Slashdot Mirror
RMS Weighs In On SPF/Sender-ID License
NW writes "In a recent message to the MARID list RMS weighs in on the licensing issues of Sender-ID/SPF and Microsoft:
'Microsoft's Sender-ID license is directly incompatible with free
software regardless of which free software license is used. Free
software means users are free to run it, study and modify the source,
and to redistribute it with or without changes. Free to do so means
there is no requirement to ask or tell anyone that you are doing so.'" "MARID" stands for MTA Authorization Records in DNS; here's the IETF MARID working group's charter. (Read more below.)
Stallman's message continues: "The Microsoft license for Sender-ID directly forbids release of software with all these freedoms, so it is impossible for any program to be free software under Microsoft's regime. I've been expecting to see something like this ever since Gates started talking about spam. This license is an example of Microsoft's strategy for killing off free software as an alternative to Windows. Microsoft first patents something, then incorporates it into a format or protocol, then tries to make it de rigueur while excluding those it wishes to exclude. In the absence of resistance, Microsoft has a good chance of imposing whatever standards it likes. Let us, therefore, resist it here and now."
I've STFC (Scanned the charter) and from what I can gather, it's simply a new record type on the DNS'. Surely the MTA would then query the DNS responsible for the domain for this record, and act accordingly; so what's the problem? I'm sure Sendmail can be made fully capable of this, or any other lookup tool.
Code, Hardware, stuff like that.
I'm surprised the author didn't link directly to Microsoft as well...here's the missing link.
If we let Microsoft, through some machinations during our anti-spam re-engineering or in any other manner, take any measure of control over what has, until now, been an 100% open-standard email infrastructure, email will be fragmented and ultimately ruined, far worse than any cadre of spammers could ruin it.
It is trivial to do what "caller ID" does in an open fashion. And it is absolutely crucial that we do exactly that. No "complicated" licenses, no fancy agreements, no lawyers. Just pick a standard, and follow it.
Letting Microsoft have any involvement in the email infrastructure - other than using it - will be a disaster. And it wll be all the more terrible because of how easily it can be prevented.
Want to Know How to Cheat the GPL? Read On!
Newsflash: OSS community dissatisfied with Microsoft's actions. The shock caused by this devastatingly original sentiment is almost immeasurable.
Not exactly. To the Free Software Foundation, "Free" has *always* been about being "open source" as you would put it. "Open source" was a relatively recent term adopted by people because people kept confusing zero cost with freedom to modify the source code and do what you want with it. RMS has been using the term "free" to describe that for decades.
So, the license RMS is ranting about doesn't apply, and there doesn't appear to be another license on the Microsoft site. Having said that the Microsoft license does not stop the distribution of source, in fact there's a specific clause allowing it (2.2), you just have to include a paragraph in the source code. Nor does RMS say what his problem is, aside from "Grrr, it's Microsoft".
Of course the SPF implementation is still "non-licensed", there's no mention of restrictions, although they do point out there are patents all over the anti-spam arena.
But hey, we don't expect people to look at this stuff, lets just add yet another protocol.
its probably a good thing. If anyone could amend the software, they could, for example, add a section that says 'but accpet all spam.com emails'.
I understood that the protocol was to be made into a standard, so how would changing the software help us?
The Licence (pdf) says that MS grants you a non-transferable licence to use it and sell it on to end-users.
If you do redistribute the source code, its fine, but you must add a clause to your licence that says the software may contain IP owned by MS, and that anyone obtaining such derived source must go ask MS for permission to use their bits directly - you can't give that away.
So I can only surmise that when RMS says it is incompatible with free software, he means the GPL. It is acceptable to use the software, look at it, but you can give it to someone else, but they cannot take away the terms MS set. Sounds a bit like the GPL, but with different terms. (hey RMS, you don't want to agree to those terms, you don't have to use the software).
Just a little contrast for those who read only one level deep.
Mars
So, we have Microsoft in the distinctly red corner with their proprietary standard.
