Open Source in the Military?
djmcmath asks: "Does anyone have any experience with Open Source Software and/or GPL'd software in military applications? I'm only asking because I'm involved in work on the combat systems for a new submarine, and had considered an Open Source solution. (I apologize, I must be intentionally vague for obvious reasons.) So ignore the obvious questions (Is it really suitable? Are closed-source proprietary options better? Does MS have a good solution?) and skip to the good stuff. What about the fact that my code would be classified Secret under US Code Umptifratz? I cannot distribute my code (and its changes) without being tried for treason. What happens to the rest of the combat system code when I submit my GPL'd module?" Open Source and the Military: it's a tricky combination of keeping what can be open, open and keeping your secrets...well, secrets! However, open source in the military need not be as high profile as weapons systems. One of the only major OS projects that I'm aware of that had any form of military involvement was GRASS, the open-source GIS system. I'm sure there may be a few others out there. Does anyone know of other OS projects with military association? If there are any projects out there that interface with classified bits, how did you deal with those issues?
I cannot distribute my code (and its changes) without being tried for treason
Are you distributing your executables? If you use the OSS for a specific system and only on that system, you are not required to distribute source - everyone that has the binaries (the military) will have the source.
I can't say that I don't give a fuck. I've just run out of fuck to give.
You only need to distribute the source to the people that you distribute the binary to.
Presumably the binary is covered by the same secrecy rules as the source, so the only people entitled to the source are the military.
Although, if the binary is in a bomb, you may also need to distribute the source to the poor sod that you drop it on.
A quote from the FAQ which I believe applies to your situation:
"The GPL does not require you to release your modified version. You are free to make modifications and use them privately, without ever releasing them. This applies to organizations (including companies), too; an organization can make a modified version and use it internally without ever releasing it outside the organization. But if you release the modified version to the public in some way, the GPL requires you to make the modified source code available to the users, under the GPL. Thus, the GPL gives permission to release the modified program in certain ways, and not in other ways; but the decision of whether to release it is up to you."
Greg
To a shark, you are just another food choice...
The terms of the GPL simply state that if you sell a GPL product to a customer, you must provide the source to that customer.
Red Hat, Mandrake, and the like are being nice enough to provide iso images of their software for your download - they are not required to.
So what are the ramifications? Well, if the military sells your GPL solution to a 3rd country, they have to provide the source to that 3rd country, as well.
In other words, in this case, GPL (or no) makes no difference at all. GPL code can be "top secret" as long as the customer has full access to the code.
The idea of the GPL is that "If I bought it, I can do as I please with it - and if I sell it, so can whoever I sell it to..."
I have no problem with your religion until you decide it's reason to deprive others of the truth.
I actually have had to deal with this and the GPL really isn't your biggest concern, but first, let me address that.
The GPL is a set of licensing terms between the author and whomever he distributes the code to. If you are working directly with the Navy (unlikely) then writing and consuming the GPL code would pose no problem since you're not distributing to anyone.
If you are working for a contractor, then it is a bit more hairy. You can still write the code GPL and distribute it to the Navy under the GPL. This of course gives the Navy whatever rights to the code so that they could redistribute it if they choose. It does not allow some guy in Florida to obtain secret info though. You would have to first give him a binary for him to have grounds to ask for the source and of course, classified source code produces classified binaries so this isn't an issue.
The real issue is QA. There are all sorts of processes (I know at least for Surface Systems) covering COTS versus in-house software. Now, I spent a great deal of time working things out with QA and this is what we came up with when I first asked to use an OS library in a tactical program:
First, I had to vouch for the code. That meant I literally had to go through it line by line and make sure there were no possible backdoors in it. Also, if I modified more than a certain percentage of the library, then I was responsible for bringing that library up to in-house standards (which I'm sure you know is a real pain in the ass).
Don't worry about the licensing terms, they aren't going to be a sticking point likely. QA is what is going to kill you... (and it will only get worse if your program carries a higher classification).
int func(int a);
func((b += 3, b));
Perhaps he meant espionage - the release of state secrets to an enemy of the state.
