Slashdot Mirror


User: RupW

RupW's activity in the archive.

Stories: 0 · Comments: 361

Comments · 361

  1. Re:Fingerprints on IRS Employees Fall For Hackers · · Score: 1

    Second, how do you ssh in?

    Certificate-based login. You could protect the cert with a hash from the biometric result or something.

    Web browser based interfaces.

    Again, SSL client certificates.

  2. Re:15 ways c/c++ is better than VB on Microsoft Remains Firm On Ending VB6 Support · · Score: 1

    I'm no expert, and oliverthered's already addressed most of this, so I'll just pull a few points out:

    6. UNICODE strings only: there's nothing wrong with that. Remember that the NT kernel is UNICODE-native. Step into any of the system's MBCS calls (except maybe not the lstrxxxA ones) and you'll see it convert your string to UNICODE and then call the UNICODE API. Keeping all your strings as UNICODE internally may save a few bytes memory overhead but you're adding memory and conversion overhead with every call.

    And even if you're programming Windows in C++ you *should* be using UNICODE so everything just works internationally. Even if you're not writing a GUI - remember the filesystem is UNICODE based too.

    10. Runtime not bundled with OSes: no - if this isn't mentioned in the article then it is on MS's site: the VB6 runtime comes with XP. That's relevant here because it means the runtime has XP's support life not VB6's. I'd be very surprised if the runtime wasn't in a default install of Windows 2000 too.

  3. Re:I feel bad now on Clash of the GPL and Other IP Agreements? · · Score: 1

    The employer is aware of it and I have a verbal agreement to do so.

    So go back to them and ask (nicely!) for a written agreement, disclaiming their interest in the project. The FSF insist you do this if you want to contribute to GNU projects like GCC, binutils, etc.

  4. Re:That's not how the law works on Clash of the GPL and Other IP Agreements? · · Score: 1

    That overrides the label's ownership, right?

    No, you don't have rights to the original content, but under the same laws that let Red Hat et al copyright their ISOs full of GPL works you could probably copyright the encoding - just not do anything with it without the label's permission.

    There are two issues here: does the company get the original GPL code (I'd say no) and does the company get the OP's changes to the GPL code (I'd say yes).

  5. Re:That's not how the law works on Clash of the GPL and Other IP Agreements? · · Score: 1

    This makes no sense at all. The work he added IS inherently derivative of the GPL when he starts with GPL code. That's what derivative means.

    It depends exactly how he derived. If he just linked a few new files to it then I don't see how that is.

    As I just posted above (accidentally as an AC, bah) he's still the owner of the changes from a copyright point of view and free to relicence them as he sees fit. The GPL FAQ mentions that you *can* separate public domain code from GPL code and use it as public domain which seems applicable here - after all, he has full rights to his own code c.f. public domain. The FAQ also says you can release your own code both GPL and not free.

  6. Re:The company's copyrights on Clash of the GPL and Other IP Agreements? · · Score: 1

    But the original clearly stated, 'but the parts from the above sources were integral pieces and without them, my code wouldn't work'.

    That could mean anything, though - from "my program relies on function foo from library bar", which clearly is separable, down to "I took their loop and added a dozen lines of new logic", which maybe isn't.

  7. Re:We Are Not Lawyers on Clash of the GPL and Other IP Agreements? · · Score: 1

    Even if we were, we could not give useful advice without full details.

    Who said he wanted legal advice? There are plenty of other routes out of this - subterfuge, extortion, blackmail :-)

  8. Re:That's not how the law works on Clash of the GPL and Other IP Agreements? · · Score: 2, Informative

    If your code is a derivative of GPLed code, then the derivative is under the GPL, regardless of any other agreements.

    OK, but any work he added isn't. The summary reads as if his code should be protected because it was linked to GPL code? As I read it (IANAL) they *do* have rights to all the code he wrote, whether it came into the building with other GPL code or not, but not the ActiveState/IBM portions of the code.

    Let's assume he linked MyNewFile.c with GPLFile.c to make MyApp which he distributed under the GPL. He remains the original author of MyNewFile.c so he's free to relicence it, e.g. he could link it with BSDFile.c and sell the resulting MyCommercialApp without opening the source. The problem is that his IP agreement with his company gives them rights to MyNewFile.c when he brought it into the building - realistically the verbal agreement isn't going to stand up.

    So they do have rights to DayJob.c and MyNewFile.c, and can patent them, but not GPLFile.c. If MyApp is already out there in the world as GPL then they likely won't be able to stop it or enforce patents on it since the OP was the legit owner of the code when it was released; however, if MyNewFile.c was *never* previously released then they probably now can stop him distributing it independently because he's no longer free to call it GPL without their permission.

    Even if he didn't add any new files, just added some new lines to an existing GPL file, I imagine this still stands: once you've ripped out the original GPLed lines then the company own the rest.

  9. Re:Redmond, start your photocopiers! on IE7 Details Emerge · · Score: 1

    Why in the hell do you need an RSS aggregator in your web browser?

    IE already supports scheduled downloads and pages to watch - it's just a logical extension of that, I guess. Integration would also let you grab RSS links from pages very easily.

    Remember MS is now well on the RSS bandwagon - there are hundreds of employee blogs to give them a more friendly face and they offer feeds for new downloads, security bulletins, developer articles etc.

