A tempest in a toybox

It's not only "not hard", if you think about it (you ought to have a release process in place, no?) it's just plainly trivial to do so.

I have talked to various lawyers in the free software world about this (under Chatham House Rules, so I can't explicitely name them), but all of them have frowned upon this, or dismissed it outright.

Before this turns into another flamefest about whether or not it is immoral or not for companies to violate the GPL, this is *the* core question: can you demand things outside of your own direct copyright?

Perhaps the editor could poll some lawyers about this subject, and get permission to quote them? It would be very helpful.

This is a valid point.

However, that copyright law is insane doesn't excuse us in the FOSS community doing anything insane as well (even if it is much less insane).

It is *very* hard to convince corporations to use FOSS if the risk is that a single mistake by one of their teams means that the entire company can no longer use that specific FOSS until the copyright owner agrees for them to. The main problem is uncertainty: The corporation does not know ahead of time exactly what the copyright owner will demand. At least with a proprietary license, you know ahead of times the costs involved in a clear (well, clear-er) manner.

If I had believed the GPL did actually assume such a "death penalty" event - I prefer to call it a "hostage situation" - I would never have released the GPL code I did (I would have used another FOSS license). It strikes me as counter to the intent of the GPL, and very dangerous to the FOSS community as I said above.

It is more than sufficient to protect GPL code to interpret it in the more reasonable way, which is that distributing GPL code grants a new license each time. So that you have a license if you comply with the GPL. If you don't comply, you lose that license until you download a new copy, and are in compliance with that license. In this situation, violating the GPL is still very bad - you cannot use the code any more - but at least you know ahead of time exactly what you need to do to be able to use it again - come into compliance.

That the SFC does basically that - but for all FOSS projects the company uses, not the one whose license they violated - is not as bad as things *could* be, because in theory the license enforcer could ask for anything at all (hence I prefer the term "hostage situation"). But again, the problem is that corporations don't know for sure in advance what the SFC will require, if one of their teams makes a mistake and doesn't fully comply with the license of one of the FOSS projects they use. This is one of the biggest problems for FOSS adoption today.

It's just that *if* you agree with the GPL enforcement work, then we should work together to find ways to continue it even if there's a permissive replacement for busybox. It's not an attempt to control projects or licenses, it's an attempt to coordinate with other like-minded people.

Jeremy.

Most companies take care to have an appropriate number of licenses for their software. They should do the same if its my software or big company X's software and I'm glad to see people like the SFC sticking up for the little guy.

The legal bits are important; you cannot just ignore it, then complain that SFC is somehow bad. It started with ignoring copyright and the license of the code. I thought there was some kind of thing where people are assumed to know the law. Meaning: ignorance is no excuse.

You can't do that. GPL still remains in play because everyone who ships busybox also ships the Linux kernel. It takes only one key kernel developer to ask SFC to represent them and you are back to the problem you are trying to get away from. I do wonder whether SFC or FSF would be sending kernel patches in key areas with the sole idea of using it to enforce the GPL at the kernel level directly instead of using busybox as a proxy. At the point, the violators can consider using a BSD kernel. It would be a interesting fight to watch.

You work for Sony, who thought it acceptable to install rootkits on their customer's machines. Why in the world would I trust a word you say?

It is really hard to feel sorry for a rich multinational company that skips mandatory legal checks in order to be first to market.

It then becomes much much harder to feel sorry when the very same company is lobbying hard to harden copyright law so teenagers illegally downloading music can be put in jail. Compared to this the SFC now look like very nice guys.

Note: this has nothing to do with the GPL. It's about software licensing and legal reviews *in general*.

So, what, GPL authors are supposed to shut up because they might be hurting the company?

That's a harsh way of saying: none of what you say about Sony's concerns have anything to do with what we, as a community of copyrighted code authors, choose to do with our rights. It is no more acceptable for Sony to ignore licensing of FOSS code than it is for them to ignore anyone else's copyright. If anything, the fact that they stand to lose heaps of money if products are late is reason enough for them to get it right the first time. Claiming that it's all very complicated because of sub-contractors and different divisions is about as valid as a child blaming the broken plate on their invisible friend.

Aren't Sony one of the companies that are pushing for tougher penalties when people infringe their copyright? The whole point of a penalty is to provide a disincentive to infringement. At that point it should be a very simple business decision: a potential loss of millions of dollars in lost revenue due to a delayed product, or a certain loss of even more when they are found to be violating their software licenses, get fined for it _and_ have their devices delayed even further. That a company can then choose the latter option shows that they actually think that they can get away with it - their 'calculus' is based on the flawed assumption that the cost of non-compliance is less than the cost of compliance.

I'm not criticising you; I'm pointing out the hypocrisy of Sony's actions.

And I personally think the SFC saying "let us help you with getting all your licenses sorted out now", rather than waiting for compliance on BusyBox and then hitting them with the next lawsuit for the next GPL-violating thing they find, is doing the industry a massive favour. There's already enough legal shenanigans in the computer industry, with companies waiting until the ideal time to hit their competitors with lawsuits.

Ultimately, what galls me here is that Sony isn't ponying up the developers to actually write the bits of Toybox that they want, or even implementing their own BusyBox replacement if they like. They're expecting other people to do the work for them, then they come in and use it for free. All that buys them is a little bit of time: eventually the kernel community will start to enforce its copyrights and the fight will really be on. Either they need to start rewriting everything from scratch, or just harden up and comply with the licenses of the software that they use.

Have fun,

Paul

Replacing GPL software is harder than just complying with the GPL.

For both approached you need to know which software is GPL and do something specific. All the whining about "we didn't know we were shipping GPL stuff" isn't solved by replacing known GPL stuff with something else. It's always the unknown stuff that bites you, whether GPL or proprietary.

So this doesn't solve any compliance problems except with Busybox itself. But as said above, complying is easier than replacing Busybox when you're already using it, so the only reason to replace Busybox would be because they don't want to comply with the license. Matthew is right to say this stinks, because it does.

If I understand you correctly, the real problem here is FUD.

Companies want to comply and try to comply, but there is uncertainty and doubt as to whether they will do so successfully and fear of the possible costs imposed to restore their license.

Does the GPLv3 address this? It gives a guaranteed re-instatement if you become compliant with 30 days (as long as you aren't a repeat offender). Is that enough to reduce the FUD?

That wouldn't help with BusyBox or Linux as they are v2 only, but maybe understanding if the v3 clause is helpful would give us a better perspective on the issues.

So the only thing Sony does when picking the software to ship is doing a cost/benefit analysis. If the potential price for lawsuits or the risk of shipping late is too high, you pick something else.

This behavior explains very well why the company you identify with would select to install rootkits or litigate children into jail. It also explains why it would rather not have license enforcement actions.

And what this actually means is that the correct thing to do to spread the GPL over the BSD is to start sueing companies for failing to print the BSD disclaimer. Even if that doesn't really achieve anything for Free software directly, it would increase Sony's perception of risk for using BSD licensed software and make it flock to the GPL.

Did I get that right?

There is simply no incentive in that context to even maintain their own forks, let alone submit changes upstream.

BTW, your pragmatic angle is only important in the very short term, and even then only in a very narrowly-focused oblivious-to-the-real-world way. It's not even true pragmatism, because it's only a short-term benefit for a long-term loss.

No, it is the moral and ethical issues which are truly important.

They're not a reason to prohibit development of a BSD-style licensed alternative (an absurd suggestion anyway - even if anyone wanted to, no-one has the power). But they are a reason to boycott contributing anything to the project.

One of the reasons why manufacturers dislike the GPL is that the license effectively allows users to extend the lifespan of the "disposable" products they buy, and even re-purpose them. e.g. without the GPL, cyanogenmod wouldn't have recent versions of android running on 4,5,+ year old phones. The GPL gives rights - and options and possibilities and even capabilities - to the end-users...a fact that BSD-advocates either won't/can't see or refuse to place any value on.

This, naturally, conflicts with the gadget-fetishism, the obsession with the new and shiny, the must-have-it-now consumerist impulse that manufacturers want us to have.

Also, and just as importantly, as an occasional consumer of tech. products, I don't want a BSD-licensed userland on devices I purchase, because the BSD license does *nothing* to ensure that the product I buy is actually mine - under my control as well as in my possession. Apple has demonstrated well enough that the BSD license serves the interests of manufacturers and their corporate partners, rather than my interests.

As a user, the GPL is my friend. it gives me rights to the software I use.

as a developer and contributor to FOSS projects, the GPL is also my friend - it ensures that my work, my donation of time and effort and skill will always be available.

A couple weeks ago I wanted to use an LDAP authorization feature (nested group membership). After some investigation and surprise, I found that that feature had been committed to the svn trunk in 2007, but has not yet made it into a release. Why? Because there haven't been any new major versions released since 2.2 was released in 2005, 7 years ago! Yikes! (But, I see 2.4 is expected to be released real soon now.)

The glacial speed of releases probably has nothing to do with licenses, but I would guess that anyone who has forked Apache into a proprietary variant has most likely had no trouble keeping up with the rate of change...so you might want to find a new example to hold up. :)

You are wrong about this. What you are doing is pushing the kernel developers to use SFC instead of using busybox as a proxy

https://lwn.net/Articles/479010/

"I'll be assigning the rights to the SFC to enforce all copyrights that I personally hold in the Linux kernel and any other project they ask me about. "

Even BSD license has a copyright attribution requirement. Enforcing that vigorously would cause enough pain if a vendor hasn't thought about compliance before.

I consider GPLv3 yet another proprietary license. I'm sad GPLv3 undermined GPLv2 to the point it's no longer viable in a lot of contexts, but I got over it and moved on. I'm not the only one. GPL use is declining, and more active license enforcement will only make it decline faster.

(I like the Linux kernel, but busybox was ported to run on bare hardware with newlib+libgloss in 2006. Never think you're _irreplacable_. Nobody is.)

And yes, the guy who started license enforcement on BusyBox is saying that. It's what I learned from the experience. Are your positions based on experience, or on how you _want_ the world to behave?

Rob

(What I do worry about is laws that make modchipping an xbox illegal. Vendors lock game consoles down, people open them up to make unlicensed development workstations with aftermarket add-ons, and the _dangerous_ bit is rendering the aftermarket addons illegal. GPLv3 ain't gonna do that because the vendors can write their own kernel if they want to lock down their console, it just excludes our software from the relevant market. What we _need_ are laws making it explicitly legal for me to pick my own lock. These licensing tricks we're getting up in arms about are irrelevant: Linus explicitly allowed tivoization, and if minor developers start suing people over that _he_ might fork his own project enough rip out/rewrite your code, _and_ testify in the defense of whoever you're suing that his public statements on the matter _mean_ something. If they've got the "secure boot" lockdown and it's illegal for you to crack your own box, the rest is details.)