* [Ksummit-discuss] [CORE TOPIC] GPL defense issues
@ 2016-08-24  5:30 Karen Sandler
  2016-08-24 13:08 ` Greg KH
  0 siblings, 1 reply; 173+ messages in thread
From: Karen Sandler @ 2016-08-24  5:30 UTC (permalink / raw)
  To: ksummit-discuss

I know that it's somewhat late in this process, but I was encouraged by a few
kernel developers here at LinuxCon to propose a discussion about enforcement
at the summit. There has been a lot of news recently (Patrick McHardy's
enforcement, the Principles of Community Oriented Enforcement, VMware
dismissal/appeal) resulting in quite a bit of speculation and discussion.

I think a Q&A on where things stand on all of these matters would make sense
and in that context also have a discussion about the GPL and enforcement
generally if there's time. It seems to me by the number of questions I've been
getting that many more kernel devs are interested in these topics than ever
before, and many who have previously preferred not to think about licensing
are starting to change their minds.

There have been so many discussions about these topics by industry lawyers and
executives behind closed doors, but developers have been generally kept out of
the loop. Understanding what's going on and figuring out if there's consensus
on some of these issues is likely to help the kernel community deal with the
impact down the road. At the very least, I think kernel developers each need
to decide how they feel about GPL enforcement as silence and inaction is as
much of a choice as voicing a view. From what I see, the timing on this
discussion has become critical.

thanks!
karen



Karen M. Sandler
Executive Director, Software Freedom Conservancy
__________
Become a Supporter today! http://sfconservancy.org/supporter/


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-24  5:30 [Ksummit-discuss] [CORE TOPIC] GPL defense issues Karen Sandler
@ 2016-08-24 13:08 ` Greg KH
  2016-08-24 14:25   ` Karen Sandler
                     ` (2 more replies)
  0 siblings, 3 replies; 173+ messages in thread
From: Greg KH @ 2016-08-24 13:08 UTC (permalink / raw)
  To: karen; +Cc: ksummit-discuss

On Wed, Aug 24, 2016 at 01:30:00AM -0400, Karen Sandler wrote:
> 
> There have been so many discussions about these topics by industry lawyers
> and executives behind closed doors, but developers have been generally
> kept out of the loop.

That's a very unfair comparison, "lawyers and executives" always are
"behind closed doors" as that's the way business works (and has to for
legal reasons as you know).  One can say the same thing about any type
of company meeting where anything is discussed.

And "developers" are not being kept out of any "loop" here, please, lots
of us know exactly what is going on here.

> Understanding what's going on and figuring out if there's consensus on
> some of these issues is likely to help the kernel community deal with
> the impact down the road.

The impact of what?  And getting "consensus" from 5000+ people is pretty
impossible on any kind of topic at all :)

> At the very least, I think kernel developers each need to decide how
> they feel about GPL enforcement as silence and inaction is as much of
> a choice as voicing a view.

That's not fair, it's implying that our current way of doing this type
of thing is somehow not working.  Remember, we have done something that
no other group has ever done before, so please don't discount that we
know how to handle stuff like this.  Sometimes not making a public
statement is actually the correct thing to do.

> From what I see, the timing on this discussion has become critical.

Why are things "critical" now vs. the situation we had 5, 10, or 15 years
ago?

Anyway, we try to stick to technical topics from the developers of the
kernel for the kernel summit wherever possible, and I think that the
deadline for proposing new topics has passed, so I don't think there's
much that can be done this late in the process.

thanks,

greg k-h


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-24 13:08 ` Greg KH
@ 2016-08-24 14:25   ` Karen Sandler
  2016-08-24 14:39     ` Josh Triplett
  2016-08-24 17:38     ` Greg KH
  2016-08-24 14:38   ` Daniel Vetter
  2016-08-24 15:29   ` David Woodhouse
  2 siblings, 2 replies; 173+ messages in thread
From: Karen Sandler @ 2016-08-24 14:25 UTC (permalink / raw)
  To: Greg KH; +Cc: ksummit-discuss

On Wed, 2016-08-24 at 09:08 -0400, Greg KH wrote:
> On Wed, Aug 24, 2016 at 01:30:00AM -0400, Karen Sandler wrote:
> > 
> > There have been so many discussions about these topics by industry lawyers
> > and executives behind closed doors, but developers have been generally
> > kept out of the loop.
> 
> That's a very unfair comparison, "lawyers and executives" always are
> "behind closed doors" as that's the way business works (and has to for
> legal reasons as you know).  One can say the same thing about any type
> of company meeting where anything is discussed.
> 
> And "developers" are not being kept out of any "loop" here, please, lots
> of us know exactly what is going on here.

I'm of course not talking about internal company meetings, but rather
invite-only backchannels where lawyers and executives are invited but
developers are typically not.  I know, Greg, that you and a few other
developers do cross between these worlds, but most Linux developers I've
spoken to do not.  This session is an opportunity for those developers
to hear about what's been going on in the last year.

> > At the very least, I think kernel developers each need to decide how
> > they feel about GPL enforcement as silence and inaction is as much of
> > a choice as voicing a view.
> 
> That's not fair, it's implying that our current way of doing this type
> of thing is somehow not working.  Remember, we have done something that
> no other group has ever done before, so please don't discount that we
> know how to handle stuff like this.  Sometimes not making a public
> statement is actually the correct thing to do.

I absolutely agree that sometimes making a public statement is not the
right thing to do.  I'm not suggesting that in this session we plan a
public statement or pressure anyone to do so in the future. Rather, I
suggest that we discuss among the Linux developer community what public
statements have been made, what semi-private discussions have occurred,
and discuss as a group how this impacts the Linux community.
 
> > From what I see, the timing on this discussion has become critical.
> 
> Why are things "critical" now vs. the situation we had 5, 10, or 15 years
> ago?

5, 10, or 15 years ago we didn't have Patrick McHardy engaging in
enforcement without coordinating with the rest of the netfilter team.
Also, the recent VMware court ruling and its implications are new this
year; the community of copyright holders should examine it and discuss
it. 

> Anyway, we try to stick to technical topics from the developers of the
> kernel for the kernel summit wherever possible, and I think that the
> deadline for proposing new topics has passed, so I don't think there's
> much that can be done this late in the process.

Three people from the TAB, two of whom are on this committee, suggested
yesterday that I submit this session and Ted's original CFP says:
"Obviously, if new topics come up after that, please still send them to
us!"

Finally, some of the issues here are very technical.  In the VMware
ruling, the Court claimed difficulty in understanding how copyright
holding is documented in Linux.  This is a problem that can be mitigated
and even solved with technical solutions that we can discuss in this
session.

karen


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-24 13:08 ` Greg KH
  2016-08-24 14:25   ` Karen Sandler
@ 2016-08-24 14:38   ` Daniel Vetter
  2016-08-24 14:44     ` Josh Triplett
  2016-08-24 15:29   ` David Woodhouse
  2 siblings, 1 reply; 173+ messages in thread
From: Daniel Vetter @ 2016-08-24 14:38 UTC (permalink / raw)
  To: Greg KH; +Cc: ksummit-discuss

On Wed, Aug 24, 2016 at 3:08 PM, Greg KH <greg@kroah.com> wrote:
> Anyway, we try to stick to technical topics from the developers of the
> kernel for the kernel summit wherever possible, and I think that the
> deadline for proposing new topics has passed, so I don't think there's
> much that can be done this late in the process.

Hm, I always thought the point of KS is to talk about process,
painpoints in the same and other topics of larger scale. Personally I
think Karen's topic fits into this, and I think it would be
interesting (at least for me). The pure technical topics are
interesting to keep up on general things, but lwn.net does a great job
at covering these wherever they happen - no reason for me to fly
around the globe for those. At least that's been my experience with
the past few KS, I've always taken home a lot more from the
process/more general sessions than the latest deep technical topic.
Might just be that gfx folks are somewhat in a world of their own.
-Daniel
-- 
Daniel Vetter
Software Engineer, Intel Corporation
+41 (0) 79 365 57 48 - http://blog.ffwll.ch


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-24 14:25   ` Karen Sandler
@ 2016-08-24 14:39     ` Josh Triplett
  2016-08-24 15:21       ` Mark Brown
                         ` (2 more replies)
  2016-08-24 17:38     ` Greg KH
  1 sibling, 3 replies; 173+ messages in thread
From: Josh Triplett @ 2016-08-24 14:39 UTC (permalink / raw)
  To: Karen Sandler; +Cc: ksummit-discuss

On Wed, Aug 24, 2016 at 10:25:38AM -0400, Karen Sandler wrote:
> On Wed, 2016-08-24 at 09:08 -0400, Greg KH wrote:
> > On Wed, Aug 24, 2016 at 01:30:00AM -0400, Karen Sandler wrote:
> > > 
> > > There have been so many discussions about these topics by industry lawyers
> > > and executives behind closed doors, but developers have been generally
> > > kept out of the loop.
> > 
> > That's a very unfair comparison, "lawyers and executives" always are
> > "behind closed doors" as that's the way business works (and has to for
> > legal reasons as you know).  One can say the same thing about any type
> > of company meeting where anything is discussed.
> > 
> > And "developers" are not being kept out of any "loop" here, please, lots
> > of us know exactly what is going on here.
> 
> I'm of course not talking about internal company meetings, but rather
> invite-only backchannels where lawyers and executives are invited but
> developers are typically not.  I know, Greg, that you and a few other
> developers do cross between these worlds, but most Linux developers I've
> spoken to do not.  This session is an opportunity for those developers
> to hear about what's been going on in the last year.

Personally, I've seen numerous examples of people not having heard any
of the background on these issues.  I'd love to see this topic covered
far and wide.  Not everyone gets to go to LLW or similar, or otherwise
has access to much of the information about such topics.

The session in a past Kernel Summit providing timely information on the
ongoing court case seemed quite popular.

I think a session providing information on current legal issues and
discussing implications of them seems quite relevant, as well as fitting
the criteria of "something that doesn't work as a mailing list
discussion".  *Especially* if the session includes discussion of
practical implications and practices.

Linux has pioneered many best-practices, such as the DCO.  By both
interest and necessity, we have to deal with issues like these.  Let's
talk about them, and start trying to find solutions for the next round
of issues.

- Josh Triplett


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-24 14:38   ` Daniel Vetter
@ 2016-08-24 14:44     ` Josh Triplett
  0 siblings, 0 replies; 173+ messages in thread
From: Josh Triplett @ 2016-08-24 14:44 UTC (permalink / raw)
  To: Daniel Vetter; +Cc: ksummit-discuss

On Wed, Aug 24, 2016 at 04:38:47PM +0200, Daniel Vetter wrote:
> On Wed, Aug 24, 2016 at 3:08 PM, Greg KH <greg@kroah.com> wrote:
> > Anyway, we try to stick to technical topics from the developers of the
> > kernel for the kernel summit wherever possible, and I think that the
> > deadline for proposing new topics has passed, so I don't think there's
> > much that can be done this late in the process.
> 
> Hm, I always thought the point of KS is to talk about process,
> painpoints in the same and other topics of larger scale. Personally I
> think Karen's topic fits into this, and I think it would be
> interesting (at least for me). The pure technical topics are
> interesting to keep up on general things, but lwn.net does a great job
> at covering these wherever they happen - no reason for me to fly
> around the globe for those. At least that's been my experience with
> the past few KS, I've always taken home a lot more from the
> process/more general sessions than the latest deep technical topic.
> Might just be that gfx folks are somewhat in a world of their own.

It's not just you.  Kernel Summit exists to cover things that a mailing
list discussion just won't work for.  We can handle the vast majority of
technical issues with asynchronous, distributed discussions, to the
point that Kernel Summit regularly rejects some technical topics either
because they don't actually need an in-person discussion or because
someone just needs to go write a patch or make an RFC proposal.  Process
issues, on the other hand, go much more smoothly if you get the right
people in the room, quickly bounce around a few concrete possibilities,
and make a call for what path to start down (even if that changes
later).


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-24 14:39     ` Josh Triplett
@ 2016-08-24 15:21       ` Mark Brown
  2016-08-24 16:54       ` Randy Dunlap
  2016-08-24 17:39       ` Greg KH
  2 siblings, 0 replies; 173+ messages in thread
From: Mark Brown @ 2016-08-24 15:21 UTC (permalink / raw)
  To: Josh Triplett; +Cc: ksummit-discuss

On Wed, Aug 24, 2016 at 10:39:32AM -0400, Josh Triplett wrote:
> On Wed, Aug 24, 2016 at 10:25:38AM -0400, Karen Sandler wrote:
> > On Wed, 2016-08-24 at 09:08 -0400, Greg KH wrote:

> > > And "developers" are not being kept out of any "loop" here, please, lots
> > > of us know exactly what is going on here.

> > I'm of course not talking about internal company meetings, but rather
> > invite-only backchannels where lawyers and executives are invited but
> > developers are typically not.  I know, Greg, that you and a few other
> > developers do cross between these worlds, but most Linux developers I've
> > spoken to do not.  This session is an opportunity for those developers
> > to hear about what's been going on in the last year.

Definitely - there are discussions but they're hardly wide discussions,
there's some people with good access to information but it's really not
that widespread.

> Personally, I've seen numerous examples of people not having heard any
> of the background on these issues.  I'd love to see this topic covered
> far and wide.  Not everyone gets to go to LLW or similar, or otherwise
> has access to much of the information about such topics.

Speaking for myself I have no idea what LLW is - I'm guessing it's *not*
Low Level Waste (the UK organization for handling nuclear waste) which
is what Google suggests!

> Linux has pioneered many best-practices, such as the DCO.  By both
> interest and necessity, we have to deal with issues like these.  Let's
> talk about them, and start trying to find solutions for the next round
> of issues.

I agree, and there's also the fact that good practice is often helped by
understanding so when we have the opportunity to share things in a wider
but still not public environment that seems like a great use of Kernel
Summit time.


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-24 13:08 ` Greg KH
  2016-08-24 14:25   ` Karen Sandler
  2016-08-24 14:38   ` Daniel Vetter
@ 2016-08-24 15:29   ` David Woodhouse
  2016-08-24 17:47     ` Greg KH
  2 siblings, 1 reply; 173+ messages in thread
From: David Woodhouse @ 2016-08-24 15:29 UTC (permalink / raw)
  To: Greg KH, karen; +Cc: ksummit-discuss

On Wed, 2016-08-24 at 09:08 -0400, Greg KH wrote:
> 
> > At the very least, I think kernel developers each need to decide how
> > they feel about GPL enforcement as silence and inaction is as much of
> > a choice as voicing a view.
> 
> That's not fair, it's implying that our current way of doing this type
> of thing is somehow not working.  

There are many who believe that it *isn't* working. Companies violate
the GPL all the time, and are encouraged by the fact that there is no
consistent enforcement when they do so.

And it's worse than "silence and inaction". There are even some who
actually argue *against* and try to derail any efforts to improve and
enforce compliance. It's almost as if they'd rather the kernel was
under a BSD licence, so that such usage was permitted.

> Remember, we have done something that no other group has ever done
> before, so please don't discount that we know how to handle stuff
> like this.  Sometimes not making a public statement is actually the
> correct thing to do.

Well, that of course depends on what you want to achieve.

If you are happy with the status quo, and do not want violators to be
brought into compliance, then of course it's the correct thing to do.

I don't think everybody *is* happy with the status quo, though.

-- 
dwmw2


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-24 14:39     ` Josh Triplett
  2016-08-24 15:21       ` Mark Brown
@ 2016-08-24 16:54       ` Randy Dunlap
  2016-08-24 17:39       ` Greg KH
  2 siblings, 0 replies; 173+ messages in thread
From: Randy Dunlap @ 2016-08-24 16:54 UTC (permalink / raw)
  To: Josh Triplett, Karen Sandler; +Cc: ksummit-discuss


I don't expect to be there, but I do agree with several others that this
is a good & relevant topic for KS.  I expect that most people are not
aware of closed meetings and their topics and decisions.


-- 
~Randy


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-24 14:25   ` Karen Sandler
  2016-08-24 14:39     ` Josh Triplett
@ 2016-08-24 17:38     ` Greg KH
  1 sibling, 0 replies; 173+ messages in thread
From: Greg KH @ 2016-08-24 17:38 UTC (permalink / raw)
  To: Karen Sandler; +Cc: ksummit-discuss

On Wed, Aug 24, 2016 at 10:25:38AM -0400, Karen Sandler wrote:
> On Wed, 2016-08-24 at 09:08 -0400, Greg KH wrote:
> > On Wed, Aug 24, 2016 at 01:30:00AM -0400, Karen Sandler wrote:
> > > 
> > > There have been so many discussions about these topics by industry lawyers
> > > and executives behind closed doors, but developers have been generally
> > > kept out of the loop.
> > 
> > That's a very unfair comparison, "lawyers and executives" always are
> > "behind closed doors" as that's the way business works (and has to for
> > legal reasons as you know).  One can say the same thing about any type
> > of company meeting where anything is discussed.
> > 
> > And "developers" are not being kept out of any "loop" here, please, lots
> > of us know exactly what is going on here.
> 
> I'm of course not talking about internal company meetings, but rather
> invite-only backchannels where lawyers and executives are invited but
> developers are typically not.  I know, Greg, that you and a few other
> developers do cross between these worlds, but most Linux developers I've
> spoken to do not.  This session is an opportunity for those developers
> to hear about what's been going on in the last year.

But how are you going to present this if those were "closed meetings"?
Honestly, I'm curious?

> > > From what I see, the timing on this discussion has become critical.
> > 
> > Why are things "critical" now vs. the situation we had 5, 10, or 15 years
> > ago?
> 
> 5, 10, or 15 years ago we didn't have Patrick McHardy engaging in
> enforcement without coordinating with the rest of the netfilter team.
> Also, the recent VMware court ruling and its implications are new this
> year; the community of copyright holders should examine it and discuss
> it. 

15 years ago we had tons of closed source kernel drivers being created
and shipped by companies like IBM and Intel.  Without having to "enforce
the license" we converted and changed them such that they are now our
most ardent supporters.

10 years ago we had companies try to use the "GPL condom" defense to
ship closed source kernel modules.  We got that taken care of in ways
that had nothing to do with legal methods.

Yes, Patrick is not a good thing to have happen, but as numerous of us
have said to the companies involved, "let us know if we can help out"
and so far they have refused to do so.  So unless that happens, there's
not much we can do as a community.

thanks,

greg k-h


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-24 14:39     ` Josh Triplett
  2016-08-24 15:21       ` Mark Brown
  2016-08-24 16:54       ` Randy Dunlap
@ 2016-08-24 17:39       ` Greg KH
  2016-08-24 17:54         ` Luis R. Rodriguez
  2016-08-24 18:30         ` Wolfram Sang
  2 siblings, 2 replies; 173+ messages in thread
From: Greg KH @ 2016-08-24 17:39 UTC (permalink / raw)
  To: Josh Triplett; +Cc: ksummit-discuss

On Wed, Aug 24, 2016 at 10:39:32AM -0400, Josh Triplett wrote:
> On Wed, Aug 24, 2016 at 10:25:38AM -0400, Karen Sandler wrote:
> > On Wed, 2016-08-24 at 09:08 -0400, Greg KH wrote:
> > > On Wed, Aug 24, 2016 at 01:30:00AM -0400, Karen Sandler wrote:
> > > > 
> > > > There have been so many discussions about these topics by industry lawyers
> > > > and executives behind closed doors, but developers have been generally
> > > > kept out of the loop.
> > > 
> > > That's a very unfair comparison, "lawyers and executives" always are
> > > "behind closed doors" as that's the way business works (and has to for
> > > legal reasons as you know).  One can say the same thing about any type
> > > of company meeting where anything is discussed.
> > > 
> > > And "developers" are not being kept out of any "loop" here, please, lots
> > > of us know exactly what is going on here.
> > 
> > I'm of course not talking about internal company meetings, but rather
> > invite-only backchannels where lawyers and executives are invited but
> > developers are typically not.  I know, Greg, that you and a few other
> > developers do cross between these worlds, but most Linux developers I've
> > spoken to do not.  This session is an opportunity for those developers
> > to hear about what's been going on in the last year.
> 
> Personally, I've seen numerous examples of people not having heard any
> of the background on these issues.  I'd love to see this topic covered
> far and wide.  Not everyone gets to go to LLW or similar, or otherwise
> has access to much of the information about such topics.
> 
> The session in a past Kernel Summit providing timely information on the
> ongoing court case seemed quite popular.

Yes, and I know a number of people who "got in trouble" after the fact
that they attended it.  So we need be aware that if the kernel summit
starts discussing legal issues, we open ourselves up to a much wider
range of "issues" than we have ever had before.

> I think a session providing information on current legal issues and
> discussing implications of them seems quite relevant, as well as fitting
> the criteria of "something that doesn't work as a mailing list
> discussion".  *Especially* if the session includes discussion of
> practical implications and practices.

Will your employer allow you to attend something like this?  If so,
great, but again we would need to warn people ahead of time to get that
type of approval :(

thanks,

greg k-h


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-24 15:29   ` David Woodhouse
@ 2016-08-24 17:47     ` Greg KH
  2016-08-24 18:24       ` James Bottomley
  2016-08-24 20:50       ` Bradley M. Kuhn
  0 siblings, 2 replies; 173+ messages in thread
From: Greg KH @ 2016-08-24 17:47 UTC (permalink / raw)
  To: David Woodhouse; +Cc: ksummit-discuss

On Wed, Aug 24, 2016 at 04:29:43PM +0100, David Woodhouse wrote:
> On Wed, 2016-08-24 at 09:08 -0400, Greg KH wrote:
> > 
> > > At the very least, I think kernel developers each need to decide how
> > > they feel about GPL enforcement as silence and inaction is as much of
> > > a choice as voicing a view.
> > 
> > That's not fair, it's implying that our current way of doing this type
> > of thing is somehow not working.  
> 
> There are many who believe that it *isn't* working. Companies violate
> the GPL all the time, and are encouraged by the fact that there is no
> consistent enforcement when they do so.

That's not fair, companies have always "violated" our license, and
violate lots of other licenses, that doesn't make them any less real or
valid.

Personally, it seems that we are much better off today than we were 15,
10, and even 5 years ago on this front.  There's a standing offer from
the Linux Foundation to get any code from any company that someone
thinks is not open that is in the kernel.  That offer has been taken up
on a few times, and has never failed so far.

And that's the best that we can do without getting lawyers involved.
Once we do that, to quote Linus, "we lost".

> And it's worse than "silence and inaction". There are even some who
> actually argue *against* and try to derail any efforts to improve and
> enforce compliance. It's almost as if they'd rather the kernel was
> under a BSD licence, so that such usage was permitted.

Sure, lots of companies would like that because they are stupid and
selfish.  The best thing we have to combat that is what we have been
doing for the past 20+ years.  It has made huge changes to huge
companies (just look at Intel, and now Microsoft!)  Once you get legal
involved, all bets are off as this now stops being something that we can
help address, and instead have to rely on lawyers and courts, a fickle
beast as the vmware thing is proving :(

And we aren't "silent" at all, but it's all about providing a big enough
carrot for companies to join us, and not go after them with a stick to
drive them away.

As someone else once said, "never sue your customer".

> > Remember, we have done something that no other group has ever done
> > before, so please don't discount that we know how to handle stuff
> > like this.  Sometimes not making a public statement is actually the
> > correct thing to do.
> 
> Well, that of course depends on what you want to achieve.

I want the code, and I want the company that produced that code to join
our community.  So far we are doing really well in achieving that goal.
You might have other goals, which is fine.

> If you are happy with the status quo, and do not want violators to be
> brought into compliance, then of course it's the correct thing to do.

I do, but I don't ever think that suing them is the right way to do it,
given that we have been _very_ successful so far without having to do
that.

> I don't think everybody *is* happy with the status quo, though.

That's fine, and understandable, someone is always never happy :)

So, specifics, what are you upset about that we can do specifically
better?  What company is shipping code that we don't have that we want?

I have a shortlist that I'm working on, what's yours?

thanks,

greg k-h


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-24 17:39       ` Greg KH
@ 2016-08-24 17:54         ` Luis R. Rodriguez
  2016-08-24 18:30         ` Wolfram Sang
  1 sibling, 0 replies; 173+ messages in thread
From: Luis R. Rodriguez @ 2016-08-24 17:54 UTC (permalink / raw)
  To: Greg KH; +Cc: ksummit-discuss

On Wed, Aug 24, 2016 at 10:39 AM, Greg KH <greg@kroah.com> wrote:
> On Wed, Aug 24, 2016 at 10:39:32AM -0400, Josh Triplett wrote:
>> On Wed, Aug 24, 2016 at 10:25:38AM -0400, Karen Sandler wrote:
>> > On Wed, 2016-08-24 at 09:08 -0400, Greg KH wrote:
>> > > On Wed, Aug 24, 2016 at 01:30:00AM -0400, Karen Sandler wrote:
>> > > >
>> > > > There have been so many discussions about these topics by industry lawyers
>> > > > and executives behind closed doors, but developers have been generally
>> > > > kept out of the loop.
>> > >
>> > > That's a very unfair comparison, "lawyers and executives" always are
>> > > "behind closed doors" as that's the way business works (and has to for
>> > > legal reasons as you know).  One can say the same thing about any type
>> > > of company meeting where anything is discussed.
>> > >
>> > > And "developers" are not being kept out of any "loop" here, please, lots
>> > > of us know exactly what is going on here.
>> >
>> > I'm of course not talking about internal company meetings, but rather
>> > invite-only backchannels where lawyers and executives are invited but
>> > developers are typically not.  I know, Greg, that you and a few other
>> > developers do cross between these worlds, but most Linux developers I've
>> > spoken to do not.  This session is an opportunity for those developers
>> > to hear about what's been going on in the last year.
>>
>> Personally, I've seen numerous examples of people not having heard any
>> of the background on these issues.  I'd love to see this topic covered
>> far and wide.  Not everyone gets to go to LLW or similar, or otherwise
>> has access to much of the information about such topics.
>>
>> The session in a past Kernel Summit providing timely information on the
>> ongoing court case seemed quite popular.
>
> Yes, and I know a number of people who "got in trouble" after the fact
> that they attended it.

Huh, because of the last discussion at kernel summit? Holy spaghetti monster!

>> I think a session providing information on current legal issues and
>> discussing implications of them seems quite relevant, as well as fitting
>> the criteria of "something that doesn't work as a mailing list
>> discussion".  *Especially* if the session includes discussion of
>> practical implications and practices.
>
> Will your employer allow you to attend something like this?  If so,
> great, but again we would need to warn people ahead of time to get that
> type of approval :(

Case in point -- can a Linux developer working for a company really
care about GPL enforcement or has this right been taken away by a lot
of companies ? Is it a thing only a few can care for ? What are the
implications ? Do we care ? Do you ?

My opinion of course is you should be able to care. The fact that this
topic can be an issue *is an issue* in and of itself. My own
logistical approach to addressing this however is a bit different then
-- those that should care should just simply join SFC Conservancy. If
you are not sure then talk to one of us that is part of the alliance,
or that do care. If you can't talk to us because your employer does
want you to talk to us or join SFC -- well snap. There's obviously
only a few options then.

 Luis


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-24 17:47     ` Greg KH
@ 2016-08-24 18:24       ` James Bottomley
  2016-08-24 20:41         ` Greg KH
  2016-08-24 20:50       ` Bradley M. Kuhn
  1 sibling, 1 reply; 173+ messages in thread
From: James Bottomley @ 2016-08-24 18:24 UTC (permalink / raw)
  To: Greg KH, David Woodhouse; +Cc: ksummit-discuss

We're getting off into the weeds on this.

The question is whether there's an interest among the attendees of KS
in hearing about this type of thing.  Based on the feedback from
Christoph's session last year and some of the replies to this thread,
I'd say there is.  There is an argument that we shouldn't do this
because it expands our exposure to legal jeopardy ... if you want to
argue on that tack, I'm listening.

Dragging up employers not liking it is a red herring: last year's
session was organised very late and some employers did veto their
developers attending (like yours), but the resolution was simple: you
didn't stay in the room.  Anyone whose employer orders them to stay
away can do the same.  We can make sure to have the same warnings we
had last year, so I don't really see the employer angle being an
objection to holding a GPL session at KS.

One of the good things about last year's session was that I think we did
get an embryo of a process to actually share this type of information
responsibly with the kernel community and that enabled more information
to be discussed reliably.

James


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-24 17:39       ` Greg KH
  2016-08-24 17:54         ` Luis R. Rodriguez
@ 2016-08-24 18:30         ` Wolfram Sang
  2016-08-24 19:57           ` Greg KH
  1 sibling, 1 reply; 173+ messages in thread
From: Wolfram Sang @ 2016-08-24 18:30 UTC (permalink / raw)
  To: Greg KH; +Cc: ksummit-discuss


> > The session in a past Kernel Summit providing timely information on the
> > ongoing court case seemed quite popular.
> 
> Yes, and I know a number of people who "got in trouble" after the fact
> that they attended it.

This is really sad news :( That put aside, I don't see the conclusion
that we shouldn't have topics like this at KS then. As this thread
shows, there is enough interest from individuals (or employees speaking
as individuals or companies being fine with it) to justify this topic,
or?

> So we need be aware that if the kernel summit starts discussing legal
> issues, we open ourselves up to a much wider range of "issues" than we
> have ever had before.

I'd think the variety of opinions will make it impossible to reach a
common statement or conclusion anyhow (as this thread shows as well).
But to inform (interested) people what is happening right now and
discuss it, why not? What kind of issues could come from that?




* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-24 18:30         ` Wolfram Sang
@ 2016-08-24 19:57           ` Greg KH
  2016-08-24 20:19             ` James Bottomley
  2016-08-24 21:13             ` Karen Sandler
  0 siblings, 2 replies; 173+ messages in thread
From: Greg KH @ 2016-08-24 19:57 UTC (permalink / raw)
  To: Wolfram Sang; +Cc: ksummit-discuss

On Wed, Aug 24, 2016 at 08:30:50PM +0200, Wolfram Sang wrote:
> > So we need be aware that if the kernel summit starts discussing legal
> > issues, we open ourselves up to a much wider range of "issues" than we
> > have ever had before.
> 
> I'd think the variety of opinions will make it impossible to reach a
> common statement or conclusion anyhow (as this thread shows as well).
> But to inform (interested) people what is happening right now and
> discuss it, why not? What kind of issues could come from that?

When someone involved in a legal suit talks to other people about it,
those other people, in some countries/jurisdictions, can then be called
in to testify / be disposed as part of that suit by the other member of
it.

I do my best to _never_ have to be disposed in anything, and so should
everyone else, as what can be asked in that can be _very_ wide ranging
and is almost always used in ways that you never want or intended it to
be.

And if you work for a company, you can be seen as a company
representative and all sorts of other things come into play very
quickly.

I served on a Grand Jury in the US for a while, so I've seen how the
legal system can work.  It can be arbitrary and unfair at times,
unfortunately.

Talk to any lawyer with experience in litigation for lots of stories if
you are curious.

So please be careful,

greg k-h


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-24 19:57           ` Greg KH
@ 2016-08-24 20:19             ` James Bottomley
  2016-08-24 21:13             ` Karen Sandler
  1 sibling, 0 replies; 173+ messages in thread
From: James Bottomley @ 2016-08-24 20:19 UTC (permalink / raw)
  To: Greg KH, Wolfram Sang; +Cc: ksummit-discuss

On Wed, 2016-08-24 at 15:57 -0400, Greg KH wrote:
> On Wed, Aug 24, 2016 at 08:30:50PM +0200, Wolfram Sang wrote:
> > > So we need be aware that if the kernel summit starts discussing
> > > legal issues, we open ourselves up to a much wider range of
> > > "issues" than we have ever had before.
> > 
> > I'd think the variety of opinions will make it impossible to reach
> > a common statement or conclusion anyhow (as this thread shows as
> > well).  But to inform (interested) people what is happening right
> > now and discuss it, why not? What kind of issues could come from
> > that?
> 
> When someone involved in a legal suit talks to other people about it,
> those other people, in some countries/jurisdictions, can then be 
> called in to testify / be disposed as part of that suit by the other 
> member of it.
> 
> I do my best to _never_ have to be disposed in anything, and so 
> should everyone else, as what can be asked in that can be _very_ wide
> ranging and is almost always used in ways that you never want or 
> intended it to be.

To clarify for everyone: the specific danger here is that if we have a
discussion on legal issues, any statement you make as part of the
discussion is discoverable as evidence in a court proceeding, meaning
that if one side or the other thinks whatever you said can help them,
they can call you to repeat it in court.  Worse still, such a statement
could potentially be portrayed as "the opinion of the community" if
we're not careful.  Lawyers become trained to recognise what is safe to
say in this regard and what isn't, but we, as kernel developers, aren't
used to guarding our opinions in this way.

Everyone has to bear this in mind, and that's why, when Christoph gave
his statement about VMware, we didn't actually allow any discussion.

The way companies escape from this is to have a corporate lawyer be
part of the conversation so it's protected under attorney client
privilege.  However, we have no such protections. (In case you're
wondering, the lawyer who's present actually has to be your counsel,
it's not enough that they simply be a lawyer).

James


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-24 18:24       ` James Bottomley
@ 2016-08-24 20:41         ` Greg KH
  2016-08-24 21:09           ` Jiri Kosina
  0 siblings, 1 reply; 173+ messages in thread
From: Greg KH @ 2016-08-24 20:41 UTC (permalink / raw)
  To: James Bottomley; +Cc: ksummit-discuss

On Wed, Aug 24, 2016 at 02:24:25PM -0400, James Bottomley wrote:
> We're getting off into the weeds on this.
> 
> The question is whether there's an interest among the attendees of KS
> in hearing about this type of thing.  Based on the feedback from
> Christoph's session last year and some of the replies to this thread,
> I'd say there is.  There is an argument that we shouldn't do this
> because it expands our exposure to legal jeopardy ... if you want to
> argue on that tack, I'm listening.

Yes, that's the issue here.

I discussed this last year with you, and others.  By us talking about
this in a setting like this, we open ourselves up to being part of any
lawsuits that are discussed.  That's _really_ dangerous, and is why I
didn't attend the session last year.  I was not told by anyone that I
could not, it was my own decision.

That's my objection, I don't want any of us to be exposed to that risk.

> Dragging up employers not liking it is a red herring: last year's
> session was organised very late and some employers did veto their
> developers attending (like yours), but the resolution was simple: you
> didn't stay in the room.  Anyone whose employer orders them to stay
> away can do the same.  We can make sure to have the same warnings we
> had last year, so I don't really see the employer angle being an
> objection to holding a GPL session at KS.
> 
> One of the good things about last year's session was that I think we did
> get an embryo of a process to actually share this type of information
> responsibly with the kernel community and that enabled more information
> to be discussed reliably.

Maybe, but really, this has the huge potential to politicize our
community (if it hasn't already).  The kernel summit has always been
about technical things.  We have had outside people (user group
representatives, crazy Germans wanting changes for userspace, etc.)
attend in the past, but those are all technical issues.  I never want to
have a topic at the kernel summit be such that I am forced to have my
personal lawyer present just to ensure that I don't get in any sort of
legal trouble.

So yes, the license matters.  And yes, the GPL is one of the main
reasons we have succeeded so well.  And yes, us being engineers love
arguing the technical issues involved in legal matters.  But being as
these are legal matters, shouldn't we be trusting this to our lawyers
(personal and corporate?)  That's what they do best, not us!

As the creators of this body of code, let's stick to the technical
issues at hand, as we do that really well.

thanks,

greg k-h


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-24 17:47     ` Greg KH
  2016-08-24 18:24       ` James Bottomley
@ 2016-08-24 20:50       ` Bradley M. Kuhn
  2016-08-24 21:54         ` Greg KH
  1 sibling, 1 reply; 173+ messages in thread
From: Bradley M. Kuhn @ 2016-08-24 20:50 UTC (permalink / raw)
  To: Greg KH; +Cc: ksummit-discuss

Greg,

Greg KH wrote today:
> There's a standing offer from the Linux foundation to get any code from any
> company that someone thinks is not open that is in the kernel.

I'm certainly glad to hear that in a few cases among the many hundreds of
active Linux GPL violations, Linux Foundation's "ask for our help to find the
compliance officer at a violator company" program has helped some.

> That offer has been taken up on a few times, and has never failed so far.

However, I know for a fact that it *has* sometimes failed.  Specifically,
I've utilized this service of Linux Foundation (which others can find at
https://compliance.linuxfoundation.org/references/open-compliance-directory
), with 0-for-2 results.

I did go through channels.  I used that online form and got no reply.  In
both cases, I ultimately approached Jim Zemlin directly to discuss the
matter.  Jim and other LF staff did make efforts, in both cases, to talk with
the companies, but no compliance results were achieved by Linux Foundation.

First, regarding VMware, Jim told me in August 2012 that Linux Foundation
(LF) was "in communication with VMware" and "they assured [us] that VMware
would work with Conservancy and comply".  I explained then to Jim that VMware
was conflating different issues: (a) their easy-to-resolve violations
regarding BusyBox and GNOME software, and (b) their more central issue of
combining their kernel with Linux source code -- an issue which Linus called
"in very poor taste", and which you yourself, Greg, told me "really bothered
you".  I also told Jim in 2012 that eventually, if VMware didn't resolve that
issue, that someone would likely sue them over the matter.

Over the next few years, both Karen Sandler and I attempted to follow up with
LF executives and employees -- up and down Linux Foundation's org chart.
They were unable (or unwilling) to offer any assistance in bringing VMware
into compliance.  Christoph got fed up and wanted to sue them.  After 4 years
of trying every other alternative, Conservancy decided to help him do so.

But, VMware is not my only example here.  I tried again, a year after I'd
first contacted LF about VMware, with another violator, in the automotive
industry, who had a zero-day GPL violation in their cars that contain Linux
-- no source nor offer -- and they remain out of compliance today.  I won't
name them because, per Conservancy's GPL enforcement principles (see
https://sfconservancy.org/copyleft-compliance/principles.html ), we're
keeping their name confidential as we continue to patiently work toward a
compliant resolution of their violation.

In that case, I waited about six months for an answer from LF on who to
contact at that automotive company.  In the end, LF just stopped responding
to Conservancy staff on the matter and we had to find our own way to get in
touch with the violator.  LF remains aware ( -- indeed -- I remind Jim, Mike
Dolan, Karen Copenhaver, and you, too, Greg, every time I see you all) that
this automotive company remains out of compliance on Linux, but LF has
rendered no assistance on getting them into compliance.

> I want the code, and I want the company that produced that code to join
> our community.  ..
> So far we are doing really well in achieving that goal.

Yes, with companies who "get it".  There are many of those, and they are
great stalwarts of our community.  No one is proposing suing them!  For those
companies: Karen or I call the person we know at the company and any GPL
violation is fixed in a matter of days (usually).  I've had *that* wonderful
experience with many major companies who employ many kernel developers.
Those are not the companies we're talking about here.

There are many companies, including some big ones, who just get away
with GPL violations year after year, have no intention of complying, and
refuse every effort by *everyone* (LF, Conservancy, etc.) to convince them to
comply.  In some cases, these bad actors even *flaunt* their violations; they
market products by saying that those products do things other products in the
sector can't -- because, of course, their products have proprietary Linux
modules that aren't available in source and certainly not upstream.

Anyway, as others have said, it's quite clear that there are strong policy
opinions on both sides of this issue.  As Luis mentioned, Conservancy is
actively enforcing for a growing coalition of Linux copyright holders.  But,
as Conservancy representatives, we want to hear from the entire community and
coordinate with that community.  KS is the best venue to communicate about
complex policy discussions with Linux developers.

--
Bradley M. Kuhn
Distinguished Technologist of Software Freedom Conservancy
========================================================================
Become a Conservancy Supporter today: https://sfconservancy.org/supporter


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-24 20:41         ` Greg KH
@ 2016-08-24 21:09           ` Jiri Kosina
  2016-08-24 21:21             ` James Bottomley
  0 siblings, 1 reply; 173+ messages in thread
From: Jiri Kosina @ 2016-08-24 21:09 UTC (permalink / raw)
  To: Greg KH; +Cc: James Bottomley, ksummit-discuss

On Wed, 24 Aug 2016, Greg KH wrote:

> I discussed this last year with you, and others.  By us talking about
> this in a setting like this, we open ourselves up to being part of any
> lawsuits that are discussed.  That's _really_ dangerous

Is it? What if a person actually wouldn't mind to participate because he 
actually believes in what the lawsuit is trying to achieve, and would be 
happy to provide his testimony in a lawsuit if need be?

Sure, there are corporations/employers involved (either due to copyright 
assignment, or due to other contract details), but that's up to every 
individual to judge and decide himself (together with his/her employer of 
course).

But I don't understand your implication that having yourself dragged into 
a GPL enforcement lawsuit is somehow a personal disaster.

Thanks,

-- 
Jiri Kosina
SUSE Labs


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-24 19:57           ` Greg KH
  2016-08-24 20:19             ` James Bottomley
@ 2016-08-24 21:13             ` Karen Sandler
  2016-08-24 22:01               ` Theodore Ts'o
  1 sibling, 1 reply; 173+ messages in thread
From: Karen Sandler @ 2016-08-24 21:13 UTC (permalink / raw)
  To: Greg KH; +Cc: ksummit-discuss

On Wed, 2016-08-24 at 15:57 -0400, Greg KH wrote:

> When someone involved in a legal suit talks to other people about it,
> those other people, in some countries/jurisdictions, can then be called
> in to testify / be disposed as part of that suit by the other member of
> it.

Perhaps I am confused - are there recordings of kernel summit sessions?
Is attendance recorded? I don't see how participating in a closed door
discussion here by folks who want to do so is any different risk-wise
than discussions happening behind other closed doors. 

It's true that someone can be called (by subpoena or other mechanisms in
various jurisdictions) to be deposed, often whether or not they are
disposed to doing so :) 

But I urge caution - you stated in an earlier email which is publicly
archived:

> lots of us know exactly what is going on here.  

Unless I've misunderstood how the kernel summit works, I think an
unrecorded invitation only conversation is much lower risk than a
substantive discussion in writing, which is why I propose it. 

I note that many developers have a personal stake in the kernel, and not
a lot of places to have these discussions. One of the reasons I'm so
dedicated to Conservancy's coalition, enforcing pursuant to stated
principles and am resigned to bringing last resort law suits is that
otherwise these issues will get decided in law suits between companies.
There, GPL interpretation will be collateral damage.

I think we should start the session by explaining possible risks for
those attending and encouraging them to seek legal counsel, which
obviously this session won't provide.

karen


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-24 21:09           ` Jiri Kosina
@ 2016-08-24 21:21             ` James Bottomley
  2016-08-24 21:33               ` Jiri Kosina
  2016-08-25 16:27               ` Rik van Riel
  0 siblings, 2 replies; 173+ messages in thread
From: James Bottomley @ 2016-08-24 21:21 UTC (permalink / raw)
  To: Jiri Kosina, Greg KH; +Cc: ksummit-discuss

On Wed, 2016-08-24 at 23:09 +0200, Jiri Kosina wrote:
> On Wed, 24 Aug 2016, Greg KH wrote:
> 
> > I discussed this last year with you, and others.  By us talking 
> > about this in a setting like this, we open ourselves up to being 
> > part of any lawsuits that are discussed.  That's _really_ dangerous
> 
> Is it? What if a person actually wouldn't mind to participate because 
> he actually believes in what the lawsuit is trying to achieve, and 
> would be happy to provide his testimony in a lawsuit if need be?

Even if it's VMware compelling you as witness for their case?

> Sure, there are corporations/employers involved (either due to
> copyright assignment, or due to other contract details), but that's
> up to every individual to judge and decide himself (together with
> his/her employer of course).
> 
> But I don't understand your implication that having yourself dragged 
> into a GPL enforcement lawsuit is somehow a personal disaster.

The specific problem is that we, as kernel developers, are used to
giving frank and unvarnished opinions, which are totally unlike the
carefully phrased non-statements that lawyers usually make.  Fine, if
what you've said helps Christoph or other plaintiffs, but consider what
happens if an unguarded statement of yours ends up helping the alleged
violator because it can be construed in a way you didn't intend.  This,
exactly, is the fear and, I think, you would regard something like this
as a bit of a disaster.

James


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-24 21:21             ` James Bottomley
@ 2016-08-24 21:33               ` Jiri Kosina
  2016-08-24 21:42                 ` James Bottomley
  2016-08-25 16:27               ` Rik van Riel
  1 sibling, 1 reply; 173+ messages in thread
From: Jiri Kosina @ 2016-08-24 21:33 UTC (permalink / raw)
  To: James Bottomley; +Cc: ksummit-discuss

On Wed, 24 Aug 2016, James Bottomley wrote:

> > > about this in a setting like this, we open ourselves up to being 
> > > part of any lawsuits that are discussed.  That's _really_ dangerous
> > 
> > Is it? What if a person actually wouldn't mind to participate because 
> > he actually believes in what the lawsuit is trying to achieve, and 
> > would be happy to provide his testimony in a lawsuit if need be?
> 
> Even if it's VMware compelling you as witness for their case?

As I said, this first of course needs to be resolved between each 
individual person and his/her employer, because mileage might vary a lot 
due to contract differences.

But in a hypothetical case of an individual either not contributing to 
kernel under employment contract, or an individual having a clearance 
from his employer to act in this particular matter solely on his own (with 
the copyright not being assigned to the company, etc), why not?

> > But I don't understand your implication that having yourself dragged 
> > into a GPL enforcement lawsuit is somehow a personal disaster.
> 
> The specific problem is that we, as kernel developers, are used to
> giving frank and unvarnished opinions, which are totally unlike the
> carefully phrased non-statements that lawyers usually make.  Fine, if
> what you've said helps Christoph or other plaintiffs, but consider what
> happens if an unguarded statement of yours ends up helping the alleged
> violator because it can be construed in a way you didn't intend.  This,
> exactly, is the fear and, I think, you would regard something like this
> as a bit of a disaster.

Sure, but if everyone is "just afraid" to provide a sincere testimony 
(especially if this includes just people from one side of the dispute), 
then I wouldn't put my bets on a positive result of the lawsuit.

-- 
Jiri Kosina
SUSE Labs


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-24 21:33               ` Jiri Kosina
@ 2016-08-24 21:42                 ` James Bottomley
  2016-08-24 21:46                   ` Jiri Kosina
  0 siblings, 1 reply; 173+ messages in thread
From: James Bottomley @ 2016-08-24 21:42 UTC (permalink / raw)
  To: Jiri Kosina; +Cc: ksummit-discuss

On Wed, 2016-08-24 at 23:33 +0200, Jiri Kosina wrote:
> On Wed, 24 Aug 2016, James Bottomley wrote:
[...]
> > > But I don't understand your implication that having yourself 
> > > dragged into a GPL enforcement lawsuit is somehow a personal
> > > disaster.
> > 
> > The specific problem is that we, as kernel developers, are used to
> > giving frank and unvarnished opinions, which are totally unlike the
> > carefully phrased non-statements that lawyers usually make.  Fine, 
> > if what you've said helps Christoph or other plaintiffs, but 
> > consider what happens if an unguarded statement of yours ends up 
> > helping the alleged violator because it can be construed in a way 
> > you didn't intend.   This, exactly, is the fear and, I think, you 
> > would regard something like this as a bit of a disaster.
> 
> Sure, but if everyone is "just afraid" to provide a sincere testimony
> (especially if this includes just people from one side of the 
> dispute), then I wouldn't put my bets on a positive result of the
> lawsuit.

I think the classic lawyer joke about their memoirs is that they should
be entitled "what my client meant to say ...".  Cases can be won or
lost (sometimes regardless of the issues) because of an unguarded
remark made by the client.

I'm not advocating that we don't have the session, I just want everyone
to have a very clear understanding of why there's a huge concern about
discussing an ongoing case.

James


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-24 21:42                 ` James Bottomley
@ 2016-08-24 21:46                   ` Jiri Kosina
  0 siblings, 0 replies; 173+ messages in thread
From: Jiri Kosina @ 2016-08-24 21:46 UTC (permalink / raw)
  To: James Bottomley; +Cc: ksummit-discuss

On Wed, 24 Aug 2016, James Bottomley wrote:

> I'm not advocating that we don't have the session, I just want everyone 
> to have a very clear understanding of why there's a huge concern about 
> discussing an ongoing case.

Especially given the fact that it hasn't been proposed by Karen (at least 
as I read it) as solely VMWare-centric topic in the first place at all. My 
reading of the proposal is "Seems like some of you guys seem to be 
uncertain or uncomfortable regarding the GPL enforcement success in 
today's world; let's discuss that".

Thanks,

-- 
Jiri Kosina
SUSE Labs


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-24 20:50       ` Bradley M. Kuhn
@ 2016-08-24 21:54         ` Greg KH
  2016-08-25  4:06           ` Bradley M. Kuhn
  0 siblings, 1 reply; 173+ messages in thread
From: Greg KH @ 2016-08-24 21:54 UTC (permalink / raw)
  To: Bradley M. Kuhn; +Cc: ksummit-discuss

On Wed, Aug 24, 2016 at 01:50:11PM -0700, Bradley M. Kuhn wrote:
> Greg KH wrote today:
> > That offer has been taken up on a few times, and has never failed so far.
> 
> However, I know for a fact that it *has* sometimes failed.  Specifically,
> I've utilized this service of Linux Foundation (which others can find at
> https://compliance.linuxfoundation.org/references/open-compliance-directory
> ), with 0-for-2 results.

<snip>

Ok, let's work together off-list to get these issues resolved, it's not
on-topic here, thanks.

> > I want the code, and I want the company that produced that code to join
> > our community.  ..
> > So far we are doing really well in achieving that goal.
> 
> Yes, with companies who "get it".  There are many of those, and they are
> great stalwarts of our community.  No one is proposing suing them!

But note, many, if not all, of those companies who you say "get it", did
get it 15, 10, or even 5 years ago.  If we had done what you are
proposing to do here then, those companies would never now be part of
our community and we would be much worse off, and possibly, not even be
here at all.

Again, "never sue your customer".

> There are many companies, including some big ones, who just get away
> with GPL violations year after year, have no intention of complying, and
> refuse every effort by *everyone* (LF, Conservancy, etc.) to convince them to
> comply.  In some cases, these bad actors even *flaunt* their violations; they
> market products by saying that those products do things other products in the
> sector can't -- because, of course, their products have proprietary Linux
> modules that aren't available in source and certainly not upstream.

I know about these just as well as everyone else.  And we all deal with
it the best that we can, through various ways.  But to somehow think
that by taking legal action against them, they will then gladly join our
community and work to make Linux better overall, is just not true.  It
never happened with the Busybox lawsuits from what I could tell, right?

In fact, it seems the opposite happened, there's now a replacement for
Busybox that does much the same thing, under a non-copyleft license,
that is being used in lots of places that Busybox used to be in.  That's
the exact opposite any project should ever want to see happen to them.

I don't want Linux to be a test case for the GPL as you put it
recently[1].  That's not how I personally feel a project succeeds in the
long run.  And I'm in it for the long haul.  Remember, at this point in
time, the only thing that will ever be able to stop us, is ourselves.
So we should do our best not to fuck it up.  The history of Busybox
development shows me one way a project can fuck up, and I try to learn
from history.

> Anyway, as others have said, it's quite clear that there are strong policy
> opinions on both sides of this issue.  As Luis mentioned, Conservancy is
> actively enforcing for a growing coalition of Linux copyright holders.  But,
> as Conservancy representatives, we want to hear from the entire community and
> coordinate with that community.  KS is the best venue to communicate about
> complex policy discussions with Linux developers.

The kernel summit is to discuss technical issues involving the kernel,
and developing it.  Personally, I do not feel that it is a place for
legal matters.  Our community is made up of people, and companies, that
have an extremely hard time agreeing on technical matters, throw
culture, corporate competition, free software vs. open software, and
legal issues into the mix and it would turn into a total and complete
mess.

As Linus today said on stage at LinuxCon, some of us barely like each
other to begin with, but we all know that we are working together to
make the best technological solution that we can, so we tolerate each
other :)

And as I said earlier in this thread, I don't want to have to have my
personal lawyer sitting next to me for me to be able to attend the
kernel summit.

thanks,

greg k-h

[1] https://lwn.net/Articles/695014/


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-24 21:13             ` Karen Sandler
@ 2016-08-24 22:01               ` Theodore Ts'o
  0 siblings, 0 replies; 173+ messages in thread
From: Theodore Ts'o @ 2016-08-24 22:01 UTC (permalink / raw)
  To: Karen Sandler; +Cc: ksummit-discuss

On Wed, Aug 24, 2016 at 05:13:56PM -0400, Karen Sandler wrote:
> 
> Perhaps I am confused - are there recordings of kernel summit sessions?
> Is attendance recorded? I don't see how participating in a closed door
> discussion here by folks who want to do so is any different risk-wise
> than discussions happening behind other closed doors.

There are no recordings of kernel summits, but who the attendees of
the kernel summit are is public knowledge, and there is generally
photographic evidence.  :-)

	     https://lwn.net/Articles/662699/

It's true that an unrecorded conversation with 75+ of your best is
"safer" (and a hallway conversation with a handful of people is even
safer), but nothing is risk-free, and the risks can come in multiple
dimensions.  I encourage folks to talk to their corporate counsels for
legal, because nobody else can give you that legal advice.

One of the things which very much worries me is the open scope of the
proposal.  e.g., let's have "discussions".

If there was a concrete proposal to consider, it would be much easier
for people to evaluate whether or not (a) it would be considered safe
for them to be in the room, and (b) whether it would be safe for them
to participate in the discussion.

In the ideal world, said proposal would have already received signoffs
from a number of General Counsels from most of our employers, and we
would be looking for the community assent to that proposal before we
went ahead with it.

If you have such a proposal, I would suggest bringing it to the
attention of Mike Dolan and Karen Cooperhaven who are lawyers from the
Linux Foundation (and since Linus and Greg work for the LF, they can
provide legal advice to them :-).  If it makes sense, they can help
with trying to circulate proposals to the various LF members' GC's.
There are also a number of the TAB that are quite well informed in
this area, if you are less comfortable talking to lawyers right off
the bat.

Cheers,

						- Ted

P.S.  It would be a lot easier for both the program committee and your
lawyers to evaluate whether or not it would make sense for individual
engineers to attend such a session if there was a concrete proposal
on the table, not only because the risks are much easier to evaluate,
but the upside benefits of such a session are also much easier to
consider.  It also significantly improves the chances of concrete,
positive results afterwards!

* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-24 21:54         ` Greg KH
@ 2016-08-25  4:06           ` Bradley M. Kuhn
  2016-08-25  6:37             ` Theodore Ts'o
                               ` (2 more replies)
  0 siblings, 3 replies; 173+ messages in thread
From: Bradley M. Kuhn @ 2016-08-25  4:06 UTC (permalink / raw)
  To: Greg KH; +Cc: ksummit-discuss

Greg KH wrote:
> I don't want Linux to be a test case for the GPL as you put it
> recently.

I am certainly sympathetic to your position.  But I myself don't
have the power nor will to make Linux into GPL's test case; a confluence of
external events already did that without my help.  I've been involved with
copyleft enforcement and policy for almost copyleft's entire existence.  I
observe now that the last 10 years brought something that never occurred
before with any other copylefted code.  Specifically, with Linux, we find
both major and minor industry players determined to violate the GPL, on
purpose, and refuse to comply, and tell us to our faces: "you think that we
have to follow the GPL?  Ok, then take us to Court.  We won't comply
otherwise."  (None of the companies in your historical examples ever did
this, Greg.)  And, the decision to take that position is wholly in the hands
of the violators, not the enforcers.

In response, we have two options: we can all decide to give up on the GPL, or
we can enforce it in Courts.  As always, no one is compelled to enforce the
GPL; Linux remains a multi-copyright-held project and copyright holders make
their own decisions, as Linus reminded us this week in his press comments.

I work for an organization that holds copyrights in Linux, and Conservancy
furthermore coordinates a coalition of developers who signed agreements
asking us to enforce their copyrights.  We also have embedded device users
writing us weekly asking us to please get the Linux sources for their
devices.  We have a huge mandate, and we're going to enforce (always adhering
to the Principles of Community-Oriented Enforcement, of course).  Together,
we are a vocal, but significant, minority of Linux contributors and users.

There's another vocal and significant minority of Linux contributors and
users who oppose GPL enforcement.  Greg, I wouldn't have pegged you for being
in that camp until this thread, but it seems that you now are. :)

Both of these minorities should have their voices heard, and we should
discuss and debate issues together.  Furthermore, both groups should
encourage the silent majority to share their views -- which might bring us
entirely new ideas that neither side has hitherto considered.

As others have pointed out, that silent majority may not want to discuss
complex licensing policy topics in public email discussions for various
reasons.  IIUC, the KS is designed as a venue for discussion of any issue
important to Linux that's difficult to discuss by email and online fora.

So, what baffles me, Greg, is not that you and I are on different sides of
this debate, but that your position appears to be that the issue should
simply not be discussed at the KS.  Frankly, seeing the diversity of views on
this thread has made me even more eager to sit down in a room to figure out
how and why our positions seem so far apart.  I'd like to learn from you,
Greg, what caused you to change your position so much in recent years,
because I respect your opinions and I know you understand these issues
very well.  (You've certainly given me some clever ideas about GPL
enforcement over the years that I've utilized to good effect.)  I'd like that
conversation to occur in a room with other smart, thoughtful Linux developers
in real time so we can all learn from each other.  The KS seems a perfect fit.

As to this side-thread about risk of "being in a room where such things are
discussed", obviously it's probably not a bad idea to talk to one's
employer's legal department before deciding to *speak up* in a session about
GPL enforcement.  And, I suppose there are a very few hyper-conservative
legal departments that would raise alarm bells even if an employee silently
attended such a session.  (I doubt that the latter is common, though.)
Anyway, if there's even a glimmer of a concern, there's currently
plenty of time for those who need to double-check with their management/legal
department to see if there's a ban on attending conference sessions that
discuss GPL enforcement.

Linux developers are a smart bunch, thus I don't think they need more
instruction than what's already been said on this thread to determine the
risk level to their livelihoods.  I thus don't see any reason that a session
at the KS on GPL enforcement would require different preauthorization than
many other sessions (e.g., such as one on UEFI or handling wireless spectrum,
which both also have many complex policy, legal, and licensing concerns for
many employers in the software industry).

As to Ted's point about the purported vagueness of the proposal, Karen gave a
clear list of things that occurred this year, all of which are public, that
we from Conservancy will bring up for discussion at the session.  Obviously
other ideas are welcome, but I can't imagine there are any issues to discuss
that aren't already mostly public by now -- Karen and I have certainly
succeeded a lot this year in removing excessive industry secrecy around
various issues (such as McHardy's enforcement actions).  If it helps to
know this too: neither Karen nor I plan to name any violators who have
not already been publicly named as violators before the session.  Indeed,
I don't expect to say anything I wouldn't say in a regular public talk.
--
Bradley M. Kuhn
Distinguished Technologist of Software Freedom Conservancy
========================================================================
Become a Conservancy Supporter today: https://sfconservancy.org/supporter

* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-25  4:06           ` Bradley M. Kuhn
@ 2016-08-25  6:37             ` Theodore Ts'o
  2016-08-25  7:03               ` Josh Triplett
  2016-08-26  0:59             ` Greg KH
  2016-08-26 12:03             ` James Bottomley
  2 siblings, 1 reply; 173+ messages in thread
From: Theodore Ts'o @ 2016-08-25  6:37 UTC (permalink / raw)
  To: Bradley M. Kuhn; +Cc: ksummit-discuss

On Wed, Aug 24, 2016 at 09:06:19PM -0700, Bradley M. Kuhn wrote:
> I work for an organization that holds copyrights in Linux, and Conservancy
> furthermore coordinates a coalition of developers who signed agreements
> asking us to enforce their copyrights.  We also have embedded device users
> writing us weekly asking us to please get the Linux sources for their
> devices.  We have a huge mandate, and we're going to enforce (always adhering
> to the Principles of Community-Oriented Enforcement, of course).

Bradley,

If the Conservancy is going to do what it's going to do, it's not
clear what's the purpose of having a discussion.

Having a debate implies that there is a question on the floor, and to
date it's not clear what the question or questions would be.  Yes,
it's clear what you and Karen have proposed as the *topic*, and the
Conservancy's positions aren't really a secret --- but that's not a
debatable question; it's not a specific proposal that could be
examined.

And even if we have a question on the floor; say, "Resolved: that
hackers should only use Emacs and not vi" --- we would want to
evaluate that question on several metrics: "Is the question one that
can be profitably debated?"  "Is there a way to determine which side has
won the debate?"  "Will the 'winners' of the debate be able to enforce
the outcome of the debate?"  "Do the people deciding who wins and who
loses have the legal / moral standing to make such a decision and
to bind the rest of the community or industry?"

There is plenty of time for discussion for the sake of discussion and
that's at the bar.  :-)

					- Ted

* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-25  6:37             ` Theodore Ts'o
@ 2016-08-25  7:03               ` Josh Triplett
  2016-08-25 20:03                 ` Dave Airlie
  0 siblings, 1 reply; 173+ messages in thread
From: Josh Triplett @ 2016-08-25  7:03 UTC (permalink / raw)
  To: Theodore Ts'o; +Cc: ksummit-discuss

On Thu, Aug 25, 2016 at 02:37:07AM -0400, Theodore Ts'o wrote:
> On Wed, Aug 24, 2016 at 09:06:19PM -0700, Bradley M. Kuhn wrote:
> > I work for an organization that holds copyrights in Linux, and Conservancy
> > furthermore coordinates a coalition of developers who signed agreements
> > asking us to enforce their copyrights.  We also have embedded device users
> > writing us weekly asking us to please get the Linux sources for their
> > devices.  We have a huge mandate, and we're going to enforce (always adhering
> > to the Principles of Community-Oriented Enforcement, of course).
> 
> Bradley,
> 
> If the Conservancy is going to do what it's going to do, it's not
> clear what's the purpose of having a discussion.
> 
> Having a debate implies that there is a question on the floor, and to
> date it's not clear what the question or questions would be.  Yes,
> it's clear what you and Karen have proposed as the *topic*, and the
> Conservancy's positions aren't really a secret --- but that's not a
> debatable question; it's not a specific proposal that could be
> examined.

A few possibilities:

- What's the right way to handle enforcement?  (The most general version
  of this question has no hope of consensus, but I suspect we could
  fairly easily reach consensus about what we don't want to see people
  doing, for instance.)

- What (if anything) do we do in response to the "wrong" way to handle
  enforcement?  Would we ever have a response at the kernel level,
  rather than just within a maintainer team (as happened with
  netfilter)?  Is there a line where we'd stop taking patches from
  someone because they've created problems in the legal arena?  Where is
  that line?

- Do any of our current development procedures make enforcement easier
  or harder?

- Could we incorporate anything into our development procedures that
  improves the situation, analogous to the DCO?  (Not suggesting a live
  brainstorming session, but rather suggesting that if a concrete
  proposal exists for such a change, Kernel Summit seems like the place
  to discuss it.)

- EXPORT_SYMBOL_GPL and MODULE_LICENSE.  I know that some history exists
  suggesting that they've helped with some cases.  Do they potentially
  make enforcement more difficult, though?  (This also includes informal
  or internal enforcement/compliance efforts; for instance,
  EXPORT_SYMBOL_GPL may provide a supporting argument for such efforts,
  but conversely EXPORT_SYMBOL may then hinder such efforts.)

- A recent proposal (with patch) suggested adding an additional
  (GPL-compatible) license to the table of licenses in MODULE_LICENSE.
  Should that happen?  Would it make sense to use a different approach
  in MODULE_LICENSE, such as just "GPL-compatible" or "GPL and
  additional rights"?  Would any of the possible approaches there cause
  problems?

Some of these questions may potentially work better on a mailing list;
some of them seem like good topics for in-person discussion, especially
if there's research or answers that friendly legal experts could
provide.

* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-24 21:21             ` James Bottomley
  2016-08-24 21:33               ` Jiri Kosina
@ 2016-08-25 16:27               ` Rik van Riel
  1 sibling, 0 replies; 173+ messages in thread
From: Rik van Riel @ 2016-08-25 16:27 UTC (permalink / raw)
  To: James Bottomley, Jiri Kosina, Greg KH; +Cc: ksummit-discuss

On Wed, 2016-08-24 at 17:21 -0400, James Bottomley wrote:
> On Wed, 2016-08-24 at 23:09 +0200, Jiri Kosina wrote:
> > On Wed, 24 Aug 2016, Greg KH wrote:
> > 
> > > I discussed this last year with you, and others.  By us talking 
> > > about this in a setting like this, we open ourselves up to being 
> > > part of any lawsuits that are discussed.  That's _really_
> > > dangerous
> > 
> > Is it? What if a person actually wouldn't mind to participate
> > because 
> > he actually believes in what the lawsuit is trying to achieve, and 
> > would be happy to provide his testimony in a lawsuit if need be?
> 
> Even if it's VMware compelling you as witness for their case?

It's a good thing that the German court system
does not have a discovery process, unlike US
courts.

* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-25  7:03               ` Josh Triplett
@ 2016-08-25 20:03                 ` Dave Airlie
  2016-08-25 20:20                   ` James Bottomley
  0 siblings, 1 reply; 173+ messages in thread
From: Dave Airlie @ 2016-08-25 20:03 UTC (permalink / raw)
  To: Josh Triplett; +Cc: ksummit-discuss

On 25 August 2016 at 17:03, Josh Triplett <josh@joshtriplett.org> wrote:
> On Thu, Aug 25, 2016 at 02:37:07AM -0400, Theodore Ts'o wrote:
>> On Wed, Aug 24, 2016 at 09:06:19PM -0700, Bradley M. Kuhn wrote:
>> > I work for an organization that holds copyrights in Linux, and Conservancy
>> > furthermore coordinates a coalition of developers who signed agreements
>> > asking us to enforce their copyrights.  We also have embedded device users
>> > writing us weekly asking us to please get the Linux sources for their
>> > devices.  We have a huge mandate, and we're going to enforce (always adhering
>> > to the Principles of Community-Oriented Enforcement, of course).
>>
>> Bradley,
>>
>> If the Conservancy is going to do what it's going to do, it's not
>> clear what's the purpose of having a discussion.
>>
>> Having a debate implies that there is a question on the floor, and to
>> date it's not clear what the question or questions would be.  Yes,
>> it's clear what you and Karen have proposed as the *topic*, and the
>> Conservancy's positions aren't really a secret --- but that's not a
>> debatable question; it's not a specific proposal that could be
>> examined.
>
> A few possibilities:
>
> - What's the right way to handle enforcement?  (The most general version
>   of this question has no hope of consensus, but I suspect we could
>   fairly easily reach consensus about what we don't want to see people
>   doing, for instance.)
>
> - What (if anything) do we do in response to the "wrong" way to handle
>   enforcement?  Would we ever have a response at the kernel level,
>   rather than just within a maintainer team (as happened with
>   netfilter)?  Is there a line where we'd stop taking patches from
>   someone because they've created problems in the legal arena?  Where is
>   that line?
>
> - Do any of our current development procedures make enforcement easier
>   or harder?
>
> - Could we incorporate anything into our development procedures that
>   improves the situation, analogous to the DCO?  (Not suggesting a live
>   brainstorming session, but rather suggesting that if a concrete
>   proposal exists for such a change, Kernel Summit seems like the place
>   to discuss it.)
>
> - EXPORT_SYMBOL_GPL and MODULE_LICENSE.  I know that some history exists
>   suggesting that they've helped with some cases.  Do they potentially
>   make enforcement more difficult, though?  (This also includes informal
>   or internal enforcement/compliance efforts; for instance,
>   EXPORT_SYMBOL_GPL may provide a supporting argument for such efforts,
>   but conversely EXPORT_SYMBOL may then hinder such efforts.)

Oh I really wish someone could answer that. I hate _GPL as I believe it makes
it legal to create GPL modules with MODULE_LICENSE, when really they
violate the license just as much if not more. If something isn't a derivative work
for MODULE_LICENSE, but using one _GPL work somehow makes it one,
is insane.

Although I can't attend this year, I think there should be less stop energy from
the senior developers, and more discussion in the only place it's probably
safe to discuss this, in a closed room with no press, I'm nearly sure this
is one of the reasons KS existed in the first place to have
unreportable discussions.

Everyone who stays in the room can later drink heavily and deny any knowledge
of having been there.

Dave.

* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-25 20:03                 ` Dave Airlie
@ 2016-08-25 20:20                   ` James Bottomley
  2016-08-25 20:28                     ` Dave Airlie
  0 siblings, 1 reply; 173+ messages in thread
From: James Bottomley @ 2016-08-25 20:20 UTC (permalink / raw)
  To: Dave Airlie, Josh Triplett; +Cc: ksummit-discuss

On Fri, 2016-08-26 at 06:03 +1000, Dave Airlie wrote:
> On 25 August 2016 at 17:03, Josh Triplett <josh@joshtriplett.org>
> > - EXPORT_SYMBOL_GPL and MODULE_LICENSE.  I know that some history 
> > exists suggesting that they've helped with some cases.  Do they
> > potentially make enforcement more difficult, though?  (This also 
> > includes informal or internal enforcement/compliance efforts; for 
> > instance, EXPORT_SYMBOL_GPL may provide a supporting argument for 
> > such efforts, but conversely EXPORT_SYMBOL may then hinder such
> > efforts.)
> 
> Oh I really wish someone could answer that. I hate _GPL as I believe 
> it makes it legal to create GPL modules with MODULE_LICENSE, when 
> really they violate the license just as much if not more. If 
> something isn't a derivative work for MODULE_LICENSE, but using one 
> _GPL work somehow makes it one, is insane.

Well, having talked to some corporations who are fast and loose with
kernel modules: They fear accessing the GPL symbols (by lying about
their module licence) because, in the US, their lawyers have advised
them that this could be construed as circumventing a technological
protection mechanism under the DMCA.

I'm not sure I believe that pushing symbols to become GPL only helps
because the lawyers now seem to think that open source shims which give
access to the symbols are generally OK.

> Although I can't attend this year, I think there should be less stop 
> energy from the senior developers, and more discussion in the only 
> place it's probably safe to discuss this, in a closed room with no 
> press, I'm nearly sure this is one of the reasons KS existed in the 
> first place to have unreportable discussions.
> 
> Everyone who stays in the room can later drink heavily and deny any 
> knowledge of having been there.

That's about what we did last year.

Just on that, I would like to remind everyone that last year, we did
something fairly similar to what's being proposed and the sky didn't
fall ... there may have been a few irritated corporations, but there
weren't huge consequences.

What I think last year demonstrated was that we could use the forum of
the KS to have a useful dissemination of information and I think it's
got to be better than simply refusing to talk about it.

James

* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-25 20:20                   ` James Bottomley
@ 2016-08-25 20:28                     ` Dave Airlie
  0 siblings, 0 replies; 173+ messages in thread
From: Dave Airlie @ 2016-08-25 20:28 UTC (permalink / raw)
  To: James Bottomley; +Cc: ksummit-discuss

> That's about what we did last year.
>
> Just on that, I would like to remind everyone that last year, we did
> something fairly similar to what's being proposed and the sky didn't
> fall ... there may have been a few irritated corporations, but there
> weren't huge consequences.

Yes, like did anyone get fired? If not then nobody actually did anything
their company cared about wrong.

Dave.

* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-25  4:06           ` Bradley M. Kuhn
  2016-08-25  6:37             ` Theodore Ts'o
@ 2016-08-26  0:59             ` Greg KH
  2016-08-26  2:30               ` Matthew Garrett
  2016-08-26 11:49               ` James Bottomley
  2016-08-26 12:03             ` James Bottomley
  2 siblings, 2 replies; 173+ messages in thread
From: Greg KH @ 2016-08-26  0:59 UTC (permalink / raw)
  To: Bradley M. Kuhn; +Cc: ksummit-discuss

On Wed, Aug 24, 2016 at 09:06:19PM -0700, Bradley M. Kuhn wrote:
> Greg KH wrote:
> > I don't want Linux to be a test case for the GPL as you put it
> > recently.
> 
> I am certainly sympathetic to your position.  But I myself don't
> have the power nor will to make Linux into GPL's test case; a confluence of
> external events already did that without my help.  I've been involved with
> copyleft enforcement and policy for almost copyleft's entire existence.  I
> observe now that the last 10 years brought something that never occurred
> before with any other copylefted code.  Specifically, with Linux, we find
> both major and minor industry players determined to violate the GPL, on
> purpose, and refuse to comply, and tell us to our faces: "you think that we
> have to follow the GPL?  Ok, then take us to Court.  We won't comply
> otherwise."  (None of the companies in your historical examples ever did
> this, Greg.)  And, the decision to take that position is wholly in the hands
> of the violators, not the enforcers.
> 
> In response, we have two options: we can all decide to give up on the GPL, or
> we can enforce it in Courts.

I call bullshit on this.

And frankly, I'm tired of hearing it, as it's completely incorrect and
trivializes the effort that thousands of people have been doing for 25+
years to preserve the rights that the GPL grants us.

> There's another vocal and significant minority of Linux contributors and
> users who oppose GPL enforcement.  Greg, I wouldn't have pegged you for being
> in that camp until this thread, but it seems that you now are. :)

I have NEVER said I oppose "GPL enforcement", I will say that I oppose
the way that _you_ approach this task.

And here is why.

I too have had people say to my face, numerous times, "you think that we
have to follow the GPL?  Ok, then take us to Court.  We won't comply
otherwise."  And guess what, no one took anyone to court, and every
single time, I ended up with the code[1].

As you well know, when you take legal action against someone, you have
to be prepared to lose, and accept the consequences of that loss.

Frankly, I am not prepared to lose, and there is no way in hell that I
am willing to accept the consequences of such a loss.

You have told me yourself that you are willing to take that risk, and I
have told you that I am not.  I want Linux to succeed, I think it's the
right way to develop a software project, it's personally immensely
satisfying work, and the benefits it brings to millions of people
allowing them to create and control their lives is invaluable.

I've spent the last decade of my life working to support, grow, and
enhance our community.  And corporations are a _huge_ part of our
community, and frankly, the only reason we are where we are today.  We
_have_ to work to bring more companies and their developers into our
group, never working to purposefully alienate anyone.

Here's what happens when you threaten legal action against a company:
	- they instantly stop talking to any "external" developer that
	  might have been working with them to figure this community and
	  license thing out.  So much for our "back channel" to them
	  that was slowly starting to pay off.
	- they bring in more lawyers, and react defensively to protect
	  themselves, as that's what they have to do to preserve the
	  company.
	- Anyone in the company that pushed to use Linux is now seen as
	  "wrong" and instantly is pissed off that external people just
	  messed up their employment future.
	- Anyone in the company that resisted the use of Linux (possibly
	  in ways that caused the code not to be released over the
	  objection of the previously mentioned people) are vindicated
	  in their opinion of those "hippy"[2] programmers who develop
	  Linux.
	- The lawyers know that now that you are willing to accept that
	  losing is an option, and will do everything in their
	  capability to ensure that it happens (drag it out, annoy the
	  hell out of developers by deposing them, burn your money in
	  whatever way they can, etc.)

Now, even if, after many years of work on your part, you do get that
code, what is the end result?  You have made an enemy for life from the
people who brought Linux into the company, you have pissed off the
people who didn't like Linux in the first place as they were right and
yet you "defeated" them.  Both of those groups of people will now work
together to never use Linux again as they don't want to go through that
hell again, no matter what.

And look, we have a case study of this, BusyBox.  That's exactly what
happened numerous times.  Some of those people/companies you upset had
enough resources to create a competing project to replace it and ensure
that they never have to deal with that mess again.

And yes, you are "vindicated", but at what cost?  You have the code,
it's useless as it's old, obsolete, not mergeable, and oops, your
development community is now dead and the project is obsolete.

So, turn it around, and look at how _we_ have been doing enforcement in
the Linux community for the past 25 years.

We do it quietly, working with companies, from within, convincing them
that yes, this license that seems so strange and crazy is really worth
following, not only because it is the law (companies ignore the law all
the time, it's called risk management), but because it turns out it is
the right thing to do from a business point of view.  It's cheaper to do
so, the benefit is huge, and the return on investment is immense when
they join together to work with us, instead of off in their own bubble.

By doing this, the people that pushed for Linux in their company are
vindicated and love you more, some of the naysayers are convinced,
slowly, of the real truth here, and boom, you now have grown and
strengthened your community and the feedback loop continues.

Now back to one of those companies that told me to my face I was going
to have to sue them.  I just reviewed a major patch set from that
company a few weeks ago.[3]  Would that have worked if I had taken legal
action against them?  No way!  They are now a part of our community and
helping to make it succeed as their company relies on it.[4]  It took
many many years of work, but it happened.

So, by working with people, and showing them the BENEFIT of the GPL,
we grow our community, ensure our survival, and win converts to the
license itself as now those people have a stake in it as their company
relies on it.

A very smart senior kernel developer once told me over drinks in a bar
in Germany many years ago, something along the lines of "A foolish man
bangs on the outside trying to change a company, a wise and cunning man
works from within the company, changing it from inside such that it
never knew what happened."

And look, that's _exactly_ what we have done.  Us "punks" have grown up,
changed companies from within in ways that no one had ever imagined was
possible, and now hold major influence within them, if not total control
in some instances!  Look at the success of Linux, we took over the
world, by working from the bottom up, embracing and taking over all
possible industries in ways that have never been done before.

And we did it all by not suing anyone, as some of us know that's the
quickest way to piss businesses off and make enemies.[5]

Now you are in a problem here.  Being the representative of a number of
copyright holders, you only can use a legal approach in order to try to
get companies to comply.  All you have is a threat of litigation, which
clouds the viewpoint you are coming from (as is evident in your original
statement above about "enforce or give up".)

But me, and hundreds like me, who are the developers of the code, and
the people with the most at stake in the project, have more tools at our
disposal in order to achieve the goal of getting the code created by
companies, and bringing them into "the fold."  Bringing a developer in
to talk to people, and work with people, and discussing things
face-to-face, without any lawyers involved, is an incredibly powerful
force. Yeah, it's not flashy or public, it's slow, a grind, frustrating,
thankless, and burns airline miles like crazy.

But it's working.  And has worked.  So to dismiss the way a large number
of us have been doing this for decades as "not working" is personally
hurtful, and totally short-sighted.  I feel we have the proof that this
_does_ work based on the success of Linux.

Remember, "carrot vs. stick", "honey vs. vinegar", and the like.  Maybe
it's just me and my "attachment parenting" model of approaching the
world, but I honestly think that it's better to be nice to people than
to piss them off, if you wish to have them join you in your goals.

Another proof point, look at Microsoft and the BSA.  How many companies
did they piss off when they went in with lawyers to enforce their
licenses?  Wasn't it Fender Guitar that flat out refuses to ever use
anything from Microsoft again because of that?  We don't ever want to be
accused of acting like that to any company.

And yes, I know you work with companies before resorting to legal
action.  But it's not the developers of the project working with the
company, it's their representative, a VERY big difference, as is seen by
how it has worked out with Busybox.

This has gotten way off topic, sorry, but I felt I had to set the record
straight of being accused of not working on, or wanting to, enforce the
license of the project I have spent decades working on, that I feel is
one of the main reasons it has succeeded.

As you like to quote Linus, I will too, "once the lawyers are involved,
you have lost".

And you can quote me, "I do not want to lose."

So, back on topic, I think that the kernel summit should be left to
technical issues, as well as development issues (how maintainers work,
how releases happen, if we will finally turn off bugzilla, etc.)  Let's
keep the legal, and political, things out of it, in my opinion that
doesn't belong there.

Especially as I don't want to have to have my lawyer present in order
for me to be able to attend :)

thanks,

greg k-h


[1] It always, without fail, totally sucked.
[2] Personally I prefer being called a "punk", as that's much more
    accurate as to where the majority of us came from, yourself
    included.
[3] It still sucked, they haven't learned much, but they are trying and
    willing to learn.
[4] I want to resist the analogy of a drug pusher "first hit is free!",
    so I'll bury it here in a footnote.
[5] Till and Harald did take people to court, and it was good, but the
    issues there were much different than what you are proposing, and
    the stakes were much lower.


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-26  0:59             ` Greg KH
@ 2016-08-26  2:30               ` Matthew Garrett
  2016-08-26 16:34                 ` Luck, Tony
  2016-08-26 11:49               ` James Bottomley
  1 sibling, 1 reply; 173+ messages in thread
From: Matthew Garrett @ 2016-08-26  2:30 UTC (permalink / raw)
  To: Greg KH; +Cc: Bradley M. Kuhn, ksummit-discuss

On Thu, Aug 25, 2016 at 8:59 PM, Greg KH <greg@kroah.com> wrote:
> I too have had people say to my face, numerous times, "you think that we
> have to follow the GPL?  Ok, then take us to Court.  We won't comply
> otherwise."  And guess what, no one took anyone to court, and every
> single time, I ended up with the code[1].

And yet, if you and I were to go into a store today I bet we could
find more examples of infringing Linux than compliant. Of the ones
that *are* compliant, I strongly suspect that most would be companies
that were either sued over Busybox or came very close to being sued
over Busybox. Sure, it's not an approach that would have worked with
Intel or IBM, but they're a tiny fraction of the Linux that's sold.

If your focus is mainly on "How can we maximise contribution of $ and
developers to Linux", then yes, your approach makes sense. But that
comes at the cost of a vast number of users left with closed devices,
abandoned by their manufacturers, waiting for someone to find another
massive security flaw that we left behind in 2.6. These people matter,
and we shouldn't ignore their needs.

We've already got plenty of corporate investment. Let's not forget
that many of us are here because Linux gave us a way to hack on
devices that would otherwise have been closed to us, and let's do what
we can to ensure that the next generation of interested hackers have
the same opportunity.


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-26  0:59             ` Greg KH
  2016-08-26  2:30               ` Matthew Garrett
@ 2016-08-26 11:49               ` James Bottomley
  2016-08-28  7:48                 ` Wolfram Sang
  1 sibling, 1 reply; 173+ messages in thread
From: James Bottomley @ 2016-08-26 11:49 UTC (permalink / raw)
  To: Greg KH, Bradley M. Kuhn; +Cc: Linus Torvalds, ksummit-discuss

On Thu, 2016-08-25 at 20:59 -0400, Greg KH wrote:
> We do it quietly, working with companies, from within, convincing 
> them that yes, this license that seems so strange and crazy is really
> worth following, not only because it is the law (companies ignore the 
> law all the time, it's called risk management), but because it turns 
> out it is the right thing to do from a business point of view.  It's 
> cheaper to do so, the benefit is huge, and the return on investment 
> is immense when they join together to work with us, instead of off in 
> their own bubble.

To give support to this point, I've spent most of my career working at
fairly high levels within various companies to build open source
strategies and business models for them.  There is a very solid
business rationale for any corporation both releasing code under the
GPL and for using projects which are under the GPL.  It takes a while
to communicate and work out the strategy, but if you do it properly,
everyone just gets why.  Take a certain Russian company as an example. 
 When I joined, that company really fancied permissive licences. 
 However, it also feared releasing code that its competition would then
use against it in the market.  The give back clause of the GPL has a
solid answer to this (your competition has to show you the code they
would compete with you on), so it took under a year for the GPL to
become the default licence for them to release projects they controlled
under.

This isn't a "comply or else" approach, it's a "here's the business
value you're missing with your current position approach".  I'm happy
to negotiate with any company on this point and, as Greg says, the fact
that I haven't sued anyone and that I do have a reputation in the
industry really helps to get my foot in the door when it comes to
persuading some entity to be more GPL friendly.

James


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-25  4:06           ` Bradley M. Kuhn
  2016-08-25  6:37             ` Theodore Ts'o
  2016-08-26  0:59             ` Greg KH
@ 2016-08-26 12:03             ` James Bottomley
  2016-08-26 12:33               ` Christoph Hellwig
  2 siblings, 1 reply; 173+ messages in thread
From: James Bottomley @ 2016-08-26 12:03 UTC (permalink / raw)
  To: Bradley M. Kuhn, Greg KH; +Cc: Linus Torvalds, ksummit-discuss

On Wed, 2016-08-24 at 21:06 -0700, Bradley M. Kuhn wrote:
> I work for an organization that holds copyrights in Linux, and 
> Conservancy furthermore coordinates a coalition of developers who 
> signed agreements asking us to enforce their copyrights.  We also 
> have embedded device users writing us weekly asking us to please get 
> the Linux sources for their devices.  We have a huge mandate, and 
> we're going to enforce (always adhering to the Principles of 
> Community-Oriented Enforcement, of course).  Together, we are a 
> vocal, but significant, minority of Linux contributors and users.

Thanks to the ruling you've landed us with in Germany, it does appear
that this means you actually don't have any standing to enforce GPL for
the Linux kernel .... and now neither do the rest of us.

I fear the two prong test the court required could easily be applied
here in the US once the lack of standing defence is raised.  I've
actually spent some time this week working out how we might satisfy the
tests if they can't be overturned on appeal.  It turns out that Kate
Stewart and her Montreal Polytechnic crowd have spent years developing
a tool set that we can use to demonstrate precisely what the two prong
test demands and if we have to go down this road, I trust you'll be
grateful for the time and effort the Linux Foundation (Kate's employer
for all of this) has spent ensuring that the above ruling won't be the
disaster for us that it currently appears.

James


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-26 12:03             ` James Bottomley
@ 2016-08-26 12:33               ` Christoph Hellwig
  0 siblings, 0 replies; 173+ messages in thread
From: Christoph Hellwig @ 2016-08-26 12:33 UTC (permalink / raw)
  To: James Bottomley; +Cc: Bradley M. Kuhn, Linus Torvalds, ksummit-discuss

I've been trying to ignore this stupid flame war, but..

> Thanks to the ruling you've landed us with in Germany, it does appear
> that this means you actually don't have any standing to enforce GPL for
> the Linux kernel .... and now neither do the rest of us.

Even despite lots of help from Bradley and the Conservancy this is my case,
and I have lost the first instance.  I really don't want incorrect
statements like this to rest on a mailing list with a public archive.


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-26  2:30               ` Matthew Garrett
@ 2016-08-26 16:34                 ` Luck, Tony
  0 siblings, 0 replies; 173+ messages in thread
From: Luck, Tony @ 2016-08-26 16:34 UTC (permalink / raw)
  To: Matthew Garrett, Greg KH; +Cc: Bradley M. Kuhn, ksummit-discuss

> If your focus is mainly on "How can we maximise contribution of $ and
> developers to Linux", then yes, your approach makes sense. But that
> comes at the cost of a vast number of users left with closed devices,
> abandoned by their manufacturers, waiting for someone to find another
> massive security flaw that we left behind in 2.6. These people matter,
> and we shouldn't ignore their needs.

A better legal tactic might be to get some product liability laws on the
books that include a specific long term liability exception for products
that ship with full source. If those existed, then corporate lawyers would
be advising that using open source and making it available would be the
way to avoid giant liabilities like the asbestos and lead-in-paint suits.

[Disclaimer: my own random musings, not the opinion of my employer]

-Tony


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-26 11:49               ` James Bottomley
@ 2016-08-28  7:48                 ` Wolfram Sang
  0 siblings, 0 replies; 173+ messages in thread
From: Wolfram Sang @ 2016-08-28  7:48 UTC (permalink / raw)
  To: James Bottomley; +Cc: Bradley M. Kuhn, Linus Torvalds, ksummit-discuss

> everyone just gets why.  Take a certain Russian company as an example. 
>  When I joined, that company really fancied permissive licences. 
>  However, it also feared releasing code that its competition would then
> use against it in the market.  The give back clause of the GPL has a
> solid answer to this (your competition has to show you the code they
> would compete with you on),

Here is the core question of consequences for non-compliance again:

What if the competition doesn't want to show the code? Were you able to
advertise a "don't sue" approach to that company?



* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-31  8:37                         ` Greg KH
@ 2016-08-31 18:53                           ` Luis R. Rodriguez
  0 siblings, 0 replies; 173+ messages in thread
From: Luis R. Rodriguez @ 2016-08-31 18:53 UTC (permalink / raw)
  To: Greg KH; +Cc: ksummit-discuss, James Bottomley, Bradley M. Kuhn, Linus Torvalds

On Wed, Aug 31, 2016 at 10:37:45AM +0200, Greg KH wrote:
> On Tue, Aug 30, 2016 at 09:17:31PM +0200, Luis R. Rodriguez wrote:
> > On Tue, Aug 30, 2016 at 08:15:28PM +0200, Greg KH wrote:
> > > <fixing Jeremy's email address, Luis, your email client broke it...>
> > 
> > Stupid mutt, sorry!
> > 
> > > On Tue, Aug 30, 2016 at 07:20:33PM +0200, Luis R. Rodriguez wrote:
> > > > On Tue, Aug 30, 2016 at 06:45:40PM +0200, Greg KH wrote:
> > > > > That brings up a question, who exactly is the SFC representing here?
> > > > 
> > > > I've come out:
> > > > 
> > > > http://www.do-not-panic.com/2016/02/im-part-of-conservancys-gpl-compliance.html
> > > > 
> > > > Others have as well. We don't force people to come out though obviously, so it's
> > > > optional. Some folks would prefer their association to remain private. That's
> > > > a right they should have.
> > > 
> > > It's something you would "lose" if you actually file for something.
> > > And for the SFC to approach a company with a vague "we have random
> > > copyrights, give us the code!" that message is horrid!
> > 
> > Growing pains.
> 
> Huh?  What do you mean by this, the SFC has been working on doing this
> for _years_.  They have been doing this for other projects for probably
> over a decade now.  You don't start approaching companies and then go
> "oops, sorry, still learning how to do this, never mind!"  You also don't
> go around in public saying crap like "corporations are evil!" and then
> show up on a company's doorstep saying "just kidding, please work with
> us, we are friendly, trust us."
> 
> It's as if you went and hired the law firm of Dewey, Cheetham & Howe,
> and expected that they _not_ do what they had been doing for years and
> years before that, just because you were now their client.
> 
> That's NOT how you pick someone to be your representative.  It looks
> badly on you, and of course it looks horrid on the community you are a
> part of.
> 
> Again, as Linus said, appearances matter.  And you can't just blow off
> public statements with the "but I said it from my personal, not my
> corporation which I founded, email account."

Let's not get into crazy details here...

There's tons of things folks say or do publicly which make companies cringe,
even our best of maintainers have quite a lot of pictures on the Internet giving the
middle finger to them...

At one point I considered giving up on Linux kernel development because of the
actions of *one* developer. But I did not. I decided these are growing pains
and I really feel we can overcome these stupid qualms.

So yes, tact. I am saying we learn from these mistakes and move on.

That is what I meant by growing pains.

> As IBM drilled into me many many times when I worked for them, employees
> of a corporation reflect directly on how the corporation is viewed by
> others, no matter if you are the president, or an engineer, when you are
> in public.  I think there are even some legal rules about that somewhere
> as well...

Makes sense.

> > > Again, the SFC puts the GPL before Linux,
> > 
> > That's news to me. I think everyone on the alliance would have a fit if
> > this were true. So please stop equating Bradley's own sentiments to that
> > of the alliance's. If that's the message folks get then we need to correct
> > this.
> 
> WHAT???
> 
> Bradley has said this to me, and many others, directly!  He founded the
> SFC and is responsible for setting the direction of it and picking and
> choosing what it will do, as well as deciding who will help him run it.
> To ignore his public, and private, statements about something like this
> is folly.
> 
> If you want legal representation for kernel license issues, great, but
> pick someone that doesn't go around publicly saying crap like this, as
> again, it reflects directly on you!

Since we have a group of like minded folks who care about freedom, given no
other alternative existed -- I preferred to join and ask them to tone it down
if I saw it fit.

> Luis, I trust you when you say you want Linux to succeed, as it's backed
> up by years and years of your hard work and dedication and public
> statements.  But I don't trust your representative, as he has explicitly
> stated that he doesn't care.  That's what started this whole long
> email-thread-from-hell, his statement that we have to "enforce in the
> courts or give up on the GPL."  That's toxic to Linux as both me and
> Linus have pointed out.

I *completely* understand the concern, and I choose to join to help ensure
that no lunacy is done in the name of kernel developers. Although I already
trusted the kernel developers that were part of the alliance, I sympathized
with other developers and users who were having issues getting source code
to products they purchase. I decided it is best to join and voice in my
best capacity what I believe is rational for our community.

> People will tell you who they are if you listen to them.  Please listen.

Sure thing.

> I suggest you get a different representative, there are many out there
> that I know of that do care about the future of Linux, and have backed
> that up with years of work toward that goal.  I encourage you work with
> them instead, as it seems that your representative doesn't seem to share
> the same feelings about the future of _your_ project as you do.

Thanks, so far Conservancy has been *extremely* keen on ensuring they listen to
the developers that are part of the alliance so I trust them with what they are
doing. I wish I could tell you to what extent Conservancy is serious about
this... but then I'd break confidentiality :) If you trust me -- then please
trust that they listen and work with our expressed interests and goals.

If they don't -- I'll ask you then for alternative representatives that are out
there which might also care not only for Linux but also for both the developer
and user freedoms that come with Linux.

  Luis


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-31  2:58                         ` Theodore Ts'o
@ 2016-08-31 18:51                           ` Luis R. Rodriguez
  0 siblings, 0 replies; 173+ messages in thread
From: Luis R. Rodriguez @ 2016-08-31 18:51 UTC (permalink / raw)
  To: Theodore Ts'o
  Cc: ksummit-discuss, James Bottomley, Bradley M. Kuhn, Linus Torvalds

On Tue, Aug 30, 2016 at 10:58:57PM -0400, Theodore Ts'o wrote:
> On Tue, Aug 30, 2016 at 09:17:31PM +0200, Luis R. Rodriguez wrote:
> > > Again, the SFC puts the GPL before Linux,
> > 
> > That's news to me. I think everyone on the alliance would have a fit if
> > this were true. So please stop equating Bradley's own sentiments to that
> > of the alliance's. If that's the message folks get then we need to correct
> > this.
> 
> Given that the alliance's membership is secret, we only have your word
> on it. 

It's optionally secret so developers' privacy can be respected, which means
some folks are willing to say publicly they are part of it and some are not.
Why would someone not want to come out? Well, why would they with such
hostility going around? First one needs to understand why the hostility is
there and now it seems some clarity is coming up. Is it because companies who
use Linux don't want to give developers and users their freedoms, or because of
tact? It sounds like it's the tact. Can you confirm if that is correct?

I came out before these clarifications given I have an employer who has built
into their DNA FOSS and understands these issues are part of our DNA to resolve
and they have the patience to deal with this. It is critical to both understand
these issues and resolve them in an amicable way, with the community and
developers, as transparently as possible. A concern others face is the chance of
being put on a sort of a persona non grata list for employers. Does such a list
exist? I don't know, but such concerns exist. If you have kids to maintain the
pressure is even harder. I personally have the luxury to not be concerned over
this since I have a supportive employer and do not have children -- nor plan
on having any ;) Not only that, if my employer were to start doing crazy things
I'm assured I would not be the only one to step out, and worst come to worst, I
could just go and hack on Linux from a beach in Costa Rica. That's not a bad
thing. I know of some retired developers who go around travelling and
contributing when they can to Linux on 802.11 :D There's not many folks in
similar situations though, and you cannot rationally expect someone to
compromise on this.

If the concerns are not clear for some folks to come out -- please let me know.

> And the governance mechanisms of the alliance have also not
> been spelled out publicly.  Do you guys vote?

Like I said before -- no, because we so far have pretty much had
consensus. We should probably consider voting if such consensus were
not happening. It's something to discuss in the coalition.

> Is it weighted based
> on the amount of code someone brings to the "alliance"?  Or is it just
> one head, one vote?  So if someone with a large amount of code where
> they own the copyright comes to the project, and Bradley then uses
> this fact to browbeat a vendor, and that person says, woah, that
> doesn't seem right?  Do they get one vote, or something proportional
> to what they bring to the table? 

We have not had to deal with this issue or concern, we so far have had
consensus. If the issue comes up then we should talk about it in the
coalition, among developers.

> Sure, they can withdraw from the
> alliance, so there is _some_ recourse after you've signed on the
> dotted lines, but only after 30 days, and a lot of threats could be
> issued in their name in 30 days...

It sounds like these are terms you can discuss with Conservancy and see
if it's possible to address them. After all -- these are the sorts of
things I would have expected from you know, a Q&A which you could get
immediate feedback from Karen from.

> It doesn't help the SFC that there's no transparency in its actions.

What type of transparency would you like?

> A similar dynamic is at work when the FBI issues national security
> letters with gag orders attached.

Seriously Ted... you are comparing FBI gag orders with Conservancy's
coalition. Because unless my eyes need LASIK again -- which maybe they
do -- this just happened. Let us recall Karen was the one who brought
up in the list the idea of *flying out* to KS and let developers, you
know, ask questions. Does the FBI do this sort of crap? Hell no!

> So some kind of regular
> transparency report where companies have been contacted by the SFC are
> described in some general way ("a handset vendor", "a consumer
> electronics product"), the nature of the violation ("lack of
> apparently otherwise unmodified source code available on the vendor's
> FTP site", "apparent mixing of GPL code with some incompatible open
> source license", "out-and-out blatant misuse of Linux code in a
> completely unrelated commercial virtualization product," etc.) and the
> steps taken (friendly contact, lawsuit threatened, lawsuit filed,
> etc.) might be helpful in the long run.

I am not sure, this seems like it might break confidentiality for companies...
but IANAL, so if we had a Q&A perhaps you could have gotten a direct answer,
maybe ask Karen in person next time you see her!

> > It's sad that misrepresented statements are why you have given up, instead of
> > talking to members of the alliance and what we do, and more importantly how
> > consensus is reached.
> 
> So I don't believe they are misrepresented, because #1, a few years
> ago, in a hallway discussion, I've asked Bradley point blank whether
> the GPL or the long-term health of Linux development was more
> important to him, and he very candidly said "the GPL".  Props for him
> not dissembling, but this was not a case of my not understanding what
> he said.

My point was to disregard Bradley as what matters here for Linux is
what Linux developers part of the alliance care for and what you need
to do is talk to those involved. The Q&A would have been a perfect
opportunity you know...

I can only speak for myself so I'll say how I feel.

I care deeply over the long term development and health of the entire Linux
ecosystem, and above and beyond all things in the ecosystem I care mostly and
deeply about Linux. Since Linux is GPL I've been an advocate for it, since I
also care about the license it uses, because it gives both developers and users
certain rights that I think are bad ass. So when it comes to "long-term health
of Linux development" -- this is subjective if we do not take into
consideration both the practical gains over open collaborative development and
the *freedoms* that come with Linux that we grant to both our developers and
users. So if you'd like we can get into specifics here. Please let me know if
you have any particular questions.

I encourage you to ask others involved similar questions.

> More importantly, #2, if you look at the 2016 linux.conf.au talk, it
> was quite unambiguous.  Trying to claim that there was
> misunderstanding or misrepresentation going on is roughly the same as
> Trump surrogates trying to claim that Donald Trump's very clear
> statements on Mexicans was all a misunderstanding pushed by the
> mainstream media.  But hey, don't take my word for it; listen to the
> talks for yourself and judge for yourself.

Yeah often, but not always, what Bradley says makes me cringe, so I joined
Conservancy to ensure I can voice my concerns and express exactly what I think
to him and all other developers.

> Maybe it was all rhetoric for fundraising purposes, and wasn't
> actually meant "for real" (just as the claims that Trump's words about
> immigration was just to appeal to the Republican base, but it wasn't
> what he _really_ believes and he _really_ isn't a racist in his heart
> of hearts) --- but to the extent that Bradley is the face of "The
> Alliance" when he goes and pays visit to companies, the fact that he
> was making these statements just a few months ago doesn't help "The
> Alliance" and it certainly doesn't help Linux since it sows FUD to the
> companies who could just as easily decide to use a commercial OS like
> QNX, or another Open Source OS such as FreeBSD instead.

Agreed.

> (Never think you are irreplaceable; you aren't.  This is true just as
> much for programmers and employees, as it is for operating systems.)

Agreed.

  Luis


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-30 19:44                 ` Arnd Bergmann
  2016-08-31  8:24                   ` Geert Uytterhoeven
@ 2016-08-31  9:28                   ` Maxime Ripard
  1 sibling, 0 replies; 173+ messages in thread
From: Maxime Ripard @ 2016-08-31  9:28 UTC (permalink / raw)
  To: Arnd Bergmann; +Cc: Bradley M. Kuhn, Linus Torvalds, ksummit-discuss

On Tue, Aug 30, 2016 at 09:44:40PM +0200, Arnd Bergmann wrote:
> On Tuesday 30 August 2016, Guenter Roeck wrote:
> > On Tue, Aug 30, 2016 at 05:33:36PM +0200, Arnd Bergmann wrote:
> > > 
> > > > Anyway, like I was saying, no one from Linaro ever contributed
> > > > something meaningful (except some cross-tree patches, and the usual
> > > > "maintenance" patches).
> > > 
> > > I'm not surprised at all. Most of the kernel work we do in
> > > Linaro is intentionally cross-platform (so it benefits all members
> > > equally), or it is done on those platforms that the members decide
> > > are important upstream.
> > > 
> > One may wonder how your Linux kernel patches and merges are classified
> > per the above.
> >
> > Thank you for all your work in the Linux kernel. It is anything but
> > meaningless, and it obviously goes far beyond "some cross-tree patches,
> > and the usual maintenance patches".
> 
> I'm sure Maxime was specifically referring to mach-sunxi specific code
> here, but it's clear how that could be interpreted differently, or
> taken out of context.

Yeah, sorry, I wasn't trying to reduce or deny the huge amount of work
Linaro is doing on the whole kernel.

My point was just that, on the Allwinner specific code, all the work
done was on code that was already there, not on any new code.

Which doesn't prevent us from using a lot of Linaro code everywhere.

Maxime

-- 
Maxime Ripard, Free Electrons
Embedded Linux and Kernel engineering
http://free-electrons.com


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-30 19:17                       ` Luis R. Rodriguez
  2016-08-31  2:58                         ` Theodore Ts'o
@ 2016-08-31  8:37                         ` Greg KH
  2016-08-31 18:53                           ` Luis R. Rodriguez
  1 sibling, 1 reply; 173+ messages in thread
From: Greg KH @ 2016-08-31  8:37 UTC (permalink / raw)
  To: Luis R. Rodriguez
  Cc: James Bottomley, Bradley M. Kuhn, Linus Torvalds, ksummit-discuss

On Tue, Aug 30, 2016 at 09:17:31PM +0200, Luis R. Rodriguez wrote:
> On Tue, Aug 30, 2016 at 08:15:28PM +0200, Greg KH wrote:
> > <fixing Jeremy's email address, Luis, your email client broke it...>
> 
> Stupid mutt, sorry!
> 
> > On Tue, Aug 30, 2016 at 07:20:33PM +0200, Luis R. Rodriguez wrote:
> > > On Tue, Aug 30, 2016 at 06:45:40PM +0200, Greg KH wrote:
> > > > That brings up a question, who exactly is the SFC representing here?
> > > 
> > > I've come out:
> > > 
> > > http://www.do-not-panic.com/2016/02/im-part-of-conservancys-gpl-compliance.html
> > > 
> > > Others have as well. We don't force people to come out though obviously, so it's
> > > optional. Some folks would prefer their association to remain private. That's
> > > a right they should have.
> > 
> > It's something you would "lose" if you actually file for something.
> > And for the SFC to approach a company with a vague "we have random
> > copyrights, give us the code!" that message is horrid!
> 
> Growing pains.

Huh?  What do you mean by this, the SFC has been working on doing this
for _years_.  They have been doing this for other projects for probably
over a decade now.  You don't start approaching companies and then go
"oops, sorry, still learning how to do this, never mind!"  You also don't
go around in public saying crap like "corporations are evil!" and then
show up on a company's doorstep saying "just kidding, please work with
us, we are friendly, trust us."

It's as if you went and hired the law firm of Dewey, Cheetham & Howe,
and expected that they _not_ do what they had been doing for years and
years before that, just because you were now their client.

That's NOT how you pick someone to be your representative.  It looks
badly on you, and of course it looks horrid on the community you are a
part of.

Again, as Linus said, appearances matter.  And you can't just blow off
public statements with the "but I said it from my personal, not my
corporation which I founded, email account."

As IBM drilled into me many many times when I worked for them, employees
of a corporation reflect directly on how the corporation is viewed by
others, no matter if you are the president, or an engineer, when you are
in public.  I think there are even some legal rules about that somewhere
as well...

> > Again, the SFC puts the GPL before Linux,
> 
> That's news to me. I think everyone on the alliance would have a fit if
> this were true. So please stop equating Bradley's own sentiments to that
> of the alliance's. If that's the message folks get then we need to correct
> this.

WHAT???

Bradley has said this to me, and many others, directly!  He founded the
SFC and is responsible for setting the direction of it and picking and
choosing what it will do, as well as deciding who will help him run it.
To ignore his public, and private, statements about something like this
is folly.

If you want legal representation for kernel license issues, great, but
pick someone that doesn't go around publicly saying crap like this, as
again, it reflects directly on you!

Luis, I trust you when you say you want Linux to succeed, as it's backed
up by years and years of your hard work and dedication and public
statements.  But I don't trust your representative, as he has explicitly
stated that he doesn't care.  That's what started this whole long
email-thread-from-hell, his statement that we have to "enforce in the
courts or give up on the GPL."  That's toxic to Linux as both me and
Linus have pointed out.

People will tell you who they are if you listen to them.  Please listen.

I suggest you get a different representative, there are many out there
that I know of that do care about the future of Linux, and have backed
that up with years of work toward that goal.  I encourage you work with
them instead, as it seems that your representative doesn't seem to share
the same feelings about the future of _your_ project as you do.

thanks,

greg k-h


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-30 19:44                 ` Arnd Bergmann
@ 2016-08-31  8:24                   ` Geert Uytterhoeven
  2016-08-31  9:28                   ` Maxime Ripard
  1 sibling, 0 replies; 173+ messages in thread
From: Geert Uytterhoeven @ 2016-08-31  8:24 UTC (permalink / raw)
  To: Arnd Bergmann; +Cc: Bradley M. Kuhn, Linus Torvalds, ksummit-discuss

Hi Arnd,

On Tue, Aug 30, 2016 at 9:44 PM, Arnd Bergmann <arnd@arndb.de> wrote:
> However, Linaro also has a number of subsystem maintainers and most of
> the sunxi specific drivers were reviewed and/or merged by someone
> in Linaro who is doing that work for all ARM platforms, whether they

I think "ARM" shouldn't be part of this sentence (e.g. for SPI).

> are made by Linaro member companies or not.

Yep. That's assumed by wearing a Linux MAINTAINERS hat...

Gr{oetje,eeting}s,

                        Geert

--
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@linux-m68k.org

In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
                                -- Linus Torvalds


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-30 19:17                       ` Luis R. Rodriguez
@ 2016-08-31  2:58                         ` Theodore Ts'o
  2016-08-31 18:51                           ` Luis R. Rodriguez
  2016-08-31  8:37                         ` Greg KH
  1 sibling, 1 reply; 173+ messages in thread
From: Theodore Ts'o @ 2016-08-31  2:58 UTC (permalink / raw)
  To: Luis R. Rodriguez
  Cc: ksummit-discuss, James Bottomley, Bradley M. Kuhn, Linus Torvalds

On Tue, Aug 30, 2016 at 09:17:31PM +0200, Luis R. Rodriguez wrote:
> > Again, the SFC puts the GPL before Linux,
> 
> That's news to me. I think everyone on the alliance would have a fit if
> this were true. So please stop equating Bradley's own sentiments to that
> of the alliance's. If that's the message folks get then we need to correct
> this.

Given that the alliance's membership is secret, we only have your word
on it.  And the governance mechanisms of the alliance have also not
been spelled out publicly.  Do you guys vote?  Is it weighted based
on the amount of code someone brings to the "alliance"?  Or is it just
one head, one vote?  So if someone with a large amount of code where
they own the copyright comes to the project, and Bradley then uses
this fact to browbeat a vendor, and that person says, woah, that
doesn't seem right?  Do they get one vote, or something proportional
to what they bring to the table?  Sure, they can withdraw from the
alliance, so there is _some_ recourse after you've signed on the
dotted lines, but only after 30 days, and a lot of threats could be
issued in their name in 30 days...

It doesn't help the SFC that there's no transparency in its actions.
A similar dynamic is at work when the FBI issues national security
letters with gag orders attached.  So some kind of regular
transparency report where companies have been contacted by the SFC are
described in some general way ("a handset vendor", "a consumer
electronics product"), the nature of the violation ("lack of
apparently otherwise unmodified source code available on the vendor's
FTP site", "apparent mixing of GPL code with some incompatible open
source license", "out-and-out blatant misuse of Linux code in a
completely unrelated commercial virtualization product," etc.) and the
steps taken (friendly contact, lawsuit threatened, lawsuit filed,
etc.) might be helpful in the long run.

> It's sad that misrepresented statements are why you have given up, instead of
> talking to members of the alliance and what we do, and more importantly the how
> consensus is reached.

So I don't believe they are misrepresented, because #1, a few years
ago, in a hallway discussion, I've asked Bradley point blank whether
the GPL or the long-term health of Linux development was more
important to him, and he very candidly said "the GPL".  Props for him
not dissembling, but this was not a case of my not understanding what
he said.

More importantly, #2, if you look at the 2016 linux.conf.au talk, it
was quite unambiguous.  Trying to claim that there was
misunderstanding or misrepresentation going on is roughly the same as
Trump surrogates trying to claim that Donald Trump's very clear
statements on Mexicans was all a misunderstanding pushed by the
mainstream media.  But hey, don't take my word for it; listen to the
talks for yourself and judge for yourself.

Maybe all the rhetoric was for fundraising purposes, and wasn't
actually meant "for real" (just as the claims that Trump's words about
immigration were just to appeal to the Republican base, but it wasn't
what he _really_ believes and he _really_ isn't a racist in his heart
of hearts) --- but to the extent that Bradley is the face of "The
Alliance" when he goes and pays visit to companies, the fact that he
was making these statements just a few months ago doesn't help "The
Alliance" and it certainly doesn't help Linux since it sows FUD to the
companies who could just as easily decide to use a commercial OS like
QNX, or another Open Source OS such as FreeBSD instead.

(Never think you are irreplaceable; you aren't.  This is true just as
much for programmers and employees, as it is for operating systems.)

                                        - Ted


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-30 18:15                     ` Greg KH
  2016-08-30 19:17                       ` Luis R. Rodriguez
@ 2016-08-30 23:19                       ` Luis R. Rodriguez
  1 sibling, 0 replies; 173+ messages in thread
From: Luis R. Rodriguez @ 2016-08-30 23:19 UTC (permalink / raw)
  To: Greg KH; +Cc: ksummit-discuss, James Bottomley, Bradley M. Kuhn, Linus Torvalds

On Tue, Aug 30, 2016 at 08:15:28PM +0200, Greg KH wrote:
> Why would you ever give the power that you have, and have
> created, away to others that might not have your project's best interest
> in mind?

Oh and just wanted to confirm, as with Jeremy, I have not given any power up, I
hold copyrights, I never signed copyrights away to Conservancy, I joined the
alliance and voice my opinion to make sure to help voice my opinion in not only
the last resort topics, but also even voice how things might work better for
things currently up in the air. Case in point the ZFS crap, the permissive
license actually makes sense there [0].

So yet -- more permissive license "agenda" and this coming from SFC! -- jeesh,
how copyleft crazy this is, isn't it? These SFC permissive license zealots are
just nuts. Crazy I tell you...

So -- if you'd like to voice your opinion and give the conservancy a shot,
please note you do not have to sign away copyrights to Conservancy -- so you
can join, see we're civil and reach consensus amicably through the list and use fair
judgement. Please consider joining the alliance if you want to voice your opinion.

And -- you can always leave, you know -- if it turns out we're bat shit crazy.

[0] http://www.do-not-panic.com/2016/02/zfs-linux-and-illumos-and-isc-license.html

  Luis


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-30 16:04               ` Guenter Roeck
@ 2016-08-30 19:44                 ` Arnd Bergmann
  2016-08-31  8:24                   ` Geert Uytterhoeven
  2016-08-31  9:28                   ` Maxime Ripard
  0 siblings, 2 replies; 173+ messages in thread
From: Arnd Bergmann @ 2016-08-30 19:44 UTC (permalink / raw)
  To: Guenter Roeck; +Cc: Bradley M. Kuhn, Linus Torvalds, ksummit-discuss

On Tuesday 30 August 2016, Guenter Roeck wrote:
> On Tue, Aug 30, 2016 at 05:33:36PM +0200, Arnd Bergmann wrote:
> > 
> > > Anyway, like I was saying, no one from Linaro ever contributed
> > > something meaningful (except some cross-tree patches, and the usual
> > > "maintenance" patches).
> > 
> > I'm not surprised at all. Most of the kernel work we do in
> > Linaro is intentionally cross-platform (so it benefits all members
> > equally), or it is done on those platforms that the members decide
> > are important upstream.
> > 
> One may wonder how your Linux kernel patches and merges are classified
> per the above.
>
> Thank you for all your work in the Linux kernel. It is anything but
> meaningless, and it obviously goes far beyond "some cross-tree patches,
> and the usual maintenance patches".

I'm sure Maxime was specifically referring to mach-sunxi specific code
here, but it's clear how that could be interpreted differently, or
taken out of context.

Looking at the commits in mach-sunxi from all Linaro developers,
his categorization is completely right:

$ git log --oneline --no-merges --author=linaro --author=arnd --author=robh torvalds/master arch/arm/mach-sunxi/
5c34a4e89c74 ARM: do away with ARCH_[WANT_OPTIONAL|REQUIRE]_GPIOLIB
117d4f59affa cpufreq: sunxi: Use generic platdev driver
e58cf0193c0f ARM: sunxi: allow building without reset controller
1146b600044d ARM: sunxi: fix build for THUMB2_KERNEL
90bc8ac77dc8 ARM: select HAVE_SMP for V7 multi-platform
ddb902cc3459 ARM: centralize common multi-platform kconfig options

However, Linaro also has a number of subsystem maintainers and most of
the sunxi specific drivers were reviewed and/or merged by someone
in Linaro who is doing that work for all ARM platforms, whether they
are made by Linaro member companies or not.

	Arnd


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-30 18:25             ` James Bottomley
@ 2016-08-30 19:31               ` Luis R. Rodriguez
  0 siblings, 0 replies; 173+ messages in thread
From: Luis R. Rodriguez @ 2016-08-30 19:31 UTC (permalink / raw)
  To: James Bottomley; +Cc: Bradley M. Kuhn, Linus Torvalds, ksummit-discuss

On Tue, Aug 30, 2016 at 11:25:38AM -0700, James Bottomley wrote:
> On Tue, 2016-08-30 at 11:00 -0700, Luis R. Rodriguez wrote:
> > On Mon, Aug 29, 2016 at 12:04 PM, James Bottomley
> > <James.Bottomley@hansenpartnership.com> wrote:
> > > As a side note: if you own a project you want to open source, 
> > > Apache-2 ends up being practically the worst licence imaginable: 
> > > not only can your competitors make proprietary modified copies of 
> > > your code they don't have to show you, but they also gain rights to 
> > > your patents with which to do it.
> > 
> > I disagree. The benefit that Apache 2 provides not that you hold
> > patents per se, but rather if you want to contribute to the ecosystem
> > you have to also contribute to the patent pool. In today's mobile
> > market place the Apache 2 license seems like a rather *genius* move
> > IMHO for the cases where otherwise you do not care for the gains of
> > copyleft. What I'm trying to say is -- in my experience Android folks
> > barely cared about contributing upstream, it always was an uphill
> > battle. Patents however were a serious problem in every possible
> > little corner in the ecosystem. If a lot of new companies are using
> > permissive licenses for Linux, and you don't care over the copyleft
> > gains the Apache 2 license seems to give you a better edge.
> 
> Basically, no, you've weakened your own patent shield: we keep OIN
> around for defensive measures around the ecosystem.

The value of OIN is only sensible if it has something *you want*. Otherwise it's
pointless, provided you have other grounds to cover your other interests. If
you're already a member and OIN doesn't have what you need you are shit out
of luck.

>  Imagine an OIN
> member wishing to defend linux gives OIN access to a set of patents
> which also read on an open project it contributes to under apache-2. 
>  Let's assume these patents are also practised by an evil proprietary
> company that attacks Linux.  OIN defends on the basis of infringing
> these patents but the evil proprietary company claims that it, in fact,
> incorporated code from the open project into its proprietary one and
> thus with the code came the licence to the patents.  End of defence

Understood, however I don't think that's the strategy behind the choice
of the license.

> OIN fortunately does have a stock of patents it owns outright as well
> as cross licences, so the shield doesn't die entirely, but it may lose
> a valuable weapon at the time it's most needed.

Sure, but if OIN *does not* have the patents you really care for, who
cares.

> The problem here is limiting the IP leak.  GPLv2 is easy because the
> patent licence is implied.  GPLv3 works because the patent licence is
> explicit but bounded by the recipient's willingness to release their
> code.  Apache-2 is basically unbounded and this is the problem that has
> a wide range of unintended consequences.

If you are simply leveling the playing field and the bait is contribution, then
what really matters is producing an ecosystem you want people to contribute to.

It's a nice alternative to have. In fact, you can take both approaches.

  Luis


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-30 18:15                     ` Greg KH
@ 2016-08-30 19:17                       ` Luis R. Rodriguez
  2016-08-31  2:58                         ` Theodore Ts'o
  2016-08-31  8:37                         ` Greg KH
  2016-08-30 23:19                       ` Luis R. Rodriguez
  1 sibling, 2 replies; 173+ messages in thread
From: Luis R. Rodriguez @ 2016-08-30 19:17 UTC (permalink / raw)
  To: Greg KH, jra
  Cc: James Bottomley, Bradley M. Kuhn, Linus Torvalds, ksummit-discuss

On Tue, Aug 30, 2016 at 08:15:28PM +0200, Greg KH wrote:
> <fixing Jeremy's email address, Luis, your email client broke it...>

Stupid mutt, sorry!

> On Tue, Aug 30, 2016 at 07:20:33PM +0200, Luis R. Rodriguez wrote:
> > On Tue, Aug 30, 2016 at 06:45:40PM +0200, Greg KH wrote:
> > > That brings up a question, who exactly is the SFC representing here?
> > 
> > I've come out:
> > 
> > http://www.do-not-panic.com/2016/02/im-part-of-conservancys-gpl-compliance.html
> > 
> > Others have as well. We don't force people to come out though obviously, so it's
> > optional. Some folks would prefer their association to remain private. That's
> > a right they should have.
> 
> It's something you would "lose" if you actually file for something.
> And for the SFC to approach a company with a vague "we have random
> copyrights, give us the code!" that message is horrid!

Growing pains.

> Go back and read my long email about what happens at a company when they
> are approached by a "representative", and not a developer.  Especially
> one that makes lots and lots and lots of public statements about how
> companies are evil, how Linux is the GPL's ultimate test case, how they
> want to use the courts to clarify the GPL's "grey areas".  All of these
> have been stated numerous times by the leadership of the SFC as recently
> as a few months ago.

I've known Bradley since I was an eager beaver Linux college contributor, and I
agree that clearly his background and statements can only send chills to
certain companies. But he's also known me, so, I try to do what I can to influence
him as well with regards to how we work best upstream, and I'm pretty sure he
has always appreciated this effort. He's also learned from others and he
listens. In fact, it is his job to listen.

He recently noted he's to be held accountable to that.

I will note that despite what he says, when it comes to the kernel actions
actually speak more loudly towards advocating permissive licenses than the GPL.
In fact he has a Sign-off-by on a driver upstream and that's all ISC licensed.
As much as I'm sure it burned his copyleft heart, we did this to help the BSD
community as that is what we needed to do. In fact we have this effort to blame
for the slew of new permissive licensed practices by a slew of other vendors
after that.

> Again, that is NOT how to create and sustain a community.  That's how
> you set fire to it and watch it burn.  It happened to Busybox and I
> don't want it to happen here to Linux.

Understood.

> > What do you think? Did it ever cross your mind to consider joining ?
> 
> Sure, many years ago.  And I'm glad I never signed the document that
> Bradley gave me many years ago at LinuxCon as it would have been a bad
> idea (not to mention that people giving developers random legal
> documents to sign at a conference really isn't a wise thing on either
> parties involved...)  As I mentioned my discussion with Bradley last
> year, at LinuxCon, I did not want him to continue to do this as it is
> not how you create a community.
> 
> Again, the SFC puts the GPL before Linux,

That's news to me. I think everyone on the alliance would have a fit if
this were true. So please stop equating Bradley's own sentiments to that
of the alliance's. If that's the message folks get then we need to correct
this.

> and is willing to do things to
> make Linux fail if it somehow finally answers their unresolved questions
> about the GPL[1].

We won't allow for that. It is stupid. It should be clear by now the issue
has been a proper due process for issues that are long standing and not
resolved, last resort issues.

> For a group of people who had nothing to do with Linux at all in the
> first place, this seems like a very dangerous thing to let them do to
> you, or anyone else who has signed up for this.  This is _our_ project,
> not theirs.  Why would you ever give the power that you have, and have
> created, away to others that might not have your project's best interest
> in mind?

You are making an assumption as to what SFC does on behalf of kernel developers,
and that we do not discuss things carefully. Obviously that is incorrect.

> Remember, they approached all of us, shopping around the fact that they
> knew of companies that were violating, showing us printouts of files
> that were in the information they had received from their Busybox work
> at vmware.  They were digging and asking and wanting to bring this type
> of lawsuit forward, it was not brought by us, the developers.  Bradley
> has always been very upfront about this, I'll give him credit for that.

Busybox is another one of their members. He has *listened* to their request
to try to request more folks involved. It makes sense to dismiss cases
where no harm is done or no due process is followed, but if the violation
is legit and due process is being followed, it is worth *considering*. Do
you not think ?

> Go and watch their talks!  Like Linus, I spent all weekend, reading and
> watching their talks.  It's actually worse than I thought.  I have notes
> somewhere around here when I was going to try to point them all out, but
> I gave up after a while as it was just crazy...

Growing pains. Remember it's their job to listen to alliance members. So
I voice these concerns ;)

> I can dig them up if you really want, but I suggest you go do it
> yourself, it's more powerful that way :)

No, I understand. Let me be clear that there is a disconnect between
philosophy, engineering and finance. Throw law in the mix and you have
a good Mexican Mole sauce. The evolution is painfully slow. As Conservancy
gains kernel developers they educate Conservancy on matters and tact for
*our* community, just as I'm sure other members (hey git is one) do for
their community.

In lack of a better due process, which seems rather implicit and it seems only
work for a few, some folks resort to alternatives. If you ask me -- the Principles
are a huge win over anything close to represent due process in a responsible
way than for instance what seems to have been Patrick's approach. Asking for
more feedback openly is another good step. But joining and actively voicing
your opinion however is the best strategy, provided of course your concerns
are addressed.

> > > What developers have signed over copyrights to the SFC?  Was this done
> > > in a "permanent" way?  "revoking" copyright assignment isn't exactly a
> > > simple thing to do, last I checked, so is this really true?
> > 
> > If this is a concern, perhaps its something SFC can address. Also, would
> > you like a way to participate without signing off copyrights to SFC ? If so
> > that sounds like a type of discussion we could start.
> 
> How can you participate in something that you are not a part of, and
> right now, really really want nothing at all to do with?
> 
> I'm really sick after watching all of this, and honestly, want nothing
> to do with the SFC anymore at all.  My employment contract at the LF
> says that I can't tell them what to do, and they can't tell me what to
> do either, but I'm going to go recommend to them that they not donate
> any more money to the SFC as I really think they are toxic to the future
> of Linux, which is the exact opposite of the LF's charter.

You've made up your mind, and I understand. I'm however in hope other
developers who do know folks who are part of the alliance can talk
and decide based on these conversations. SFC is simply there to listen
to us.

It's sad that misrepresented statements are why you have given up, instead of
talking to members of the alliance and what we do, and more importantly the how
consensus is reached.

On the other hand I donate and I joined and I voice my opinion, strongly.

Also, by not addressing the last resort measure, or trying to correct SFC's
approach, you still leave a gap and I'd hate for more Patrick type of
stupid things to happen.

> Outreachy is a good thing that SFC does though, so I'll still support
> that for now and recommend that the LF funds that portion (if that's
> even possible, I have no idea how the LF donates their funds, or if even
> the SFC accepts earmarked funds).  Perhaps the SFC can focus on doing
> that type of work (outreach and growth, not litigate and destroy).

Outreachy is amazing :D

  Luis


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-30 18:04                     ` Luis R. Rodriguez
@ 2016-08-30 18:36                       ` Josh Triplett
  0 siblings, 0 replies; 173+ messages in thread
From: Josh Triplett @ 2016-08-30 18:36 UTC (permalink / raw)
  To: Luis R. Rodriguez
  Cc: James Bottomley, Bradley M. Kuhn, Linus Torvalds, ksummit-discuss

On Tue, Aug 30, 2016 at 11:04:44AM -0700, Luis R. Rodriguez wrote:
> On Tue, Aug 30, 2016 at 10:38 AM, Mark Brown <broonie@kernel.org> wrote:
> > On Mon, Aug 29, 2016 at 08:26:38AM +0200, Greg KH wrote:
> >> On Sun, Aug 28, 2016 at 02:06:44PM -0000, David Woodhouse wrote:
> >
> >> > Even though I abhor what Patrick McHardy is doing, I still can't quite
> >> > find it in my heart to have *sympathy* for his victims. Because it's not
> >> > as if he's just taking random pot-shots at passers-by on the street. These
> >> > people defended their actions in court, and lost.
> >
> >> No, that's not what Patrick did.  Whenever he actually took something to
> >> court, _he_ lost.  Companies paid him off before then because they were
> >> scared for foolish reasons, or it was honestly just cheaper to do it
> >> than go to court and win.  He took the traditional model of patent troll
> >> to the next level.
> >
> > Please bear in mind that public information on what's going on there is
> > very scarce, I suspect most people have only seen the SFLC statement at:
> 
> SFLC != SFC. It will be hard, but try and look at why we have two orgs
> now. SFLC did do good -- it helped with the upstream openhal efforts
> and ath5k review. But the org that put out the review below and then
> published the Principles is SFC, not SFLC.

If it helps, they tend to go by "Conservancy" or "Software Freedom
Conservancy", rarely "SFC", to avoid acronym confusion.


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-30 18:17                     ` Greg KH
@ 2016-08-30 18:28                       ` Jeremy Allison
  0 siblings, 0 replies; 173+ messages in thread
From: Jeremy Allison @ 2016-08-30 18:28 UTC (permalink / raw)
  To: Greg KH; +Cc: ksummit-discuss, 

On Tue, Aug 30, 2016 at 08:17:46PM +0200, Greg KH wrote:
> On Tue, Aug 30, 2016 at 10:49:24AM -0700, Jeremy Allison wrote:
> > 
> > In Samba for example (which I can talk publicly about),
> > *NO* developers have assigned any copyrights to the SFC,
> > they are merely acting as an enforcement agent authorized
> > to do so on our behalf - by the wishes of the developers.
> 
> I don't understand, what exactly do you mean by "authorized to do so on
> your behalf"?  Are they your project's legal representation?

Yes.

> When the SFC approaches a company that seems to not be abiding by the
> Samba license, who exactly do they say they are and what rights do they
> have to do so?

They are our legal representation, so they act in the same way
any lawyers representing clients do.


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-30 18:00           ` Luis R. Rodriguez
@ 2016-08-30 18:25             ` James Bottomley
  2016-08-30 19:31               ` Luis R. Rodriguez
  0 siblings, 1 reply; 173+ messages in thread
From: James Bottomley @ 2016-08-30 18:25 UTC (permalink / raw)
  To: Luis R. Rodriguez; +Cc: Bradley M. Kuhn, Linus Torvalds, ksummit-discuss

On Tue, 2016-08-30 at 11:00 -0700, Luis R. Rodriguez wrote:
> On Mon, Aug 29, 2016 at 12:04 PM, James Bottomley
> <James.Bottomley@hansenpartnership.com> wrote:
> > As a side note: if you own a project you want to open source, 
> > Apache-2 ends up being practically the worst licence imaginable: 
> > not only can your competitors make proprietary modified copies of 
> > your code they don't have to show you, but they also gain rights to 
> > your patents with which to do it.
> 
> I disagree. The benefit that Apache 2 provides not that you hold
> patents per se, but rather if you want to contribute to the ecosystem
> you have to also contribute to the patent pool. In today's mobile
> market place the Apache 2 license seems like a rather *genius* move
> IMHO for the cases where otherwise you do not care for the gains of
> copyleft. What I'm trying to say is -- in my experience Android folks
> barely cared about contributing upstream, it always was an uphill
> battle. Patents however were a serious problem in every possible
> little corner in the ecosystem. If a lot of new companies are using
> permissive licenses for Linux, and you don't care over the copyleft
> gains the Apache 2 license seems to give you a better edge.

Basically, no, you've weakened your own patent shield: we keep OIN
around for defensive measures around the ecosystem.  Imagine an OIN
member wishing to defend linux gives OIN access to a set of patents
which also read on an open project it contributes to under apache-2. 
 Let's assume these patents are also practised by an evil proprietary
company that attacks Linux.  OIN defends on the basis of infringing
these patents but the evil proprietary company claims that it, in fact,
incorporated code from the open project into its proprietary one and
thus with the code came the licence to the patents.  End of defence.

OIN fortunately does have a stock of patents it owns outright as well
as cross licences, so the shield doesn't die entirely, but it may lose
a valuable weapon at the time it's most needed.

The problem here is limiting the IP leak.  GPLv2 is easy because the
patent licence is implied.  GPLv3 works because the patent licence is
explicit but bounded by the recipient's willingness to release their
code.  Apache-2 is basically unbounded and this is the problem that has
a wide range of unintended consequences.

James


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-30 17:49                   ` Jeremy Allison
@ 2016-08-30 18:17                     ` Greg KH
  2016-08-30 18:28                       ` Jeremy Allison
  0 siblings, 1 reply; 173+ messages in thread
From: Greg KH @ 2016-08-30 18:17 UTC (permalink / raw)
  To: Jeremy Allison; +Cc: ksummit-discuss, 

On Tue, Aug 30, 2016 at 10:49:24AM -0700, Jeremy Allison wrote:
> On Tue, Aug 30, 2016 at 06:45:40PM +0200, Greg KH wrote:
> > 
> > That brings up a question, who exactly is the SFC representing here?
> > What developers have signed over copyrights to the SFC?  Was this done
> > in a "permanent" way?  "revoking" copyright assignment isn't exactly a
> > simple thing to do, last I checked, so is this really true?
> 
> Ah, this could be a big part of the misapprehensions in this
> thread !
> 
> While it is possible to sign over copyrights to the SFC, this
> is not commonly done by member projects (I think I'm safe in
> saying that). It's also not required to assign copyright in
> order for SFC to represent copyright holders in enforcement
> actions.
> 
> In Samba for example (which I can talk publicly about),
> *NO* developers have assigned any copyrights to the SFC,
> they are merely acting as an enforcement agent authorized
> to do so on our behalf - by the wishes of the developers.

I don't understand, what exactly do you mean by "authorized to do so on
your behalf"?  Are they your project's legal representation?  If you
haven't assigned your copyright to them to enforce, how does this all
work?

When the SFC approaches a company that seems to not be abiding by the
Samba license, who exactly do they say they are and what rights do they
have to do so?

thanks,

greg k-h


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-30 17:20                   ` Luis R. Rodriguez
@ 2016-08-30 18:15                     ` Greg KH
  2016-08-30 19:17                       ` Luis R. Rodriguez
  2016-08-30 23:19                       ` Luis R. Rodriguez
  0 siblings, 2 replies; 173+ messages in thread
From: Greg KH @ 2016-08-30 18:15 UTC (permalink / raw)
  To: Luis R. Rodriguez
  Cc: James Bottomley, Bradley M. Kuhn, Linus Torvalds, ksummit-discuss

<fixing Jeremy's email address, Luis, your email client broke it...>

On Tue, Aug 30, 2016 at 07:20:33PM +0200, Luis R. Rodriguez wrote:
> On Tue, Aug 30, 2016 at 06:45:40PM +0200, Greg KH wrote:
> > On Tue, Aug 30, 2016 at 06:15:57PM +0200, Luis R. Rodriguez wrote:
> > > On Sun, Aug 28, 2016 at 08:55:42AM -0400, Theodore Ts'o wrote:
> > > > On Sat, Aug 27, 2016 at 09:24:54PM -0700, Jeremy Allison via Ksummit-discuss wrote:
> > > > > Your opinion on that is clear and I understand why you hold it.
> > > > > There are many other developers who hold the same opinion, but
> > > > > lots of them work on FreeBSD not Linux.
> > > > > 
> > > > > Respectfully, I don't agree with you. Greg and Ted seem to agree
> > > > > with you, Linus (like me) seems to imagine there can be a case for
> > > > > that shiny red button.
> > > > 
> > > > For the record, I believe there can be a case for the shiny red
> > > > button.  I just want Linus, and not the SFC (or some --- as admitted
> > > > by the SFC --- minority set of developers), to be the one who decides
> > > > when it's appropriate to push it.
> > > > 
> > > > I've said it before, and I've said it again.  For me, this is much
> > > > more about a project governance issue.  We don't let random pissed off
> > > > army officers decide when to start World War III. 
> > > 
> > > If you are trying to equate "random pissed off officers" with those kernel
> > > developers part of the SFC alliance, then I have to say that is perhaps one of
> > > the most stupid misrepresentations of members of SFC that I have heard so far.
> > > Unless of course your statement is educated, you know all members part of SFC
> > > and have asked each one why they joined.
> > 
> > That brings up a question, who exactly is the SFC representing here?
> 
> I've come out:
> 
> http://www.do-not-panic.com/2016/02/im-part-of-conservancys-gpl-compliance.html
> 
> Others have as well. We don't force people to come out though obviously, so it's
> optional. Some folks would prefer their association to remain private. That's
> a right they should have.

It's something you would "lose" if you actually file for something.
And for the SFC to approach a company with a vague "we have random
copyrights, give us the code!" that message is horrid!

Go back and read my long email about what happens at a company when they
are approached by a "representative", and not a developer.  Especially
one that makes lots and lots and lots of public statements about how
companies are evil, how Linux is the GPL's ultimate test case, how they
want to use the courts to clarify the GPL's "grey areas".  All of these
have been stated numerous times by the leadership of the SFC as recently
as a few months ago.

Again, that is NOT how to create and sustain a community.  That's how
you set fire to it and watch it burn.  It happened to Busybox and I
don't want it to happen here to Linux.

> What do you think? Did it ever cross your mind to consider joining ?

Sure, many years ago.  And I'm glad I never signed the document that
Bradley gave me many years ago at LinuxCon as it would have been a bad
idea (not to mention that people giving developers random legal
documents to sign at a conference really isn't a wise thing on either
parties involved...)  As I mentioned my discussion with Bradley last
year, at LinuxCon, I did not want him to continue to do this as it is
not how you create a community.

Again, the SFC puts the GPL before Linux, and is willing to do things to
make Linux fail if it somehow finally answers their unresolved questions
about the GPL[1].

For a group of people who had nothing to do with Linux at all in the
first place, this seems like a very dangerous thing to let them do to
you, or anyone else who has signed up for this.  This is _our_ project,
not theirs.  Why would you ever give the power that you have, and have
created, away to others that might not have your project's best interest
in mind?

Remember, they approached all of us, shopping around the fact that they
knew of companies that were violating, showing us printouts of files
that were in the information they had received from their Busybox work
at vmware.  They were digging and asking and wanting to bring this type
of lawsuit forward, it was not brought by us, the developers.  Bradley
has always been very upfront about this, I'll give him credit for that.

Go and watch their talks!  Like Linus, I spent all weekend, reading and
watching their talks.  It's actually worse than I thought.  I have notes
somewhere around here when I was going to try to point them all out, but
I gave up after a while as it was just crazy...

I can dig them up if you really want, but I suggest you go do it
yourself, it's more powerful that way :)

> > What developers have signed over copyrights to the SFC?  Was this done
> > in a "permanent" way?  "revoking" copyright assignment isn't exactly a
> > simple thing to do, last I checked, so is this really true?
> 
> If this is a concern, perhaps it's something SFC can address. Also, would
> you like a way to participate without signing off copyrights to SFC ? If so
> that sounds like a type of discussion we could start.

How can you participate in something that you are not a part of, and
right now, really really want nothing at all to do with?

I'm really sick after watching all of this, and honestly, want nothing
to do with the SFC anymore at all.  My employment contract at the LF
says that I can't tell them what to do, and they can't tell me what to
do either, but I'm going to go recommend to them that they not donate
any more money to the SFC as I really think they are toxic to the future
of Linux, which is the exact opposite of the LF's charter.

Outreachy is a good thing that SFC does though, so I'll still support
that for now and recommend that the LF funds that portion (if that's
even possible, I have no idea how the LF donates their funds, or if even
the SFC accepts earmarked funds).  Perhaps the SFC can focus on doing
that type of work (outreach and growth, not litigate and destroy).

thanks,

greg k-h

[1] You will note that the FSF and the people who created the GPLv2 are
    not even involved in this!  If anyone actually had any bit of
    standing for issues like this and how it applied to Linux, it might
    be them (and even then, we could argue that they don't matter at
    all, so why would some "random" people who are not developers, and
    don't have anything "invested" in Linux, really care about us at
    all?)


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-30 17:38                   ` Mark Brown
@ 2016-08-30 18:04                     ` Luis R. Rodriguez
  2016-08-30 18:36                       ` Josh Triplett
  0 siblings, 1 reply; 173+ messages in thread
From: Luis R. Rodriguez @ 2016-08-30 18:04 UTC (permalink / raw)
  To: Mark Brown
  Cc: James Bottomley, Bradley M. Kuhn, Linus Torvalds, ksummit-discuss

On Tue, Aug 30, 2016 at 10:38 AM, Mark Brown <broonie@kernel.org> wrote:
> On Mon, Aug 29, 2016 at 08:26:38AM +0200, Greg KH wrote:
>> On Sun, Aug 28, 2016 at 02:06:44PM -0000, David Woodhouse wrote:
>
>> > Even though I abhor what Patrick McHardy is doing, I still can't quite
>> > find it in my heart to have *sympathy* for his victims. Because it's not
>> > as if he's just taking random pot-shots at passers-by on the street. These
>> > people defended their actions in court, and lost.
>
>> No, that's not what Patrick did.  Whenever he actually took something to
>> court, _he_ lost.  Companies paid him off before then because they were
>> scared for foolish reasons, or it was honestly just cheaper to do it
>> than go to court and win.  He took the traditional model of patent troll
>> to the next level.
>
> Please bear in mind that public information on what's going on there is
> very scarce, I suspect most people have only seen the SFLC statement at:

SFLC != SFC. It will be hard, but try and look at why we have two orgs
now. SFLC did do good -- it helped with the upstream openhal efforts
and ath5k review. But the org that put out the review below and then
published the Principles is SFC, not SFLC.

>    https://sfconservancy.org/blog/2016/jul/19/patrick-mchardy-gpl-enforcement/
>
> (it seems from followups that there may be some confusion even in what
> I've quoted above).

Agreed, I think more has been revealed in this thread than in that
article, sadly most information learned so far is through the grape
vine.

 Luis


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-29 19:04         ` James Bottomley
@ 2016-08-30 18:00           ` Luis R. Rodriguez
  2016-08-30 18:25             ` James Bottomley
  0 siblings, 1 reply; 173+ messages in thread
From: Luis R. Rodriguez @ 2016-08-30 18:00 UTC (permalink / raw)
  To: James Bottomley; +Cc: Bradley M. Kuhn, Linus Torvalds, ksummit-discuss

On Mon, Aug 29, 2016 at 12:04 PM, James Bottomley
<James.Bottomley@hansenpartnership.com> wrote:
> On Mon, 2016-08-29 at 11:49 -0700, Linus Torvalds wrote:
>> On Mon, Aug 29, 2016 at 10:42 AM, Rik van Riel <riel@redhat.com>
>> wrote:
>> >
>> > Companies like IBM and SGI started participating in Linux because
>> > they knew no competitor would run off with their code, improve it
>> > slightly, and offer a proprietary product for sale based on it.
>>
>> Absolutely.
>>
>> Right now we're in the situation that a lot of companies are very
>> suspicious of the GPL, I do agree with Bradley on that.
>>
>> But we put the blame on very different things - I at least partly
>> very much do blame the "culture" that goes with the GPL.  Corporate
>> users do see the hostility towards commercial use that we have in
>> some quarters.
>>
>> We should be much more vocal about how it protects even companies
>> from people taking advantage of their code. Yes, they'll always want
>> to have their "value add" on top, but we should push the GPL as a
>> great model for core infrastructure everywhere.
>>
>> We should strive to make companies *like* the GPL, and encourage
>> exactly the kinds of things you mention.
>
> As I said way far upthread: this is how I sold the GPL to Parallels.  I
> definitely have real world experience of doing this and I'm happy to do
> it for other companies

I will note that this is a very hard job and only a few are both apt,
and have enough patience to deal with. Since people have learned they
can contribute to the kernel permissively though, this has meant there
is less of a need for that these days. What this means is that old
business models are less willing to change, if they don't have to.
Still -- that should be an advantage for the companies that *do* want
to consider using the GPL, the question would then be -- how to do
better, business-wise in today's market place if they do use the GPL.
This requires careful consideration, business partnerships, and a
keen eye towards the future. My answer to this is of course pure
mathematics -- but that requires more R&D still, but more on the
financial areas. The engineering gains should be clearly tangible
already, so the only thing stopping this is archaic business models.

> and be part of the crowd that does this
> encouragement.  We have a lot of support within the industry (Martin
> Fink, ex HP CTO springs immediately to mind here).

These are rather old companies, do we have any good market evidence of
newer companies preferring the GPL? If not why not?

> As a side note: if you own a project you want to open source, Apache-2
> ends up being practically the worst licence imaginable: not only can
> your competitors make proprietary modified copies of your code they
> don't have to show you, but they also gain rights to your patents with
> which to do it.

I disagree. The benefit that Apache 2 provides is not that you hold
patents per se, but rather if you want to contribute to the ecosystem
you have to also contribute to the patent pool. In today's mobile
market place the Apache 2 license seems like a rather *genius* move
IMHO for the cases where otherwise you do not care for the gains of
copyleft. What I'm trying to say is -- in my experience Android folks
barely cared about contributing upstream, it always was an uphill
battle. Patents however were a serious problem in every possible
little corner in the ecosystem. If a lot of new companies are using
permissive licenses for Linux, and you don't care over the copyleft
gains the Apache 2 license seems to give you a better edge.

You still lose good collaborations of course, and that of course is a
rather stupid thing to do. But that's a practical engineering decision
they seem to be happy to believe they can overcome. So it's a bet. To
lose that bet Linux better damn well enable those who want to bet on
upstream Linux to do a better job. Let's make sure that happens. In
the end *both* strategies (Apache 2 front, and GPL upstream) should
actually help extinguish archaic business models -- but more
importantly, behind the scenes what is really taking place is the
justification behind better engineering through more rapid and
efficient collaborations. That will evolve slowly.

  Luis


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-30 16:45                 ` Greg KH
  2016-08-30 17:20                   ` Luis R. Rodriguez
@ 2016-08-30 17:49                   ` Jeremy Allison
  2016-08-30 18:17                     ` Greg KH
  1 sibling, 1 reply; 173+ messages in thread
From: Jeremy Allison @ 2016-08-30 17:49 UTC (permalink / raw)
  To: Greg KH; +Cc: ksummit-discuss, 

On Tue, Aug 30, 2016 at 06:45:40PM +0200, Greg KH wrote:
> 
> That brings up a question, who exactly is the SFC representing here?
> What developers have signed over copyrights to the SFC?  Was this done
> in a "permanent" way?  "revoking" copyright assignment isn't exactly a
> simple thing to do, last I checked, so is this really true?

Ah, this could be a big part of the misapprehensions in this
thread !

While it is possible to sign over copyrights to the SFC, this
is not commonly done by member projects (I think I'm safe in
saying that). It's also not required to assign copyright in
order for SFC to represent copyright holders in enforcement
actions.

In Samba for example (which I can talk publicly about),
*NO* developers have assigned any copyrights to the SFC,
they are merely acting as an enforcement agent authorized
to do so on our behalf - by the wishes of the developers.

The Samba developers can revoke such permission at any time and
for any reason. The reason we haven't is that the consensus
for Samba is that SFC is doing a good job representing our
interests.


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-30 17:16                   ` Luck, Tony
@ 2016-08-30 17:40                     ` Luis R. Rodriguez
  0 siblings, 0 replies; 173+ messages in thread
From: Luis R. Rodriguez @ 2016-08-30 17:40 UTC (permalink / raw)
  To: Luck, Tony
  Cc: ksummit-discuss, James Bottomley, Bradley M. Kuhn, Linus Torvalds

On Tue, Aug 30, 2016 at 05:16:21PM +0000, Luck, Tony wrote:
> > Given that the names aren't public, that's somewhat of an impossible
> > test.
> 
> If SFC does at some point sue, and that action ends up in court, would the
> names become public? I'm assuming that they would since the first discovery
> request by the defending company would be to find out which code was at
> stake, and whether the copyright was really owned by the people that
> SFC represents.

If the law requires it I'm sure the names of those involved would come out.
Otherwise it's a volunteer option.

  Luis


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-29  6:26                 ` Greg KH
  2016-08-29 11:10                   ` Harald Welte
@ 2016-08-30 17:38                   ` Mark Brown
  2016-08-30 18:04                     ` Luis R. Rodriguez
  1 sibling, 1 reply; 173+ messages in thread
From: Mark Brown @ 2016-08-30 17:38 UTC (permalink / raw)
  To: Greg KH; +Cc: James Bottomley, Linus Torvalds, Bradley M. Kuhn, ksummit-discuss


On Mon, Aug 29, 2016 at 08:26:38AM +0200, Greg KH wrote:
> On Sun, Aug 28, 2016 at 02:06:44PM -0000, David Woodhouse wrote:

> > Even though I abhor what Patrick McHardy is doing, I still can't quite
> > find it in my heart to have *sympathy* for his victims. Because it's not
> > as if he's just taking random pot-shots at passers-by on the street. These
> > people defended their actions in court, and lost.

> No, that's not what Patrick did.  Whenever he actually took something to
> court, _he_ lost.  Companies paid him off before then because they were
> scared for foolish reasons, or it was honestly just cheaper to do it
> than go to court and win.  He took the traditional model of patent troll
> to the next level.

Please bear in mind that public information on what's going on there is
very scarce, I suspect most people have only seen the SFLC statement at:

   https://sfconservancy.org/blog/2016/jul/19/patrick-mchardy-gpl-enforcement/

(it seems from followups that there may be some confusion even in what
I've quoted above).  


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-30 17:10                 ` James Bottomley
  2016-08-30 17:16                   ` Luck, Tony
@ 2016-08-30 17:37                   ` Luis R. Rodriguez
  1 sibling, 0 replies; 173+ messages in thread
From: Luis R. Rodriguez @ 2016-08-30 17:37 UTC (permalink / raw)
  To: James Bottomley; +Cc: ksummit-discuss, Bradley M. Kuhn, Linus Torvalds

On Tue, Aug 30, 2016 at 10:10:29AM -0700, James Bottomley wrote:
> On Tue, 2016-08-30 at 18:15 +0200, Luis R. Rodriguez wrote:
> > On Sun, Aug 28, 2016 at 08:55:42AM -0400, Theodore Ts'o wrote:
> > > On Sat, Aug 27, 2016 at 09:24:54PM -0700, Jeremy Allison via
> > > Ksummit-discuss wrote:
> > > > Your opinion on that is clear and I understand why you hold it.
> > > > There are many other developers who hold the same opinion, but
> > > > lots of them work on FreeBSD not Linux.
> > > > 
> > > > Respectfully, I don't agree with you. Greg and Ted seem to agree
> > > > with you, Linus (like me) seems to imagine there can be a case 
> > > > for that shiny red button.
> > > 
> > > For the record, I believe there can be a case for the shiny red
> > > button.  I just want Linus, and not the SFC (or some --- as 
> > > admitted by the SFC --- minority set of developers), to be the one 
> > > who decides when it's appropriate to push it.
> > > 
> > > I've said it before, and I've said it again.  For me, this is much
> > > more about a project governance issue.  We don't let random pissed 
> > > off army officers decide when to start World War III.
> > 
> > If you are trying to equate "random pissed off officers" with those 
> > kernel developers part of the SFC alliance, then I have to say that 
> > is perhaps one of the most stupid misrepresentations of members of 
> > SFC that I have heard so far. Unless of course your statement is 
> > educated, you know all members part of SFC and have asked each one
> > why they joined.
> 
> Given that the names aren't public, that's somewhat of an impossible
> test.

Then best not equate them to angry officers. It's no different than trying to
equate those opposed to modern responsible community GPL enforcement with
corporate lobbyists. I'd be really, really stupid if I used that analogy.

> The problem Ted has is that a tiny minority of the copyright holders
> can launch a GPL action under the law today without regard to the
> opinions of the majority.

This thread seems to reveal that even Linus was aware of the VMware lawsuit.
Other than this it seems due process, in whatever capacity we have, is being
followed. In lack of any process being available, and given the interest of
those pestering SFC, what else can be done but to gather folks, discuss,
and try to reach some sort of transparent process ? What else can be done
better? That's the whole point of the discussion and engagement.

Simply dismissing all the effort possible by assuming Bradley is in charge is
IMHO understandable but also doing a huge disservice to Karen's own efforts.
Moving past that, if one can trust that he's not, then the next question is --
what due process would we like in place. Linus would prefer a proactive
approach, and I'm all for it. Always have been.  But that still dismisses any
proper due process left in place as last resort which we can settle on for the
community.

If a proactive approach can avoid another stupid lingering VMware type of case,
then let's hear it. Why didn't it work and what can we do better ? In fact,
other than a few key developers having impact at companies, what other effort is
there? I'm one of the few that took the plunge into a silicon company and
did my best to educate, and I think the company learned the benefits of
upstream, but working at silicon companies is *hard* and takes a lot of
patience. These days I know more developers that simply prefer to do contract
work than work full time or lobby. Then we have things like Linaro. That
helps but still leaves open the question of what proactive measures are in place.

> So could one person try to set up a
> permanent fork of linux; What holds it together isn't legal principles,
> it's sound governance, which is why Ted says this is a governance
> issue.

I agree with the governance thing obviously. The analogy used was just dumb.

> The analogy is to try to get you to understand, not to insult you by
> equating members of the SFC coalition with random pissed off generals.

The analogy does nothing to help. The discussion we are having, yes.

> > If you don't know then please educate yourself on this as reading 
> > this type of incoherent nonsense being spouted out is just offending 
> > and does nothing to help.
> 
> OK, so leaving the rhetoric aside, do you understand why we see this as
> an unsolved governance issue?  Solving it correctly is a hard problem,
> because it involves finding some mechanism for bringing GPL violators
> into line that everyone (including those in the SFC coalition) can
> support.

Of course, that's the whole point ! How do we resolve this ?

  Luis


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-30 16:45                 ` Greg KH
@ 2016-08-30 17:20                   ` Luis R. Rodriguez
  2016-08-30 18:15                     ` Greg KH
  2016-08-30 17:49                   ` Jeremy Allison
  1 sibling, 1 reply; 173+ messages in thread
From: Luis R. Rodriguez @ 2016-08-30 17:20 UTC (permalink / raw)
  To: Greg KH
  Cc: .jra, ksummit-discuss, James Bottomley, Bradley M. Kuhn, Linus Torvalds

On Tue, Aug 30, 2016 at 06:45:40PM +0200, Greg KH wrote:
> On Tue, Aug 30, 2016 at 06:15:57PM +0200, Luis R. Rodriguez wrote:
> > On Sun, Aug 28, 2016 at 08:55:42AM -0400, Theodore Ts'o wrote:
> > > On Sat, Aug 27, 2016 at 09:24:54PM -0700, Jeremy Allison via Ksummit-discuss wrote:
> > > > Your opinion on that is clear and I understand why you hold it.
> > > > There are many other developers who hold the same opinion, but
> > > > lots of them work on FreeBSD not Linux.
> > > > 
> > > > Respectfully, I don't agree with you. Greg and Ted seem to agree
> > > > with you, Linus (like me) seems to imagine there can be a case for
> > > > that shiny red button.
> > > 
> > > For the record, I believe there can be a case for the shiny red
> > > button.  I just want Linus, and not the SFC (or some --- as admitted
> > > by the SFC --- minority set of developers), to be the one who decides
> > > when it's appropriate to push it.
> > > 
> > > I've said it before, and I've said it again.  For me, this is much
> > > more about a project governance issue.  We don't let random pissed off
> > > army officers decide when to start World War III. 
> > 
> > If you are trying to equate "random pissed off officers" with those kernel
> > developers part of the SFC alliance, then I have to say that is perhaps one of
> > the most stupid misrepresentations of members of SFC that I have heard so far.
> > Unless of course your statement is educated, you know all members part of SFC
> > and have asked each one why they joined.
> 
> That brings up a question, who exactly is the SFC representing here?

I've come out:

http://www.do-not-panic.com/2016/02/im-part-of-conservancys-gpl-compliance.html

Others have as well. We don't force people to come out though obviously, so it's
optional. Some folks would prefer their association to remain private. That's
a right they should have.

What do you think? Did it ever cross your mind to consider joining ?

> What developers have signed over copyrights to the SFC?  Was this done
> in a "permanent" way?  "revoking" copyright assignment isn't exactly a
> simple thing to do, last I checked, so is this really true?

If this is a concern, perhaps it's something SFC can address. Also, would
you like a way to participate without signing off copyrights to SFC ? If so
that sounds like a type of discussion we could start.

> > If you don't know then please educate yourself on this as reading this type of
> > incoherent nonsense being spouted out is just offending and does nothing to help.
> 
> Without knowing the above, it's hard to know what is, or is not, a
> stupid misrepresentation :)

But the analogy was made so it was rather stupid and simply not contributing
anything. What you describe however, sounds like useful feedback.

  Luis


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-30 17:10                 ` James Bottomley
@ 2016-08-30 17:16                   ` Luck, Tony
  2016-08-30 17:40                     ` Luis R. Rodriguez
  2016-08-30 17:37                   ` Luis R. Rodriguez
  1 sibling, 1 reply; 173+ messages in thread
From: Luck, Tony @ 2016-08-30 17:16 UTC (permalink / raw)
  To: James Bottomley, Luis R. Rodriguez, Theodore Ts'o
  Cc: Bradley M. Kuhn, Linus Torvalds, ksummit-discuss

> Given that the names aren't public, that's somewhat of an impossible
> test.

If SFC does at some point sue, and that action ends up in court, would the
names become public? I'm assuming that they would since the first discovery
request by the defending company would be to find out which code was at
stake, and whether the copyright was really owned by the people that
SFC represents.

-Tony


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-28 20:36                   ` Linus Torvalds
  2016-08-29 15:35                     ` Steven Rostedt
  2016-08-29 16:26                     ` Jeremy Allison
@ 2016-08-30 17:13                     ` Luis R. Rodriguez
  2 siblings, 0 replies; 173+ messages in thread
From: Luis R. Rodriguez @ 2016-08-30 17:13 UTC (permalink / raw)
  To: Linus Torvalds
  Cc: James Bottomley, Christian Lamparter, Bradley M. Kuhn, ksummit-discuss

On Sun, Aug 28, 2016 at 01:36:38PM -0700, Linus Torvalds wrote:
> On Sun, Aug 28, 2016 at 12:36 PM, Theodore Ts'o <tytso@mit.edu> wrote:
> >
> > I didn't say that.  I said consensus driven and taking into account
> > all of the stakeholders.  If it makes you feel better, how about
> > "Linus as the benevolent dictator"?  He makes a point of gathering
> > input from multiple stakeholders, and delegating authority to others
> > for day to day decisions.  That's how we do our development, after
> > all.
> 
> So quite honestly, I think everybody would be much happier if we were
> not even ever in the situation where that would be required.

Absolutely. Proactive measures are best, always. If we don't have good
proactive measures in place then I think we have only ourselves to blame.

> Personally, I really think that legal action by the "community" is not
> at all what we should hope for, or even _aim_ for.

The problem is some folks are taking stupid action and it seems for profit.
At least SFC's approach is transparent, has a published Principles guideline
*and* has an open invitation to anyone to participate in the discussion. The
goal is to prevent stupid things, but to obviously address the high level of
violations being reported, somehow.

> As mentioned, I don't think it has worked wonderfully well.

So let us learn from that.

> But we do have examples of Linux GPL-related legal action that I think
> we *all* can agree has worked absolutely stunningly well.
> 
> I don't think anybody disagrees that IBM's legal actions against SCO
> were a really good thing. 

Sure.

> No, that was not mainly about some "GPL test
> case" or "license clarification", and it wasn't even _mainly_ about
> the GPL.

I agree with not using suits for test cases. That is just plain stupid.

> But the GPL _was_ part of it, and both the license and the community
> came out really well in it.
> 
> What I'm happy about it is also that it was a defensive suit, and
> quite frankly, when we talk about "going to war" and "nuclear
> options", I have to say that "defensive" is also a big big positive.
> Because offensive use of nuclear options is just a f*cking bad idea.
> Seriously.

Absolutely.

> And to further take that example: it was also a very good example of
> how companies really can help us. Any legal enforcement discussion
> absolutely should *not* be about "how does the open source community
> enforce the GPL against companies". That's just stupid talk, and makes
> it be about "individuals vs companies", which IS NOT TRUE. That's
> simply not how the community has worked in Linux, and it isn't how it
> *should* work.

Absolutely.

> Seriously. I think we should see the IBM/SCO thing as an example of
> how we should all wish the GPL is to be used.
> 
> Do I want some "community effort" to try to create a "GPL test case"

Emphasis, "test case".

> against some random badly behaving company that isn't even all that
> *meaningful* from a development standpoint? Hell no. Quite frankly,
> anybody who sees that as a good end goal should have their head
> examined. Yet that seems to be what the SFC sees as their goal in
> life.

Agreed.

> We should put our goal posts in a totally different direction. We
> don't have a "community effort" to do marketing. We all realize how
> completely idiotic and stupid that would be. A "Software Freedom
> Marketing Center" would be laughed at.

Laughable as it may be such campaigns do exist, such as the FSF's "Respect
your freedom" hardware product certification thing [0]. Having been involved
in making freedom available on one of these devices, an 802.11 device with open
firmware, I can tell you that it's been a success with those that care. Sure,
the group of interested folks in this sort of stuff might be small -- so to me
more important is the breed of better developers, better software, potential
new hires, and eventually showing how only a group of a few open developers can
end up replacing an entire fucking team doing a completely sub-par quality
firmware. Fortunately, as code was opened one can inspect what the quality was
during initial release against the latest development in collaboration with the
community. I left Atheros leaving behind *two* test cases of open firmware on
the 802.11 world, and any security researcher should be able to have a good
field day in showing what the quality of changes that opening brought about.

For open firmware though, the market simply is too late to take advantage of if
one is to do this as a test case, which is what we were doing. Silicon cycles
are fast and based on experiences you'd need to be releasing and engaging *with
the community* even during hardware ramp up, while you are working on the first
pieces of software being stitched together, not as a *port work*. Port work is
just dumb and too late.

From a practical point of view, resource point of view -- so, corporate -- tons
of lessons to be learned from these efforts. Those were the good 'ol days.

[0] https://www.fsf.org/resources/hw/endorsement/respects-your-freedom

> Why the hell do people not laugh at it when it comes to legal issues?
> 
> The fact is, Linux is in a very different position than the one that
> Jeremy Allison describes for samba. Or the one we were in 20 years
> ago. We have very consciously tried to make various companies be
> *part* of our community, and they have been an incredibly powerful
> resource. They employ a lot of the engineers, but they do so much more
> too.
> 
> So I seriously believe that we should not see companies as the "enemy"
> and as a target of lawsuits. We should see the Linux companies as a
> big part of the community, and as the natural *defender* of the GPL.

Ah. If those companies use the GPL. Sadly a new breed of companies do not use
the GPL for upstream contributions when they can now and as such the GPL is not
even part of their language other than danger, and if you need to use the GPL
you can end up feeling like a caged monkey. The good 'ol days are over, for
some companies and if I were you I'd be a bit concerned over what that might
mean long term. There surely are companies still using the GPL, and that's
great, but it's not like the way it was before. I'll admit I am partly to blame
for the proliferation of a new age of permissive license proliferation in the
kernel, this all started with a joint effort to help the BSDs when we took the
openhal for ath5k, then ath9k.. etc... My days of the whole BSD camp - kumbaya
are over, as I've seen the danger with that.

> And we already have a really good example of that that people seem to
> be ignoring.

The good 'ol days are over. Not for all, but some.

> I would really want people to completely change their thinking about
> this "GPL enforcement" thing.
> 
> The great thing about the GPLv2 was how it turned copyright law
> "against itself" (really just against traditional use of copyright)
> and it has been described as a legal "judo move" - using copyright to
> *open* software instead of using it as a way to *restrict* software.
> It's why people call it "copyleft", after all.
> 
> THAT is the beauty of the GPLv2.

:D

> But the people who then see proprietary software as "evil", and see
> companies as being amoral, and as the enemy (and this very much is how
> rms and the FSF was acting), those people were doing exactly the wrong
> thing, and I have been fighting that idiocy for as long as I've been
> using the GPLv2.
> 
> The fact that we didn't see proprietary software as evil, and that we
> opened our arms to companies made all the difference.

People have the right to feel proprietary software is amoral, it's on them,
this may be subjective in certain situations. But, from a market perspective
proprietary software is also plain stupid.

> Now those same small-minded people are making the SAME MISTAKE, all
> over again. I do *not* want anybody who talks about "evil" proprietary
> software to be seen as the "protector" of the GPL. No, people who
> talk about how proprietary software is "evil" should be seen as
> *stupid* people. Because they are. We showed them wrong.

I say proprietary software is just stupid. There are advantages of copyleft,
however not many companies tend to see similar gains towards the GPL as perhaps
some used to. I'm not saying these companies do not exist, they still do, I'm
just saying -- the market has changed and some just use Linux permissively.

> And similarly, we should *not* see this as some crazy "community is
> protecting itself against companies" crap. Again, that's the stupid
> and wrong-headed FSF thinking. It's bad.

Of course.

> We have a ton of companies that are part of the community, and the
> same way we're bad at marketing and rely on companies to do that, we
> should at least _strive_ to work towards companies doing legal
> enforcement too.

Sure, but many companies don't care about that aspect of the GPL, to a large
camp they are fine with Linux being a permissive license dump ground. That's
fine for them too, so long as they contribute, we should be happy right?

But I'm pointing out the same logic has slightly changed about approach.

> That's the true "judo" move.
> 
> Because quite frankly, I think just by going by existing history,
> companies are better at lawsuits than the community is anyway. Just
> look at IBM.

Sure, but there is a new era of companies that do not care. In lack of there
being any new need for companies to use the GPL, why would they?  That might
leave a gap for the community, and then again, should the community have a GPL
representation as companies do? What if it was only used as a last resort
measure ? That's what is being asked. What due process to follow. Etc.

  Luis


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-30 16:15               ` Luis R. Rodriguez
  2016-08-30 16:45                 ` Greg KH
@ 2016-08-30 17:10                 ` James Bottomley
  2016-08-30 17:16                   ` Luck, Tony
  2016-08-30 17:37                   ` Luis R. Rodriguez
  1 sibling, 2 replies; 173+ messages in thread
From: James Bottomley @ 2016-08-30 17:10 UTC (permalink / raw)
  To: Luis R. Rodriguez, Theodore Ts'o
  Cc: Bradley M. Kuhn, Linus Torvalds, ksummit-discuss

On Tue, 2016-08-30 at 18:15 +0200, Luis R. Rodriguez wrote:
> On Sun, Aug 28, 2016 at 08:55:42AM -0400, Theodore Ts'o wrote:
> > On Sat, Aug 27, 2016 at 09:24:54PM -0700, Jeremy Allison via
> > Ksummit-discuss wrote:
> > > Your opinion on that is clear and I understand why you hold it.
> > > There are many other developers who hold the same opinion, but
> > > lots of them work on FreeBSD not Linux.
> > > 
> > > Respectfully, I don't agree with you. Greg and Ted seem to agree
> > > with you, Linus (like me) seems to imagine there can be a case 
> > > for that shiny red button.
> > 
> > For the record, I believe there can be a case for the shiny red
> > button.  I just want Linus, and not the SFC (or some --- as 
> > admitted by the SFC --- minority set of developers), to be the one 
> > who decides when it's appropriate to push it.
> > 
> > I've said it before, and I've said it again.  For me, this is much
> > more about a project governance issue.  We don't let random pissed 
> > off army officers decide when to start World War III.
> 
> If you are trying to equate "random pissed off officers" with those 
> kernel developers part of the SFC alliance, then I have to say that 
> is perhaps one of the most stupid misrepresentations of members of 
> SFC that I have heard so far. Unless of course your statement is 
> educated, you know all members part of SFC and have asked each one
> why they joined.

Given that the names aren't public, that's somewhat of an impossible
test.

The problem Ted has is that a tiny minority of the copyright holders
can launch a GPL action under the law today without regard to the
opinions of the majority.  So could one person try to set up a
permanent fork of linux; What holds it together isn't legal principles,
it's sound governance, which is why Ted says this is a governance
issue.

The analogy is to try to get you to understand, not to insult you by
equating members of the SFC coalition with random pissed off generals.

> If you don't know then please educate yourself on this as reading 
> this type of incoherent nonsense being spouted out is just offending 
> and does nothing to help.

OK, so leaving the rhetoric aside, do you understand why we see this as
an unsolved governance issue?  Solving it correctly is a hard problem,
because it involves finding some mechanism for bringing GPL violators
into line that everyone (including those in the SFC coalition) can
support.

James


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-30 15:33             ` Arnd Bergmann
  2016-08-30 16:04               ` Guenter Roeck
@ 2016-08-30 16:55               ` Mark Brown
  1 sibling, 0 replies; 173+ messages in thread
From: Mark Brown @ 2016-08-30 16:55 UTC (permalink / raw)
  To: Arnd Bergmann; +Cc: Bradley M. Kuhn, Linus Torvalds, ksummit-discuss

On Tue, Aug 30, 2016 at 05:33:36PM +0200, Arnd Bergmann wrote:
> On Tuesday 30 August 2016, Maxime Ripard wrote:

> > They used to yes. However, even though I don't really know how Linaro works
> > internally, my understanding was that being part of Linaro doesn't
> > imply that you have engineers assigned. It's probably related to some
> > level of membership.

> Correct, the higher membership levels require assigning engineers,
> but that doesn't mean these engineers work on upstreaming code
> of that member company, or even working on the kernel.

To be more concrete: the assignees function essentially as contractors
for Linaro.  They're doing Linaro work on free software products and
infrastructure like direct Linaro employees do, they're not working for
the member company but rather for Linaro when they're assignees.

Linaro does also have landing teams for members at higher levels, these
function in the opposite direction and have their work assigned by the
members but there's no requirement that this work be upstreaming or even
kernel related, it is in some cases (eg, a bunch of the Qualcomm and ST
work upstream is being done by Linaro landing teams) but not all.

> We do provide all kinds of help to member companies and engineers
> to learn everything about upstreaming their code and working with
> the communities, and a lot of member companies use that help, but
> other members don't.

Plus the fact some member companies are large enough that they have
several groups working with Linux and in those cases it may only be one
of those groups that's joined Linaro and the SoCs people generally see
may be from another group.

[Specifically in the context of Linaro working on Allwinner SoCs]
> > Anyway, like I was saying, no one from Linaro ever contributed
> > something meaningful (except some cross-tree patches, and the usual
> > "maintenance" patches).

> I'm not surprised at all. Most of the kernel work we do in
> Linaro is intentionally cross-platform (so it benefits all members
> equally), or it is done on those platforms that the members decide
> are important upstream.

Where possible we'll try to use platforms that already work well
upstream rather than trying to do basic upstreaming work.


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-30 16:15               ` Luis R. Rodriguez
@ 2016-08-30 16:45                 ` Greg KH
  2016-08-30 17:20                   ` Luis R. Rodriguez
  2016-08-30 17:49                   ` Jeremy Allison
  2016-08-30 17:10                 ` James Bottomley
  1 sibling, 2 replies; 173+ messages in thread
From: Greg KH @ 2016-08-30 16:45 UTC (permalink / raw)
  To: Luis R. Rodriguez; +Cc: ksummit-discuss, 

On Tue, Aug 30, 2016 at 06:15:57PM +0200, Luis R. Rodriguez wrote:
> On Sun, Aug 28, 2016 at 08:55:42AM -0400, Theodore Ts'o wrote:
> > On Sat, Aug 27, 2016 at 09:24:54PM -0700, Jeremy Allison via Ksummit-discuss wrote:
> > > Your opinion on that is clear and I understand why you hold it.
> > > There are many other developers who hold the same opinion, but
> > > lots of them work on FreeBSD not Linux.
> > > 
> > > Respectfully, I don't agree with you. Greg and Ted seem to agree
> > > with you, Linus (like me) seems to imagine there can be a case for
> > > that shiny red button.
> > 
> > For the record, I believe there can be a case for the shiny red
> > button.  I just want Linus, and not the SFC (or some --- as admitted
> > by the SFC --- minority set of developers), to be the one who decides
> > when it's appropriate to push it.
> > 
> > I've said it before, and I've said it again.  For me, this is much
> > more about a project governance issue.  We don't let random pissed off
> > army officers decide when to start World War III. 
> 
> If you are trying to equate "random pissed off officers" with those kernel
> developers part of the SFC alliance, then I have to say that is perhaps one of
> the most stupid misrepresentations of members of SFC that I have heard so far.
> Unless of course your statement is educated, you know all members part of SFC
> and have asked each one why they joined.

That brings up a question, who exactly is the SFC representing here?
What developers have signed over copyrights to the SFC?  Was this done
in a "permanent" way?  "revoking" copyright assignment isn't exactly a
simple thing to do, last I checked, so is this really true?

> If you don't know then please educate yourself on this as reading this type of
> incoherent nonsense being spouted out is just offending and does nothing to help.

Without knowing the above, it's hard to know what is, or is not, a
stupid misrepresentation :)

thanks,

greg k-h


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-28 12:55             ` Theodore Ts'o
                                 ` (2 preceding siblings ...)
  2016-08-28 16:26               ` Bradley M. Kuhn
@ 2016-08-30 16:15               ` Luis R. Rodriguez
  2016-08-30 16:45                 ` Greg KH
  2016-08-30 17:10                 ` James Bottomley
  3 siblings, 2 replies; 173+ messages in thread
From: Luis R. Rodriguez @ 2016-08-30 16:15 UTC (permalink / raw)
  To: Theodore Ts'o
  Cc: .jra, ksummit-discuss, James Bottomley, Bradley M. Kuhn, Linus Torvalds

On Sun, Aug 28, 2016 at 08:55:42AM -0400, Theodore Ts'o wrote:
> On Sat, Aug 27, 2016 at 09:24:54PM -0700, Jeremy Allison via Ksummit-discuss wrote:
> > Your opinion on that is clear and I understand why you hold it.
> > There are many other developers who hold the same opinion, but
> > lots of them work on FreeBSD not Linux.
> > 
> > Respectfully, I don't agree with you. Greg and Ted seem to agree
> > with you, Linus (like me) seems to imagine there can be a case for
> > that shiny red button.
> 
> For the record, I believe there can be a case for the shiny red
> button.  I just want Linus, and not the SFC (or some --- as admitted
> by the SFC --- minority set of developers), to be the one who decides
> when it's appropriate to push it.
> 
> I've said it before, and I've said it again.  For me, this is much
> more about a project governance issue.  We don't let random pissed off
> army officers decide when to start World War III. 

If you are trying to equate "random pissed off officers" with those kernel
developers part of the SFC alliance, then I have to say that is perhaps one of
the most stupid misrepresentations of members of SFC that I have heard so far.
Unless of course your statement is educated, you know all members part of SFC
and have asked each one why they joined.

If you don't know then please educate yourself on this as reading this type of
incoherent nonsense being spouted out is just offending and does nothing to help.

  Luis


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-30 15:33             ` Arnd Bergmann
@ 2016-08-30 16:04               ` Guenter Roeck
  2016-08-30 19:44                 ` Arnd Bergmann
  2016-08-30 16:55               ` Mark Brown
  1 sibling, 1 reply; 173+ messages in thread
From: Guenter Roeck @ 2016-08-30 16:04 UTC (permalink / raw)
  To: Arnd Bergmann; +Cc: Bradley M. Kuhn, Linus Torvalds, ksummit-discuss

On Tue, Aug 30, 2016 at 05:33:36PM +0200, Arnd Bergmann wrote:
> 
> > Anyway, like I was saying, no one from Linaro ever contributed
> > something meaningful (except some cross-tree patches, and the usual
> > "maintenance" patches).
> 
> I'm not surprised at all. Most of the kernel work we do in
> Linaro is intentionally cross-platform (so it benefits all members
> equally), or it is done on those platforms that the members decide
> are important upstream.
> 
One may wonder how your Linux kernel patches and merges are classified
per the above.

Thank you for all your work in the Linux kernel. It is anything but
meaningless, and it obviously goes far beyond "some cross-tree patches,
and the usual maintenance patches".

Guenter


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-30  9:57           ` Maxime Ripard
@ 2016-08-30 15:33             ` Arnd Bergmann
  2016-08-30 16:04               ` Guenter Roeck
  2016-08-30 16:55               ` Mark Brown
  0 siblings, 2 replies; 173+ messages in thread
From: Arnd Bergmann @ 2016-08-30 15:33 UTC (permalink / raw)
  To: ksummit-discuss; +Cc: Bradley M. Kuhn, Linus Torvalds

On Tuesday 30 August 2016, Maxime Ripard wrote:
> On Mon, Aug 29, 2016 at 01:50:18PM +0200, Greg KH wrote:
> > > On Sat, Aug 27, 2016 at 06:26:55PM +0200, Greg KH wrote:
> > > > Someone in a reddit thread about this email conversation said, in trying
> > > > to quote Linus, something along the lines of "the nuclear option should
> > > > have been done to Allwinner a long time ago".  And that proved my point
> > > > exactly.  Allwinner was a pain for a very long time.  But as developers,
> > > > and through the efforts of a lot of people at the Linux Foundation and
> > > > Linaro, Allwinner is now a contributor to the kernel, and actively
> > > > sponsors developers to write GPLv2 code for their chips.
> > > 
> > > While I generally agree with you on this topic, this is simply not
> > > true.
> > > 
> > > As the Allwinner SoC maintainer, I never received any patch from
> > > someone either from the Linux Foundation or Linaro. And to the best of
> > > my knowledge, I'm not aware of anyone being paid by Allwinner to work
> > > on the kernel.
> > 
> > You wouldn't have gotten anything from the LF (we don't have many
> > developers as you know), but I thought that Allwinner was part of
> > Linaro, is that not correct?
> 
> They used to yes. However, even though I don't really know how Linaro works
> internally, my understanding was that being part of Linaro doesn't
> imply that you have engineers assigned. It's probably related to some
> level of membership.

Correct, the higher membership levels require assigning engineers,
but that doesn't mean these engineers work on upstreaming code
of that member company, or even working on the kernel.

We do provide all kinds of help to member companies and engineers
to learn everything about upstreaming their code and working with
the communities, and a lot of member companies use that help, but
other members don't.

> Anyway, like I was saying, no one from Linaro ever contributed
> something meaningful (except some cross-tree patches, and the usual
> "maintenance" patches).

I'm not surprised at all. Most of the kernel work we do in
Linaro is intentionally cross-platform (so it benefits all members
equally), or it is done on those platforms that the members decide
are important upstream.

	Arnd


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-29 11:50         ` Greg KH
@ 2016-08-30  9:57           ` Maxime Ripard
  2016-08-30 15:33             ` Arnd Bergmann
  0 siblings, 1 reply; 173+ messages in thread
From: Maxime Ripard @ 2016-08-30  9:57 UTC (permalink / raw)
  To: Greg KH; +Cc: Bradley M. Kuhn, Linus Torvalds, ksummit-discuss

Hi Greg,

On Mon, Aug 29, 2016 at 01:50:18PM +0200, Greg KH wrote:
> > On Sat, Aug 27, 2016 at 06:26:55PM +0200, Greg KH wrote:
> > > Someone in a reddit thread about this email conversation said, in trying
> > > to quote Linus, something along the lines of "the nuclear option should
> > > have been done to Allwinner a long time ago".  And that proved my point
> > > exactly.  Allwinner was a pain for a very long time.  But as developers,
> > > and through the efforts of a lot of people at the Linux Foundation and
> > > Linaro, Allwinner is now a contributor to the kernel, and actively
> > > sponsors developers to write GPLv2 code for their chips.
> > 
> > While I generally agree with you on this topic, this is simply not
> > true.
> > 
> > As the Allwinner SoC maintainer, I never received any patch from
> > someone either from the Linux Foundation or Linaro. And to the best of
> > my knowledge, I'm not aware of anyone being paid by Allwinner to work
> > on the kernel.
> 
> You wouldn't have gotten anything from the LF (we don't have many
> developers as you know), but I thought that Allwinner was part of
> Linaro, is that not correct?

They used to yes. However, even though I don't really know how Linaro works
internally, my understanding was that being part of Linaro doesn't
imply that you have engineers assigned. It's probably related to some
level of membership.

Anyway, like I was saying, no one from Linaro ever contributed
something meaningful (except some cross-tree patches, and the usual
"maintenance" patches).

> > Allwinner is not a pain anymore because a few hobbyists started
> > working on the kernel to improve the situation.
> 
> Really?  How did the work for the Chip computer come about?  That's an
> Allwinner processor, right?

It is. But it was built on what the community did (ie, the hardware is
from Allwinner, the software is not).

Maxime

-- 
Maxime Ripard, Free Electrons
Embedded Linux and Kernel engineering
http://free-electrons.com


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-29 21:59         ` Linus Torvalds
  2016-08-29 23:05           ` Guenter Roeck
@ 2016-08-30  4:32           ` Bradley M. Kuhn
  1 sibling, 0 replies; 173+ messages in thread
From: Bradley M. Kuhn @ 2016-08-30  4:32 UTC (permalink / raw)
  To: Linus Torvalds; +Cc: ksummit-discuss

[ I know I said I wouldn't reply again on this subtopic, and Karen already
  posted elsewhere in the thread that Conservancy isn't going to invite more
  time responding officially on this thread, so I wrote this response on my
  own time (from my own email address).  It's just tough for me not to be
  Kibo-like when Linus says my name seven times in one email. :) ]

Linus,

Linus Torvalds wrote a few hours ago:
> Bradley claims that it's because companies are selfish, and that's
> certainly true, but there's nothing wrong with that.
... 
> So Bradley is literally spouting the *exact* wrong argument.

Oversimplifying my argument to some soundbite then attacking the soundbite
would certainly make for a good segment on "The Open Source Daily Show".  I
would truly enjoy being lampooned on such a thing; I wish it existed.

But the reason the whole "Daily Show" method that Ted mentioned works as
comedy but not as deep policy analysis is that many policy issues are
complicated, and those who speak regularly about complex policy topics
generate a string of soundbites that you can put together in ways that might
not represent their actual position.  Or, maybe they just make gaffes.

Gaffes or confusing statements don't have behind them some deep insight of
someone's real motives.  Years ago, I read this book called _The Bush
Dyslexicon_.  The book lined up a bunch of Bush 43's gaffes and argued that
somehow they showed his real motivations -- that by digging deep into the
gaffes, one could find his real beliefs.  I admit it was a cute read; and
I'm now somewhat of a walking encyclopedia of Bush 43 gaffes because I read
it.  But, I just wasn't swayed by the book's argument.  The way to judge a
public figure is by their official policies, their actions, the bills they
sign, the bills they veto, the agenda they put forward to Congress -- not by
finding ten words in a speech.  Even if it is your political opponent.

It's certainly possible to use small pieces of what I said previously as
evidence that I'm a "secret copyleft maximalist".  If you add in that I've
exchanged a lot of email with RMS in my life, the theory might sound
plausible.  Once that theory has some truthiness, no one can *prove* that
you just misunderstood some past statement, or, that in some cases, my
positions have changed over time (such as regarding copyright assignment).

For example, this thread, and the private discussions I've had at work with
Conservancy's GPL Compliance Program for Linux Developers during the last
four days have measurably changed a few positions of mine (but subtly enough
that it's not worth boring the list with details).  The discussions Karen
and I will have with Linux developers all over the world for the next six
months will probably influence and change my positions too.  But I still
don't think my personal views need accountability in this discussion.
Actions are what matters.  *Who* I am accountable to is what matters.

So let's talk about those -- taking the latter first.  When I work on my day
job at Conservancy with the GPL Compliance Program for Linux Developers, I
help enforce the GPL, but Karen and I both already said, we're accountable
to a bunch of people who *wrote code in your kernel*.

And, the former: what actions do I mean?  Well, to get there, let's consider
your question to me, Linus.  Publicly and privately, you asked me if I am,
or have I ever been, a "copyleft maximalist".  I didn't answer, not because
I'm "pleading the fifth", but because I don't understand that phrase.

During the last 25 years that you were writing code in Linux, I wasn't
(although, some days, I wish I'd tried to upstream the tiny patchset I wrote
and deployed in 1993 for my university).  Instead, I spent that time (when I
could have been hacking on Linux) studying and trying to understand copyleft
as a tool and a strategy: how it worked, whether it worked, and how it might
work better.  I admit if I have a specialty, that's my specialty.

Becoming a specialist in copyleft convinced me of the Socratic Epiphany [0].
I'm certainly one of the top experts on copyleft.  (BTW, I'm the perfect
example that "being a lawyer" is not a prerequisite for "being an expert
about a specific legal area", particularly if that area is tiny.)  Yet there
are plenty of questions related to copyleft that I can't answer.

People at social events after conferences love to pitch me what-if scenarios
about the GPL.  My pithy response is to ask them: "hypothetically speaking?"
and when they say "yes", I say: "I never learned to speak Hypothetical."
It's a joke, but I mean it: I don't claim to know what a Court will say
about questions.  More importantly to your questions to me, I don't claim to
know the right answer unless a *real world* situation is in front of me
where I can analyze all the nuances of the specific GPL violation.

The next obvious question is: "Well, we need to know the answer in the
general case, because if you're an advisor to the people enforcing the GPL
in Conservancy's coalitions, I need to know what you'll recommend!"  My
pithy answer is, "join one of the coalitions to be part of that discussion!"

The non-pithy response is: look at the public work.  Speaking just for
myself, I say: *I stand with Christoph Hellwig*.  I believe VMware
misappropriated his code (and code of other Linux developers too) into a
larger work and distributed the result in a manner that violates the
GPLv2§2(b) (primarily) and (secondarily) a bunch of other sections.  In my
day job, I co-wrote Conservancy's analysis that explains why I believe that [1].

So, you can look at that FAQ and either say (a): "Aha! I don't think what
VMware did violates GPLv2§2(b), so now I know for sure -- Bradley is a
copyleft maximalist because he believes VMware violated."  Or, (as, Linus,
you (more-or-less) *did* say to me before the lawsuit) (b): "I think what
VMware is doing is in poor taste", and continue with: "so you're right on
that one, but how do I know how you'll decide on the next one you see?"

If your position is (a), well, then we know at least one tiny boundary point
of what *you* mean when you say "copyleft maximalist", but it also means
you're not just calling me a copyleft maximalist, but also the many others
who have spoken out in support of Christoph's VMware lawsuit.

If your position is (b), it doesn't mean I *am* a copyleft maximalist, and
it doesn't mean I'm dodging the question either.  It means I'm telling you:
"I don't know what *I* believe until I look at the specific situation,
including asking and considering the advice of other smart people."  And,
then you'll go back to saying you can't trust me, and I go back to my pithy
answer: "join the coalition and then you have a say in that decision, if it
ever even comes to that" (see my "Steps" email earlier [2]).

I went through all that to show that it looks to me that there's no way I
can answer your question in any way that will satisfy you, in part because
there are just too many unknowns, too much work left to do, and too many
people left to ask.  I will meanwhile hold you to what you said many times
(paraphrased here): "all Linux contributors keep their own copyrights, and
each gets to make their own copyright-related decisions".  Your opinion as
Linux's leader matters to me, but it's precisely because it matters to me
that I will hold you to your prior statements on "no copyright assignment",
until such time as you change that policy and collect copyright assignments
from every last contributor.

Meanwhile, I certainly don't think I should be appointed Grand Poobah of All
Things GPL.  I do want to practice my skill: helping get great copylefted
code written, and enabling the copyleft strategy to make sure that code
stays Free. I do that work with people who choose to work with me. I prefer
being accountable to a community, because I believe in community processes,
so I'm glad that all those people can walk away and tell me (and everyone I
work with at Conservancy in my day job) to _BLANK_ off.

But, to circle back to your primary point of "copyleft maximalism": if
you label me with an undefinable phrase, and say I've "got it all wrong",
we'll just end up working in parallel and separately.  I don't know how to
have a philosophical nor factual discussion once I'm labeled with a short
phrase that I don't fully understand, and am hearing: "there, look, see,
because you fit that phrase, you're the problem".  I don't mind being told
"you're the problem".  But, Linus, there are also places where I'd say that
"you're the problem" too.  We probably won't convince each other that either
one of us is a problem to the other, so we don't need to bother. :)

Finally, a key reason I replied was to clarify this point, since it's made
in the same email that talks about me personally in such detail:
> With people like Larry Wall etc were almost demonized by the FSF?

The primary Free Software project on my resume is Perl.  I was involved
during the Perl4 and early-to-mid Perl5 period.  I've written code in many
Perl modules and perl5 itself, under non-copyleft licenses.  I even *fought*
my University when working on my Master's thesis, who had already *agreed*
to GPL my work (under *their* copyright).  I hired a lawyer *specifically*
so I could keep my *own* copyright, released under a non-copyleft license
(GPLv2-or-later|Artistic), for compatibility with perl's license.

Think about that: Bradley M. Kuhn, The Copyleft Guy™, paid a lawyer to have
a legal fight (but not a lawsuit!) with his University because he wanted
something he wrote to *not be copylefted*, because the Perl community
*didn't want it under copyleft*, even though his University did.  That tells
you a lot about my character and views.

Anyway, more to the point about Larry: I was one of the people who nominated
Larry Wall to receive FSF's Award in 1998 [3].  Larry Wall was on my thesis
committee.  Meanwhile, one of the first volunteer activities that I did with
the FSF was encourage people to normalize licensing of Perl modules under
non-copyleft (GPLv2-or-later|Artistic).  I also wrote the Clarified Artistic
License, which was really a proto-version of the Artistic-2.0, designed to
help copyleft communities and the Perl community to get together.

So, while I don't know what demonization of Larry that you're talking about,
no one can credibly say that I, who was both a volunteer for the FSF and
involved with Perl during that time period, ever demonized Larry, and you
definitely should not paint me and those who did with the same brush.


With that, I really am done replying on this thread.  I hope to talk with
many of you about GPL enforcement at conferences, etc. in the next 6 months.


[0] i.e., I know enough about this topic to realize it's impossible to fully
    know this topic.

[1] See Conservancy's VMware Lawsuit FAQ:
    https://sfconservancy.org/copyleft-compliance/vmware-lawsuit-faq.html#tech

[2] https://lists.linuxfoundation.org/pipermail/ksummit-discuss/2016-August/003637.html

[3] https://www.gnu.org/award/award-1998.en.html
    BTW, Ted was given the same award in 2006:
    https://www.fsf.org/news/free-software-award-2006
-- 
   -- bkuhn

* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-29 21:59         ` Linus Torvalds
@ 2016-08-29 23:05           ` Guenter Roeck
  2016-08-30  4:32           ` Bradley M. Kuhn
  1 sibling, 0 replies; 173+ messages in thread
From: Guenter Roeck @ 2016-08-29 23:05 UTC (permalink / raw)
  To: Linus Torvalds; +Cc: Bradley M. Kuhn, ksummit-discuss

On Mon, Aug 29, 2016 at 02:59:29PM -0700, Linus Torvalds wrote:
> 
>   "Guys, you really ARE the reason the GPL is failing, and people are
> starting new projects with other licenses. Because they care about
> better technology, not about your agenda. And you're making the GPL
> look bad"
> 

Unfortunately, I have seen that happen a lot recently. GPLv3 and all the
talk about heavy-handed enforcement is driving people away from GPL.
At my previous employer, where I and others spent a lot of time convincing
senior management that Open Source is a good thing, most new projects ended
up using BSD or Apache licenses to avoid the pitfalls of GPL - and because
the teams responsible for the projects wanted their software to be successful.
GPL is doing a pretty good job ensuring its own demise.

Surgery successful, patient dead, as people say in Germany.

Guenter

* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-29 21:31       ` Theodore Ts'o
  2016-08-29 21:52         ` Matthew Garrett
@ 2016-08-29 21:59         ` Linus Torvalds
  2016-08-29 23:05           ` Guenter Roeck
  2016-08-30  4:32           ` Bradley M. Kuhn
  1 sibling, 2 replies; 173+ messages in thread
From: Linus Torvalds @ 2016-08-29 21:59 UTC (permalink / raw)
  To: Theodore Ts'o; +Cc: Bradley M. Kuhn, ksummit-discuss

On Mon, Aug 29, 2016 at 2:31 PM, Theodore Ts'o <tytso@mit.edu> wrote:
>
> So I don't believe that compliance efforts are necessarily needed in
> order for companies to feel comfortable donating large code bases such
> as XFS or JFS.

No, I don't think that was the argument (it certainly wasn't mine).

No, *my* argument is that we've done a great job of talking about how
open source helps companies cooperate and generate better technology.

People actually *get* that. Just look around at how much open source
is seen as the future of technology, and every single tech company is
working with it.

But then if you look at what companies are actually doing, many of
them still actively shun the GPL.

Why?

Bradley claims that it's because companies are selfish, and that's
certainly true, but there's nothing wrong with that.

What's very VERY wrong is to think that "selfish" means "anti-GPL".
That's crazy talk. And *that* is why we should show those XFS/JFS/RCU
examples and say: "No, GPL actually works very well and protects your
selfish interests, and means that others can't just steal your
wonderful technology".

So Bradley is literally spouting the *exact* wrong argument. He's
basically saying "companies are selfish, so the GPL doesn't work for
them, so we need to force the issue".

That's COMPLETE BULLSHIT.

But *of*course* if you say that to companies, when they want to pick a
project, they have heard that insane argument, and they go "ok, let's
not pick the GPL, because that's clearly bad for us - just listen to
this Bradley guy".

So I think it's because the people who talk most vocally about the GPL
and the copyleft and about how it needs to be enforced are actively
scaring companies away.

Look instead at the other side: I personally try to be fairly vocal
about my support of the GPL, and talk about how it's a positive thing
and really helped Linux succeed, and I do so because I think it's very
true. I literally try to point out how it fosters community and
protects companies and individuals. I did it on stage just *days* ago,
for chrissake!

Which is actually why I was so completely *livid* when Bradley goes
out and does his usual crazy FSF nonsense thing.

I obviously do *not* believe in what the FSF and GPL zealots say. And
I do *not* believe for a moment that it comes across as positive for
most companies.

In fact, just looking at the history, scratch that "companies" part.
The GPL zealot message does not come across as a positive for most
*individuals*.

Remember all the BSD-vs-GPL wars? The BSD people _detested_ the GPL.
They absolutely detested rms. And with rather good reason, I might
say.

The FSF "message" has always been negative, and has always been
something a lot of people react badly to.  You had some very respected
BSD people who had done a *ton* of good things in open source who
absolutely refused to have anything to do with the GPL. These were
important people in the community, who made big advances in open
source. And they would pick any other license than the GPL.

So it really isn't even "people like Bradley scare companies away from
the GPL".  They've scared away really good individuals that have spent
a lot of effort on open source code.

Does nobody else remember those BSD-vs-GPL flame wars? When people
like Larry Wall etc were almost demonized by the FSF?

This is why I so hated seeing Bradley channeling the FSF and rms when
I watched his LinuxCon.Au talk. It was the bad old FSF message about
how free software is a moral choice, and how you should fight
companies and do free software in your free time and try to take over
the world with copyright license reasons. It's only slightly softened
over the years.

I remember that message from when I started. I thought it was bullshit
back then, I think it's even more bullshit now.

The way you take over the world is by creating the best technology out
there, not with trying to extend the reach of the copyright and
"coercing" users into it.

The FSF and rms never got that. They didn't see the GPL as a way to
generate better software, but as a way to further their agenda.

And that's still the message I see from Bradley and some people.

So here's my message to the "copyleft maximalist" crowd:

  "Guys, you really ARE the reason the GPL is failing, and people are
starting new projects with other licenses. Because they care about
better technology, not about your agenda. And you're making the GPL
look bad"

Please stop. And don't use Linux as a tool in your "community work".
If your aim is to trick people into using your license, rather than
creating the best possible technology, you're no community of mine.

The point of the GPL is to create the best possible technology by
making people *want* to cooperate.

                 Linus

* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-29 21:31       ` Theodore Ts'o
@ 2016-08-29 21:52         ` Matthew Garrett
  2016-08-29 21:59         ` Linus Torvalds
  1 sibling, 0 replies; 173+ messages in thread
From: Matthew Garrett @ 2016-08-29 21:52 UTC (permalink / raw)
  To: Theodore Ts'o; +Cc: Bradley M. Kuhn, Linus Torvalds, ksummit-discuss

On Mon, Aug 29, 2016 at 5:31 PM, Theodore Ts'o <tytso@mit.edu> wrote:
> If some competitor ran off with their code, companies like IBM and SGI
> would be perfectly capable of suing their competitor.  As Linus has
> observed, companies like IBM are perfectly capable of deciding whether
> or not a lawsuit is in their interest, and aggressively pursuing legal
> action when it's called for.

I'm a little confused here. Doesn't the argument that this would
result in companies avoiding Linux in order to reduce their potential
liability apply equally well in this case? If IBM showed willingness
to sue people for JFS-related infringements, there's no fundamental
reason to believe that they wouldn't be willing to do the same against
any other competitor on broadly spurious grounds. The threat of being
sued by IBM seems like a much stronger incentive to use something else
than the threat of being sued by a small coalition of independent
copyright holders.

* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-29 17:42     ` Rik van Riel
  2016-08-29 18:49       ` Linus Torvalds
@ 2016-08-29 21:31       ` Theodore Ts'o
  2016-08-29 21:52         ` Matthew Garrett
  2016-08-29 21:59         ` Linus Torvalds
  1 sibling, 2 replies; 173+ messages in thread
From: Theodore Ts'o @ 2016-08-29 21:31 UTC (permalink / raw)
  To: Rik van Riel; +Cc: Bradley M. Kuhn, Linus Torvalds, ksummit-discuss

On Mon, Aug 29, 2016 at 01:42:33PM -0400, Rik van Riel wrote:
> 
> It is worth remembering why XFS, JFS, and RCU were made available
> only under the GPL, and not under eg. a BSD license.
> 
> Linux got access to that code because of the GPL's obligation
> that further improvements be made available to the whole community.
> 
> Companies like IBM and SGI started participating in Linux because
> they knew no competitor would run off with their code, improve it
> slightly, and offer a proprietary product for sale based on it.
> 
> GPL compliance efforts keep that expectation alive, and may be a
> factor for new companies when deciding whether or not they can
> afford to release their code under the GPL.

If some competitor ran off with their code, companies like IBM and SGI
would be perfectly capable of suing their competitor.  As Linus has
observed, companies like IBM are perfectly capable of deciding whether
or not a lawsuit is in their interest, and aggressively pursuing legal
action when it's called for.

So I don't believe that compliance efforts are necessarily needed in
order for companies to feel comfortable donating large code bases such
as XFS or JFS.

Cheers,

						- Ted

* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-29 18:49       ` Linus Torvalds
  2016-08-29 19:04         ` James Bottomley
@ 2016-08-29 20:19         ` Wolfram Sang
  1 sibling, 0 replies; 173+ messages in thread
From: Wolfram Sang @ 2016-08-29 20:19 UTC (permalink / raw)
  To: Linus Torvalds; +Cc: Bradley M. Kuhn, ksummit-discuss

> But we put the blame on very different things - I at least partly very
> much do blame the "culture" that goes with the GPL.  Corporate users
> do see the hostility towards commercial use that we have in some
> quarters.

I don't support the hostility, yet I'd like to mention that it mostly
doesn't come out of nowhere. There _are_ bad companies besides the good
ones and they cause frustration. For example, if I want to watch a DVD,
it takes more than a minute until I get to the actual content, because
there is all text about what I am not allowed to do and how I can be
punished. Yet, the DVD player I am using runs Linux with code I wrote.
And I can't get the sources to the device driver for that codec chip I'd
like to have. I can see that it might be irrelevant for Linux as a
project, but on the individual level, this is frustrating and can easily
scare talent away. I think this should be seen, too - for the sake of
mutual understanding.

> We should strive to make companies *like* the GPL, and encourage
> exactly the kinds of things you mention.

Yes!


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-29 15:51                       ` Jiri Kosina
@ 2016-08-29 19:45                         ` Karen Sandler
  0 siblings, 0 replies; 173+ messages in thread
From: Karen Sandler @ 2016-08-29 19:45 UTC (permalink / raw)
  To: Jiri Kosina
  Cc: James Bottomley, Bradley M. Kuhn, Linus Torvalds, ksummit-discuss


This has all been quite a discussion! I wanted to clarify a few
things:

  * <insert lawyer joke here> [1]

  * Some of the statements made in this discussion rely on legal
assertions that aren't quite right. [2] 

  * As others have pointed out, every part of Conservancy's approach to
enforcement is designed to take risk away from companies out of
compliance. [3]

  * I'm really glad that people are thinking about these issues. [4]

  * Over time, regardless of what individual Linux copyright holders or
Conservancy do, others will bring lawsuits that will impact the
kernel. [5]

Conservancy spearheads a coordinated[6] and downright timid approach,
codifying our principles so that companies out of compliance can hold us
to them. We merely represent some kernel developers in exercising their
rights. We do this because we think it's right, and we re-evaluate this
together with our coalition at every step. And we do so in a coordinated
and litigation-avoiding style. I only proposed the KS session after
getting encouragement from several prominent kernel developers (and
given that there was precedence for such a legal-related discussion
[7]).

I want proper time for everyone to reflect on what has been said on this
thread and to provide well thought out feedback in whatever forum is
comfortable for them. 

We propose to have this discussion in many different venues and places
over the next six months (whether or not there's an official session at
KS and whether or not we are there to participate if so).  Bradley and
I will each be present at a lot of conferences and events over the next
six months.  At any of these events where people are interested, we'll
host sessions in whatever format is appropriate to meet with Linux
developers and stakeholders to discuss Conservancy's enforcement
activities, to get feedback, and incorporate the ideas we hear into our
work and strategies.  We'll post summaries of the meet-ups (to the
extent we can and still respect requested confidentiality) to our
principles mailing list[8].

Conservancy will be less active on this thread in the future. Obviously
we can't respond to every single criticism on every list, anyway. 
Developers from our coalition are already participating and likely will
continue to do so directly.

Also, I'd be remiss if I didn't mention that Conservancy has tons of
other work to do, supporting its member projects (many of which are
permissively licensed btw), Outreachy[9] and a number of other important
initiatives like our employment agreement project, providing good
copyleft educational materials and solving the nonprofit accounting
problem. 

karen

[1] I admit, the legal profession isn't the best... I maintain my legal
credentials, but other than teaching classes for other lawyers I'm not
primarily in that role anymore. (I do continue as a volunteer and give
legal advice to FSF and GNOME as my free time permits - not much this
past weekend after following this whole thread, haha!) As Executive
Director of Conservancy, I rely on other lawyers for Conservancy's
legal work.  Not being able to see the source code to a device that is
literally sewn into my body and screwed into my heart gives me a
slightly different perspective on software freedom and has caused me to
contribute any way I can, even if I haven't coded in years. I appeal for
the copyleft generally on safety, security and business reasons.  I
also admit that while I have a pretty thick skin, I was somewhat taken
aback by the not-so-veiled threat of disbarment. FWIW, lawyers can hold
public or quasi-public sessions without automatically running afoul of
legal ethics. There is a long list of attorneys active in the field who
have presented at free and open source software events about myriad
topics.

[2] IAAL (though my primary work role is no longer in legal capacity)
but TINLA. I cannot point all of these out for obvious reasons.

[3] When we contact them one of the first things they see are the ways
we commit to making the process comfortable for them. This is true for
anyone who researches who we are and finds the Principles on our site.
The Principles not only talk about lawsuits as a last resort, but
provide the much more generous termination provisions, giving first-time
violators automatic restoration if the violation is fixed in a timely
fashion. We also respect confidentiality from companies who we believe
have a chance of doing the right thing, because while Linus may enjoy
taking a public potshot at a company out of compliance, I know from some
companies first hand that this is the singular thing that makes them
most nervous about committing to the kernel. There's a real fear that
even if they come into compliance they'll be exposed to liability by some
other rightsholder in some jurisdiction somewhere. 

[4] I don't think that a publicly archived list is the best venue for
it. Also, some of the developers in our coalition have strong beliefs
but soft voices.

[5] The majority of lawsuits in the last couple of years have not been
from anyone in Conservancy's coalition. Obviously, there are the suits
brought by Patrick, but there's also Versata/Ameriprise/Ximpleware in
which the GPL got caught in unrelated cross-fire. Whether or not the
kernel community wants to participate in lawsuits, courts will surely
wind up having GPL-related issues brought before them, and the results
of those cases will apply to the kernel as well. Info on the Versata
case is here:
https://opensource.com/law/14/7/lawsuit-threatens-break-new-ground-gpl-and-software-licensing-issues

[6] We try to coordinate with anyone active in the space who is willing
to coordinate with us. This incidentally has included rogue enforcers,
industry lawyers and anyone who does work to understand the copyright
status of the kernel (btw, in an early post, I said we coordinated with
dmg when I really meant 'gave feedback on big picture issues and tried
to coordinate' with the work LF is funding.  They have graciously
listened to our comments, but I want to be clear that Conservancy has
not been invited to participate or collaborate in the project in any
way.)

[7] The Q&A I proposed was not intended as a negotiation or an attempt
to provide legal advice to anyone. In fact it was not dissimilar in
character from the session Karen Copenhaver (lawyer to Linux Foundation)
led with Keith Bergelt in 2009. 

[8] https://lists.sfconservancy.org/mailman/listinfo/principles-discuss
which we launched last year to discuss the Principles of
Community-Oriented GPL Enforcement.

[9] I note that Outreachy itself has around 10 paid interns per year for
the kernel, and apparently "ranked #13 for contributions to the Linux
kernel during the last cycle" for organizations.
https://www.linuxfoundation.org/announcements/linux-foundation-releases-development-report-highlighting-contributions-to-linux
Thanks to everyone on this list who mentored and supported these
interns.

* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-29 18:49       ` Linus Torvalds
@ 2016-08-29 19:04         ` James Bottomley
  2016-08-30 18:00           ` Luis R. Rodriguez
  2016-08-29 20:19         ` Wolfram Sang
  1 sibling, 1 reply; 173+ messages in thread
From: James Bottomley @ 2016-08-29 19:04 UTC (permalink / raw)
  To: Linus Torvalds, Rik van Riel; +Cc: Bradley M. Kuhn, ksummit-discuss

On Mon, 2016-08-29 at 11:49 -0700, Linus Torvalds wrote:
> On Mon, Aug 29, 2016 at 10:42 AM, Rik van Riel <riel@redhat.com>
> wrote:
> > 
> > Companies like IBM and SGI started participating in Linux because
> > they knew no competitor would run off with their code, improve it
> > slightly, and offer a proprietary product for sale based on it.
> 
> Absolutely.
> 
> Right now we're in the situation that a lot of companies are very
> suspicious of the GPL, I do agree with Bradley on that.
> 
> But we put the blame on very different things - I at least partly 
> very much do blame the "culture" that goes with the GPL.  Corporate 
> users do see the hostility towards commercial use that we have in 
> some quarters.
> 
> We should be much more vocal about how it protects even companies 
> from people taking advantage of their code. Yes, they'll always want 
> to have their "value add" on top, but we should push the GPL as a 
> great model for core infrastructure everywhere.
> 
> We should strive to make companies *like* the GPL, and encourage
> exactly the kinds of things you mention.

As I said way far upthread: this is how I sold the GPL to Parallels.  I
definitely have real world experience of doing this and I'm happy to do
it for other companies and be part of the crowd that does this
encouragement.  We have a lot of support within the industry (Martin
Fink, ex HP CTO springs immediately to mind here).

As a side note: if you own a project you want to open source, Apache-2
ends up being practically the worst licence imaginable: not only can
your competitors make proprietary modified copies of your code they
don't have to show you, but they also gain rights to your patents with
which to do it.

James

* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-29 17:42     ` Rik van Riel
@ 2016-08-29 18:49       ` Linus Torvalds
  2016-08-29 19:04         ` James Bottomley
  2016-08-29 20:19         ` Wolfram Sang
  2016-08-29 21:31       ` Theodore Ts'o
  1 sibling, 2 replies; 173+ messages in thread
From: Linus Torvalds @ 2016-08-29 18:49 UTC (permalink / raw)
  To: Rik van Riel; +Cc: Bradley M. Kuhn, ksummit-discuss

On Mon, Aug 29, 2016 at 10:42 AM, Rik van Riel <riel@redhat.com> wrote:
>
> Companies like IBM and SGI started participating in Linux because
> they knew no competitor would run off with their code, improve it
> slightly, and offer a proprietary product for sale based on it.

Absolutely.

Right now we're in the situation that a lot of companies are very
suspicious of the GPL, I do agree with Bradley on that.

But we put the blame on very different things - I at least partly very
much do blame the "culture" that goes with the GPL.  Corporate users
do see the hostility towards commercial use that we have in some
quarters.

We should be much more vocal about how it protects even companies from
people taking advantage of their code. Yes, they'll always want to
have their "value add" on top, but we should push the GPL as a great
model for core infrastructure everywhere.

We should strive to make companies *like* the GPL, and encourage
exactly the kinds of things you mention.

What happens instead is the reverse.

For example, I just got a note from a person on the dronecode project,
where the GPL is being actively pushed away in favor of the
BSD-licensed code.

Quite frankly, when things like that keep happening, all the talk
about "GPL enforcement" is almost entirely pointless.  Nobody should
kid themselves - if it turns out to be almost entirely about the Linux
kernel, we should call it that.

And I really do blame the hardliner GPL copyleft people.

For example, I'd claim that one big reason LLVM has been so successful
has been entirely *technical* - but a technical issue pushed for by
strong copyleft.

One of the biggest advantages of LLVM has been the IR, which is
obviously one of the really core ideas of LLVM - that's where the
whole *name* of LLVM comes from: the generic IR concept, and the
"virtual machine" it is for.

Was having a generic and well-documented IR something really
revolutionary? No. People have been talking about it for years.
Including very much asking for it from gcc. If you write plugins, if
you do instrumentation, if you do any number of things (academic
people have lots of things that they want to interface with the
compiler), you really want to work with a good IR to get access to the
compiler without having to actually build and modify the compiler
itself.

In fact, I myself started "sparse" exactly because gcc was such a pain
to interface with.

So it's a very basic technical thing.

Gcc never had a good externally visible IR. Of course, part of it was
that gcc historically used RTL internally, which is just a much
nastier format than SSA, but I remember people asking for an
architecture-neutral IR long long ago (yes, I used to follow gcc
fairly closely), and a large part of it was also a _political_
decision for strong copyleft reasons. rms did not want an open IR,
because rms did not want those external plugins.

Yes, yes, gcc has a plugin model now. Competition happened, llvm was
getting quite powerful, there were tons of reasons why plugins do
exist.  But I think a lot of people turned to llvm simply because of
technical issues that at least partly had a historical political
strong copyleft source.

So I think a hard-liner attitude ends up really hurting projects
technically. If you want to use the license as a "weapon" to expand
your reach, it can and does back-fire. There were obviously other
reasons for llvm too, so I'm not claiming things like these are the
_only_ background, not at all.

End result: we want to show how the GPL can help make better
technology, and aim to have companies feel like the GPL protects
*them* too, and their efforts and assets.

I don't think that kind of awareness is very common. Instead, it's
seen as a fight.

                Linus

* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-28  7:47   ` Greg KH
  2016-08-28  9:54     ` David Woodhouse
@ 2016-08-29 17:42     ` Rik van Riel
  2016-08-29 18:49       ` Linus Torvalds
  2016-08-29 21:31       ` Theodore Ts'o
  1 sibling, 2 replies; 173+ messages in thread
From: Rik van Riel @ 2016-08-29 17:42 UTC (permalink / raw)
  To: Greg KH, Wolfram Sang; +Cc: Bradley M. Kuhn, Linus Torvalds, ksummit-discuss

On Sun, 2016-08-28 at 09:47 +0200, Greg KH wrote:
> 
> Some specific examples:
>   - huge SMP support.  Yes, Alan got basic SMP support working in Linux,
>     but in order to scale much larger we had to do different things.  As
>     SMP hardware was rare, it took companies that had that hardware to
>     do the work in the kernel to get things to work better.  Because of
>     that we got access to RCU, which without that, we would have never
>     been able to work as well as we have.  Look at the BSDs for an
>     example of this, they don't have access to RCU, and they can't
>     scale.

It is worth remembering why XFS, JFS, and RCU were made available
only under the GPL, and not under eg. a BSD license.

Linux got access to that code because of the GPL's obligation
that further improvements be made available to the whole community.

Companies like IBM and SGI started participating in Linux because
they knew no competitor would run off with their code, improve it
slightly, and offer a proprietary product for sale based on it.

GPL compliance efforts keep that expectation alive, and may be a
factor for new companies when deciding whether or not they can
afford to release their code under the GPL.

Persistent GPL violations could be a large negative for companies
worried about being undercut by competitors.

-- 

All Rights Reversed.

* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-28  0:16                     ` Linus Torvalds
@ 2016-08-29 16:57                       ` Matthew Garrett
  0 siblings, 0 replies; 173+ messages in thread
From: Matthew Garrett @ 2016-08-29 16:57 UTC (permalink / raw)
  To: Linus Torvalds; +Cc: Bradley M. Kuhn, ksummit-discuss

On Aug 27, 2016 7:16 PM, "Linus Torvalds" <torvalds@linux-foundation.org>
wrote:
>
> On Sat, Aug 27, 2016 at 5:02 PM, Matthew Garrett <mjg59@coreos.com> wrote:
> >
> > OK. A vendor sells 500,000 network-connected devices running a version of
> > Linux that has a vulnerability in the network driver that's discovered a
> > year later. The hardware is custom, they refuse to release source, and
> > they've discontinued the product line, so nobody else is able to fix it. Is
> > it acceptable to engage in litigation in order to ensure that owners of
> > these devices can receive a security update, even if by doing so we alienate
> > the vendor and cause them to choose another kernel in future?
>
> So why don't you name them and shame them very publicly and try
> everything else first?

I'm still at the point of trying to work with the company in a way that
avoids all that, and things get rather more complicated when you're also
trying to practice responsible disclosure over security issues. But yes,
obviously I'm not going to press for anything else unless every other
option has been exhausted first.

> If the vendor still exists, and sells other devices, make a big stink
> about it. It sounds like you've talked to them in private already, but
> why do you still call them "a vendor" now when you start talking about
> wanting to sue them?

I *don't* want to sue them. I just don't have faith that the other options
will be fruitful, and that seems to be a case you're not really focusing
on.

> Because without that, the answer is always going to be absolutely no,
> simply because of the "absolute last option" thing.
>
> And you talk about how you're helping users, but how many of them
> would actually upgrade? Very few people end up upgrading firmware even
> when it's automatic, much less so if it would mean that they'd switch
> to OpenWRT or DD-WRT or something (since presumably the *existing*
> firmware ends up having lots of non-GPL'd sources that you wouldn't
> get even with a lawsuit)?

The number would end up being small, but the alternative is that they *all*
end up running insecure code. Doesn't giving people the option seem worth
it?

> In practical terms, how would that help Linux?

There would probably be no direct benefits at all for Linux as a technical
project. There are potentially benefits in public perception of Linux-based
IoT devices as being less likely to be left behind after vendors move on.
But really, that's the question. If something has no significant benefit to
the Linux project, but does benefit users of the product, are you
fundamentally against lawsuits after every other option has been exhausted?

* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-28 20:36                   ` Linus Torvalds
  2016-08-29 15:35                     ` Steven Rostedt
@ 2016-08-29 16:26                     ` Jeremy Allison
  2016-08-30 17:13                     ` Luis R. Rodriguez
  2 siblings, 0 replies; 173+ messages in thread
From: Jeremy Allison @ 2016-08-29 16:26 UTC (permalink / raw)
  To: Linus Torvalds; +Cc: James Bottomley, Bradley M. Kuhn, ksummit-discuss

On Sun, Aug 28, 2016 at 01:36:38PM -0700, Linus Torvalds wrote:
> 
> We should put our goal posts in a totally different direction. We
> don't have a "community effort" to do marketing. We all realize how
> completely idiotic and stupid that would be. A "Software Freedom
> Marketing Center" would be laughed at.
> 
> Why the hell do people not laugh at it when it comes to legal issues?

Well you don't need any real training to do marketing. I know as I
have done marketing for Samba for years, and I know bugger-all about it :-).

Like it or not, legal issues *are* different. Screw up your marketing,
and you just fail to sell stuff. Screw up your legal compliance or anti-trust,
and you can find yourself with a $1bn fine (See Microsoft vs. EU for
the example I know most about). That concentrates the mind *wonderfully* :-).

> So I seriously believe that we should not see companies as the "enemy"
> and as a target of lawsuits. We should see the Linux companies as a
> big part of the community, and as the natural *defender* of the GPL.

Expecting Linux companies to be defenders of the GPL is a nice
thought, but is not going to happen. If it was, it would have
already happened by now. The IBM lawsuit was IBM counter-suing
SCO after SCO went nuts, and I believe Red Hat have also counter
sued a company that went after them for software patents.

Linux companies, like all companies, look after their own interests.
Nothing bad about that, just good business. Enforcing the GPL other
than in a counter-suit or for some other business purpose doesn't
make any sense.

Linux companies are our friends, and I'm happy to work for and with
them, but they're not going to represent the interests of the project
developers. That's simply not what they are for.

SFC, I'm happy to say, *does* represent our interests. That *IS*
what they are for so I'm happy to support them.

> But the people who then see proprietary software as "evil", and see
> companies as being amoral, and as the enemy (and this very much is how
> rms and the FSF was acting), those people were doing exactly the wrong
> thing, and I have been fighting that idiocy for as long as I've been
> using the GPLv2.

I don't see proprietary software as "evil", it's more of a nuisance
(like public littering :-).

> The fact that we didn't see proprietary software as evil, and that we
> opened our arms to companies made all the difference.

This is a good point I think. Samba has always been open to working
with proprietary software, and it has helped us build our ecosystem
(although for some reason we get labelled as zealots. I remember at
one SambaXP conference one company founder told me, "everyone told
me you were Free Software crazies but you're some of the most business
friendly developers I've ever met" :-).

> Because quite frankly, I think just by going by existing history,
> companies are better at lawsuits than the community is anyway. Just
> look at IBM.

That's because companies have a *lot* more practice at suing
people than we do. A fact that seems lost on some of the people
on this list (some of whom seem to think that community lawsuits
are so common and opportunistic that they simply *must* be gumming
up the courts :-).

* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-29 15:35                     ` Steven Rostedt
@ 2016-08-29 15:51                       ` Jiri Kosina
  2016-08-29 19:45                         ` Karen Sandler
  0 siblings, 1 reply; 173+ messages in thread
From: Jiri Kosina @ 2016-08-29 15:51 UTC (permalink / raw)
  To: Steven Rostedt
  Cc: James Bottomley, Bradley M. Kuhn, Linus Torvalds, ksummit-discuss

On Mon, 29 Aug 2016, Steven Rostedt wrote:

> What I read from you is that you feel that the SFC is too trigger happy 
> on the legal action side. If SFC were to say they really won't do that, 
> unless they get permission from the Linux kernel community as a whole, 
> would that make you feel better about them?

I, as well, pretty much agree with most of the things that have been said 
in the "lawsuits shouldn't be a regular tool to exercise GPL validity, 
there are a lot of other options which are more useful at the end of the 
day" tone.

However, to be fair -- isn't what you've written above exactly what SFC 
has been doing? Please correct me if I am wrong, but they are not 
executing any legal actions "on their own", are they? There always has to 
be someone from the community coming to them and initiating the trigger 
actions.

Now, if that is seen as a real problem, then a KS session just in between 
developers / maintainers, to shake out all the possibilities for Mr. Joe 
Developer in case of having really bad feelings about his code being 
misused, might be really helpful.

-- 
Jiri Kosina
SUSE Labs

* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-28 20:36                   ` Linus Torvalds
@ 2016-08-29 15:35                     ` Steven Rostedt
  2016-08-29 15:51                       ` Jiri Kosina
  2016-08-29 16:26                     ` Jeremy Allison
  2016-08-30 17:13                     ` Luis R. Rodriguez
  2 siblings, 1 reply; 173+ messages in thread
From: Steven Rostedt @ 2016-08-29 15:35 UTC (permalink / raw)
  To: Linus Torvalds; +Cc: James Bottomley, Bradley M. Kuhn, ksummit-discuss

On Sun, 28 Aug 2016 13:36:38 -0700
Linus Torvalds <torvalds@linux-foundation.org> wrote:


> And to further take that example: it was also a very good example of
> how companies really can help us. Any legal enforcement discussion
> absolutely should *not* be about "how does the open source community
> enforce the GPL against companies". That's just stupid talk, and makes
> it be about "individuals vs companies", which IS NOT TRUE. That's
> simply not how the community has worked in Linux, and it isn't how it
> *should* work.

If it is not "individuals vs companies" then what is it? "companies vs
companies" like IBM vs SCO? Or "foundation vs companies"? I guess the
question I have is if a copyright holder of code in the Linux kernel
finds that his code is being used in proprietary software, and wants
that code released (or simply the code of the developer be removed),
what steps should that developer take? I agree legal action is the
worse course, but there needs to be somewhere the developer can go to
get help, and influence to make the company comply. 

> 
> Seriously. I think we should see the IBM/SCO thing as an example of
> how we should all wish the GPL is to be used.
> 
> Do I want some "community effort" to try to create a "GPL test case"
> against some random badly behaving company that isn't even all that
> *meaningful* from a development standpoint? Hell no. Quite frankly,
> anybody who sees that as a good end goal should have their head
> examined. Yet that seems to be what the SFC sees as their goal in
> life.

If the SFC were not to use legal actions, and only be that organization
to help the above developer influence the company (by talking with them
to show how opening up their software is actually beneficial to them,
or by the shaming method if that doesn't work). What I read from you is
that you feel that the SFC is too trigger happy on the legal action
side. If SFC were to say they really won't do that, unless they get
permission from the Linux kernel community as a whole, would that make
you feel better about them?

> 
> We should put our goal posts in a totally different direction. We
> don't have a "community effort" to do marketing. We all realize how

Really? I thought that was what the Linux Foundation was ;-)

> completely idiotic and stupid that would be. A "Software Freedom
> Marketing Center" would be laughed at.
> 
> Why the hell do people not laugh at it when it comes to legal issues?

Again, I'm guessing that is because not all kernel developers feel they
are empowered to enforce the GPL when someone abuses *their* code.

Personally, I agree with everything you say, except that those that
feel otherwise are *stupid*. We are a bit more pragmatic, and as my
wife keeps telling me, I decide things more based on logic and not
emotion. Others, like RMS base their decisions mostly on principle,
even if it logically does not make sense. I respect that, even if I
don't agree with it, but I won't call it "stupid", just "illogical".



> So I seriously believe that we should not see companies as the "enemy"
> and as a target of lawsuits. We should see the Linux companies as a
> big part of the community, and as the natural *defender* of the GPL.

100% agree.

> 
> And we already have a really good example of that that people seem to
> be ignoring.
> 
> I would really want people to completely change their thinking about
> this "GPL enforcement" thing.
> 
> The great thing about the GPLv2 was how it turned copyright law
> "against itself" (really just against traditional use of copyright)
> and it has been described as a legal "judo move" - using copyright to
> *open* software instead of using it as a way to *restrict* software.
> It's why people call it "copyleft", after all.
> 
> THAT is the beauty of the GPLv2.
> 
> But the people who then see proprietary software as "evil", and see
> companies as being amoral, and as the enemy (and this very much is how
> rms and the FSF was acting), those people were doing exactly the wrong
> thing, and I have been fighting that idiocy for as long as I've been
> using the GPLv2.

I agree with you on this too.

> 
> The fact that we didn't see proprietary software as evil, and that we
> opened our arms to companies made all the difference.
> 
> Now those same small-minded people are making the SAME MISTAKE, all
> over again. I do *not* want anybody who talks about "evil" proprietary
> software to be seen as the "protector" of the GPL. No, people who
> talk about how proprietary software is "evil" should be seen as
> *stupid* people. Because they are. We showed them wrong.

Again, I would not call them "stupid". "illogical" perhaps but not
"stupid". It's not a lack of intelligence that drives these decisions,
but the sense of principle over logic.

> 
> And similarly, we should *not* see this as some crazy "community is
> protecting itself against companies" crap. Again, that's the stupid
> and wrong-headed FSF thinking. It's bad.
> 
> We have a ton of companies that are part of the community, and the
> same way we're bad at marketing and rely on companies to do that, we
> should at least _strive_ to work towards companies doing legal
> enforcement too.

OK, I guess this answers my question above. You feel that legal
enforcement should be "companies vs companies".

> 
> That's the true "judo" move.
> 
> Because quite frankly, I think just by going by existing history,
> companies are better at lawsuits than the community is anyway. Just
> look at IBM.

The reason why I'm responding to this email is because even though I
agree with the gist of your email, the tone is very much disheartening.
Perhaps you just want the FSF and SFC to go away and not exist anymore.
But I feel that they still have done more positive than negative and
are good for the community as a whole. I agree with you that we can't
let the "principle over logic" win. But people that are driven by
principle are much more likely to get new things done than those that
just do the logical actions. The GPL was created exactly because of
this.

You once said on stage that you are more like an Edison and not a
Tesla. You like to look at what's ahead and you are not a visionary.
Which for running a project like Linux has worked out very well,
because you let the visionaries do their thing, but ground them with
reality when they needed it. I say this is not much different. We need
people like those in FSF and SFC, but we also need to ground them with
logic. I believe working with them, but really vocalizing our voice
such that they don't represent us in a light we disapprove of, would be
helpful. But simply calling them "stupid" isn't helping anyone, and
that is stupid in itself.

-- Steve

* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-29 11:24       ` Maxime Ripard
@ 2016-08-29 11:50         ` Greg KH
  2016-08-30  9:57           ` Maxime Ripard
  0 siblings, 1 reply; 173+ messages in thread
From: Greg KH @ 2016-08-29 11:50 UTC (permalink / raw)
  To: Maxime Ripard; +Cc: Bradley M. Kuhn, Linus Torvalds, ksummit-discuss

On Mon, Aug 29, 2016 at 01:24:26PM +0200, Maxime Ripard wrote:
> Hi Greg,
> 
> On Sat, Aug 27, 2016 at 06:26:55PM +0200, Greg KH wrote:
> > Someone in a reddit thread about this email conversation said, in trying
> > to quote Linus, something along the lines of "the nuclear option should
> > have been done to Allwinner a long time ago".  And that proved my point
> > exactly.  Allwinner was a pain for a very long time.  But as developers,
> > and through the efforts of a lot of people at the Linux Foundation and
> > Linaro, Allwinner is now a contributor to the kernel, and actively
> > sponsors developers to write GPLv2 code for their chips.
> 
> While I generally agree with you on this topic, this is simply not
> true.
> 
> As the Allwinner SoC maintainer, I never received any patch from
> someone either from the Linux Foundation or Linaro. And to the best of
> my knowledge, I'm not aware of anyone being paid by Allwinner to work
> on the kernel.

You wouldn't have gotten anything from the LF (we don't have many
developers as you know), but I thought that Allwinner was part of
Linaro, is that not correct?

> Allwinner is not a pain anymore because a few hobbyists started
> working on the kernel to improve the situation.

Really?  How did the work for the Chip computer come about?  That's an
Allwinner processor, right?

thanks,

greg k-h

* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-27 16:26     ` Greg KH
  2016-08-27 21:18       ` Bradley M. Kuhn
  2016-08-27 23:02       ` Jeremy Allison
@ 2016-08-29 11:24       ` Maxime Ripard
  2016-08-29 11:50         ` Greg KH
  2 siblings, 1 reply; 173+ messages in thread
From: Maxime Ripard @ 2016-08-29 11:24 UTC (permalink / raw)
  To: Greg KH; +Cc: Bradley M. Kuhn, Linus Torvalds, ksummit-discuss

Hi Greg,

On Sat, Aug 27, 2016 at 06:26:55PM +0200, Greg KH wrote:
> Someone in a reddit thread about this email conversation said, in trying
> to quote Linus, something along the lines of "the nuclear option should
> have been done to Allwinner a long time ago".  And that proved my point
> exactly.  Allwinner was a pain for a very long time.  But as developers,
> and through the efforts of a lot of people at the Linux Foundation and
> Linaro, Allwinner is now a contributor to the kernel, and actively
> sponsors developers to write GPLv2 code for their chips.

While I generally agree with you on this topic, this is simply not
true.

As the Allwinner SoC maintainer, I never received any patch from
someone either from the Linux Foundation or Linaro. And to the best of
my knowledge, I'm not aware of anyone being paid by Allwinner to work
on the kernel.

Allwinner is not a pain anymore because a few hobbyists started
working on the kernel to improve the situation.

Maxime

-- 
Maxime Ripard, Free Electrons
Embedded Linux and Kernel engineering
http://free-electrons.com


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-29  6:26                 ` Greg KH
@ 2016-08-29 11:10                   ` Harald Welte
  2016-08-30 17:38                   ` Mark Brown
  1 sibling, 0 replies; 173+ messages in thread
From: Harald Welte @ 2016-08-29 11:10 UTC (permalink / raw)
  To: Greg KH; +Cc: James Bottomley, Linus Torvalds, Bradley M. Kuhn, ksummit-discuss

Hi Greg,

On Mon, Aug 29, 2016 at 08:26:38AM +0200, Greg KH wrote:

> No one I have talked to has ever said that any of those companies were
> actually doing anything "wrong" with regards to the GPL at all.

I'm not sure whether this is generally true.  As somebody very concerned
about "bad" enforcement and the fall-out it can generate, and also as
somebody who has maybe even set the example on how to do GPL enforcement
(in Germany) at all, I have had a look at some of the (few) cases that
actually went to court, and actually also attended one of the court
hearings (against Telefonica) in person.  And the reason he lost (or
rather backed out before losing) that particular one was merely based
on procedural mistakes, and not on merits of the case.  Unfortunately
the detailed legal briefs and filings of lawsuits in Germany are not
published (and to the contrary, they are copyrighted works of the
lawyers who write them), so it is rather hard to know what actually
happened.

So yes, there are all kinds of allegations and rumours about what
Patrick did or didn't do.  With none of the parties involved talking
about what actually happened, it is difficult to get down to the truth.

The biggest problem that I actually see in terms of Patrick's
enforcement is that he didn't talk about it, and hence created an
atmosphere where rumours, fear, uncertainty and doubt can dominate the
discussions.  His unwillingness to explain himself even within the
netfilter developers or the netfilter core team were also the reason why
he ultimately was suspended.

> He just went for small companies who couldn't defend themselves.

This is getting more and more off-topic, but I wouldn't e.g. call
Telefonica a "small company".

> We don't want GPL "enforcement" to ever be like patent trolls, that way
> is a death sentence for Linux.

This is very clear, and that's what the SFC has spearheaded with its
"principles of community-oriented enforcement".

So yes, if the allegations against Patrick are true, then it is
something where probably everyone in this discussion thread agrees it is
far outside the consensus of when or how enforcement should be done.
But it is exactly because it is _against_ what the SFC stands for, not
because the SFC is in any way doing anything that can be compared to the
alleged activities of Patrick McHardy.

Regards,
	Harald
-- 
- Harald Welte <laforge@gnumonks.org>           http://laforge.gnumonks.org/
============================================================================
"Privacy in residential applications is a desirable marketing option."
                                                  (ETSI EN 300 175-7 Ch. A6)

* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-28 22:54                   ` Bradley M. Kuhn
@ 2016-08-29  9:01                     ` Harald Welte
  0 siblings, 0 replies; 173+ messages in thread
From: Harald Welte @ 2016-08-29  9:01 UTC (permalink / raw)
  To: Bradley M. Kuhn; +Cc: Linus Torvalds, ksummit-discuss

Dear Linus, Ted, Greg and others,

sorry for being late to the party.

Given that I've been somebody doing quite a bit of GPL enforcement on
the Linux kernel in the 2003-2010 time frame with my gpl-violations.org
initiative, I think I may share some perspective.

For those not aware, gpl-violations.org was created out of some
netfilter/iptables project enforcement after the first Linux based WiFi
routers came on the market in about 2003.  It used my own copyright on
netfilter/iptables, as well as some copyright from Rusty Russell, David
Woodhouse and Werner Almesberger, who helped me with that effort.

As I've been mostly absent from netfilter/iptables and moved my focus to
a topic that I feel is in more desperate need of free software
development (FOSS cellular infrastructure, now at osmocom.org), the
gpl-violations.org efforts had become dormant meanwhile.

During the active time of the project, we had some ~ 300 GPL violation
cases, out of which the large majority could be resolved out of court.
IIRC, less than 10 had to go to court, because the respective infringing
entity has not been willing to get into compliance.  All enforcement in
court was successful, i.e. in the end, the ruling was in favor of
upholding and enforcing the GPL against those infringers.  All of the
cases were about cease + desist, and none about damages.

We always had way more (confirmed) reports of GPL violations than we
ever could handle, and despite a general trend to more compliance in the
industry today than 10 years ago, Linux is entering new markets / device
types / use cases, and as a result of that I doubt that we've reached
"peak violation" yet.  So *lots* of work remains to be done.

I've also been a bit sad that many developers of copyleft-licensed
software told me they think it's great that somebody is doing
enforcement - but they didn't want to get active themselves, due to the
unpleasant paperwork involved, which only distracts them from actual
development work.

So there clearly was space for an entity that would enable the
developers (who hold their own copyright) to do something about license
enforcement, but without having to take care of all the nitty-gritty
legal details themselves.  And I'm quite happy that the SFC has done
something to fill that void.

* I agree with David Woodhouse and others earlier in the thread: Using
  the GPL and not doing enforcement is useless, and you should have gone
  for BSD/MIT instead, if that's the goal.

* In all I know, see and hear about the activities of the Software
  Freedom Conservancy, they always explicitly act upon what the
  developers ask them to do.  What I know about their "Coalition
  Membership" agreement is that it exactly reflects that notion, i.e.
  the SFC cannot act on its own, but only on behalf of its coalition
  members, who are individual Linux kernel developers who hold their
  copyright.

* It might differ from jurisdiction to jurisdiction, but in general if
  you hold copyright on one part of a collaborative project like the
  Linux kernel, you are entitled to enforce at least a cease + desist
  claim on your own behalf and do not need the support of all the other
  copyright holders or even the majority of the copyright holders.  I
  consider this a strength of the "distributed copyright" approach,
  where you don't have a single point of failure (copyright holder), or
  an oligopoly of large corporations who have control over who can
  enforce or cannot enforce.  Sure, this has some risks as we have seen
  with the alleged actions by Patrick McHardy.  But then, doesn't every
  freedom come with some risk?

On Sat Aug 27 00:19:55 UTC 2016, Linus Torvalds wrote:

> I'd not be interested in ever having a lawsuit to "clarify" such an
> issue. I don't think it would really clarify anything anyway (it will
> just set one boundary in one case for one specific thing).

You might not have an interest in that lawsuit, but actually a lot of
corporate users (and lawyers) might actually like to have more clarity
here.  Yes, every case will be very specific about the exact type of
integration between two parts of the code, within the given
jurisdiction, etc. - but if you have a set of these, they can give
guidance as to what is acceptable under copyright law and its notion of
derived (and other combined/collective) works, and what not.

That's how legal grey areas are generally treated.  Some rules exist,
some people do something that other people think goes beyond the
boundary of those rules, a legal conflict ensues and one precedent after
another, courts bring more fine-grained clarity to narrow down the grey
area into more black and white, and less grey.

Now whether it would be good for Linux (or FOSS in general), is probably
a philosophical question.  I'm just saying particularly corporate users
would love to have more clear-cut rules by which they could determine
compliance in derived works.

Also, of course it is not clear whether "we" (Linux developers) would
like the exact outcome of such cases.

In the end it boils down to: Do we want to linger more in grey areas and
have people with varying view points and agendas making all kinds of
statements and assumptions, or do we defer to the "arbitration" of case
law to do it for us?

I'm personally not so sure that keeping things lingering in the grey is
always the best strategy, also from a commercial/economical point of view.

But then, I still think that cases about derived works like the
VMware vs. Christoph Hellwig are important.  Otherwise, once again, what
is the point of having a copyleft/GPL licensed OS kernel, if vendors of
proprietary OSs can just take entire sub-systems (or parts of that), and
hack that up to run inside their proprietary kernels?  If that's the
intent, again, BSD/MIT would have been the right license.

On Sat Aug 27 16:26:55 UTC 2016, Greg-KH wrote:

> Seriously, this is NOT how to do things.  Over the years yes, my
> position has changed from being pissed when I see devices ship without
> code for their changes, to realizing that I actually can do much more
> than any lawyer can.  I can take those developers and make them part
> of our own project, ensuring we can survive.

I don't think it is an exclusive-or.  In many cases, legal action
(either out of court or in court) has been a trigger to companies
putting attention on FOSS / GPL license compliance in the first place,
and massively helped even those forces inside the company that wanted to
release the code.

You talk in legal language to the legal departments.  They bring it up
to the senior management for a risk assessment.  And the result of that
assessment will determine whether or not they feel inclined to do
anything about it (both for the current case and for future strategy),
as the latter will cost money/resources.  So in the absence or mostly
absence of legal enforcement, the result of the risk analysis will be
"it won't cost us anything to continue to not care".

At the same time you can try to get in touch with the engineers in terms
of working more cooperatively with the community.  But then, they don't
make those decisions and have to defer that up to their management.  If
the management then in the ideal case at some point realizes that
a) they don't want to keep stuff proprietary for legal risk reasons, and
b) they might have other benefits from not doing 'gpl code drops' but
working with upstream,
you have won.

However, the legal enforcement is in my experience often a necessary
first step to make them release source code in the first place.  Only
then you can have a discussion about the form (code drop vs. git repos
vs. community interaction).

On Sun Aug 28 08:04:59 UTC 2016, Greg-KH wrote:

> Let's please stick to what has gotten us this far, and not change to
> being rude and disrespectful to our users and developers by getting
> lawyers involved.

I am not sure if we live on the same planet ;)

Using a lawsuit as the last resort option to get incompliant companies
in line is not rude at all.  It is at the end of a process, where the
infringing entity is not willing to be compliant (translates to: release
the complete+corresponding source code) without such a lawsuit.

So if you want to talk about 'rude' in this context, you could also say
the other way around:  The infringing entity is rude by ignoring our
community and how it works, and by furthermore ignoring the essential
requirement to comply with the license term (like any software or
copyrighted material).

I can even confirm about several cases where the "Linux friendly" people
(including lawyers + technical) at formerly-infringing companies have
thanked me privately again and again for giving their cause inside the
company a stronger backing, and for being the external trigger that
helps to bring them around internally.

As described above, I think talking to the legal departments gives you a
very important vector into those companies.

On Sun Aug 28 08:04:59 UTC 2016, Greg-KH wrote:

> That way we know will cause us to fail.

I can tell you about one of the largest electronics companies on this
planet, who have set up internal teams to study and review license
compliance in more than 1000 products _after_ their market introduction,
and who have significant departments inside the organizations to ensure
license compliance from thereon.  That all was the result of legal
enforcement (all out of court, but involving lawyers) being done at
gpl-violations.org.  And btw, at some point later, they also started
contributing to FOSS projects more openly.

The point here is: Legal threats (or sometimes lawsuits) are wake-up
calls to companies that _want_ to do the right thing, but who simply
haven't been aware of it, or who haven't given it the right
attention/priority before.  They are *not* upset about enforcement being
brought against them.

Of course this largely depends on corporate culture of the respective
formerly-infringing entity.  But I really have to dispute your blanket
statement on "getting lawyers involved will cause us to fail".

On Sun Aug 28 08:04:59 UTC 2016, Greg-KH wrote:

> Do you know who the next "Intel" will be as a huge corporate sponsor
> of Linux developers and intrinsic to our future?  I sure don't, but I
> do know that by treating offenders with lawyers, you ensure that they
> never will be that type of supporter.

I don't want to call out the name of my above example, but they actually
fit your description pretty well and have become a large corporate
sponsor of Linux.  I'm happy to share the example privately, if you'd
like.

Legal disputes are not the end of the world, or a nuclear option, or a
drone bomb.  They are part of a civilized discourse between entities
that at least at that point have a different opinion, or had been
ignorant.  And a legal dispute escalating to court (even in case the
infringing defendant agrees they were wrong) may have all kinds of
reasons unrelated to the subject matter.

On Sun Aug 28 08:04:59 UTC 2016, Greg-KH wrote:

> What is the case is that so far, I have seen that it is _ALWAYS_ better
> to work with the offending company than it is to go in with lawyers.  Or
> representatives.

You can get very good results by talking to legal departments of
companies, I can absolutely vouch for that.  In fact, at
gpl-violations.org I had given up to try to contact the companies in any
other way.  You simply never get to the right person in charge, and are
mostly wasting your time. However, if you go through the legal
department, you get the attention of the decision makers pretty soon.
In most cases, it is a very productive dialogue, and not a battle or a
fight.  I really think you're overly paranoid when it comes to members
of the legal profession.

In any case, getting slightly more on topic regarding ksummit: If anyone
was interested to hear more about my take on Linux GPL enforcement, I'd
be more than happy to share it. Be it at the kernel summit or other
event.  Be it as a bof, talk, panel, whatever.  I would like to hope
that I'm perceived as less "partisan" here, given that
a) I am an actual (albeit past) Linux kernel developer, and
b) was never aligned with the SFC or the FSF, nor any large corporation
c) have lots of hands-on experience on the subject matter.

It's an offer.  I don't seek to push myself onto centerstage with this,
but let me know if anyone thought it would be useful.

Regards,
	Harald
-- 
- Harald Welte <laforge@gnumonks.org>           http://laforge.gnumonks.org/
============================================================================
"Privacy in residential applications is a desirable marketing option."
                                                  (ETSI EN 300 175-7 Ch. A6)

* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-28 14:06               ` David Woodhouse
@ 2016-08-29  6:26                 ` Greg KH
  2016-08-29 11:10                   ` Harald Welte
  2016-08-30 17:38                   ` Mark Brown
  0 siblings, 2 replies; 173+ messages in thread
From: Greg KH @ 2016-08-29  6:26 UTC (permalink / raw)
  To: David Woodhouse
  Cc: James Bottomley, Linus Torvalds, Bradley M. Kuhn, ksummit-discuss

On Sun, Aug 28, 2016 at 02:06:44PM -0000, David Woodhouse wrote:
> Even though I abhor what Patrick McHardy is doing, I still can't quite
> find it in my heart to have *sympathy* for his victims. Because it's not
> as if he's just taking random pot-shots at passers-by on the street. These
> people defended their actions in court, and lost.

No, that's not what Patrick did.  Whenever he actually took something to
court, _he_ lost.  Companies paid him off before then because they were
scared for foolish reasons, or it was honestly just cheaper to do it
than go to court and win.  He took the traditional model of patent troll
to the next level.

No one I have talked to has ever said that any of those companies were
actually doing anything "wrong" with regards to the GPL at all.  He just
went for small companies who couldn't defend themselves.

Again, just like patent trolls.  Go watch the wonderful talk at the LF
Collab summit this year from Lee Cheng, the lawyer from New Egg as to
how he has worked really hard to stop patent trolls, and how, even if
you don't do anything wrong at all, you can easily get sued by them, and
how much work it takes to fight these types of things.

We don't want GPL "enforcement" to ever be like patent trolls, that way
is a death sentence for Linux.  Just like what happened to Busybox.

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 173+ messages in thread

* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-28 19:58                 ` Theodore Ts'o
@ 2016-08-28 22:54                   ` Bradley M. Kuhn
  2016-08-29  9:01                     ` Harald Welte
  0 siblings, 1 reply; 173+ messages in thread
From: Bradley M. Kuhn @ 2016-08-28 22:54 UTC (permalink / raw)
  To: ksummit-discuss; +Cc: Linus Torvalds

Theodore Ts'o wrote earlier today:
> The reason why it's fair game to compare your statements with statements
> made a few months ago is for the same reason why the Daily Show played back
> old clips of politicians.

I'd be delighted to go through a political vetting process with those of you
that want that, but I suggest it's better to move that off-list.  We could
later produce the email thread as one unit for people to read if they like.
Contact me off list if you'd like to do that.  (As such, this will be my last
on-list response to anything related to material from my past talks, etc.)

I do wonder, however, if vetting me will actually yield the results you want.
Many already pointed out that (a) Conservancy's actions are on behalf of our
coalition, at their behest, and also that (b) Karen Sandler is my boss.  So,
I answer to both the coalition *and* her in any actual work that I might do.
While I admit that I love talking about my own opinions on things (and it
seems that Ted enjoys watching videos of my opinions -- BTW, I'd certainly
enjoy the "Daily Show with Ted Ts'o" more than "with Trevor Noah"), I really
wonder if most folks on the list, or in the larger Linux developer community,
care about *my* words as opposed to the *coalition's* actual actions, which I
agree do deserve substantial attention and I encourage you to vet them.

> Well, people who live near battlegrounds often have a different opinion
> about sending in the troops compared to generals back in Washington
> D.C. who are ordering in the drone strikes.
...
Linus Torvalds wrote elsewhere in the thread:
>> But the people who then see proprietary software as "evil"

I don't believe any company, organization, entity or person mentioned in this
thread is evil, including the ones that produce proprietary software.  I
certainly want a world where proprietary software doesn't exist, but
proprietary software is not evil; calling it such is as hyperbolic as
comparing enforcing the GPL to drone strikes.
--
   -- bkuhn
========================================================================
Become a Conservancy Supporter today: https://sfconservancy.org/supporter

^ permalink raw reply	[flat|nested] 173+ messages in thread

* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-28  4:42               ` Bradley M. Kuhn
@ 2016-08-28 20:51                 ` James Bottomley
  0 siblings, 0 replies; 173+ messages in thread
From: James Bottomley @ 2016-08-28 20:51 UTC (permalink / raw)
  To: Bradley M. Kuhn, ksummit-discuss; +Cc: Linus Torvalds

On Sat, 2016-08-27 at 21:42 -0700, Bradley M. Kuhn wrote:
> James Bottomley wrote earlier today:
> > Knowing there's a threat of legal action lurking in the background 
> > produces far different conversations because it puts the other 
> > party on the legal defensive ... for all of us
> 
> Your primary argument centers around the idea that the mere 
> *existence* of *anyone* willing to file a lawsuit about a Linux 
> violation irreparably thwarts your ability to exercise your unique 
> compliance-seeking skills.  Greg has made similar arguments.  If 
> that's true, then I wonder what time frame you're talking about, 
> since Harald has been filing lawsuits since 2004, and has filed so 
> many about Linux.  Conservancy has filed none; rather, we helped
> fund and provided some logistical support for Christoph's lawsuit.

I thought it was clear, but just in case, we're talking about now.

> > Well, my recollection of the first conversation about VMware in San
> > Diego airport in 2012 was you telling me you wanted to go after
> > them and me giving you all my concerns around the possibility of an
> > adverse judgement.
> 
> That was just a short time after we discovered a Linux violation was 
> also present in addition to VMware's BusyBox violation [0], a full 
> two years before Christoph became involved and three years before he 
> chose to sue.  (This timeline has been in the VMware lawsuit FAQ on 
> Conservancy's website since the lawsuit was filed [1].)  That FAQ 
> makes reference to the fact that we sought assistance from "every
> industry contact we had".
> 
> You were among those industry contacts.  That very LinuxCon week you 
> mention, I encouraged you, Greg, and Jim Zemlin to do whatever you 
> could to attempt to get VMware to DTRT and comply with GPL.  I 
> specifically asked you and Jim to reach out to them, since as LF 
> Board members, you would have direct contacts with VMware, as a
> member company that funds LF.
> 
> Also, I believed, as you say, that you were skilled in some types of
> negotiation that I am not.  (I specifically recall saying to you as I 
> left for my flight: "we've just discovered the violation, so there's 
> time; please do what you can in the meantime".)  The large group of 
> copyright holders who were unhappy at VMware's violation then waited 
> for years for all of you to work your magic, but VMware never
> complied.  I now understand...
> > the problem would have been that your terms aren't mine.
> 
> ... that whole part of the exercise was moot because you probably 
> didn't want VMware to comply, anyway.  That explains a lot; thank you 
> for telling me.

I didn't tell you that.  You're equating not supporting all the terms
you want to impose (some of which are pretty onerous in the post
settlement regime) with being pro violators.  This would appear to be
your way or the highway.

James

> > On Sat, 2016-08-27 at 19:02 -0700, Bradley M. Kuhn wrote:
> > > Everyone here is talented and has different skills; please don't
> > > assume that yours are the only ones that produce value and good
> > > results.
> James Bottomley wrote:
> > I wasn't, but I get the impression you do.
> 
> Your impression is incorrect.  I have great respect for your skill in
> achieving GPL compliance outcomes in the specific industry sectors 
> where you've deployed them.  I believe your stories of all the 
> successes you've had and told me about over the years, and I thank
> you for that work.
> 
> [0] VMware's BusyBox violation was resolved *without* litigation, and VMware
>     still ships, AFAIK, a GPL-compliant BusyBox as part of their products
>     today -- yet another counter example to the incorrect memes about BusyBox
>     and its enforcement in this thread.
> 
> [1] https://sfconservancy.org/copyleft-compliance/vmware-lawsuit-faq.html
> --
>    -- bkuhn
> ========================================================================
> Become a Conservancy Supporter today: https://sfconservancy.org/supporter

^ permalink raw reply	[flat|nested] 173+ messages in thread

* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-28 19:36                 ` Theodore Ts'o
@ 2016-08-28 20:36                   ` Linus Torvalds
  2016-08-29 15:35                     ` Steven Rostedt
                                       ` (2 more replies)
  0 siblings, 3 replies; 173+ messages in thread
From: Linus Torvalds @ 2016-08-28 20:36 UTC (permalink / raw)
  To: Theodore Ts'o; +Cc: James Bottomley, Bradley M. Kuhn, ksummit-discuss

On Sun, Aug 28, 2016 at 12:36 PM, Theodore Ts'o <tytso@mit.edu> wrote:
>
> I didn't say that.  I said consensus driven and taking into account
> all of the stakeholders.  If it makes you feel better, how about
> "Linus as the benevolent dictator"?  He makes a point of gathering
> input from multiple stakeholders, and delegating authority to others
> for day to day decisions.  That's how we do our development, after
> all.

So quite honestly, I think everybody would be much happier if we were
not even ever in the situation where that would be required.

Personally, I really think that legal action by the "community" is not
at all what we should hope for, or even _aim_ for. As mentioned, I
don't think it has worked wonderfully well.

But we do have examples of Linux GPL-related legal action that I think
we *all* can agree has worked absolutely stunningly well.

I don't think anybody disagrees that IBM's legal actions against SCO
were a really good thing. No, that was not mainly about some "GPL test
case" or "license clarification", and it wasn't even _mainly_ about
the GPL.

But the GPL _was_ part of it, and both the license and the community
came out really well in it.

What I'm happy about it is also that it was a defensive suit, and
quite frankly, when we talk about "going to war" and "nuclear
options", I have to say that "defensive" is also a big big positive.
Because offensive use of nuclear options is just a f*cking bad idea.
Seriously.

And to further take that example: it was also a very good example of
how companies really can help us. Any legal enforcement discussion
absolutely should *not* be about "how does the open source community
enforce the GPL against companies". That's just stupid talk, and makes
it be about "individuals vs companies", which IS NOT TRUE. That's
simply not how the community has worked in Linux, and it isn't how it
*should* work.

Seriously. I think we should see the IBM/SCO thing as an example of
how we should all wish the GPL is to be used.

Do I want some "community effort" to try to create a "GPL test case"
against some random badly behaving company that isn't even all that
*meaningful* from a development standpoint? Hell no. Quite frankly,
anybody who sees that as a good end goal should have their head
examined. Yet that seems to be what the SFC sees as their goal in
life.

We should put our goal posts in a totally different direction. We
don't have a "community effort" to do marketing. We all realize how
completely idiotic and stupid that would be. A "Software Freedom
Marketing Center" would be laughed at.

Why the hell do people not laugh at it when it comes to legal issues?

The fact is, Linux is in a very different position than the one that
Jeremy Allison describes for samba. Or the one we were in 20 years
ago. We have very consciously tried to make various companies be
*part* of our community, and they have been an incredibly powerful
resource. They employ a lot of the engineers, but they do so much more
too.

So I seriously believe that we should not see companies as the "enemy"
and as a target of lawsuits. We should see the Linux companies as a
big part of the community, and as the natural *defender* of the GPL.

And we already have a really good example of that that people seem to
be ignoring.

I would really want people to completely change their thinking about
this "GPL enforcement" thing.

The great thing about the GPLv2 was how it turned copyright law
"against itself" (really just against traditional use of copyright)
and it has been described as a legal "judo move" - using copyright to
*open* software instead of using it as a way to *restrict* software.
It's why people call it "copyleft", after all.

THAT is the beauty of the GPLv2.

But the people who then see proprietary software as "evil", and see
companies as being amoral, and as the enemy (and this very much is how
rms and the FSF was acting), those people were doing exactly the wrong
thing, and I have been fighting that idiocy for as long as I've been
using the GPLv2.

The fact that we didn't see proprietary software as evil, and that we
opened our arms to companies made all the difference.

Now those same small-minded people are making the SAME MISTAKE, all
over again. I do *not* want anybody who talks about "evil" proprietary
software to be seen as the "protector" of the GPL. No, people who
talk about how proprietary software is "evil" should be seen as
*stupid* people. Because they are. We showed them wrong.

And similarly, we should *not* see this as some crazy "community is
protecting itself against companies" crap. Again, that's the stupid
and wrong-headed FSF thinking. It's bad.

We have a ton of companies that are part of the community, and the
same way we're bad at marketing and rely on companies to do that, we
should at least _strive_ to work towards companies doing legal
enforcement too.

That's the true "judo" move.

Because quite frankly, I think just by going by existing history,
companies are better at lawsuits than the community is anyway. Just
look at IBM.

                        Linus

^ permalink raw reply	[flat|nested] 173+ messages in thread

* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-28 16:26               ` Bradley M. Kuhn
@ 2016-08-28 19:58                 ` Theodore Ts'o
  2016-08-28 22:54                   ` Bradley M. Kuhn
  0 siblings, 1 reply; 173+ messages in thread
From: Theodore Ts'o @ 2016-08-28 19:58 UTC (permalink / raw)
  To: Bradley M. Kuhn; +Cc: ksummit-discuss

On Sun, Aug 28, 2016 at 09:26:49AM -0700, Bradley M. Kuhn wrote:
> 
> Finally, with regard generally to my past statements, I see a tendency by a
> small few on this thread to look at statements I made years ago, and
> shoehorn those statements as a response to something specific in this
> discussion.  This is particularly strange behavior given that I am *actually*
> responding actively to this thread -- it's not as if I'm some inaccessible
> public figure whom you can't ask to clarify and discuss an issue.

Actually, we're taking it from your 2016 LCA talk, "Copyleft for the
Next Decade: A Comprehensive Plan", which you gave in February of this
year.  And one of the things which is interesting is that on this
thread, there's an emphasis on "oh, we just want to get access to the
source", whereas in the talk, it's more of "Linux will be the
battleground over the future of Copyleft", with an explicit and clear
emphasis of trying to litigate the question of kernel modules in
multiple legal jurisdictions.

Well, people who live near battlegrounds often have a different
opinion about sending in the troops compared to generals back in
Washington D.C. who are ordering in the drone strikes.  So this is
where listening to regrets of one of the Busybox founders might be
educational.

The reason why it's fair game to compare your statements with
statements made a few months ago is for the same reason why the Daily
Show played back old clips of politicians.  One of the really powerful
things about You Tube and modern video technology in general is that
it's much harder for politicians to say one thing to one constituency,
and another thing to a different constituency.  And to my mind, that's
a really good thing.

Regards,

						- Ted

^ permalink raw reply	[flat|nested] 173+ messages in thread

* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-28 15:43               ` Jeremy Allison
@ 2016-08-28 19:36                 ` Theodore Ts'o
  2016-08-28 20:36                   ` Linus Torvalds
  0 siblings, 1 reply; 173+ messages in thread
From: Theodore Ts'o @ 2016-08-28 19:36 UTC (permalink / raw)
  To: Jeremy Allison
  Cc: James Bottomley, Bradley M. Kuhn, .jra, Linus Torvalds, ksummit-discuss

On Sun, Aug 28, 2016 at 08:43:56AM -0700, Jeremy Allison wrote:
> On Sun, Aug 28, 2016 at 08:55:42AM -0400, Theodore Ts'o wrote:
> > 
> > For the record, I believe there can be a case for the shiny red
> > button. I just want Linus, and not the SFC (or some --- as admitted
> > by the SFC --- minority set of developers), to be the one who decides
> > when it's appropriate to push it.
> > 
> > I've said it before, and I've said it again.  For me, this is much
> > more about a project governance issue.  We don't let random pissed off
> > army officers decide when to start World War III...
> 
> Ted, there is a massive inconsistency here.
> 
> For decisions on legal action you want a top-down, corporate
> power structure - with only authorized management making
> decisions on when and how to proceed.

I didn't say that.  I said consensus driven and taking into account
all of the stakeholders.  If it makes you feel better, how about
"Linus as the benevolent dictator"?  He makes a point of gathering
input from multiple stakeholders, and delegating authority to others
for day to day decisions.  That's how we do our development, after
all.

						- Ted

^ permalink raw reply	[flat|nested] 173+ messages in thread

* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-28 12:55             ` Theodore Ts'o
  2016-08-28 14:06               ` David Woodhouse
  2016-08-28 15:43               ` Jeremy Allison
@ 2016-08-28 16:26               ` Bradley M. Kuhn
  2016-08-28 19:58                 ` Theodore Ts'o
  2016-08-30 16:15               ` Luis R. Rodriguez
  3 siblings, 1 reply; 173+ messages in thread
From: Bradley M. Kuhn @ 2016-08-28 16:26 UTC (permalink / raw)
  To: ksummit-discuss

Theodore Ts'o wrote at 05:55 (PDT) today:
> there are limits to what we could do to stop Patrick McHardy.

That's precisely why Conservancy and our coalition cooperated fully with the
efforts by LF and others to seek mitigation techniques to deal with Patrick's
activities.  Conservancy worked closely with the Netfilter team as they
developed their statement [0], and made a statement too about the problems
with his enforcement [1].  We were delighted to help you with that issue.

> For the record, I believe there can be a case for the shiny red
> button.  I just want Linus, and not the SFC (or some --- as admitted
> by the SFC --- minority set of developers), to be the one who decides
> when it's appropriate to push it.

Others have replied to point out the way to centralize such GPL enforcement
control is to mandate copyright assignment to Linus.

That isn't to say we shouldn't listen very carefully to what Linus has to say
on the subject.  We should take his opinions on this very seriously.  This is
why I sought Linus' advice before agreeing to help Christoph in the VMware
case, and Linus told me he didn't want that control, and always wanted
individual developers to make their own decisions.  Like James and others, I
also believe all copyrights should reside with individual developers, and
copyright assignment should always be 100% optional.

Linux has a mixed bag on that last point.  While there fortunately is no
central authority that demands copyright assignment for all merged-upstream
contributions to Linux, a non-scientific review indicates that most new Linux
copyrights generated aren't in the hands of developers, but assigned to their
employers.  I suggest that Linux developers start demanding to keep their own
copyrights, rather than giving them to any corporation (a for-profit company
*or* a charity like I work for).  Conservancy led the way by making copyright
assignment 100% optional for all our projects since our inception, and
recently launching the ContractPatch [2] initiative to help developers demand
to keep (or get back) their own copyrights from their employers.

> .... includes those "evil corporations" that Bradley loves to bash so
> much in his conference talks.  (Both Linus, Greg, and I have alluded to
> Bradley's talks, because fortunately, they are available on YouTube.  And
> we've been looking at them...

I am glad that you've found the availability of my and Karen's talks useful.
I take great logistical effort to make sure both my and Karen's talks are
available because Conservancy does all of our work transparently.  But,
please don't attribute to me things I didn't say.

Specifically, I don't recall ever using the phrase "evil corporations" to
refer to anything other than a joke.  First of all I also work hard to avoid
describing anything as "evil".  It's inappropriate hyperbole; "evil"
accurately describes atrocities like mass murder.  Anyone able to respond to
this thread is privileged because little (if anything) ever happens in our
lives that's evil.  Anyway, I *work* for a corporation (it's "Software
Freedom Conservancy, Inc."), so if I thought corporations were evil (or
bad), I'd also think my own employer is evil (or bad).  I don't.

Instead, what I have said, as I put on a final slide of a recent talk, is
suggest that we should question the authority of corporations.  I regularly
question the behavior of all the employers of people posting on this thread,
just as four of you here are questioning the behavior of my employer.
Questioning, and receiving answers to those questions, is a healthy community
process. (BTW, there are very few corporations who participate in the Linux
community that rally the Chief Executive (Karen), a high-ranking staffer
(me), and a member of their Board of Directors (Jeremy) to participate
directly with the Linux community in discussions about important policy
throughout the week *and* all weekend long.)

Finally, with regard generally to my past statements, I see a tendency by a
small few on this thread to look at statements I made years ago, and
shoehorn those statements as a response to something specific in this
discussion.  This is particularly strange behavior given that I am *actually*
responding actively to this thread -- it's not as if I'm some inaccessible
public figure whom you can't ask to clarify and discuss an issue.

Also, I have not even been in *charge* of Conservancy's day-to-day operations
for almost three years.  Karen is, and she has *also* responded to this
thread.  So, worrying that my statements in some talk sets perpetual policy
is akin to worrying that some statement that Linus makes in a mailing list
will be automatically adopted by Jim Zemlin as official Linux Foundation
policy.  Linus surely has huge influence over LF policy just as I have huge
influence over Conservancy policy, but neither of us makes the final call for
our orgs.  I explicitly abdicated that authority at Conservancy because Karen
is the much better person for the job.  As I said to James last night on this
thread, I recognize when other people are better at things than I am and I
work hard to ensure my work complements theirs.  In my view, that's a
fundamentally necessary trait for a Free Software contributor.

> But Linus has stated pretty clearly what his preferences are,

Yes, and like me, Linus makes lots of public statements, so we can just read
his preferences [3]:

   "I think licence choice is very much a personal issue, and while I
   personally prefer the GPL exactly because it 'forces' you to
   co-operate"

   "if somebody decides that they want to enforce the GPL, and seriously
   believe they have a strong case for code they wrote, I think that's their
   choice too."

[0] https://marc.info/?l=netfilter&m=146887465012705&w=2
    https://www.netfilter.org/files/statement.pdf 
[1] https://sfconservancy.org/blog/2016/jul/19/patrick-mchardy-gpl-enforcement/
[2] https://sfconservancy.org/blog/2016/aug/04/everything-is-negotiable/
[3] http://www.itwire.com/open-source/74432-no-highs,-no-lows-linus-torvalds-on-25-years-of-linux.html
--
     -- bkuhn
========================================================================
Become a Conservancy Supporter today: https://sfconservancy.org/supporter

^ permalink raw reply	[flat|nested] 173+ messages in thread

* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-28  8:04             ` Greg KH
@ 2016-08-28 15:58               ` Jeremy Allison
  0 siblings, 0 replies; 173+ messages in thread
From: Jeremy Allison @ 2016-08-28 15:58 UTC (permalink / raw)
  To: Greg KH; +Cc: Bradley M. Kuhn, Linus Torvalds, ksummit-discuss

On Sun, Aug 28, 2016 at 10:04:59AM +0200, Greg KH wrote:
> Ok, I'm not saying "never should legal action be taken", but what I am
> saying is the same thing that Linus said, "only under the most dire
> circumstances", the nuclear option.
> 
> So yes, if someone takes all of our source code, slaps a different
> license on it and calls it something else, I would be first in line to
> call up my lawyer to get them to stop doing that.  But that's never been
> the case here.

Haha ! That's *exactly* what happened to us, and is the closest
we've ever gotten to legal action over licensing :-).

> Go back and read my response to Bradley again and think about what a
> company goes through when someone shows up knocking at their door saying
> "I am a representative of copyright holders of the kernel, and want you
> to release all the code you are shipping."  They batten down the hatches
> and work to fight against it for all of the reasons I already gave.

But that's *not* what happens. You're implying that this is first
contact. It isn't. The developers have already gone to that same
company, tried to find the engineers who wrote that code, and asked
them "hey, need any help in getting your code merged upstream to make
your lives easier for your next product?"

Someone only shows up knocking at their door when that approach has
failed - for *years*.

> Compare that to a _developer_ going to that same company, finding the
> engineers who wrote that code, and asking them "hey, need any help in
> getting your code merged upstream to make your lives easier for your
> next product?"

Oh snap, eh ! :-).

> Now you can work with that company, getting them to upstream bits and
> pieces of their code, until they are suddenly really invested in this
> community much more so than before and they see the business benefit of
> working together.
> 
> It's a totally different question, approach, and in the end, our way
> works, while the SFC's way does not.

You seem to think the two are completely mutually exclusive. That's
not correct. The SFC has great flexibility in negotiations, and
is responsible to the developers who allow them to act on their behalf.

Do you really think SFC is some kind of "independent" actor in these
things ? SFC has an agenda, as does everyone. But developers interests
are *paramount* for them.

> I object to the SFC's position of "let us handle those pesky copyright
> issues for you" (paraphrased), as when a developer does that, they give
> up the real power that they have.  The SFC's a one-trick pony (give us
> the code, all of it, throw it over the wall or we will sue), while as a
> developer, I have 101 tricks I can use to achieve even a better
> end-solution (the company is part of the community, not alienated by
> it.)

Again, that's not what is done. SFC also does these 101 tricks, and
just like you they have to do them in *private*, to avoid embarrassment
to the company in question.

Which may be why you have a wildly distorted view of what the SFC
actually does when negotiating with companies.

> Developers are in a more powerful position than they realize, and I
> object to the SFC taking that power away.  In fact, the SFC _needs_
> developers in order to even be in business, if no developer signs their
> agreements, there's nothing for them to do!

This is a misrepresentation of what the SFC does. As I've said
before the SFC is like a union. Their interest is in their membership's
rights.

> So I strongly support developers getting the rights to their copyrights,
> not because it can be then used as a legal club to wield against others,
> but as a way to help ensure that their company continues to always
> invest and support Linux, as they know it works out better when everyone
> has a stake in it, not just individuals, and not just corporations.

This I 100% agree with ! Developers - KEEP YOUR OWN COPYRIGHTS !
I have always done so for Samba. It can be hard, but as Greg says
here keeping your state as an individual gives you a voice.

> We really are one big happy family here, but when the SFC (or the FSF)
> gets involved, we start bickering and problems happen.  It did so with
> Busybox, and it is now doing so in Linux.  And I don't want that to
> happen.

SFC is part of the family. Might be the ones you don't want to invite
to your wedding, but they're related nonetheless :-).

^ permalink raw reply	[flat|nested] 173+ messages in thread

* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-28 12:55             ` Theodore Ts'o
  2016-08-28 14:06               ` David Woodhouse
@ 2016-08-28 15:43               ` Jeremy Allison
  2016-08-28 19:36                 ` Theodore Ts'o
  2016-08-28 16:26               ` Bradley M. Kuhn
  2016-08-30 16:15               ` Luis R. Rodriguez
  3 siblings, 1 reply; 173+ messages in thread
From: Jeremy Allison @ 2016-08-28 15:43 UTC (permalink / raw)
  To: Theodore Ts'o; +Cc: ksummit-discuss, 

On Sun, Aug 28, 2016 at 08:55:42AM -0400, Theodore Ts'o wrote:
> 
> For the record, I believe there can be a case for the shiny red
> button. I just want Linus, and not the SFC (or some --- as admitted
> by the SFC --- minority set of developers), to be the one who decides
> when it's appropriate to push it.
> 
> I've said it before, and I've said it again.  For me, this is much
> more about a project governance issue.  We don't let random pissed off
> army officers decide when to start World War III...

Ted, there is a massive inconsistency here.

For decisions on legal action you want a top-down, corporate
power structure - with only authorized management making
decisions on when and how to proceed.

But for the project as a whole Linus has clearly said he
expects self-interest to govern people's actions.

*You can't have it both ways* ! If self interest governs
people's actions in joining in the project, then self interest
also governs their activities in enforcing the license.

What you seem to have trouble with is that other contributors
have *different* self-interests to you when it comes to enforcement.

You don't agree, and that's fine. But you can't control what
other people choose to do, just like you can't control if they
decide to participate in the project or not. People will do
what they feel is in their own self-interest - just as you
are doing here.

^ permalink raw reply	[flat|nested] 173+ messages in thread

* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-28  4:24           ` Jeremy Allison
  2016-08-28 12:55             ` Theodore Ts'o
@ 2016-08-28 15:37             ` James Bottomley
  1 sibling, 0 replies; 173+ messages in thread
From: James Bottomley @ 2016-08-28 15:37 UTC (permalink / raw)
  To: Jeremy Allison; +Cc: Bradley M. Kuhn, Linus Torvalds, ksummit-discuss

On Sat, 2016-08-27 at 21:24 -0700, Jeremy Allison via Ksummit-discuss
wrote:
> On Sat, Aug 27, 2016 at 07:43:29PM -0600, James Bottomley wrote:
> > 
> > Heh, well, if I called bullshit, I'd lose my reputation for politeness
> > (although perhaps Linus would finally come to respect me).  Let me just
> > point out that your 0.57% or however you define it, is why no
> > corporation currently trusts you or wants to talk to you unless forced
> > by their lawyers.  Without mutual trust, there's no basis for
> > negotiation, so all your attempts at compliance are overshadowed by
> > this end game.
> 
> In a discussion, when you accuse your opponent of flat-out lying
> and being untrustworthy there's no place left to go.
> 
> Let's not do that. I don't think it's helpful.

I attacked the argument not the man.

> However, "no corporation currently trusts you or wants to talk to
> you unless forced by their lawyers" is inaccurate (note I don't
> think you're lying, just mistaken here).
> 
> My employer is a large funder of Conservancy (check their funding
> spreadsheet for details), and I promise you we talk without legal
> requests to do so (even though Karen managed to crash the badging
> system here last time she visited :-).

OK, I'll modify no to hardly any.  However, Google isn't such a great
exemplar given that it's currently doing its new kernel under apache-2
and sees this as an advantage.

> > Your inability to recognise that there are other methods beyond 
> > holding out this 0.57% club, and that a lot of other people have 
> > achieved significant compliance and even community contributions 
> > using them, is why your statements generate such a lot of strong 
> > reactions.  It reminds me a lot of the 70s and 80s "Mr President, 
> > under what conditions would you be willing to press the nuclear 
> > button?" which isn't really a world I want to go back to.
> 
> That isn't the question that's being asked though. The question
> that is being asked is "should there be a nuclear button *at all* ?".
> 
> Your opinion on that is clear and I understand why you hold it.
> There are many other developers who hold the same opinion, but
> lots of them work on FreeBSD not Linux.
> 
> Respectfully, I don't agree with you. Greg and Ted seem to agree
> with you, Linus (like me) seems to imagine there can be a case for
> that shiny red button.

That's a bit of a straw man: I've drawn the equivalency between
litigation and the nuclear button, but I've never said there shouldn't
be one.

I've actually spent a lot of time carefully preserving this option:
it's not actually an easy feat in modern America to ensure you own
copyright in your own code, but I've done it.  I certainly believe that
once you press it, you're forever contaminated by the fallout.

James


> To be honest I never would have put you down as a CND supporter
> (but I suppose all those years you spent in a tent at Greenham
> Common should have given me a hint :-).

* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-28 12:55             ` Theodore Ts'o
@ 2016-08-28 14:06               ` David Woodhouse
  2016-08-29  6:26                 ` Greg KH
  2016-08-28 15:43               ` Jeremy Allison
                                 ` (2 subsequent siblings)
  3 siblings, 1 reply; 173+ messages in thread
From: David Woodhouse @ 2016-08-28 14:06 UTC (permalink / raw)
  To: Theodore Ts'o
  Cc: James Bottomley, Bradley M. Kuhn, Linus Torvalds, ksummit-discuss

> I've said it before, and I've said it again.  For me, this is much
> more about a project governance issue.  We don't let random pissed off
> army officers decide when to start World War III.

This, too, is completely inappropriate hyperbole. It is bizarre to draw
comparisons between the level of destruction that a nuclear war would
involve, and the act of holding a few law-breakers to account when years
of attempting to get them to stop breaking the law has failed.

Remember, Harald held criminals to account in Germany for years without
any signs of triggering armageddon.

The only people who have *anything* to fear are those who are breaking the
law.

Even though I abhor what Patrick McHardy is doing, I still can't quite
find it in my heart to have *sympathy* for his victims. Because it's not
as if he's just taking random pot-shots at passers-by on the street. These
people defended their actions in court, and lost.

In some way, we should all take responsibility for Patrick. Because if we
hadn't been *so* lax about holding offenders to account, and if we hadn't
allowed *so* much rampant abuse of our code to pass without taking action,
there wouldn't have been so much low-hanging fruit for Patrick to make use
of.

We'd all have been better off with *someone* doing what Conservancy does,
and taking the time to work with companies to bring them into compliance
-- using the far-off threat of litigation that nobody *really* wants to
resort to, purely to keep them at the table.

> Similarly Linux has
> established consensus processes that take into account *all* of the
> stakeholders,

Linus explicitly declined to take copyright assignments, actually, so no
consensus is required. Of course, you still only really have anything to
fear from litigation if you'd actually *lose* it.

And sure, courts can be fickle but it's not exactly hard to make sure you
are *clearly* obeying the licence.

-- 
dwmw2


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-28  4:24           ` Jeremy Allison
@ 2016-08-28 12:55             ` Theodore Ts'o
  2016-08-28 14:06               ` David Woodhouse
                                 ` (3 more replies)
  2016-08-28 15:37             ` James Bottomley
  1 sibling, 4 replies; 173+ messages in thread
From: Theodore Ts'o @ 2016-08-28 12:55 UTC (permalink / raw)
  To: Jeremy Allison
  Cc: James Bottomley, Bradley M. Kuhn, .jra, Linus Torvalds, ksummit-discuss

On Sat, Aug 27, 2016 at 09:24:54PM -0700, Jeremy Allison via Ksummit-discuss wrote:
> Your opinion on that is clear and I understand why you hold it.
> There are many other developers who hold the same opinion, but
> lots of them work on FreeBSD not Linux.
> 
> Respectfully, I don't agree with you. Greg and Ted seem to agree
> with you, Linus (like me) seems to imagine there can be a case for
> that shiny red button.

For the record, I believe there can be a case for the shiny red
button.  I just want Linus, and not the SFC (or some --- as admitted
by the SFC --- minority set of developers), to be the one who decides
when it's appropriate to push it.

I've said it before, and I've said it again.  For me, this is much
more about a project governance issue.  We don't let random pissed off
army officers decide when to start World War III.  Similarly Linux has
established consensus processes that take into account *all* of the
stakeholders, which yes, includes those "evil corporations" that
Bradley loves to bash so much in his conference talks.  (Both Linus,
Greg, and I have alluded to Bradley's talks, because fortunately, they
are available on YouTube.  And we've been looking at them, and then
comparing them to what has been claimed to be the SFC's position by
Bradley, Karen, and yourself.)

The SFC seems to be willing to take on a small subset of developers
and seems to have asserted "we will do what our clients tell us to
do".  We might or might not be able to stop the SFC, just as there
are limits to what we could do to stop Patrick McHardy.

But Linus has stated pretty clearly what his preferences are, and if
the SFC is going to 100% back the position Bradley has taken in his
linux.conf.au talk vis-a-vis "we have to take on the kernel module
question in as many legal venues as possible" and "having exhausted
Busybox because companies have switched to Toybox due to the
litigation risks, Linux is the next great battleground for the GPL"
--- then perhaps it's understandable why a number of kernel developers
aren't going to trust the SFC's agenda and motives.

					- Ted


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-28  7:47   ` Greg KH
@ 2016-08-28  9:54     ` David Woodhouse
  2016-08-29 17:42     ` Rik van Riel
  1 sibling, 0 replies; 173+ messages in thread
From: David Woodhouse @ 2016-08-28  9:54 UTC (permalink / raw)
  To: Greg KH, Wolfram Sang; +Cc: Bradley M. Kuhn, Linus Torvalds, ksummit-discuss

On Sun, 2016-08-28 at 09:47 +0200, Greg KH wrote:
> 
> So I strongly believe that without the help of companies contributing to
> Linux, we wouldn't be here where we are today.  It's taken everyone to
> get here, we can't do it alone.  So let's never try to cut ourselves off
> of people we perceive as "the enemy", and instead, treat them as merely
> "oh, they don't quite get it yet", and work to educate them and bring
> them into our community[2].

Greg, this is completely unhelpful hyperbole. All your examples are
arguing against a massive straw man.

Nobody is calling companies "the enemy", or trying to say that they
have not contributed massively to the development of Linux.

Of *course* we want corporate involvement. But we just want everyone to
follow the terms of the licence.

There is a *small* minority of bad actors who simply don't do what the
licence requires of them. And it *isn't* harmless. When a closed but
"good enough" solution exists, it massively reduces the motivation to
work on a *proper* open source solution. Without OpenAFS, we'd have got
true AFS support in the kernel much sooner. Without the nVidia driver,
we'd have had much faster progress on nouveau. Without the binary-only
Broadcom wireless drivers, we'd have had a much better platform for
OpenWRT and the like to develop on.

Sure, some GPL violations are a "victimless crime", but many aren't.
Many violators actually do compete with honest companies who are
paying the extra cost of doing the right thing, and undercutting them
by taking the shortcuts.

James said that the "solid business rationale" for contributing to
GPL'd code is based on the fact that "your competition HAS TO show you
the code they would compete with you on".

That's *my* stress on the words "HAS TO", of course — because in a
world where nobody was *ever* actually held to the terms of the
licence, and everyone got away with just treating it as if it were BSD
and contributing back only when they felt like it, the bottom would
fall out from under James's "solid business rationale".

Failing to contribute GPL'd code back when the GPL says you "have to"
is a risk. You seem to be arguing that you want to make it
unambiguously *not* a risk to break the law in that way, and you don't
seem to realise that we *need* it to be a risk because that's the
underpinning of *all* the quiet negotiations that we *hope* will always
be sufficient to resolve every violation.

-- 
dwmw2


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-28  4:34           ` Jeremy Allison
@ 2016-08-28  8:04             ` Greg KH
  2016-08-28 15:58               ` Jeremy Allison
  0 siblings, 1 reply; 173+ messages in thread
From: Greg KH @ 2016-08-28  8:04 UTC (permalink / raw)
  To: Jeremy Allison; +Cc: Bradley M. Kuhn, Linus Torvalds, ksummit-discuss

On Sat, Aug 27, 2016 at 09:34:01PM -0700, Jeremy Allison wrote:
> On Sat, Aug 27, 2016 at 10:58:42PM -0400, Steven Rostedt wrote:
> > 
> > I'm not sure Greg's answer is really "never". But I think this is
> > similar to the analogy of dealing with rogue nations. Going to war is
> 
> It seemed pretty clear to me that Greg's answer was that there
> was no possible situation where he would countenance an enforcement
> lawsuit against a GPL violator.
> 
> I really don't want to put words in anyone's mouth or misread their
> intent so if I am mistaken or misread what he wrote I'd love to be
> corrected here.

Ok, I'm not saying "never should legal action be taken", but what I am
saying is the same thing that Linus said, "only under the most dire
circumstances", the nuclear option.

So yes, if someone takes all of our source code, slaps a different
license on it and calls it something else, I would be first in line to
call up my lawyer to get them to stop doing that.  But that's never been
the case here.

What is the case is that so far, I have seen that it is _ALWAYS_ better
to work with the offending company than it is to go in with lawyers.  Or
representatives.

Go back and read my response to Bradley again and think about what a
company goes through when someone shows up knocking at their door saying
"I am a representative of copyright holders of the kernel, and want you
to release all the code you are shipping."  They batten down the hatches
and work to fight against it for all of the reasons I already gave.

Compare that to a _developer_ going to that same company, finding the
engineers who wrote that code, and asking them "hey, need any help in
getting your code merged upstream to make your lives easier for your
next product?"

Now you can work with that company, getting them to upstream bits and
pieces of their code, until they are suddenly really invested in this
community much more so than before and they see the business benefit of
working together.

It's a totally different question, approach, and in the end, our way
works, while the SFC's way does not.

I object to the SFC's position of "let us handle those pesky copyright
issues for you" (paraphrased), as when a developer does that, they give
up the real power that they have.  The SFC's a one-trick pony (give us
the code, all of it, throw it over the wall or we will sue), while as a
developer, I have 101 tricks I can use to achieve even a better
end-solution (the company is part of the community, not alienated by
it.)

Developers are in a more powerful position than they realize, and I
object to the SFC taking that power away.  In fact, the SFC _needs_
developers in order to even be in business, if no developer signs their
agreements, there's nothing for them to do!

So I strongly support developers getting the rights to their copyrights,
not because it can be then used as a legal club to wield against others,
but as a way to help ensure that their company continues to always
invest and support Linux, as they know it works out better when everyone
has a stake in it, not just individuals, and not just corporations.

We really are one big happy family here, but when the SFC (or the FSF)
gets involved, we start bickering and problems happen.  It did so with
Busybox, and it is now doing so in Linux.  And I don't want that to
happen.

thanks,

greg k-h


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-27 18:35 ` Wolfram Sang
  2016-08-27 22:50   ` Linus Torvalds
@ 2016-08-28  7:47   ` Greg KH
  2016-08-28  9:54     ` David Woodhouse
  2016-08-29 17:42     ` Rik van Riel
  1 sibling, 2 replies; 173+ messages in thread
From: Greg KH @ 2016-08-28  7:47 UTC (permalink / raw)
  To: Wolfram Sang; +Cc: Bradley M. Kuhn, Linus Torvalds, ksummit-discuss

On Sat, Aug 27, 2016 at 08:35:50PM +0200, Wolfram Sang wrote:
> Greg, Linus,
> 
> Putting all the enforcement issues aside, there is one sentence that
> struck me:
> 
> > > And corporations are a _huge_ part of our community, and frankly,
> > > the only reason we are where we are today.
> 
> I don't question the first part of the sentence, but I disagree with
> 'the only reason' in the second part.
> 
> The reason where we are today is the result of _all people_ contributing
> to Linux. I think our community is a lively mixture of participants
> hacking because of commercial, technical, enthusiastic, ideological and
> what not reasons. The beauty (and the challenge) is all of us working
> together. IMO this is one very important part which attracts some of the
> special talent which makes our community awesome. For me, it surely did.
> And that talent usually can't be attracted by, say, large investments or
> similar (which admittedly attracts other special talent and is OK, too).
> 
> So, I don't think it is fair to give credits "where we are today" _only_
> to the commercial side. And I have a hard time believing this view is
> fundamentally different from yours?

Ok, yes, that was worded a bit poorly, but we are developers, not
lawyers, and obviously no one is proof-reading our emails :)

The fact that we have made Linux a very friendly place to work with has
helped corporations help us out.  Almost everyone contributes to Linux
in a selfish manner, as I always say, and as Linus just said so again.

And that's great, as we want people to be selfish this way, because it
turns out that the solution for one company is almost always good for
everyone else as well.  And, the work that companies do in being selfish
are almost always things that any one of us working "on our own" would
have never done.

Some specific examples:
  - huge SMP support.  Yes, Alan got basic SMP support working in Linux,
    but in order to scale much larger we had to do different things.  As
    SMP hardware was rare, it took companies that had that hardware to
    do the work in the kernel to get things to work better.  Because of
    that we got access to RCU, which without that, we would have never
    been able to work as well as we have.  Look at the BSDs for an
    example of this, they don't have access to RCU, and they can't
    scale.
  - New hardware support, without access to specs, or hardware to test
    on, it takes a long time to get a kernel working.  USB 2 and USB 3
    support was sponsored by companies who had access to the specs
    early, and wanted to sell their hardware.  Linux was the better for
    this as we ended up getting it first.  Again, the BSDs are just now
    getting the basics of USB 3 support, as it's having to be done by
    people on their "own time".
  - LSM support.  My "day job" at the time was working on security
    things for Linux, and when the topic of a LSM came up at the kernel
    summit, I saw a way that I could get my employer to "sponsor" that
    work.  Without that, I certainly wouldn't have done it, as really,
    who wants to mess with that type of thing unless they have to?  :)
  - "Enterprise" features.  IBM pumped a lot of money into Linux to
    advance a lot of functionality that we didn't have, but it was
    perceived[1] that other operating systems did have at the time.
    These are things that on our own, we would have never done as we
    wouldn't have cared, nor would we have ever had access to hardware
    that "large".

And then there's the basic issue of the fact that when Linux kernel
developers get hired to work on the kernel full time, we get the chance
to both help our employer out (by letting them sell hardware) and we get
the chance to notice where other things need to be done.  I'm sure that
you have seen this when you are working for a client and notice that
"hey, we should really fix up all of those USB error messages some time
in the future" :)

So I strongly believe that without the help of companies contributing to
Linux, we wouldn't be here where we are today.  It's taken everyone to
get here, we can't do it alone.  So let's never try to cut ourselves off
of people we perceive as "the enemy", and instead, treat them as merely
"oh, they don't quite get it yet", and work to educate them and bring
them into our community[2].

thanks,

greg k-h

[1] When Solaris released their code many years ago, I poked around in
    it to see how they had solved many of the problems that we had had
    to implement in Linux based on "It's in Solaris so we have to have
    it in Linux as well!".  Turns out that Solaris never really did
    implement a lot of those things that they were talking about on
    their pretty marketing brochures.  We were working against a
    marketing department that was desperate for sales, so they were
    making stuff up based on what they thought the customer wanted.  If
    they would have gotten the sales, then maybe Solaris would have
    gotten the features.  So in a way, Solaris's marketing department
    was a driving force in how well Linux succeeded in those markets.

[2] Again, look at Intel as an example of how well this works.  They
    used to be a horrid example of a company abusing the GPL.  Also now
    look at Microsoft's support for Linux as another way that us being
    nice actually helps us.


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-28  4:40           ` Jeremy Allison
@ 2016-08-28  6:25             ` David Woodhouse
  0 siblings, 0 replies; 173+ messages in thread
From: David Woodhouse @ 2016-08-28  6:25 UTC (permalink / raw)
  To: Jeremy Allison, James Bottomley
  Cc: Bradley M. Kuhn, Linus Torvalds, ksummit-discuss

On Sat, 2016-08-27 at 21:40 -0700, Jeremy Allison via Ksummit-discuss
wrote:
> 
> "legal penalties" are a last, worst option - that I think
> everyone agrees with. The core issue to me is - should
> "legal penalties" *ever* be an option ?

As I said before, they have to be an option.

Because otherwise you basically don't have a negotiating position at
all.

The GPL gives a *legal* framework under which a party is required to do
certain things. You can't even point that fact out to a violator
without *some* kind of implicit suggestion that they might be held to
their legal obligations.

If all it took was "it'll be good for you and everyone else is doing
it" then we wouldn't actually need the GPL licence at all; a BSD
licence would be sufficient.

And if we added a clause to the kernel's COPYING file which made it
say that "legally you have to release source... but we promise we'll
never sue if you don't", then that basically *turns* it into a BSD
licence for most purposes.

Legal penalties are a last worst option. Absolutely. But they have to
*be* an option.

-- 
dwmw2




* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-28  4:47             ` Theodore Ts'o
  2016-08-28  5:17               ` Jeremy Allison
@ 2016-08-28  5:38               ` Bradley M. Kuhn
  1 sibling, 0 replies; 173+ messages in thread
From: Bradley M. Kuhn @ 2016-08-28  5:38 UTC (permalink / raw)
  To: ksummit-discuss; +Cc: Linus Torvalds

Theodore Ts'o wrote a little while ago:
> and act even on matters where Linus has expressed a clear preference that
> it is *not* in the best interest of Linux,

I can't figure out which matter you're talking about here.  It can't be
VMware, because, as I posted yesterday [0], I specifically talked with Linus
about VMware before Conservancy made a commitment to work with Christoph, and
Linus said "what they're doing is in bad taste and someone should probably do
something about it".

> It's the fact that the Conservancy feels that it can cherry pick
> developers,

The cherry-pick went the other way: developers cherry-picked *us*.  As
previously explained [1], developers came to Conservancy to ask us to help
them enforce because no one else would help.  Once Harald's organization,
gpl-violations.org, was defunct, it was tough to keep saying "no" to them, so
we finally just said "yes".  (BTW, Harald told us in April that he may get
gpl-violations.org running again, and if so he will coordinate with
Conservancy.)

Also, either side can terminate the enforcement agreements at any time: the
developers if they no longer trust Conservancy, or Conservancy can terminate
if Conservancy chooses not to help those developers enforce anymore.

[0] https://lists.linuxfoundation.org/pipermail/ksummit-discuss/2016-August/003637.html
[1] https://lists.linuxfoundation.org/pipermail/ksummit-discuss/2016-August/003620.html
--
   -- bkuhn
========================================================================
Become a Conservancy Supporter today: https://sfconservancy.org/supporter


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-28  4:47             ` Theodore Ts'o
@ 2016-08-28  5:17               ` Jeremy Allison
  2016-08-28  5:38               ` Bradley M. Kuhn
  1 sibling, 0 replies; 173+ messages in thread
From: Jeremy Allison @ 2016-08-28  5:17 UTC (permalink / raw)
  To: Theodore Ts'o; +Cc: Bradley M. Kuhn, Linus Torvalds, ksummit-discuss

On Sun, Aug 28, 2016 at 12:47:20AM -0400, Theodore Ts'o wrote:
> On Sat, Aug 27, 2016 at 04:35:21PM -0700, Jeremy Allison via Ksummit-discuss wrote:
> > On Sat, Aug 27, 2016 at 04:13:25PM -0700, Linus Torvalds wrote:
> > > 
> > > Quite frankly, after having watched a few videos of Bradley talking
> > > about what he does and _why_ he does it, I really would never want to
> > > have him or the SFC represent Linux in court. Ever. Not unless they
> > > make it very clear that their agenda has changed.
> > 
> > So the thing I think you're missing here, is your own argument
> > about enlightened "self interest".
> > 
> > Yes, Bradley and Conservancy have an agenda. They represent
> > us (Samba) when that agenda and self interest *align with
> > ours*. When they don't, nothing happens (remember they only
> > act on our behalf).
> > 
> > It's just like development - they want one legal thing, you
> > want another. Only when the two align do you work together.
> 
> Jeremy --- suppose there was a single person who had contributed to
> Samba, and he had a different opinion from the rest of the Samba team,
> and he went to the Conservancy on his own, and he and the Conservancy
> decided to take legal action on that one person's behalf (since it
> helped pursue the Conservancy's agenda, even if it didn't advance
> Samba's interests) --- and so it was something that you and the rest
> of the Samba developers didn't think was in the best interest of the
> Project.  In fact, what if that legal action was something that
> disrupted a relationship with a company that you considered extremely
> strategic?
> 
> What would happen then?  (Assume you weren't on the board, so you
> wouldn't be able to put the kibosh on it that way.)  Perhaps more
> importantly, would you think that was morally a sound thing to do?

I would be pissed off, for sure. But first I'd ask them
why they felt they needed to do so ? What wasn't the
Samba leadership doing that they wanted us to do ?

If they had been raising the issue for a long time, and
had been ignored or their concerns sidelined without any
resolution then I'd still be pissed off, but I'd understand
why they did what they did.

And I'd have no grounds to prevent them from doing so.

Samba has been forked in the past by people who wanted different
things than we were willing to do - which came from a far
more acrimonious internal discussion than this one within
Linux (as forks often do).

How did we publicly respond ? Like this:

https://www.samba.org/samba/tng.html

"I look forward to seeing more development in TNG now that the
developers are not constrained by the more conservative elements
of the Samba Team (such as myself!) and I will be delighted to
see the project flourish. There has been only one viable SMB
server solution for the free software community for far too long,
and a world with only one choice is a boring place indeed.

Andrew Tridgell
October 2000"

The fork failed, but that's not the point.

tridge always had more class than all the rest of us
put together.

> It's the fact that the Conservancy feels that it can cherry pick
> developers, and act even on matters where Linus has expressed a clear
> preference that it is *not* in the best interest of Linux, is why I
> think the term "rogue agent" very much applies.

See above for why I think you're wrong in calling Conservancy
a "rogue agent".


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-28  1:43         ` James Bottomley
  2016-08-28  2:02           ` Bradley M. Kuhn
  2016-08-28  4:24           ` Jeremy Allison
@ 2016-08-28  5:09           ` Jeremy Allison
  2 siblings, 0 replies; 173+ messages in thread
From: Jeremy Allison @ 2016-08-28  5:09 UTC (permalink / raw)
  To: James Bottomley; +Cc: Bradley M. Kuhn, Linus Torvalds, ksummit-discuss

On Sat, Aug 27, 2016 at 07:43:29PM -0600, James Bottomley wrote:

> However, some developers do trust you and you've built a coalition of
> the willing around that and you're off selecting targets; but our
> problem, as a community, is that what you do with your coalition
> affects all of us and impacts the project we care about deeply.

The fact that some developers felt it necessary to join a
coalition to enforce their copyright rights suggests that
they don't feel that the current structures around protecting
Linux are doing a good enough job of doing so. You might
want to think about why that is.

On another note - why does Bradley get such a bad rap ?

Personally, and having worked with him long enough, I
think it's because when Bradley and Conservancy have
to step into a situation it's because it's already gone
beyond the normal methods of community engagement and
policing.

My opinion of Bradley is that he is similar to Winston Wolf
in Pulp Fiction. You don't call him in until you need
him, but when you "got no friends in the 818 and someone
needs to pick up itty-bitty pieces of GPL-violating code
from your upholstery" then he's the guy whose number you
need to remember :-).

We as developers usually get to play good cop to other
developers, asking them to do the things that they really
would like to do anyway. When they're prevented from doing
that for whatever reason then you do need a bad cop to
make the case to the people who are controlling the actions
of said developers that cooperation is good for all in the
long run.

Without someone willing to do that thankless task - and it
*IS* a thankless task as this mailing list thread has so aptly
proven - all the good cops are left doing is asking if
you need more coffee and donuts whilst you decide if
you want to do the right thing. Some people will never
get there on their own (see my previous comments about
Apple, EMC, Isilon and NetApp for examples).


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-27 23:35           ` Jeremy Allison
@ 2016-08-28  4:47             ` Theodore Ts'o
  2016-08-28  5:17               ` Jeremy Allison
  2016-08-28  5:38               ` Bradley M. Kuhn
  0 siblings, 2 replies; 173+ messages in thread
From: Theodore Ts'o @ 2016-08-28  4:47 UTC (permalink / raw)
  To: Jeremy Allison; +Cc: Bradley M. Kuhn, Linus Torvalds, ksummit-discuss

On Sat, Aug 27, 2016 at 04:35:21PM -0700, Jeremy Allison via Ksummit-discuss wrote:
> On Sat, Aug 27, 2016 at 04:13:25PM -0700, Linus Torvalds wrote:
> > 
> > Quite frankly, after having watched a few videos of Bradley talking
> > about what he does and _why_ he does it, I really would never want to
> > have him or the SFC represent Linux in court. Ever. Not unless they
> > make it very clear that their agenda has changed.
> 
> So the thing I think you're missing here, is your own argument
> about enlightened "self interest".
> 
> Yes, Bradley and Conservancy have an agenda. They represent
> us (Samba) when that agenda and self interest *align with
> ours*. When they don't, nothing happens (remember they only
> act on our behalf).
> 
> It's just like development - they want one legal thing, you
> want another. Only when the two align do you work together.

Jeremy --- suppose there was a single person who had contributed to
Samba, and he had a different opinion from the rest of the Samba team,
and he went to the Conservancy on his own, and he and the Conservancy
decided to take legal action on that one person's behalf (since it
helped pursue the Conservancy's agenda, even if it didn't advance
Samba's interests) --- and so it was something that you and the rest
of the Samba developers didn't think was in the best interest of the
Project.  In fact, what if that legal action was something that
disrupted a relationship with a company that you considered extremely
strategic?

What would happen then?  (Assume you weren't on the board, so you
wouldn't be able to put the kibosh on it that way.)  Perhaps more
importantly, would you think that was morally a sound thing to do?

It's the fact that the Conservancy feels that it can cherry pick
developers, and act even on matters where Linus has expressed a clear
preference that it is *not* in the best interest of Linux, is why I
think the term "rogue agent" very much applies.

						- Ted


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-28  3:10             ` James Bottomley
@ 2016-08-28  4:42               ` Bradley M. Kuhn
  2016-08-28 20:51                 ` James Bottomley
  0 siblings, 1 reply; 173+ messages in thread
From: Bradley M. Kuhn @ 2016-08-28  4:42 UTC (permalink / raw)
  To: ksummit-discuss; +Cc: Linus Torvalds

James Bottomley wrote earlier today:
> Knowing there's a threat of legal action lurking in the background produces
> far different conversations because it puts the other party on the legal
> defensive ... for all of us

Your primary argument centers around the idea that the mere *existence* of
*anyone* willing to file a lawsuit about a Linux violation irreparably
thwarts your ability to exercise your unique compliance-seeking skills.  Greg
has made similar arguments.  If that's true, then I wonder what time frame
you're talking about, since Harald has been filing lawsuits since 2004, and
has filed so many about Linux.  Conservancy has filed none; rather, we helped
fund and provided some logistical support for Christoph's lawsuit.

> Well, my recollection of the first conversation about VMware in San Diego
> airport in 2012 was you telling me you wanted to go after them and me
> giving you all my concerns around the possibility of an adverse judgement.

That was just a short time after we discovered a Linux violation was also
present in addition to VMware's BusyBox violation [0], a full two years
before Christoph became involved and three years before he chose to sue.
(This timeline has been in the VMware lawsuit FAQ on Conservancy's website
since the lawsuit was filed [1].)  That FAQ makes reference to the fact
that we sought assistance from "every industry contact we had".

You were among those industry contacts.  That very LinuxCon week you mention,
I encouraged you, Greg, and Jim Zemlin to do whatever you could to attempt to
get VMware to DTRT and comply with GPL.  I specifically asked you and Jim to
reach out to them, since as LF Board members, you would have direct contacts
with VMware, as a member company that funds LF.

Also, I believed, as you say, that you were skilled in some types of
negotiation that I am not.  (I specifically recall saying to you as I left
for my flight: "we've just discovered the violation, so there's time; please
do what you can in the meantime".)  The large group of copyright holders who
were unhappy at VMware's violation then waited for years for all of you to
work your magic, but VMware never complied.  I now understand...
> the problem would have been that your terms aren't mine.

... that whole part of the exercise was moot because you probably didn't want
VMware to comply, anyway.  That explains a lot; thank you for telling me.

> On Sat, 2016-08-27 at 19:02 -0700, Bradley M. Kuhn wrote:
> > Everyone here is talented and has different skills; please don't
> > assume that yours are the only ones that produce value and good
> > results.

James Bottomley wrote:
> I wasn't, but I get the impression you do.

Your impression is incorrect.  I have great respect for your skill in
achieving GPL compliance outcomes in the specific industry sectors where
you've deployed them.  I believe your stories of all the successes you've had
and told me about over the years, and I thank you for that work.

[0] VMware's BusyBox violation was resolved *without* litigation, and VMware
    still ships, AFAIK, a GPL-compliant BusyBox as part of their products
    today -- yet another counter example to the incorrect memes about BusyBox
    and its enforcement in this thread.

[1] https://sfconservancy.org/copyleft-compliance/vmware-lawsuit-faq.html
--
   -- bkuhn
========================================================================
Become a Conservancy Supporter today: https://sfconservancy.org/supporter


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-28  3:18         ` James Bottomley
@ 2016-08-28  4:40           ` Jeremy Allison
  2016-08-28  6:25             ` David Woodhouse
  0 siblings, 1 reply; 173+ messages in thread
From: Jeremy Allison @ 2016-08-28  4:40 UTC (permalink / raw)
  To: James Bottomley; +Cc: Bradley M. Kuhn, Linus Torvalds, ksummit-discuss

On Sat, Aug 27, 2016 at 09:18:36PM -0600, James Bottomley wrote:
> On Sat, 2016-08-27 at 16:02 -0700, Jeremy Allison via Ksummit-discuss
> wrote:
> > The GPL allows legal penalties for non-compliance. We
> > know this as there have already been such.
> > 
> > Your project has been enormously successful - more so
> > than any other Free Software project in the world. And it
> > did so under the GPL.
> > 
> > You now appear to want to change the conditions under which
> > most contributors added code - to one that has no legal
> > penalties for non-compliance with the license.
> 
> This might also be a core issue.

I agree this is a core issue.

> I believe everyone participating in this debate agrees there
> should be consequences for non-compliance.

That isn't clear to me at all, unless "ask again, try and
be nicer" counts as a consequence. I don't believe that it
does.

>  However, some people believe that the emphasis on "legal penalties"
> produces an escalating atmosphere that precludes other avenues.

"legal penalties" are a last, worst option - that I think
everyone agrees with. The core issue to me is - should
"legal penalties" *ever* be an option ?

My opinion (for Samba, the only area my opinion matters and
feel free to tell me to bugger off a Linux kernel list and
I'll shut up) is that they should. I would have sued the
bastards renaming my code and adding a license manager for
example :-). I'm only glad I didn't have to.


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-28  2:58         ` Steven Rostedt
@ 2016-08-28  4:34           ` Jeremy Allison
  2016-08-28  8:04             ` Greg KH
  0 siblings, 1 reply; 173+ messages in thread
From: Jeremy Allison @ 2016-08-28  4:34 UTC (permalink / raw)
  To: Steven Rostedt; +Cc: Bradley M. Kuhn, Linus Torvalds, ksummit-discuss

On Sat, Aug 27, 2016 at 10:58:42PM -0400, Steven Rostedt wrote:
> 
> I'm not sure Greg's answer is really "never". But I think this is
> similar to the analogy of dealing with rogue nations. Going to war is

It seemed pretty clear to me that Greg's answer was that there
was no possible situation where he would countenance an enforcement
lawsuit against a GPL violator.

I really don't want to put words in anyone's mouth or misread their
intent so if I am mistaken or misread what he wrote I'd love to be
corrected here.


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-28  1:43         ` James Bottomley
  2016-08-28  2:02           ` Bradley M. Kuhn
@ 2016-08-28  4:24           ` Jeremy Allison
  2016-08-28 12:55             ` Theodore Ts'o
  2016-08-28 15:37             ` James Bottomley
  2016-08-28  5:09           ` Jeremy Allison
  2 siblings, 2 replies; 173+ messages in thread
From: Jeremy Allison @ 2016-08-28  4:24 UTC (permalink / raw)
  To: James Bottomley

On Sat, Aug 27, 2016 at 07:43:29PM -0600, James Bottomley wrote:
> 
> Heh, well, if I called bullshit, I'd lose my reputation for politeness
> (although perhaps Linus would finally come to respect me).  Let me just
> point out that your 0.57% or however you define it, is why no
> corporation currently trusts you or wants to talk to you unless forced
> by their lawyers.  Without mutual trust, there's no basis for
> negotiation, so all your attempts at compliance are overshadowed by
> this end game.

In a discussion, when you accuse your opponent of flat-out lying
and being untrustworthy there's no place left to go.

Let's not do that. I don't think it's helpful.

However, "no corporation currently trusts you or wants to talk to
you unless forced by their lawyers" is inaccurate (note I don't
think you're lying, just mistaken here).

My employer is a large funder of Conservancy (check their funding
spreadsheet for details), and I promise you we talk without legal
requests to do so (even though Karen managed to crash the badging
system here last time she visited :-).

> Your inability to recognise that there are other methods beyond holding
> out this 0.57% club, and that a lot of other people have achieved
> significant compliance and even community contributions using them, is
> why your statements generate such a lot of strong reactions.  It
> reminds me a lot of the 70s and 80s "Mr President, under what
> conditions would you be willing to press the nuclear button?" which
> isn't really a world I want to go back to.

That isn't the question that's being asked though. The question
that is being asked is "should there be a nuclear button *at all* ?".

Your opinion on that is clear and I understand why you hold it.
There are many other developers who hold the same opinion, but
lots of them work on FreeBSD not Linux.

Respectfully, I don't agree with you. Greg and Ted seem to agree
with you, Linus (like me) seems to imagine there can be a case for
that shiny red button.

To be honest I never would have put you down as a CND supporter
(but I suppose all those years you spent in a tent at Greenham
Common should have given me a hint :-).


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-27 23:02       ` Jeremy Allison
  2016-08-27 23:13         ` Linus Torvalds
  2016-08-28  2:58         ` Steven Rostedt
@ 2016-08-28  3:18         ` James Bottomley
  2016-08-28  4:40           ` Jeremy Allison
  2 siblings, 1 reply; 173+ messages in thread
From: James Bottomley @ 2016-08-28  3:18 UTC (permalink / raw)
  To: Jeremy Allison, Greg KH; +Cc: Bradley M. Kuhn, Linus Torvalds, ksummit-discuss

On Sat, 2016-08-27 at 16:02 -0700, Jeremy Allison via Ksummit-discuss
wrote:
> The GPL allows legal penalties for non-compliance. We
> know this as there have already been such.
> 
> Your project has been enormously successful - more so
> than any other Free Software project in the world. And it
> did so under the GPL.
> 
> You now appear to want to change the conditions under which
> most contributors added code - to one that has no legal
> penalties for non-compliance with the license.

This might also be a core issue.  I believe everyone participating in
this debate agrees there should be consequences for non-compliance.
However, some people believe that the emphasis on "legal penalties"
produces an escalating atmosphere that precludes other avenues.

James


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-28  2:02           ` Bradley M. Kuhn
@ 2016-08-28  3:10             ` James Bottomley
  2016-08-28  4:42               ` Bradley M. Kuhn
  0 siblings, 1 reply; 173+ messages in thread
From: James Bottomley @ 2016-08-28  3:10 UTC (permalink / raw)
  To: Bradley M. Kuhn, ksummit-discuss; +Cc: Linus Torvalds

On Sat, 2016-08-27 at 19:02 -0700, Bradley M. Kuhn wrote:
> James Bottomley wrote, a few minutes ago:
> > I believe you but I don't believe you had any conversations which 
> > could lead to a significant change in business practices, which is 
> > my primary issue.... Your inability to recognise that there are
> > other methods
> 
> Everyone here is talented and has different skills; please don't 
> assume that yours are the only ones that produce value and good
> results.

I wasn't, but I get the impression you do.  I also wasn't talking
about results, I was talking about methods.  Knowing there's a threat
of legal action lurking in the background produces far different
conversations because it puts the other party on the legal defensive
... for all of us, not just for you.

>   Anyway, this is why we brought VMware's violation [0] (and many 
> other ones too) to you, to Greg, to Jim Zemlin, and to many others 
> *before* we even began our Step 1. I told you privately many times 
> what I now say publicly: you can achieve important compliance results 
> that we can't, but vice-versa is also true.

Well, my recollection of the first conversation about VMware in San
Diego airport in 2012 was you telling me you wanted to go after them
and me giving you all my concerns around the possibility of an adverse
judgement.  Beyond wanting my copyrights, I don't recall you asking for
any strategic input.

> > but our problem, as a community, is that what you do with your
> > coalition affects all of us and impacts the project we care about 
> > deeply. ... Without mutual trust, there's no basis for negotiation

That's not quite what I said since the latter statement referred to the
process of negotiating compliance not negotiating within a community.
However, I suppose that is a valid point I didn't raise, so I'll
address it.

> Together, we're greater than the sum of our parts, if we all see past
> "my way or the highway" tendencies. Our coalition did that, by 
> disclosing, to you and the LF, the violation reports that Conservancy 
> received, so you could work on them first.

Well, you told me you were going after them.  I didn't realise that
meant you were also offering me the opportunity to get them to settle
on your terms ... However, now I do, the problem would have been that
your terms aren't mine.

>  When will you show similar cooperation and trust?

Since co-operation and trust seems to mean disclosure of intended
actions, I believe I have.  If it is to mean more, it would have to be
mutual.

James

> [0] https://lists.linuxfoundation.org/pipermail/ksummit-discuss/2016-
> August/003562.html
> --
>    -- bkuhn


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-27 23:02       ` Jeremy Allison
  2016-08-27 23:13         ` Linus Torvalds
@ 2016-08-28  2:58         ` Steven Rostedt
  2016-08-28  4:34           ` Jeremy Allison
  2016-08-28  3:18         ` James Bottomley
  2 siblings, 1 reply; 173+ messages in thread
From: Steven Rostedt @ 2016-08-28  2:58 UTC (permalink / raw)
  To: Jeremy Allison; +Cc: Bradley M. Kuhn, Linus Torvalds, ksummit-discuss

On Sat, 27 Aug 2016 16:02:10 -0700
Jeremy Allison via Ksummit-discuss
<ksummit-discuss@lists.linuxfoundation.org> wrote:

> On Sat, Aug 27, 2016 at 06:26:55PM +0200, Greg KH wrote:
> > 
> > Again, when the lawyers get involved, you have lost.  I know you feel
> > that you have to get lawyers involved to "win" the last bit of a fight,
> > but really, that's pointless, because you just lost.  
> 
> This seems to be your answer to the question:
> 
> "Can you describe the conditions you personally would feel justify
> filing a lawsuit over GPL non-compliance ?"
> 
> and your answer is "never".
> 
> That's a valid answer, and I respect that.
> 
> However, other Linux devs feel differently as they joined the
> Conservancy GPL Compliance Project For Linux Developers. There
> are licenses that embody the "no consequence for non compliance"
> attitude, the most popular being the BSD or MIT licenses of course.
> 
> 

[...]

> You now appear to want to change the conditions under which
> most contributors added code - to one that has no legal
> penalties for non-compliance with the license.
> 
> If you really want that I'd genuinely be interested in you
> making such a proposal to the Linux kernel developers and
> asking them to change the license. Not being a kernel developer
> (other than some small cifsfs changes) I have no skin in the
> game but I'd love to see the results of that vote, I think
> it would be fascinating (and I give no predictions as to which
> way that vote would go).

Who can predict that? Nobody ever expected Brexit to pass, right? ;-)

Anyway, if you ask 10 Linux kernel developers how they feel about their
contributions to the kernel and the GPL, you'll get 10 different
answers. The Linux kernel is owned by several copyright owners, and
thus, everyone has the ability to choose how they will respond to
non-compliance. Some may want to have the Conservancy to support them,
others may not. It's really up to them. Obviously Linus and Greg choose
not to. But they can't control what others may do.

Karen handed me a contract (again), and I still haven't had time to
read it (lots of personal matters at hand at the moment). I won't know
if I'll sign it till I've fully read it.

Personally, I believe the GPL has been the reason for the success of
Linux, and yes, part of that is that people don't want to be sued for
non-compliance. But copyright isn't the same as a trademark where one
must defend it when an issue is known (at least in the US). Greg and
Linus feel that diplomacy is the best method for getting companies to
come around. But that takes time. Lawsuits are similar to going to
war, and although war has faster results, usually those results do not
end up as well as diplomacy would have in the long run.

I'm not sure Greg's answer is really "never". But I think this is
similar to the analogy of dealing with rogue nations. Going to war is
never actually off the table, but it's something that one really will
avoid. One doesn't need to threaten lawsuits (or war), but the fact
that lawsuits (and war) do exist and can be used, does live in the back
of minds of those that are not in compliance.

Basically what I'm trying to say is that this is nothing like making
Linux have a BSD license, but that GPL insists that people share, and
that's the intent of the license. Being in non-compliance isn't just
against the law, but also makes you look like a schmuck, and you can be
shamed for that. One isn't shamed for not sharing the BSD code, because
the BSD intent is do what you want, we'll just make more.

-- Steve


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-28  1:43         ` James Bottomley
@ 2016-08-28  2:02           ` Bradley M. Kuhn
  2016-08-28  3:10             ` James Bottomley
  2016-08-28  4:24           ` Jeremy Allison
  2016-08-28  5:09           ` Jeremy Allison
  2 siblings, 1 reply; 173+ messages in thread
From: Bradley M. Kuhn @ 2016-08-28  2:02 UTC (permalink / raw)
  To: ksummit-discuss

James Bottomley wrote, a few minutes ago:
> I believe you but I don't believe you had any conversations which could
> lead to a significant change in business practices, which is my primary
> issue.... Your inability to recognise that there are other methods

Everyone here is talented and has different skills; please don't assume that
yours are the only ones that produce value and good results.  Anyway, this is
why we brought VMware's violation [0] (and many other ones too) to you, to
Greg, to Jim Zemlin, and to many others *before* we even began our Step 1.
I told you privately many times what I now say publicly: you can achieve
important compliance results that we can't, but vice-versa is also true.

> but our problem, as a community, is that what you do with your
> coalition affects all of us and impacts the project we care about deeply.
> ... Without mutual trust, there's no basis for negotiation

Together, we're greater than the sum of our parts, if we all see past
"my way or the highway" tendencies. Our coalition did that, by disclosing,
to you and the LF, the violation reports that Conservancy received, so you
could work on them first. When will you show similar cooperation and trust?

[0] https://lists.linuxfoundation.org/pipermail/ksummit-discuss/2016-August/003562.html
--
   -- bkuhn
========================================================================
Become a Conservancy Supporter today: https://sfconservancy.org/supporter


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-27 21:18       ` Bradley M. Kuhn
@ 2016-08-28  1:43         ` James Bottomley
  2016-08-28  2:02           ` Bradley M. Kuhn
                             ` (2 more replies)
  0 siblings, 3 replies; 173+ messages in thread
From: James Bottomley @ 2016-08-28  1:43 UTC (permalink / raw)
  To: Bradley M. Kuhn, ksummit-discuss; +Cc: Linus Torvalds

On Sat, 2016-08-27 at 14:18 -0700, Bradley M. Kuhn wrote:
> I *thought* this list was for KS proposal meta-discussion,

Ideally if we can resolve it in email, we don't need a session ...

>  but this thread is now mostly substance and very little meta. :) 
> However, AFAICT, no one has declared this thread as off-topic, and 
> generally speaking, I believe everyone in the GPL Compliance Program 
> for Linux Developers, including me, is glad to see GPL enforcement 
> discussed openly.  So, I'm continuing with replies:
> 
> Today, Greg made references to a talk I gave, and drew broad 
> conclusions about my beliefs.  Yesterday, Linus made reference to an 
> LWN comment I made, and made conclusions about my moral character. 
>  This is a complex topic, and the entire breadth of everyone's view 
> cannot be summarized by out of context snippets.  I do think Greg's 
> summary of my talk is inaccurate on many fronts, but the details on
> that don't really matter.

OK, let me try for an accurate summary of the salient issues: A lot of
kernel developers don't trust your motives enough to let you enforce
their copyrights.  Personally, I don't believe you even understand what
it takes to convince a company of the business rightness of the GPL and
thus, when you say "we tried talking to them", I believe you but I
don't believe you had any conversations which could lead to a
significant change in business practices, which is my primary issue.

However, some developers do trust you and you've built a coalition of
the willing around that and you're off selecting targets; but our
problem, as a community, is that what you do with your coalition
affects all of us and impacts the project we care about deeply.

There is a factual disagreement about what enforcement in other
projects gained them.  However, the loss of momentum in busybox is
factual and does resonate and so does the theory that it's because of
too many enforcement actions.

> I believe we function well as a community by trying lots of different
> strategies in parallel.  This works for Linux development itself, and 
> it works for GPL enforcement too.  I, Greg, and many others have done
> excellent work convincing companies to abide by GPL without lawsuits.
>   Nearly all the work by the GPL Compliance Program for Linux 
> Developers doesn't use lawyers or lawsuits.  We all use the same 
> strategy, and *almost* all the same tactics to achieve GPL compliance
> for Linux.

What's this "we"?  Community is generated by contribution and most
contribution gives rise to copyright.  If you had enough copyright in
Linux, you wouldn't need a coalition because you could enforce on your
own.

> Our disagreement is over a finer point of a specific tactic that is 
> only relevant in roughly 0.57% [0] of GPL violations, which is this: 
> "What do we do in those cases that have no resolution for years, 
> after many try to gain compliance and failed. Should anyone sue in
> that case?".

Heh, well, if I called bullshit, I'd lose my reputation for politeness
(although perhaps Linus would finally come to respect me).  Let me just
point out that your 0.57% or however you define it, is why no
corporation currently trusts you or wants to talk to you unless forced
by their lawyers.  Without mutual trust, there's no basis for
negotiation, so all your attempts at compliance are overshadowed by
this end game.

Your inability to recognise that there are other methods beyond holding
out this 0.57% club, and that a lot of other people have achieved
significant compliance and even community contributions using them, is
why your statements generate such a lot of strong reactions.  It
reminds me a lot of the 70s and 80s "Mr President, under what
conditions would you be willing to press the nuclear button?" which
isn't really a world I want to go back to.

James


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-28  0:02                   ` Matthew Garrett
@ 2016-08-28  0:16                     ` Linus Torvalds
  2016-08-29 16:57                       ` Matthew Garrett
  0 siblings, 1 reply; 173+ messages in thread
From: Linus Torvalds @ 2016-08-28  0:16 UTC (permalink / raw)
  To: Matthew Garrett; +Cc: Bradley M. Kuhn, ksummit-discuss

On Sat, Aug 27, 2016 at 5:02 PM, Matthew Garrett <mjg59@coreos.com> wrote:
>
> OK. A vendor sells 500,000 network-connected devices running a version of
> Linux that has a vulnerability in the network driver that's discovered a
> year later. The hardware is custom, they refuse to release source, and
> they've discontinued the product line, so nobody else is able to fix it. Is
> it acceptable to engage in litigation in order to ensure that owners of
> these devices can receive a security update, even if by doing so we alienate
> the vendor and cause them to choose another kernel in future?

So why don't you name them and shame them very publicly and try
everything else first?

If the vendor still exists, and sells other devices, make a big stink
about it. It sounds like you've talked to them in private already, but
why do you still call them "a vendor" now when you start talking about
wanting to sue them?

Because without that, the answer is always going to be absolutely no,
simply because of the "absolute last option" thing.

And you talk about how you're helping users, but how many of them
would actually upgrade? Very few people end up upgrading firmware even
when it's automatic, much less so if it would mean that they'd switch
to OpenWRT or DD-WRT or something (since presumably the *existing*
firmware ends up having lots of non-GPL'd sources that you wouldn't
get even with a lawsuit)?

In other words, you say it is "for the users", but it still smells to
me like it's actually "for the lawsuit".

In practical terms, how would that help Linux?

I can understand being annoyed. I'm annoyed by bad companies too. But
I'm also saying that lawsuits aren't automatically the solution, and
you really have to ask yourself if it's worth it. And you have to do a
lot of other things first.

             Linus


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-27 23:49                 ` Linus Torvalds
@ 2016-08-28  0:02                   ` Matthew Garrett
  2016-08-28  0:16                     ` Linus Torvalds
  0 siblings, 1 reply; 173+ messages in thread
From: Matthew Garrett @ 2016-08-28  0:02 UTC (permalink / raw)
  To: Linus Torvalds; +Cc: Bradley M. Kuhn, ksummit-discuss

On Aug 27, 2016 6:49 PM, "Linus Torvalds" <torvalds@linux-foundation.org>
wrote:
>
> On Sat, Aug 27, 2016 at 4:30 PM, Matthew Garrett <mjg59@coreos.com> wrote:
> >
> > Can you clarify whether or not you believe that source availability for
> > owners of devices that run Linux (even if the vendor chooses not to
> > participate upstream) is something you consider to be good for the
> > project?
>
> That question makes no sense.
>
> Without an actual case, and without being able to judge the upsides
> *AND* downsides, your question is just silly.

OK. A vendor sells 500,000 network-connected devices running a version of
Linux that has a vulnerability in the network driver that's discovered a
year later. The hardware is custom, they refuse to release source, and
they've discontinued the product line, so nobody else is able to fix it. Is
it acceptable to engage in litigation in order to ensure that owners of
these devices can receive a security update, even if by doing so we
alienate the vendor and cause them to choose another kernel in future?

(other than sales numbers, which I don't have direct insight into, this is
not a hypothetical)


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-27 23:30               ` Matthew Garrett
@ 2016-08-27 23:49                 ` Linus Torvalds
  2016-08-28  0:02                   ` Matthew Garrett
  0 siblings, 1 reply; 173+ messages in thread
From: Linus Torvalds @ 2016-08-27 23:49 UTC (permalink / raw)
  To: Matthew Garrett; +Cc: Bradley M. Kuhn, ksummit-discuss

On Sat, Aug 27, 2016 at 4:30 PM, Matthew Garrett <mjg59@coreos.com> wrote:
>
> Can you clarify whether or not you believe that source availability for
> owners of devices that run Linux (even if the vendor chooses not to
> participate upstream) is something you consider to be good for the project?

That question makes no sense.

Without an actual case, and without being able to judge the upsides
*AND* downsides, your question is just silly.

You have clearly shown that you don't care about downsides.  You don't
seem to think it matters that yes, companies get very antsy about
lawsuits even when they _themselves_ are not the target.

Because yes, I know for a *fact* that some companies stopped using
BusyBox just because of the lawsuits. They weren't targeted, they
weren't misusing it, they just decided that "it's a litigious project,
it's simply not worth the risk".

And what is the source you would get available? Is it just the
standard kernel sources? To be good to the project, there needs to be
a point to the lawsuit - not just some technicality.

For example, there's a number of fly-by (mainly Chinese) companies
that really seem to just put Linux on their devices and churn out
one-offs. What does the project get from going after such a company
that didn't even modify the source code, or made some silly one-liner
things?

I know that some people are absolutely *itching* to see how copyright
actually works in China, and I don't doubt for a second that there
would be cases there if you want it for a test case.

But is there something really interesting going on? Or did you just
want a test-case in China (or wherever)? Or was there just a
proprietary module that you didn't like and you try to make a derived
work on despite our years of accepting them?

These are questions that a person who cares about the *project* should ask.

Your questions seem to be questions that are asked by somebody who
cares about compliance first.

See the difference?

            Linus


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-27 23:13         ` Linus Torvalds
  2016-08-27 23:29           ` Jeremy Allison
       [not found]           ` <CAPeXnHsTskZhwS6Ckp=xRzxbwax9FrMc5gRFmFmySY-Pq3KexA@mail.gmail.com>
@ 2016-08-27 23:35           ` Jeremy Allison
  2016-08-28  4:47             ` Theodore Ts'o
  2 siblings, 1 reply; 173+ messages in thread
From: Jeremy Allison @ 2016-08-27 23:35 UTC (permalink / raw)
  To: Linus Torvalds; +Cc: Bradley M. Kuhn, ksummit-discuss

On Sat, Aug 27, 2016 at 04:13:25PM -0700, Linus Torvalds wrote:
> 
> Quite frankly, after having watched a few videos of Bradley talking
> about what he does and _why_ he does it, I really would never want to
> have him or the SFC represent Linux in court. Ever. Not unless they
> make it very clear that their agenda has changed.

So the thing I think you're missing here, is your own argument
about enlightened "self interest".

Yes, Bradley and Conservancy have an agenda. They represent
us (Samba) when that agenda and self interest *align with
ours*. When they don't, nothing happens (remember they only
act on our behalf).

It's just like development - they want one legal thing, you
want another. Only when the two align do you work together.

So far it's worked very well (just like Linux :-).


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
       [not found]             ` <CAPeXnHtqc5fYUV89H2E4g-SQmFNmc=3bj1NiCRVAWg=WoP0R7g@mail.gmail.com>
@ 2016-08-27 23:30               ` Matthew Garrett
  2016-08-27 23:49                 ` Linus Torvalds
  0 siblings, 1 reply; 173+ messages in thread
From: Matthew Garrett @ 2016-08-27 23:30 UTC (permalink / raw)
  To: Linus Torvalds; +Cc: Bradley M. Kuhn, ksummit-discuss

On Aug 27, 2016 6:13 PM, "Linus Torvalds" <torvalds@linux-foundation.org>
wrote:

> We need to be very clear about this. The only possible situation where
> license enforcement makes sense is when it's good for the *project*.
> Not when it's good for license enforcement.

Can you clarify whether or not you believe that source availability for
owners of devices that run Linux (even if the vendor chooses not to
participate upstream) is something you consider to be good for the project?


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-27 23:13         ` Linus Torvalds
@ 2016-08-27 23:29           ` Jeremy Allison
       [not found]           ` <CAPeXnHsTskZhwS6Ckp=xRzxbwax9FrMc5gRFmFmySY-Pq3KexA@mail.gmail.com>
  2016-08-27 23:35           ` Jeremy Allison
  2 siblings, 0 replies; 173+ messages in thread
From: Jeremy Allison @ 2016-08-27 23:29 UTC (permalink / raw)
  To: Linus Torvalds; +Cc: Bradley M. Kuhn, ksummit-discuss

On Sat, Aug 27, 2016 at 04:13:25PM -0700, Linus Torvalds wrote:
> On Sat, Aug 27, 2016 at 4:02 PM, Jeremy Allison <jra@samba.org> wrote:
> >
> > Dealing with legal and compliance issues is *mandatory* for all
> > open source projects larger than one developer and their dog
> > with a github account.
> 
> You state that as an absolute fact, but there is nothing that really
> backs that up. And as mentioned, there really are very real arguments
> against your "fact".

Well I'm remembering the early days of Samba, where we
ran into lawyers pretty early. I also work with lawyers
in my day job who have to talk to small FLOSS projects all
the time (many who are just one person + dog + github).

So maybe I'm biased :-). I also could be wrong as well
(it does happen :-).

> Quite frankly, after having watched a few videos of Bradley talking
> about what he does and _why_ he does it, I really would never want to
> have him or the SFC represent Linux in court. Ever. Not unless they
> make it very clear that their agenda has changed.
> 
> Why? Because he explains how he feels that "strong copyleft" is
> inherently good, and Linux is the only remaining project big enough
> and meaningful enough to force legal attention on the GPL.
> 
> In other words, his publicly stated motivation for license compliance
> isn't for the good of the kernel - it's for the good of his license
> enforcement.
> 
> Quite frankly, if you let people like that be in charge of your legal
> team, you're crazy. That's insane. I'm not insane.

I could watch (in fact I *have* watched) some of your public
talks and say "if you let people like that be in charge of
your developer team, you're crazy" :-).

Everyone has some peculiarities (to quote Avenue Q: "Everyone's
a little bit racist, sometimes" :-). You really have to judge
their work, not their public persona I find.

> The only people I'd ever let be in charge of a lawsuit around Linux
> are the people who have the best interests of Linux in mind.

That's funny - tridge and my original criteria for being
on the Samba Team was being able to make a decision on
behalf of Samba that went against the interests of your
employer. We were very excited when we first saw that happen
with IBM employees.

> Definitely not people with an agenda, where Linux is just the *tool*.
> 
> We need to be very clear about this. The only possible situation where
> license enforcement makes sense is when it's good for the *project*.
> Not when it's good for license enforcement.

So I 100% agree with this. Which is why when Conservancy
represents us it's only after consulting with and reaching
consensus with the project developers and stakeholders (as
not all stakeholders develop code - we have the "Samba Team"
mail alias that represents this).

People can have a personal agenda, then put it aside when it's
time to go to work. I've seen Bradley do that - but then again
as I said I've known him a long time.


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-27 23:02       ` Jeremy Allison
@ 2016-08-27 23:13         ` Linus Torvalds
  2016-08-27 23:29           ` Jeremy Allison
                             ` (2 more replies)
  2016-08-28  2:58         ` Steven Rostedt
  2016-08-28  3:18         ` James Bottomley
  2 siblings, 3 replies; 173+ messages in thread
From: Linus Torvalds @ 2016-08-27 23:13 UTC (permalink / raw)
  To: Jeremy Allison; +Cc: Bradley M. Kuhn, ksummit-discuss

On Sat, Aug 27, 2016 at 4:02 PM, Jeremy Allison <jra@samba.org> wrote:
>
> Dealing with legal and compliance issues is *mandatory* for all
> open source projects larger than one developer and their dog
> with a github account.

You state that as an absolute fact, but there is nothing that really
backs that up. And as mentioned, there really are very real arguments
against your "fact".

Quite frankly, after having watched a few videos of Bradley talking
about what he does and _why_ he does it, I really would never want to
have him or the SFC represent Linux in court. Ever. Not unless they
make it very clear that their agenda has changed.

Why? Because he explains how he feels that "strong copyleft" is
inherently good, and Linux is the only remaining project big enough
and meaningful enough to force legal attention on the GPL.

In other words, his publicly stated motivation for license compliance
isn't for the good of the kernel - it's for the good of his license
enforcement.

Quite frankly, if you let people like that be in charge of your legal
team, you're crazy. That's insane. I'm not insane.

The only people I'd ever let be in charge of a lawsuit around Linux
are the people who have the best interests of Linux in mind.

Definitely not people with an agenda, where Linux is just the *tool*.

We need to be very clear about this. The only possible situation where
license enforcement makes sense is when it's good for the *project*.
Not when it's good for license enforcement.

                      Linus


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-27 16:26     ` Greg KH
  2016-08-27 21:18       ` Bradley M. Kuhn
@ 2016-08-27 23:02       ` Jeremy Allison
  2016-08-27 23:13         ` Linus Torvalds
                           ` (2 more replies)
  2016-08-29 11:24       ` Maxime Ripard
  2 siblings, 3 replies; 173+ messages in thread
From: Jeremy Allison @ 2016-08-27 23:02 UTC (permalink / raw)
  To: Greg KH; +Cc: Bradley M. Kuhn, Linus Torvalds, ksummit-discuss

On Sat, Aug 27, 2016 at 06:26:55PM +0200, Greg KH wrote:
> 
> Again, when the lawyers get involved, you have lost.  I know you feel
> that you have to get lawyers involved to "win" the last bit of a fight,
> but really, that's pointless, because you just lost.

This seems to be your answer to the question:

"Can you describe the conditions you personally would feel justify
filing a lawsuit over GPL non-compliance ?"

and your answer is "never".

That's a valid answer, and I respect that.

However, other Linux devs feel differently as they joined the
Conservancy GPL Compliance Project For Linux Developers. There
are licenses that embody the "no consequence for non compliance"
attitude, the most popular being the BSD or MIT licenses of course.

Indeed there are popular alternative kernels under those
licenses as I'm sure you're aware.

But they are not the license you have. You have the GPL.

The GPL allows legal penalties for non-compliance. We
know this as there have already been such.

Your project has been enormously successful - more so
than any other Free Software project in the world. And it
did so under the GPL.

You now appear to want to change the conditions under which
most contributors added code - to one that has no legal
penalties for non-compliance with the license.

If you really want that I'd genuinely be interested in you
making such a proposal to the Linux kernel developers and
asking them to change the license. Not being a kernel developer
(other than some small cifsfs changes) I have no skin in the
game but I'd love to see the results of that vote, I think
it would be fascinating (and I give no predictions as to which
way that vote would go).

But at that point you would have the condition you articulate
above. You could ask non-compliant companies to send in code,
and keep patiently working with them if they refused.

I do feel I should point out to you that this strategy has
not worked with Apple, EMC, Isilon or NetApp - all of whom
have significant kernels based on code under the BSD license
but have refused to return any valuable code to the parent
project.

But maybe the FreeBSD devs haven't just given them enough
time or been nice enough to them or asked them enough times.

Maybe this experiment will turn out in their favour, it may
be too early to tell (and Samba works on all the *BSD's so
I'm ok either way :-).

In the meantime if you want to work on a kernel with your
preferred license could you please fix the missing per-thread
credentials in FreeBSD ? Samba has been needing that for years
now (almost as long as I've been needing RichACLs in Linux :-).

> Both you and Karen keep saying "we have to know and defend this", but
> that's what burned Busybox to the ground, and is what is threatening the
> future of gcc as well.  It's great that Samba has survived this type of
> enforcement effort, but as Jeremy has pointed out, he's done that
> primarily by working directly with the companies, not having legal
> people get involved.  So thanks Jeremy for proving my point :)

If you think that was the point I was making, I feel you didn't
understand what I said.

I said that the outcome of lawsuits wasn't always the "loss" you
seem to claim, and that the Microsoft vs EU lawsuit (although not
a compliance-based one) is an excellent counterexample. Everyone
in that lawsuit ended up winning, even Microsoft (give or take a
billion dollars or so, which is pocket change for them :-).

When I do compliance work for Samba - before Conservancy ever
hears about it (because I'm talking developer to developer),
I'd like to think the companies I work with talk to me because
I'm a nice guy and very helpful.

But on more than one occasion when I've been talking to the devs
they also arrange a meeting with their legal staff involved.

What they always want to ask is if what we have architected
or discussed together is sufficient to comply with their responsibilities
under the GPL.

The reason they take me seriously, and I even get a seat at the table,
is because of the work that Conservancy (and others) have done to
ensure that GPL compliance is something that must be respected.
Would I get a conversation going without that ? Maybe - but on
more than one occasion I've only ever had a callback from the
developers *after* I've sent a notice to the company that they
are violating our license, a situation which if it continued
could lead to real legal consequences for their products.

> So please stop this now, it's not helpful, but instead, hurtful, and
> harmful to our very survival.

Greg, that's insulting to the hard work by Karen and Bradley
and Conservancy staffers and is such a naive statement I find
it hard to believe you believe it.

It reminds me of the "if only the lawyers would leave us alone
we'd live in a sunshine paradise of unicorns and rainbows - us
developers together" attitude I used to have back in the early
1990's when I first discovered the GPL.

You are second in command of a project that has generated literally
*trillions* of dollars of revenue around the world and you think
that involvement in legal issues is hurtful and harmful to the survival
of that project.

I have news for you - Linux passed out of that phase around
1.10 in 1994 when you first got TCP/IP support (I think I
have the history right, it was around then we decided to
port Samba from SunOS to Linux as you finally had networking :-).

Dealing with legal and compliance issues is *mandatory* for all
open source projects larger than one developer and their dog
with a github account.


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-27 18:35 ` Wolfram Sang
@ 2016-08-27 22:50   ` Linus Torvalds
  2016-08-28  7:47   ` Greg KH
  1 sibling, 0 replies; 173+ messages in thread
From: Linus Torvalds @ 2016-08-27 22:50 UTC (permalink / raw)
  To: Wolfram Sang; +Cc: Bradley M. Kuhn, ksummit-discuss

On Sat, Aug 27, 2016 at 11:35 AM, Wolfram Sang <wsa@the-dreams.de> wrote:
> Greg, Linus,
>
> Putting all the enforcement issues aside, there is one sentence that
> struck me:
>
>> > And corporations are a _huge_ part of our community, and frankly,
>> > the only reason we are where we are today.
>
> I don't question the first part of the sentence, but I disagree with
> 'the only reason' in the second part.

So I think Greg may have phrased it badly. Yes, the "only reason" part
is clearly not the case, but it could definitely be rephrased slightly
differently:

  "only because we have actively embraced companies being involved are
we where we are today".

It's not that "only companies" have made Linux be what it is today -
you are obviously very much right in pointing out that there's been a
lot (and still is!) individual contributors.

But it absolutely is the case that _only_ by working with companies
have we been able to succeed like we have been.

I just spent some time watching some of Bradley's youtube videos just
to compare his public stance with what is then claimed in this thread
(and private emails), and quite frankly, a lot of it was populist
"corporations are evil" stuff.

It's a very popular sentiment in some corners, but it's clearly
bullshit. Corporations tend to be largely selfish, yes, but so are
individuals.

And the thing is - a community of enlightened self-interest where
people and corporations work together because they all feel that it's
good for themselves ("selfish" behavior) is absolutely what we want
and need (and I'd argue have).

The reason open source works is exactly *because* the process works
with people who have their own interests at heart.

Yes, lots of people have other reasons for embracing open source too,
but without the basic self-interest angle you simply cannot get to the
point where you have a positive reinforcement cycle of people *and*
companies being involved.

So demonizing companies because they are "selfish" is just plain
stupid. Yet people do it.

What we need to do - and what we largely *have* been doing in the
Linux community - is to emphasize exactly the fact that open source is
a way to be selfish and get great results. Because that's the real
power of cooperation.

The whole "proprietary software is evil" mantra and the "corporations
are inherently bad" stuff is just crazy talk. It's insane, it's
stupid, and it's self-limiting.

Dismissing that kind of crazy talk is definitely a big reason for why
Linux is where it is today.

It's why Linux has never had anything to do with the FSF.

People call me many things, but very few people call me stupid.

                    Linus


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-27 16:26     ` Greg KH
@ 2016-08-27 21:18       ` Bradley M. Kuhn
  2016-08-28  1:43         ` James Bottomley
  2016-08-27 23:02       ` Jeremy Allison
  2016-08-29 11:24       ` Maxime Ripard
  2 siblings, 1 reply; 173+ messages in thread
From: Bradley M. Kuhn @ 2016-08-27 21:18 UTC (permalink / raw)
  To: ksummit-discuss; +Cc: Linus Torvalds

I *thought* this list was for KS proposal meta-discussion, but this thread is
now mostly substance and very little meta. :) However, AFAICT, no one has
declared this thread as off-topic, and generally speaking, I believe everyone
in the GPL Compliance Program for Linux Developers, including me, is glad to
see GPL enforcement discussed openly.  So, I'm continuing with replies:

Today, Greg made references to a talk I gave, and drew broad conclusions
about my beliefs.  Yesterday, Linus made reference to an LWN comment I made,
and made conclusions about my moral character.  This is a complex topic, and
the entire breadth of everyone's view cannot be summarized by out of context
snippets.  I do think Greg's summary of my talk is inaccurate on many fronts,
but the details on that don't really matter.

I believe we function well as a community by trying lots of different
strategies in parallel.  This works for Linux development itself, and it
works for GPL enforcement too.  I, Greg, and many others have done excellent
work convincing companies to abide by GPL without lawsuits.  Nearly all the
work by the GPL Compliance Program for Linux Developers doesn't use lawyers
or lawsuits.  We all use the same strategy, and *almost* all the same tactics
to achieve GPL compliance for Linux.

Our disagreement is over a finer point of a specific tactic that is only
relevant in roughly 0.57% [0] of GPL violations, which is this: "What do we
do in those cases that have no resolution for years, after many try to gain
compliance and failed. Should anyone sue in that case?".  Greg says: "No,
never."  The consensus in Conservancy's GPL Compliance Program for Linux
developers is: we're giving up on the GPL as a strategy if we let those 0.57%
just get away with violating, because even though the number is small, that
group contains the truly bad actors; they'll set an example for future bad
actors.  One reason (among many) we should bring lawsuits in those rare cases
is to show everyone the 99.43% that they are much better off working with the
community.  We have plenty of evidence from company representatives who say
clearly: "I can't get my company to comply unless the threat of lawsuit is
realistic; we agree it's totally reasonable to sue the very few bad actors".
Greg, representatives of some of the same companies that I know you've worked
with to improve compliance have told me and Karen that directly.

Greg, in your email today, you've called for us to close up our Program:
> So please stop this now, it's not helpful, but instead, hurtful, and
> harmful to our very survival.

The GPL Compliance Program for Linux Developers only does this work because
real developers who have written code upstream in Linux work actively with
Conservancy.  You've asked them to stop working with us.  Fortunately, they can
see your directive above and act.  The enforcement agreements are revocable.
Every one of our many coalition members could walk away tomorrow, and I
assure you that we'll close up the Program if they do.

> and not change to being rude and disrespectful to our users and developers
> by getting lawyers involved.

I do know lawyers who are rude and disrespectful by default.  (I also know
some Linux developers who are rude and disrespectful by default.)  But you're
saying above that can't be categorically true about lawyers (or Linux
developers): namely, that *all* lawyers are rude and disrespectful, in every
situation.  In our coalition's Linux enforcement actions, we don't typically
bring a lawyer into the conversation until we're close to what I called Step
(3) [1].  But, even when we do, we'd only employ a respectful and friendly
lawyer.  I stopped working with rude and disrespectful lawyers years ago.

> Let's please stick to what has gotten us this far,

You ignore that we got this far by working in parallel toward the same goal.
The GPL Compliance program for Linux Developers is more than four years old
now.  Before that, Harald was enforcing for Linux -- more litigiously than
our coalition ever would, BTW -- since 2004.  So, extremely rare litigation,
guided by Linux developers, has been part of "what got us this far" for at
least 12 years.  Greg: you, and James, and me, and Karen, and Conservancy,
and gpl-violations.org, and every member of the GPL Compliance Program for
Linux Developers are all part of the "us" that "got us this far".

Greg wrote, on 27 August 2016:
> Look at the existing vendors you see today as not as "offenders" but rather
> as "potential members of our community" and treat them that way.
Karen and I wrote together on 19 July 2016 [2]:
>>> Today's violators can then become tomorrow's contributors.
I wrote on 8 November 2009 [3]:
>> We therefore must ensure that enforcement action is reasonable and
>> friendly. I view every GPL violator as a potential FLOSS contributor, and
>> try my best to open every enforcement action with that attitude.

...and I made similar statements as far back as 2002.  My position on this
has never changed; I agreed with what you said today before you said it.
Karen has also always held this position.  Most importantly, to my knowledge,
every developer in the GPL Compliance Program for Linux Developers agrees.

> It's great that Samba has survived this type of enforcement effort, but as
> Jeremy has pointed out, he's done that primarily by working directly with
> the companies, not having legal people get involved.  So thanks Jeremy for
> proving my point :)

You're misattributing Jeremy's statements as well.  Jeremy said specifically
that he works *with* Conservancy and that our methods *don't* get lawyers
involved until the very tiniest fraction of situations where it's absolutely
necessary.  If Jeremy proved your point, then he also proved that Conservancy
and our coalitions *are using the method of enforcement you want*.

> that's what burned Busybox to the ground...and is what is threatening the
> future of gcc as well.

Your assessments of BusyBox and GCC are definitely incorrect.  (BusyBox is
still widely used and deployed, and the future of GCC is much more
complicated than any enforcement-specific issues.)  But I won't go into
details on that because I worry it's just too far off topic for this list.

Finally, I'll address just one more of your assumptions about my values:
> You value the GPL over Linux, and I value Linux over the GPL.  You are
> willing to risk Linux in order to try to validate the GPL in some manner.

... which is false.  Before you posted the above, I had already told you in
response to your private email (which contained the same text) that it
misrepresented my values.  I won't bore the list with everything I said in my
private reply, but here's the most relevant part:

  You said that you "care more about Linux than the GPL".  I would probably
  agree with that.  But, I do care about software freedom generally much more
  than I care about Linux *or* the GPL.  I care about Linux because it's the
  only kernel in the world that brings software freedom to lots of users.
  The GPL is a tool that helps Linux do that, but I don't see the GPL as a
  moral pinnacle.  It's a tool and a strategy to advance software freedom.
  Linux doesn't matter merely because it's GPL'd.  It matters because it's
  *great software* *and* it's GPL'd.

The GPL Compliance Program for Linux Developers works together to ensure all
users may copy, modify, and redistribute all versions of that great software.


[0] I didn't just guess at this number.  I searched my email archives, which
    roughly show that I've been sent reports of at least 3,000 GPL violations
    in my life, and I count only 17 defendants who have ever been sued by
    Erik Andersen, Christoph Hellwig, FSF or Conservancy (i.e., I'm counting
    BusyBox and Linux violations in there together, which should
    theoretically make the numbers as high as possible).  That gives me
    99.43% of GPL violators -- again, only counting the ones I personally have
    been informed of -- have never been sued.  I didn't include Harald's
    lawsuits because I'm not really sure on the count of his cases, but
    someone who'd like to can go through
    http://gpl-violations.org/news/archive/ and count them up and update my
    numbers, but I think to make it a good estimate, you'd have to also
    update the denominator to count all violations ever reported to the
    gpl-violations.org mailing list too, which sadly are not online at the
    moment. (links from http://gpl-violations.org/mailinglists/ are dead.)

[1] https://lists.linuxfoundation.org/pipermail/ksummit-discuss/2016-August/003637.html
[2] https://sfconservancy.org/blog/2016/jul/19/patrick-mchardy-gpl-enforcement/
[3] http://ebb.org/bkuhn/blog/2009/11/08/gpl-enforcement.html
-- 
Bradley M. Kuhn
President & Distinguished Technologist of Software Freedom Conservancy
========================================================================
Become a Conservancy Supporter today: https://sfconservancy.org/supporter


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-27 17:14         ` Bradley M. Kuhn
@ 2016-08-27 18:47           ` Julia Lawall
  0 siblings, 0 replies; 173+ messages in thread
From: Julia Lawall @ 2016-08-27 18:47 UTC (permalink / raw)
  To: Bradley M. Kuhn; +Cc: Linus Torvalds, ksummit-discuss



On Sat, 27 Aug 2016, Bradley M. Kuhn wrote:

> Greg KH wrote at 08:43 (PDT):
> > [CCFinder is a] much different tool than what James was referring to.  The
> > work that the LF has been doing is not based on CCFinder, and (in my
> > opinion) is much more powerful and provides much more information about
> > attribution of work and the proof of where all code changes came from.
>
> It's really tough to know what this new tool is based on, because it's not
> Open Source and Free Software (not yet anyway).  It's a tool that's been
> presented in talks, but the data and code behind it remains hidden.
>
> Both I and Karen have talked extensively on multiple occasions with dmg,
> the tool's author.  He verified for me explicitly that CCFinderX remains
> indeed state-of-the-art (and still really hard to install ;).  He
> indicated that his system, while it may or may not be using CCFinderX's code
> directly [0], has technology that's roughly the same.  Anyone who has worked
> with CCFinderX and reviewed dmg's talks can see the obvious similarity.
>
> The key new contribution it sounds like dmg has made is data curation.
> From his verbal description, it sounds like dmg has done a really excellent
> job reconstructing the history of contributions to Linux that don't appear
> directly in Git.  I'm excited to (eventually) see his data!
>
> In April, I of course asked dmg to make the tool and the data available
> publicly under an Open Source and Free Software license, and he said he will
> do it eventually, but for the moment only his University team and the Linux
> Foundation (as funders of the work) have access to it, and they aren't
> willing to share their software and knowledge at the moment with others.
>
> [0] dmg was cagey on all this because he's an academic and has not yet had
>     the work published academically, and he lives under a publish-or-perish
>     regime.  I'm sympathetic; he's between a rock and hard place.  Indeed,
>     I've been looking lately into how unfriendly CS academia still remains to
>     Open Source and Free Software that's developed in public -- and it's
>     still as bad as when I was in graduate school.  I had so hoped it'd
>     gotten better.

As an academic, I don't see the issue.  I've never rejected a paper
because the tool was already open source.  On the contrary, reviewers
increasingly complain that a tool is not available, and so they can't see
how it works.  I don't know who dmg is or in what community he wants to
publish, but the more typical reason for not making a tool available is
that the author is not comfortable with the current state, and doesn't
have time to put it into a state that he is proud of, or doesn't currently
have the resources to be able to manage outside contributions.  I guess
that the same happens in non-academic contexts as well.  Maybe this person
is concerned that if the tool is available, others will be able to collect
the data this person wants to collect.  But typically it is only the tool
developer who will initially have the time, motivation, vision, etc
necessary to collect and interpret the data in an interesting way.

julia

> --
> Bradley M. Kuhn
> President & Distinguished Technologist of Software Freedom Conservancy
> ========================================================================
> Become a Conservancy Supporter today: https://sfconservancy.org/supporter


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-26  2:46 Linus Torvalds
  2016-08-26  3:07 ` Matthew Garrett
  2016-08-26 15:23 ` Karen Sandler
@ 2016-08-27 18:35 ` Wolfram Sang
  2016-08-27 22:50   ` Linus Torvalds
  2016-08-28  7:47   ` Greg KH
  2 siblings, 2 replies; 173+ messages in thread
From: Wolfram Sang @ 2016-08-27 18:35 UTC (permalink / raw)
  To: Linus Torvalds; +Cc: Bradley M. Kuhn, ksummit-discuss

Greg, Linus,

Putting all the enforcement issues aside, there is one sentence that
struck me:

> > And corporations are a _huge_ part of our community, and frankly,
> > the only reason we are where we are today.

I don't question the first part of the sentence, but I disagree with
'the only reason' in the second part.

The reason where we are today is the result of _all people_ contributing
to Linux. I think our community is a lively mixture of participants
hacking because of commercial, technical, enthusiastic, ideological and
what not reasons. The beauty (and the challenge) is all of us working
together. IMO this is one very important part which attracts some of the
special talent which makes our community awesome. For me, it surely did.
And that talent usually can't be attracted by, say, large investments or
similar (which admittedly attracts other special talent and is OK, too).

So, I don't think it is fair to give credits "where we are today" _only_
to the commercial side. And I have a hard time believing this view is
fundamentally different from yours?

   Wolfram



* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-27 15:43       ` Greg KH
@ 2016-08-27 17:14         ` Bradley M. Kuhn
  2016-08-27 18:47           ` Julia Lawall
  0 siblings, 1 reply; 173+ messages in thread
From: Bradley M. Kuhn @ 2016-08-27 17:14 UTC (permalink / raw)
  To: ksummit-discuss; +Cc: Linus Torvalds

Greg KH wrote at 08:43 (PDT):
> [CCFinder is a] much different tool than what James was referring to.  The
> work that the LF has been doing is not based on CCFinder, and (in my
> opinion) is much more powerful and provides much more information about
> attribution of work and the proof of where all code changes came from.

It's really tough to know what this new tool is based on, because it's not
Open Source and Free Software (not yet anyway).  It's a tool that's been
presented in talks, but the data and code behind it remains hidden.

Both I and Karen have talked extensively on multiple occasions with dmg,
the tool's author.  He verified for me explicitly that CCFinderX remains
indeed state-of-the-art (and still really hard to install ;).  He
indicated that his system, while it may or may not be using CCFinderX's code
directly [0], has technology that's roughly the same.  Anyone who has worked
with CCFinderX and reviewed dmg's talks can see the obvious similarity.

The key new contribution it sounds like dmg has made is data curation.
From his verbal description, it sounds like dmg has done a really excellent
job reconstructing the history of contributions to Linux that don't appear
directly in Git.  I'm excited to (eventually) see his data!

In April, I of course asked dmg to make the tool and the data available
publicly under an Open Source and Free Software license, and he said he will
do it eventually, but for the moment only his University team and the Linux
Foundation (as funders of the work) have access to it, and they aren't
willing to share their software and knowledge at the moment with others.

[0] dmg was cagey on all this because he's an academic and has not yet had
    the work published academically, and he lives under a publish-or-perish
    regime.  I'm sympathetic; he's between a rock and hard place.  Indeed,
    I've been looking lately into how unfriendly CS academia still remains to
    Open Source and Free Software that's developed in public -- and it's
    still as bad as when I was in graduate school.  I had so hoped it'd
    gotten better.
-- 
Bradley M. Kuhn
President & Distinguished Technologist of Software Freedom Conservancy
========================================================================
Become a Conservancy Supporter today: https://sfconservancy.org/supporter


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-26 23:54   ` Bradley M. Kuhn
@ 2016-08-27 16:26     ` Greg KH
  2016-08-27 21:18       ` Bradley M. Kuhn
                         ` (2 more replies)
  0 siblings, 3 replies; 173+ messages in thread
From: Greg KH @ 2016-08-27 16:26 UTC (permalink / raw)
  To: Bradley M. Kuhn; +Cc: Linus Torvalds, ksummit-discuss

On Fri, Aug 26, 2016 at 04:54:15PM -0700, Bradley M. Kuhn wrote:
> > Because right now, I'm getting some _very_ mixed messages.
> 
> ... a wise man once said, "talk is cheap; show me the code".  So, judge me by
> my actual actions, not by twisting my words.  It's easy to do because all
> this work has been done transparently.  As a public charity, you can look at
> Conservancy's 990s and see all financial details related to GPL enforcement.
> As I said in another post, in more than ten years, Conservancy has been
> involved in exactly *two* lawsuits, with plenty of public documentation of
> what happened there.  Recently, I and Karen were the *only* ones who were
> willing to publicly criticize Patrick McHardy for being unnecessarily
> litigious and non-transparent [1].  Overall, we only began the GPL Compliance
> program for Linux developers because developers *asked* for it.  We remain
> accountable to them.  We published the Principles of Community-Oriented GPL
> Enforcement, which were endorsed and/or lauded by many Linux developers,
> including the entire Netfilter team, as well as other charitable
> organizations including FSF, FSF Europe and the Open Source Initiative.
> 
> 
> I *think* you are saying that I'm doing something wrong and hurting Linux.
> I'm not only willing to hear you on that -- in fact, I am alarmed and want to
> understand immediately what it is.

As I said earlier, you are somehow saying that if we don't "defend" the
GPL in courts, we need to give up on it.

And that's just flat out not true, as I said before.

Your LCA talk this past year, which is online, you say many things about
how the BusyBox lawsuits worked out (caused the creation of Toybox), how
LLVM came about (supported because companies didn't want to deal with
the FSF and GPLv3), and how that the only thing left to "fight over" is
Linux.

I don't want to fight.  For when you start fighting like this, you have
lost, as I, and Linus now, keep pointing out.

Again, when the lawyers get involved, you have lost.  I know you feel
that you have to get lawyers involved to "win" the last bit of a fight,
but really, that's pointless, because you just lost.

Someone in a reddit thread about this email conversation said, in trying
to quote Linus, something along the lines of "the nuclear option should
have been done to Allwinner a long time ago".  And that proved my point
exactly.  Allwinner was a pain for a very long time.  But as developers,
and through the efforts of a lot of people at the Linux Foundation and
Linaro, Allwinner is now a contributor to the kernel, and actively
sponsors developers to write GPLv2 code for their chips.  So, if, after
talks like yours (between a representative of a kernel copyright holder
and the company) breaks down, you would be forced to take legal action.
And then we lost, even if you would have "won" the suit.

Seriously, this is NOT how to do things.  Over the years yes, my
position has changed from being pissed when I see devices ship without
code for their changes, to realizing that I actually can do much more
than any lawyer can.  I can take those developers and make them part of
our own project, ensuring we can survive.

Also, in your LCA talk you say about Linux kernel modules, and if I get
this quote wrong, please let me know,
	"And we’re going to have to actually adjudicate that, we don’t
	have a choice now. I used to shy away from this because it’s
	considered so controversial but we won’t have copyleft if we
	don’t have this confrontation."

And that's a very dangerous thing to say, or do.  Because again, if you
want to adjudicate this, that means you are willing to lose.

I told you this in the lobby of LinuxCon last year in Ireland around a
table with many others present.  You value the GPL over Linux, and I
value Linux over the GPL.  You are willing to risk Linux in order to try
to validate the GPL in some manner.  I am not willing to risk Linux for
anything as foolish as that.  And I told you that then in front of a
small audience, and am willing to do so now in front of a much larger
one.

Both you and Karen keep saying "we have to know and defend this", but
that's what burned Busybox to the ground, and is what is threatening the
future of gcc as well.  It's great that Samba has survived this type of
enforcement effort, but as Jeremy has pointed out, he's done that
primarily by working directly with the companies, not having legal
people get involved.  So thanks Jeremy for proving my point :)

Let's please stick to what has gotten us this far, and not change to
being rude and disrespectful to our users and developers by getting
lawyers involved.  That way we know will cause us to fail.

I routinely say that the only thing that will cause Linux to fail is if
we do something stupid to ourselves, it's not going to happen by
something outside of us.  I see this as one of those extremely stupid
things that we could easily do to ourselves that would cause us
to fail.

Again, learn from history, suing people is not the way to survive.
Working with the developers is the way.  As companies like Intel (who
used to be one of the worst offenders of the GPL out there before
members of our community worked very hard to turn them around) and
Allwinner and RockChip (getting more and more involved in our community)
and even Microsoft (who now gets huge revenue from running Linux and is
sponsoring kernel development because of this).

Look at the existing vendors you see today not as "offenders" but
rather as "potential members of our community" and treat them that way.
It is the way we will continue to survive and grow.  To not do so, is to
kill off our own future.

Do you know who the next "Intel" will be as a huge corporate sponsor of
Linux developers and intrinsic to our future?  I sure don't, but I do
know that by treating offenders with lawyers, you ensure that they never
will be that type of supporter.

It's just like we treat new developers, you never know who will start
out with just one patch, realize it's a lot of fun, and continue on to
becoming a core developer.  I started that way, and so did everyone
except Linus.  You have to treat everyone with respect in order to
ensure that you can grow and survive.

So please stop this now, it's not helpful, but instead, hurtful, and
harmful to our very survival.

greg k-h


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-26 17:19     ` Karen Sandler
@ 2016-08-27 15:43       ` Greg KH
  2016-08-27 17:14         ` Bradley M. Kuhn
  0 siblings, 1 reply; 173+ messages in thread
From: Greg KH @ 2016-08-27 15:43 UTC (permalink / raw)
  To: Karen Sandler; +Cc: James Bottomley, Linus Torvalds, ksummit-discuss

On Fri, Aug 26, 2016 at 01:19:58PM -0400, Karen Sandler wrote:
> On Fri, 2016-08-26 at 12:37 -0400, James Bottomley wrote:
> 
> >  The idea that your opinion only counts if you've already agreed to
> > support SFC actions.  Effectively it disenfranchises the majority in
> > the kernel and leads directly to a lot of the irritation that's been
> > coming out on the list.
> 
> The whole reason I proposed the session (in addition to information
> sharing) is to get feedback on our work from those who don't participate
> and be coordinated as possible with the work you, Greg and others not in
> our coalition do in your GPL compliance efforts. We're obviously already
> in touch with those who are in our coalition. :)

As I've said before, I don't think the Kernel Summit is a good place for
this as it involves legal issues, and the Kernel Summit is about
technical issues.

But, I do like Linus's proposal of "only developers" in the room talking
about stuff like this.  No lawyers, or managers, or "representatives"
present.  That could be "fun".

As you well know, lawyers can easily get disbarred for discussing things
with clients of others when the client's lawyers are not present, even
in "friendly situations".  Almost all of us are already clients of other
lawyers, given our corporate affiliations, and clients can not waive
that right to not have counsel present when talking about things to
other lawyers.  So proposing a session like you have, seems like a huge
risk for anyone there.  Unless you expect us all to drag our own lawyers
along, and again, I don't want to attend a kernel summit where I am
forced to do that.

> > I just said that I think there's a viable way forward from the
> > worst case outcome and the LF has been funding the tool work we'll need
> > to survive in that world.
> 
> Conservancy has coordinated with these efforts. We've discussed the tool
> extensively with its primary author and gave feedback from our work to
> inform its progress.  We're glad they plan to release their newer tools
> (and most importantly, curated data) soon under a free and open license.
> The base tools used for that work, of course, Conservancy has already
> been using for some time in our compliance work:
> 
> https://sfconservancy.org/copyleft-compliance/vmware-code-similarity.html

That's a much different tool than what James was referring to.  The work
that the LF has been doing is not based on CCFinder, and (in my opinion)
is much more powerful and provides much more information about
attribution of work and the proof of where all code changes came from.
Daniel's work was presented at a meeting in Barcelona that I think you
attended, along with many other legal open source people.  An updated
version of the tools and their capabilities was also presented this week
at LinuxCon for everyone to see:
	https://lcccna2016.sched.org/event/7RUK

As you know, academics take attribution very seriously, please don't
imply you have been working on this project with Daniel and Kate when
as far as I know, no one from the SFC has been doing so.

thanks,

greg k-h


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-27  0:19         ` Linus Torvalds
  2016-08-27  1:30           ` Jeremy Allison
@ 2016-08-27  7:00           ` David Woodhouse
  1 sibling, 0 replies; 173+ messages in thread
From: David Woodhouse @ 2016-08-27  7:00 UTC (permalink / raw)
  To: Linus Torvalds, Jeremy Allison; +Cc: ksummit-discuss

On Fri, 2016-08-26 at 17:19 -0700, Linus Torvalds wrote:
> Not only is "linking" not something that has any legal meaning, but
> the GPLv2 doesn't even mention it.  Yet people _continually_ talk
> about linking.

They do, and it's a pain.

> But what the license says - and more importantly, what copyright law
> itself actually is all about - is not linking, but "derived work".

You're close to one of the other errors that people continually make.

The licence specifically talks about "derivative or collective works".

It isn't just about "derived work" in the sense of "is your module a
derived work of the kernel?".

It also includes "is your module shipped as part of a collective work
including the kernel?".

And I'm not intending to get into specific *answers* to those questions
in this case, but we should not forget that they *are* the questions. 

You're right; we should not keep talking about "linking".

And we should not keep talking about "derived work" as if it's all that
matters.

-- 
dwmw2


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-26 21:41                         ` Theodore Ts'o
  2016-08-26 23:04                           ` Luis R. Rodriguez
@ 2016-08-27  4:00                           ` Josh Triplett
  1 sibling, 0 replies; 173+ messages in thread
From: Josh Triplett @ 2016-08-27  4:00 UTC (permalink / raw)
  To: Theodore Ts'o
  Cc: James Bottomley, Bradley M. Kuhn, Linus Torvalds, ksummit-discuss

On Fri, Aug 26, 2016 at 05:41:36PM -0400, Theodore Ts'o wrote:
> These sorts of legal / political questions are things for which I
> believe the Kernel Summit isn't well equipped to handle.  In
> particular, if the SFC has a pre-existing agenda --- that is, if they
> have clients and have lawyers who believe very strongly that the
> next step is to "bring the question to a lot of Courts"[1] --- and
> they want a forum to try to convince kernel developers to support them
> in trying to force the courts around the world to give us an answer to
> legal questions around the GPL --- that's inherently a political
> question, and I don't think it's appropriate to give them a soapbox to
> try to let them advance that agenda at the Kernel Summit.

I think we can expect better than that.  We regularly give platforms to
people who work for various entities, and they know not to use that
platform as a soapbox, even when their employer/organization holds a
particular position.  I think the same thing applies here, and I
personally would trust Conservancy folks to help drive an actual
*discussion* about these issues, where their own position rates a
mention but not a soapbox.  I don't think KS should host a rally; I *do*
think KS should host a session on the state of legal issues around the
kernel, what direction we want to see those go in, and what technical
and development practices may interact with those, including both our
existing practices and any potential proposals for changes to those
practices.


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-27  0:19         ` Linus Torvalds
@ 2016-08-27  1:30           ` Jeremy Allison
  2016-08-27  7:00           ` David Woodhouse
  1 sibling, 0 replies; 173+ messages in thread
From: Jeremy Allison @ 2016-08-27  1:30 UTC (permalink / raw)
  To: Linus Torvalds; +Cc: ksummit-discuss

On Fri, Aug 26, 2016 at 05:19:55PM -0700, Linus Torvalds wrote:
> On Fri, Aug 26, 2016 at 4:58 PM, Jeremy Allison <jra@samba.org> wrote:
> > Can you describe the conditions you personally would feel justify
> > filing a lawsuit over GPL non-compliance ?
> 
> You asked Ted, but I'll answer for one of the conditions for me: that
> it is not some gray area. It has to be a pretty damn clear violation.
> 
> Quite frankly, I've seen a lot of people be confused about what the
> GPLv2 actually says over the years. The most common confusion is the
> whole thing about "linking". It gets mentioned a lot.
> 
> Not only is "linking" not something that has any legal meaning, but
> the GPLv2 doesn't even mention it.  Yet people _continually_ talk
> about linking.
> 
> I think the confusion actually comes from the FSF itself, and the
> original LGPL discussions, where the FSF at some point tried to
> convince people that linking against a GPL library somehow meant that
> the end result was a "derived work" in a very different way than "mere
> aggregation". It comes from some GPL maximalist argument, and it's
> where the whole LGPL came from, after all.
> 
> So a *lot* of people think that "linking" means that the GPLv2 is
> automatically in effect.
> 
> But what the license says - and more importantly, what copyright law
> itself actually is all about - is not linking, but "derived work".
> 
> And there's a _lot_ of gray areas there, and no, technical measures
> do not make something derived or not.
> 
> In the kernel, we have tried to kind of clarify our thinking with the
> whole module interface, and the EXPORT_SYMBOL_GPL() distinction - the
> argument being one of both intent (which does have some legal weight,
> although the key word there is "some") and just to clarify that some
> parts are so clearly "internal Linux implementation" that if you need
> them, you're clearly not an independent module.
> 
> But everybody should know that that is not necessarily black and white
> either. Are GPL'd shim modules that use that EXPORT_SYMBOL_GPL() and
> then export something else (non-GPL'd) that uses them legal? They
> certainly fail the _smell_ test. A technical trick doesn't really have
> any legal meaning. If I were a judge (and I'm not, not even a lawyer),
> I'd certainly frown on it, but I might not take the initial
> EXPORT_SYMBOL_GPL() distinction all that seriously _either_.
> 
> Anyway, end result is that there's a lot of very murky "what is
> actually a derived work" issues.
> 
> I'd not be interested in ever having a lawsuit to "clarify" such an
> issue. I don't think it would really clarify anything anyway (it will
> just set one boundary in one case for one specific thing).
> 
> So it has to be a pretty damn obvious violation.

So it's a "I know it when I see it" boundary, like porn or
indecency :-).

Actually, that was pretty damn helpful. At least it shows there
is a "this far and no further" line beyond which you think a
lawsuit can be appropriate. I was getting worried that there
was no violation so egregious that you'd think was worth legal
action.

That way lies BSD-land.. (and the mountains of Madness :-).

Actually, your feelings are pretty similar to mine (other than
the harsh words about the FSF, but then again they did kill
your dog :-).

I try and set a similar set of boundaries when it comes to
Samba - which can load the equivalent of kernel modules via
our pluggable VFS interface.

My rules are:

1). In kernel - not my business (unless you're crazy enough
to try and put the entirety of Samba in-kernel) - go forth
with my blessings.

2). In kernel-but with "special" system calls used by Samba
VFS modules. Here I want the source code for the Samba VFS
module released, but what's in the kernel is your business.

Interestingly enough there have been some vendors who tried
to argue they could keep their system calls secret by hiding
the Samba VFS code - but we ended up with a successful outcome
(in one case by getting them to commit next release to a
fully specified syscall interface as the one they were using
was too ugly to support long term).

3). In a separate process - but Samba talks to it via IPC.
Still not my code, but it's getting closer depending on how
closely tied the IPC is. If your daemon simply won't do anything
without Samba talking to it, then I'd argue this is probably
a derived work. But it depends. This is the most difficult
case, similar to your "independent module" question above.

I usually say if the IPC interface has other uses than just
Samba (i.e. the NFS server uses it too), then it's not a
derived work. I've successfully gotten several companies
to architect their solutions this way to avoid any possible
violation questions. It usually gets them to create a better
solution as well, as thinking about an interface having to
be used by multiple consumers almost always ends up in a better
design.

4). Code modifications to Samba itself. Your code is *mine*.
Unless you're Amazon of course, who run Samba4 Active Directory
in their cloud and never ship to their customers :-). Even then
they're slowly but surely getting their changes upstream by
contracting with one of the vendors who employ Samba Team
members.

There are many other grey areas, but the main thing I try
and do by enumerating these rules is to give clarity to
corporations wanting to use the code.

The only time we've ever come close to a lawsuit was a long
time ago with a company that just renamed the source code
files, added a license manager and tried to sell us as a
proprietary solution ! Even then it was only after we contacted
their main purchaser to let them know what they were buying
that these guys went back to stealing car radios, or whatever
previous petty criminality they used to make a living doing.

Having said that these are just my opinions, and I know there
are differing opinions within the Samba Team developers.

The main thing is that we all reach consensus before asking
Conservancy to take any action on our behalf. The other Team
developers trust Conservancy to act in a responsible way.

The way to ensure that happens is to join the Conservancy
"GPL Compliance Project For Linux Developers" so your
individual voice is heard. I'm sure they'd love to have
you ! :-).


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-26 23:58       ` Jeremy Allison
@ 2016-08-27  0:19         ` Linus Torvalds
  2016-08-27  1:30           ` Jeremy Allison
  2016-08-27  7:00           ` David Woodhouse
  0 siblings, 2 replies; 173+ messages in thread
From: Linus Torvalds @ 2016-08-27  0:19 UTC (permalink / raw)
  To: Jeremy Allison; +Cc: ksummit-discuss

On Fri, Aug 26, 2016 at 4:58 PM, Jeremy Allison <jra@samba.org> wrote:
>
> Can you describe the conditions you personally would feel justify
> filing a lawsuit over GPL non-compliance ?

You asked Ted, but I'll answer for one of the conditions for me: that
it is not some gray area. It has to be a pretty damn clear violation.

Quite frankly, I've seen a lot of people be confused about what the
GPLv2 actually says over the years. The most common confusion is the
whole thing about "linking". It gets mentioned a lot.

Not only is "linking" not something that has any legal meaning, but
the GPLv2 doesn't even mention it.  Yet people _continually_ talk
about linking.

I think the confusion actually comes from the FSF itself, and the
original LGPL discussions, where the FSF at some point tried to
convince people that linking against a GPL library somehow meant that
the end result was a "derived work" in a very different way than "mere
aggregation". It comes from some GPL maximalist argument, and it's
where the whole LGPL came from, after all.

So a *lot* of people think that "linking" means that the GPLv2 is
automatically in effect.

But what the license says - and more importantly, what copyright law
itself actually is all about - is not linking, but "derived work".

And there's a _lot_ of gray areas there, and no, technical measures
do not make something derived or not.

In the kernel, we have tried to kind of clarify our thinking with the
whole module interface, and the EXPORT_SYMBOL_GPL() distinction - the
argument being one of both intent (which does have some legal weight,
although the key word there is "some") and just to clarify that some
parts are so clearly "internal Linux implementation" that if you need
them, you're clearly not an independent module.

But everybody should know that that is not necessarily black and white
either. Are GPL'd shim modules that use that EXPORT_SYMBOL_GPL() and
then export something else (non-GPL'd) that uses them legal? They
certainly fail the _smell_ test. A technical trick doesn't really have
any legal meaning. If I were a judge (and I'm not, not even a lawyer),
I'd certainly frown on it, but I might not take the initial
EXPORT_SYMBOL_GPL() distinction all that seriously _either_.

Anyway, end result is that there's a lot of very murky "what is
actually a derived work" issues.

I'd not be interested in ever having a lawsuit to "clarify" such an
issue. I don't think it would really clarify anything anyway (it will
just set one boundary in one case for one specific thing).

So it has to be a pretty damn obvious violation.

We should not be another crazy Oracle. Those guys are just looking
like morons with their crazy legal theories. And I'm not saying that
just because they keep losing.

And quite frankly, I've seen some crazy legal theories from the people
who want to maximize the reach of the GPL. Things that would literally
depend on the jury and judge not having a clue.

                  Linus


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-26 23:34                             ` Theodore Ts'o
@ 2016-08-27  0:03                               ` Luis R. Rodriguez
  0 siblings, 0 replies; 173+ messages in thread
From: Luis R. Rodriguez @ 2016-08-27  0:03 UTC (permalink / raw)
  To: Theodore Ts'o
  Cc: James Bottomley, Bradley M. Kuhn, Linus Torvalds, ksummit-discuss

On Fri, Aug 26, 2016 at 4:34 PM, Theodore Ts'o <tytso@mit.edu> wrote:
> On Sat, Aug 27, 2016 at 01:04:13AM +0200, Luis R. Rodriguez wrote:
>> It's important these summits take into consideration all sides, equally.
>
> Agreed, but will the Conservancy take into considerations all sides
> and all copyright holders?

I was actually talking about the Linux Foundation legal summits, as
you suggested. I had given up at this point of any of this spoken
about at KS...

But -- since you insist on considering this for KS -- let me make it
clear that I am personally not a fan of any of these topics spoken
about *loosely* at KS, but "best tactics for compliance" seems
sensible and neutral (Linus gave a few good tactical ideas on vouching
for good citizens, etc), and letting folks ask questions sounds like
another nice opportunity for folks to get information about what SFC does.
I'll note Karen particularly just offered a Q&A session. That's all...
That seemed fair and neutral. It didn't seem to be agenda'ish..

Is a Q&A not OK? Is that agenda'ish?

Perhaps talking about "when has last resort line been reached?" a bit
too sensitive to a few corporate copyright holders, but I suspect
having a friendly discussion over this with a majority of developers
present might be a win for the community. Not up to me -- just saying,
it seems these are the things most folks are interested in helping
chime in.

> Or will it pick and choose which
> developers it will listen to?

If a Q&A is offered I think you can be moderator as you coordinate KS.

> And how will it decide if there is
> disagreement amongst the copyright holders in their clubhouse?

Well you mean internally on the mailing list? Currently -- just as is
done here, through a list. As the group grows I suspect we may need
something more efficient though... One idea is to use the kernel web
of trust and an encrypted survey mechanism, to collect polls and get
results. In fact if we wanted to do this with all of Linux's
contributors today we could easily do this as well using similar
survey practice, you can even anonymize the actual data of responses
from individuals -- you'd just list the results. We could even keep
results private to KS.

> Saying that you will striving for consensus is nice, but it's pretty
> clear from these threads that there won't be 100% agreement all the
> time.

Just like Linux development.

> If consensus can't be achieved, what then?  Will there be
> voting?

It's a good question, we haven't had to scale yet but above I give a
simple algorithmic example of a possible solution if we needed to.

> Will it be weighted by how much code various copyright
> holders might own?

That's another great question, should the answer be ironed out at KS ?
If we had tools to help us with this what should it look like? What
would folks like it to look like ?

> Does the Conservancy reserve the right to throw
> out copyright holders who don't vote the right way?

The Principles (recently linked) are new and are followed, it was
inspired by the recent Patrick crap. Is that fair? Are there questions
on the Principles?

https://sfconservancy.org/blog/2016/jul/19/patrick-mchardy-gpl-enforcement/

> I would think a responsible person would want to know answers to these
> and similar questions before lending their name/reputation to the
> Conservancy.

Indeed!

> After all, these are pretty critical governance issues.

100% agreed. I don't think anyone part of the alliance takes any of
this lightly. If you do -- let us know.

> Maybe this is something that should be on the Conservancy's web site,
> along with a list of those copyright holders who have already agreed to
> support the Conservancy?

A few can and have publicly done this already, for obvious reasons,
some prefer for this to not be disclosed. It's not different than the
corporate mumbo jumbo stuff.

  Luis


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-26 23:02     ` Theodore Ts'o
@ 2016-08-26 23:58       ` Jeremy Allison
  2016-08-27  0:19         ` Linus Torvalds
  0 siblings, 1 reply; 173+ messages in thread
From: Jeremy Allison @ 2016-08-26 23:58 UTC (permalink / raw)
  To: Theodore Ts'o; +Cc: Linus Torvalds, ksummit-discuss

On Fri, Aug 26, 2016 at 07:02:36PM -0400, Theodore Ts'o wrote:
> 
> Ah, but *which* developers?  There are a huge number of entities who
> own copyrights in the Linux kernel.  Does the Conservancy get to pick
> and choose which developers they will listen to?  What about the
> companies that own copyright in the Linux kernel, such as Red Hat,
> IBM, Intel, Google, and others?  Do they get a seat at the table?

It's pretty clear that this applies to individual copyright holders who
have joined Conservancy's GPL Compliance Project for Linux Developers,
not corporations with their own legal department and lawyers who can
make decisions about compliance for themselves.

Even closer to my analogy of a union than I originally thought,
actually :-).

By definition these are developers who agree with the published
"Principles of Community-Oriented GPL Enforcement" document, which
does a good job of setting out when and how enforcement should be
handled.

> What about Linus's opinions?  Is the Conservancy going to at least ask
> the major copyright holders whether they are OK with a lawsuit before
> going ahead, and stop if they say No?  Or so long as you can find some
> number of developers who say, "go for it!" you'll start filing the
> paperwork at the courthouse?

Can you describe the conditions you personally would feel justify
filing a lawsuit over GPL non-compliance ?

Even if you reply "never" that would be a good data point to understand
your opinions on this.

> There have been at least some representation made by Conservancy staff
> that appear to denote that they have their set of developers and that
> they are going to do what they are going to do, regardless of what
> other copyright holders might think.  Perhaps it might be
> understandable why some might feel that your term of "rogue actor"
> might actually be appropriate?

If following this:

https://sfconservancy.org/copyleft-compliance/principles.html

means you are a "rogue actor", then I question your understanding
of the language.


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-26 21:51 ` Linus Torvalds
  2016-08-26 22:42   ` Jeremy Allison
@ 2016-08-26 23:54   ` Bradley M. Kuhn
  2016-08-27 16:26     ` Greg KH
  1 sibling, 1 reply; 173+ messages in thread
From: Bradley M. Kuhn @ 2016-08-26 23:54 UTC (permalink / raw)
  To: Linus Torvalds; +Cc: ksummit-discuss

Linus,

Linus Torvalds wrote at 14:51 (PDT):
> For example, we had a really nasty issue with Patrick McHardy, and
> sadly, the companies involved apparently didn't dare talk about it for
> fear of bad press (even if the badness was from our side). I was
> actually informed by Karen that the SFC finally made the thing public
> (thanks Karen - I really appreciated that), but when I went looking
> for it

The link to that statement, which Karen and I made jointly, is here:
   https://sfconservancy.org/blog/2016/jul/19/patrick-mchardy-gpl-enforcement/

> So _excuse_ me for not finding Bradley Kuhn very trustworthy on this
> issue.

I don't expect you to trust me; we don't know each other very well.

However, you don't need to trust me to examine my or Conservancy's
actions, because they're very transparent and any mandate that I have to
do GPL enforcement for Linux comes from Conservancy's agreements with
Linux developers who signed agreements that ask Conservancy to act.

> He's on public record on doing exactly that I am arguing we should
> *NOT* be doing.

No, that's not what I've said, neither on nor off the public record.

To step back, the chain of events of what Conservancy does in Linux GPL
enforcement is a simple flowchart:

0. Talk to the Linux developers in our coalition about the violation until
   there's general consensus about what to do next.

1. Approach violating company and ask nicely for them to comply, and offer
   to help them do so.

    (a) If they do comply, thank them and (if they want) help them upstream
        the code and/or form a community to help work on it (for firmwares).
        "goto all_the_other_work_Conservancy_does_that_is_not_enforcement;"

    (b) If they don't comply, try to help them comply by giving them detailed
        technical reports about what parts of their product aren't in
        compliance.

2. If still no compliance & a long time has yet to go by: goto 0.

3. After that long time has passed, talk to the Linux developers in our
   coalition to see if someone feels a lawsuit is necessary.

4. After all that & much time has passed, support any Linux developer(s) who
   wants to file a lawsuit, in the way they specify they want that help.

And, in the four years that Conservancy has run the GPL Compliance program
for Linux developers, we got to (4) *exactly once*, with VMware, and we even
sat in (3) for quite a while, until Christoph joined the coalition and
decided he wanted to act [0].

In your last email, you quoted me (out of context) on a comment I made
regarding a situation where *we were already at step 4* (i.e., VMware's
violation).  There are lots of tactics and details to consider when we reach
steps 3 and 4, and those include: how the GPL appears to the Courts, whether
they can achieve clarity in interpretation of the GPL, what venue makes
sense, and whether we'll get a certain decision.  Also, it's likely that
true clarity won't come until steps (3) and (4) are hit multiple times,
which may never happen (in history, any novel legal instrument has
required multiple Court cases to understand fully).  However, my
observation of that does not mean I'm *seeking* to hit steps (3) & (4).
Anyone who has done GPL enforcement with me can tell you that I *loathe*
Steps 1(b), (2), (3) and (4).  For the record, step 1(a) is the only
one I *want*, and I always try everything I can think of to get to 1(a).

Meanwhile, I do suspect you would rather Conservancy operate transparently
and comment publicly as much as we can.  Of course, Conservancy *could* just
do our work silently, communicate only with our coalition of developers, and
refuse to talk to the wider Linux community.  We *don't* do that because we
believe in openness and transparency.

Speaking just for myself, I'm *glad* to be held accountable by the Linux
developer community.  That's why I'm bothering to respond in this thread, why
I've done many calls over the years with LF's TAB, and why I propose talks to
every single Linux Foundation conference and leave plenty of time for Q&A.  I
believe if I'm involved in enforcing the GPL on Linux, the Linux community
has a right to question my activities and expect answers.

But, please, don't take open and transparent comments out of context and
assume that such statements on narrow issues of specific situations implies a
conspiratorial agenda.  It doesn't, and the *actions* show that...

> Because right now, I'm getting some _very_ mixed messages.

... a wise man once said, "talk is cheap; show me the code".  So, judge me by
my actual actions, not by twisting my words.  It's easy to do because all
this work has been done transparently.  As a public charity, you can look at
Conservancy's 990s and see all financial details related to GPL enforcement.
As I said in another post, in more than ten years, Conservancy has been
involved in exactly *two* lawsuits, with plenty of public documentation of
what happened there.  Recently, I and Karen were the *only* ones who were
willing to publicly criticize Patrick McHardy for being unnecessarily
litigious and non-transparent [1].  Overall, we only began the GPL Compliance
program for Linux developers because developers *asked* for it.  We remain
accountable to them.  We published the Principles of Community-Oriented GPL
Enforcement, which were endorsed and/or lauded by many Linux developers,
including the entire Netfilter team, as well as other charitable
organizations including FSF, FSF Europe and the Open Source Initiative.


I *think* you are saying that I'm doing something wrong and hurting Linux.
I'm not only willing to hear you on that -- in fact, I am alarmed and want to
understand immediately what it is.  But, you've not pointed to any specific
problematic action that I've taken.  Plus, before moving to Step (4) with
VMware, I asked you in person how you felt about enforcement against VMware,
and you said "what they're doing is in bad taste and someone should probably
do something about it".  You certainly did *not* say "please don't pursue
that!"  I am delighted to be accountable for my actions, but I'm baffled here
trying to figure out what action you're criticizing and why you didn't tell
me to stop when I explicitly sought your opinion.

Regardless, I'm happy to keep discussing the details with you and everyone
else, saying as much as is appropriate publicly.  I and Karen both were
hoping everyone who is a stakeholder regarding Linux (i.e., the copyright
holders and developers) could have a discussion at KS about this.

Linus Torvalds wrote elsewhere in the thread:
> But as I started out saying, I actually support discussing this at the
> kernel summit, it's just that I absolutely do *not* think it's about
> having lawyers present.

IANAL, and I also agree that everyone showing up at KS with their
lawyers by their side is a _horrible_ idea.  Anyway, there are no actual
legal questions to discuss -- rather, nearly every issue raised is a
*policy* question.  Policy discussion should include actual
stakeholders (which, with regard to GPLv2, means anyone who is a
copyright holder in Linux).


[0] https://sfconservancy.org/copyleft-compliance/vmware-lawsuit-faq.html#why-lawsuit
    has the full story on how these steps went with VMware.
    
[1] Company representatives of all sorts have been thanking us for
    weeks, BTW, for finally coming forward and criticizing McHardy's
    lawsuits, because, as Linus mentioned, companies have been freaked out
    about it and "didn't dare talk about it for fear of bad press".  (And,
    Conservancy did get some bad press and aggressive complaints from a few
    for our statement on it.)  But we did it because we believed it was right
    for the community, and because companies that try hard to comply with the
    GPL were asking us to do so.  We felt it important to go public about
    what we knew and had learned, because companies were scared and many
    didn't know what was going on, therefore creating a net-search-findable
    explanation about the situation was essential for the community.
-- 
Bradley M. Kuhn
President & Distinguished Technologist of Software Freedom Conservancy
========================================================================
Become a Conservancy Supporter today: https://sfconservancy.org/supporter


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-26 23:04                           ` Luis R. Rodriguez
@ 2016-08-26 23:34                             ` Theodore Ts'o
  2016-08-27  0:03                               ` Luis R. Rodriguez
  0 siblings, 1 reply; 173+ messages in thread
From: Theodore Ts'o @ 2016-08-26 23:34 UTC (permalink / raw)
  To: Luis R. Rodriguez
  Cc: James Bottomley, Bradley M. Kuhn, Linus Torvalds, ksummit-discuss

On Sat, Aug 27, 2016 at 01:04:13AM +0200, Luis R. Rodriguez wrote:
> It's important these summits take into consideration all sides, equally.

Agreed, but will the Conservancy take into consideration all sides
and all copyright holders?  Or will it pick and choose which
developers it will listen to?  And how will it decide if there is
disagreement amongst the copyright holders in their clubhouse?

Saying that you will strive for consensus is nice, but it's pretty
clear from these threads that there won't be 100% agreement all the
time.  If consensus can't be achieved, what then?  Will there be
voting?  Will it be weighted by how much code various copyright
holders might own?  Does the Conservancy reserve the right to throw
out copyright holders who don't vote the right way?

I would think a responsible person would want to know answers to these
and similar questions before lending their name/reputation to the
Conservancy.  After all, these are pretty critical governance issues.
Maybe this is something that should be on the Conservancy's web site,
along with a list of those copyright holders who have already agreed to
support the Conservancy?

Cheers,

					- Ted


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-26 21:41                         ` Theodore Ts'o
@ 2016-08-26 23:04                           ` Luis R. Rodriguez
  2016-08-26 23:34                             ` Theodore Ts'o
  2016-08-27  4:00                           ` Josh Triplett
  1 sibling, 1 reply; 173+ messages in thread
From: Luis R. Rodriguez @ 2016-08-26 23:04 UTC (permalink / raw)
  To: Theodore Ts'o
  Cc: James Bottomley, Bradley M. Kuhn, Linus Torvalds, ksummit-discuss

On Fri, Aug 26, 2016 at 05:41:36PM -0400, Theodore Ts'o wrote:
> On Fri, Aug 26, 2016 at 03:53:19PM -0400, James Bottomley wrote:
> > 
> > I think the disagreement is over *when* you give up and go for the
> > final resort.  And who you trust to take that decision.
> >
> 
> At the end of the day this is really a governance question.  There are
> a huge number of stakeholders involved.  It includes the kernel
> developers who do the work; and those who own the copyright; and those
> who pay many of our salaries; and those who might pay our salaries in
> the future if we can convince them to be good citizens; and so on.
> Not all of them will be represented at the Kernel Summit.
> 
> It will include those entities who are GPL maximalists and who believe
> that kernel modules are always infected by the GPLv2, and those who
> take a looser interpretation of that particular issue.  And that's a
> political question and a legal interpretation question.

<-- snip -->

> These sorts of legal / political questions are things for which I
> believe the Kernel Summit isn't well equipped to handle.  In
> particular, if the SFC has a pre-existing agenda --- that is, if they
> have clients and have lawyers who believe very strongly that the
> next step is to "bring the question to a lot of Courts"[1] --- and
> they want a forum to try to convince kernel developers to support them
> in trying to force the courts around the world to give us an answer to
> legal questions around the GPL --- that's inherently a political
> question, and I don't think it's appropriate to give them a soapbox to
> try to let them advance that agenda at the Kernel Summit.

It's a great point, however, that does mean SFC and developers part of the
kernel developer SFC alliance cannot get feedback from other contributors when
last-resort measures really have been reached. That seems to be a pretty
neutral topic to consider.

If not, and I *personally* understand if it's not possible to discuss this at KS,
at the very least this thread seems to clarify that many of us seem to be on
the same page than previously thought, legal action should be last resort. The
exception to everyone being on the same page seems of course to be the lack of
trust towards a few folks at SFC, or maybe just one. If that is a concern of
yours, you care about Linux and amicable compliance over Linux, and if you can
legally join SFC, you can vocalize your opinion on our lists when we review
matters -- you can help shape the opinion of the SFC kernel developer alliance.
Consensus is what we strive for.

> I've already gotten more than one request from representatives from
> other non-developer stakeholders requesting that they also be able to
> attend.  And in fairness, if we were to give the SFC a soapbox, then
> there will be any number of lawyers who would want to attend to make
> sure that the interests of their clients would also be protected ---
> and under what standards of fairness would we give lawyers with a
> specific agenda that they want to push access, but deny access for
> other lawyers to attend?  Let's just not go there.

I'd like to give a little wake up call then to those developers who *do care*
about the situation but feel hopeless. You should not feel hopeless, and you
should be able to echo your opinions and care. If you cannot care about how we
should do compliance on the project you contribute to, a right has been taken
away from you. You may or may not care about that -- and that's also one reason
why I personally think some of this is not appropriate to KS -- I suspect a
good portion of developers simply don't give a shit, and that's fine! If you'd
like to care though and want that right, consider an employer that gives you
that right.  There are a few. As I see it, it's to the interest of the companies
and our community that kernel developers that do care can express review /
consent over matters. It's the type of thing that will help avoid these sorts of
shitstorms.

> The Linux Foundation has run Legal Summits before, and has invited
> kernel developers to give input to the legal beagles at those Legal
> Summits.  But we're talking about the Kernel Summit here, and not a LF
> Legal Summit.

It's important these summits take into consideration all sides, equally.

  Luis


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-26 22:42   ` Jeremy Allison
@ 2016-08-26 23:02     ` Theodore Ts'o
  2016-08-26 23:58       ` Jeremy Allison
  0 siblings, 1 reply; 173+ messages in thread
From: Theodore Ts'o @ 2016-08-26 23:02 UTC (permalink / raw)
  To: Jeremy Allison; +Cc: Linus Torvalds, ksummit-discuss

On Fri, Aug 26, 2016 at 03:42:13PM -0700, Jeremy Allison via Ksummit-discuss wrote:
> The other thing to remember is Bradley isn't the one making the
> decisions here. It's the developers - *ALWAYS* the developers.
> Bradley and the Conservancy staff can give advice, but they do
> not do *anything* without a direct mandate from the copyright
> holders.
> 
> Conservancy acts when developers ask them to. It isn't accurate
> to think of Bradley or Conservancy as a rogue actor running around
> doing their own thing. 

Ah, but *which* developers?  There are a huge number of entities who
own copyrights in the Linux kernel.  Does the Conservancy get to pick
and choose which developers they will listen to?  What about the
companies that own copyright in the Linux kernel, such as Red Hat,
IBM, Intel, Google, and others?  Do they get a seat at the table?

What about Linus's opinions?  Is the Conservancy going to at least ask
the major copyright holders whether they are OK with a lawsuit before
going ahead, and stop if they say No?  Or so long as you can find some
number of developers who say, "go for it!" you'll start filing the
paperwork at the courthouse?

There have been at least some representation made by Conservancy staff
that appear to denote that they have their set of developers and that
they are going to do what they are going to do, regardless of what
other copyright holders might think.  Perhaps it might be
understandable why some might feel that your term of "rogue actor"
might actually be appropriate?

As I said in another e-mail; at the heart of this question is really a
governance / polity issue, and I don't believe the Kernel Summit is
well situated to address these sorts of questions, as we don't have
all of the stakeholders present.

						- Ted


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-26 21:51 ` Linus Torvalds
@ 2016-08-26 22:42   ` Jeremy Allison
  2016-08-26 23:02     ` Theodore Ts'o
  2016-08-26 23:54   ` Bradley M. Kuhn
  1 sibling, 1 reply; 173+ messages in thread
From: Jeremy Allison @ 2016-08-26 22:42 UTC (permalink / raw)
  To: Linus Torvalds; +Cc: ksummit-discuss

On Fri, Aug 26, 2016 at 02:51:16PM -0700, Linus Torvalds wrote:
> On Fri, Aug 26, 2016 at 12:33 PM, Jeremy Allison <jra@samba.org> wrote:
> >
> > These days we rely on Conservancy doing the kind of back-room negotiation
> > that they are really good at, and they've never failed us on this. Lawsuits
> > *are* a last-ditch nuclear option.
> 
> Jeremy, I trust *you*.
> 
> But I do not trust Bradley, for example.

Thanks. I'm in the happy position of trusting both you *and*
Bradley. But I know you don't know him as well as I do.

> Bradley talks the talk here when called out on it, but elsewhere he
> clearly sees enforcement not as just a last ditch nuclear option. I've
> heard that complaint from people in private conversations, but you can
> find it in public posts too.
> 
> For example, we had a really nasty issue with Patrick McHardy, and
> sadly, the companies involved apparently didn't dare talk about it for
> fear of bad press (even if the badness was from our side). I was
> actually informed by Karen that the SFC finally made the thing public
> (thanks Karen - I really appreciated that), but when I went looking
> for it I find Bradley Kuhn making comments like these:
>...

Linus, I hope you of all people realize what can happen when you take people's
email quotes out of context. You end up with things like this:

http://www.theregister.co.uk/2016/08/26/linus_torvalds_calls_own_lawyers_nasty_festering_disease/

Which isn't a nuanced look at the discussion we are having here :-).

You have to remember you get to talk to the engineers about GPL
violations, who sheepishly look at their shoes and say, "yeah,
I'm talking to management about fixing that." That's the approach
I take too when talking about GPL violations. But if that doesn't
work (and there are some companies for which it really doesn't),
then you have to talk to management.

Bradley has to have that talk with the management instead. That can give
a completely different perception of what is going on ("fsck you,
we're never giving you that code" :-). Remember, Conservancy are
the people we call in when we're not getting anywhere through the
unofficial channels.

I've (very) occasionally been on one of those calls. They're
not pleasant.

The other thing to remember is Bradley isn't the one making the
decisions here. It's the developers - *ALWAYS* the developers.
Bradley and the Conservancy staff can give advice, but they do
not do *anything* without a direct mandate from the copyright
holders.

Conservancy acts when developers ask them to. It isn't accurate
to think of Bradley or Conservancy as a rogue actor running around
doing their own thing. They're more like the union rep who does
the tough negotiations with the employer. No one likes the union
rep. (or maybe I've lived in the USA too long :-).

> Look, guys. This is Bradley EXPLICITLY talking about using the courts
> as a way to "clarify" issues.
> 
> So _excuse_ me for not finding Bradley Kuhn very trustworthy on this
> issue. He's on public record on doing exactly that I am arguing we
> should *NOT* be doing.
> 
> Lawsuits aren't about "clarification". They aren't something we should
> hope for in order to "proceed with more certainty".

Corporate lawyers talk like that ("clarification"). It's the language
they understand. No one files lawsuits for "clarification", if they
do (and there have been amazingly few open source lawsuits compared
to the litigious hell that is proprietary software) they're either a
bad actor doing it for money (not mentioning names here) or they're
trying to get compliance (Conservancy).

> Please, see above. If you're on the Conservancy board of directors,
> maybe you should clarify with Bradley, who is listed as _president_ of
> the board, what that mission actually is?
> 
> Because right now, I'm getting some _very_ mixed messages.

I think the best message Conservancy has made on GPL compliance is here:

https://sfconservancy.org/copyleft-compliance/principles.html

and I *know* everyone there is on board with that ! As for
the general mission - more Free Software for all ! :-).

https://sfconservancy.org/about/

"Software Freedom Conservancy helps promote, improve, develop,
and defend Free, Libre, and Open Source Software (FLOSS) projects.
Conservancy provides a non-profit home and infrastructure for FLOSS
projects. This allows FLOSS developers to focus on what they do best
— writing and improving FLOSS for the general public — while
Conservancy takes care of the projects' needs that do not relate
directly to software development and documentation."

I think we all want the same thing. To mess with the code :-).


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-26 19:33 Jeremy Allison
  2016-08-26 21:19 ` David Woodhouse
@ 2016-08-26 21:51 ` Linus Torvalds
  2016-08-26 22:42   ` Jeremy Allison
  2016-08-26 23:54   ` Bradley M. Kuhn
  1 sibling, 2 replies; 173+ messages in thread
From: Linus Torvalds @ 2016-08-26 21:51 UTC (permalink / raw)
  To: Jeremy Allison; +Cc: ksummit-discuss

On Fri, Aug 26, 2016 at 12:33 PM, Jeremy Allison <jra@samba.org> wrote:
>
> These days we rely on Conservancy doing the kind of back-room negotiation
> that they are really good at, and they've never failed us on this. Lawsuits
> *are* a last-ditch nuclear option.

Jeremy, I trust *you*.

But I do not trust Bradley, for example.

Bradley talks the talk here when called out on it, but elsewhere he
clearly sees enforcement not as just a last ditch nuclear option. I've
heard that complaint from people in private conversations, but you can
find it in public posts too.

For example, we had a really nasty issue with Patrick McHardy, and
sadly, the companies involved apparently didn't dare talk about it for
fear of bad press (even if the badness was from our side). I was
actually informed by Karen that the SFC finally made the thing public
(thanks Karen - I really appreciated that), but when I went looking
for it I find Bradley Kuhn making comments like these:

  http://lwn.net/Articles/695014/

Let me highlight that last sentence:

   "Finally, while discussions about GPL and its derivative/combined
works requirements are basically “old hat” to our community, the
discussion is completely new to the Courts. We'll have to bring the
question to a lot of Courts in a lot of different ways to get clarity.
But, once we do that, then we'll know, and everyone can proceed with
more certainty."

Look, guys. This is Bradley EXPLICITLY talking about using the courts
as a way to "clarify" issues.

So _excuse_ me for not finding Bradley Kuhn very trustworthy on this
issue. He's on public record on doing exactly that I am arguing we
should *NOT* be doing.

Lawsuits aren't about "clarification". They aren't something we should
hope for in order to "proceed with more certainty".

> Full disclosure: I'm on the Conservancy Board of Directors, so I obviously
> agree with their mission.

Please, see above. If you're on the Conservancy board of directors,
maybe you should clarify with Bradley, who is listed as _president_ of
the board, what that mission actually is?

Because right now, I'm getting some _very_ mixed messages.

                  Linus


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-26 19:53                       ` James Bottomley
  2016-08-26 19:55                         ` Matthew Garrett
@ 2016-08-26 21:41                         ` Theodore Ts'o
  2016-08-26 23:04                           ` Luis R. Rodriguez
  2016-08-27  4:00                           ` Josh Triplett
  1 sibling, 2 replies; 173+ messages in thread
From: Theodore Ts'o @ 2016-08-26 21:41 UTC (permalink / raw)
  To: James Bottomley; +Cc: Linus Torvalds, Bradley M. Kuhn, ksummit-discuss

On Fri, Aug 26, 2016 at 03:53:19PM -0400, James Bottomley wrote:
> 
> I think the disagreement is over *when* you give up and go for the
> final resort.  And who you trust to take that decision.
>

At the end of the day this is really a governance question.  There are
a huge number of stakeholders involved.  It includes the kernel
developers who do the work; and those who own the copyright; and those
who pay many of our salaries; and those who might pay our salaries in
the future if we can convince them to be good citizens; and so on.
Not all of them will be represented at the Kernel Summit.

It will include those entities who are GPL maximalists and who believe
that kernel modules are always infected by the GPLv2, and those who
take a looser interpretation of that particular issue.  And that's a
political question and a legal interpretation question.

(Disclosure: given that I supervised the student at MIT who ported the
Transarc's Andrew File System to Linux back in the 1990's, and who
requested a clarification from Linus that taking pre-existing third
party code and linking it to the Linux kernel via a kernel module
wouldn't make it a derived work leading to GPL infection, it should be
pretty clear where I fall on that spectrum.  During those early years
the Linux AFS port enabled the use of Linux by a huge number of MIT
students, faculty, and staff, as well as at other universities such as
CMU and even some National Labs.  As such, I consider that work to be
a Good Thing and am *completely* unapologetic if it upsets some of the
GPL maximalists out there.)

These sorts of legal / political questions are things for which I
believe the Kernel Summit isn't well equipped to handle.  In
particular, if the SFC has a pre-existing agenda --- that is, if they
have clients and have lawyers who believe very strongly that the
next step is to "bring the question to a lot of Courts"[1] --- and
they want a forum to try to convince kernel developers to support them
in trying to force the courts around the world to give us an answer to
legal questions around the GPL --- that's inherently a political
question, and I don't think it's appropriate to give them a soapbox to
try to let them advance that agenda at the Kernel Summit.

[1] https://lwn.net/Articles/695014/

I've already gotten more than one request from representatives from
other non-developer stakeholders requesting that they also be able to
attend.  And in fairness, if we were to give the SFC a soapbox, then
there will be any number of lawyers who would want to attend to make
sure that the interests of their clients would also be protected ---
and under what standards of fairness would we give lawyers with a
specific agenda that they want to push access, but deny access for
other lawyers to attend?  Let's just not go there.

The Linux Foundation has run Legal Summits before, and has invited
kernel developers to give input to the legal beagles at those Legal
Summits.  But we're talking about the Kernel Summit here, and not a LF
Legal Summit.

       	    	  	     	      	    - Ted


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-26 19:33 Jeremy Allison
@ 2016-08-26 21:19 ` David Woodhouse
  2016-08-26 21:51 ` Linus Torvalds
  1 sibling, 0 replies; 173+ messages in thread
From: David Woodhouse @ 2016-08-26 21:19 UTC (permalink / raw)
  To: Jeremy Allison, ksummit-discuss, Linus Torvalds


On Fri, 2016-08-26 at 12:33 -0700, Jeremy Allison via Ksummit-discuss
wrote:
> These days we rely on Conservancy doing the kind of back-room negotiation
> that they are really good at, and they've never failed us on this. Lawsuits
> *are* a last-ditch nuclear option.

Without the option of a lawsuit, there *is* no negotiation. The GPL has
certain requirements and they are backed up by law. If you don't have
that, you might as well have a BSD licence.

You won't get far in negotiating with someone to release their
modifications if the code in question is under a BSD licence and you
start the conversation by saying "You need to release the changes you
made or... we'll be sad". And that's *precisely* the same as the GPL if
you state up front that you'll never sue. You'll just get laughed at.

Conservancy quite rightly use legal action as a last resort after all
other reasonable avenues have been exhausted. But you can't abandon it
completely.

And the idea that legal action against violators would scare away those
who are using the software *legally* is laughable. There is *always*
risk...

If you use commercial software and don't pay for the licence, you can
be sued.

If you use Free Software and don't comply with the licence, you can be
sued.

And even if you write it yourself, you have to be really careful your
engineers don't pick up code snippets they found on the Internet... or
you can be sued.

Whatever you do, you have to actually follow the rules and do it right.
Holding persistent violators to the rules the hard way, if they refuse
to do the right thing after years of negotiation, *really* shouldn't
scare off anyone sensible from using Free Software.

-- 
dwmw2


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-26 19:36             ` Bradley M. Kuhn
@ 2016-08-26 20:09               ` Jeremy Allison
  0 siblings, 0 replies; 173+ messages in thread
From: Jeremy Allison @ 2016-08-26 20:09 UTC (permalink / raw)
  To: ksummit-discuss

On Fri Aug 26 19:03:56 UTC 2016, Linus Torvalds <torvalds@linux-foundation.org> wrote:

> So note how I said earlier that it's not an entirely black-and-white thing.
> ...
> We've also seen how even successful lawsuits haven't actually helped
> the project involved. So there was certainly an education there too -
> for the developer side.

(This may also be a re-post, sorry if so - just joined the list
so not sure if my previous posting of this went through).

Apologies for the drive-by posting. I'm not normally on this list,
but this discussion is important enough I wanted to correct the
above point.

The Samba project has never sued anyone over GPL-violations. We've
discussed violations with companies more times than I can remember,
but never had to go to court over the GPL being violated on our code.

These days we rely on Conservancy doing the kind of back-room negotiation
that they are really good at, and they've never failed us on this. Lawsuits
*are* a last-ditch nuclear option.

However, we do have experience with one successful lawsuit, which
provides a good counter example to the comment above.

Samba and the FSFE were the last entities standing in the Microsoft vs EU
anti-trust lawsuit. We even helped cost them over $1b in fines.

Next month I'll be going up to my second invite-only Microsoft plugfest
of the year - this one set up specifically for the Team that sued them.

I'll be visiting several of my friends there, including one of their
lawyers (although the rest of them are engineers :-).

The Microsoft vs EU lawsuit was not only successful, it helped the
Samba project a great deal. The documentation that was released because of
the lawsuit has provided impetus for a great deal of new Samba development,
as well as creating a diverse marketplace of new proprietary competitors
(which has helped raise everyone's code and improved interop for the users).

None of this would have happened without the successful lawsuit, rancorous
though it was at the time (and in public too :-).

So as someone said earlier, this is not an entirely black-and-white thing :-).

Jeremy.

Full disclosure: I'm on the Conservancy Board of Directors, so I obviously
agree with their mission.


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-26 19:45                     ` Matthew Garrett
  2016-08-26 19:53                       ` James Bottomley
@ 2016-08-26 19:59                       ` Linus Torvalds
  1 sibling, 0 replies; 173+ messages in thread
From: Linus Torvalds @ 2016-08-26 19:59 UTC (permalink / raw)
  To: Matthew Garrett; +Cc: Bradley M. Kuhn, ksummit-discuss

On Fri, Aug 26, 2016 at 12:45 PM, Matthew Garrett <mjg59@coreos.com> wrote:
>
> We agree that quiet negotiation is the preferred tactic. We agree that
> lawsuits may be necessary as a final resort. It doesn't seem like
> we're disagreeing on anything fundamental in that respect. What Karen
> has suggested is an opportunity for the kernel community to give clear
> input into when that final resort should be acceptable.

Heh. Sounds like we do indeed end up agreeing here, there was nothing
I disagreed with in this email for example.

Maybe I read more into Bradley's saying than I should have, but it
_really_ rubbed me the wrong way.

I really think the biggest impact of the GPL has been almost
_entirely_ outside any legal issues, and that it's a great document
not because it's a great legal piece of writing, but because of much
bigger issues.

That may be why I reacted *so* negatively to seeing it argued that
it's pointless without enforcement. Almost none of the successes of
the GPL have ever been about the legal side.

To put it in ridiculously overly grandiose historical terms: nobody
enforces the magna carta any more - it's not like you need to. It's
the *ideas* that matter, and the fact that it changed the world.

But as I started out saying, I actually support discussing this at the
kernel summit, it's just that I absolutely do *not* think it's about
having lawyers present.

Because that's not the point.

           Linus


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-26 19:55                         ` Matthew Garrett
@ 2016-08-26 19:58                           ` James Bottomley
  0 siblings, 0 replies; 173+ messages in thread
From: James Bottomley @ 2016-08-26 19:58 UTC (permalink / raw)
  To: Matthew Garrett; +Cc: Bradley M. Kuhn, Linus Torvalds, ksummit-discuss

On Fri, 2016-08-26 at 15:55 -0400, Matthew Garrett wrote:
> On Fri, Aug 26, 2016 at 3:53 PM, James Bottomley
> <James.Bottomley@hansenpartnership.com> wrote:
> > On Fri, 2016-08-26 at 15:45 -0400, Matthew Garrett wrote:
> > > We agree that quiet negotiation is the preferred tactic. We agree
> > > that lawsuits may be necessary as a final resort. It doesn't seem
> > > like we're disagreeing on anything fundamental in that respect. 
> > > What Karen has suggested is an opportunity for the kernel 
> > > community to give clear input into when that final resort should 
> > > be acceptable.
> > 
> > I think the disagreement is over *when* you give up and go for the
> > final resort.  And who you trust to take that decision.
> 
> Doesn't that sound like a worthwhile thing to discuss at Kernel 
> Summit?

Give me a framework for how you'd propose agreeing a resolution on that
one.  I'm asking because it's very much something that's likely to
produce a lot of heat and very little light.

James


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-26 19:53                       ` James Bottomley
@ 2016-08-26 19:55                         ` Matthew Garrett
  2016-08-26 19:58                           ` James Bottomley
  2016-08-26 21:41                         ` Theodore Ts'o
  1 sibling, 1 reply; 173+ messages in thread
From: Matthew Garrett @ 2016-08-26 19:55 UTC (permalink / raw)
  To: James Bottomley; +Cc: Bradley M. Kuhn, Linus Torvalds, ksummit-discuss

On Fri, Aug 26, 2016 at 3:53 PM, James Bottomley
<James.Bottomley@hansenpartnership.com> wrote:
> On Fri, 2016-08-26 at 15:45 -0400, Matthew Garrett wrote:
>> We agree that quiet negotiation is the preferred tactic. We agree
>> that lawsuits may be necessary as a final resort. It doesn't seem
>> like we're disagreeing on anything fundamental in that respect. What
>> Karen has suggested is an opportunity for the kernel community to
>> give clear input into when that final resort should be acceptable.
>
> I think the disagreement is over *when* you give up and go for the
> final resort.  And who you trust to take that decision.

Doesn't that sound like a worthwhile thing to discuss at Kernel Summit?


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-26 19:45                     ` Matthew Garrett
@ 2016-08-26 19:53                       ` James Bottomley
  2016-08-26 19:55                         ` Matthew Garrett
  2016-08-26 21:41                         ` Theodore Ts'o
  2016-08-26 19:59                       ` Linus Torvalds
  1 sibling, 2 replies; 173+ messages in thread
From: James Bottomley @ 2016-08-26 19:53 UTC (permalink / raw)
  To: Matthew Garrett, Linus Torvalds; +Cc: Bradley M. Kuhn, ksummit-discuss

On Fri, 2016-08-26 at 15:45 -0400, Matthew Garrett wrote:
> On Fri, Aug 26, 2016 at 3:03 PM, Linus Torvalds
[..]
> > I'm sure you've heard the term "GPL maximalist". It's not a pretty
> > thing, and it's hurting us. We were successful exactly because we 
> > were *not* maximalists.
> > 
> > We absolutely should fight that fringe movement.
> 
> We agree that quiet negotiation is the preferred tactic. We agree 
> that lawsuits may be necessary as a final resort. It doesn't seem 
> like we're disagreeing on anything fundamental in that respect. What 
> Karen has suggested is an opportunity for the kernel community to 
> give clear input into when that final resort should be acceptable.

I think the disagreement is over *when* you give up and go for the
final resort.  And who you trust to take that decision.

James


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-26 19:03                   ` Linus Torvalds
  2016-08-26 19:29                     ` Rik van Riel
@ 2016-08-26 19:45                     ` Matthew Garrett
  2016-08-26 19:53                       ` James Bottomley
  2016-08-26 19:59                       ` Linus Torvalds
  1 sibling, 2 replies; 173+ messages in thread
From: Matthew Garrett @ 2016-08-26 19:45 UTC (permalink / raw)
  To: Linus Torvalds; +Cc: Bradley M. Kuhn, ksummit-discuss

On Fri, Aug 26, 2016 at 3:03 PM, Linus Torvalds
<torvalds@linux-foundation.org> wrote:
> On Fri, Aug 26, 2016 at 10:49 AM, Matthew Garrett <mjg59@coreos.com> wrote:
>>
>> And yet Linksys were still in violation (even on the WRT54GL!) in
>> 2008, resulting in a lawsuit (which they settled). That was after two
>> and a half years of quiet negotiation between the FSF and Linksys.
>> People had raised a stink. Discussions happened. Linksys didn't come
>> into compliance until the suit was filed, and to this day they
>> continue to distribute Linux-based routers and provide the source.
>>
>> Which part of this was inappropriate? What should have been done instead?
>
> So note how I said earlier that it's not an entirely black-and-white thing.
>
> I do think that there is some final point where lawyers do need to get
> involved. But it really should be seen as a last effort thing. It's
> the nuclear option.

As far as I know, the last time the SFC was involved in a lawsuit was
in 2010. Since then they've worked with a large number of vendors and
secured the release of significant quantities of code. We're not
talking about ambulance chasers, here.

> It is *not* something we should be belligerent about, and something
> you use as a threat. It is very much not a "we can all decide to give
> up on the GPL, or we can enforce it in Courts".

It's hyperbole, but there's truth to it. Some vendors will be
receptive to quiet negotiation, especially in cases where there's very
similar precedent (router vendors seem to be well behaved here). But
if vendors start pushing back, and if it becomes known that there are
no consequences for pushing back, that's likely to change. If it's
viewed as socially beneficial to release GPLed source, but not viewed
as a hard requirement, the distinction between the GPL and a BSD-style
license vanishes, which is what Bradley means by "giving up on the
GPL". For companies that don't see any social or technical benefit in
releasing their source (vendors producing cheap short-term products
who'll never have to rebase patches, for instance), the only incentive
is the legal one. I understand why you're just not that interested in
that case, but there are huge numbers of users who are. Doing what we
can to help them is worthwhile.

> And the thing is, I think that the reasons to bring in lawyers have
> weakened markedly over time. I'm sure you remember back when some
> people used to argue that the GPL was invalid and unenforceable. It
> was a completely bullshit argument, and had absolutely no sane
> thinking behind it, but it definitely existed.

Oh, I agree, and it's much easier *because* lawyers were involved in
the past. But there's still plenty of edge cases, and the VMware case
demonstrates that there are still significant vendors who won't do the
right thing even if there's been plenty of quiet negotiation.

> At the same time, when we've obviously convinced people the GPL is
> serious and real, I'm actually seeing *more* noise to go to war, not
> less. That makes no sense.

I think you're misinterpreting what people are saying. People want to
make sure that if we do go to war, that we win. That means having a
strong cohort of copyright holders who can't be weakened by corporate
pressure, and making it clear that lawsuits won't be ruled out. Nobody
*wants* to go to court, not even Bradley. It's only happening because
everything that could be done before that was done, and failed.

> As a result, we should be much *less* inclined to make legal threats,
> since so much of the industry has been convinced. Not all, no, but the
> GPL has actually become an accepted license inside a lot of companies.
> Some of those companies used to rant against it and call it "cancer".

The number of companies using Linux has increased significantly since
2010. The number of lawsuits has decreased. Evidence suggests that
everybody involved *is* less inclined to make legal threats.

> I'm sure you've heard the term "GPL maximalist". It's not a pretty
> thing, and it's hurting us. We were successful exactly because we were
> *not* maximalists.
>
> We absolutely should fight that fringe movement.

We agree that quiet negotiation is the preferred tactic. We agree that
lawsuits may be necessary as a final resort. It doesn't seem like
we're disagreeing on anything fundamental in that respect. What Karen
has suggested is an opportunity for the kernel community to give clear
input into when that final resort should be acceptable.


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-26 16:34           ` Linus Torvalds
  2016-08-26 16:48             ` Rik van Riel
  2016-08-26 16:52             ` Linus Torvalds
@ 2016-08-26 19:36             ` Bradley M. Kuhn
  2016-08-26 20:09               ` Jeremy Allison
  2 siblings, 1 reply; 173+ messages in thread
From: Bradley M. Kuhn @ 2016-08-26 19:36 UTC (permalink / raw)
  To: Linus Torvalds; +Cc: ksummit-discuss

> On Fri, Aug 26, 2016 at 8:28 AM, Rik van Riel <riel@redhat.com> wrote:
>> The downstream freedoms seem to be generating new upstream
>> communities all around us, for example OpenWRT.

Linus Torvalds replied at 09:34 (PDT) on the same day:
> And I call bullshit. Anybody who tries to point to the lawsuits and
> say that they were a big factor in the success of OpenWRT is actively
> ignoring all the other - and hugely *bigger* factors - in the
> successes of OpenWRT.

It's tough to know what factors made OpenWRT *more* successful in the years
after the enforcement action in 2003 against Linksys and Cisco.  However,
it's a fact that the WRT54G enforcement action bootstrapped that community.
Specifically, the first checkin to the original OpenWRT SVN repository was
the source release that we received out of that enforcement action [0].
There was a similar outcome for Samsung TVs [1].

WRT54G was the first ever enforcement action with a coalition of copyright
holders -- including Harald Welte, (primary BusyBox developer) Erik
Andersen, FSF, and others.  These days, Conservancy models our coalitions
after the 2003 one that Harald and I coordinated -- with as many
transparency improvements as we can think of (e.g., the publication of the
Principles).  BTW, funny story from that enforcement action: Harald ended
every conference call with "Why have we not sued Cisco yet?"  I fought
*Harald* to talk him *out* of filing a lawsuit on that one, and in the end,
we succeeded by *not* filing a lawsuit.  Lawsuits are always a last resort
*after* nothing else works.

I'm not a lawyer; I'm a developer-turned-community-activist-&-organizer.
Linux developers for *years* came up to me at conferences and said: "Why do
you only enforce for BusyBox?  Why don't you help *me* enforce for Linux? I
know of products that violate GPL and no one is doing anything about it!"
After almost a decade, I stopped ignoring them, because I believe the
developers who write Linux are important.  Their views matter, and what they
want done about their license matters.

Relatedly, Linus, I even changed my position on copyright assignment over
time because of your arguments.  When I was young, I thought upholding GPL
required universal, mandatory copyright assignment, which has the downside
of creating inequities in a community -- no matter how carefully constructed
that assignment document.  I now believe copyright assignment -- to one's
employer, to another developer, or to a charity like Conservancy or FSF --
should always be 100% optional.  The upshot, though, is a democratic system;
all copyright holders' opinions are relevant.

Those copyright holders will disagree with each other, but we should all
keep talking, rather than ostracizing some opinions.  A KS session where we
can do so face-to-face seems the best venue -- rather than falling into the
actual discussion in a thread on a list intended only to discuss the
meta-issue of the merits of having the discussion. :)

Linus Torvalds wrote further in another part of the thread:
>  I believe the SFLC (and now SFC) approach is poison.

SFLC has not been Conservancy's law firm for a long while.  Karen and I have
learned from past mistakes.  We published the Principles to lead the charge
on avoiding lawsuits as much as possible, and encouraging GPL enforcement
transparency.  (Personally, I'm very disappointed that Patrick McHardy
isn't answering to the Linux community about what he's up to.)

> a bit of public shaming is not bad.

I believe public shaming is the second-to-last resort, because public
shaming is sometimes worse for a company's responsiveness and willingness to
reconcile than a lawsuit.  It depends on the situation.

> [a lawsuit] is very much a last resort. It has huge negative consequences.
> ...I do think that there is some final point where lawyers do need to get
> involved. But it really should be seen as a last effort thing.

I agree completely.  In its more than a decade of existence, Conservancy has
only participated directly in one lawsuit (with Erik Andersen, over
BusyBox), and helped fund another one (Christoph's against VMware).  That's
it.  We don't take a litigation decision lightly, we do it very rarely, and
only after every other idea has been tried over a long time period.

That's my position, and my position on lawsuits hasn't changed since 2003.
If you thought my position was something different, you've misunderstood.


[0] At the time I took the source release that we got from the
    enforcement action -- which was made public within a few weeks of when I
    first got it -- and the diff was 100% clean against what the OpenWRT
    developers checked in as r1.  I didn't coordinate with those developers;
    they chose on their own to download that source release and start
    building a Free Software project around it.

[1] https://www.samygo.tv/ -- which is based on sources Conservancy got
    released in the BusyBox lawsuit against Samsung.  I didn't coordinate
    with those developers; I don't even know them.  They found the release
    we got from Samsung in the lawsuit and built a firmware-mod community
    around it.  And, BTW, Samsung participates regularly upstream now.
-- 
Bradley M. Kuhn
Distinguished Technologist of Software Freedom Conservancy
========================================================================
Become a Conservancy Supporter today: https://sfconservancy.org/supporter


* [Ksummit-discuss] [CORE TOPIC] GPL defense issues
@ 2016-08-26 19:33 Jeremy Allison
  2016-08-26 21:19 ` David Woodhouse
  2016-08-26 21:51 ` Linus Torvalds
  0 siblings, 2 replies; 173+ messages in thread
From: Jeremy Allison @ 2016-08-26 19:33 UTC (permalink / raw)
  To: ksummit-discuss, Linus Torvalds, jra

On Fri Aug 26 19:03:56 UTC 2016, Linus Torvalds <torvalds@linux-foundation.org> wrote:

> So note how I said earlier that it's not an entirely black-and-white thing.
> ...
> We've also seen how even successful lawsuits haven't actually helped
> the project involved. So there was certainly an education there too -
> for the developer side.

Apologies for the drive-by posting. I'm not normally on this list,
but this discussion is important enough I wanted to correct the
above point.

The Samba project has never sued anyone over GPL-violations. We've
discussed violations with companies more times than I can remember,
but never had to go to court over the GPL being violated on our code.

These days we rely on Conservancy doing the kind of back-room negotiation
that they are really good at, and they've never failed us on this. Lawsuits
*are* a last-ditch nuclear option.

However, we do have experience with one successful lawsuit, which
provides a good counter example to the comment above.

Samba and the FSFE were the last entities standing in the Microsoft vs EU
anti-trust lawsuit. We even helped cost them over $1b in fines.

Next month I'll be going up to my second invite-only Microsoft plugfest
of the year - this one set up specifically for the Team that sued them.

I'll be visiting several of my friends there, including one of their
lawyers (although the rest of them are engineers :-).

The Microsoft vs EU lawsuit was not only successful, it helped the
Samba project a great deal. The documentation that was released because of
the lawsuit has provided impetus for a great deal of new Samba development,
as well as creating a diverse marketplace of new proprietary competitors
(which has helped raise everyone's code and improved interop for the users).

None of this would have happened without the successful lawsuit, rancorous
though it was at the time (and in public too :-).

So as someone said earlier, this is not an entirely black-and-white thing :-).

Jeremy.

Full disclosure: I'm on the Conservancy Board of Directors, so I obviously
agree with their mission.


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-26 19:03                   ` Linus Torvalds
@ 2016-08-26 19:29                     ` Rik van Riel
  2016-08-26 19:45                     ` Matthew Garrett
  1 sibling, 0 replies; 173+ messages in thread
From: Rik van Riel @ 2016-08-26 19:29 UTC (permalink / raw)
  To: Linus Torvalds, Matthew Garrett; +Cc: Bradley M. Kuhn, ksummit-discuss

On Fri, 2016-08-26 at 12:03 -0700, Linus Torvalds wrote:
> 
> And the thing is, I think that the reasons to bring in lawyers have
> weakened markedly over time. I'm sure you remember back when some
> people used to argue that the GPL was invalid and unenforceable. It
> was a completely bullshit argument, and had absolutely no sane
> thinking behind it, but it definitely existed.
> 
> For the people who haven't been around enough, just google for it.
> That insane argument has been made.
> 
> Nobody makes that argument any more. The GPL is obviously enforceable
> and that it's simply not an issue. Legal departments *know* it is
> enforceable.
> 
Legal departments know sections 3, 4, 5 and 6 of
the GPL are enforceable because they have been
enforced in court, and judges have decided they
are enforceable.

There is something to be said for the argument
that the lawyers are no longer needed, because
they have already done their jobs, however I
am not aware of e.g. GPL section 2 having been
tested the same way.

This may also be why the VMware thing had been
dragging on for 7 (IIRC) years before a lawsuit
was eventually filed. It appears to be about a
different part of the GPL than the sections that
everybody now agrees are enforceable.

I totally agree that a lawsuit should be an
absolute last resort. However, after 7 years
of attempts to resolve the issue, without 
progress towards a resolution, probably qualifies
as a "last resort" situation.

I do not think the conservancy would get much
support if it were enthusiastic about starting
lawsuits.


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-26 17:49                 ` Matthew Garrett
@ 2016-08-26 19:03                   ` Linus Torvalds
  2016-08-26 19:29                     ` Rik van Riel
  2016-08-26 19:45                     ` Matthew Garrett
  0 siblings, 2 replies; 173+ messages in thread
From: Linus Torvalds @ 2016-08-26 19:03 UTC (permalink / raw)
  To: Matthew Garrett; +Cc: Bradley M. Kuhn, ksummit-discuss

On Fri, Aug 26, 2016 at 10:49 AM, Matthew Garrett <mjg59@coreos.com> wrote:
>
> And yet Linksys were still in violation (even on the WRT54GL!) in
> 2008, resulting in a lawsuit (which they settled). That was after two
> and a half years of quiet negotiation between the FSF and Linksys.
> People had raised a stink. Discussions happened. Linksys didn't come
> into compliance until the suit was filed, and to this day they
> continue to distribute Linux-based routers and provide the source.
>
> Which part of this was inappropriate? What should have been done instead?

So note how I said earlier that it's not an entirely black-and-white thing.

I do think that there is some final point where lawyers do need to get
involved. But it really should be seen as a last effort thing. It's
the nuclear option.

It is *not* something we should be belligerent about, and something
you use as a threat. It is very much not a "we can all decide to give
up on the GPL, or we can enforce it in Courts".

It's essentially echoing "if you're not with us, you are against us".
It's a completely false dichotomy, and sane people should resist that
kind of illogical thinking and behavior.

It is simply not a valid argument for going to war. It never has been.

And the thing is, I think that the reasons to bring in lawyers have
weakened markedly over time. I'm sure you remember back when some
people used to argue that the GPL was invalid and unenforceable. It
was a completely bullshit argument, and had absolutely no sane
thinking behind it, but it definitely existed.

For the people who haven't been around enough, just google for it.
That insane argument has been made.

Nobody makes that argument any more. The GPL is obviously enforceable
and that it's simply not an issue. Legal departments *know* it is
enforceable.

And that's part of a bigger (and good) pattern: people actually know
and understand the GPL, and there are tons and tons of companies that
really believe in it. Lawsuits aren't even "educational" any more.

We've also seen how even successful lawsuits haven't actually helped
the project involved. So there was certainly an education there too -
for the developer side.

At the same time, when we've obviously convinced people the GPL is
serious and real, I'm actually seeing *more* noise to go to war, not
less. That makes no sense.

We solved the whole perception issue, and there is no question
what-so-ever that the GPL is enforceable, but instead of making some
people happier, to some of them it's a sign that "now we need to take
the fight to the next level".

That's BS. That's completely idiotic thinking. We've *won*. People know
that not only is the GPL a valid license, they see and acknowledge
that it's a very successful model of development (another thing that
certainly was not universally acknowledged).

These days we only have *more* to lose, and less upside.

As a result, we should be much *less* inclined to make legal threats,
since so much of the industry has been convinced. Not all, no, but the
GPL has actually become an accepted license inside a lot of companies.
Some of those companies used to rant against it and call it "cancer".

I'm sure you've heard the term "GPL maximalist". It's not a pretty
thing, and it's hurting us. We were successful exactly because we were
*not* maximalists.

We absolutely should fight that fringe movement.

                  Linus


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-26 17:21               ` Linus Torvalds
@ 2016-08-26 17:49                 ` Matthew Garrett
  2016-08-26 19:03                   ` Linus Torvalds
  0 siblings, 1 reply; 173+ messages in thread
From: Matthew Garrett @ 2016-08-26 17:49 UTC (permalink / raw)
  To: Linus Torvalds; +Cc: Bradley M. Kuhn, ksummit-discuss

On Fri, Aug 26, 2016 at 1:21 PM, Linus Torvalds
<torvalds@linux-foundation.org> wrote:
> But within this discussion it's somewhat interesting to note that the
> Linksys WRT54GL that is now known as a "Linux router" was actually
> once one of the bad guys. They *hadn't* originally released source
> code for the WRT54G, and there was a stink, and the company noticed,
> and things got much better.

And yet Linksys were still in violation (even on the WRT54GL!) in
2008, resulting in a lawsuit (which they settled). That was after two
and a half years of quiet negotiation between the FSF and Linksys.
People had raised a stink. Discussions happened. Linksys didn't come
into compliance until the suit was filed, and to this day they
continue to distribute Linux-based routers and provide the source.

Which part of this was inappropriate? What should have been done instead?


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-26 16:48             ` Rik van Riel
@ 2016-08-26 17:21               ` Linus Torvalds
  2016-08-26 17:49                 ` Matthew Garrett
  0 siblings, 1 reply; 173+ messages in thread
From: Linus Torvalds @ 2016-08-26 17:21 UTC (permalink / raw)
  To: Rik van Riel; +Cc: Bradley M. Kuhn, ksummit-discuss

On Fri, Aug 26, 2016 at 9:48 AM, Rik van Riel <riel@redhat.com> wrote:
>
> What I am saying is that the end user freedoms
> specified in the GPL are just as important as
> the upstream community behind the original
> project, since the end user freedoms enable new
> projects, and new communities.

.. and my argument is that lawsuits and threats of lawsuits actually
make communities and projects less likely.

So they are just counter-productive.  The lawsuits and threats of
lawsuits hurt users too when they cause companies to stop supporting
open source.

Of course, like anything, it's a balance. There are no black-and-white
issues. But so far, I haven't seen anything that came even *close*.

And I have seen lots of cases where the threat of suing only hurt.

> There is a lot of nudging and shaming going on,
> but little on the opposite direction.
>
> I wonder if it would make sense for an organization
> like SFC to compile a list of devices that are GPL
> compliant?

Oh, absolutely. And I don't think it's even the SFC that should do it
(although I think it would be good to do so).

There's a lot of lists of supported hardware, and I absolutely agree
that what should generally go on the top of that list is not just "it
works", but "this device not only works, but the vendor has been
explicitly helping".

And I do think it happens. Look at things like the Linksys WRT54GL.
It's *ridiculously* old and weak hardware, but it actually gets good
reviews on Amazon partly exactly because of its Linux support. OpenWRT
doesn't actually recommend any particular vendors (so the good guys
don't get a shout-out, which is a bit sad), but I think DD-WRT does.

But within this discussion it's somewhat interesting to note that the
Linksys WRT54GL that is now known as a "Linux router" was actually
once one of the bad guys. They *hadn't* originally released source
code for the WRT54G, and there was a stink, and the company noticed,
and things got much better.

So again, I'm not arguing against raising a stink. If you see
problems, talk about them.

It's literally only the "bring in the lawyers" I argue against.

And to get back to the original thing that made me react so strongly:
I am in VIOLENT disagreement with Bradley Kuhn's completely insane
statement that "we have two options: we can all decide to give up on
the GPL, or we can enforce it in Courts".

I think history and sanity show that Bradley Kuhn is completely wrong
on this, which is why I reacted _so_ strongly to it.

Quite frankly, I don't want to have *anything* to do with that kind of
mentality, and I definitely don't want to have anything to do with a
SFC that thinks that way.

I was up on stage just two days ago saying how I love the GPLv2
because of how it creates community, and then I get back home and get
pointed to that quote by Bradley.

Christ.

Excuse me for still being entirely LIVID about that idiotic remark.
And it might have been just a throw-away one that Bradley didn't even
think about, but I do think it's telling. I've heard similar noises
before, and this needs to be *stopped*.

> Companies that sell Linux devices could submit their
> devices for inclusion on that list, with a URL to
> the source code, etc.

There have actually been certification proposals in the past, and some
of them even happened. I remember seeing the penguin on packaging. I
think the "unofficial" ones are likely more flexible and able to react
better, but I don't think certification is necessarily *bad*.

Look at what Benson Leung made happen in the USB-C cable space by
completely unofficial "certification". I think that is powerful, and
yes, I certainly support things like that.

                      Linus


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-26 16:37   ` James Bottomley
@ 2016-08-26 17:19     ` Karen Sandler
  2016-08-27 15:43       ` Greg KH
  0 siblings, 1 reply; 173+ messages in thread
From: Karen Sandler @ 2016-08-26 17:19 UTC (permalink / raw)
  To: James Bottomley; +Cc: Linus Torvalds, ksummit-discuss

On Fri, 2016-08-26 at 12:37 -0400, James Bottomley wrote:

>  The idea that your opinion only counts if you've already agreed to
> support SFC actions.  Effectively it disenfranchises the majority in
> the kernel and leads directly to a lot of the irritation that's been
> coming out on the list.

The whole reason I proposed the session (in addition to information
sharing) is to get feedback on our work from those who don't participate
and be as coordinated as possible with the work you, Greg and others not in
our coalition do in your GPL compliance efforts. We're obviously already
in touch with those who are in our coalition. :)

> I just said that I think there's a viable way forward from the
> worst case outcome and the LF has been funding the tool work we'll need
> to survive in that world.

Conservancy has coordinated with these efforts. We've discussed the tool
extensively with its primary author and gave feedback from our work to
inform its progress.  We're glad they plan to release their newer tools
(and most importantly, curated data) soon under a free and open license.
The base tools used for that work, of course, Conservancy has already
been using for some time in our compliance work:

https://sfconservancy.org/copyleft-compliance/vmware-code-similarity.html

karen


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-26 16:34           ` Linus Torvalds
  2016-08-26 16:48             ` Rik van Riel
@ 2016-08-26 16:52             ` Linus Torvalds
  2016-08-26 19:36             ` Bradley M. Kuhn
  2 siblings, 0 replies; 173+ messages in thread
From: Linus Torvalds @ 2016-08-26 16:52 UTC (permalink / raw)
  To: Rik van Riel; +Cc: Bradley M. Kuhn, ksummit-discuss

On Fri, Aug 26, 2016 at 9:34 AM, Linus Torvalds
<torvalds@linux-foundation.org> wrote:
>
> So there's been lots of nudging and discussions and talking to people
> going on when companies sometimes need encouragement to behave well.
> And public shaming too - I think the things that Matthew does when he
> points out truly crap hardware or horrible security issues are
> *wonderful*.

I'd like to just highlight this, because (obviously) I and Matthew
disagree on lots of things quite violently, but that doesn't mean that
we have to disagree on everything. Not at all.

When a company (or individual) does something bad, I'll be the last
person to say that you shouldn't speak out about it. That would indeed
be very hypocritical.

I'm not at all a believer in some kind of "dark backroom deals" kind
of behavior either.

When people violate the license (or do other really questionable
things - I think Matthew had an epic rant about just plain shit code,
which isn't exactly _illegal_ but perhaps should be ;), a bit of
public shaming is not bad.

It's literally "bringing in the legal guns" that I argue against. It's
very much a last resort. It has huge negative consequences.

Telling a company "btw, you know that that is actually illegal" is one
thing. Go ahead. Do it publicly. Shame them in public, or talk to them
strongly in private if you have the connections. Talk to other people,
and tell them to not buy the crap.

Make a stink.

Companies are big and complex things, and parts of the company may not
even have *realized* what was going on (or may not have realized it
was illegal).

Or they may be actively working on fixing things, but can't do it
until the next version, or whatever.

Sometimes it's a bit like software bugs: we can't fix what's out there
right now, but we can try to make the next release better.

It's when you have lawyers threatening lawsuits that you get that
turtle response, and get the managers saying "we can't afford to do
open source" or "maybe we should push a BSD alternative instead".

That's the thing that kills the next version and kills the project,
rather than fixing it.

          Linus


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-26 16:34           ` Linus Torvalds
@ 2016-08-26 16:48             ` Rik van Riel
  2016-08-26 17:21               ` Linus Torvalds
  2016-08-26 16:52             ` Linus Torvalds
  2016-08-26 19:36             ` Bradley M. Kuhn
  2 siblings, 1 reply; 173+ messages in thread
From: Rik van Riel @ 2016-08-26 16:48 UTC (permalink / raw)
  To: Linus Torvalds; +Cc: Bradley M. Kuhn, ksummit-discuss

On Fri, 2016-08-26 at 09:34 -0700, Linus Torvalds wrote:
> On Fri, Aug 26, 2016 at 8:28 AM, Rik van Riel <riel@redhat.com>
> wrote:
> > On Thu, 2016-08-25 at 22:24 -0700, Linus Torvalds wrote:
> > > 
> > > What matters are the people - and companies - that actually
> > > develop
> > > and contribute code, and make the future happen.
> > 
> > Are you saying that the freedom of end users
> > to modify the software running on their Linux
> > devices is irrelevant?
> 
> Irrelevant? No. And are companies who violate the license a good
> thing? No.
> 
> But they really don't make a difference. In a very literal sense.
> They
> aren't improving the code - even in the hidden product itself.

They do not have to for the GPL to work.

What matters is that the users downstream
from them have the freedom to modify the
code on their devices.

> 
> > The downstream freedoms seem to be generating
> > new upstream communities all around us, for
> > example OpenWRT.
> 
> And I call bullshit. Anybody who tries to point to the lawsuits and
> say that they were a big factor in the success of OpenWRT is actively
> ignoring all the other - and hugely *bigger* factors - in the
> successes of OpenWRT.

I am not saying the lawsuits are any factor in
the success of OpenWRT.

What I am saying is that the end user freedoms
specified in the GPL are just as important as
the upstream community behind the original
project, since the end user freedoms enable new
projects, and new communities.


> I'm sure you've had many of the same discussions that I have had with
> other open source people working in various places who are sharing
> horror stories about how some project was a nightmare and parts of
> the
> company was doing bad things.
> 
> So even the good companies tend to have their warts.

Of course the good companies make mistakes.

They tend to get corrected after working with
those companies for some period of time,
sometimes several years.

> So there's been lots of nudging and discussions and talking to people
> going on when companies sometimes need encouragement to behave well.
> And public shaming too - I think the things that Matthew does when he
> points out truly crap hardware or horrible security issues are
> *wonderful*.

There is a lot of nudging and shaming going on,
but little in the opposite direction.

I wonder if it would make sense for an organization
like SFC to compile a list of devices that are GPL
compliant?

Companies that sell Linux devices could submit their
devices for inclusion on that list, with a URL to
the source code, etc.

The stick of shaming and GPL enforcement efforts
might be more effective if there is also a carrot,
directing customers towards the devices that are
compliant.

> We need to stop the antagonistic threatening stances, and we need to
> stop having lawyers involved, and have people who can actually talk
> to
> companies *without* getting that "turtle" response.
> 
> Because that approach really does have a proven track record.  And
> I'm
> pretty sure you know that too.

Lawsuits appear to be the absolute last resort
for the SFC.

If there are people who believe the non-lawsuit
GPL compliance work by the SFC is still too
antagonistic, it may be worth discussing exactly
why people feel that way, and whether anybody
has ideas for better ways to go about GPL
compliance.


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-26 15:23 ` Karen Sandler
@ 2016-08-26 16:37   ` James Bottomley
  2016-08-26 17:19     ` Karen Sandler
  0 siblings, 1 reply; 173+ messages in thread
From: James Bottomley @ 2016-08-26 16:37 UTC (permalink / raw)
  To: Karen Sandler, Linus Torvalds; +Cc: Bradley M. Kuhn, ksummit-discuss

On Fri, 2016-08-26 at 11:23 -0400, Karen Sandler wrote:
[...]
>  When Conservancy acts either publicly or with any legal action, we 
> do so on behalf of and in coordination with the kernel developers 
> that are part of our coalition.  We talk extensively with those 
> developers before taking any action. Anyone who joins our coalition
> is part of those conversations.

This is a big part of what bothers me about the way this is happening.
The idea that your opinion only counts if you've already agreed to
support SFC actions.  Effectively it disenfranchises the majority in
the kernel and leads directly to a lot of the irritation that's been
coming out on the list.

[...]
> As I told you in person, you're exaggerating what the dismissal said,
> and what its impact may be. As I believe you're aware, a German 
> lawyer unconnected to Christoph's case published a memo in German 
> about the case:

To clarify, I did note that an appeal is ongoing; I didn't prejudge the
outcome, I just said that I think there's a viable way forward from the
worst case outcome and the LF has been funding the tool work we'll need
to survive in that world.

> Finally, James, Greg, you both talked about your approaches working 
> with companies internally to keep them upstreaming and to not violate 
> GPL. With larger, older software companies that act more rationally -
> - like IBM and Intel which Greg mentioned -- this work is invaluable.

My point was that the business principles that underlie compliant
behaviour are explicable to all companies, including smaller, less open
source savvy ones, and I have direct experience doing this.

James


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-26 15:28         ` Rik van Riel
@ 2016-08-26 16:34           ` Linus Torvalds
  2016-08-26 16:48             ` Rik van Riel
                               ` (2 more replies)
  0 siblings, 3 replies; 173+ messages in thread
From: Linus Torvalds @ 2016-08-26 16:34 UTC (permalink / raw)
  To: Rik van Riel; +Cc: Bradley M. Kuhn, ksummit-discuss

On Fri, Aug 26, 2016 at 8:28 AM, Rik van Riel <riel@redhat.com> wrote:
> On Thu, 2016-08-25 at 22:24 -0700, Linus Torvalds wrote:
>>
>> What matters are the people - and companies - that actually develop
>> and contribute code, and make the future happen.
>
> Are you saying that the freedom of end users
> to modify the software running on their Linux
> devices is irrelevant?

Irrelevant? No. And are companies who violate the license a good thing? No.

But they really don't make a difference. In a very literal sense. They
aren't improving the code - even in the hidden product itself.

And the lawsuits definitely drove more people *away* from busybox (and
in a very real sense the GPL) than producing more useful source code.
So the lawsuits didn't actually help.

> The downstream freedoms seem to be generating
> new upstream communities all around us, for
> example OpenWRT.

And I call bullshit. Anybody who tries to point to the lawsuits and
say that they were a big factor in the success of OpenWRT is actively
ignoring all the other - and hugely *bigger* factors - in the
successes of OpenWRT.

That's the whole point. Even if you get some improvements, if you do
that while dismissing all the absolutely _huge_ negatives, you're not
doing good. You are making things worse.

The things that helped OpenWRT _enormously_ were things like

 (a) the general success of open source (over the FSF hardliner GPL stance).

Seriously.

Anybody who dismisses this historical fact is either just crazy or blind.

The rms and the FSF actively pushed the whole industry away from the
GPL (and they still do). The reason you find lots and lots of
companies using the GPL and other open source today is very much the
fact that the groups that pushed "open source" instead of "free
software" were successful in showing companies how this was actually a
better development model, and in showing how you get such incredible
returns from participating in the process.

There are a lot of people talking up the advantages of the BSD license
in the industry. And it's not because they don't believe in giving
back - this is inside companies that rely on and love open source.
It's because they can't work with the crazies.

Really. Anybody who argues differently is deluded.

I don't actually think you are that deluded.

 (b) the "good guys".  The companies that actually ended up helping
(or at least not hindering - I'm not trying to delude myself either,
and a lot of companies are still pretty neutral and not actively
participating even if they are then happy to be in compliance).

Yeah, many of the good guys definitely needed nudging too. In fact,
most of them did. Most companies that we today consider some of the
biggest supporters of Linux have not necessarily always done the right
thing in the past.

I'm sure you've had many of the same discussions that I have had with
other open source people working in various places who are sharing
horror stories about how some project was a nightmare and parts of the
company was doing bad things.

So even the good companies tend to have their warts.

But don't tell me you don't drive 5mph over the speed limit or jaywalk
or do other illegal things every once in a while. Nobody is *that*
clean.

So there's been lots of nudging and discussions and talking to people
going on when companies sometimes need encouragement to behave well.
And public shaming too - I think the things that Matthew does when he
points out truly crap hardware or horrible security issues are
*wonderful*.

But the way those things have been successful has been by making
friends, not enemies. It's been by nudging people, not threatening
them with lawsuits (or by bringing them).

There's been a lot of people who have gone to companies, and tried to
explain why they should do the right thing. I've done so. I'm pretty
sure Greg has done so even more. There are lots and lots of people who
really have done a lot of nudging. And I can pretty much guarantee
that they'll all say that the lawsuits have made it _harder_ to do
those things, not easier.

When lawyers get involved, companies go into "turtle" mode, and just
pull everything inside the shell of the legal stuff. Just try it. If
you threaten a lawsuit, what you get back is "talk to our lawyers".
Not "let's try to work this out". That's just how things work.

And *THAT* is what I'm arguing.

We need to stop the antagonistic threatening stances, and we need to
stop having lawyers involved, and have people who can actually talk to
companies *without* getting that "turtle" response.

Because that approach really does have a proven track record.  And I'm
pretty sure you know that too.

                 Linus


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-26  5:24       ` Linus Torvalds
  2016-08-26  5:35         ` Matthew Garrett
@ 2016-08-26 15:28         ` Rik van Riel
  2016-08-26 16:34           ` Linus Torvalds
  1 sibling, 1 reply; 173+ messages in thread
From: Rik van Riel @ 2016-08-26 15:28 UTC (permalink / raw)
  To: Linus Torvalds, Matthew Garrett; +Cc: Bradley M. Kuhn, ksummit-discuss

On Thu, 2016-08-25 at 22:24 -0700, Linus Torvalds wrote:
> On Thu, Aug 25, 2016 at 9:48 PM, Matthew Garrett <mjg59@coreos.com>
> wrote:
> > 
> > Users benefit from code availability, even if it isn't contributed
> > upstream.
> 
> The thing is, long term, what really matters is the eventual upstream
> contribution.
> 
> The non-contributor company that isn't contributing is by definition
> not spreading his DNA around. They don't matter in the long run.
> 
> What matters are the people - and companies - that actually develop
> and contribute code, and make the future happen.

Are you saying that the freedom of end users
to modify the software running on their Linux
devices is irrelevant?

The downstream freedoms seem to be generating
new upstream communities all around us, for
example OpenWRT.


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-26  2:46 Linus Torvalds
  2016-08-26  3:07 ` Matthew Garrett
@ 2016-08-26 15:23 ` Karen Sandler
  2016-08-26 16:37   ` James Bottomley
  2016-08-27 18:35 ` Wolfram Sang
  2 siblings, 1 reply; 173+ messages in thread
From: Karen Sandler @ 2016-08-26 15:23 UTC (permalink / raw)
  To: Linus Torvalds; +Cc: Bradley M. Kuhn, ksummit-discuss


Firstly, to all as another reminder on this: please remember that this
is a public list, and already a variety of industry lawyers representing
a variety of interests are reading it.

Linus,

I'll take some inspiration from your tone: You are completely
inconsistent and you exaggerate our activities.

We have been committed to approaching companies in a friendly fashion
and avoiding law suits at all costs. You'll note that in the years I've
been Executive Director of Conservancy that there has been a single law
suit that we have been connected to - Christoph's suit that we are
funding. Initiating the Principles of Community-Oriented GPL Enforcement
[1] and our blogpost about Patrick [2], which we also discussed, has
been an important part of our work.

I never said what you quote me as saying.  What I did say, as you'll
recall, is that allowing violations can create precedent as to norms and
expectations in the field. I also said that if we don't have
community-driven enforcement, we'll likely see more individual
developers trying to enforce on their own, and not in a coordinated
fashion. I also believe that unless we have community-driven
enforcement, important issues about the GPL will be decided in cases
brought by companies suing each other over their business squabbles
(which we've also seen already), which really may not yield the results
we want as a community. When Conservancy acts either publicly or with any
legal action, we do so on behalf of and in coordination with the kernel
developers that are part of our coalition.  We talk extensively with
those developers before taking any action. Anyone who joins our
coalition is part of those conversations.

I think we see different parts of the compliance process. We get reports
from folks that are frustrated because they can't get the code that they
should be able to in order to do a particular thing that interests them.
We follow those Principles, which have been endorsed by four other
charities, the Netfilter team, and Harald Welte, whose enforcement Greg
lauds.

I did appreciate your comments on stage at Linux and your commitment to
copyleft. From where we're sitting, we see that this doesn't mean a
whole lot if there's no one following up with those companies that
*don't* ever hire or collaborate with upstream developers and refuse to
comply.  There have been in-house attorneys, developers and device users
that have thanked me for our work.  Those who work for software
companies have told me that it gives them traction within their own
companies in pushing for them doing the right thing. This is why we aim
to treat today's violators as tomorrow's contributors, we keep their
identities private and we insist on compliance above all else.

As someone else said, "the GPL isn't magic pixie dust."

James,

As I told you in person, you're exaggerating what the dismissal said,
and what its impact may be. As I believe you're aware, a German lawyer
unconnected to Christoph's case published a memo in German about the
case:

http://junit.de/spezialisierung-mainmenu-12/open-source-im-unternehmen-2/662-sind-bearbeiter-von-software-zukuenftig-urheberrechtlich-schutzlos-unser-statement-zur-vmware-entscheidung-des-landgerichts-hamburg

There is currently no English version, but as I understand it, this says
two main points:

* that the court applied standards in their analysis that have been
outdated for more than 20 years.

* that the court didn't process information on infringing code even
though all necessary information was on the table. The author even
suggests that this could violate a constitutional right.


I originally started this thread when encouraged by a few kernel
developers  because I wanted to carefully provide information to anyone
who wanted it,  and hear opinions from anyone who cared to and was able
to give them, in a form that was *not* publicly archived and allowed
for real-time communication.  I think we've gone considerably off
topic :)


Finally, James, Greg, you both talked about your approaches working with
companies internally to keep them upstreaming and to not violate GPL.
With larger, older software companies that act more rationally -- like
IBM and Intel which Greg mentioned -- this work is invaluable.  GPL
compliance needs both types of people working on it.  I agree there are
some violations you can resolve that we can't using your methods, but
there are also clearly many violations where your methods don't work.
We want to be well-coordinated, which is why I proposed this session.

karen


[1] https://sfconservancy.org/copyleft-compliance/principles.html

[2]
https://sfconservancy.org/blog/2016/jul/19/patrick-mchardy-gpl-enforcement/


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-26  5:24       ` Linus Torvalds
@ 2016-08-26  5:35         ` Matthew Garrett
  2016-08-26 15:28         ` Rik van Riel
  1 sibling, 0 replies; 173+ messages in thread
From: Matthew Garrett @ 2016-08-26  5:35 UTC (permalink / raw)
  To: Linus Torvalds; +Cc: Bradley M. Kuhn, ksummit-discuss

On Fri, Aug 26, 2016 at 1:24 AM, Linus Torvalds
<torvalds@linux-foundation.org> wrote:
> What matters are the people - and companies - that actually develop
> and contribute code, and make the future happen.

Sure. And do you want 4 more enterprise clustering filesystems, or
another complete rewrite of the page allocator for a 3% performance
improvement under a specific database workload, or do you want a bunch
of teenagers who grow up hacking this stuff because it's what powers
every device they own? Because honestly I think it's the latter that's
helped get you where you are now, and they're not going to be there if
the thing that matters to you most is making sure that large companies
don't feel threatened rather than making sure that the next 19 year
old in a dorm room can actually hack the code on their phone and build
something better as a result. It's what brought me here in the first
place, and I'm hardly the only one.


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-26  4:48     ` Matthew Garrett
@ 2016-08-26  5:24       ` Linus Torvalds
  2016-08-26  5:35         ` Matthew Garrett
  2016-08-26 15:28         ` Rik van Riel
  0 siblings, 2 replies; 173+ messages in thread
From: Linus Torvalds @ 2016-08-26  5:24 UTC (permalink / raw)
  To: Matthew Garrett; +Cc: Bradley M. Kuhn, ksummit-discuss

On Thu, Aug 25, 2016 at 9:48 PM, Matthew Garrett <mjg59@coreos.com> wrote:
>
> Stop pretending that there have been no benefits from this. It's
> clearly untrue.

You have lost your ability to read.

It's the *downsides* I've been talking about. The absolutely huge
downsides of litigation (and just threats of litigation).

The ones you are dismissing despite all the evidence.

Go back and read Greg's email, maybe you can force yourself to
actually understand.

> But right now you're on the Fox News side of the truth/lies line, and it's
> not a good look

Plonk. Now you're just ranting.

I don't think this is productive. And it's not like you're going to be
at the kernel summit anyway since you have publicly stated you don't
even want to be a developer, so it is pointless anyway. Go make your
own GPLv3 project, and enforce that all you want, and see how that
works out for you.

So I don't think I'll bother replying to your rants any more.

> Users benefit from code availability, even if it isn't contributed upstream.

The thing is, long term, what really matters is the eventual upstream
contribution.

The non-contributor company that isn't contributing is by definition
not spreading his DNA around. They don't matter in the long run.

What matters are the people - and companies - that actually develop
and contribute code, and make the future happen.

That's what keeps the project actually _alive_.

Are there lazy and bad companies? Yes. But they don't actually
*contribute* anything anyway, they just package stuff and move on.
Exactly like you say - their product cycles are too short to care.
They won't have added any sw value even in their own product.

But those companies don't even *MATTER* from a development standpoint.
It's not like they created anything new and wonderful anyway.

Yes, they are leeches.  So what? It's not pretty.

In the optimal situation, you can try to beguile them and lure them
out, and hope they become productive members of society.

But when you start blasting around with the legal guns, even the
*good* guys will decamp. They don't want to get anywhere _near_ the
war zone.

And what we *definitely* don't need are the lawyers that just dismiss
all the code and effort and community that actual real contributors -
individual and corporate - have done for decades.

Those lawyers should just go away. Because they are worse than the leeches.

             Linus


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-26  4:25   ` Linus Torvalds
@ 2016-08-26  4:48     ` Matthew Garrett
  2016-08-26  5:24       ` Linus Torvalds
  0 siblings, 1 reply; 173+ messages in thread
From: Matthew Garrett @ 2016-08-26  4:48 UTC (permalink / raw)
  To: Linus Torvalds; +Cc: Bradley M. Kuhn, ksummit-discuss

On Fri, Aug 26, 2016 at 12:25 AM, Linus Torvalds
<torvalds@linux-foundation.org> wrote:
> On Thu, Aug 25, 2016 at 8:07 PM, Matthew Garrett <mjg59@coreos.com> wrote:
>>
>> No, we're not. I mean, sure, if what you care about is corporate
>> support, we're doing fine.
>
> What I care about is getting code contributions back. That's kind of
> the whole *point* of the GPLv2. Not the legalese. Growing the source
> code base by having participation in the project.

That's what you care about. That's not what your users care about.
They care about code *availability*, not contribution. They don't care
whether their vendor participates upstream. They just care about being
able to fix their shitty broken piece of hardware when the vendor
won't ship updates.

> But that corporate support is exactly what you then on the other hand
> claim to be trying to _force_ with the enforcement actions.
>
> And the thing is, there really are lots of very good reasons to
> believe that we're getting more code willing code contributions back
> thanks to friendly terms with corporations, compared to any enforced
> action and being difficult.

But… there isn't. There just really isn't. Of the things I've bought
running Linux in the past year, maybe 25% have been able to provide
source, and in one case that involved me having to call them, tell
them I was a copyright holder, threaten to sue and then also tell them
that I'd found several security vulnerabilities in their product. And
this was a brand name vendor! They're never going to directly work
with upstream because they don't have long product cycles and they
gain nothing from it, but the users who get hold of their source are
benefiting hugely.

> It turns out that corporations actually *want* to be compliant for the
> most part. At least as long as they see you as a friend, not a foe.
>
> And lawsuits tend to turn friends into foes.
>
> See what the BusyBox maintainer who actually went down the lawsuit
> path says in [1].

Rob's always missed the point here. Sure, the Busybox cases didn't
result in more code in upstream Busybox. But they did result in
several vendors shipping source, and other vendors in the same space
doing so out of fear of having the same thing happen to them. And
users took that code, and they fixed it and they made something
better. And they shared that better version with other people, and
they realised that code availability made their life better and some
of these people are kids who are going to be amongst the next
generation of people who are going to show up here and start sending
you patches, and others are going to be people living on the street
who don't get their phones hacked by their former partner because they
were able to obtain an updated OS without having to buy a new phone,
and others are people building projects like the Freedom Box which
exists only because AP vendors are afraid enough of lawsuits that they
released enough source to let others build new things on top of that.

Stop pretending that there have been no benefits from this. It's
clearly untrue. If you want to argue that the corporate involvement
has been worth more than the community benefit that results from
lawsuits, fine. I'll disagree, but it's a consistent position. But
right now you're on the Fox News side of the truth/lies line, and it's
not a good look. Users benefit from code availability, even if it
isn't contributed upstream.

> We have been very successful exactly because we didn't have the insane
> antagonism.

And again, you're using a definition of "successful" that doesn't
match "we". Where's your sense of wonder? How can you look at this
amazing thing you've created and not realise that so much of its
beauty is down to people doing things you've never thought of? So much
of what Linux has achieved in the world has had nothing to do with
upstream contribution, and we should care about that as much as we
care about the number of vendor git commits.


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-26  3:07 ` Matthew Garrett
@ 2016-08-26  4:25   ` Linus Torvalds
  2016-08-26  4:48     ` Matthew Garrett
  0 siblings, 1 reply; 173+ messages in thread
From: Linus Torvalds @ 2016-08-26  4:25 UTC (permalink / raw)
  To: Matthew Garrett; +Cc: Bradley M. Kuhn, ksummit-discuss

On Thu, Aug 25, 2016 at 8:07 PM, Matthew Garrett <mjg59@coreos.com> wrote:
>
> No, we're not. I mean, sure, if what you care about is corporate
> support, we're doing fine.

What I care about is getting code contributions back. That's kind of
the whole *point* of the GPLv2. Not the legalese. Growing the source
code base by having participation in the project.

You try to dismiss it as "if what you care about is corporate
support", with the implication that that would be somehow
small-minded.

But that corporate support is exactly what you then on the other hand
claim to be trying to _force_ with the enforcement actions.

And the thing is, there really are lots of very good reasons to
believe that we're getting more code willing code contributions back
thanks to friendly terms with corporations, compared to any enforced
action and being difficult.

It turns out that corporations actually *want* to be compliant for the
most part. At least as long as they see you as a friend, not a foe.

And lawsuits tend to turn friends into foes.

See what the BusyBox maintainer who actually went down the lawsuit
path says in [1].

So I care about actually getting source code back.

One fairly well-known definition of insanity is "doing the same thing
over and over again and expecting different results".

Let's learn from previous mistakes, rather than repeating the same old
mistake like you seem set on always doing.

The FSF already tried the antagonistic model, which is why people
started using "Open Source" instead.

We have been very successful exactly because we didn't have the insane
antagonism.

                 Linus

[1] https://lwn.net/Articles/478361/


* Re: [Ksummit-discuss] [CORE TOPIC] GPL defense issues
  2016-08-26  2:46 Linus Torvalds
@ 2016-08-26  3:07 ` Matthew Garrett
  2016-08-26  4:25   ` Linus Torvalds
  2016-08-26 15:23 ` Karen Sandler
  2016-08-27 18:35 ` Wolfram Sang
  2 siblings, 1 reply; 173+ messages in thread
From: Matthew Garrett @ 2016-08-26  3:07 UTC (permalink / raw)
  To: Linus Torvalds; +Cc: Bradley M. Kuhn, ksummit-discuss

On Thu, Aug 25, 2016 at 10:46 PM, Linus Torvalds
<torvalds@linux-foundation.org> wrote:
> I'm not aware of anybody but the lawyers and crazy people that were
> happy about how the BusyBox situation ended up. Please pipe up if you
> actually know differently. All it resulted in was a huge amount of
> bickering, and both individual and commercial developers and users
> fleeing in droves. Both the original maintainer and the maintainer
> that started the lawsuits ended up publicly saying it was a disaster.

It resulted in a huge number of people getting access to the source
code they were entitled to. It's a huge part of the success of
projects like OpenWRT, which in turn has formed the basis of a huge
number of (compliant) commercial Linux products. It's convinced
multiple Android vendors to ship source, which has allowed people to
continue updating their phones even after the manufacturer has given
up on them. We have entire companies who exist purely because they
were able to build on the work of code released under duress. Claiming
that "All it resulted in was a huge amount of bickering" is untrue,
and you should know better than to say so.

> There's another side to this issue, which people seem to be ignoring.
> Yes, not only is there the risk of loss (I've talked to Karen about
> this, and am shocked every time she says "but we need to resolve
> things one way or the other". Hell no. We're doing really well without
> any resolution at all, thank you).

No, we're not. I mean, sure, if what you care about is corporate
support, we're doing fine. But if what you care about is people who
get hold of Linux-based devices being able to look at the code and
figure out how they work, it's a fucking disaster. Sure, if you buy a
wireless router you'll probably get a GPL notice - but only because
almost every significant wireless router manufacturer was threatened
with or lost a lawsuit. It's the same story with TVs. But if you look
at product lines where there haven't been any lawsuits, you'll find
almost ubiquitous Linux and an equally ubiquitous lack of source code.
If that's your idea of "doing really well", that's fine. But many
people have been involved because they have different standards, so
let's not pretend that "we" means all Linux contributors here.


* [Ksummit-discuss]  [CORE TOPIC] GPL defense issues
@ 2016-08-26  2:46 Linus Torvalds
  2016-08-26  3:07 ` Matthew Garrett
                   ` (2 more replies)
  0 siblings, 3 replies; 173+ messages in thread
From: Linus Torvalds @ 2016-08-26  2:46 UTC (permalink / raw)
  To: Greg KH, Bradley M. Kuhn; +Cc: ksummit-discuss

[ So I was pointed to this discussion and Greg's answer in particular,
but I'm not on the ksummit-discuss mailing list so keep me cc'd if you
want to reply to me ]

I'm going to quote Greg's email in its entirety, because it is a thing
of beauty.

On Fri, Aug 25, at 5:59:14 PM PDT, Greg KH wrote:
> On Wed, Aug 24, 2016 at 09:06:19PM -0700, Bradley M. Kuhn wrote:
> > Greg KH wrote:
> > > I don't want Linux to be a test case for the GPL as you put it
> > > recently.
> >
> > I am certainly sympathetic to your position.  But I myself don't
> > have the power nor will to make Linux into GPL's test case; a confluence of
> > external events already did that without my help.  I've been involved with
> > copyleft enforcement and policy for almost copyleft's entire existence.  I
> > observe now that the last 10 years brought something that never occurred
> > before with any other copylefted code.  Specifically, with Linux, we find
> > both major and minor industry players determined to violate the GPL, on
> > purpose, and refuse to comply, and tell us to our faces: "you think that we
> > have to follow the GPL?  Ok, then take us to Court.  We won't comply
> > otherwise."  (None of the companies in your historical examples ever did
> > this, Greg.)  And, the decision to take that position is wholly in the hands
> > of the violators, not the enforcers.
> >
> > In response, we have two options: we can all decide to give up on the GPL, or
> > we can enforce it in Courts.
>
> I call bullshit on this.

Can I just pipe up and say "Amen!"

In fact, let me say that I actually think we *should* talk about GPL
enforcement at the kernel summit, because I think it's an important
issue, but we should talk about it the way we talk about other issues:
among kernel developers. No lawyers present unless they are in the
capacity of a developer and maintainer of actual code, and in
particular, absolutely not the Software Freedom Conservancy.

I personally think this arguing for lawyering has become a nasty
festering disease, and the SFC and Bradley Kuhn have been the Typhoid
Mary spreading the disease.

The most shining moment for the SFC - hey, it's the lead-in on the
wikipedia page - was the GPL compliance enforcement for BusyBox.

And let us not kid ourselves. That may be the shining moment for SFC,
but it was *not* a shining moment for BusyBox.

I'm not aware of anybody but the lawyers and crazy people that were
happy about how the BusyBox situation ended up. Please pipe up if you
actually know differently. All it resulted in was a huge amount of
bickering, and both individual and commercial developers and users
fleeing in droves. Both the original maintainer and the maintainer
that started the lawsuits ended up publicly saying it was a disaster.

So I think the whole GPL enforcement issue is absolutely something
that should be discussed, but it should be discussed with the working
title

 "Lawyers: poisonous to openness, poisonous to community, poisonous to
projects".

> And frankly, I'm tired of hearing it, as it's completely incorrect and
> trivializes the effort that thousands of people have been doing for 25+
> years to preserve the rights that the GPL grants us.

Absolutely.

Let's just be honest and very clear for a moment. I realize that that
is hard when talking about legal issues, but let's just cut through
all the bullshit and try.

The fact is, the people who have created open source and made it a
success have been the developers doing work - and the companies that
we could get involved by showing that we are not all insane crazy
people like the FSF.

The people who have *destroyed* projects have been lawyers that
claimed to be out to "save" those projects.

So let's just make this very very obvious: when Bradley Kuhn says "we
can all decide to give up on the GPL, or we can enforce it in Courts",
we should look at actual history, and learn from it.

Because Bradley Kuhn is so incredibly full of shit that this *needs*
to be stated openly.

Let's be clear about this: lawsuits destroy. They don't "protect".

Lawsuits destroy community. They destroy trust. They would destroy all
the goodwill we've built up over the years by being nice.

> > There's another vocal and significant minority of Linux contributors and
> > users who oppose GPL enforcement.  Greg, I wouldn't have pegged you for being
> > in that camp until this thread, but it seems that you now are. :)
>
> I have NEVER said I oppose "GPL enforcement", I will say that I oppose
> the way that _you_ approach this task.
>
> And here is why.
>
> I too have had people say to my face, numerous times, "you think that we
> have to follow the GPL?  Ok, then take us to Court.  We won't comply
> otherwise."  And guess what, no one took anyone to court, and every
> single time, I ended up with the code[1].
>
> As you well know, when you take legal action against someone, you have
> to be prepared to lose, and accept the consequences of that loss.
>
> Frankly, I am not prepared to lose, and there is no way in hell that I
> am willing to accept the consequences of such a loss.

There's another side to this issue, which people seem to be ignoring.
Yes, not only is there the risk of loss (I've talked to Karen about
this, and am shocked every time she says "but we need to resolve
things one way or the other". Hell no. We're doing really well without
any resolution at all, thank you).

But quite apart from the risk of loss in a court, the real risk is
something that happens whether you win or lose, and in fact whether
you go to court or just threaten: the loss of community, and in
particular exactly the kind of community that can (and does) help. You
lose your friends.

Because lawsuits - and even threats of lawsuits - make companies way
less likely to see you as a good guy. Even when you're threatening
somebody else, everybody else around the target starts getting really
really antsy.

I talked to an Oracle lawyer a few months ago, and told him their
lawsuit just makes Oracle look bad. The lawyer was dismissive, and
tried to explain how it's silly how people take lawsuits personally,
and talked about how lawyers _understand_ that lawsuits aren't
personal, and that they are still friends outside the court.

I'm sure a lawyer can "understand" how lawsuits aren't actually
something personal at all, but lawyers really seem to be the *only*
people who "understand" that.

The fact is, lawsuits (and threats of lawsuits) do not make for
friends. You just look like a bully.

I will just quote the rest of Greg's email, because I think it is *so*
on point that I definitely couldn't have said it better myself, and
the only thing I can do is say "Bravo!" and say how strongly I believe
that Greg is right. I'll just say things even more outright: I believe
the SFLC (and now SFC) approach is poison.

Let's talk about this at the kernel summit by all means.

Let's talk about the lies spread by Bradley Kuhn, and about the
projects where the SFLC and SFC killed them and salted the earth with
their "help".

                     Linus

--- rest of Greg's email left quoted because it needs to be read twice --

> You have told me yourself that you are willing to take that risk, and I
> have told you that I am not.  I want Linux to succeed, I think it's the
> right way to develop a software project, it's personally immensely
> satisfying work, and the benefits it brings to millions of people
> allowing them to create and control their lives is invaluable.
>
> I've spent the last decade of my life working to support, grow, and
> enhance our community.  And corporations are a _huge_ part of our
> community, and frankly, the only reason we are where we are today.  We
> _have_ to work to bring more companies and their developers into our
> group, never working to purposefully alienate anyone.
>
> Here's what happens when you threaten legal action against a company:
>         - they instantly stop talking to any "external" developer that
>           might have been working with them to figure this community and
>           license thing out.  So much for our "back channel" to them
>           that was slowly starting to pay off.
>         - they bring in more lawyers, and react defensively to protect
>           themselves, as that's what they have to do to preserve the
>           company.
>         - Anyone in the company that pushed to use Linux is now seen as
>           "wrong" and instantly is pissed off that external people just
>           messed up their employment future.
>         - Anyone in the company that resisted the use of Linux (possibly
>           in ways that caused the code not to be released over the
>           objection of the previously mentioned people) are vindicated
>           in their opinion of those "hippy"[2] programmers who develop
>           Linux.
>         - The lawyers know that now that you are willing to accept that
>           losing is an option, and will do everything in their
>           capability to ensure that it happens (drag it out, annoy the
>           hell out of developers by disposing them, burn your money in
>           whatever way they can, etc.)
>
> Now, even if, after many years of work on your part, you do get that
> code, what is the end result?  You have made an enemy for life from the
> people who brought Linux into the company, you have pissed off the
> people who didn't like Linux in the first place as they were right and
> yet you "defeated" them.  Both of those groups of people will now work
> together to never use Linux again as they don't want to go through that
> hell again, no matter what.
>
> And look, we have a case study of this, BusyBox.  That's exactly what
> happened numerous times.  Some of those people/companies you upset had
> enough resources to create a competing project to replace it and ensure
> that they never have to deal with that mess again.
>
> And yes, you are "vindicated", but at what cost?  You have the code,
> it's useless as it's old, obsolete, not mergeable, and oops, your
> development community is now dead and the project is obsolete.
>
> So, turn it around, and look at how _we_ have been doing enforcement in
> the Linux community for the past 25 years.
>
> We do it quietly, working with companies, from within, convincing them
> that yes, this license that seems so strange and crazy is really worth
> following, not only because it is the law (companies ignore the law all
> the time, it's called risk management), but because it turns out it is
> the right thing to do from a business point of view.  It's cheaper to do
> so, the benefit is huge, and the return on investment is immense when
> they join together to work with us, instead of off in their own bubble.
>
> By doing this, the people that pushed for Linux in their company are
> vindicated and love you more, some of the naysayers are convinced,
> slowly, of the real truth here, and boom, you now have grown and
> strengthened your community and the feedback loop continues.
>
> Now back to one of those companies that told me to my face I was going
> to have to sue them.  I just reviewed a major patch set from that
> company a few weeks ago[3].  Would that have worked if I had taken legal
> action against them?  No way!  They are now a part of our community and
> helping to make it succeed as their company relies on it.[4]  It took
> many many years of work, but it happened.
>
> So, by working with people, and showing them the BENEFIT of the GPL,
> we grow our community, ensure our survival, and win converts to the
> license itself as now those people have a stake in it as their company
> relies on it.
>
> A very smart senior kernel developer once told me over drinks in a bar
> in Germany many years ago, something along the lines of "A foolish man
> bangs on the outside trying to change a company, a wise and cunning man
> works from within the company, changing it from inside such that it
> never knew what happened."
>
> And look, that's _exactly_ what we have done.  Us "punks" have grown up,
> changed companies from within in ways that no one had ever imagined was
> possible, and now hold major influence within them, if not total control
> in some instances!  Look at the success of Linux, we took over the
> world, by working from the bottom up, embracing and taking over all
> possible industries in ways that has never been done before.
>
> And we did it all by not suing anyone, as some of us know that's the
> quickest way to piss businesses off and make enemies.[5]
>
> Now you are in a problem here.  Being the representative of a number of
> copyright holders, you only can use a legal approach in order to try to
> get companies to comply.  All you have is a threat of litigation, which
> clouds the viewpoint you are coming from (as is evident in your original
> statement above about "enforce or give up".)
>
> But me, and hundreds like me, who are the developers of the code, and
> the people with the most at stake in the project, have more tools at our
> disposal in order to achieve the goal of getting the code created by
> companies, and bringing them into "the fold."  Bringing a developer in
> to talk to people, and work with people, and discussing things
> face-to-face, without any lawyers involved, is an incredibly powerful
> force. Yeah, it's not flashy or public, it's slow, a grind, frustrating,
> thankless, and burns airline miles like crazy.
>
> But it's working.  And has worked.  So to dismiss the way a large number
> of us have been doing this for decades as "not working" is personally
> hurtful, and totally short-sighted.  I feel we have the proof that this
> _does_ work based on the success of Linux.
>
> Remember, "carrot vs. stick", "honey vs. vinegar", and the like.  Maybe
> it's just me and my "attachment parenting" model of approaching the
> world, but I honestly think that it's better to be nice to people than
> to piss them off, if you wish to have them join you in your goals.
>
> Another proof point, look at Microsoft and the BSA.  How many companies
> did they piss off when they went in with lawyers to enforce their
> licenses?  Wasn't it Fender Guitar that flat out refuses to ever use
> anything from Microsoft again because of that?  We don't ever want to be
> accused of acting like that to any company.
>
> And yes, I know you work with companies before resorting to legal
> action.  But it's not the developers of the project working with the
> company, it's their representative, a VERY big difference, as is seen by
> how it has worked out with Busybox.
>
> This has gotten way off topic, sorry, but I felt I had to set the record
> straight of being accused of not working on, or wanting to, enforce the
> license of the project I have spent decades working on, that I feel is
> one of the main reasons it has succeeded.
>
> As you like to quote Linus, I will too, "once the lawyers are involved,
> you have lost".
>
> And you can quote me, "I do not want to lose."
>
> So, back on topic, I think that the kernel summit should be left to
> technical issues, as well as development issues (how maintainers work,
> how releases happen, if we will finally turn off bugzilla, etc.)  Let's
> keep the legal, and political, things out of it, in my opinion that
> doesn't belong there.
>
> Especially as I don't want to have to have my lawyer present in order
> for me to be able to attend :)
>
> thanks,
>
> greg k-h
>
>
> [1] It always, without fail, totally sucked.
> [2] Personally I prefer being called a "punk", as that's much more
>     accurate as to where the majority of us came from, yourself
>     included.
> [3] It still sucked, they haven't learned much, but they are trying and
>     willing to learn.
> [4] I want to resist the analogy of a drug pusher "first hit is free!",
>     so I'll bury it here in a footnote.
> [5] Till and Harald did take people to court, and it was good, but the
>     issues there were much different than what you are proposing, and
>     the stakes were much lower.
>
