LWN on the Patent Encumbrence of SELinux

Anonymous Coward writes "LWN has a story about patents in SELinux. The article says: "Much of the actual work in the implementation of SELinux was done by Secure Computing Corporation (SCC). SCC, in its implementation of SELinux, used a technology that it calls type enforcement. As it turns out, SCC has a patent on this technology." Sigh.

For the Good of the Community

[pryan]

I've been watching this on the Linux Security Module mailing list and have high hopes that SCC sticks to their original promise and not place restrictions on the use of this technology. There are plans to get this into the Linux 2.5 development tree and eventually have it available in 2.6. This is the sort of security technology we desperately need in a popular OS, so let's hope SCC does not prevent its movement towards integration with the main Linux source tree.

Re:For the Good of the Community

[fw3]

I've been watching this on the Linux Security Module mailing list

SCC, NSA and other interested parties have noted that TE and DTE (domain/type enforcement) are patented respectively by SCC and NAI labs (both of which have contributed substantial code to SELinux.

SCC's statement on their website was vague, simply saying: will be no restrictions on the use of TE by the Linux open source community ... will release source code for all the modifications to the existing kernel and for a general-purpose security policy engine under the GPL

LSM itself does not implement TE or DTE and is not affected by these patents. LSM is a standard framework allowing(many) system security implementations to be used in the linux kernel without needing extensive re-writes for every kernel release.

Things that are not clear (to me and I think to most of the participants in this 'issue' with SELinux) include:

• on what would this patent be restricted / enforced? - closed source?
• exactly who is allowed unrestricted use? Linux? GPL-code? BSD?
• when these and other questions are answered, will the letter (spirit?) of GPL be preserved?
• When THAT has been determined, how will the various contributors to SELinux respond?

These aren't simple answers, I think SCC's original statment was clear about *intent* and I sincerely hope they'll clarify adequately and in a manner that allows development / deployment of SELinux based tools to proceed.

Questions:
At what level of patent-restrictions would GPL be broken?

• restricting use of the patent in proprietary sytems of all types?
• proprietary code incorprating GPL code but not distributed? (this is allowed under GPL)
• Other 'free' software licenses (BSD, public domain, Artistic ...)

Not knowing the details, I don't think there's much to discuss until SCC (and hopefully NAI) clarify their plans wrt these patents and issue clear statements.

My impression is that they're acting in good faith; I'm ok with their taking down the vague statments from the web page while developing something that we can all count on.

The statment quoted on LWN about "needing to negotiate a license to use TE commercially" looks ill-informed. SCC has released GPL'd code which implements TE I believe that limiting that code from commercial use would violate GPL.

I strongly suspect that various folks at SCC weren't communicating adequately (Imagine that! geeks/marketing/etc not having the best communication skills?! :-)).

Got my finger crossed in hopes this works out smoothly.

My IANAL conclusion

[autocracy]

Basically, patenting something in software and then GPLing it means you're the only one who can write the code that does that, but anyone can modify and redistribute what you've done. Kind of confusing, but basically it means that a certain method of doing something in software can now only be done if it's under the GPL - interesting.

I think that this also falls under the class of submarine patents. Either way, if I'm right in my conclusion, they can't do anything about it - you can't "unlicense" a GPL license; and it's non-exclusive, so anybody that has it can keep it going even after you stop offering it...

Summary: Chill out in the walk-in freezer!

Re:My IANAL conclusion

[Raphael]

Basically, patenting something in software and then GPLing it means you're the only one who can write the code that does that, [...]

Sorry, but you are wrong. See my previous comment in this thread. According to section 7 of the GPL, you must distribute your code with a royalty-free license or not distribute it at all (or not under the GPL).

So now Secure Computing Corporation (SCC) can do several things:

• Confirm their previous statement: "There will be no restrictions on the use of TE by the Linux open source community.". TE is the Type Enforcement technology on which they have a patent. Basically, the usage of TE in any GPL code (commercial or not) would be allowed.
• Claim that they did not understand what the GPL implied and say that they never intended to allow a royalty-free usage of their patent in GPL software. They could then try to warn all those who have received a copy of their code and tell them to stop distributing it.

They have no other choice: either they comply with the GPL and allow royalty-free usage in any GPL code, or they cancel their contributions and stop the SELinux project. Given the nature of their contribution, the third option (releasing binary-only drivers under a proprietary license enforcing the patents without modifying the kernel) cannot be applied, so the options are limited for them.