I can't say that I don't give a fuck. I've just run out of fuck to give.
IANAL, however I did work in military intelligence and information security.
From what I understand, in this case, the government agency responsible for the code changes would be required to distribute those changes to any agency they distribute the binaries to... This should not, as I understand it, mean the individual users of the software.
For example, let's say the Navy sends copies of the binaries to Electric Boat (a sub manufacturer). They would be required to send the source to Electric Boat as well.
However, in this case, it is Electric Boat's IT department that is the receiver of the binary, NOT the Electric Boat employee who uses the software. Therefore, the source can legally be kept inside a safe at the CMCC (classified material control center), shown only to the IT department and others with an established need to know.
However, in any case, regardless of license, if the source changes reveal classified information it would be illegal to release them to the general public. I'd wager that even if that turned out to be a direct violation of the GPL, the classification side of the case would win in court.
With all that said, I would recommend you push for release of all source changes that do not reveal classified information. I realize that might not be much, but what you can, go for it.
Treason is an overstatement, but in his case, the penalties would be stiff, and depending on the circumstances and who he distributes it to, it could be considered treason. The non-disclosure agreement sets penalties of 10 years and 10,000 dollars for EACH violation of the security regs. For example:
Classified fact a
classified fact b
classified fact c
classified fact d
classified fact e
If those were real classified facts, I could easily end up in jail for 50 years for this post.
It may not technically be treason, but it can be as severe and match the spirit of treason if not the letter of the definition.
"You know, Hobbes, some days even my lucky rocketship underpants don't help" -- Calvin
Just a note on how military are involved on spreading the evil "specter" all over the world. Just one name that means all:
"TCP/IP"
It's open, clear and crystal like water. The whole world uses it. 90% of open/closed source network systems depend on it. It's open, it's readable. And it's ARPA...
What else is needed to talk about the military involvement? From start to end, many things done on computers are originally military by their nature... First computers were created for military needs, let's not forget this. And today nearly everyone uses them. From Taco to Bin Laden...
I am a programmer in the USAF, and my squadron (for security reasons I cannot say what my unit does) uses OSS.
;-)
We use Samba for sharing printers between Windows NT and Solaris. We don't change the source code, but we do use OSS. I believe that we also use GCC for some things, because (and I am not 100% sure on this since I am not a sysadmin) I don't think Solaris comes with a C compiler. We also use DivX for... I could tell you but then I'd have to kill you
I've thought about this before because of our software licensing. Let's say Microsoft thinks they need a license audit. What's more important: maintaining our security by not allowing Microsoft access to sensitive computer systems, or complying with their "copyright" policies? If a computer is located in a secure area protected by federal classification law, who will know?
It goes both ways. The government could potentially abuse the GPL, but they could do the same to the draconian licensing terms in commercial software. It is my experience that the people in charge of acquiring systems will make sure their subordinates comply with the law. The higher-ups at my squadron stress that we must obey licensing laws because it's The Right Thing To Do.
I like open source software. I think it's the greatest thing since sliced bread. But for some applications, such as classified computer systems, it may be best to stick to closed source if you need to change the open source software.
24 beers in a case, 24 hours in a day. Coincidence? I think not!
I worked on a terrain database analysis tool, called ZCAP, that was funded a few years back by U.S. Army STRICOM and the Defense Modeling and Simulation Office. We distributed the application (and still do) in a complete package that included a number of supporting free source applications, such as gnuplot and tcl/tk. We handled the combination of free source, (no longer) export-restricted software, and proprietary libraries by loosely integrating using system calls under a tk-based gui. Not very clean, but there is a lot of good code in there, and I'm planning to GPL it in the near future.
If you can't release your source code, don't use the GPL.
:)
Why? Because a lot of us GPL fans are Buddhist, Pacifist, Hippie types!
Seriously... I don't want you using my software to help kill people.
But you can't, under the GPL, stop anyone from using the software to do things you don't like, as long as they comply with the GPL. Open Source is about making software freely available - if you do that, you have to be willing to let people use it for things you may not like.
