Ask Slashdot: "Pseudo-Free" Software in Major Distributions?

PugMajere submitted the following: "I've been looking into using SSH and rdist to distribute around 2 gig worth of data to about 1000 machines nightly. Rdist (v6.1.5) would be perfect for this, as it automatically forks to send data to multiple machines, but it isn't totally free software. The problem is with SSH. To use SSH with rdist you need the server side of SSH on each of the machines that are running the rdist server. The licensing fees for this are simply astronomical for this kind of application. While researching all this I noticed that Red Hat includes rdist (6.1.5) in its distribution. I also now know the rdist license terms. Rdist isn't free to use in a commercial setting if it involves another company. So, if you have two companies running Linux, that are collaborating on some project, and sharing some of the data using Linux and rdist, they owe Magnicomp money. My real question here is: Does anyone else realize this? How many other packages have similar arrangements that are going to cause major headaches in the future?"

Re: Debian does distribute non-free software

While it is true that Debian distinguishes between free and non-free software according to the DFSG, this does not imply that Debian is only distributing free software. Far from it. Three weeks ago I counted 334 non-free packages in potato. If we add the contrib packages that depend on non-free software, say another 150 packages (don't know the exact number), it will be true to say this: Debian distributes about 484 non-free packages. This is contrary to Debian's 'social contract' which begins with the phrase "Debian Will Remain 100% Free Software" (then goes on to explain that 100% free software means free + non-free software! )

Re:rsync not rdist

rsync is more like rcp than rdist. In particular, rsync does not support a configuration file, nor does it support copying files to multiple machines at the same time.

Not so fast...

[Brian+Knotts]

I know that that part makes it sound like you can *use* the software for whatever you like, but...

From the ssh COPYING file:

--------------------------------------------------

(b) You may use the program for non-commercial purposes only, meaning that the program must not be sold commercially as a separate product, as part of a bigger product or project, or otherwise used for financial gain without a separate license. Please see Section 2, Restrictions, for more details.

--------------------------------------------------

And...from the ssh FAQ:

--------------------------------------------------

3.2 May I legally run ssh?

The UNIX version of ssh 1.2.27 may be used freely for non-commercial purposes and may not be sold commercially as a separate product, as part of a bigger product or project, or otherwise used for financial gain without a separate license. The definition of "commercial use" is generally interpreted as using ssh for anything that would generate financial gain, such as logging into a customers system to do administration, or providing ssh as a secure login to your partners or vendors.

In email between Data Fellows and the maintainer, the following questions were asked and answered:

================================================== =============
S: Steve Acheson, FAQ Maintainer
P: Petri Nyman, F-Secure SSH Product Manager for Data Fellows

S)Can a company use the 1.2.26 release of the SSH software freely for
S)internal support and administration without violating the license
S)agreement?

P)You can freely use it for internal support and administration of your own
P)equipment located in your premises.

S)Does connecting from one machine to another via SSH to
S)read email, do work, etc, violate this agreement?

P)No, unless you provide this ability to a third party or connect to a third
P)party's computer to provide a service.

S)Does connecting from a purchased PC client SSH software to a non-licensed
S)SSH server violate the agreement?

P)No.

S)Does connecting to a remote site, that is not company owned, but company
S)administered, via SSH to do administrative work violate the agreement?

P)Yes. You need a commercial license for that.
================================================ ===============

--------------------------------------------------

So, I'd say that it's at least legally questionable if you use ssh to connect to client machines, or vice-versa.

--

Re:Easiest "Ask Slashdot" question yet-use the GPL

[pb]

For those who don't want to see free software become tainted, this is another reason to use the GPL.

However, a decent answer to this question would involve trying to look for a solution, maybe something like SSLrdist would be appropriate. It's based on SSLeay, USC rdist, and stuff from NetBSD. So it looks free to me, and that's a good place to start. Comments?

ssh / sdist

[ninjaz]

You should be using ssh-1.2.27, as it's the most recent 1.2.x version, which doesn't have the noxious licensing terms of ssh 2.x Quoth the license:

(b) Activities other than copying, distribution and modification of the Program are not subject to this License and they are outside its scope. Functional use (running) of the Program is not restricted.

The sdist program it comes with is the secure replacement for rdist (and has no restrictions on Functional use as per the COPYING file in the ssh distribution).

Re:ssh / sdist

[ninjaz]

Not as far as I know.. The latest version at the time of the rootshell incident was 1.2.26, and is detailed here This is the last mention of ssh in this light on bugtraq.

Re:ssh / sdist

[arl+bean]

There is a GPL secure shell called lsh under development. See http://www.net.lut.ac.uk/psst/ I have not tried it and it does currently have the warning

This directory contains snapshots of lsh development. lsh is a free implementation of the ssh protocol.
lsh is far from finished; don't expect these snapshots to compile or work, and even if they appear to work, beware that lsh currently does *NOT* provide any security at all.
/Niels Möller

Re:ssh / sdist

[_Sprocket_]

Check out this link. It talks about the entire "Rootshell Incident", including the IBM team's "findings" and later retraction.

Basically, there was never a verifiable problem with SSH 1.2.26 (the version available when this whole incident took place). The IBM team that suggested a possible exploit (the same warning Rootshell latched on to in attempts to explain their compromise) ended up retracting their claim. However, panic and some politics have made this whole issue unclear.

1.2.27 took care of a hard-to-duplicate issue involving Kerberos support. And, as of right now, I'm not aware of any exploits at all against 1.2.27 (current version in the SSH1 tree).

I'd be glad to hear of any new developments I've missed out on. :)

Re:Rdist is under BSD license

[Bill+Sebok]

6.1.4 is the last version under the BSD licence. I did a diff -r of 6.1.4 vs. 6.1.5 and the only thing changed (besides the licensing) is some comments added with details about running rdist with ssh.

I am a bit perturbed that there was no mention of 6.1.5 or the license change on the rdist developers list. The first I heard of 6.1.5 was some note on the list asking for help with 6.1.5.

"even if the person behind MagniComp is the individual who did the work at USC (one Michael Cooper)" It is the same person. Michael Cooper left USC for Sun. MagniCorp is (I think) his own corporation for stuff he has done that is not concerned with Sun.

If someone wants a copy of rdist 6.1.4 I can send it.

Re: Debian does distribute non-free software

[Phil+Hands]

Hi Bruce,

While you may have written the scripts that were used to build ``bo'' CDs, I think we should probably credit Andreas Jellinghaus, who did an almost total rewrite for ``hamm'' (a.k.a. Debian 2.0).

I then maintained that set of scripts, but there has since been another rewrite by Steve McIntyre (for ``slink'', a.k.a. Debian 2.1), with contributions from a whole bunch of people on debian-cd@lists.debian.org.

Apart from that, you are correct in saying that the Official Debian GNU/Linux CDs contain only software that meets the Debian Free Software Guidelines.

Cheers, Phil.
P.S. rsync ? I think you mean rdist. rsync is GPL. Debian's rdist is rdist-6.1.3 (usc.edu:/pub/rdist) which is BSD.

Alternatives, and some comments

[Bruce+Perens]

Try Omirr, the Online Mirror Daemon, or Rsync. Both are free software.

This would not have happened if you were using Debian, because Debian considers the license of each package for compliance with the The Debian Free Software Guidelines, the document that later became the Open Source Definition.

Thanks

Bruce

Re:Alternatives, and some comments

[Bruce+Perens]

OK, Debian ships the free version in the Debian ships the free version. Maybe if you extract the red hat source package you can tell what version they ship - they don't install license files on their system the way Debian does.

I'm more than a bit wary of a program with two very different licenses on the same site. It sounds as if some left hands don't know what the right ones are doing.

Bruce

Re:Alternatives, and some comments

[Bruce+Perens]

But that's not the BSD license! That's a BSD-license with an addendum that makes it non-free. The "BSD" tag on the .rpm is wrong, and would mislead the customer into believing that adendum was not there!

Gotcha!

Bruce

Re:Alternatives, and some comments

[Bruce+Perens]

It turns out I was right, AC. Apology accepted :-)

Re:Alternatives, and some comments

[Bruce+Perens]

One would think that a license that prohibits your use of the program for commercial gain would get in the way of completing your work. In this case, Debian protected you from that license, allowing you to get your work done. RH, through an innocent oversight no doubt, did not.

Re:Have you looked at libio license?

[Bruce+Perens]

Yes, it's annoying. I'm tempted to put together a LGPL version of libio - I wrote one once for Zortech C++, it took about a week.

Bruce

Re: Debian does distribute non-free software

[Bruce+Perens]

It's not in any current Debian distribution (I ran find on my Debian mirror). If it was in an older distribution, it was probably the BSD-licensed version.

Bruce

Nope, Red Hat version is non-free.

[Bruce+Perens]

I spoke too quickly. Debian ships the free version. Red Hat's version is restricted by an addition to the BSD license that makes it non-free.

Bruce

Re: Debian does distribute non-free software

[Bruce+Perens]

Oops, it's in the Debian netstd package. Debian is shipping a free version. The Red Hat version has an addition to the BSD license that makes it non-free.

Bruce

Re:100% redhat FUD.

[Bruce+Perens]

Nope, sorry. Debian contains an earlier version under an unmodified BSD license. The RH version doesn't allow commercial use.

Bruce

Re:Summary

[Bruce+Perens]

Yeah rdist. It's getting late. Thanks for the verification.

Re: Debian does distribute non-free software

[Bruce+Perens]

OK, I created the scripts (and the concept of the Debian Official CD and its policies). I've no wish to steal credit from people who have re-written them in recent times.

I got rsync and rdist confused in more than one posting. Sorry. Time to go to sleep.

Thanks

Bruce

Re:Older BSD rdist?

[Bruce+Perens]

Nope, it's not that old.

Re:informing redhat...

[Bruce+Perens]

I'm sure they know by now. And I'm sure it wasn't deliberate and they'll fix it right away. OK, RH let one get by and Debian didn't, but I agree it's not RH's policy to let this stuff slip by and they will fix it.

Bruce

Re: Debian does distribute non-free software

[Bruce+Perens]

There's no non-free software on the Debian Official CD. If you want to use the non-free stuff, you have to get a non-free CD from your CD distributor that's separate from the Official CD, or you have to download it. In either case, the words "non-free" are staring you in the face.

The Debian Social Contract was not written to eliminate non-free software from the face of the earth, but to keep it out of Debian's "main" directory. The contrib and non-free directories aren't an official part of Debian.

Bruce

Re: Debian does distribute non-free software

[Bruce+Perens]

I wrote the scripts that master the Debian Official CD set. The ISO 9660 files that are the output of these scripts are distributed to CD manufacturers by Debian. If you want to call it the Official CD, you can replicate the ISO 9600 images that Debian distributes to you, but you can not change them. You can of course distribute other versions of Debian as long as you do not call them official.

The Official CD ISO 9660 images do not contain non-free software. They do contain an old BSD version of rsync.

Bruce

Summary

[Bruce+Perens]

Let's see if I've got this straight. There are three rsync licenses. The license on their web site is seriously non-free. The license in the red hat version has an addendum to the BSD license that doesn't allow for-profit use, so it's non-free as well. The red hat one-line license indicator just says "BSD" and that's wrong. The Debian version is from 1996 and is under the straight BSD, so it's free software.

Bruce

Re:Welcome to $Linux$

[Bruce+Perens]

Everything in Linux is like this. They grab you by telling you everything is free then when you want to do anything necessary to get a big corporatoin running, your forced to fork over big bucks to companies you've never heard of

That, sir, is why we're so "fanatical" about licenses. To protect you from exactly what you described.

Thanks

Bruce

Re: Debian does distribute non-free software

[Bruce+Perens]

I checked. There's really an addendum to the Red Hat version that makes it non-free. Extract the source package and look just before the usual BSD license text.

Re:rsync not rdist

[aqua]

Rsync is GPLed, and a lot more efficient than rdist for most purposes -- the debian ISO mirror process is one good example.

If you do go with rdist-style distribution, check into sdist, which might (I can't recall with any certainty) have a more liberal license than rdist, and uses SSH.

For the SSH portion, there are troubles. Free implementations of ssh are underway (the ssh1 license allows some levels of commercial use, ssh2's is too restrictive to be commercially useful), but taking their time.

Linux & the Pseudo Free Software

[jbgreer]

It's nice to see so many folks chiming in with comments about ssh & rdist replacements; the competition to build a better mousetrap sometimes seems a bit ridiculous, but then you run into a situation like this and you're grateful.
Unfortunately, being able to name a replacement is not the point. The point is that someone out there is not going to know that there is a licensing distinction for some piece of software including on one of the distros and they're going to violate the terms of the license. And they're going to get caught. And they're going to raise a stink. Not that this is a real problem; I think all of the distributions should band together to develop some universal mechanism for informing users when they are installing a "pseudo-commercial" licensed product.
I think that rpm, yast, apt and whatever tools that are used to install packages should be modified to present the license to a user when it varies from the license used by a majority of the distribution. Or that a user should have to read/accept each license in kind.

Re:Have you looked at libio license?

[Jason+Merrill]

The plan is to remove the GCC requirement. The new exception will be

// As a special exception, you may use this file as part of a free software
// library without restriction. Specifically, if other files instantiate
// templates or use macros or inline functions from this file, or you compile
// this file and link it with other files to produce an executable, this
// file does not by itself cause the resulting executable to be covered by
// the GNU General Public License. This exception does not however
// invalidate any other reasons why the executable file might be covered by
// the GNU General Public License.

Re:Have you looked at libio license?

[JoeBuck]

But the LGPL also have problems; it isn't suitable for embedded systems customers, who have, in effect, been paying most of the bills for gcc development (via Cygnus support contracts). Switching libio to the LGPL would not be acceptable to the people that are doing or paying for most of the work.

The current license (GPL with special exception) requires that at least one .o file be compiled with gcc. But the LGPL has many more requirements: the executable must be shipped in linkable form, and there are other requirements as well.

Switching libio to the LGPL will make matters worse for many. Some other solution is needed.

You're wrong on the terms

[hatless]

The license terms look similar to those for MySQL. That is, it's free of charge when a person, company or org puts it on its own machines, regardless of who uses the machines. Payment and/or negotiation are required for redistribution.

As with MySQL, you seem to be welcome to build resale solutions around it without anyone getting paid, so long as your app leaves it to the customer to obtain and install rdist themselves separately.

The terms are weird and tortuous, but they do not seem to require payment for commercial or business-to-business use per se.

Re:Have you looked at libio license?

[msw]

Richard assured me in Paris that all the necessary permissions have been granted for the glibc maintainers to change the libio license to LGPL.

rsync not rdist

[consumer]

You should use rsync instead. It's faster, and support SSH.

Re:rsync not rdist

[__aasmho4525]

hello all. i totally agree. it should be noted that rsync is generally best at being used to "pull" content, where rdist is best at "pushing" it. different paradigm, different design goals. i've found pull to be (arguably) easier to manage in *most* cases; i find it easier to make pull emulate push, but the other way around seems significantly more difficult to achieve. both serve their purposes well. i myself i use rsync wherever possible. it's horribly efficient when synchronizing very large structures of related directory structures around. cheers! Peter

Look at cfengine

[Splork]

cfengine is a GNU project which easily replaces rdist. It uses its own protocol rather than relying on a seperate program (ie: rsh or ssh) to transfer the data. Encrypted transfers are an option in the most recent (v1.5) version.

Check it out at the cfengine home page

Rdist is under BSD license

[jurgen]

I don't know who MagniComp is, but the version of rdist included with RedHat is 6.1.3 from University of Southern California and is distributed under the BSD license.

MagniComp appears to have forked their version off the USC source tree and "hijacked" the license. This is possible with the BSD license, which is why some of us feel that the GPL is better. The However, they definitely can't lay any claim on the version of rdist that comes with RedHat... even if the person behind MagniComp is the individual who did the work at USC (one Michael Cooper), that version had not yet been hijacked, so it's safe.

Re:Rdist is under BSD license

[A+Masquerade]

RedHat 6.0 includes rdist 6.1.5 which is under the Magnicorp license.

The answer is to fork from the last free rdist version and then merge in any relevant bug fixes (you probably need to clean room this so that you aren't accused of just hijacking the Magnicorp version). Could this code fork be transfered to GPL?

BTW RedHat used to use a different rdist. The Michael Cooper version is much superior and we want to stay with that if at all possible. People do need an rdist version - rsync can't do somethings at present (ie script triggers on updates) although modifying rsync in that way is another option.

various things

[cs]

1: Ssh1 is not that expensive, just ssh2.
2: You don't need the server stuff on your 1000
hosts, just on the central one. Just have the
clients pull the files from the server (eg from
a cron job, like we do here).
3: Use rsync instead of rdist - it's much better.

Re:Are software licenses legal?: Revisited.

[Surak]

Unfortunately, yes. The courts have traditionally held that licenses *are* enforceable.

The Berne convention, the basis for most international copyright laws, states that all original works are automatically copyrighted and that the author, unless she specifically waives certain rights by declaring otherwise, is entitled to every protection under the copyright law, including the right to redistribute the work.

Basically, without the license, you have NO right to copy the work or really even to use it, except under "fair use" exemptions. What entails "fair use" is somewhat vague...and depends greatly on the type of work in question.

If software licenses were held to be unenforceable, however, this would be GREATLY *hurt* the free software movement, which actually depends on these licenses. Remember that the GPL, and other similiar licenses are just that: they are software liceneses and they do place restrictions on how software can be copied, modified and distributed. The fact that these restrictions are designed to protect people's rights to redistribute and modify free software is completely irrelevant.

The real question is not whether software licenses are enforceable per se, but whether or not *certain provisions* of these licenses are enforceable, such as restrictions about who and who cannot use a program.

I would say that distribution and copying can be controlled under copyright, but personally I would argue that if someone has *paid* for a license to use a program then that person cannot be denied the right to use the program under fair use, but if someone was *given* a program, but the license does not allow distribution to that particular person (or company) then they *could* be denied the right to use the program.

For a complete discussion by an excellent copyright attorney, you should check out "The Software Developer's Complete Legal Companion" by Thorne D. Harris III (Prima Publishing).

DISCLAIMER: I am not a lawyer, so this represents only a laypersons opinion. You should consult a lawyer if you really need to.

Licenses for everythying!!!

[mwcjr]

One of my favorite comics, an old Fifth Wave I think, has a person paying for software with a check that says that it is presented as is and that it's cashing functionality isn't guarenteed. :-)

Have you looked at libio license?

[poopie]

Basically this means that you can't make commercial software on linux that uses libio unless you use a GNU compiler.

-----------------------

http://www.cygnus.com/pubs/gnupro/4_libs/c_The_G NU_C++_Iostream_Library/libioIntroduction_ to_Iostreams.html

Licensing terms for libio

Since the iostream classes are so fundamental to standard C++, the Free Software Foundation has agreed to a special exception to its
standard license, when you link programs with libio.a.

As a special exception, if you link this library with files compiled with a GNU compiler to produce an executable, this does not cause the
resulting executable to be covered by the GNU General Public License. This exception does not however invalidate any other reasons why
the executable file might be covered by the GNU General Public License.

The code is under the GNU General Public License (version 2) for all purposes other than linking with this library which means that you can
modify and redistribute the code as usual; remember that, if you do, your modifications, and anything you link with the modified code, must
be available to others on the same terms.

Re:Are software licenses legal?: Revisited.

[werdna]

The enforceability of shrink-wrap or non-wrap license agreements certainly remains, at least, an open question. While at least one Circuit Court (the Seventh) has found them to be enforceable, several others have not enforced shrink-wrap provisions for various reasons. Recent District Court cases in other Circuits have characterized the Seventh Circuit position as "the minority view."

In short, I respectfully dissent from the second sentence of the message to which I respond.

I note, with interest, that recent efforts to add a new article 2 to the UCC were directed to precisely this question, which would tend to support OSS non-wrap licenses. It is ironic that these proposals were largely rebuffed without much analysis by the open source community, precisely because the proposals were also supported by IP holders.

It is important to recall that, at least, the Stallman view --which eschews the notion of public domain free software in favor of GNU-like licenses-- depends upon the enforceability of Copyrights and related license agreements.

Open Source Compliance Opinions

[werdna]

In my legal practice, I am more and more frequently asked by clients (one or more a month now) to review ALL licenses of incorporated or embedded open source code and to advise or opine as to the specific obligations arising from the mix of software and the manner in which it the software is mixed with putatively proprietary code.

Unsurprisingly, clients' first question is whether (and if so, how much and how) code must be distributed in open source or at least offered for distribution. They are often surprised that there may be serious questions whether the software can be distbuted at all!

As it turns out, these questions are rarely easy ones to answer, even after assuming that the agreements are all fully enforceable. On the other hand, the failure to perform such an analysis can lead to substantial downsides such as the suggested example.

The SSH Legal Issue

[_Sprocket_]

Before I get going on this, I'd like to begin by stating "I am not a lawyer." My observations are based on application of "common sense" to the documentation included. However, if common sense was infallible when applied to law, the Law profession would be much less lucrative!

With that being said...

Commercial use of SSH generally requires a license. But there are non-commercial allowances in both SSH1 and SSH2. The trouble is what the definition of "non-commercial" includes. SSH2 is very restrictive and pretty much discounts any use of the suite near anything "commercial" in any manner. SSH1 allows for greater leeway:

The file named COPYING that is included in the distribution reads:

Companies are permitted to use this program as long as it is not used for revenue-generating purposes. For example, an Internet service provider is allowed to install this program on their systems and permit clients to use SSH to connect; however, actively distributing SSH to clients for the purpose of providing added value requires separate licensing. Similarly, a consultant may freely install this software on a client's machine for his own use, but if he/she sells the client a system that uses SSH as a component, a separate license is required. If a company includes this program or a derivative work thereof, as part of its product, commercial licensing is required.

The interpretation I get from this is that a Commercial enterprise may use SSH1 as long as it is not a part of a specific service. Administration of local servers is OK. Services that include "Remote secure backups of your systems for pennies a day!" or "Checking accounts now come with secure online banking!" that includes SSH1 as its method of secure communications do not fit in the "non-commercial" license.

Once again, it would be wise to point out that it seems the folks selling SSH later decided against this kind of policy. SSH2's license is much more restrictive and reserves "non-commercial" licensing to personal use and educational use as part of academic research and/or teaching (note: educational institutions don't get to use it for administration).

But you're not out of the legal woods yet. SSH1 uses a whole slew of libraries and intellectual property that adds additional layers of license concerns. Thankfully, most of them are cleared by allowances for use of those properties in SSH1.

Two big concerns that aren't covered include IDEA and RSA. IDEA is easy to get around by not including it in your compile (opting for Blowfish instead). RSA is a tougher issue. You'll have to look at it yourself if you're still trying to figure it out (I luck out with a license granted to the US Government for RSA since a partial Gov't grant helped develop it at MIT).

Are software licenses legal?: Revisited.

[orichter]

This re-raises the issue:

Are software licenses legal or enforcable.
It's one thing when Microsoft has a license which states that by clicking on this button, you sign your soul over to bill, but I never clicked such a button when I installed my Redhat 5.2. Would this make Redhat responsible for license violations. Can you enforce a contract which one side has never even seen? I suspect the ideas of software licenses will have to be revisited by the legislature at some point (Scary thought).