Re:My IANAL conclusion

[Lonath]

IANAL, of course, but my reading of the GPL is that if you (the pure thought patent owner) put your pure thought patented code into GPLed code and release it, you've given up control over that implementation of your pure thought patent. And, anyone can take the code covered by the pure thought patent and extend it just as the GPL says they can. Of course, this might mean that you can modify it under the GPL, but you can't run it. If that's the case, then the GPL is worthless, and it needs to be modified to allow execution of code covered by pure thought patents, and of derivatives to that code.

Also, there is something called estoppel, which might apply here. But, basically if you promise something, and people do things based upon that promise, you can't go back and change it later and screw everyone over. I am not sure if it applies here, but companies shouldn't be able to say one thing, then wait a few years then change their minds.

Re:Opposing views

[oever]

So according to the license, all GPL code that implements a software patent cannot be distributed when there is a license fee for the patent.

If this is true, free software can easily be damaged by patent lawyers.

Conclusion: abolish software patents.

Legal implications of this ?

[o'reor]

This, along with the RedHat patents in the Linux Kernel, rises a series of good questions :

• how are those patents going to benefit the companies that filed them ? It's mainly a closed-source word out there, how are they to prove that a competitor used the same technology in a closed-source product ?
• it does not appear to harm the free software community for the moment, but what later ? What if those components are no longer distributed under a free license ? SE Linux raises the problem with the explicit mention being removed from their pages, as mentionned by LWN.
• isn't it just a problem with the US patent office, who are overloaded with work, who do not always check the validity of a patent with regards to prior art, and the US legal system which allows lawyers of big companies to blackmail and racket smaller companies on unfair patent claims ? See this site which refers to a previous /. post on the subject. I personnaly think that kind of situation is an incentive for RedHat and SELinux to spend big bucks on patents.

I clearly don't see the free software community benefiting from this situation. Individual programmers will have to face both the possiblity that a rogue company sues them unfairly for patent infringement, and the possibility that another company, owning patents on parts of free software, changes its attitude towards the GPL and decides to un-GPL their code and go proprietary.

Say "thanks" to US lawyers and Powers That Be for allowing that nightmare to come true.

Re:Because so few people have actually READ the GP

Actually, it is even a little rosier for Open Source. That company was contracted by NSA to do this work. Thus they were paid already for the use of their patent in this manner.

If they did not want this consequence, they should not have accepted the contract. A typical contract of this nature usually gives the government rights on the source code. That is why the government can make it available.

Time for a free patents consortium?

[Bazzargh]

In the commercial world, patent wars often end with the formation of a consortium that holds the patents and enforces them (where necessary). Is there such an organisation for open source? If not, why not?

It might seem a bit daft in the current case where SCC have GPL'd their code, but consider this:

1. Company A dual license their product - free under the GPL, and non-free under a closed license. The free version could contain community patches, the non-free version could not, but the non-free version could be licensed by a third party without that third party having to open its source. Patent fees would apply in this case.

2. Company R supports GPL'd product L, Company M makes closed-source product W. R patents several of the changes they have made. They are then sued for patent infringement by M - R countersues, via the umbrella group for infringements in W, not for patents they hold directly, but for patents held by the umbrella group on behalf of members.

This assumes you can GPL license and enforce patents on people who are using the patented invention, rather than a copy of the code, in their product (code copying is obviously covered by the GPL directly). I don't know that this is true - and I doubt that Stallman would approve. However it might increase the sense of safety people have with patents like this and the Red Hat ones waiting in the wings; it may also encourage more companies to GPL, since they retain the ability to chase closed-source competitors who steal their ideas.

Just a thought.

OPEN Patents!

[Compulawyer]

I've said it before, but it seems particularly appropriate in this thread. If Open Source code is novel, then it should be patented. Then a patent license similar to the GPL copyright license can be used to ensure that Open Source users can use the functionality in the code. If an Open Source patent License (OK, I'll coin a term -- the OPL - Open Patent License) is used in conjunction with the GPL, think what a remarkable impact it would have on code development.

All it would take is one killer app license under the OPL to create public demand. Then if anyone wanted to duplicate that functionality, the OPL would allow it -- BUT the corresponding GPL (or the OPL itself if properly worded) would require developers to release source code with their implementation.

I submit that this would have an even GREATER impact than the GPL. Developers would be free to try widely disparate approaches to achieving the patented functionality. The different algorithms and approaches could be compared with the best methods prevailing because the best code would be that actually used. Think of the contribution to computer science possible with widespread comparison of designs. I think the industry-wide effects would result in much higher-quality code in general.

Don't tell me that Open Source cannot get patents. If someone bothered to look, they could find a patent attorney who would be thrilled to get a patent for Open Source code as long as someone paid the filing fees (for small entities, about $350). I am a registered patent attorney and I would be thrilled to prosecute one of these applications. I'm sure I am not alone.

Re:OPEN Patents!

[Phil+Hands]

Patents on software are a moronic idea.

As a lawyer, how would you like to have to check each tactic you were planing to use in defending one of your clients, before actually using it, in order to check that it had not been patented by another lawyer?

That what the patent industry is trying to do to us. They (you?) pretend they're are doing us a favour (chanting "Innovation", "Protection of Property" etc), but in fact you are burdening us with the extra workload of (if anyone could be bothered) having to check every line of code against a patent database, or in the absence of that, getting sued for thinking of an idea after (of sometimes several years before) someone else.

Not only that, but the patents are worded to ensure that they provide almost no information whatsoever to someone interested in the technique they describe, so the claimed goal of driving forward the state of the art is total nonsense (can you cite a single instance of a Computer Scientist referring to patents in order to learn a novel technique? I doubt it).

Software patents are a government authorised tax on the software industry to make monopolistic corporations and patent lawyers rich. They have no positive effect on the state of the art in the field of computing whatsoever.

Unfortunately the patent lawyers are in charge of the patent offices, and those arms of government that are supposed to regulate them, so we're likely to end up as thoroughly shafted in Europe as is the current situation in the USA.

Having said all that, patents on other, material inventions seem totally fine to me, so I'm not saying patents or patent lawyers are evil per se, just the ones that try to take my (software) toolbox away, when I made my toolbox myself.

Re:What is Type Enforcement?

I'm going from memory, as I haven't used "TE" for about 4 years now. Since I'm giving a high level description of it, and I'm no longer an employee of SCC, I shouldn't be breaking any NDAs.

It was a pain to use as a developer as even though you were root, you were limited to what you could do!

The OS is modified to include a "type" in addition to user and group in the filesystem. All of the filesystem tools were modified to use this "type"

For example, for your mail server you would create a mail "type", and associate only mail related files with this mail type.

Even if you are root, but aren't logged into the mail type, you can't do anything with those files.

If a remote root exploit is found on sendmail, the hacker can do *nothing* as they are locked down.

Associate types for different areas of your system and you will have a pain in the ass system to administrate, let alone be able to hack!

Or something like that.

What does the patent have to do with this?

[rew]

IANAL... but,

Maybe I'm stupid (Well, feel free to call me stupid: I just read the slashdot header and not the referenced articles), but as I see it, they also used patented techology from Seagate on their harddisks during the development. Does that mean that Seagate can claim a licence fee on distributing Linux? No!

Same here. They used a patented technology in the process of improving the Linux code. So that doesn't make the Linux code fall under the patent....

Now, "Type enforcement" is a technology that dates back from at least the early seventies (Pascal, algol). Those patents are either expired, or there is prior art. Or maybe they patented something like "type enforcement in relation to computer security". Well, that was invented in the sixties.....

Roger.

Re:Opposing views

[Chris+Johnson]

No, no, no, no, no. Intent is nothing! It's down to the wording of the actual license. Nobody is going to care about the 'since they came to play in our sandbox they must have MEANT to do XYZ'. Treachery is not itself against the law, just certain implementations of it are.

The outcome to watch for is (4) SCC blows away their license to distribute Linux and then shuts down all Linux distribution that involves their patented stuff, until the patented stuff is completely removed. The reason to watch for this is as follows: while destroying your own product (a Linux distribution) is bad business, there is enough outside interest in doing great damage to Linux that it WILL become rewarding to do so, to the extent that the patent becomes indispensable. If the patent becomes completely indispensable to Linux, the value of buying out or subverting the patent holder becomes astronomical to a competitor- some of whom claim to have rather a lot of money.

This holds for ANY patent being licensed into Free software, not just the SCC.

Too late

[Grax]

IANAL

Once SCC approved the use of Type Enforcement under the GPL they cannot revoke that use or change the terms of use same as if you purchased a product and they later raised the price retroactively and sent you a bill.

SCC approved use of the patented technology under the GPL so they cannot legally stop others from using it under the GPL. One of the advantages to this for them is that they still retain full legal rights to prevent their technology from being used in closed source apps without a legal agreement with SCC.

So if Microsoft wanted this technology embedded into Windows XXP they have to either pay up or GPL their OS.