I have also talked to Stallman about putting a clause in the GPL about not using the GPL in military systems because of these concerns
Now you're advocating closing the source to people whose world view conflicts with yours. Beyond the difficulty in sorting out what would be limited and what wouldn't, since you can change the terms of another writer's license, why limit this to the military? Either the source is open and free to all, under the same terms, or it isn't. This gets real close to MS' FUD about viral code - all of a sudden you can't freely use and distribute code you've created because it incorporates someone else's more restrictive license.
If you want to limit your code's uses, write separate modules that don't incorporate others' code. Unfortunately, you can't have things both ways: Open Source and Restrictions on End Users.
I'm a consultant - I convert gibberish into cash-flow.
That brings up the question of embedded devices in general, e.g. what if the binary is in night vision goggles or a satellite radio issued to troops? They presumably can't be given the classified source code. I discussed embedded devices with RMS a long time ago and back then, he seemed to think it was technically a GPL violation, but if the code in the device can't be changed (i.e. it's in ROM) then it didn't really count as software, so he wasn't too worried. At that time, embedded CPUs weren't so ubiquitous and those that existed were mostly tiny and didn't run much GPL'd code. It might be time for a more formal policy on stuff like this.
Of course, the GPL'd code owner can always grant GPL exemptions for specific purposes (the GPL itself has a clause saying this and I think the FSF has given a few exemptions in the past), so the surest way to be in good standing is if you can get permission from the owner.
Disclaimer: IANAL and I don't speak for the FSF.
First off, run, do not walk, do not pass go, straight to the base/department legal department. Do not attempt to do ANYTHING until they OK it - the regulations surrounding secret-level work are inordinately hairy and convoluted, and only a lawyer specialized in classified-work law can answer your question definitively.
The other note, which is useful when discussing this with aforementioned lawyer: any work done under a Classified label (or higher) has different rules than "normal" work. Basically, any license that gets applied to the code only applies to those with a clearance at least as high as the code was written. Thus, if your code is Classified, I don't care if it has the BSD license, GPL, Bob's SuperFree License, or whatnot. Anyone without a Classified clearance isn't entitled to see it. Period.
This is a case where the murky grounds of National Security trumps Copyright (and other Intellectual Property) law. The law still holds, but it's restricted to the circle of security it's at.
National Security law basically allows you to use anybody else's code, provided you compensate them in a just and reasonable manner. As far as I've experienced, this means that you have to pay them the basic asking price on the free (i.e. non-classified) market, and they don't get to say "no, you can't use it". For GPL/BSD/Open Source licenses, the asking price is Free, so well, they've been "compensated" as they normally would.
In this case, Classified work can certainly suck in Open Source code and not release it until it gets unClassified. And, as a side note, there is no "leaking" - people are not entitled to distribute code to non-cleared people, so it's not like Trade Secrets. It stays locked up until it's declassified.
-Erik
There are always four sides to every story: your side, their side, the truth, and what really happened.
You're missing an important distinction here. The GPL limits what restrictions (none) you can place on redistribution of source code as a term of the license CONTRACT.
Security classifications, in contrast, are a matter of LAW.
This is an important distinction that comes up periodically. E.g., there's a fair amount of software that is used to control the operation of amateur radio station equipment. The licenses inevitably require that the user have suitable FCC (or local equivalent) certification suitable for the operation of this equipment, probably due to FCC regulations. Does this violate the GPL? I would argue it doesn't - it's the FCC that requires a license to operate the equipment, not the author, and the sole purpose of this restriction is to limit the author's liability in those cases when the receiver acts in bad faith.
Ditto the occasional licenses that require the receiver be old enough to enter into a binding contract. Of course it's silly to say that a 17-year-old can't make valuable contributions, but the law says that contracts with 17-year-olds are never binding except for some relatively rare circumstances. (E.g., they can be emancipated by a court, by enlistment in the military, or by marriage. Or it could be a "necessity" such as a contract for housing.)
I think the same argument can be made here. Are you willing to make the source code available to any agency legally entitled to view it? If so, then I think you can still use the GPL.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken