FreeBSD Continues Work On Ridding Its Base Of GPL-Licensed Software

  • trasz
    replied
    Originally posted by WorBlux View Post

    The reason being that they want to do things that v3 restricts. In terms of legal clarity v3 has fewer questions about its meaning than v2.
    You are probably right that there are fewer questions - but the remaining ones are much more dangerous. I'm not sure if there's a publicly available analysis which explains the actual reasons for GPLv3 embargoes, but they are quite non-obvious, at least to a layman like me.



  • WorBlux
    replied
    Originally posted by trasz View Post

    This is true about GPL2, but GPLv3 is a minefield. There's a good reason some companies introduced complete embargo on GPLv3.
    The reason being that they want to do things that v3 restricts. In terms of legal clarity v3 has fewer questions about its meaning than v2.



  • trasz
    replied
    Originally posted by WorBlux View Post
    GPL is a legal risk, yes. However it's not particularly hard to mitigate, and you can reasonably expect a fair bit of warning before it gets to a lawsuit. If they don't like copyleft for their own reasons, that's fine, but let's not pretend it's a legal landmine.
    This is true about GPL2, but GPLv3 is a minefield. There's a good reason some companies introduced complete embargo on GPLv3.



  • WorBlux
    replied
    GPL is a legal risk, yes. However it's not particularly hard to mitigate, and you can reasonably expect a fair bit of warning before it gets to a lawsuit. If they don't like copyleft for their own reasons, that's fine, but let's not pretend it's a legal landmine.

    Google's Dalvik is basically a clone of the Java API, and it's the core of their Android application platform. If it were GPL they could credit Sun/Oracle for the header file and write whatever re-implementation they wanted. Sun even included a linking exception for these headers, so that there's zero chance your third-party app developers would be sued. However Mr. Rubin just didn't like the GPL though he had no hope of actually replacing the kernel at the core of the system.

    Maybe Oracle's claims on the API go too far, and the Supreme Court hasn't issued a final ruling on it yet. Personally I think that putting that claim on an API you held forth as a standard, and that borrowed heavily from prior open standards is pretty sketch, but that's neither here nor there as I don't own a black robe.

    But let's imagine if the class-path headers had been Apache 2. Google could have just kept the header file with its notices and licenses intact, linked against whatever re-implementation, deletion, or modification they wished, and licensed the result under a Googlecorp license. Certainly not a result that Sun or Oracle ever wanted.



  • jabl
    replied
    Originally posted by WorBlux View Post

    No, no, no, not even close. This wasn't a matter of one little driver. This was an absolutely massive violation... Busybox, the Linux kernel, the GNU (C Library, Coreutils, Readline, Parted, Wget, Compiler Collection, Binutils, and Debugger), and a good number of userspace utilities.
    Thanks for clarifying, I had forgotten these details.

    Then how did resident counsel not only allow a transfer of ownership twice without a proper audit, but also ignore notifications from the community for years? This was either a fuck-up for the record books, or it was the intentional decision of management that thought they could or should get away with blatant and extensive copyright violations.
    We can argue 'til we're blue in the face whether this was due to incompetence in not performing due diligence, or incompetence in not understanding the license requirements, or if they indeed blatantly thought they could get away with it, but the fact remains that a copyleft license represents a legal risk vs. a permissive license. So that's what corporations will prefer, for better or worse.

    If Java had been Apache 2, Oracle v. Google would not have progressed as far as it did.
    Huh. I haven't looked into the details, but doesn't this case revolve around Google reimplementing the Java API? If they had instead used the official OpenJDK Oracle's case would be much weaker? How would it matter if OpenJDK would have been Apache instead of GPL+classpath exception?



  • WorBlux
    replied
    Originally posted by jabl View Post

    As an example of what happened with the GPL, consider the Linksys WRT54G saga. Company A bought company B, which had bought some hardware from company C, which had outsourced the driver work for said hardware to company D
    No, no, no, not even close. This wasn't a matter of one little driver. This was an absolutely massive violation... Busybox, the Linux kernel, the GNU (C Library, Coreutils, Readline, Parted, Wget, Compiler Collection, Binutils, and Debugger), and a good number of userspace utilities.

    Now, lawyers and their ilk are paid to protect their clients,
    Then how did resident counsel not only allow a transfer of ownership twice without a proper audit, but also ignore notifications from the community for years? This was either a fuck-up for the record books, or it was the intentional decision of management that thought they could or should get away with blatant and extensive copyright violations.

