Re: funding & viability questions of GPL enforcement.

2017-07-27 Thread Fungi4All
> From: joel.r...@gmail.com
> To: debian-user 
> On Sat, Jul 22, 2017 at 3:29 AM, Alessandro Vesely  wrote:
>> On Thu 20/Jul/2017 22:18:25 +0200 Fungi4All wrote:
>>>[...]
>>
>>> For linux we all need to agree before we decide.
>>
>> Yeah, that's a pita. It's hard to change anything if everyone can veto.
> That's sure indication that everything is getting too big -- the companies,
> of course, but also the projects, the software, ...
> ... and the egos.

Under the same logic how can it all be considered one "big" thing with so
many different participants? Are companies, projects, developers, sysadmins,
and users all equal parties? Do companies have egos? No, they have one
motive to make money and become the only player and decision maker.
What all these different entities need is organization, each with distinct goals
and principles of organization. Then each community will have its own
voice, cooperate with others, and form a direction, if that is possible.
In every industry there ever was when standards (of cooperation) were
developed there was development in the direction the industry had set.
This chaotic system of each one doing their own thing and see where it
gets everyone seems to be coming to an end. And at this end some are
more organized to benefit from the whole than others.
In terms of debian, it is a utopian proposition to expect it to compete as
a semi-democratic institution among the dictatorships. It is also unthinkable
that individuals can have an influence among organizations. The
binding licensing agreements will in the future be either abolished or
will not be enforced as much as to matter, as far as being obstacles
to corporations making money.

Re: funding & viability questions of GPL enforcement.

2017-07-21 Thread Joel Rees
On Sat, Jul 22, 2017 at 3:29 AM, Alessandro Vesely  wrote:
> On Thu 20/Jul/2017 22:18:25 +0200 Fungi4All wrote:
>>[...]
>
>> For linux we all need to agree before we decide.
>
> Yeah, that's a pita.  It's hard to change anything if everyone can veto.

That's sure indication that everything is getting too big -- the companies,
of course, but also the projects, the software, ...

... and the egos.

-- 
Joel Rees

One of these days I'll get someone to pay me
to design a language that combines the best of Forth and C.
Then I'll be able to leap wide instruction sets with a single #ifdef,
run faster than a speeding infinite loop with a #define,
and stop all integer size bugs with my bare cast.
http://defining-computers.blogspot.com/2017/06/reinventing-computers.html

More of my delusions:
http://reiisi.blogspot.com/2017/05/do-not-pay-modern-danegeld-ransomware.html
http://reiisi.blogspot.jp/p/novels-i-am-writing.html



Re: funding & viability questions of GPL enforcement.

2017-07-21 Thread Alessandro Vesely
On Thu 20/Jul/2017 22:18:25 +0200 Fungi4All wrote:
>> > On 19/07/17 12:17, Alessandro Vesely wrote:
>>
>> Of course, nobody dislikes security. Making it neat and clear is another
>> question, and that's why experiments are needed. Can we consider Linux and
>> GRSecurity as entities cooperating with each other in that respect?
> 
> GRS is a formal hierarchical organization, a very different single entity
> than the linux "thing".  A community of many different entities, in size and
> shape.  Not a formal organization, I don't think.  How can the two different
> things communicate, let alone cooperate?  Let's just hope each does their
> thing and share what they do and leave it at that.

Yes, of course.  I didn't mean to propose to change anything "real" of how each
organization works.  My question was meant to check if we can consider GRS to
be good although somehow misguided, and if it could be viable for them to
double-license their code (by some tricky clause, e.g. section 7 of GPLv3?)

Disclaimer: I'm not involved in either organization's copyrights.

Allowing GPL infringements makes "us" look like jackasses :-/

> For linux we all need to agree before we decide.

Yeah, that's a pita.  It's hard to change anything if everyone can veto.

Ale



Re: funding & viability questions of GPL enforcement.

2017-07-20 Thread Fungi4All
> On Wed 19/Jul/2017 23:14:35 +0200 Martin Read wrote:
>> On 19/07/17 12:17, Alessandro Vesely wrote:
>>> One may wonder why GRSecurity is not (optionally) included in Linux.
>>
>> For a variety of reasons relating to the personalities and opinions of the
>> people who would be involved - on both sides - in making it happen.
>>
>> It should be noted that some people who are not part of the grsec project
>> *are* trying to incrementally move the less performance-impactful features
>> of grsec into the mainline kernel.
> Yes, the example I had in mind was this:
> https://lwn.net/Articles/725203/
> Of course, nobody dislikes security. Making it neat and clear is another
> question, and that's why experiments are needed. Can we consider Linux and
> GRSecurity as entities cooperating with each other in that respect?

