VMWare Linux Lawsuit Still Going On

A lot of people (including me, for a time) thought that the Hellwig v. VMWare lawsuit, alleging that VMWare infringed upon the Linux Kernel copyright and violated the GPL, had been lost and was over. It’s being appealed. Things are moving slowly because the German court shuts down for much of the summer.

A Nice, Sensible Statement about Women in Silicon Valley

This is regarding the stupid memo issued by an ex-Google-employee, which got lots of news coverage for no reason I can understand. There has been that sort of jerk at places where I’ve worked before, but usually the complaints of jerks at work don’t leave the work place. There was nothing but old prejudices in this one, and I don’t understand why it became news.

I previously wrote The Empathy Gap: Why Women are Treated Badly in Open Source Communities. The issues I wrote about there extend beyond Open Source to the broader tech community.

There happen to be a lot of women in engineering, legal, and management positions at my customer firms. As a class, they seem to be at least as sharp as a man regarding their jobs. As a consultant, I am reporting to women quite often, and in general find them wonderful to work with.

I think it’s a pity that we have fewer women in Amateur Radio than men. Amateur Radio is unique in that it’s a technical pursuit, a way to meet people worldwide, and a path to technical self-education, but it isn’t employment or school. Women are sorely under-represented. In general, I feel it’s unhealthy for any community that isn’t specifically about the issues of one gender to have a gender imbalance in its participants.

I remain curious about the causes and would like to do more about the problem.

And of course I feel the same way about under-representation of women in the broader technical community.



A Note About Our Legal Counsel

Our legal counsel is Heather Meeker of O’Melveny and Meyers, who also happens to be the author of the book “Open (Source) For Business, A Practical Guide to Open Source Software Licensing.”

Heather is without doubt the best attorney in the Open Source field. I recommend her wholeheartedly to anyone and everyone!

Heather is not responsible for my opinions on this blog or elsewhere. I speak for myself.

What the Apache – Facebook React.js Issue Means to Companies

Update: Facebook will place React.js and several other programs under the straight BSD license.

[My apologies to the ReactOS project, which I named in the first version of this article. The software in question is React.js]

Recently the Apache project banned React.js, a Facebook project, from inclusion in Apache projects. The ban is over a patent license which Facebook issued for React.js. This license should be of concern to companies that could now be using React.js, perhaps without even knowing it.

The current text of the Facebook patent grant is at https://github.com/facebook/osquery/blob/master/PATENTS

Without this grant in explicit text, there would still be a patent grant which is implicit in the BSD license. This arises from an equitable doctrine in law, you can’t grant a license and then “trick” the recipient by suing them for doing exactly what you gave them permission to do.

The problem is that Facebook has replaced the implicit grant with an explicit one with a “strong” retaliation clause. If a company uses React.js, they essentially give Facebook a license to their ENTIRE patent portfolio, no matter how large. Actually, they agree to forego to sue for infringement, but it’s essentially the same thing. Most companies would find this unacceptable. This is called a “strong retaliation clause”.

Facebook has gone to a version 2 of their patent grant text, but there is still the same problem with the breadth of the patent grant. Version 1 implicitly banned counter-suit after Facebook sued you, Verison 2 explicitly permits counter-suit.

What we usually do in the Open Source world, and what we find acceptable in Open Source licenses, is to limit the termination to lawsuits regarding patents exercised in that specific Open Source software. So, if Facebook were to state that if you sue anyone regarding your patent grants that are exercised in the React.js software, your license terminates, that would be OK. Indeed, Apache uses similar text in their own licenses. This is called a “weak retaliation clause.”

Of course, we in the Open Source world would rather that software patents went away entirely. I am joined in this sentiment by many of my industrial customers who have been the target of non-practicing-entities and other software patent abuses.

Warning: Grsecurity: Potential contributory infringement and breach of contract risk for customers

It’s my strong opinion that your company should avoid the Grsecurity product sold at grsecurity.net because it presents a contributory infringement and breach of contract risk.

Grsecurity is a patch for the Linux kernel which, it is claimed, improves its security. It is a derivative work of the Linux kernel which touches the kernel internals in many different places. It is inseparable from Linux and can not work without it. it would fail a fair-use test (obviously, ask offline if you don’t understand). Because of its strongly derivative nature of the kernel, it must be under the GPL version 2 license, or a license compatible with the GPL and with terms no more restrictive than the GPL. Earlier versions were distributed under GPL version 2.

Currently, Grsecurity is a commercial product and is distributed only to paying customers. Under their Stable Patch Access Agreement, customers are warned that if they redistribute the Grsecurity patch, as would be their right under the GPL, that they will be assessed a penalty: they will no longer be allowed to be customers, and will not be granted access to any further versions of Grsecurity. GPL version 2 section 6 explicitly prohibits the addition of terms such as this redistribution prohibition.

By operating under their policy of terminating customer relations upon distribution of their GPL-licensed software, Open Source Security Inc., the owner of Grsecurity, creates an expectation  that the customer’s business will be damaged by losing access to support and later versions of the product, if that customer exercises their re-distribution right under the GPL license. Grsecurity’s Stable Patch Access Agreement adds a term to the GPL prohibiting distribution or creating a penalty for distribution. GPL section 6 specifically prohibits any addition of terms.  Thus, the GPL license, which allows Grsecurity to create its derivative work of the Linux kernel, terminates, and the copyright of the Linux Kernel is infringed. The GPL does not apply when Grsecurity first ships the work to the customer, and thus the customer has paid for an unlicensed infringing derivative work of the Linux kernel developers with all rights reserved.  The contract from the Linux kernel developers to both Grsecurity and the customer which is inherent in the GPL is breached.

As a customer, it’s my opinion that you would be subject to both contributory infringement and breach of contract by employing this product in conjunction with the Linux kernel under the no-redistribution policy currently employed by Grsecurity.

I have previously endorsed a company that distributes enhanced versions of GPL software to paying customers, but that company operated differently (and in a way that I would recommend to Grsecurity). They did not make any threat to customers regarding redistribution. They publicly distributed their commercial version within 9 months to one year after its customer-only distribution.

This other company was essentially receiving payment from its customers for the work of making new GPL software available to the public after a relatively short delay, and thus they were doing a public benefit and were, IMO, in compliance with the letter of GPL though perhaps not the spirit. In contrast, Grsecurity does no redeeming public service, and does not allow any redistribution of their Linux derivative, in direct contravention to the GPL terms.

In the public interest, I am willing to discuss this issue with companies and their legal counsel, under NDA, without charge.

I am an intellectual property and technology specialist who advises attorneys, not an attorney. This is my opinion and is offered as advice to your attorney. Please show this to him or her. Under the law of most states, your attorney who is contracted to you is the only party who can provide you with legal advice.

SpaceX Over-Stated Re-Use of Dragon Capsule on CRS-11 Mission.

SpaceX has made a tremendous achievement in recovering 11 first stages so far, and recovering one after re-use. However, the re-use of the Dragon capsule during the CRS-11 mission was over-stated. What was re-used was the pressure vessel. This means that the craft from the CRS-4 mission was stripped down to its hull and then rebuilt. It’s essentially a new spacecraft built upon an old shell.

SpaceX is not able to re-use the capsule after it lands in salt water without this complete rebuild. Someday they may be able to achieve full reuse, when they can land the capsule on solid ground.

Update: At the ISS R&D conference, Elon Musk stated that the first capsule re-use cost as much as, or more than, a new Dragon capsule. Water intrusion was listed as one of the causes. All of this confirms what I previously stated. However, SpaceX has expressed that they may be able to prevent water intrusion in later flights, leading to a capsule that is more readily reusable.

At the same conference, Musk announced that non-parachute landings for Dragon 2 were being abandoned, so apparently there will be no ground landings. Apparently the original propelled landing design used legs protruding from the heat shield, and these were deemed unworkable.

How an Amateur Electrician Can Easily Create Lethal "Hot Skin" On an RV

Amateur electricians can get away with some mistakes at home that can be lethal when made while wiring an RV. Why? A recreational vehicle has the hot, neutral, and protective ground connections just like your home. But unlike your home, the RV has no permanent ground connection. When plugged into a generator, the RV and generator will often be isolated from ground, affording no protection from shock hazards. A proper generator setup connects ground and neutral at the generator and bonds them to a ground rod or other low-resistance connection to a real earth ground.  But we know that most generator users have never done anything like that.

At an RV park or anywhere you plug your RV into electrical service, you can lose your proper protective ground connection because the ground pin breaks off of your RV’s plug, or a mis-wiring in your RV or the park’s wiring breaks the ground connection. But the park’s electrical system still has neutral and ground connected, while your RV doesn’t. The problem with this comes if some failure in your RV then causes a connection between the hot wire and what should be your ground connection. Rather than immediately blowing the circuit breaker, as it would in your home or a correctly-grounded RV, this situation creates “hot skin”. The metal shell of your RV is connected to lethal electric power. A person who walks up to your RV and touches it can then become the path of all of that power to ground, and can be electrocuted simply by brushing against your RV. Several people have died or have been severely injured from such situations. Children are especialy vulnerable. Imagine a child standing barefoot in wet grass and touching your RV. In a hot-skin situation, that child might die.

There are a few things you can do to protect against this. First, fit your RV with GFI or dual-function (GFI+AFCI) circuit breakers on all of the branch circuits, if it presently has the old non-GFI breakers. Second, use a “Power Management” device that protects you from mis-wiring, like those sold by Progressive Industries (http://www.progressiveindustries.net/). The right device will be listed to provide “Reverse Polarity Protection” and
“Open Ground Protection”. Not just surge protection! A surge protector alone won’t in general protect from grounding problems.

You’ll spend a few hundred dollars adding GFI breakers and a power-management system to your RV. But their protection from situations that can otherwise kill an innocent person is priceless.

Power management systems are more picky about the power provided to them than your RV or circuit breakers would be without them. They’ll insist on an adapter plug that provides a neutral-to-ground connection at your generator before they allow its power on-board. But they will protect from most grounding mistakes. Once in a while, they’ll refuse to connect power from a trailer park source that is mis-wired. You’ll need to take that up with the park when that happens.

NEVER wire any device to the ground wire when it should be connected to the neutral wire. Yes, it will appear to work correctly, but it can create hot skin if your RV ever does not get a proper ground connection at the plug.

Amateur electricians are often confused by grounding. I had one argue that a bulb connected from hot to ground could not create “hot skin”. He tested it himself and when he disconnected the ground pin, the bulb just went out! He just could not conceive that a bulb that had gone out could still conduct electricity if someone completed the circuit from his trailer to ground with their body. There was no way I could convince him. This guy may kill some innocent person someday with his incorrect wiring. Don’t be like him.

Understanding the "GPL is a Contract" court case

There’s been a lot of confusion about the recent Artifex v. Hancom case, in which the court found that the GPL was an enforceable contract. I’m going to try to explain the whole thing in clear terms for the legal layman.

Artifex is the current owner of the Ghostscript software. Ghostscript is an interpreter of the Postscript language, it renders Postscript and PDF to print and images, and it translates Postscript and PDF to a plethora of other file formats. Ghostscript was created by L Peter Deutsch (“L” is his first name, not an initial) known online as “Ghost”. Peter created the software in 1984 to be dual-licensed, in other words to have both an Open Source license (originally the Open-source-like Aladdin Free Public License, later the GPL) and a commercial license. Thus, Peter made Ghostscript available without charge for people who were using it in Free systems and were willing to share their modifications to it with him and the world, and he made it available for a fee to companies that were putting Ghostscript in their printers or commercial software and weren’t interested in sharing their own code as Open Source.

Peter was the pioneer of dual-licensing, although MySQL usually gets credit for that. He closed the first commercial contract for Ghostscript years before MySQL existed. This was, however, using the Aladdin license, which, although inspired by the GPL, is just short of qualifying as Open Source or Free Software license because it prohibits sale or a fee for distribution. Peter also released each version of Ghostscript with the GPL after a one-year delay, since the code was evolving rapidly and his intent with the Aladdin license was only to prevent proprietary software products from having a “free ride” on code with immediate commercial value.

Peter retired from software development in 2002 to become a composer and musician and sold Ghostscript to Artifex.  Artifex later stopped using the Aladdin license, and switched to releasing each version of Ghostscript under the GPL without delay, having concluded that the “free rider” problem was no longer commercially significant and that straightforward use of the GPL alone would simplify Artifex’s story to the world and improve relationships with the Open Source / Free Software community.

Artifex recently brought suit against Hancom, which Artifex alleges was using Ghostscript in one of its products, without either purchasing a commercial license or complying with the GPL. This case is still in progress. What’s made news recently is that the court found that the GPL was an enforceable contract, and is allowing the case to proceed as a complaint of breach of contract, not just copyright infringement (as most similar cases have).

The actual text of the Magistrate’s finding is:
Defendant contends that Plaintiff’s reliance on the unsigned GNU GPL fails to plausibly demonstrate mutual assent, that is, the existence of a contract. Not so. The GNU GPL, which is attached to the complaint, provides that the Ghostscript user agrees to its terms if the user does not obtain a commercial license. Plaintiff alleges that Defendant used Ghostscript, did not obtain a commercial license, and represented publicly that its use of Ghostscript was licensed under the GNL GPU. These allegations sufficiently plead the existence of a contract. See, e.g., MedioStream, Inc. v. Microsoft Corp., 749 F. Supp. 2d 507, 519 (E.D. Tex. 2010) (concluding that the software owner had adequately pled a claim for breach of a shrink-wrap license).
The entire court document is here.

This finding confused a lot of people. Was the GPL not enforceable before this case? The FSF has claimed the GPL is a license, not a contract, so is the court contradicting the FSF?
The GPL was found to be an enforceable set of copyright terms (a license) in a previous case, Jacobsen v. Katzer. I had the privilege of being pro-bono (no fee, for the public good) expert witness on that case. What has changed now is that for the purposes of the court, the GPL is both a license, which can be enforced through a claim of copyright infringement, and a contract, which can be enforced through a claim of breach of contract. You can allege both in your court claim in a single case, and fall back on one if you can’t prove the other. Thus, the potential to enforce the GPL in court is somewhat stronger than before this finding, and you have a case to cite rather than spending time in court arguing whether the GPL is a contract or not. If you are in Federal Court in the Northern District of California, the court must consider this finding, other courts can consider it and in general will.

That the GPL is a contract hardly came as any surprise to people familiar with the law. Lawyers and judges view any collection of terms as a contract, and tear-open licenses are the norm these days. But the FSF had its own reasons to say it’s a license, reasons that might be more important to the philosophy of Free Software than the court.
Contracts require consent between two parties who join in the contract, if they are to be enforced. The GPL (and many other licenses that come with products) doesn’t have a signature page, so there is no explicit consent. If there is consent at all, it’s the implied consent that has become standard for “tear-open” licenses. Your acceptance of the license is indicated by some action, in this case integrating the code into your product.

The default under copyright law is all rights reserved, which means “you can’t do anything with this” with some minor exceptions that are called “fair use”Thus, if you integrate the software into your product, distribute it, or perform some other action that is restricted by copyright, you must have accepted the license because your alternative would be all rights reserved. Thus, the FSF asserts that the GPL is a license because they feel consent isn’t really necessary, they don’t want to argue about consent in court, and they believe that they can do all of the enforcement they need using a complaint of copyright infringement. Also, tear-open licenses were a much more foggy issue in law when the GPL came about. And then there’s the philosophical matter:

The Free Software Foundation is all about Your Software Freedom. So, they wouldn’t want to take away your freedom in any way. Contracts are a means by which people trade some rights which they could otherwise exercise for some rights they don’t have – but which FSF feels they should have by default. FSF wants you to have the right to use, modify, and redistribute all software without restriction, and this means you should get the source code for all software. In the proprietary software world, you contract for the right to run one copy of the software while giving up your rights to examine, modify, or redistribute it, and often even the right to talk about it freely – for example the right to publish a critical review or a performance benchmark of the software. FSF doesn’t like the idea of people giving up their own rights. So, they very carefully constructed the GPL so that it does not ask you to give up any rights you already have, and only grants rights which you would not otherwise have. So, it’s “freedom positive”, it only gives freedom without taking any away. Thus, FSF feels that the GPL doesn’t need to be a contract. It only needs to be a license because it does not need the contract’s feature of having you make promises to give up some rights.

If the FSF philosophy seems unusual to you, sit down and consider how much software violates your privacy these days, how it can actually control you, and how you are at the mercy of criminals who understand the software better than you and send “viruses” to mess up your computer. My computer running the GNU and Linux software isn’t entirely virus-proof, but it’s immune to “Wannacry” and a lot of the garbage that most of you tolerate. I am in control of all of my software. Are you?

Does the FSF lose anything because the court said the GPL is a contract? I don’t see how. The court didn’t say it’s not a license.

Another interesting point in the case is that the court found Artifex’s claim of damages to be admissible because of their use of dual-licensing. An economic structure for remuneration of the developer by users who did not wish to comply with the GPL terms, and thus acquired a commercial license, was clearly present. In Jacobsen v. Katzer, the lower court found that Jacobsen had not adequately pleaded damages resulting from the breach by stating “by reason of the breach, Plaintiff has been harmed”, although my testimony to the Appeals court laid out Jacobsen’s damages in greater detail. This is further reason for developers to offer dual-licensing (which I generally recommend).

The case is not over, and one attorney I work with remains adamant that the GPL is still not a contract, while others are just as adamant that it is. It’s possible that the district court might not find for Artifex’s contract claim, or that we could see an appeals court rule again on whether the GPL is a contract or not.

My North Korea Photo

This was taken in the blue conference room between North and South Korea which we see in the news so much. I am standing on the North Korean side, and the guards outside the window are North Korean. This is the only place you can safely (and legally) walk into North Korea and walk back out again. My thanks to the (South) Korean Copyright Commission, who provided me with such a nice trip there and paid for my hotel for 10 days, not just for the duration of their conference.

Bruce Perens in the Joint Security Area meeting room, on the North Korean side.

My 30th Anniversary in Open Source!

This marks 30 years of my continuous contributions to Open Source software. About 30 years ago, at Pixar, I contributed Electric Fence to the world. That’s so long ago that I made my contribution to a USENET group. Just a few days ago, I contributed i18n-edit.