Let's face it, as vocal as the OSS community is these days, there's not a lot that can be done to stop Microsoft from doing whatever the hell they like, so long as it's legal(!). Sure, sendmail is OSS software, but I got the impression that SPF is pretty much independent of the MTA software anyway.
But, in the blue corner, we have plenty of heavyweight companies who are big on Linux and big on e-mail who have teams of lawyers that have undoutedbly been over this license already, and found the problems.
We have IBM, the people who make Lotus Notes, which is still pretty widely used, IIRC. We have Novell, who now own SuSE/Ximian and are betting the shop on Linux, who produce NetWare. We also have Sun, who are getting vocal on OSS, which produces Solaris, which seems to power a large proportion of MTAs around the globe.
The best defense, surely, is to make sure these companies understand the issues with SPF, and don't implement it in their own products. After all, Microsoft won't get that far without support from other companies, since much as they'd like to, they don't currently control the world's Internet server market....
Too early in the morning I guess... ;-)
Galileo: "The Earth revolves around the Sun!"
Score: -1 100% Flamebait
As the inventor, no doubt MS will hold the patent. So you have to license it, whether for GPL or otherwise.
If the license isn't GPL compatible then GPL software can't use it.
The kind of freedom RMS is referring to can't be taken away or used to discriminate between users - free as in zero price can be.
"If you do redistribute the source code, its fine, but you must add a clause to your licence that says the software may contain IP owned by MS, and that anyone obtaining such derived source must go ask MS for permission to use their bits directly - you can't give that away."
Sounds nasty, an obvious play would be to get this non-standard widely accepted then for MS to refuse permission to new licensee's unless they pay a fee.
That would then lock out free software.
Because you need their permission to get the license, they can tack whetever terms onto the deal they like in order for you to obtain that permission.
Another popular trick of MS's is to claim that a new version of software is a different product. They have done this several times, most famously when they said Windows 98 isn't Windows 95.
So you could find that Sendmail future versions get cut out aswell.
Best to avoid this one.
I have personally met several of the Microsoft employees who are doing the work on Sender-ID. I have ever reason to beleive that they are working in good faith to try and make sure this technology can be deployed by everyone, including GPLed software. The problem is that Microsoft is a huge company and things like the licensing issue are handled by Microsoft lawyers, not the people directly involved in SenderID.
I know that the SenderID MS folks are working with MS lawyers, and the MS lawyers are working with lawyers from the FSF, Open Source Initiative (OSI), and IBM (for postfix). The IETF working group co-chair has given MS until early August to get this problem resolved.
Personally, I'm going to give Microsoft lawyers a little more time before I try to outright kill the SenderID RFC.
SPF support for most open source mail servers can be found at libspf2.
Finally, now I know what to think about all this.
:P
I was beginning to wonder if I was supposed to think MS had done something right for once...
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
Why shouldn't free software be the first to implement secure email? Imagine how much easier Linux advocacy would be if we could say: "SPAM? - I thought that was a Windows problem?..."
Imagine this conversation:
Tech: What's the problem?
User: I get all this SPAM, and I can't read my real email.
Tech: Let me guess, you're still using Windows, right?
User: How'd you know?
Tech: Because you're still getting SPAM. If you upgrade to Linux, which uses the SPAM-blocking mail protocol, your SPAM problem will go away... I'll send you a CD in the mail.
What really irks me is that rather than invent new solutions to existing problems, the free software community waits for a commercial vendor to implement a solution, and then copies it. What we should really be doing at this point is implementing a SPAM-free mail protocol in free software, which, once it became the standard, would force commercial companies into compliance, rather than trying to play a game of dodge-the-patent-lawsuit by copying someone else's improperly done anti-SPAM protocol.
Let's face the facts here, folks: if we wait for Microsoft to implement an anti-SPAM protocol, they'll do it wrong, and the free software world will be stuck trying to ensure compatibility with an interface that is fundamentally broken in the first place.
The society for a thought-free internet welcomes you.
The site Boycott Caller-ID for E-mail has been saying this for a very long time. Since the merging of SPF and Caller-ID into Sender-ID it's been getting a bit out-of-date, but the patent issues are still valid.
æeee!
'Microsoft license does not stop the distribution of source, in fact there's a specific clause allowing it (2.2), you just have to include a paragraph in the source code. Nor does RMS say what his problem is, aside from "Grrr, it's Microsoft". '
m _s enderid.mspx
The problem *IS* that paragraph, it makes the license extendable, since anyone who wants to use/give away/do anything with, it in future would have to get permission from MS.
"Our provision of this source code does not include any licenses or any other rights to you under any Microsoft intellectual property. If you would like a license from Microsoft you need to contact Microsoft directly"
There is no limit set on that permission, so MS can change the license terms using that paragraph at any time for any future product.
"So, the license RMS is ranting about doesn't apply"
Yes it does (Published 23rd June 2004):
http://www.microsoft.com/mscorp/twc/privacy/spa
"If you are a software developer and are interested in implementing this specification in software, please review the terms of the Caller ID for E-Mail Implementation License before you begin, as the patent license discusses the rights that Microsoft would grant you or your organization."
They *should* have called it "Freedom Software" rather than hijacking the word free and beating everyone over the head with insane "free as in..." rants when people are rightly confused.
Sure, it's big with Exchange in corporate enterprises and in the client arena with Outlook & Outlook express.
But sendmail running on some UNIX-type server provides the majority of backbone email routing, especially at ISP level, and DNS is invariably done with BIND on other UNIX boxes. This does not strike me as an area that MS have much capability of muscling in on with a proprietary protocol.
Or am I missing something here?
Gentoo Linux - another day, another USE flag.
From: Ted Hardie
Subject: Regarding the recent licensing thread
To: ietf-mxcomp@imc.org
Date: Mon, 19 Jul 2004 11:27:41 -0700
Some points on the recent licensing postings:
1) This discussion has been unprofessional in the extreme. Contributors to this working group have been accused of failing in a duty they did perform, and that is rude and unproductive. The Microsoft IPR filing related to callerid was posted with their first ID, which is exactly what is required. Those who have been waiting for such a statement either don't understand the process or have not been paying attention, and their acting offended about things now carries no weight. A refresh with the new name and some details on coverage is warranted for clarity before the documents go to the RFC editor, but that is a paper trail issue, not substantive.
2) The IETF is an engineering body, and it makes engineering decisions. It cares about licensing only as it affects the ability to implement and deploy a standard. Religious opinions on the sanctity of specific license texts belong elsewhere. The sudden appearance of this as a separate topic without reference to the engineering choices misses the point of how the IETF makes these calls: in the context of the engineering decisions. Comments based solely on the licensing terms without regard to the engineering choices they affect *do not speak to the question working groups need to decide*. The sudden appearance of new working group participants after postings inviting them to comment is welcome *if they contribute to the engineering discussion*. But if you are here to comment on licensing outside of the engineering context, you are wasting your electrons.
3) The IETF has published standards with defensive patents many times, and the use of a reciprocal/royalty free license is a common way for contributors to protect themselves from later claims while still encouraging the creation of an interoperable, open standard. Trying to persuade the working group that something is outside the norm when the IETF IPR page is full of contrary examples insults the intelligence of the group, as well as insulting the contributors who are providing a royalty free license.
4) Armchair lawyers often assume things about patents and licensing which aren't true. Get a real lawyer to read things you're concerned about and have them talk to the contributor's lawyers about things that concern you. The creation of a licensed "libipr" called by other applications may be all it takes to have licenses with severe restrictions co-exist with royalty free/reciprocal licenses; this isn't something you can assume one way or the other. You really have to have professionals check. And when you find things that concern you, be aware that this license isn't responsible for ways you may already have bound yourself; if you signed an agreement with HP Lovecraft that said "I will only acknowledge Chthulhu in my code", don't blame Microsoft for requiring an IPR notice. Take it up with the Elder Gods.
5) Generic rants about patents belong on your national I-hate-the-patent-office list. Rants about the IETF's standing decision *against* requiring a specific license or class of licenses belong on the IPR list, but are very likely to be redundant to arguments already made. Read the archives.
New drafts are now out, waiting for careful review. I urge the working group to review them carefully and to focus on how they can be interpreted, coded, and deployed. We have a lot of work to do.
Ted Hardie
Yes! Someone HAS created such a web page. See: http://www.technoids.org/maridterms.html
SPF support for most open source mail servers can be found at libspf2.
I think we need to take a look at where forged sender spam comes from before we are willing to consider trying to detect forgery as a means to detect a message as being spam. In the past, small time spammers did forgery to avoid flooding their one mailbox. Now days, bigger spammers have domain names (often thousands of them) and don't have to worry about that issue. But there are still spammers doing forgery. Most of these using the infected zombie machines on insecure home computers often connected 24x7 via "always on" DSL or Cable.
If the providers hosting these users would:
- block outbound port 25 from these users (with certain exceptions)
- require SMTP AUTH to log in to their provided mail server
- rate limit mail sent through that mail server (for example no more than 30 messages per hour)
then this would go a long way to defeat the utilization of these infected machines as a spamming tool.I mentioned an exception to the port 25 blocking. They should simply allow port 25 for anyone who mentions certain keywords indicating they need it. While there is some spamming that originates at the DSL or Cable user, that doesn't account for much right now. So sure, someone intent on spamming can call in to customer support and ask "please enable SMTP for my access account". But they would be fewer in number than those who ask the same because they just want to run their own home mail server without having to forward through the ISP's mail server. And one simple way to do this is to ship DSL/Cable modems with SMTP access disabled except for the provider mail servers. And manufacturers could do that if providers would set up private IP addresses to access their mail servers (so by default SMTP would be allowed to 10.0.0.0/8, 172.16.0.0/12, 169.254.0.0/16 and 192.168.0.0/16). Someone who wanted to run their own mail server could simple change the settings. The average user who lets machines become infected would know nothing about it.
Like anything else, this isn't a solution to spam. But it is a viable alternative to forgery detection in terms of catching most of the spam from most of the sources being used by the spammers that do use sender address forgery.
now we need to go OSS in diesel cars
"1) This discussion has been unprofessional in the extreme. "
Get a thicker skin.
"2) The IETF is an engineering body, and it makes engineering decisions. It cares about licensing only as it affects the ability to implement and deploy a standard. "
The wording requires you get a license from Microsoft and that any future products require a license too. So clearly this problem comes under the "ability to implement" part of the sentence.
3) There is no such thing as a 'defensive' patent. Ted cannot see into the mind of Microsoft and determine their intent is to only use it for defence. Therefore he cannot make this statement with any substance behind it.
4) Non substantial argument. The license is very clear, show me a lawyer that says otherwise.
5) Agreed.
"New drafts are now out, waiting for careful review. I urge the working group to review them carefully and to focus on how they can be interpreted, coded, and deployed. We have a lot of work to do. "
Oh boy, we have a spec that has issues XYZ,
he's telling them to look at X and only X. i.e. to ignore Y & Z and make a decision based on only part of the information.
If you don't like being infected with the GPL, you're perfectly free to reinvent the wheel and rewrite whatever GPLed code you were thinking of using. Or contact the author and cut a deal.
If GPLed code were truely "free", this wouldn't be necessary.
Well yes, the GPL does deprive us of that most vital and precious of our freedoms - the freedom to use other people's hard work in order to make unfree software that deprives those foolish enough to use it of their freedom.
It was a dark day for freedom indeed when RMS invented the GPL.
If Microsoft were the only company to implement this protocol, it would be more effective than they ever dreamed:
Microsoft should be congratulated, not censured, for coming up with such a scheme to help edge detection of spam.