GRS is a formal hierarchical organization, a very different single entity than
the linux "thing". A community of many different entities, in size and shape.
Not a formal organization, I don't think. How can the two different things
communicate, let alone cooperate? Let's just hope each does their thing and
share what they do and leave it at that. Only equals can communicate,
coordinate, and cooperate. So linux as a whole can hardly be imagined to be in
communication with anything else.

> Ale

I vote against such cooperating proposals as such would try to shape and
change what linux is. If grs and debian can cooperate that would be an issue
for them to decide. For linux we all need to agree before we decide.

Re: funding & viability questions of GPL enforcement.

2017-07-20 Thread Alessandro Vesely
On Wed 19/Jul/2017 23:14:35 +0200 Martin Read wrote:
> On 19/07/17 12:17, Alessandro Vesely wrote:
>> One may wonder why GRSecurity is not (optionally) included in Linux.
> 
> For a variety of reasons relating to the personalities and opinions of the
> people who would be involved - on both sides - in making it happen.
> 
> It should be noted that some people who are not part of the grsec project
> *are* trying to incrementally move the less performance-impactful features
> of grsec into the mainline kernel.

Yes, the example I had in mind was this:
https://lwn.net/Articles/725203/

Of course, nobody dislikes security.  Making it neat and clear is another
question, and that's why experiments are needed.  Can we consider Linux and
GRSecurity as entities cooperating with each other in that respect?

Ale



Re: funding & viability questions of GPL enforcement.

2017-07-19 Thread Martin Read

On 19/07/17 12:17, Alessandro Vesely wrote:

> One may wonder why GRSecurity is not (optionally) included in Linux.


For a variety of reasons relating to the personalities and opinions of 
the people who would be involved - on both sides - in making it happen.


It should be noted that some people who are not part of the grsec 
project *are* trying to incrementally move the less 
performance-impactful features of grsec into the mainline kernel.




Re: funding & viability questions of GPL enforcement.

2017-07-19 Thread Alessandro Vesely
On Sun 16/Jul/2017 17:17:21 +0200 Martin Read wrote:
> On 16/07/17 12:47, Alessandro Vesely wrote:
>> May I ask, in passing, why Debian (for packages like apt, say) as well as
>> Linux did not switch to GPLv3?  Would such switch ease enforcement?
> 
> Switching a project over from GPLv2-only to GPLv3-only or GPLv3-or-later
> requires either (a) the consent of all copyright holders who made non-trivial
> contributions or (b) the wholesale replacement of all material written by the
> non-consenting copyright holders.

Back to GRSecurity, which is our source of reality in this discussion, they
complain that large corps use their product but fail to return revenues to the
market.  In an attempt to force payments, they withdraw GPL terms and step back
to close-source EULA marketing.  Except that they don't hold the kernel
copyright.  Hmm...  Quite different from double licensing.

One may wonder why GRSecurity is not (optionally) included in Linux.  In fact,
there are kernel features, such as trusted path execution (TPE) whose origin
seems to be related to GRSecurity.  Avoiding feature-creep is a perfectly
legitimate reason to leave some other patches alone.  That way, however, Linux
lets particularly sensitive users experiment --and pay-- for the development of
some patches, which may possibly be introduced in later kernel releases,
according to their popularity.  That's a well known pattern of development of
closed-source stuff.  How are free software developers supposed to go through
it?  I thought that GPLv3's section 7 "additional permissions" could ease such
kind of mutual acknowledgments, but IANAL...

Ale



Re: funding & viability questions of GPL enforcement.

2017-07-17 Thread Bradley M. Kuhn
Joel Rees wrote at 17:50 (PDT) on Sunday:
> The whole idea that they have to protect themselves from users of their
> so-called intellectual property is where we, as a society are failing to
> do the reality check.

This text above is very well said!  The value that Debian has is that it
works very hard as a community to assure its users are liberated when they
copy, modify and share Debian main.

-- 
Bradley M. Kuhn



Re: funding & viability questions of GPL enforcement.

2017-07-16 Thread Joel Rees
On Sun, Jul 16, 2017 at 8:47 PM, Alessandro Vesely  wrote:
> There are salient discrepancies in copylefting collective work —as there are
> mismatches in working as a free software developer in a western economic
> model.
>

There are salient discrepancies in every licensing model, so-called
free/libre, free/open, free-as-in-beer, sell-your-first-child-shrinkwrap,
etc.

Shoot, the entire concept of property is still not worked out well.

It only works if we agree to cooperate.

And people and companies who receive excess and refuse to return
it to the market simply are not cooperating, irregardless of either license
or external economic system. (Excess includes not only money and less
tangible proxies for value, but also control, which is one place where
communism and socialism historically fail.)

The whole idea that they have to protect themselves from users of their
so-called intellectual property is where we, as a society are failing to do
the reality check.

>  Let me just say that this discussion, working out the legal details of the
> problem, is very interesting.  I guess that's how every inch of freedom has to
> be conquered, and I'm delighted that this list allows me to witness it.

I think you meant "fought for" and not "conquered"?

> Please go ahead.
>
> On Sat 15/Jul/2017 19:24:56 +0200 Bradley M. Kuhn wrote:
>> [...]
>> Finally, this is probably a good moment -- since this thread has erupted on
>> a Debian Mailing List -- to let everyone know that Conservancy also
>> organizes a GPL copyright aggregation project for Debian contributors as
>> well, see: https://sfconservancy.org/copyleft-compliance/#debian and
>> https://sfconservancy.org/news/2015/aug/17/debian/.

Crowd-funding without the middleman!

> [...]

-- 
Joel Rees




Re: funding & viability questions of GPL enforcement.

2017-07-16 Thread Bradley M. Kuhn
> On Sat 15/Jul/2017 19:24:56 +0200 Bradley M. Kuhn wrote:
> > [...]
> > Finally, this is probably a good moment -- since this thread has erupted on
> > a Debian Mailing List -- to let everyone know that Conservancy also
> > organizes a GPL copyright aggregation project for Debian contributors as
> > well, see: https://sfconservancy.org/copyleft-compliance/#debian and
> > https://sfconservancy.org/news/2015/aug/17/debian/.

Alessandro Vesely wrote:
> May I ask, in passing, why Debian (for packages like apt, say) did not
> switch to GPLv3?

I discussed in my talk at DebConf10 about how many Debian packages are
already outbound licensed under GPLv3, because Debian carries the default
version of GPL as GPLv3, by symlinking /usr/share/common-licenses/GPL to
GPL-3.  The effect of that is that, for any package that simply says "GPL" or
points to /usr/share/common-licenses/GPL , Debian is licensing it to users
under GPLv3.

Of course, if Debian developers haven't added changes that are
GPLv3-or-later, the downstream user can always go back upstream and get a
copy licensed under GPLv2-or-later (etc.).

I note you asked specifically about apt, which is GPLv2-or-later.  While I
think contributors to apt and other GPLv2-or-later packages should consider
whether GPLv3-or-later is a better license for them (I generally think GPLv3
is a very good licensing choice in most situations), I don't see any urgent
reason that developers should switch to GPLv3, in part because...

>  Would such switch ease enforcement?

... I am not aware of any specific reasons why GPLv3 is more easily enforced
than GPLv2.  The challenges that our community faces regarding enforcement,
which I outlined in my email yesterday, exist in roughly equal measure for
both GPLv2 and GPLv3.

> as well as Linux

As another poster pointed out, most (although not all) of Linux's copyrights
are GPLv2-only, and a change in license to GPLv2-or-later or GPLv3-or-later
would require extensive effort.
--
Bradley M. Kuhn
Distinguished Technologist of Software Freedom Conservancy

Become a Conservancy Supporter today: https://sfconservancy.org/supporter



Re: funding & viability questions of GPL enforcement.

2017-07-16 Thread Martin Read

On 16/07/17 12:47, Alessandro Vesely wrote:

> May I ask, in passing, why Debian (for packages like apt, say) as well as Linux
> did not switch to GPLv3?  Would such switch ease enforcement?


Switching a project over from GPLv2-only to GPLv3-only or GPLv3-or-later 
requires either (a) the consent of all copyright holders who made 
non-trivial contributions or (b) the wholesale replacement of all 
material written by the non-consenting copyright holders.


Thus, for any project which does not require contributors to sign a 
document either ceding their copyright in their contributions to the 
project's proprietor or granting said proprietor authority to relicence, 
it can be *really hard* to make such a transition in a lawful and timely 
manner (and one sufficiently-important non-consentor can basically shoot 
down the entire proposal).


In the particular case of the Linux kernel, *Linus* didn't want to move 
to GPLv3 (because he didn't think certain clauses were a good idea), so 
the move was a dead letter almost from the moment it was proposed.




Re: funding & viability questions of GPL enforcement.

2017-07-16 Thread Alessandro Vesely
There are salient discrepancies in copylefting collective work —as there are
mismatches in working as a free software developer in a western economic model.
 Let me just say that this discussion, working out the legal details of the
problem, is very interesting.  I guess that's how every inch of freedom has to
be conquered, and I'm delighted that this list allows me to witness it.

Please go ahead.

On Sat 15/Jul/2017 19:24:56 +0200 Bradley M. Kuhn wrote:
> [...]
> Finally, this is probably a good moment -- since this thread has erupted on
> a Debian Mailing List -- to let everyone know that Conservancy also
> organizes a GPL copyright aggregation project for Debian contributors as
> well, see: https://sfconservancy.org/copyleft-compliance/#debian and
> https://sfconservancy.org/news/2015/aug/17/debian/.

May I ask, in passing, why Debian (for packages like apt, say) as well as Linux
did not switch to GPLv3?  Would such switch ease enforcement?

Thanks
Ale



funding & viability questions of GPL enforcement.

2017-07-15 Thread Bradley M. Kuhn
Bruce, your analysis ignores the political forces that have allied to thwart
GPL enforcement efforts.  If Conservancy did not face these anti-enforcement
politics regularly, Conservancy could and would spend more time working on
bringing more companies into compliance.

I hope you'll review my FOSDEM keynote [0] and LibrePlanet talk [1] (the
latter of which was covered on LWN [2]), wherein I discuss the political
efforts by many others who seek to end GPL enforcement.  I hope you'll
assist us in that political struggle, rather than shaming and blaming the
one organization who actually enforces the GPL for Linux, Debian, Samba, and
many other projects.

Bruce wrote yesterday on debian-user:
> [Conservancy] may have allowed itself ... to be in the position of
> suppressing developer's rights.

Rather than suppressing developers' rights (as you accused us of above),
Conservancy has created the only welcoming coalition of Linux copyright
holders [3] who wish to enforce, adhering to community principles.  The
wealthy and powerful who seek to end GPL enforcement view our coalition as
the primary threat to their goal.  That's why they invest inordinate
resources into thwarting Conservancy's enforcement efforts.

Bruce also wrote yesterday on debian-user:
> it would be fair for these dual-licensing companies, who offered the GPL
> but made dual licensing available to those who did not wish to accept the
> GPL terms, to exact the fees of lost commercial licensing from commercial
> infringers. Those infringers clearly had paid licensing as an option.

Meanwhile, these aggressive enforcement-centric business models function
precisely because their central tenet *discourages* sharing and
modification of the code under the copyleft license.  The typical goal of
those models is to frighten "customers" into buying a non-copyleft license.
While you're correct that they generate revenue, I don't believe that the
goal of copyleft was to create an ecosystem where most users operate under a
proprietary license that they were cajoled to accept -- under threat of
overly captious for-profit enforcement.

You also mentioned the "revenue model" of lawsuits.  While perhaps Patrick
McHardy gained some amount of personal wealth (although reports on how much
he's really recovered are unreliable rumors), that was only successful
precisely because McHardy's enforcement did not prioritize encouraging
compliant behavior.  (In fact, his model required discouraging such
behavior, because (in his settlement agreements that I've seen) his larger
recoveries came from confused violators who agreed to pay larger amounts if
found out of compliance again later.)  Such types of lawsuits are a serious
problem.  That's why Conservancy was first to criticize McHardy [4], and why
Conservancy worked with the Netfilter team to encourage them to (a) also
denounce McHardy's activity [5] and (b) endorse the Principles of
Community-Oriented GPL Enforcement [6].

Note that those Principles don't say that damages should never be sought in
lawsuits, but rather, that *prioritizing* revenue over compliance is a
problem.  You can see on Conservancy's past Form 990s that Conservancy has
received revenue from GPL enforcement.  What I think those of you who have
not actually engaged in litigation don't realize is that when you face a
large bankroll on the Defendant's side, you take on real financial risk in
litigation.  Even though most Courts will award attorney's fees and costs
*at the end*, a small charity bringing litigation must consider carefully
what happens while the years of litigation and appeals continue, during
which the Defendant funds the best legal and political power that money can
buy to try to crush you.  The copyright system is rigged against the small
entity, so we must be agile, creative, and twice as diligent to succeed.

So, Bruce, I'm more frustrated than anyone that GPL violations are rampant
and we've not found in our community an effective way to fund enforcement
such that GPL violations become rare rather than common.  But -- even though
every time I walk into an electronics store, I see rows of GPL-violating
products -- I don't think it justifies abandoning our Principles, or taking
unnecessary risks.  Furthermore, we already have initiatives like McHardy's
and we don't see increased compliance as a result.  Thus, even if we wanted
to pursue enforcement driven by avarice, such has already been shown not to
achieve what matters most -- more software freedom for users and developers.

Bruce wrote further on debian-user:
> 1. Failure of SFC or its funded parties to attempt to appeal the VMWare
> decision

Bruce, please don't spread this disinformation; I know many are saying it,
and you probably heard it from others, but it's just incorrect.  The appeal
in Hellwig v. VMware is active in the German courts [7].  Everyone knows
that legal appeals take a very long time.  We just have to wait and keep
funding the lawyers until it's done.

Bruc