    The crucial difference, of course, is that Apache doesn't require a derivative work to be distributed under the same license, which is the big difference between permissive and copyleft licenses.
    This doesn't mean that it's always appropriate or inappropriate for a corporate project. If Java had been Apache 2, Oracle v. Google would not have progressed as far as it did. There are good reasons you may not want a competitor to be able to re-license or hide code.
    Last edited by WorBlux; 20 January 2021, 11:21 AM.



  • jabl
    replied
    Originally posted by WorBlux View Post
    GPL 2 doesn't talk about linking anywhere. And conceptually linking is fairly easy, calling something in another module by name. The real problem is the relation between linking and derivative work. Apache says linking alone should make something be considered a derivative work. Plain GPL (without the linking exemption) uses the full definition of derivative work in copyright law, which makes most cases of linking against GPL a derivative work.
    The crucial difference, of course, is that Apache doesn't require a derivative work to be distributed under the same license, which is the big difference between permissive and copyleft licenses.

    As an example of what happened with the GPL, consider the Linksys WRT54G saga. Company A bought company B, which had bought some hardware from company C, which had outsourced the driver work for said hardware to company D. Now, company D had neglected to comply with the GPL, leading to company A being on the receiving end of a lawsuit. Now, lawyers and their ilk are paid to protect their clients, so it's quite clear that they advise against depending on GPL code unless there are no alternatives (the Linux kernel ecosystem being one of the relative few GPL bastions left where the advantages of the code outweigh the downside of the license (from the view of the corporate lawyers)).

    Of course, for end users this turned out well in the end. We got the source code for the WRT54G wifi chips, kickstarting what eventually became the OpenWrt project.



  • trasz
    replied
    Originally posted by anarki2 View Post

    NFS (like most traditional Unix software) is a pile of garbage in terms of AuthN and AuthZ, regardless of the security of the transport channel. The octal permissions, sticky bit, "ACL" which is mostly just a gimmick and has no resemblance to actual ACLs, groups not being able to hold groups, and all the other ridiculous limitations dating back to the 80s or even 70s, it just blows my mind how the Unix world actually survived the 2000s Internet explosion until most AuthZ and AuthN stuff essentially moved from the OS to higher levels (in most of the cases, to webapps). Do you know how you can prevent a Docker user from gaining sudo rights? I tell you: no way. That's Docker AuthZ for ya.

    So no, NFS having or lacking TLS support is the least of my concerns.
    What you're saying about NFS only applies to the old NFSv3. NFSv4 is much better, especially so in FreeBSD, where it can e.g. support proper NFSv4 ACLs instead of the old, and not particularly useful, draft POSIX ones.



  • WorBlux
    replied
    Originally posted by mdedetrich View Post

    Use Apache 2 which contains a patent clause then. Most companies I work for that do open source work use Apache2 and also funnily enough every company I have worked for has avoided GPL (2 or higher) like the plague for their open source work, from what I gathered it's a massive PITA for lawyers especially defining what "linking" means (among other things).
    GPL 2 doesn't talk about linking anywhere. And conceptually linking is fairly easy, calling something in another module by name. The real problem is the relation between linking and derivative work. Apache says linking alone should make something be considered a derivative work. Plain GPL (without the linking exemption) uses the full definition of derivative work in copyright law, which makes most cases of linking against GPL a derivative work.

    And I'm not one to say any particular license is the best in all cases. If the legal department says they like Apache 2 because there's less uncertainty, and that's what you use, it's still an OSS licence at the end of the day and makes better software and computing for everyone.




  • Qaridarium
    replied
    Originally posted by jabl View Post
    IIRC MongoDB switched from AGPL to their own SSPL because in their opinion AGPL didn't go far enough in protecting them against cloud service providers.
    But yes, given SaaS etc, in some sense AGPL is more in the spirit of protecting the four freedoms than plain GPL. However, I wonder whether the FSF has the political capital to spend on a more rigorous GPLv4 considering already GPLv3 caused a massive schism in the community. Heck, even some GNU projects have refused to update to v3 due to fear of losing users (glibc is still LGPLv2.1).
    yes it is very sad that the people do not have the will and the power to stand up for what is right.
    something like SSPL should be the GNU GPLv4

    to make sure something like the ASP loophole never happens again.
