IBM brings the GPL to court
IBM's memo in support of its motion for a partial summary judgment on its
copyright counterclaims is now available, via Groklaw, in plain text
format. This one is truly worth a read; it is far shorter than
the complex memo for IBM's other motion (the attempt to do away with the
breach of contract charges), and it shows just how a GPL infringement case
can be brought to court. SCO, which has made its disdain for the GPL clear
over the last year and a half, is going to have an interesting time trying
to dance around this one.
Summary judgment motions depend on the lack of a dispute over the relevant
facts, so IBM leads off with its list of the facts which, it says, are
undisputed. The very first one is a statement that Linux development
started with Linus; this, of course, is very much a disputed fact in many
circles. The SCO Group, however, is unlikely to have a great interest in
ensuring that the GNU Project gets proper credit for its work, and thus
will probably not make a big deal out of this issue in court.
IBM goes on to list its contributions to Linux; these include the
Enterprise Volume Management System (which was never actually merged into
the kernel), PowerPC64 support, the Omni print driver, JFS, PCI hotplug
support, and more. Copyrights for all of these contributions have been
registered. Each contribution is also listed with the exact number of
lines of code; IBM is showing that it is possible to be specific about such
topics. IBM points out just where SCO has distributed copies of each of
the claimed contributions to Linux.
The final set of "undisputed facts" has to do with the GPL and SCO's
actions relative to the GPL. IBM notes that it has not authorized the
copying, modification, or distribution of its code except under the terms
of the GPL. SCO, meanwhile, has denied the validity of the GPL and has
attempted to add restrictions to IBM's GPL-licensed code by way of its
lawsuit threats and "Linux license" scheme.
Several paragraphs describing SCO's activities have been redacted from the
publicly-available version of the memo. It would be most interesting to
know what IBM is arguing that cannot be made available to the world as a
whole.
With the "undisputed facts" in place, IBM moves on to the "argument"
portion of its memorandum. The first step is to reiterate that IBM owns
its copyrights, and that SCO has, beyond doubt, redistributed the code.
The full memo includes a "side-by-side comparison" of IBM's code with the
version that appeared in SCO Linux Server 4.0. This step may have been a
bit more than was truly necessary, given that SCO does not dispute that it
distributes Linux, but IBM is being sure that all the bases are covered.
IBM still has to show that SCO's copying was copyright infringement,
however. So that's where the argument goes next:
As stated, IBM has not authorized the copying, modification, or
distribution of the IBM Copyrighted Works, except pursuant to the
terms of the GPL or LGPL. SCO does not have permission or any
license to copy, modify, or distribute the IBM Copyrighted Works
for at least two independent reasons: (1) SCO has repudiated
and disclaimed the GPL (and thus also the LGPL) as a source of
legal rights, and (2) SCO has breached the GPL and LGPL and
thus lost any rights it might have had under the GPL or LGPL.
The first argument is interesting. IBM has no trouble citing statements
from SCO challenging the validity of the GPL; some of them appear in SCO's
own filings in the same case. But the argument that, by publicly trashing
the GPL, SCO has forfeited its right to distribute GPL-licensed code does
not convince everybody. The case law on the subject appears to be
inconclusive; there is no real way to know how the court will treat this
argument until the time comes.
The second part of the argument - that SCO has flat-out breached the terms
of the GPL - is more straightforward. SCO has very clearly attempted to
impose additional restrictions on GPL-licensed code, and that is not an
action that the GPL allows. IBM should have little trouble establishing
this breach as a fact.
Inquiring minds are most curious to see how SCO will respond to this
argument. SCO's lawyers would appear to have these options:
- Argue that SCO could not have breached the GPL, because the GPL is
not a valid license. As has been pointed out many times, this
argument puts SCO into a position of clear infringement: if the GPL is
not a valid license, then SCO has no license to distribute IBM's
code.
- Argue that SCO has adhered to the terms of the GPL. The facts say
otherwise in the strongest of terms, however; every time SCO states
that Linux cannot be used without an additional license - while still
distributing the code in question - is a clear breach of the license.
- Argue that the GPL gives SCO the right to redistribute the code, but
that the GPL's prohibition on additional restrictions does not apply,
or cannot be enforced. This argument would be an attempt to get the
court to turn the GPL into something closer to the BSD license.
The third alternative above is the only one which holds out any hope for
SCO in this case. Given that the U.S. courts have, in general, not been
hospitable to the idea of rolling back the rights of copyright holders, it
seems unlikely that this court would take a different tack now. It is also
hard to see how the court could strike sections of the GPL without creating
grave difficulties for many other software licenses.
So SCO is unlikely to prevail in an attempt to disable the operative terms
of the GPL - in the long term. What SCO might be able to do is to
create enough confusion around the issue that the judge is unable to hand
down a summary judgment. In that case, IBM would have to argue its case in
a full court trial next year, and SCO would get some breathing room to
continue its campaign.
Such an outcome seems improbable, however. The facts seem clear, and SCO
appears to be very much on the wrong side of them. In your editor's
untrustworthy opinion, IBM seems much more likely to prevail on this motion
than on its companion motion regarding the breach of contract claims. That
result would clearly paint SCO's actions as an infringement of
copyright, and it would put an end to SCO's attempts to put a tax on
Linux. At the same time, it would put an end to claims that the GPL has
never been tested in court. That would, needless to say, be an interesting
day.
Other happenings on the SCO front
The hearing date for IBM's motion for a partial summary judgment on its
tenth counterclaim (seeking a declaration that none of its Linux activities infringe upon
SCO's copyrights) and SCO's attempt to dismiss that counterclaim is
coming. So the memos to the court are flying in all directions.
SCO has filed its reply
memorandum (PDF format) in support of its motion to dismiss or stay count ten. Therein,
SCO claims that IBM's counterclaim is not "compulsory," that, instead, it
is unrelated to the main case and could be considered separately. SCO says
that IBM's counterclaim adds "undue complication and complexity" to the
case, and thus should be dismissed. SCO wants the issue to
simply go away.
IBM has also filed a
reply memorandum (PDF); this one is in support of its motion for a
partial summary judgment on the tenth counterclaim. It makes for
interesting reading; IBM is putting its full strength into ripping apart
SCO's claims. IBM's reasoning is, essentially:
- SCO has made repeated public claims that the Linux kernel contains
code copied directly from Unix, so the issue is relevant.
- SCO has never shown any evidence that this copying has occurred, and has no such
evidence to show.
- The only thing that was even close to evidence was a declaration by
Sandeep Gupta. IBM says it should be ignored because it was filed too
late, because Mr. Gupta has no personal knowledge that would make him
an expert witness, and the approach he used to compare Unix and Linux
code is flawed.
In support of its position, IBM has submitted a declaration from one
Brian Kernighan on the flaws in the code comparison methodology and
stating that Mr. Gupta's results are incorrect. When it comes to Unix
code, one might assume that Mr. Kernighan has a bit of expertise to
draw on.
- SCO's claims that it needs more time for discovery are bogus because
SCO has been saying for over a year that it has tons of evidence
already.
- SCO did not even bother to try to answer most of IBM's "undisputed
facts," and its filing was not organized properly.
- SCO can't even put up convincing evidence that it owns the copyrights
on Unix.
The memo goes on for 56 pages; it is an interesting read. It has long been
clear that SCO management's public statements would come back to haunt the
company; IBM is now doing its best to make that happen.
IBM has also been busy trying to strike the declarations SCO has been
filing in support of its positions. IBM's reasoning is usually that the
person making the declaration is in no position to know what he is talking
about. For some amusement, see this
version of John Harrop's declaration posted on Groklaw; all of the
portions which IBM wishes to strike have been indicated there. If IBM is
successful, little of the declaration will remain.
SCO is due to report its third quarter results. That announcement will,
according to this press
release, happen on August 31. SCO should be able to show more
SCOsource income this time around, since the money from EV1Servers.Net
should finally appear in its accounting. It is hard to imagine the numbers
as a whole being good, however.
SCO has announced,
again, that it has made peace with BayStar. It might have actually
happened this time.
Grokking the Grokster Decision
August 25, 2004
By Pamela Jones, Editor of Groklaw
The best way to understand what a case means if, like me, you aren't a
lawyer, is to ask some. In the recent
decision in MGM v. Grokster et
al, filed on August 19, it's easy to do so, because there were amici
briefs filed by law professors on both sides of the question. There is no
better way to understand what a case is about than to read such
briefs. The Electronic Frontier Foundation, which represented StreamCast
Networks, Inc., one of the victorious defendants, has
made the legal documents
available.
On MGM's side, 9 law professors submitted an
amicus brief explaining why they felt the lower court had made a
mistake in granting Grokster and StreamCast a partial summary judgment and
requesting that the Ninth Circuit Court of Appeals reverse the decision.
On the other side, 40 law professors submitted an opposing amicus brief, supporting the lower
court's decision and urging the Ninth Circuit Court of Appeals to affirm
it. Both groups tried to persuade the three-judge panel that the law was
on their side.
All of this goes to show you that the law is not reliable like math. You
don't ever want to plot a course to Mars based on legal opinions, because
you might not arrive safely at your destination. You can always find a
lawyer somewhere who will argue a side, both sides, or all sides of any
issue. In the Grokster case, some of the finest lawyers in the world
contributed their thoughts, on both sides, making it one of the most
interesting and significant cases of the year.
The appeals court decision was extraordinary, in that they accepted what
can best be described as arguments you can find in Larry Lessig's book,
"Free Culture," argued most ably by EFF's Fred von Lohmann for StreamCast
and Michael Page of Keker & Van Nest for Grokster. The oral arguments are
a delight to listen to, and EFF has them available as Ogg, WMA and MP3 files. Groklaw has made an unofficial transcript of the proceedings.
The court decided to draw a line in the sand and tell the Hollywood
copyright forces that their push to extend and morph copyright law beyond
its current borders, in effect to rewrite the Supreme Court's 1984
Sony-Betamax decision (Sony Corporation of America v. Universal City
Studios, Inc., 464 U.S. 417, 104 S. Ct. 774, 78 L. Ed. 2d 574), so as to
make it easier to go after contributory infringers, was unacceptable.
Sony held that as long as a technology has substantial non-infringing
uses, it can't be held liable for copyright infringement by users. The
Hollywood copyright forces were trying to get the court to accept instead
the new idea that if infringement levels reached a certain percentage,
then manufacturers and programmers could be held liable.
Remembering that this is the same appeals court that upheld
Napster, it's an extraordinary development and, in my opinion, a most
significant victory, particularly for programmers, who stood to lose a
great deal had the case gone the other way. Why? Because the copyright
forces wanted to hold distributors of software tools -- and that means
programmers too, not just companies -- liable for the infringements of
end users.
It was nothing less than an attempt, as the ruling put it, to get the
judiciary to fashion a new way to go after distributors and programmers
for vicarious and contributory copyright infringement. Why? Simply
because, as the law professors on MGM's side delicately put it, such a
transmogrification would satisfy "the policy interests of indirect
liability -- particularly for online infringement, where locating, suing,
enjoining and recovering from millions of direct infringers is extremely
difficult and inefficient."
In short, MGM and the music industry wanted the courts to make it easy for
them. Going after the actual infringers on P2P systems is hard and
expensive. So, they asked the court to let them go after those making and
distributing software that some might use for the infringement instead.
The conceivable consequences of such an expansion of vicarious liability
were set forth in oral argument by Mr. Page:
To expand the law of vicarious liability, to attach liability to
anyone who in theory could have acted as a policeman, leaves no border
on it at all and leaves every technology vendor, every inventor, every
merchant at the mercy of copyright holders who want to look around and
go, 'You could have done something about this. You're liable.'
The court refused, based on the Sony-Betamax case, telling them to get
Congress to fashion a more nuanced remedy than any court can give.
Distinguishing the technology of Napster from that of Morpheus and
Grokster (the centralized server in the former), the court noted that 10%
of files shared on the systems are non-infringing, which is, in the words
of Judge Noonan in the oral hearings, "a lot of files".
The court accepted the argument that every new technology is met by the
music and entertainment industry with cries of theft and predictions of
copyright doom along with demands that courts shut down the new
technology. This happened with the invention of cassette recorders, VCRs,
radio, and cable, as Lessig points out in "Free Culture". But throughout
history, US courts have been loath to kill a new technology just to
satisfy the old, vested interests affected by the new tech. Once again,
the court has told those clamoring for a judicial remedy that they must
seek a remedy in the legislature, if any is to be found.
Jason Schultz, an attorney with EFF, explains the significance of the
Grokster decision, particularly to programmers:
One of the biggest wins in Grokster for programmers was the explicit
rejection of two principles that the RIAA and MPAA were pushing the Court
to adopt in order to 'update' the Sony Betamax rule. If either rule had
been adopted for Peer to Peer companies, it would have applied to
programmers as well. Both rules would have been disastrous.
1) The first was that makers of technology (including programmers) should
be liable for the infringements of their users based on the proportion of
users who use the technology to infringe, instead of whether or not the
code is merely capable of substantial non-infringing uses. The Plaintiffs
argued that since over 90% of P2P users infringed copyright, that was high
enough to hold the programmers and distributors liable. This would have
been a very dangerous rule for any programmer, especially those who
release open source code, because it is almost impossible to predict all
the ways in which your users will employ your code. . . . [T]o hold . . .
programmers . . . liable for the future, unpredictable and unintended uses
of code would change the legal landscape of programming dramatically and
make it a very dangerous road to go down. Fortunately, the Court rejected
this attempt to 'update' Sony Betamax and stuck with the time-honored rule
that any technology with a substantial non-infringing use cannot be held
contributorily liable for infringements by end users.
2) The second major victory was an explicit rejection of the RIAA/MPAA's
other proposal --- that under vicarious liability, programmers and
distributors of technology should be held liable for end user
infringements if they could have re-designed their products to allow less
infringement, but didn't. In this case, the MPAA/RIAA argued that the P2P
companies could have forced updates on users that installed filters into
their programs to filter out copyrighted works, but didn't. This 'willful
blindness', Hollywood argued, should make the P2P companies responsible
for the infringements of their end users. Such a ruling would have been an
absolute nightmare for any programmer, not only because again, it is
almost impossible to predict all the ways one will use a program to
infringe and then preemptively restrict them, but also because the reality
is that no venture capitalist will fund a software project in such a
world. If programmers and companies are liable unless they make their
programs as incapable of copying as possible, very few programs will ever
be written. The only pragmatic way to release a program, then, is to get
MPAA/RIAA approval beforehand -- essentially handing Hollywood veto power
over any new code or program released. Again, the Court rejected this
approach, giving programmers protection from both financial ruin and
attempts to undermine their freedom to write code as they see fit.
EFF took the case for just these reasons. We saw how Hollywood wanted to
change the law and all the bad precedent it would set. So we defended the
P2P companies on these principles in order to protect every technology
maker, including open source programmers. Under the eyes of the law, even
non-commercial open source programmers are no different than P2P companies
and without the legal protections in Grokster, all programmers would
suffer. Thus, EFF stepped up to the plate to defend the freedom to code
for everyone.
They not only stepped up to the plate. They hit a home run. Of course, the
losing side has the option of an appeal to the Supreme Court. And, as it
happens -- actually, I'm sure it's no happenstance -- there is already an
attempt to overturn Grokster's holding, by means of the Inducing
Infringement of Copyrights Act of 2004 [INDUCE], currently working its
way through Congress, with the backing of the RIAA/MPAA. It is sponsored
by Senators Patrick Leahy and Orrin Hatch, who has said it
is explicitly meant to reverse Grokster, so as to accomplish the very
things that the Ninth Circuit Court of Appeals just rejected. Such a law
would find companies and programmers liable if they release code that
makes it easier for copyright infringement to occur, although in light of
this stunning Grokster ruling, they may find it is a harder sell now,
since its language, as well as Mr. Hatch's in pushing it, contradicts the
Ninth Circuit Court of Appeals' decision.
Yes, that Mr. Hatch, the father of one of the attorneys representing
SCO, Brent Hatch. The apple doesn't fall very far from the tree.
In a case like this, it makes sense to distribute the result via the
available peer-to-peer networks. So, for those whose browsers are set up
for such things, the EFF has published a magnet
link and an ed2k
link for downloading the decision.
It doesn't hurt to boost the clearly non-infringing content available on
P2P networks. One thing about the Hollywood copyright sharks: you can
be sure they'll be circling back around.
Novell's results
Novell announced its 3rd quarter financial
results on Thursday of last week. To get some additional information on
Novell's results, we spoke to Novell spokesperson Bruce Lowry about the
results, and how the purchase of SUSE Linux and Ximian is working out for
Novell.
First on the agenda was Novell's financial results. Novell brought in $305
million in the third quarter, with a profit of $23 million, compared to
$283 million in the third quarter of 2003 and a loss of $12 million during
that period. Part of Novell's overall profits this quarter resulted from
a one-time payment of $19 million from The Canopy Group.
Overall, Lowry said that the company was happy with the profit from the
third quarter, but "a little disappointed with the top-line revenue
number." He explained that the sales of the company's Netware
products had slowed their decline in recent quarters, but resumed a 12
percent decline in sales in the third quarter.
While Novell's other product lines have not been meeting expectations, SUSE
Linux provided a welcome boost to Novell's bottom line this quarter. SUSE's
revenues were up $2 million in the quarter, a 20 percent increase from the
second quarter. A big factor in SUSE's increased revenues was a single
customer that ordered 12,000 subscriptions to SUSE Enterprise. Lowry
wouldn't disclose the customer's name, but said that the customer is a
venture-backed company using SUSE in an "ASP sort of
environment."
The $12 million in revenue from SUSE products broke down into three parts:
$4 million was from subscription revenue, $5 million was from SUSE retail
sales, and $3 million included "tech support alliance fees and other
software products from SUSE Linux." Lowry noted that the SUSE
subscriptions would continue to show revenue in future quarters, as
subscription revenue is distributed over the life of the subscription
rather than reported entirely in one quarter.
Ximian's revenue is not broken out separately by Novell, as the company
mainly purchased Ximian as "a technology buy."
We basically said that the impact on earnings would be negligible...it's
almost impossible to do that now. The major products were Ximian Desktop,
which we're now combining into SUSE, hopefully later this year. The other
main sort of component was Red Carpet Enterprise... what we did was added
[that] to ZENworks.
We asked Lowry how the integration of SUSE and Ximian into Novell was
going. Lowry said that the Ximian integration into Novell was
"totally complete" and that the SUSE integration is
"moving forward very rapidly," but noted that there was still
work to be done, and that integrating a German company into Novell
presented additional complications.
Lowry declined to offer specifics about the upcoming SUSE release with
Ximian Desktop integrated into the release, saying that Novell was being
"pretty tight-lipped" about the release. However, Lowry said
that SUSE will continue to support KDE and GNOME.
It seems to be an issue that people continue to be hooked on, that we're
trying to get beyond. But, we're trying to give people choice. We'll be
adding the things you'd expect Novell to add... it's obviously going to be
focused on the enterprise user.
We also asked whether the company would also be pushing Mono in its SUSE
product line in order to help adoption of Mono. Lowry said that Mono is not
shipped with SUSE Linux Enterprise Server 9, and said that Novell has
"talked very loosely about it appearing in the desktop."
It's still very much an early stage thing, I have heard talk of pilot
deployments of Mono in corporate environments. It's still fairly
narrow...it's definitely an early stage technology.
He did say that Novell had been using Mono more for internal projects, and
mentioned Novell's iFolder, which is now
written with Mono. Lowry also mentioned the addition
of JBoss to SUSE Linux Enterprise Server 9, and to the next major
release of Novell exteNd as a replacement for Novell exteNd Application
Server.
We'll be replacing the proprietary application server in the next major
release, eating our own dogfood. We're going to look at open source and
leverage open source where we can. It makes no sense to try to compete with
a proprietary product in the same place... it's a mixed world. It's hard to
envision a scenario where everything becomes open source.
It should be interesting to see how Novell continues to balance between
open source and proprietary offerings. With iFolder, Ximian's Evolution
Connector, and SUSE YaST, Novell has shown that it is willing to open
source some of its technology when it makes sense for the company to do so
-- and so long as that technology isn't a profit center for Novell.
Unfortunately, Novell does seem to be backing away from support of other
distributions with Ximian Desktop, with only SUSE and older versions of Red
Hat Linux listed as supported.
Overall, though, it seems that Novell's entry into the Linux market has
been both successful and beneficial for the community and has certainly
been beneficial for Novell. Though Novell's income from SUSE is currently
only a small fraction of their revenue, it does seem to be Novell's best
chance for growth.
Page editor: Jonathan Corbet
Security
Distribution of security fixes
The LD_DEBUG environment variable is one of those obscure, useful features
found in glibc. By setting LD_DEBUG to one of a few specific values (set
it to "help" to get the full list), you can get a great deal of
information on just how the dynamic library loader is resolving symbols and
performing relocation. This information can be most useful for tracking
down certain kinds of obscure shareable library problems.
LD_DEBUG can be verbose; it can also provide information about
security-critical programs - especially those running setuid - which
perhaps should not be made available to just anybody. The large amount of
output created by LD_DEBUG can also be used as a sort of poor-man's
single-stepping mechanism. If you can control when the standard output
will block, you can stop a setuid program at almost any library call. This
capability can be most useful if you are trying to exploit a difficult race
condition, such as a temporary file vulnerability. The ability to stop a
program at an arbitrary point can turn a small, difficult window into a
wide-open one which can be exploited at leisure.
Thus, it would make sense to disallow LD_DEBUG for setuid binaries.
Unfortunately, this didn't occur to the glibc implementors, who did not add
any checks for setuid operation in the LD_DEBUG code. Gentoo has recently
issued an update fixing the problem; no other
distributors have followed suit as of this writing.
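
The check the article says was missing, sketched as an added example (it is not glibc's, OpenWall's or Gentoo's actual patch): when the real and effective IDs differ, loader-debugging variables are dropped from the environment before anything acts on them. The function names and the two-entry deny-list are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical deny-list. LD_DEBUG is the variable the article discusses;
   LD_DEBUG_OUTPUT is its glibc companion that sends the trace to a file. */
static const char *const unsafe_names[] = { "LD_DEBUG", "LD_DEBUG_OUTPUT" };

/* A process is running setuid/setgid when its real and effective IDs differ. */
int is_privileged_exec(unsigned uid, unsigned euid, unsigned gid, unsigned egid)
{
    return uid != euid || gid != egid;
}

/* Returns 1 when a "NAME=value" entry names a deny-listed variable.
   The name must match exactly, so LD_DEBUGX is not confused with LD_DEBUG. */
static int is_unsafe_entry(const char *entry)
{
    const char *eq = strchr(entry, '=');
    size_t len = eq ? (size_t)(eq - entry) : strlen(entry);
    size_t i;

    for (i = 0; i < sizeof unsafe_names / sizeof unsafe_names[0]; i++) {
        if (strlen(unsafe_names[i]) == len &&
            strncmp(entry, unsafe_names[i], len) == 0)
            return 1;
    }
    return 0;
}

/* Compacts envp in place, dropping deny-listed entries when privileged.
   Returns the number of entries removed. */
size_t scrub_env(char **envp, int privileged)
{
    size_t removed = 0;
    char **in, **out = envp;

    if (!privileged)
        return 0;               /* ordinary programs keep their debug knobs */
    for (in = envp; *in != NULL; in++) {
        if (is_unsafe_entry(*in))
            removed++;
        else
            *out++ = *in;
    }
    *out = NULL;
    return removed;
}

/* Runs the scrubber over a constructed sample environment and returns
   how many entries are left afterwards. */
size_t demo_remaining(int privileged)
{
    char e0[] = "PATH=/usr/bin";
    char e1[] = "LD_DEBUG=all";
    char e2[] = "LD_DEBUGX=1";              /* different name: must be kept */
    char e3[] = "LD_DEBUG_OUTPUT=/tmp/trace";
    char *envp[] = { e0, e1, e2, e3, NULL };
    size_t n = 0;

    scrub_env(envp, privileged);
    while (envp[n] != NULL)
        n++;
    return n;
}

int main(void)
{
    int priv = is_privileged_exec(getuid(), geteuid(), getgid(), getegid());

    printf("this process privileged: %d\n", priv);
    printf("entries left (setuid case): %zu\n", demo_remaining(1));
    printf("entries left (normal case): %zu\n", demo_remaining(0));
    return 0;
}
```
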
As it turns out, some distributors do not need to. OpenWall fixed this problem over three years ago; ALT
Linux also patched glibc in its distribution. Somehow, however, the fixes
applied by these distributors never got into wider distribution.
This is not the first time that somebody has discovered a security problem
for which a fix had been available for years. These incidents are, at
best, a missed opportunity: known holes with available fixes remain
unpatched for long periods of time. A less pleasant possibility is that
crackers can look at the patches applied by security-conscious
distributions (such as OpenWall) in search of holes which have not been
fixed elsewhere. Security fixes are best applied universally.
The obvious way to ensure widespread diffusion of security fixes is to
submit them back to the package's maintainer. Such patches should almost
always be accepted - or the maintainer should come up with a better way to
fix the problem. If the maintainer refuses to fix the problem, there is
always the time-honored technique of posting an advisory to Bugtraq. What
should not be an option is keeping security fixes to oneself.
New vulnerabilities
Cacti: SQL injection vulnerability
| Package(s): | cacti |
| CVE #(s): | |
| Created: | August 23, 2004 |
| Updated: | August 25, 2004 |
| Description: | Cacti is vulnerable to a SQL injection attack where an attacker may inject SQL into the Username field. An attacker could use these vulnerabilities to compromise the Cacti service and potentially execute programs with the permissions of the user running Cacti. |
courier-imap: Remote Format String Vulnerability
| Package(s): | courier-imap |
| CVE #(s): | CAN-2004-0777 |
| Created: | August 20, 2004 |
| Updated: | August 26, 2004 |
| Description: | There is a format string vulnerability in the auth_debug() function which can be exploited remotely, potentially leading to arbitrary code execution as the user running the IMAP daemon (which is often root). A remote attacker may send username or password information containing printf() format tokens (such as "%s"), which will crash the server or cause it to execute arbitrary code. This vulnerability can only be exploited if DEBUG_LOGIN is set to something other than 0 in the imapd config file. If DEBUG_LOGIN is enabled in the imapd configuration, a remote attacker may execute arbitrary code as the root user. |
icecast-server: missing escape
| Package(s): | icecast-server |
| CVE #(s): | CAN-2004-0781 |
| Created: | August 24, 2004 |
| Updated: | August 25, 2004 |
| Description: | Markus Wörle discovered a cross site scripting problem in status-display (list.cgi) of the icecast internal webserver, an MPEG layer III streaming server. The UserAgent variable is not properly html_escaped so that an attacker could cause the client to execute arbitrary JavaScript commands. |
qt3: BMP image parser heap overflow
| Package(s): | qt3/qt3-non-mt/qt3-32bit/qt3-static |
| CVE #(s): | CAN-2004-0691, CAN-2004-0692, CAN-2004-0693 |
| Created: | August 19, 2004 |
| Updated: | May 15, 2005 |
| Description: | A heap overflow in the qt3 BMP image format parser in Qt versions prior to 3.3.3 may allow remote code execution. |
roundup: remote file access vulnerability
| Package(s): | roundup |
| CVE #(s): | |
| Created: | August 18, 2004 |
| Updated: | August 25, 2004 |
| Description: | The roundup issue tracker has a vulnerability that allows a remote attacker to read files owned by the user that is running the application. |
zlib: denial of service
| Package(s): | zlib |
| CVE #(s): | CAN-2004-0797 |
| Created: | August 25, 2004 |
| Updated: | June 10, 2005 |
| Description: | Versions 1.2.x of the zlib library contain an error handling vulnerability which can enable denial of service attacks. |
Updated vulnerabilities
acroread: UUDecode filename buffer overflow
| Package(s): | acroread |
| CVE #(s): | |
| Created: | August 16, 2004 |
| Updated: | August 17, 2004 |
| Description: | acroread contains two errors in the handling of UUEncoded filenames. First, it fails to check the length of a filename before copying it into a fixed size buffer and, secondly, it fails to check for the backtick shell metacharacter in the filename before executing a command with a shell. By enticing a user to open a PDF with a specially crafted filename, an attacker could execute arbitrary code or programs with the permissions of the user running acroread. |
Apache mod_proxy: denial of service
| Package(s): | apache |
| CVE #(s): | CAN-2004-0492 |
| Created: | June 11, 2004 |
| Updated: | October 14, 2004 |
| Description: | A buffer overflow vulnerability in the apache mod_proxy module can be exploited to create a denial of service. |
apache2: stack-based buffer overflow in ssl_util.c
| Package(s): | apache2 |
CVE #(s): | CAN-2004-0488
|
| Created: | June 1, 2004 |
Updated: | October 14, 2004 |
| Description: |
A stack-based buffer overflow exists in the ssl_util_uuencode_binary
function in ssl_util.c in Apache. When mod_ssl is configured to trust the
issuing CA, a remote attacker may be able to execute arbitrary code via a
client certificate with a long subject DN. |
aspell: bounds checking problem
| Package(s): | aspell |
CVE #(s): | CAN-2004-0548
|
| Created: | June 17, 2004 |
Updated: | December 20, 2004 |
| Description: |
Aspell's word-list-compress utility fails to properly check bounds
when dealing with words that are more than 256 bytes long.
This can lead to arbitrary code execution by an attacker. |
Ethereal: Multiple security problems
| Package(s): | ethereal |
CVE #(s): | CAN-2004-0633
CAN-2004-0634
CAN-2004-0635
|
| Created: | July 9, 2004 |
Updated: | August 19, 2004 |
| Description: |
There are multiple vulnerabilities in versions of Ethereal earlier than
0.10.5, including:
* In some cases the iSNS dissector could cause Ethereal to abort.
* If there was no policy name for a handle for SMB SID snooping it
could cause a crash.
* A malformed or missing community string could cause the SNMP
dissector to crash.
See this
advisory for more information. |
Filename disclosure vulnerability in fam
| Package(s): | fam |
CVE #(s): | CAN-2002-0875
|
| Created: | August 19, 2002 |
Updated: | January 5, 2005 |
| Description: |
"fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible. |
flim: insecure file creation
| Package(s): | flim |
CVE #(s): | CAN-2004-0422
|
| Created: | May 5, 2004 |
Updated: | December 16, 2004 |
| Description: |
The emacs "flim" mode creates temporary files in an insecure fashion, possibly allowing a local attacker to overwrite files. |
Gaim: remote code execution vulnerability
| Package(s): | gaim |
CVE #(s): | CAN-2004-0500
|
| Created: | August 12, 2004 |
Updated: | October 18, 2004 |
| Description: |
The Gaim IRC client (versions 0.81 and prior) has a remote code execution vulnerability
in the MSN-protocol parsing functions. |
glibc: Information leak with LD_DEBUG
| Package(s): | glibc |
CVE #(s): | CAN-2004-1453
|
| Created: | August 17, 2004 |
Updated: | May 26, 2005 |
| Description: |
Silvio Cesare discovered a potential information leak in glibc. It allows
LD_DEBUG on SUID binaries where it should not be allowed. This has various
security implications, which may be used to gain confidential information.
An attacker can gain the list of symbols a SUID application uses and their
locations and can then use a trojaned library taking precedence over those
symbols to gain information or perform further exploitation. |
gnome-vfs: backend script vulnerabilities
| Package(s): | gnome-vfs |
CVE #(s): | CAN-2004-0494
|
| Created: | August 4, 2004 |
Updated: | February 21, 2005 |
| Description: |
Several scripts packaged with gnome-vfs, using its "extfs" capability, have security flaws. These scripts tend not to be used on many systems, but their presence can still be a threat. |
gtkhtml: malformed messages cause crash
| Package(s): | gtkhtml |
CVE #(s): | CAN-2003-0133
CAN-2003-0541
|
| Created: | April 14, 2003 |
Updated: | April 18, 2005 |
| Description: |
GtkHTML is the HTML rendering widget used by the Evolution mail reader.
GtkHTML supplied with versions of Evolution prior to 1.2.4 contains a bug
when handling HTML messages. Alan Cox discovered that certain malformed
messages could cause the Evolution mail component to crash. |
gv: unsafe sscanf() buffer overflow vulnerability
| Package(s): | gv |
CVE #(s): | CAN-2002-0838
|
| Created: | August 12, 2004 |
Updated: | August 19, 2004 |
| Description: |
gv (prior to version 3.5.8-r4) has a buffer overflow vulnerability involving the sscanf()
function. An attacker can execute arbitrary code with the
permission of the user running gv. |
iproute: local denial of service
| Package(s): | iproute net-tools |
CVE #(s): | CAN-2003-0856
|
| Created: | November 25, 2003 |
Updated: | December 14, 2004 |
| Description: |
The iproute utility is susceptible to spoofed netlink messages sent by local users, with the result that denial of service attacks are possible. |
racoon: failure to verify signatures
| Package(s): | ipsec-tools racoon |
CVE #(s): | CAN-2004-0155
|
| Created: | April 7, 2004 |
Updated: | August 19, 2004 |
| Description: |
Versions of ipsec-tools prior to 0.2.5 contain a vulnerability wherein the racoon utility fails to verify digital signatures on some packets. This hole can lead to unauthorized connections or man-in-the-middle attacks. See this advisory for details. |
kdebase: multiple vulnerabilities
| Package(s): | kdebase |
CVE #(s): | CAN-2004-0689
CAN-2004-0690
CAN-2004-0721
CAN-2004-0746
|
| Created: | August 12, 2004 |
Updated: | October 4, 2004 |
| Description: |
Three separate vulnerabilities have been identified in the KDE 3.2
"kdebase" package; see this advisory for
details. These problems include two temporary file vulnerabilities and a
"frame injection" problem in konqueror which could help with phishing
attacks. In a fourth vulnerability, described here, Konqueror allows websites to set cookies
for certain country-specific secondary top-level domains. |
kdelibs: cookie disclosure
| Package(s): | kdelibs |
CVE #(s): | CAN-2003-0592
|
| Created: | March 10, 2004 |
Updated: | August 24, 2004 |
| Description: |
kdelibs (and, thus, Konqueror) has a vulnerability where a hostile server can force the disclosure of cookies that should not be presented to it. KDE versions 3.1.3 and later contain a fix. |
kernel allows unauthorized changes to the group ID
| Package(s): | kernel |
CVE #(s): | CAN-2004-0497
|
| Created: | July 2, 2004 |
Updated: | September 27, 2004 |
| Description: |
During an audit of the Linux kernel, SUSE discovered a flaw that allowed
a user to make unauthorized changes to the group ID of files in certain
circumstances - such as when the files are exported via NFS. |
kernel information leak
| Package(s): | kernel |
CVE #(s): | CAN-2004-0415
|
| Created: | August 3, 2004 |
Updated: | October 26, 2004 |
| Description: |
Paul Starzetz discovered
flaws in the Linux kernel when handling file
offset pointers. These consist of invalid conversions of 64 to 32-bit file
offset pointers and possible race conditions. A local unprivileged user
could make use of these flaws to access large portions of kernel memory.
Note that this vulnerability affects all 2.4 kernels through 2.4.26 and 2.6 kernels through 2.6.7.
A fix for this problem was added to the fifth
2.4.27 release candidate. |
kernel-utils: setuid vulnerability
| Package(s): | kernel-utils |
CVE #(s): | CAN-2003-0019
|
| Created: | February 7, 2003 |
Updated: | January 21, 2005 |
| Description: |
The kernel-utils package contains several utilities that can be used to
control the kernel or machine hardware. In Red Hat Linux 8.0 this package
contains user mode linux (UML) utilities.
The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was
incorrectly shipped setuid root. This could allow local users to control
certain network interfaces, add and remove arp entries and routes, and put
interfaces in and out of promiscuous mode.
All users of the kernel-utils package should update to these packages that
contain a version of uml_net that is not setuid root.
Alternatively, as a work-around to this vulnerability, issue the following
command as root:
chmod -s /usr/bin/uml_net |
libpng: multiple vulnerabilities
logcheck: symlink vulnerability
| Package(s): | logcheck |
CVE #(s): | CAN-2004-0404
|
| Created: | April 21, 2004 |
Updated: | December 22, 2004 |
| Description: |
The logcheck utility handles temporary files in an unsafe way, possibly allowing local attackers to overwrite files. |
mikmod: buffer overflow
| Package(s): | mikmod |
CVE #(s): | CAN-2003-0427
|
| Created: | June 16, 2003 |
Updated: | June 16, 2005 |
| Description: |
Ingo Saitz discovered a bug in mikmod whereby a long filename inside
an archive file can overflow a buffer when the archive is being read
by mikmod. |
mod_python: denial of service vulnerability
| Package(s): | mod_python |
CVE #(s): | CAN-2003-0973
|
| Created: | January 27, 2004 |
Updated: | October 4, 2004 |
| Description: |
Apache's mod_python module could crash the httpd process if a specific,
malformed query string was sent.
The Apache Foundation has reported that mod_python may be prone to
Denial of Service attacks when handling a malformed query. Mod_python
2.7.9 was released to fix the vulnerability; however, because the
vulnerability has not been fully fixed, version 2.7.10 has been released.
Users of mod_python 3.0.4 are not affected by this vulnerability. |
MoinMoin Group ACL Bypass
| Package(s): | moinmoin |
CVE #(s): | |
| Created: | July 12, 2004 |
Updated: | August 26, 2004 |
| Description: |
MoinMoin contains a flaw that may allow a malicious user to gain access to
unauthorized privileges. The issue is triggered when an attacker creates a
user with the same name as an administrative group. This flaw may lead to a
loss of integrity. See this osvdb
entry for additional information. |
mozilla: multiple vulnerabilities
| Package(s): | mozilla |
CVE #(s): | CAN-2003-0594
CAN-2003-0564
|
| Created: | March 10, 2004 |
Updated: | August 19, 2004 |
| Description: |
Mozilla 1.4 contains a few vulnerabilities, including disclosure of cookies to the wrong server, a scripting vulnerability which can allow an attacker to run arbitrary code, and an S/MIME vulnerability which can lead to remote denial of service or code execution attacks. |
mpg321: format string vulnerability
| Package(s): | mpg321 |
CVE #(s): | CAN-2003-0969
|
| Created: | January 6, 2004 |
Updated: | March 28, 2005 |
| Description: |
A vulnerability was discovered in mpg321, a command-line mp3 player,
whereby user-supplied strings were passed to printf(3) unsafely. This
vulnerability could be exploited by a remote attacker to overwrite
memory, and possibly execute arbitrary code. In order for this
vulnerability to be exploited, mpg321 would need to play a malicious
mp3 file (including via HTTP streaming). |
MySQL: temporary file vulnerabilities
| Package(s): | mysql |
CVE #(s): | CAN-2004-0381
CAN-2004-0388
|
| Created: | April 14, 2004 |
Updated: | August 18, 2004 |
| Description: |
The mysqlbug and mysqld_multi scripts contain temporary file vulnerabilities which could be used by a local attacker to overwrite files on the system. |
MySQL: temporary file vulnerability
| Package(s): | mysql |
CVE #(s): | CAN-2004-0457
|
| Created: | August 18, 2004 |
Updated: | September 1, 2004 |
| Description: |
The MySQL "mysqlhotcopy" script contains a temporary file vulnerability
which could be used by an attacker to overwrite files. |
neon: buffer overflow
| Package(s): | neon |
CVE #(s): | CAN-2004-0398
|
| Created: | May 19, 2004 |
Updated: | September 30, 2004 |
| Description: |
The neon library (through version 0.24.5) contains a buffer overflow in its date parsing code, allowing arbitrary code execution when connecting to a hostile server. See this advisory for details. This vulnerability also affects related applications (such as cadaver). |
nessus: adduser race condition vulnerability
| Package(s): | nessus |
CVE #(s): | |
| Created: | August 12, 2004 |
Updated: | August 17, 2004 |
| Description: |
The nessus security scanner has a temporary file vulnerability that allows a
user to perform a privilege escalation attack by way of an adduser
race condition. |
netpbm: insecure temporary files
| Package(s): | netpbm |
CVE #(s): | CAN-2003-0924
|
| Created: | January 19, 2004 |
Updated: | December 29, 2004 |
| Description: |
netpbm is a graphics conversion toolkit made up of a large number of
single-purpose programs. Many of these programs were found to create
temporary files in an insecure manner, which could allow a local
attacker to overwrite files with the privileges of the user invoking a
vulnerable netpbm tool. |
openssh: timing attack leads to information disclosure
| Package(s): | openssh |
CVE #(s): | CAN-2003-0190
|
| Created: | May 2, 2003 |
Updated: | November 30, 2004 |
| Description: |
From the advisory:
"During a pen-test we stumbled across a nasty bug in OpenSSH-portable
with PAM support enabled (via the --with-pam configure script switch). This
bug allows a remote attacker to identify valid users on vulnerable systems,
through a simple timing attack. The vulnerability is easy to exploit and
may have high severity, if combined with poor password policies and other
security problems that allow local privilege escalation." |
OpenSSL: denial of service vulnerabilities
pavuk: buffer overflow
| Package(s): | pavuk |
CVE #(s): | CAN-2004-0456
|
| Created: | June 30, 2004 |
Updated: | November 11, 2004 |
| Description: |
Versions of the pavuk web spider through 0.9.28-r1 contain a buffer overflow which could be exploited by a hostile server. |
php: remotely exploitable memory errors
| Package(s): | php |
CVE #(s): | CAN-2004-0594
|
| Created: | July 14, 2004 |
Updated: | February 7, 2005 |
| Description: |
Stefan Esser has issued an advisory regarding a
remotely exploitable hole in PHP (through version 4.3.7). If the
memory_limit feature is in use (as it should be, to prevent denial
of service attacks), allocation failures can be forced at highly
inopportune times, and those failures can be exploited to execute arbitrary
code. The exploit is described as "quite easy," and it can be done
regardless of whether Apache1 or Apache2 is in use. Upgrading to PHP 4.3.8 fixes the
problem; yesterday's PHP 5.0 release also contains the fix (but the
final release candidate did not). |
PuTTY: pre-authentication arbitrary code execution problem
| Package(s): | putty |
CVE #(s): | |
| Created: | August 5, 2004 |
Updated: | October 28, 2004 |
| Description: |
PuTTY, a telnet and SSH client, contains a vulnerability that
can allow an SSH server to execute arbitrary code on a connecting client.
|
python: buffer overflow
| Package(s): | python |
CVE #(s): | CAN-2004-0150
|
| Created: | March 10, 2004 |
Updated: | October 11, 2004 |
| Description: |
Python (versions 2.2 and 2.2.1 only) has a buffer overflow in the getaddrinfo() function which can be exploited by a malformed IPv6 address. |
rsync: path-sanitizing bug
| Package(s): | rsync |
CVE #(s): | CAN-2004-0792
|
| Created: | August 16, 2004 |
Updated: | November 1, 2004 |
| Description: |
This August 2004 rsync
advisory reports that there is a path-sanitizing bug that affects
daemon mode in all recent rsync versions (including 2.6.2) but only if
chroot is disabled. It does NOT affect the normal send/receive filenames
that specify what files should be transferred (this is because these names
happen to get sanitized twice, and thus the second call removes any
lingering leading slash(es) that the first call left behind). It does
affect certain option paths that cause auxiliary files to be read or
written. |