I don't know. I suppose it depends on what you mean by "interfered with." Does it mean from the object code's or the user's perspective?
For example, "Yes, there is a spiffy network card. It is an alias for the Loopback Adapter!" or "There is a TV channel like that. Oops, it is all static."
(The above areas seem unwise to try under the GPL3, but there are better ways).
Or how about hiding specific tools behind or inside the hypervisor so that the code can run unaltered but the code doesn't do as much that is interesting. So instead of storing TV shows, it can only essentially script the storage of the TV show; the rest is handled underneath through encrypted connections, DRM, etc. In short, the software is simply not trusted any more than a router on the internet is trusted with your credit card number. No analog hole.
A third option would be to use the hypervisor to actively alert (if possible) the vendor to an unauthorized change of software, the RIAA, the MPAA, etc. Maybe catalog the files on the system and send the BSA a list?
So while it might allow the software to *run*, perhaps even without interference, it might also allow for all manner of other systems, including robust DRM that can coexist with OSS software, interference in personal matters, and plenty of other things.
Nothing in the GPLv3 says that it has to run as well. For example, a non-authorized OS might boot, but not before some hardware is turned off... "Yes, it runs." "Does it do anything interesting?" "Well, I can ping it from the network..."
Ok, that was an extreme example (that might not be permissible), but nothing precludes a new GPL3 Tivo from disabling the TV capture hardware, for example, when an unauthorized OS is detected. At least that is my reading...
It is informative to read the requirements on a quarterly scan.
My reading of this and the audit requirements is that they do not open up the data to review. The scan is more along the lines of a vulnerability scan (from an external viewpoint), and the audit is an audit of your procedures and compliance with your procedures.
Most small businesses don't need to worry about either of these, but as you grow....
You still have to worry about transport. And you have to worry about the security of every component that you transport things through. I generally recommend:
1) Remove, to any extent possible, any questions of transport. Ideally, treat everything as a public network.
2) If you want to store credit card track data for later approval (only storage subsequent to approval is prohibited), think twice or thrice about it. If it is necessary, though, there are compliant ways to do this.
3) Review all logs regularly in order to ensure that protected data is not accidentally ending up in the log.
Re:It is too complex! (on PCI Compliance)
I am not qualified to do an external audit but I do provide assistance to smaller businesses which need to do internal reviews, help understand what is required, etc.
The PCI-DSS 1.1 is actually relatively flexible. It is possible to show that valid business needs preclude certain requirements (such as video surveillance of server rooms) and that any possible threats are being dealt with in other ways. See the appendix on compensating controls.
Assuming you have somewhat competent help on security, about 80% of the work is in the area of documentation. You can't just be compliant, you have to document your policies, show that they are in fact compliant, and so forth.
Honestly, I help small convenience stores with PCI-DSS security evaluations (as the equivalent of an internal audit; my goal is to help them reach compliance, not to provide independent verification of such compliance). It is a pain, but not impractical. Most of the requirements are basic industry-standard best practices. Anything that is too overwhelming for the little guy can be dealt with in compensating controls.
The key rules to minimize issues are:
1) Store only what you need. The less you store, the fewer areas of concern you have.
2) Build and maintain secure systems.
3) Establish and defend appropriate security perimeters.
4) Document, document, document.
This isn't rocket science. And quite frankly, 1-3 ought to apply to everyone anyway...
This is an interesting discussion. However, I note (again, IANAL):
Acts that have no legitimate business purpose. In the context of pre-release, preventing comparisons serves a valid business purpose. Engineering samples, beta, etc. may not properly represent the finished product. In general, preventing comparisons should be perfectly valid if there is "consideration", if the customer gets something in return. For example, special access to info and products. It is perfectly valid for a contract to restrict the flow of information. [emphasis mine]

I would agree that such clauses are not clearly prohibited in your list of criteria, but this one is arguable at least by your post. For example, in this case, you are dealing with a large public release, and it is a condition of access to the basic product of the company that they don't publish performance comparisons. In short, your specific examples don't apply to this one.
I do a lot of db work in the FOSS world. I could see some additional arguments for legitimate business interests (truth in marketing) as well as arguments that despite these interests, the contract as generally enforced does not meet them and serves only ends beyond those which are legitimate (preventing questioning of one's own statements, in particular in areas such as performance).
But again, because it is not obviously invalid, how much do you want to spend on it? How many months or years? How many thousands of dollars?
Granted. But that's the difference between linking in 20 libraries "just because" versus one's code actually making use of those 20 libraries.
No. Because *use* is functional and not protected. At least in the US, Canada, and Germany. I don't know about the UK. IANAL, again.
Given that software is functional, and the point of libraries is a repository of functionality, trying to go back to the idea of a "creative" standard seems somewhat humorous.
Actually, I think the whole application of copyright to software is humorous. The idea is that copyrights are supposed to offer incentive for authors to provide works which will eventually become part of the public domain. The current application of copyright to software does not do this. Regardless of the laws involved, the effective term of the copyright of Windows is indefinite because a) when it becomes part of the public domain, no computers will be able to run it and b) when it becomes part of the public domain, only small portions of it (object code, screen output) will be effectively accessible.
Note that the Gates v Bando case in particular was not around when the GPL2 was drafted and hence may have presumed more protection than might be afforded. While this has not been applied in the same way across the circuits of the US, the same principles are usually at work. I.e. there is a difference between an idea and the expression of that idea. The former isn't subject to protection but the latter is.
Working as a software engineer I can tell you that reading other peoples' code, there is a lot of originality in code and a lot of it isn't a good thing;-) Try reading the SQL-Ledger code some time....
Furthermore, screen output may be copyrighted, so it may be possible to have separate programs even running on separate computers which create unauthorized derivative works under certain cases. For example, an argument might be made that programs which add transparency to walls in games might create derivative works regardless of how they are implemented.
But, I guess that comes down to the idea of whether one chose a library "because it was there" vs "because function X is really good at doing what it does, signifying a good bit of creativity/effort in its design".
Or maybe because it fills a useful function? Since when are useful functions subject to copyright as opposed to patent law?
The fact that, in general, optimization of an optimal algorithm is as much a creative as a brute-force approach and that optimizations are the main reason to choose one library over another (beyond one library simply lacking certain functions; with functionality questionably a basis to claim copyright) just makes the whole situation more murky.
Without a doubt. But this doesn't change the fact that the program itself does not include those expressive elements. Even when it is run, nothing precludes one from writing another library which the program would also support.
Right, but the thing is that that's hypothetical. Given the very nature of software, it's possible to fundamentally alter the underlying library of almost any program and maintain the same functionality (although you might violate some patents along the way).
Patents are a very different issue. If you have patents, then none of what I am saying applies to those patent rights:-).
I think a more realistic standard is to recognize just how common the underlying library is in the real world, not to draw on hypotheticals. From that standard, dynamically linking against glibc, which provides a posix-like standard, would be very different to dynamically linking against cube 3d's rendering engine library.
I am not sure. There are many areas which do offer drop-in library replacements without the backing of standards. ODBC, for example. By your argument, if I create a library with the same API as cu
Under a simple copyright scheme, whether I connect 1 user or 500 users to a server, I pay the same amount. Since server software has far fewer sales than client software, the little guy pays more than his fair share for use, while the big guy pays less. I would argue that even with things like site licenses, and the like, the little guy still pays less than he/she might if everyone paid the same amount per copy of the system.
As much as I hate CALs, I think they serve a purpose. Whether or not they are strictly necessary is another question.
Now the cool thing about FOSS is that we can do it on a pure copyright model because we can charge the person who needs the improvements for those improvements, thus avoiding the question above because software development is paid for immediately and not only after the fact.
Back to my original point (IANAL). I suspect a clause in an adhesion contract which says something to the effect that "you may not publish any performance comparisons between our product and others" seems suspect on the surface. Whether or not any of a number of doctrines may be used to attack such a contract provision is not something I can clearly answer myself. However, it does seem likely to me that such a clause could be attacked because (meaning this is the red flag that I see) it seems to restrain a user's behavior beyond ways which are reasonable in a free market, and that the user doesn't really have a choice in the matter. Again, it seems that in such a situation *some* sort of attack should be possible.
Again, this means going to court in order to publish your benchmark. It means going up against Oracle's attorneys, who may know that although they might lose on merits alone, they may be able to slow the process down and force a settlement that leaves the provision intact generally. It means that one might be subject to an injunction preventing you from publishing the comparison during the trial. And it means a lot of money and time down the drain. Which means that nobody is likely to do this just so they can publish a benchmark or performance study.
My own feeling here is that the question of the law probably doesn't matter at the moment. My own (non-law) business rule is that a contract or license means what the other party says it means unless or until it is worth going to court over. Thus a lot of contracts are enforceable not because they have the clout of the *law* on their side but because they have the clout of a *lawyer* on their side.
Under it, copyright law does not apply to resale of copyrighted works. Only the initial sale.
Current US Copyright law preserves the right to install and use software as distinct from copying it. Thus, although it is a contract violation, it is arguably beyond the scope of US copyright law per se to install a single copy of software on multiple computers, possibly by different owners, as long as the medium changes ownership on each sale. (I.e. I install it on my machine, sell you the disk....). EULAs are designed to prevent this problem.
The alternative would be to rescind the First Sale Doctrine.
Otherwise, outside of First Sale and installation issues, I see no reason for EULAs.
BTW, EULAs are entirely distinct from copyright (though they may base some aspects on copyright law) and therefore have a number of interesting qualities:
1) EULAs are not in force prior to installation of the software. If a EULA has a clause which forbids selling component CD's separately, this does not affect a business that does this prior to installing the software. I.e. the EULA terms do not extend to whatever the reseller does with them.
2) EULAs as adhesion contracts would probably be held to a higher standard than negotiated contracts and may be (not aware of any case testing this yet) barred from regulating any behavior beyond what a customer would ordinarily expect. This is one of my major reasons for thinking that the Oracle no-benchmark clause may be challengeable by someone with sufficient time, money, and inclination (but please consult a lawyer first). We have been seeing similar cases in terms of use contracts recently but these are usually related to consumers.
Ok. IANAL, of course. Read the following sections:
1) Source code, definition of "Corresponding Source"
2) Section 6, opening paragraph, requirement that Corresponding Source as a whole is licensed under the GPL v3.
3) Section 7, first two paragraphs, and final paragraph. These provide that any other software licenses other than the GPL v3 can be removed from any part of the Corresponding Source in the process of conveyance. Furthermore, any license exceptions such as a linking exception can be removed from your code by anyone who merely conveys the software.
This leads me to conclude two things:
1) The GPL v3 prohibits linking to any component under any BSD license since one cannot grant permission to remove the BSDL from the code distributed verbatim, and also
2) The GPL v3 allows removal of any linking exceptions one grants by anyone who merely distributes the software and therefore has no copyright control over any part.
I can see how the antitivoization clauses might also be copyright misuse.
IANAL, but I generally agree with your assessment as far as you take it. But are they as enforceable as negotiated contracts? Are they subject to doctrines of adhesion? Are they more limited than might appear in your discussion?
For example, if I negotiate a contract with you and it has an arbitration clause which we both agree to, is that different from an adhesion contract relating to a service or product where there is no possibility of negotiation?
I believe that there are good economic reasons in a proprietary software development company to use software licensing. The big issue is this: Software development is expensive. In order to recoup costs associated, one must find some way to spread the cost around.
When you publish books, the publication is restricted to those who have appropriate copyright permissions. These can then charge enough to compensate the author for the cost of writing, but not so much as to remove the books from the market. The balance depends on the market (the smaller the market, the higher the costs-- I have some linguistics books which were nearly $100 for a paperback and no, they were not rare books).
Similarly, when you publish software, it is desirable to be able to distribute the software in such a way as to distribute the cost of development among the users in a fair and equitable way. Software licensing accomplishes this. However, it also means that, like writing books, there is a substantial risk that the work done will never be financially recouped.
Please note, I am a FOSS advocate of the highest degree. I think that FOSS has a large number of benefits and allows for a more efficient, less risky, etc. software development model. However, my understanding of such is based on the economic function which software licenses have generally served. Note also that FOSS generally replaces software license restrictions with service contract restrictions so one may not always be "Free" if one requires support by outside entities.
IANAL, but you may want to look up "contract of adhesion" in a law dictionary and do some reading into questions of how it impacts consumer product law.
Secondly, the actual laws on the books (in the US at least) seem to make an exception relating to infringement for the purpose of installing software, so there seems to be no indication that the issue is one of copyright infringement at all.
No. Derivative works include not only transformations of an existing work but also "sequels" to a work. Look, for example, at The Wind Done Gone and the struggle against the copyright holder of Gone With the Wind. Now, you might think that this is stupid, but commercial ventures are given a lot less leeway to further "develop" an existing work. And using the excuse that "it was designed precisely to be developed by others" doesn't work as an excuse. Look no further than greeting card companies and their copyrighting (and trademarking) of various characters for sublicensing.

True, but this is a subset of what I was talking about. In the sequel or different perspective case, original elements of a copyrighted work are transformed and included in a new work. This includes storylines, character backgrounds, etc. Similarly, software screen output may be copyrighted and other programs which alter that screen output may create derivative works under some circumstances.
In short, what matters is that creative, expressive content beyond that which is functionally required is transformed and included in significant ways. I do not believe that this impacts dynamic linking.
One of the more understandable tests for determining derivation is called the Gates Test (after a case involving Gates Rubber) and is also called the AFC test. Abstract the works, filter out nonprotected content (including functional ideas), and compare what is left.
You're missing the point. The problem doesn't come into effect because you're using the header file to a library. The problem is that you're linking against the library, and the library is copyrighted. As you point out, the program and the dynamic library become conjoined in the address space, in virtually the same way a static library would be (in fact, for gcc, the difference in compilation is usually as simple as "-shared" vs "-static"). The fact that you don't necessarily provide the dynamic library with your program doesn't sound like a reasonable excuse for the merging of the two separate works. In short, it's legally dubious (consider the pending case of companies trying to sell data to special DVD players to create family-friendly censored films) thanks to the vagueness of copyright law.
They are sufficiently separate that GDB can go through a stack dump of library calls. Note that static linking at least creates an aggregate work which may or may not be subject of additional protections (my guess after research is not, when done after compiling by a linker), but still requires the author's permission to redistribute as a whole.
For linking to imply derivation, you would have to show that your copyrighted, expressive elements of your work ended up in my application. This must go beyond mere functional elements, and merely copying into the same protected memory space (but different address ranges) wouldn't in my view count.
If I hypothetically created a library in assembly with identical function access points, but entirely different internals, and it could be used with the program with no further alterations, then it would seem to me that this would allow the works to be separable from a derivation perspective. If this is the case, at best, you might be able to argue that the protected memory space might be a collected work, but it would not make my program derivative simply because it copies your library into the same protected memory space and uses its ABI to execute portions.
Extending this slightly, if I create a library with an identical API to yours, but different internals, and I use the linker to do the symbol resolution (since symbol resolution would be non-expressive and only function-oriented), it could be loaded into RAM as compatible replacement, this again suggests that the expressive content of your library is not required to run my program and therefore it is not a derivative work. At best you are left with the idea that it is a collected work and this might not even be the case (be
The major thing is that previous versions of the GPL expressly limited copyright term changes to the preparation of derivative works. The GPL v3 provides that additional permissions beyond the scope of the GPL v3 through the mere act of distribution:
"Additional permissions" are terms that supplement the terms of this License by making exceptions from one or more of its conditions. Additional permissions that are applicable to the entire Program shall be treated as though they were included in this License, to the extent that they are valid under applicable law. If additional permissions apply only to part of the Program, that part may be used separately under those permissions, but the entire Program remains governed by this License without regard to the additional permissions.
When you convey a copy of a covered work, you may at your option remove any additional permissions from that copy, or from any part of it. (Additional permissions may be written to require their own removal in certain cases when you modify the work.) You may place additional permissions on material, added by you to a covered work, for which you have or can give appropriate copyright permission.
IANAL, (and I Am an American, so this may only apply to the US) but I have been doing a lot of research into this. One of the better sources I have found is the Eclipse Licensing FAQ because it tends to link to laws and legal analysis unlike the FSF which seems to link to rantings of the way RMS thinks the licenses *should* work in the Republic of GNU.
Copyright law seems to define derivative work as a work which involves the transformation of one copyrighted work into another. For example making a movie out of a book. There are actually fairly well established approaches to analyzing whether a work is in fact derivative. My readings of this subject have lead me to conclude that:
1) Static linking always creates a new copyrighted work which may be either a derivative or a compilation. Either way, redistribution requires copyright license.
2) Dynamic linking by itself is not reason to think that a work is derivative.
3) Dynamically linking add-ons, as well as separate programs, could create derivative works under certain circumstances (though these are unrestricted in the GPL provided that certain distribution requirements are met).
Since I am not a lawyer, understand that this is mostly technical reasoning here. My law understanding may be completely off, or may only apply in limited circumstances or jurisdictions. Hence while this makes for interesting conversation, it is not legal advice.
Copyright only covers expressive elements
Since 1991 (coincidentally the year the GPL v2 was released), the US has used a standard of originality in addressing what is subject to copyright protections, as opposed to a sweat of the brow standard. In this approach mere facts cannot be copyrighted, only expressive content. Hence recipes are generally difficult to copyright (though if the instructions were in iambic pentameter....), as are general lists of other facts.
Dynamic Linking in C
When one creates a dynamic linked application in C, one includes a header file, which usually (if best practices are followed) is simply a list of facts. In the source code, this is done by #include which tells the preprocessor to strip the comments out of the header file and place what is left in the application where it is. While it would certainly be possible to include expressive elements in a header file, I think these would be difficult to show in general.
If you filter out the lists of facts from the header file, if there is nothing significant left, it is not derivative. Note that this does not prevent someone from including lots of expressive material in the header files, but this does not preclude the developer manually copying the function declarations (which are mere facts not subject to protection) into his source file or own headers by hand.
The linker then resolves symbols between the libraries used and the program calling the functions. Again, this is purely functional, and I would find it to be difficult at least to argue that this means that there is a derivative work. Dynamically loaded libraries are kept by the linker in separate address spaces (but the same protected memory segments) than the calling application. Thus they are loosely coupled.
Think about it. Are all Windows programs derivative works of Windows libraries? Could Microsoft literally say "no more versions of Cygwin or MinGW" and use copyright law to force something like this? What about ODBC drivers?
Dynamic linking in Perl
In Perl, the 'use' statement has the effect of loading a Perl module into a separate logical memory space, and allowing function calls to be mapped between these similar to a linker. I would find it difficult to argue that, even given the combination in RAM, issuing a 'use' statement creates a derivative work. Since there are no header files, this actually seems safer in Perl than in C.
What about other add-ons?
In some cases screen output has been seen as copyrighted work. Thus add-ons may violat
Copying it into RAM is allowed by the US Copyright Act, I think, but IANAL.
[I]t is not an infringement for the owner of a copy of a computer program to make or authorize the making of another copy or adaptation of that computer program provided: (1) that such a new copy or adaptation is created as an essential step in the utilization of the computer program in conjunction with a machine and that it is used in no other manner . . ..

The issue is that these appear to be adhesion contracts which have a special set of rules attached. But they are contracts nonetheless and have been upheld as such by several courts, I believe (but again IANAL).
"Should you fail to register any of the evaluation software available through our web pages and continue to use it, be advised that a leather-winged demon of the night will tear itself, shrieking blood and fury, from the endless caverns of the nether world, hurl itself into the darkness with a thirst for blood on its slavering fangs and search the very threads of time for the throbbing of your heartbeat. Just thought you'd want to know that. Alchemy Mindworks accepts no responsibility for any loss, damage or expense caused by leather-winged demons of the night, either."
What am I agreeing to here?
IANAL, but note that there are specific issues with EULAs also as distinct from negotiated contracts. In short, an individual who needs to run Windows is more or less forced to agree to an adhesion contract. There may also be questions of unconscionability, and other issues to consider.
Moral of the story: Consult a lawyer as to whether Alchemy Mindworks is really within their legal right to disclaim damages from leather-winged demons of the night* enforcing their contracts.
IANAL, but Oracle has a solid case, just like Lexmark had a solid case against SCC for slavishly copying the copyrighted software from their toner unit chips. Yet SCC prevailed in a defense of copyright misuse.
Oracle's case amounts to "You agreed to it." The attack on it might relate to questions of contracts of adhesion, procedural unconscionability, competition law, or the like. In short, I think there is a good chance, based on other contracts which have been voided, that with enough time and effort this clause might be vulnerable.
I believe that there are a number of bases relating to consumer contract law and copyright law which could be used to attack the Oracle clause. I have neither the money nor the time for such a fight though, and I would sooner pick a fight with some dual-license vendor over whether linking means derivation (because that equation is closer to my business than anything to do with Oracle).
As for your points regarding the GPL v3, I do agree that there are *serious* concerns that the license might be so far overreaching that it might be unenforceable on the basis of copyright misuse (particularly the implications of section 7 as relates to the Complete Corresponding Source Code). However, I do not see this being a viable method of attacking the GPL v2. One bit of analysis which makes similar claims is a bit of legal analysis mentioned in my latest journal entry (Why I Hesitate....).
The major arguments that I have seen relating to the GPL v2 are:
1) Section 2(b) could be seen as overreaching and pushing the limits of copyright law, laying claim to code that the author has no right to claim. This claim usually fails to mention at all the "mere aggregation" clause which would seem to include any work including the program other than a derivative work.
2) That the GPL is copyright misuse because it attacks the very system that copyright law was set up to protect. I would find this difficult to imagine in a court opinion because of the number of businesses which have successfully used the GPL to protect Thus the courts should not prevent businesses from deviating from standard licensing models just because they are at some point unusual.
Furthermore, the GPL v2 can be read easily as being fairly limited in scope (only those works where sufficient creative content is transferred could be derivative works, and mere dynamic linking would probably not apply). As such, the FSF's FAQ to the contrary, the scope of the effect of the GPL v2 may actually be quite limited. (This is not the case with the GPL v3.)
My most recent journal entry has a bunch of information on the GPL v2 and v3 as it relates to one of my projects.
IANAL, but I think the Oracle studies parts are probably quite challengeable and probably difficult to enforce. The question is, how much money do you want to pay to prove that to a court?
Contract law does change a number of things, but it doesn't cause EULA's to vaporize. They are after all "End User License *Agreements*" where "Agreement" is used to imply a contract relationship.
I would also note that the GPLv3 has dropped all pretenses of being anything other than a contract. It doesn't state that it isn't a contract anymore, and certain clauses go well beyond copyright agreements (i.e. they give some people the right to manage terms of a copyright license independent of any copyrights of their own).
Personally, though IANAL, I think the differences are subtle but not altogether meaningless.
As with my point before, I think that a group of hobbyists collaborating across international boundaries for this sort of thing would almost certainly attract the attention of a lot of governments. I would expect a lot of spies in a project like this eventually.
At the same time, you are right. Rockets (which are restricted) and UAVs are both relatively easy to build. Rockets are somewhat problematic because they are far more weapons-ready than UAVs.
BTW, I don't think that we need a "diplomatic solution" to the War on Terror. I think we need a "diplomatic base for a solution" as a good first step. Unfortunately the Bush Administration seems intent on doing the right things (getting the US troops out of Saudi Arabia) in the wrong ways (invading Iraq) and thus complicating matters.
We should be strong enough to stop worrying about what happens when we leave Iraq and put that in the hands of Iraqis by:
1) Issuing a statement stating that we are guests assisting the Iraqi democratically elected government and that if asked by them to leave, we will do so.
2) Issuing a statement that says that one condition for our cooperation is the expulsion of armed militias other than the Iraqi Army and the Iraqi Police from any official or unofficial government capacity. The Badr Brigades continue to be associated with the government? We leave on the grounds that the Iraqi government did not live up to their obligations.
We should begin high-level negotiations with Iran and Syria. We should negotiate from a position of strength, knowing that they want security guarantees. We can give them such guarantees provided that certain conditions are met.
1) No funding groups that attack civilians inside the Israeli Green Line (we should not support the occupation of Golan, Gaza, or the West Bank nor should we protect Israeli targets there).
2) Guarantees and additional controls preventing the development of nuclear weapons.
3) Pressure would be put on Israel to disarm their nuclear arsenal or face restrictions on military aid.
4) Outstanding ICJ judgements would need to be settled as soon as possible.
5) The conditional security guarantee lasts as long as 1-2 are in force. If they are broken, we no longer extend such a guarantee.
We should immediately look to accelerate the reunification of the Korean peninsula. This means declaring the Korean War officially over, dismantling the DMZ to the extent necessary to put in a rail link, ensuring air passenger service between the two countries, and moving towards reunification. Right-wing think-tanks don't like this because they are afraid a unified Korea would become closely aligned with China.
We should double the bounty on the capture or arrest of any Al Qaeda leader.
What about publishing original research in peer-reviewed journals?
If you analyze designs of NASA, ESA, and Russian cargo and human transport rockets, and offer ideas for the designs of the future, all based on publicly available information?
How about we get better? Let's only look at foreign rocket designs :-) Leave the US ones out of it, and then offer published advice to NASA (and anyone else who can read)....
It is informative to read the requirements on a quarterly scan.
My reading of this and the audit requirements is that they do not open up the data to review. The scan is more along the lines of a vulnerability scan (from an external viewpoint), and the audit is an audit of your procedures and compliance with your procedures.
Most small businesses don't need to worry about either of these, but as you grow....
You still have to worry about transport. And you have to worry about the security of every component that you transport things through. I generally recommend:
1) Remove, to any extent possible, any questions of transport. Ideally, treat everything as a public network.
2) If you want to store credit card track data for later approval (only storage subsequent to approval is prohibited), think twice or thrice about it. If it is necessary, though, there are compliant ways to do this.
3) Review all logs regularly in order to ensure that protected data is not accidentally ending up in the log.
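As an added example (not from the original post), a log review check for point 3: scan log lines for digit runs that look like card numbers (13 to 19 digits that pass the Luhn checksum) and mask them before the log is retained. The log lines are constructed samples; 4111111111111111 and 5500000000000004 are well-known test card numbers, not real accounts.

```python
import re

# Runs of digits optionally separated by single spaces or dashes, which is how
# card numbers tend to be pasted into request bodies and debug output.
_DIGIT_RUN = re.compile(r"\d(?:[ -]?\d)+")

PAN_MIN, PAN_MAX = 13, 19  # length range of card numbers (PANs)


def luhn_ok(digits):
    """Luhn checksum: True if the digit string has a valid check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(line):
    """Return (start, end, digits) for each Luhn-valid PAN-length window.

    Within a digit run the longest valid window is taken first and windows do
    not overlap. Luhn is only a checksum, so roughly one in ten random digit
    windows passes it: treat hits as candidates for review, not proof.
    """
    hits = []
    for m in _DIGIT_RUN.finditer(line):
        run = m.group(0)
        pos = [i for i, c in enumerate(run) if c.isdigit()]  # digit offsets in run
        digits = "".join(run[i] for i in pos)
        i = 0
        while i < len(digits):
            hit = None
            for length in range(min(PAN_MAX, len(digits) - i), PAN_MIN - 1, -1):
                window = digits[i:i + length]
                if luhn_ok(window):
                    start = m.start() + pos[i]
                    end = m.start() + pos[i + length - 1] + 1
                    hit = (start, end, window)
                    break
            if hit:
                hits.append(hit)
                i += len(hit[2])
            else:
                i += 1
    return hits


def mask_line(line):
    """Replace each detected PAN with asterisks, keeping the last four digits."""
    out, last = [], 0
    for start, end, digits in find_pans(line):
        out.append(line[last:start])
        out.append("*" * (len(digits) - 4) + digits[-4:])
        last = end
    out.append(line[last:])
    return "".join(out)


def scan_log(lines):
    """Return (line_number, pan_count, masked_line) for every line holding a PAN."""
    findings = []
    for n, line in enumerate(lines, 1):
        pans = find_pans(line)
        if pans:
            findings.append((n, len(pans), mask_line(line)))
    return findings


# Constructed sample log lines. 4111111111111111 and 5500000000000004 are
# well-known test card numbers; the order id is a non-card 14-digit value.
SAMPLE_LOG = [
    "2007-03-01 12:00:01 INFO order=20070301000123 status=approved",
    "2007-03-01 12:00:02 DEBUG POST /charge body=pan=4111111111111111&exp=1209",
    "2007-03-01 12:00:03 DEBUG retry card='5500 0000 0000 0004' cvv=***",
    "2007-03-01 12:00:04 INFO client=192.168.0.10 session=1700000000",
]

if __name__ == "__main__":
    for n, count, masked in scan_log(SAMPLE_LOG):
        print(f"line {n}: {count} PAN(s) found -> {masked}")
```

Run it over the application and web server logs on a schedule; any hit means a code path is writing card data where it should not, which is the finding the review is meant to surface.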
I am not qualified to do an external audit but I do provide assistance to smaller businesses which need to do internal reviews, help understand what is required, etc.
The PCI-DSS 1.1 is actually relatively flexible. It is possible to show that valid business needs preclude certain requirements (such as video surveillance of server rooms) and that any possible threats are being dealt with in other ways. See the appendix on compensating controls.
Assuming you have somewhat competent help on security, about 80% of the work is in the area of documentation. You can't just be compliant, you have to document your policies, show that they are in fact compliant, and so forth.
Honestly, I help small convenience stores with PCI-DSS security evaluations (as the equivalent of an internal audit-- my goal is to help them reach compliance, not to provide independent verification of such compliance). It is a pain, but not impractical. Most of the requirements are basic industry-standard best practices. Anything that is too overwhelming for the little guy can be dealt with in compensating controls.
The key rules to minimize issues are:
1) Store only what you need. The less you store, the fewer areas of concern you have.
2) Build and maintain secure systems.
3) Establish and defend appropriate security perimeters.
4) Document, document, document.
This isn't rocket science. And quite frankly, 1-3 ought to apply to everyone anyway...
In the context of pre-release, preventing comparisons serves a valid business purpose. Engineering samples, beta, etc. may not properly represent the finished product. In general, preventing comparisons should be perfectly valid if there is "consideration", if the customer gets something in return. For example, special access to info and products. It is perfectly valid for a contract to restrict the flow of information. [emphasis mine]
I would agree that such clauses are not clearly prohibited in your list of criteria, but this one is arguable at least by your post. For example, in this case, you are dealing with a large public release, and it is a condition of access to the basic product of the company that they don't publish performance comparisons. In short your specific examples don't apply to this one.
I do a lot of db work in the FOSS world. I could see some additional arguments for legitimate business interests (truth in marketing) as well as arguments that despite these interests, the contract as generally enforced does not meet them and serves only ends beyond those which are legitimate (preventing questioning of one's own statements in particular in areas such as performance).
But again, because it is not obviously invalid, how much do you want to spend on it? How many months or years? How many thousands of dollars?
Granted. But that's the difference between linking in 20 libraries "just because" versus one's code actually making use of those 20 libraries.
No. Because *use* is functional and not protected. At least in the US, Canada, and Germany. I don't know about the UK. IANAL, again.
Given that software is functional, and the point of libraries is a repository of functionality, trying to go back to the idea of a "creative" standard seems somewhat humorous.
Actually, I think the whole application of copyright to software is humorous. The idea is that copyrights are supposed to offer incentive for authors to provide works which will eventually become part of the public domain. The current application of copyright to software does not do this. Regardless of the laws involved, the effective term of the copyright of Windows is indefinite because
a) when it becomes part of the public domain, no computers will be able to run it and
b) when it becomes part of the public domain, only small portions of it (object code, screen output) will be effectively accessible.
;-) Try reading the SQL-Ledger code some time....
Note that the Gates v Bando case in particular was not around when the GPL2 was drafted and hence may have presumed more protection than might be afforded. While this has not been applied in the same way across the circuits of the US, the same principles are usually at work. I.e. there is a difference between an idea and the expression of that idea. The former isn't subject to protection but the latter is.
Working as a software engineer I can tell you that reading other peoples' code, there is a lot of originality in code and a lot of it isn't a good thing.
Furthermore, screen output may be copyrighted, so it may be possible to have separate programs even running on separate computers which create unauthorized derivative works under certain cases. For example, an argument might be made that programs which add transparency to walls in games might create derivative works regardless of how they are implemented.
But, I guess that comes down to the idea of whether one chose a library "because it was there" vs "because function X is really good at doing what it does, signifying a good bit of creativity/effort in its design".
Or maybe because it fills a useful function? Since when are useful functions subject to copyright as opposed to patent law?
The fact that, in general, optimization of an optimal algorithm is as much a creative as a brute-force approach and that optimizations are the main reason to choose one library over another (beyond one library simply lacking certain functions; with functionality questionably a basis to claim copyright) just makes the whole situation more murky.
Without a doubt. But this doesn't change the fact that the program itself does not include those expressive elements. Even when it is run, nothing precludes one from writing another library which the program would also support.
Right, but the thing is that that's hypothetical. Given the very nature of software, it's possible to fundamentally alter the underlying library of almost any program and maintain the same functionality (although you might violate some patents along the way).
Patents are a very different issue. If you have patents, then none of what I am saying applies to those patent rights :-).
I think a more realistic standard is to recognize just how common the underlying library is in the real world, not to draw on hypotheticals. From that standard, dynamically linking against glibc, which provides a posix-like standard, would be very different to dynamically linking against cube 3d's rendering engine library.
I am not sure. There are many areas which do offer drop-in library replacements without the backing of standards. ODBC, for example. By your argument, if I create a library with the same API as cu
Good point.
But here is a counter-point.
Under a simple copyright scheme, whether I connect 1 user or 500 users to a server, I pay the same amount. Since server software has far fewer sales than client software, the little guy pays more than his fair share for use, while the big guy pays less. I would argue that even with things like site licenses, and the like, the little guy still pays less than he/she might if everyone paid the same amount per copy of the system.
As much as I hate CALs, I think they serve a purpose. Whether or not they are strictly necessary is another question.
Now the cool thing about FOSS is that we can do it on a pure copyright model because we can charge the person who needs the improvements for those improvements, thus avoiding the question above because software development is paid for immediately and not only after the fact.
Back to my original point (IANAL). I suspect a clause in an adhesion contract which says something to the effect that "you may not publish any performance comparisons between our product and others" seems suspect on the surface. Whether or not any of a number of doctrines may be used to attack such a contract provision is not something I can clearly answer myself. However, it does seem likely to me that such a clause could be attacked because (meaning this is the red flag that I see) it seems to restrain a user's behavior beyond ways which are reasonable in a free market, and that the user doesn't really have a choice in the matter. Again, it seems that in such a situation *some* sort of attack should be possible.
Again, this means going to court in order to publish your benchmark. It means going up against Oracle's attorneys, who may know that although they might lose on merits alone, they may be able to slow the process down and force a settlement that leaves the provision intact generally. It means that one might be subject to an injunction preventing you from publishing the comparison during the trial. And it means a lot of money and time down the drain. Which means that nobody is likely to do this just so they can publish a benchmark or performance study.
My own feeling here is that the question of the law probably doesn't matter at the moment. My own (non-law) business rule is that a contract or license means what the other party says it means unless or until it is worth going to court over. Thus a lot of contracts are enforceable not because they have the clout of the *law* on their side but because they have the clout of a *lawyer* on their side.
The problem is this (IANAL):
You have the "First Sale Doctrine."
Under it, copyright law does not apply to resale of copyrighted works. Only the initial sale.
Current US Copyright law preserves the right to install and use software as distinct from copying it. Thus, although it is a contract violation, it is arguably beyond the scope of US copyright law per se to install a single copy of software on multiple computers, possibly by different owners, as long as the medium changes ownership on each sale. (I.e. I install it on my machine, sell you the disk....). EULAs are designed to prevent this problem.
The alternative would be to rescind the First Sale Doctrine.
Otherwise, outside of First Sale and installation issues, I see no reason for EULAs.
BTW, EULAs are entirely distinct from copyright (though they may base some aspects on copyright law) and therefore have a number of interesting qualities:
1) EULAs are not in force prior to installation of the software. If a EULA has a clause which forbids selling component CDs separately, this does not affect a business that does this prior to installing the software. I.e. the EULA terms do not extend to whatever the reseller does with them.
2) EULAs as adhesion contracts would probably be held to a higher standard than negotiated contracts and may be (not aware of any case testing this yet) barred from regulating any behavior beyond what a customer would ordinarily expect. This is one of my major reasons for thinking that the Oracle no-benchmark clause may be challengeable by someone with sufficient time, money, and inclination (but please consult a lawyer first). We have been seeing similar cases in terms of use contracts recently but these are usually related to consumers.
At least me know that the Alchemy Mindworks EULA does not appear to be a derivative work of D&D ;-)
IANAL, of course....
Ok. IANAL, of course. Read the following sections:
1) Source code, definition of "Corresponding Source"
2) Section 6, opening paragraph, requirement that Corresponding Source as a whole is licensed under the GPL v3.
3) Section 7, first two paragraphs, and final paragraph. These provide that any other software licenses other than the GPL v3 can be removed from any part of the Corresponding Source in the process of conveyance. Furthermore, any license exceptions such as a linking exception can be removed from your code by anyone who merely conveys the software.
This leads me to conclude two things:
1) The GPL v3 prohibits linking to any component under any BSD license since one cannot grant permission to remove the BSDL from the code distributed verbatim and also
2) The GPL v3 allows removal of any linking exceptions one grants by anyone who merely distributes the software and therefore has no copyright control over any part.
I can see how the antitivoization clauses might also be copyright misuse.
IANAL, but I generally agree with your assessment as far as you take it. But are they as enforceable as negotiated contracts? Are they subject to doctrines of adhesion? Are they more limited than might appear in your discussion?
For example, if I negotiate a contract with you and it has an arbitration clause which we both agree to, is that different than an adhesion contract relating to a service or product where there is no possibility of negotiation?
I believe that there are good economic reasons in a proprietary software development company to use software licensing. The big issue is this: Software development is expensive. In order to recoup costs associated, one must find some way to spread the cost around.
When you publish books, the publication is restricted to those who have appropriate copyright permissions. These can then charge enough to compensate the author for the cost of writing, but not so much as to remove the books from the market. The balance depends on the market (the smaller the market, the higher the costs-- I have some linguistics books which were nearly $100 for a paperback and no, they were not rare books).
Similarly, when you publish software, it is desirable to be able to distribute the software in such a way as to distribute the cost of development among the users in a fair and equitable way. Software licensing accomplishes this. However, it also means that, like writing books, there is a substantial risk that the work done will never be financially recouped.
Please note, I am a FOSS advocate of the highest degree. I think that FOSS has a large number of benefits and allows for a more efficient, less risky, etc. software development model. However, my understanding of such is based on the economic function which software licenses have generally served. Note also that FOSS generally replaces software license restrictions with service contract restrictions so one may not always be "Free" if one requires support by outside entities.
IANAL, but you may want to look up "contract of adhesion" in a law dictionary and do some reading into questions of how it impacts consumer product law.
Secondly, the actual laws on the books (in the US at least) seem to make an exception relating to infringement for the purpose of installing software, so there seems to be no indication that the issue is one of copyright infringement at all.
No. Derivative works include not only transformations of an existing work but also "sequels" to a work. Look, for example, at The Wind Done Gone and the struggle against the copyright holder of Gone With the Wind. Now, you might think that this is stupid, but commercial ventures are given a lot less leeway to further "develop" an existing work. And using the excuse that "it was designed precisely to be developed by others" doesn't work as an excuse. Look no further than greeting card companies and their copyrighting (and trademarking) of various characters for sublicensing.
True, but this is a subset of what I was talking about. In the sequel or different perspective case, original elements of a copyrighted work are transformed and included in a new work. This includes storylines, character backgrounds, etc. Similarly, software screen output may be copyrighted and other programs which alter that screen output may create derivative works under some circumstances.
In short, what matters is that creative, expressive content beyond that which is functionally required is transformed and included in significant ways. I do not believe that this impacts dynamic linking.
One of the more understandable tests for determining derivation is called the Gates Test (after a case involving Gates Rubber) and is also called the AFC test. Abstract the works, filter out nonprotected content (including functional ideas), and compare what is left.
You're missing the point. The problem doesn't come into effect because you're using the header file to a library. The problem is that you're linking against the library, and the library is copyrighted. As you point out, the program and the dynamic library become conjoined in the address space, in virtually the same way a static library would be (in fact, for gcc, the difference in compilation is usually as simple as "-shared" vs "-static"). The fact that you don't necessarily provide the dynamic library with your program doesn't sound like a reasonable excuse for the merging of the two separate works. In short, it's legally dubious (consider the pending case of companies trying to sell data to special DVD players to create family-friendly censored films) thanks to the vagueness of copyright law.
They are sufficiently separate that GDB can go through a stack dump of library calls. Note that static linking at least creates an aggregate work which may or may not be subject of additional protections (my guess after research is not, when done after compiling by a linker), but still requires the author's permission to redistribute as a whole.
For linking to imply derivation, you would have to show that your copyrighted, expressive elements of your work ended up in my application. This must go beyond mere functional elements, and merely copying into the same protected memory space (but different address ranges) wouldn't in my view count.
If I hypothetically created a library in assembly with identical function access points, but entirely different internals, and it could be used with the program with no further alterations, then it would seem to me that this would allow the works to be separable from a derivation perspective. If this is the case, at best, you might be able to argue that the protected memory space might be a collected work but it would not make my program derivative simply because it copies your library into the same protected memory space and uses its ABI to execute portions.
Extending this slightly, if I create a library with an identical API to yours, but different internals, and I use the linker to do the symbol resolution (since symbol resolution would be non-expressive and only function-oriented), it could be loaded into RAM as compatible replacement, this again suggests that the expressive content of your library is not required to run my program and therefore it is not a derivative work. At best you are left with the idea that it is a collected work and this might not even be the case (be
When you convey a copy of a covered work, you may at your option remove any additional permissions from that copy, or from any part of it. (Additional permissions may be written to require their own removal in certain cases when you modify the work.) You may place additional permissions on material, added by you to a covered work, for which you have or can give appropriate copyright permission.
IANAL, (and I Am an American, so this may only apply to the US) but I have been doing a lot of research into this. One of the better sources I have found is the Eclipse Licensing FAQ because it tends to link to laws and legal analysis unlike the FSF which seems to link to rantings of the way RMS thinks the licenses *should* work in the Republic of GNU.
Copyright law seems to define derivative work as a work which involves the transformation of one copyrighted work into another. For example making a movie out of a book. There are actually fairly well established approaches to analyzing whether a work is in fact derivative. My readings of this subject have led me to conclude that:
1) Static linking always creates a new copyrighted work which may be either a derivative or a compilation. Either way, redistribution requires copyright license.
2) Dynamic linking by itself is not reason to think that a work is derivative.
3) Dynamically linking add-ons, as well as separate programs could create derivative works under certain circumstances (though these are unrestricted in the GPL provided that certain distribution requirements are met).
Since I am not a lawyer, understand that this is mostly technical reasoning here. My law understanding may be completely off, or may only apply in limited circumstances or jurisdictions. Hence while this makes for interesting conversation, it is not legal advice.
Copyright only covers expressive elements
Since 1991 (coincidentally the year the GPL v2 was released), the US has used a standard of originality in addressing what is subject to copyright protections, as opposed to a sweat of the brow standard. In this approach mere facts cannot be copyrighted, only expressive content. Hence recipes are generally difficult to copyright (though if the instructions were in iambic pentameter....), as are general lists of other facts.
Dynamic Linking in C
When one creates a dynamic linked application in C, one includes a header file, which usually (if best practices are followed) is simply a list of facts. In the source code, this is done by #include which tells the preprocessor to strip the comments out of the header file and place what is left in the application where it is. While it would certainly be possible to include expressive elements in a header file, I think these would be difficult to show in general.
If you filter out the lists of facts from the header file, if there is nothing significant left, it is not derivative. Note that this does not prevent someone from including lots of expressive material in the header files, but this does not preclude the developer manually copying the function declarations (which are mere facts not subject to protection) into his source file or own headers by hand.
The linker then resolves symbols between the libraries used and the program calling the functions. Again, this is purely functional, and I would find it to be difficult at least to argue that this means that there is a derivative work. Dynamically loaded libraries are kept by the linker in separate address spaces (but the same protected memory segments) than the calling application. Thus they are loosely coupled.
Think about it. Are all Windows programs derivative works of Windows libraries? Could Microsoft literally say "no more versions of Cygwin or MinGW" and use copyright law to force something like this? What about ODBC drivers?
Dynamic linking in Perl
In Perl, the 'use' statement has an effect of loading a Perl module into a separate logical memory space, and allowing function calls to be mapped between these similar to a linker. I would find it difficult to argue that, even given the combination in RAM, that issuing a 'use' statement creates a derivative work. Since there are no header files, this actually seems safer in Perl than in C.
What about other add-ons?
In some cases screen output has been seen as copyrighted work. Thus add-ons may violat
of another copy or adaptation of that computer program provided: (1) that such a new copy or adaptation is created as an essential step in the utilization of the computer program in conjunction with a machine and that it is used in no other manner . . .
From one EULA:
"Should you fail to register any of the evaluation software available through our web pages and continue to use it, be advised that a leather-winged demon of the night will tear itself, shrieking blood and fury, from the endless caverns of the nether world, hurl itself into the darkness with a thirst for blood on its slavering fangs and search the very threads of time for the throbbing of your heartbeat. Just thought you'd want to know that. Alchemy Mindworks accepts no responsibility for any loss, damage or expense caused by leather-winged demons of the night, either."
What am I agreeing to here?
IANAL, but note that there are specific issues with EULAs also as distinct from negotiated contracts. In short, an individual who needs to run Windows is more or less forced to agree to an adhesion contract. There may also be questions of unconscionability, and other issues to consider.
Moral of the story: Consult a lawyer as to whether Alchemy Mindworks is really within their legal right to disclaim damages from leather-winged demons of the night* enforcing their contracts.
* Are these meant to refer to BSA agents?
IANAL, but Oracle has a solid case, just like Lexmark had a solid case against SCC for slavishly copying the copyrighted software from their toner unit chips. Yet SCC prevailed in a defense of copyright misuse.
Oracle's case amounts to "You agreed to it." The attack on it might relate to questions of contracts of adhesion, procedural unconscionability, competition law, or the like. In short, I think there is a good chance based on other contracts which have been voided that with enough time and effort, this clause might be vulnerable.
I believe that there are a number of bases relating to consumer contract law and copyright law which could be used to attack the Oracle clause. I have neither the money nor the time for such a fight though, and I would sooner pick a fight with some dual-license vendor over whether linking means derivation (because that equation is closer to my business than anything to do with Oracle).
As for your points regarding the GPL v3, I do agree that there are *serious* concerns that the license might be so far overreaching that it might be unenforceable on the basis of copyright misuse (particularly the implications of section 7 as relates to the Complete Corresponding Source Code). However, I do not see this being a viable method of attacking the GPL v2. One bit of analysis which makes similar claims is a bit of legal analysis mentioned in my latest journal entry (Why I Hesitate....).
The major arguments that I have seen relating to the GPL v2 are:
1) Section 2(b) could be seen as overreaching and pushing the limits of copyright law, laying claim to code that the author has no right to claim. This claim usually fails to mention at all the "mere aggregation" clause which would seem to include any work including the program other than a derivative work.
2) That the GPL is copyright misuse because it attacks the very system that copyright law was set up to protect. I would find this difficult to imagine in a court opinion because of the number of businesses which have successfully used the GPL to protect Thus the courts should not prevent businesses from deviating from standard licensing models just because they are at some point unusual.
Furthermore, the GPL v2 can be read easily as being fairly limited in scope (only those works where sufficient creative content is transferred could be derivative works, and mere dynamic linking would probably not apply. As such, the FSF's faq to the contrary, the scope of the effect of the GPL v2 may actually be quite limited. (This is not the case with the GPL v3.)
My most recent journal entry has a bunch of information on the GPL v2 and v3 as it relates to one of my projects.
IANAL, but I think the Oracle studies parts are probably quite challengeable and probably difficult to enforce. The question is, how much money do you want to pay to prove that to a court?
Contract law does change a number of things, but it doesn't cause EULAs to vaporize. They are after all "End User License *Agreements*" where "Agreement" is used to imply a contract relationship.
I would also note that the GPLv3 has dropped all pretenses of being anything other than a contract. It doesn't state that it isn't a contract anymore, and certain clauses go well beyond copyright agreements (i.e. they give some people the right to manage terms of a copyright license independent of any copyrights of their own).
Personally, though IANAL, I think the differences are subtle but not altogether meaningless.
Agreed with your points. Just noting that the restrictions on use are not entirely gone with all OSS licenses.
As with my point before, I think that a group of hobbyists collaborating across international boundaries for this sort of thing would almost certainly attract the attention of a lot of governments. I would expect a lot of spies in a project like this eventually.
At the same time, you are right. Rockets (which are restricted) and UAVs are both relatively easy to build. Rockets are somewhat problematic because they are far more weapons-ready than UAVs.
BTW, I don't think that we need a "diplomatic solution" to the War on Terror. I think we need a "Diplomatic base for a solution" as a good first step. Unfortunately the Bush Administration seems intent on doing the right things (getting the US Troops out of Saudi Arabia) in the wrong ways (invading Iraq) and thus complicating matters.
We should be strong enough to stop worrying about what happens when we leave Iraq and put that in the hands of Iraqis by:
1) Issuing a statement stating that we are guests assisting the Iraqi democratically elected government and that if asked by them to leave, we will do so.
2) Issuing a statement that says that one condition for our cooperation is the expulsion of armed militias other than the Iraqi Army and the Iraqi Police from any official or unofficial government capacity. The Badr Brigades continue to be associated with the government? We leave on the grounds that the Iraqi government did not live up to their obligations.
We should begin high-level negotiations with Iran and Syria. We should negotiate from a position of strength, knowing that they want security guarantees. We can give them such guarantees provided that certain conditions are met.
1) No funding groups that attack civilians inside the Israeli Green Line (we should not support the occupation of Golan, Gaza, or the West Bank nor should we protect Israeli targets there).
2) Guarantees and additional controls preventing the development of nuclear weapons.
3) Pressure would be put on Israel to disarm their nuclear arsenal or face restrictions on military aid.
4) Outstanding ICJ judgements would need to be settled as soon as possible.
5) The conditional security guarantee lasts as long as 1-2 are in force. If they are broken, we no longer extend such a guarantee.
We should immediately look to accelerate the reunification of the Korean peninsula. This means declaring the Korean War officially over, dismantling the DMZ to the extent necessary to put in a rail link, ensuring air passenger service between the two countries, and moving towards reunification. Right-wing think-tanks don't like this because they are afraid a unified Korea would become closely aligned with China.
We should double the bounty on the capture or arrest of any Al Qaeda leader.
How is that for a start?
What about publishing original research in peer-reviewed journals?
:-) Leave the US ones out of it, and then offer published advice to NASA (and anyone else who can read)....
If you analyze designs of NASA, ESA, and Russian cargo and human transport rockets, and offer ideas for the designs of the future, all based on publicly available information?
How about we get better? Let's only look at foreign rocket designs