doing a lot of opting out. What about a "do-not-spam" list? The CAN-SPAM Act does contain a provision to create a national "do-not-spam" list. This can only be seen as a tactical error of gargantuan proportions. While a "do-not-call" list may succeed in reducing or eliminating unwanted telemarketing calls, spammers operating beyond U.S. borders are unlikely to be deterred by the CAN-SPAM provisions. Indeed, getting a copy of the the "do-not-spam" list will likely be a high priority for offshore spammers looking for a roster of known-good e-mail addresses. Users who place their e-mail addresses on a "do-not-spam" list may avoid spam from legitimate businesses, but will still find themselves subjected to unwanted e-mail from offshore spammers. Happily, the CAN-SPAM bill does not require the Federal Trade Commission to create a "do-not-spam" list, it only permits the creation of such a list. Given that the FTC has objected to this provision, implementation seems unlikely. Even worse, the bill overrides state legislation that may be more stringent than the CAN-SPAM bill. This is presented as a solution to the difficulty for "law-abiding businesses" to comply with anti-spam laws, but complying with multiple state laws is a cost of doing business. This should not be an excuse to shift the burden to users and organizations rather than businesses seeking to advertise their goods or services. By overriding state laws that require "opt-in" rather than "opt-out," the CAN-SPAM Act is giving merchants free reign to send unwanted spam, at least until the user asks to be left alone. While one may argue that any laws against spam are unlikely to be effective, at least laws like those passed in California are stacked in favor of the user rather than the spammers. Some have claimed that the CAN-SPAM Act may make anonymous e-mails illegal altogether. John Gilmore argues that the bill would make it a crime "to use any false or misleading information in a domain name or email account application, and then send an email." However, this is a somewhat liberal interpretation of the bill, which actually says:
Whoever, in or affecting interstate or foreign commerce, knowingly...
(3) materially falsifies header information in multiple commercial electronic messages and intentionally initiates the transmission of such messages, (4) registers, using information that materially falsifies the identity of the actual registrant, for 5 or more electronic mail accounts or online user accounts or 2 or more domain names, and intentionally initiates the transmission of multiple commercial electronic mail messages... A close reading of this language indicates that merely sending an anonymous e-mail or e-mail with a falsified header would not automatically be a crime. The provisions only apply to those "in or affecting" commerce, which would seem to exclude a user who sends an anonymous e-mail for non-commercial purposes. It might be that the language could be abused to include someone who has sent an anonymous e-mail that may have some impact on a business, perhaps a whistleblower or disgruntled customer sending out negative commentary about a company, but then the user would have to send a relatively large number of e-mails. Further on, the bill classifies "multiple" as "more than 100 electronic mail messages during a 24-hour period," up to 10,000 during a 1-year period. Unlike some of the state laws, which allow users to sue spammers directly, the CAN-SPAM Act seems to put users at the mercy of others to take action against spammers who do not comply. The Act explicitly addresses the ability of state and federal agencies to prosecute spammers under the provisions of the Act, and provides authorization for ISPs to bring action against spammers. There are a few good things about the CAN-SPAM Act. The bill specifically states that nothing in the bill requires an ISP to carry or deliver spam. This prevents spammers from claiming that an ISP is in any way required to deliver spam, even if it is explicitly legal. The bill also contains a provision that allows the court to force a spammer to pay legal fees for the party that initiates proceedings. This may make it more likely that prosecutors will take on spammers who violate provisions of the bill. CAN-SPAM also makes it illegal to for spammers to use open relays or other methods of hijacking computers to send spam, and requires a working method to opt-out of e-mail. Again, these provisions are unlikely to deter offshore spammers, but the provisions are welcome nonetheless. Finally, the bill provides for vendor liability. This means that if a vendor contracts with a third party to send e-mail on their behalf, the vendor can be held liable for failure to comply with the CAN-SPAM provisions. This prevents companies from contracting with offshore spammers to escape legal liability. In all, however, the CAN-SPAM Act is disappointing legislation. It fails to affirm users' rights to consent to e-mail marketing, and instead burdens them with the responsibility of opting out of unwanted marketing. The bill will negate tougher state laws against spam that have the backing of the general populace in favor of weakened provisions that are backed by lobbyists. After more than six years of Congressional foot-dragging, we will likely be stuck with a law that does little good, and may even serve to exacerbate the problem. It may well be that the spam problem is not solvable by legislation, but, even if it is, the CAN-SPAM act is not the law we need. (For those who are interested, the full text of the proposed law is available in PDF format.)
Page editor: Jonathan Corbet Security Security news Infrastructural attacks on free software The recent compromise of several Debian servers has been well publicized. It appears that the Debian archive was unaffected, and Debian users need not be worried about malware entering their systems by that path. Certainly this event, like the recent kernel backdoor attempt, has raised awareness of the vulnerability of our software repositories. An attacker who is able to slip a bit of evil code into the wrong place could compromise many thousands of systems.Less attention has been paid to the cost of having the Debian servers be unavailable for the better part of a week. Your editor, waiting for a working version of psycopg to be uploaded to unstable, was merely inconvenienced. Other users, who may have planned significant installations or upgrades, or who were trying to discuss problems with Debian developers will have been rather more inconvenienced. Debian developers, trying to get 3.0r2 out the door, were stopped dead for a while. These consequences are costly enough by themselves, but consider what could happen. Had a major security incident broken out while the Debian servers were unavailable, it would have been difficult or impossible for the project to respond quickly. Linux systems are living things; even the most stable systems need occasional updates to stay secure. Linux users depend on the availability of their distributions' supporting infrastructure to keep their systems up to date. This sort of attack, by making that infrastructure unavailable, hurts users worldwide, and could leave them unable to respond quickly to serious security problems. Once again, we have been warned that our infrastructure is too fragile and insufficiently secure.
