
License compliance is not a problem for open source users (opensource.com)

Simon Phipps worries that excessive focus on license compliance actions obscures the fact that free software licenses make life easy for users. "Open source does not place a compliance burden on the end user, does not mandate acceptance of an end-user license agreement, does not subject you to para-police action from the BSA. That is a significant advantage, and there's no wonder that proprietary vendors want to hide it from you and make you think open source licensing is somehow complex, burdensome or risky. If all you want to do is use the software - which is all you are allowed to do with proprietary software as the other three freedoms are entirely absent - then open source software carries significantly less risk."


License compliance is not a problem for open source users (opensource.com)

Posted Oct 25, 2010 17:17 UTC (Mon) by promotion-account (guest, #70778) [Link] (32 responses)

You do not become "tainted" in some way, and there is no need to create a "clean room" environment

Unfortunately you do become tainted for trying to study GPLed code even if you're a developer of a BSD-ish code-base. I'm not criticizing the GPL here, just trying to be more honest.

License compliance is not a problem for open source users (opensource.com)

Posted Oct 25, 2010 17:25 UTC (Mon) by clugstj (subscriber, #4020) [Link] (24 responses)

Would you please explain how?

License compliance is not a problem for open source users (opensource.com)

Posted Oct 25, 2010 17:43 UTC (Mon) by mjg59 (subscriber, #23239) [Link] (10 responses)

If you copy GPLed code into a BSD-licensed work and then release that under a BSD-style license, you're committing a copyright violation - the same as if you copied code under a proprietary license. Clean room techniques are usually used to protect you from the latter case, but the principle is the same.

License compliance is not a problem for open source users (opensource.com)

Posted Oct 25, 2010 17:45 UTC (Mon) by NAR (subscriber, #1313) [Link] (7 responses)

Copying and studying code are different.

License compliance is not a problem for open source users (opensource.com)

Posted Oct 25, 2010 17:58 UTC (Mon) by Lefty (guest, #51528) [Link] (6 responses)

"Studying" code can constitute evidence that, even if you didn't outright copy the code, you may have plagiarized it in some fashion. Despite the fact that there tend to be optimal ways to solve specific problems, any resemblance between the new code and the code which had been "studied" would tend to support a claim of infringement.

License compliance is not a problem for open source users (opensource.com)

Posted Oct 25, 2010 18:45 UTC (Mon) by wahern (subscriber, #37304) [Link] (5 responses)

The leading case in this area is Computer Associates v. Altai (2d Cir. 1992). If the particular scheme is indeed optimal, then by operation of the Merger Doctrine it would be uncopyrightable, because you can't copyright that which is necessary to the expression of an idea. See http://www.bitlaw.com/source/cases/copyright/altai.html#%... Short of literally copying the source code--from memory or otherwise--you're safe.

However, it is true that by looking at the code you become, in a sense, tainted. Proof of access to a copyrighted work is a necessary precondition to infringement (unless the work is so strikingly similar that it is proof in itself). But this applies to every field under copyright protection. If you're a musician you're tainted every time you turn on the radio--you might subconsciously copy certain melodies later on, like in George Harrison vs Bright Tunes Music Corp.

If you really want to be all belt-and-suspenders, then, yes, don't look at other code. But the court in Altai rightly said that this was absurd.

Note that this "tainting" is a different legal issue than in trade secret law, though obviously similar.

License compliance is not a problem for open source users (opensource.com)

Posted Oct 25, 2010 20:46 UTC (Mon) by Lefty (guest, #51528) [Link] (4 responses)

Hm. "Safe". Well, that's for a judge to decide, I'd imagine. Certainly you have a legal theory, I'll grant you that much, and you can definitely argue it.

There's also no slam-dunk on "optimality", necessarily: if I were arguing the other side, I'd certainly attempt to introduce the notion that there were "any number of other ways to accomplish the same goal", but that an infringing one had, in fact, been used.

That's what makes horse races, like they say.

License compliance is not a problem for open source users (opensource.com)

Posted Oct 25, 2010 22:14 UTC (Mon) by wahern (subscriber, #37304) [Link] (3 responses)

Yeah, but Altai stands for the proposition that you can't copyright the best way, either in hardware efficiency or in best practice. So then the Plaintiff is in the position of explaining why their engineers are idiots.

I'm not saying clean-room implementations aren't a prudent move for some companies, but let's not be fatalistic about how onerous the law is.

License compliance is not a problem for open source users (opensource.com)

Posted Oct 25, 2010 22:17 UTC (Mon) by Lefty (guest, #51528) [Link] (2 responses)

That's fine and dandy, but as I've said, it's not always clear that there is a best way. In general terms of legal risk avoidance, the "best way" is the one that keeps you the hell out of a courtroom.

License compliance is not a problem for open source users (opensource.com)

Posted Oct 25, 2010 23:33 UTC (Mon) by rahvin (guest, #16953) [Link] (1 responses)

So you would support SCO's legal theory that any developer who ever saw the Unix System code was tainted and any code they developed was a derivative work regardless of the code in question?

It's an absurd notion. Proving non-literal copying is going to be very hard to do, I'd wager you would find very few court cases where anyone has ever been successful in proving non-literal copying. Simply seeing other code doesn't taint anyone and it certainly doesn't mean if they write a similar piece of code that it's a derivative work. This doesn't mean someone couldn't go to court and waste a lot of money but I doubt they could win if both sides have competent legal representation.

License compliance is not a problem for open source users (opensource.com)

Posted Oct 26, 2010 0:20 UTC (Tue) by Lefty (guest, #51528) [Link]

No, I wouldn't, for the simple reason that it's too broad-reaching and too general. If SCO wanted to go through and come up with enough specific instances of what-they-believed-to-be-actual-plagiarism to make a credible case, they could certainly have tried to make a concrete argument.

Saying that "you saw my UNIX-like system, and therefore your UNIX-like system is infringing on that basis alone" is something akin to the Estate of Bram Stoker trying to sue Anne Rice for lifting the idea of a vampire. The devil is in the details, as usual.

License compliance is not a problem for open source users (opensource.com)

Posted Oct 25, 2010 17:46 UTC (Mon) by charlieb (guest, #23340) [Link] (1 responses)

OK, but how does one become "tainted" by *studying* GPL code? You're changing the subject, are you not?

License compliance is not a problem for open source users (opensource.com)

Posted Oct 25, 2010 17:51 UTC (Mon) by mjg59 (subscriber, #23239) [Link]

How does one become tainted by studying any code? It's pretty much impossible to prove that you didn't copy, so the entire point of clean room techniques is to separate the person doing the implementation from the person studying the code in such a way that you can demonstrate that the implementation was written from a specification. The GPL doesn't grant extra permissions here, so if it's necessary in writing an open Broadcom driver based on disassembling the closed binary one, it's necessary in writing a BSDed Broadcom driver based on the GPLed one.

License compliance is not a problem for open source users (opensource.com)

Posted Oct 25, 2010 17:54 UTC (Mon) by Lefty (guest, #51528) [Link] (12 responses)

Pretty simply, actually.

You get the idea into your head that what the world is looking for is a non-GPL-licensed version of busybox, which you figure you can provide to TV manufacturers and the like to enable them to avoid "enforcement actions".

You take a look at busybox to see what it does.

You write a replacement from scratch, and release it under an ISC license.

The SFLC sues you for copyright infringement on the grounds that you plagiarized busybox. You can't claim that you never looked at it, and any resemblance will quite likely count against you in court.

Simon has a point, but the point he claims he has is actually a lot broader than the one that he's got firmly in hand. While, under ordinary circumstances, ordinary users are not terribly affected by open source licensing compliance, to the extent that compliance becomes difficult, risky or inconvenient—and, for example, the GPL v3 has made compliance more challenging on all of those axes—then less open-source-licensed software will be used by OEMs. Consumers will get more proprietary software, and open source efforts will suffer, or at least fail to benefit.

(This is apparently fine with some folks. In a discussion a couple of years back with Bruce Perens, when I suggested that the GPLv3—a license which he was pushing quite strongly—was unusable in most consumer devices, and particularly in things like cell phones, his response was "Well, maybe you shouldn't be using free software in phones, then." Seems as though he's getting his wish. Much good it does the free software community.)

License compliance is not a problem for open source users (opensource.com)

Posted Oct 25, 2010 18:23 UTC (Mon) by clugstj (subscriber, #4020) [Link] (11 responses)

Please try to make a sane comment next time.

License compliance is not a problem for open source users (opensource.com)

Posted Oct 25, 2010 18:31 UTC (Mon) by bronson (subscriber, #4806) [Link] (9 responses)

Wow, talk about hypocritical. I see a number of sane points in his comment. If you'd like to take issue with any of them, go for it.

License compliance is not a problem for open source users (opensource.com)

Posted Oct 25, 2010 20:47 UTC (Mon) by Lefty (guest, #51528) [Link]

I'm predicting nothing more than the sound of crickets from this one, myself.

License compliance is not a problem for open source users (opensource.com)

Posted Oct 25, 2010 20:50 UTC (Mon) by clugstj (subscriber, #4020) [Link] (7 responses)

You seem to have an unusual definition of "hypocritical" as I can't see how it applies in any way to my comment.

But anyway, where in the GPL does it say that you cannot learn from the code and write other code under a different license from that knowledge? I have NEVER heard of any case where this was an issue. Copying code, however, is always a problem.

License compliance is not a problem for open source users (opensource.com)

Posted Oct 25, 2010 20:54 UTC (Mon) by Lefty (guest, #51528) [Link] (6 responses)

You seem to have an unusual definition of the word "sane".

It's not really an issue of "what the GPL says". It's more an issue of "what US copyright law says and how a judge is likely to interpret it".

Does that help?

License compliance is not a problem for open source users (opensource.com)

Posted Oct 25, 2010 21:02 UTC (Mon) by clugstj (subscriber, #4020) [Link] (5 responses)

Answer the simple question.

When has the fabled "write a program that does the same thing as busybox and get sued" problem occurred? Otherwise it is just a hypothetical situation and is in no way an explanation of how this mysterious "tainting" is a problem.

Or if you just want to get further and further off-topic, explain how what I said was "hypocritical"?

Your choice.

License compliance is not a problem for open source users (opensource.com)

Posted Oct 25, 2010 21:31 UTC (Mon) by Lefty (guest, #51528) [Link] (3 responses)

I'm not aware, off hand, of one, but I don't need to be, either. Without having to summon up a case of anyone's having done so, it's pretty clear that selling a hand-painted, but unauthorized, reproduction of a work by, say, Andy Warhol or Roy Lichtenstein is an infringement. Doesn't matter if you did it in Photoshop. The sequence of events I described is not unrealistic.

As it happens, Bruce Perens has asserted that he holds some sort of copyright over busybox, while the current maintainers deny that's the case. The fact seems to be that, today, there's no code in busybox on which Perens holds a clear copyright, or at least none on which a copyright statement with his name appears. Perens claims those notices were removed illegitimately, again, the current maintainers disagree. His assertion—one which he has not seen fit to have tested in court so far—seems to be something very close to exactly what I've described.

I have no comments on Mr. Perens' sanity or lack thereof—maybe you have some opinion in this regard—but, while we're on the subject, for someone who's questioning other people's sanity on no particularly clear basis (other than perhaps, pointless trolling), you're not establishing a very solid ground for your assessment.

While you're mulling that over, you might want to note that I'm not the person who called you a "hypocrite".

License compliance is not a problem for open source users (opensource.com)

Posted Oct 26, 2010 12:40 UTC (Tue) by clugstj (subscriber, #4020) [Link] (2 responses)

The original poster said:

"Unfortunately you do become tainted for trying to study GPLed code even if you're a developer of a BSD-ish code-base. I'm not criticizing the GPL here, just trying to be more honest."

I have merely been trying to get someone to explain on what evidence this statement is based. I have got nothing but wild and often off-topic theories and no actual facts. As such, I assert that the original post is not true.

License compliance is not a problem for open source users (opensource.com)

Posted Oct 26, 2010 12:58 UTC (Tue) by mjg59 (subscriber, #23239) [Link]

To the extent that the GPL says nothing on the subject, the relevant thing to look at is copyright law. Why do you think it applies any less to GPLed work than, say, Windows?

License compliance is not a problem for open source users (opensource.com)

Posted Oct 26, 2010 14:36 UTC (Tue) by Lefty (guest, #51528) [Link]

Well, friend, you're welcome to assert anything you like, but all I see is you steadfastly and stubbornly ignoring sensible responses, and claiming—abundant evidence to the contrary aside—that you've seen nothing but "wild and often off-topic theories and no actual facts".

Fine, have it your way. You're not contributing anything here, and since you've persuaded yourself how things are, there isn't a lot of point in continuing to discuss it with you. If you haven't actually read prior comments—as you clearly haven't—there's no reason to imagine you'll read subsequent ones.

License compliance is not a problem for open source users (opensource.com)

Posted Oct 26, 2010 6:32 UTC (Tue) by wahern (subscriber, #37304) [Link]

If you mean to ask when has an open source project sued for non-literal copying, then I can't say I know of any situations.

If you mean to ask when has a copyright owner in source code sued for non-literal copying, then there have been many cases. And they have won in some instances. And many more surely were settled after summary judgment was denied.

Lefty's opinions have a legal foundation, I just personally think he overstates things. But don't dismiss it as nonsense. It's rare that copyright cases turn on obvious, literal copying. Usually you get non-literal copying; i.e. copying certain abstract elements--such as arrangement--which elicit similar mental impressions. This is absolutely sufficient to infringe as a general matter if those impressions sufficiently relate to the protected "work". Note that in copyright when you write source code that source code isn't the "work" per se, rather it's the first copy of that work. Copyright protects the work which is in your head; and the protection commences the moment you fix that work into a tangible medium--i.e. create the first copy.

Most of copyright law turns on the breadth of protection for the abstract work. For computer programs that protected scope is narrower than, say, in the novella industry. Courts will find infringement of a subplot in a story more readily than they will several curiously similar subroutines in a program. If you want to know why, follow the Altai link I posted earlier (it's an anchored link to the relevant portion of the opinion); the court explains many of the most important reasons quite clearly.

The Altai opinion also cites many cases on non-literal source code infringement, albeit pre-1992. One would imagine that there have been substantially more cases since then, at least in the district courts. But copyright and patent software cases go all the way back to the 1960s, believe it or not.

License compliance is not a problem for open source users (opensource.com)

Posted Oct 25, 2010 20:42 UTC (Mon) by Lefty (guest, #51528) [Link]

Well, maybe it's my complete lack of mental balance speaking here, but I'm afraid I can't quite make out which parts of my comment aren't "sane". Could you be more specific?

License compliance is not a problem for open source users (opensource.com)

Posted Oct 25, 2010 18:49 UTC (Mon) by Trelane (guest, #56877) [Link] (4 responses)

Sure, and you run the same risks if you're studying a BSD codebase (there are license requirements for redistributors after all)

License compliance is not a problem for open source users (opensource.com)

Posted Oct 25, 2010 18:54 UTC (Mon) by Trelane (guest, #56877) [Link] (2 responses)

(really, the only place you're guaranteed to not have to worry about reading the code is public-domain code)

License compliance is not a problem for open source users (opensource.com)

Posted Oct 26, 2010 2:52 UTC (Tue) by njs (subscriber, #40338) [Link]

Even then, it might turn out that the allegedly "public domain" code wasn't actually public domain after all, for any number of reasons.

License compliance is not a problem for open source users (opensource.com)

Posted Oct 26, 2010 13:13 UTC (Tue) by charlieb (guest, #23340) [Link]

Actually, no. If you don't publish any code, you can study any code you like, without worry.

License compliance is not a problem for open source users (opensource.com)

Posted Oct 25, 2010 20:52 UTC (Mon) by Lefty (guest, #51528) [Link]

Not quite, although you could cobble together a set of circumstances in which the end result might be the same.

You can do many more things with BSD-licensed code as long as you observe a fairly minimal set of rules: in particular, you can modify the code and redistribute proprietary binaries to your heart's content, at the minimal cost of including a notice in the documentation someplace.

License compliance is not a problem for open source users (opensource.com)

Posted Oct 26, 2010 14:54 UTC (Tue) by jjs (guest, #10315) [Link]

Abstraction-Filtration-Comparison (http://digital-law-online.info/lpdi1.0/treatise22.html) protects you as long as you don't COPY. Yes, clean-room development helps, but is not required.

Users, not developers

Posted Oct 26, 2010 14:59 UTC (Tue) by jjs (guest, #10315) [Link]

For an end-user of the code (one who doesn't change it, just uses linux as an operating system, or libreoffice as an office suite, and who doesn't distribute the code), open source means you don't have to worry about the BSA "license police" - install as many copies as you want on your machines, don't worry about paperwork, etc. From the article: "End-users do not need to have a license management server, do not need to hold audits, do not need to fear BSA raids."

As the article states, you only have to worry about the license in one case: "If you move beyond modifying the code and decide to distribute your modified version (or the original), that is the point at which there may be compliance issues with the open source license. You only need to check you are passing on the same rights to others as you received with the original code."

One check - no written checks to the original developer, no tracking licenses, etc.

License compliance is still a problem for open source admins

Posted Oct 25, 2010 17:53 UTC (Mon) by mmcgrath (guest, #44906) [Link] (12 responses)

I know I'm not speaking of this from the point of view of an 'end user' but running AGPL web applications as a sysadmin is a huge PITA when it comes to hot fixes put in production and the like. In Fedora Infrastructure we had a multi-week discussion concerning what to do with some of the recent AGPL apps we had deployed and even had to add a special AGPL section to our documents explaining how AGPL applications should be treated.

Shortly after that Fedora had a whole discussion about mixing code from different licenses together on some random list and I thought to myself "open source licenses may be better than their proprietary counterparts but they sure aren't less confusing."

License compliance is still a problem for open source admins

Posted Oct 25, 2010 17:55 UTC (Mon) by Lefty (guest, #51528) [Link]

Heh. More news from the Department of Unexpected Consequences at 11.

License compliance is still a problem for open source admins

Posted Oct 26, 2010 1:17 UTC (Tue) by pabs (subscriber, #43278) [Link] (1 responses)

Seems to me you could just put those hotfixes into Fedora and upgrade to them on your servers?

License compliance is still a problem for open source admins

Posted Oct 26, 2010 7:47 UTC (Tue) by rahulsundaram (subscriber, #21946) [Link]

License compliance is still a problem for open source admins

Posted Oct 26, 2010 10:48 UTC (Tue) by epa (subscriber, #39769) [Link] (8 responses)

You'd think that the AGPL web app would just have a 'download the source' button on every page which would give you a big tarball, baked into the code as part of the build process.

Yeah...

Posted Oct 26, 2010 13:26 UTC (Tue) by khim (subscriber, #9252) [Link] (7 responses)

And then you want to change ten lines here and fifteen lines there... oops?

Yeah...

Posted Oct 26, 2010 16:59 UTC (Tue) by epa (subscriber, #39769) [Link] (6 responses)

Yes so you make the change, type 'make', and your new web app is ready to deploy. When it's deployed the 'download source' button automatically has the latest source to download, since it's handled as part of the build process.

Yeah...

Posted Oct 26, 2010 18:24 UTC (Tue) by mmcgrath (guest, #44906) [Link] (5 responses)

That sounds great... but no user (much less your boss) will want to wait for that. As much as we hate hotfixes, they're a fact of life. Having to reproduce then fix an outage or error scenario upstream, build a release from whatever tree it was from, create a release tarball, package it, build the srpm, build the rpm from srpm, sign it, throw it in a yum repo, go to all the hosts and yum update.... Users don't like to wait for that fairly time consuming process. Especially if the fix is simple.

AGPL sticklers (this is the extreme end of it) make it very difficult to even develop fixes that, for whatever reason, can't be reproduced in another environment besides the production instance. None of it is insurmountable, it's just the AGPL creates considerations that we've never had to deal with before.

Yeah...

Posted Oct 26, 2010 19:58 UTC (Tue) by tialaramex (subscriber, #21167) [Link] (3 responses)

It seems as though what you're saying is that the mode of operation of my business (which is to say, the business where I work as a senior developer or some other ridiculous job description) is unworkable?

Now, in our case we aren't obligated to ship source code to anyone (commercial partners seem to expect to do black box security testing but not code audit). But our minimum process for putting new code live involves building from tags in the source repository, then pushing the build onto servers. We have of course automated this fairly heavily.

If we didn't do this, then we'd have the problem that there's a reported problem - for which we have no corresponding source code. What caused the problem? It's a mystery - oh - it turns out that there's a bug in some code nobody ever checked in.

No, we always have a roll-back plan, so if things are really worse we can go back to a previous version. But most often newly discovered problems that were missed in testing are fairly minor - and even previously existed unreported. If they weren't bad enough to deserve a rollback, they can wait until we've developed, tested and tagged a proper fix.

It seems to me that the systems you're managing are as important as ours, just in a different way (we have people's confidential information including bank details, credit cards etc. -- you have code that may be run with full privileges by millions of people). So I'm a bit worried that you so easily confuse your seat-of-the-pants approach with pragmatism. To my mind what we're doing is pragmatism and what you're doing is a bit... scary?

I have done things your way, for a less important site (no private details). I'm not sure I even prefer it. It was exciting, I guess, in that you could typo something and the entire web site was down, but I think I got too old for that.

Yeah...

Posted Oct 26, 2010 20:53 UTC (Tue) by mmcgrath (guest, #44906) [Link] (1 responses)

> Now, in our case we aren't obligated to ship source code to anyone.

You're not running something AGPL then.

> So I'm a bit worried that you so easily confuse your seat-of-the-pants approach with pragmatism. To my mind what we're doing is pragmatism and what you're doing is a bit... scary?

See above. You don't seem to understand what we're doing, certainly not why.

Yeah...

Posted Nov 2, 2010 23:06 UTC (Tue) by tialaramex (subscriber, #21167) [Link]

What is it that I "don't seem to understand"?

Actually, why don't you explain what your "hot fixes" are and why it's just not possible to have a real software engineering process that could easily throw up the source code and thus comply with the AGPL.

You might want (while writing) to reflect on the debunking of all the usual myths about how ordinary GPL compliance is hard, and how no "real" programmer has source code in version control or a repeatable build environment, or any of those things....

and if at the end you have a better process and nothing to write in your reply, that's sort of its own reward and I ask nothing further.

Heh...

Posted Oct 27, 2010 13:00 UTC (Wed) by khim (subscriber, #9252) [Link]

> business where I work as a senior developer

A business which has someone in the position of "senior developer" is a small minority of the internet. Most of the sites out there are created by hobbyists who don't have a release process or VCS. Or by small "mom and pop" businesses where the site was created by a friendly neighbour. For them the AGPL is a major PITA. For large businesses the AGPL is scary enough and they just forbid the use of such software (and they have enough developers to write an adequate replacement from scratch).

This makes the set of places where AGPL software can be considered acceptable small indeed: small businesses which already have a "release procedure" but are not yet big enough to have the resources to rewrite AGPL soft.

Time will tell if this small slice (which is still huge since there are millions upon millions of web sites on the Internet) will be enough to support the AGPL ecosystem.

Yeah...

Posted Oct 27, 2010 9:35 UTC (Wed) by epa (subscriber, #39769) [Link]

Who said anything about reproducing the error upstream? Just hack in whatever change you want, type 'make' and then 'make deploy'.

Even if you want to go the whole way of building the thing as an RPM and pushing it out via yum, this is only a few lines of shell script and need only take a few seconds to run.
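
The sub-thread above contrasts a source tarball produced by the build with hot fixes applied directly in production. As an added sketch that is not part of any comment or of any project mentioned here, the script below bundles the deployed tree at build time and detects when the live tree no longer matches the published source; all function names, file names and paths are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Names and paths are constructed.

# Use whichever SHA-256 tool is installed.
if command -v sha256sum >/dev/null 2>&1; then
    hash_cmd="sha256sum"
else
    hash_cmd="shasum -a 256"
fi

# manifest DIR: one "hash  ./path" line per file, in a stable order.
manifest() {
    ( cd "$1" && find . -type f -exec $hash_cmd {} + | LC_ALL=C sort -k 2 )
}

# publish_source TREE PUBDIR: the build step. Packs exactly the tree being
# deployed and records its manifest next to the tarball. PUBDIR must live
# outside TREE so the bundle does not contain itself.
publish_source() {
    mkdir -p "$2" &&
    tar -czf "$2/source.tar.gz" -C "$1" . &&
    manifest "$1" > "$2/source.manifest"
}

# check_drift LIVE PUBDIR: 0 when the running tree matches what the
# download link serves, 1 when production was edited without a rebuild.
check_drift() {
    live=$(manifest "$1") || return 2
    [ "$live" = "$(cat "$2/source.manifest")" ]
}

# drifted_files LIVE PUBDIR: paths that were added, removed or changed.
drifted_files() {
    tmp=$(mktemp) || return 2
    manifest "$1" > "$tmp"
    # A line present in only one manifest marks a file that differs.
    LC_ALL=C sort "$tmp" "$2/source.manifest" | uniq -u |
        sed 's/^[0-9a-f]*  //' | LC_ALL=C sort -u
    rm -f "$tmp"
}

# demo: build, hot-fix the live tree in place, then rebuild.
demo() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/app"
    printf 'print("v1")\n' > "$work/app/handler.py"       # constructed file
    publish_source "$work/app" "$work/pub"
    check_drift "$work/app" "$work/pub" && r1=in-sync || r1=drift
    printf 'print("hotfix")\n' > "$work/app/handler.py"   # edit on live host
    check_drift "$work/app" "$work/pub" && r2=in-sync || r2=drift
    changed=$(drifted_files "$work/app" "$work/pub")
    publish_source "$work/app" "$work/pub"                # rebuild republishes
    check_drift "$work/app" "$work/pub" && r3=in-sync || r3=drift
    rm -rf "$work"
    echo "$r1 $r2 $changed $r3"
}

demo
```

Run from cron or a monitoring check, `check_drift` turns an unpublished production edit into an alert rather than something discovered later.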


Copyright © 2010, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds