LWN: Comments on "Apertis v2024 released"

This project is suspicious

Wol — Sun, 08 Dec 2024 19:29:48 +0000

> They say they're removing GPLv3 as a means to solve a problem, but the problem is barely described. And when the solution is so harmful, a bit of justification should be expected.

I think the problem is extremely obvious. It's called a "lost opportunity". As in "if we don't do this we will get locked out of the market".

And while the GPL fanatics don't seem to care about whether FLOSS is actually used or not, so long as they can live in their digital cave, some of us would actually like to see FLOSS make a difference in the real world. I'm actually rather gutted that my company would rather pay for OpenQM, than use the GPL2 ScarletDME.

If I write NEW code for Scarlet, I'll almost certainly MPL it, with the *deliberate* intention that the owners of OpenQM can incorporate it. I don't particularly like the idea, but imho the alternative is worse.

Cheers,
Wol

This project is suspicious

sammythesnake — Sun, 08 Dec 2024 19:09:26 +0000

> Cars, like medical devices, are (IIRC) not in the "consumer products" definition ("any tangible personal property which is normally used for personal, family, or household purposes")

I'm a little confused how you think that definition doesn't cover cars. It sure as hell includes *my* car! Even my van, which is *mostly* used for business purposes is also used for daily domestic stuff...

This project is suspicious

ballombe — Fri, 06 Dec 2024 20:10:39 +0000

By only using rust-coreutils for customers that have special need license-wise, instead of rust-coreutils being used everywhere, Collabora is saying that they consider coreutils to be superior to rust-coreutils, whether they mean it or not.

This project is suspicious

randomguy3 — Fri, 06 Dec 2024 17:14:30 +0000

There's nothing to stop them making something for people who they believe are wrong! And frankly, i wouldn't be willing to say that those companies are wrong with certainty, regardless of the intentions of the authors of the gpl3 - ultimately, only the regulators or the courts can make a definitive judgement there.

This project is suspicious

mwelchuk — Fri, 06 Dec 2024 16:49:19 +0000

> They're all FOSS, yes, but Apertis didn't say "Hey, rust-coreutils is memory safety!" Instead, it seems they're saying, "Hey, here's a GNU/Linux system that we've modified such that you don't have GPLv3's requirements to ensure the users can modify that software!" The choice of package seems to be motivated by weakening obligations for companies to contribute back or to avoid that their customers get the intended freedoms.

One of the selling points for Apertis is it's ability to be used in places where the GPLv3 would be problematic. The fact that rust-coreutils and other such packages are written in a memory safe language was definitely seen as a positive, however it's not the main focus of Apertis.

Collabora is a consultancy. We strongly believe in open source and work with a number of large companies, promoting and helping them to make use of open source, including frequently submitting improvements upstream. For instance, if you look back at the development statistics for previous kernels on this site, you will see Collabora come up in the most active list from time to time. This is a result of the work we do with our clients.

We will make pragmatic choices (as we have in the case of package selection in Apertis) to enable our clients to use open source, whilst ensuring that we honour the licensing terms for the projects that we choose / are able to use in the given circumstances.

> They say they're removing GPLv3 as a means to solve a problem, but the problem is barely described. And when the solution is so harmful, a bit of justification should be expected.

The problem is that clauses, such as the anti-tivoization clause in the GPLv3, make it impossible for a company looking to ship a consumer focused device, specifically one that needs to comply with strict regulations (typically requiring the manufacturer to ensure that unsanctioned changes can't be made to the software), to use software under that license. This is not a new issue, it's been known about since before the GPLv3 was finalised and is why the Linux kernel still ships under the GPLv2 license.

We're honouring the licensing terms as chosen by the projects involved. As a result the freedoms of each projects users are being maintained as requested by their authors. I agree, there are projects that grant more freedoms to their users, however for the reason described above we avoid using those projects so as not to violate the freedoms they wish to provide their users. There is a pragmatic balance that sometimes needs to be made here in certain circumstances.

In using a Linux based OS on a device, there are still large portions of that OS that are licensed in a way that require source to be shared, but do not require the device to be modifiable. For example kernel support where, unlike a mature low level utility, there is likely to be some support added (and such support is typically upstreamed as we prefer to avoid heavily modified downstream vendor kernels or carrying out-of-mainline patches in Apertis), which can broadly benefit the FOSS community in providing improved access to support for the SoC, functionality in SoCs using similar/identical IP cores or other ancillary components that may well be used in other devices. A common alternative is a proprietary OS such as VxWorks or QNX is used instead, where no such advantage for the FOSS community exists.

> Cars, like medical devices, are (IIRC) not in the "consumer products" definition ("any tangible personal property which is normally used for personal, family, or household purposes"). I don't remember the details, it was many ago that I last looked into that. There are probably some good docs available. The GPL FAQ gives just two examples of consumer products: portable music players and digital video recorders.

I don't know what to say. I personally own a car that's used for personal, family, and household purposes. They're classed as consumer goods, hence the issue.

This project is suspicious

a-wai — Fri, 06 Dec 2024 16:24:53 +0000

> They're looking for clever ways to help companies *not* give freedoms to users.

This claim doesn't acknowledge the reality that GPL-2 software (such as e.g. systemd or the Linux kernel) is an important part of Apertis and won't go away anytime soon. That's still GPL, just not the latest version.

The fact that rust-coreutils is MIT is completely orthogonal: it would still be the best choice for Apertis if it were licensed under the GPL-2, for example.

(note: I'm a Collabora employee and have worked on Apertis in the past, including the rust-coreutils transition)

Slow clap

madscientist — Fri, 06 Dec 2024 15:43:50 +0000

It is, actually, a win for the FSF. It makes those systems a bit more of a PITA to use, at least for anyone expecting a modern set of GNU tools (e.g., trying to follow the online manual and discovering these old versions don't support new features). If they want to use them they have to find them and install them. And if they ask why their systems come with outdated/buggy versions of free software, they can be educated as to the reasons. They might learn about free software, what it means, what it guarantees (and what it doesn't). They may learn how to build their own copies of free software, and possibly be motivated to get involved at some level.

I can attest to the above, personally, having had this discussion with many people over the years.

Just to remind, increasing the raw numbers of people using GNU software is NOT the primary goal of the FSF.

This project is suspicious

coriordan — Fri, 06 Dec 2024 14:58:40 +0000

> I'm not aware of any alternative implementations of components being used that aren't licensed under a FOSS license.

They're all FOSS, yes, but Apertis didn't say "Hey, rust-coreutils is memory safety!" Instead, it seems they're saying, "Hey, here's a GNU/Linux system that we've modified such that you don't have GPLv3's requirements to ensure the users can modify that software!" The choice of package seems to be motivated by weakening obligations for companies to contribute back or to avoid that their customers get the intended freedoms.

> The purpose is as stated

They say they're removing GPLv3 as a means to solve a problem, but the problem is barely described. And when the solution is so harmful, a bit of justification should be expected.

> Apertis targets consumer products, like cars.

Cars, like medical devices, are (IIRC) not in the "consumer products" definition ("any tangible personal property which is normally used for personal, family, or household purposes"). I don't remember the details, it was many ago that I last looked into that. There are probably some good docs available. The GPL FAQ gives just two examples of consumer products: portable music players and digital video recorders.

This project is suspicious

coriordan — Fri, 06 Dec 2024 14:32:52 +0000

But the GNU utilities, and their licence, were written to ensure that users received the freedoms.

The GNU utilities underline that giving people freedom is always good. There's no point being made that working around licences is always good. It depends on the goal.

The Unix implementations that were released under, for example, a BSD licence, were often modified by vendors and then the source code wasn't provided for the modified version. Same for X Windows / xfree86. So they were free software when published by the developers, but weren't free software when used by the users.

Richard invented the GPL licences to fix this problem and ensure that users received the freedoms.

Apertis is the opposite. They're looking for clever ways to help companies *not* give freedoms to users.

GPL3 concerns not new

jjs — Fri, 06 Dec 2024 13:47:28 +0000

Linux raised concerns in at least 2008, and has explained why Linux didn't go to GPL3 (https://www.linuxjournal.com/content/linus-why-gpl3-isnt-...).

Others commenting on concerns from 2013 (https://www.blackduck.com/blog/whos-afraid-gpl3.html) and 2007 (https://www.cio.com/article/274966/open-source-tools-the-...).

Not saying I agree or disagree with any of those. Only that this (Apteris) pointing out there exist concerns about GPL3 is NOT new.

This project is suspicious

jjs — Fri, 06 Dec 2024 13:17:32 +0000

>If they're working on a system to help people avoid contributing to free software projects,

Where do they say others can't use & contribute to GPL3 projects? Nowhere that I can see. Nor are they saying those that use their project CANNOT use or contribute to GPL3 software. However, they are saying that some organizations don't want to use software licensed under those terms, so they are providing software licensed other other F/LOSS licenses (https://github.com/uutils/coreutils/blob/main/LICENSE for coreutils). It's not my favorite (which is GPL2), but it's F/LOSS, same as BSD. I personally won't disparage people for using a BSD OS instead of linux. It's still F/LOSS.

>they say it's for regulatory compliance, then it's difficult to also claim that they have no opinion on whether it's really necessary for said regulatory compliance.

No, they claim their customers say its for regulatory compliance. See mwelchuk's comment on that.

This project is suspicious

mwelchuk — Fri, 06 Dec 2024 13:10:21 +0000

> Instead of presenting rust-coreutils on its merit as an implementation of coreutils in a safer language, it is presented as a way to work around coreutils license, that is as an inferior solution whose only purpose is to satisfy some beancounter.

Who's saying that they're inferior? The fact they're written in a memory safe language is a big plus.

This project is suspicious

mwelchuk — Fri, 06 Dec 2024 13:05:20 +0000

> If they're working on a system to help people avoid contributing to free software projects, and they say it's for regulatory compliance, then it's difficult to also claim that they have no opinion on whether it's really necessary for said regulatory compliance.

Both rust-coreutils and rust-findutils are existing MIT licensed projects. I'm not aware of any alternative implementations of components being used that aren't licensed under a FOSS license.

> It's a project whose most obvious purpose is to weaken our ecosystem. They're doing what Apple and Google do when they want to sell free software while also blocking the use of those freedoms. If Apertis might spread this model then we should hope Apertis fails.

That is not the purpose. The purpose is as stated, "to increase the adoption of modern, maintained OSS solutions in markets where this has historically been a challenge".

> GPLv3 was specifically drafted to allow medical devices to be locked down. The tivoisation clause is only for consumer products and smart home systems.

Apertis targets consumer products, like cars. Where in many jurisdictions there are regulatory constraints ,which many (including lawyers in the automotive world) would argue such clauses would be problematic.

(For transparency: I have worked on the Apertis project.)

This project is suspicious

epa — Fri, 06 Dec 2024 13:02:14 +0000

To be fair, many of the GNU utilities started as a way to work around the licence of the original Unix implementations.

This project is suspicious

swilmet — Fri, 06 Dec 2024 12:57:27 +0000

Yeah, we can see that the project is driven by commercial interests (which is not bad per se).

But it comes up with a technical solution for something related to licenses and legal stuff. Instead, I would have preferred first a solution coming from lawyers, legal advice, finding arrangements with customers. Seeing if the GPLv3 is truly unacceptable for some customers.

Has the lawyer route been tried before, even if it's not the expertise of Collabora? Or are the customers too powerful to bend their decisions and their "fear" for the GPLv3?

This project is suspicious

ballombe — Fri, 06 Dec 2024 12:32:12 +0000

Furthermore it is kind of disparaging for rust-coreutils.
Instead of presenting rust-coreutils on its merit as an implementation of coreutils in a safer language, it is presented as a way to work around coreutils license, that is as an inferior solution whose only purpose is to satisfy some beancounter.

Slow clap

LtWorf — Fri, 06 Dec 2024 11:50:15 +0000

Reminds me of angry people who threaten me to use something else if I don't stop using a copyleft license.

Wow! Terrible threat! I will get rid of people who contribute absolutely nothing and just act entitled.

Yeah for me personally that's a win when it happens.

This project is suspicious

coriordan — Fri, 06 Dec 2024 11:45:06 +0000

"collabora aren't asserting this about the gpl-3"

I'm not sure they can say that.

If they're working on a system to help people avoid contributing to free software projects, and they say it's for regulatory compliance, then it's difficult to also claim that they have no opinion on whether it's really necessary for said regulatory compliance.

It's a project whose most obvious purpose is to weaken our ecosystem. They're doing what Apple and Google do when they want to sell free software while also blocking the use of those freedoms. If Apertis might spread this model then we should hope Apertis fails.

GPLv3 was specifically drafted to allow medical devices to be locked down. The tivoisation clause is only for consumer products and smart home systems.

This project is suspicious

randomguy3 — Fri, 06 Dec 2024 10:37:55 +0000

to be clear, collabora aren't asserting this about the gpl-3 - they are saying that other companies (that are subject to such regulatory requirements) assert it

i would guess that the anti-tivoisation measures could be construed to fall foul of medical device requirements to guard against user error - modifying the software on the device could obviously invalidate testing and analysis done to ensure the risk of patient harm is within acceptable bounds, and i could imagine someone jumping to the conclusion that that means the device must be locked down in a way that would violate the gpl-3

i imagine there's a similar line of reasoning available for some other regulated devices

collabora's stance is fairly clear - they're not taking a position on the assertion itself, but they are trying to produce a free software operating system that such companies would be willing to use (which you may view as a practical compromise or a dangerous weakening of principles, of course)

This project is suspicious

coriordan — Fri, 06 Dec 2024 10:08:39 +0000

"some provisions in common licenses like the GPL-3 are at odds with regulatory constraints they are subject to."

Anyone know what the basis of this claim is? GPLv3 is 18 years old and this is the first time I've heard this one.

This type of claim is very suspicious.

(Collabora - the same people behind the LibreOffice online project? I haven't heard bad things about them before.)

Slow clap

zdzichu — Fri, 06 Dec 2024 07:40:14 +0000

Another win for FSF!

A Shameless Statement

comex — Fri, 06 Dec 2024 03:37:33 +0000

“Outdated and unmaintained” doesn’t refer to coreutils as a whole, but the pre-GPLv3 versions. This is referring to the strategy of picking the last versions of GNU packages that predated GPLv3 adoption, and continuing to ship those forever. Apple does that on macOS, for instance.

A Shameless Statement

PengZheng — Fri, 06 Dec 2024 03:05:25 +0000

> To avoid these licenses, Apertis uses more modern alternatives instead of relying on outdated and unmaintained pre-GPL-3 versions. For instance, coreutils and findutils (GPL-3+) are replaced in Apertis by rust-coreutils and rust-findutils.

I failed to see how coreutils can be called unmaintained.
I use it everyday and am pretty happy with it.