New vulnerabilities iproute: local denial of service
opera buffer overflows
Pan: denial of service
phpSysInfo directory traversal
Updated vulnerabilities 2.4 kernel - several vulnerabilities
apache: buffer overflows in mod_alias, mod_rewrite
apache2: Denial of Service vulnerability
CUPS: denial of service
epic4: buffer overflow
ethereal: multiple remote and local vulnerabilities
Filename disclosure vulnerability in fam
fetchmail may crash on specially crafted message
fileutils/wu-ftpd: denial of service
glibc - buffer overflow
glibc: local DoS vulnerability
glibc: DNS stub resolvers contain buffer overflow vulnerability
gnupg: key validation
gtkhtml: malformed messages cause crash
hylafax: remote code execution
KDE: Two issues in KDM
kernel-utils: setuid vulnerability
libnids: remotely exploitable buffer overflow
libpng, libpng3: buffer overflow
mikmod: buffer overflow
minimalist: unsanitized input
mpg123: heap overflow
mplayer: remotely exploitable buffer overflow vulnerability
Nessus NASL scripting engine security issues
nfs-utils xlog() off-by-one bug
openssh: timing attack leads to information disclosure
postfix: denial of service vulnerabilities
proftpd: remote root shell
pstack: Buffer overflow
Multiple-use vulnerability in Safe.pm
sane-backends: several vulnerabilities
sendmail: remotely exploitable buffer overflow
stunnel: signal handler reentrancy DoS
File overwrite vulnerability in tar and unzip
Multiple vendor telnetd vulnerability
vim - modeline vulnerability
webmin: session ID spoofing
wget: buffer overflow
XFree86 4.3.0 integer overflows in font libraries
zebra: denial of service vulnerability
Resources Quarterly CERT Summary The quarterly CERT Summary - which describes the security issues being most actively exploited - is out. Of the nine vulnerabilities, six affect only Windows systems. The summary does, however, point out ongoing problems with OpenSSL, OpenSSH, and sendmail.
Page editor: Jonathan Corbet
Kernel development Release status Kernel release status The current development kernel is 2.6.0-test10, finally released by Linus on November 23. This patch contains a month's worth of accumulated fixes for serious bugs, and not a whole lot else. Linus notes that there is still a problem associated with preemption out there; the kernel preemption code itself is likely not at fault, but some subsystem or driver out there somewhere is not being entirely preempt-safe. That problem had not been tracked down as of this writing.The long-format changelog contains the details for the patches incorporated in this release. Incidentally, -test10 has been dubbed the "stoned beaver" release. Linus also laid out his thinking for the future:
I'm planning/hoping on basically turning this over to Andrew, and
let him decide to make the final 2.6.0 or not. Timing-wise Andrew
is apparently going to be off for a few weeks, so regardless of
whether this turns out to be rock solid or not, we'll have a few
weeks of final testing before that were to happen. Which means that
I might still end up making a test11 if Andrew hasn't come back and
we find something that warrants it.
Linus's BitKeeper tree holds a small number of additional fixes. The current stable kernel is 2.4.22, but its time is coming to an end. Marcelo released 2.4.23-rc3 on November 21, with the idea that it would become the final release. Reality dictated otherwise, with the result that 2.4.23-rc4 came out on the 24th, and 2.4.23-rc5 on the 25th. The idea, of course, is that this one will become the final release; stay tuned.
Kernel development news BSD security levels for Linux The Linux Security Module (LSM) patch was intended to enable the creation of a wide variety of security regimes for Linux systems. So far, the main user of the LSM functionality has been the NSA SELinux module. But there are signs that other security-oriented developers are beginning to make use of LSM to implement different approaches.The latest such is the BSD Secure Levels patch posted by Michael Halcrow. This patch is intended to create something resembling BSD's secure level capability for Linux. Thus it implements an integer security level, which has useful values of zero to two. At level zero, the system functions as always - as if the module were not present at all. Zero is the default level, but the level can be raised (but not lowered) by writing the new value to /proc/seclvl. At level one, a number of actions become disallowed, including:
At security level two, a few additional actions are prohibited:
The "secure level" patch is thus a way of raising the bar for any potential attacker. At the higher levels, even a process with root privileges cannot make certain kinds of changes to the system. Normally, higher levels are forever; the only way to lower the secure level is to reboot the system. Note, however, that this module allows the administrator to include a small back door by specifying an executable that, when run, causes the secure level to be reset to zero. This feature may be useful for administrators who are converting a system over to secure level operation. Leaving the "emergency reset" option enabled permanently would be dangerously counterproductive, however.
Review: Linux Kernel Development Writing books about the Linux kernel is hard. The subject matter is vast, complex, and highly technical. It also is very much a moving target;![[Book cover]](/images/ns/linux-kernel-development.jpg)
today's kernel book becomes obsolete in a short period of time. So kernel
authors have to pick their subject matter carefully, time things well, and
enjoy their fifteen minutes of fame before somebody merges a patch and
their words begin the inevitable slide into obsolescence.
The latest kernel book to hit the shelves is Linux K | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||