  10. Re:Um...WTFN? on IE7 Details Emerge · · Score: 1

    If it is a non-IE browser, it requires a round-trip to the server. How crappy is that? Like the people at MS could not write some simple standards compliant JavaScript to check if a freaking field is empty or not before a form post.

    No, they're just being cautious. They can QA ASP.NET against IE. They aren't going to QA ASP.NET against every browser under the sun. If Joe Sixpack gets a script error reading an ASP.NET hosted site, who's he going to blame - the browser or the site? The web dev can't force a new browser on Joe Sixpack - all they can do is complain to MS.

    You can, so I've heard, convince it to serve complex javascript to mozilla and firefox by adding the user agent strings to web.config.

  11. Re:OpenMP? on GCC 4.0 Preview · · Score: 1

    I don't recognise "multipart" so I can't see who you really are, but -

    If you're with GOMP, do you know what Scott Robert Ladd (a.k.a. ChaoticCoyote) is up to? He hasn't been here, or his blog; his website's down and he's been missed on the GCC list a few times.

    Obviously everyone'll wish him all the best if he's moved on but can only hope nothing terrible's happened instead :-/

  12. Re:What is a Buffer Overflow? on Data Execution Protection · · Score: 3, Informative

    It's usually where you've assumed that user input or decoded data won't exceed a certain length, and if the user deliberately enters too much data then they can scribble over the call stack and e.g. change the function return pointer and take control of the program. See Wikipedia.

  13. Re:Stupid on Microsoft to Disable Online Windows Activation · · Score: 2, Informative

    XP stopped asking you to re-activate after hardware changes a long time ago.

    It allows you three changes from a set of ten things it watches, IIRC, details here so you might not have pushed it that far yet.

    It *did* ask me to reactivate when I replaced my motherboard last April - if it's changed since then then I haven't heard about it.

  14. Re:Original Media on Microsoft to Disable Online Windows Activation · · Score: 1

    Have you read what you're answering to?

    Yeah, I read the AC's interpretation of EU law. No, I haven't read the actual EU law statutes. I'd be surprised if it was as simple as that. And I went on to say I think permitting the one-PC-only restriction is fair.

  15. Re:Original Media on Microsoft to Disable Online Windows Activation · · Score: 1

    Rail tickets in the EU are transferrable.

    Oh? The (UK) one I have on my desk says "This ticket is not transferable" on the back.

    I meant particularly things like underground travelcards in London - you're not supposed to be able to buy it, travel for a few hours then sell it to someone else. But I guess it's not enforceably illegal, you see tramps trading in them a lot.

    The one PC thing - I don't know. You get three components without activation, after that you'll have to argue it with MS on the phone. Chances are you'll need a whole new PC by then anyway - changed RAM socket, changed motherboard power supply connector, etc.

  16. Re:Stupid on Microsoft to Disable Online Windows Activation · · Score: 1

    Five minutes on google to start a download for a no-activation ISO, vs. at least that much time per activation?

    OK, I read it ("I replaced") as you reinstalled your OS for the sake of it. I guess you might have meant "when I reinstalled my PC". But activation's never taken me five minutes anyway.

    In all the years MS has been in business they have consistently tried to increase their anti-piracy attempts, therefore it is inconsistent to assume they will suddenly reverse that policy.

    Now you've misread me. I didn't say that at all, I was saying that MS increasing their anti-piracy attempts will be precisely your problem. By the "lock-in argument" I meant that you have to trust MS to continue providing an activation service or your software won't work, along the lines of the usual slashdot argument "I won't use XYZ proprietary file format because I have to trust the vendor if I can't extract all the data myself".

    Furthermore any attempts thus far that MS has made to negate pirated versions have been quickly and easily circumvented, in all releases and service packs of every Windows OS ever released.

    OK, fair enough, I'm up on warez :-p But if you install an official one and it breaks your machine can you install the hacked one over the top to fix it or will you have to reinstall?

  17. Re:It's their right on Microsoft to Disable Online Windows Activation · · Score: 1

    If you have a license for my software I have no "right" to degrade the license you paid for...

    They're not degrading the license. You had to activate it before, you have to activate it now. The activation mechanism's changed, that's all.

    OK, the XP w/SP2 OEM EULA says: "You can activate the Product through the use of the Internet or telephone; toll charges may apply." but (IANAL) that doesn't sound strong enough to mandate Microsoft to provide Internet activation - the EULA's largely what *you* agree to do/not do, not them.

  18. Re:Original Media on Microsoft to Disable Online Windows Activation · · Score: 1

    EU software law requires that no limits be placed on resale of legally acquired software. Not supplying install media is a major limit in my book!

    But the OEM version is licenced for use on that one PC only. You may resell the software by reselling the whole PC but that's it, and no media doesn't limit that case.

    I don't know if that's in tune with the EU laws or not but IMO it's a fair licencing model so it should be - there are plenty of other things that have to be non-transferrable e.g. rail tickets.

  19. Re:Stupid on Microsoft to Disable Online Windows Activation · · Score: 4, Insightful

    I replaced my OEM preinstalled Windows XP with a pirated no-activation copy precisely because I didn't want to go through 'activation' if I change anything or need to reinstall it.

    Why bother? It probably cost you more time replacing the version than you'd ever spend activating.

    The lock-in argument: one day they might stop running the activation service? Sure, but one day they might release a service pack that detects your pirated version and stops it working. So the future isn't certain either way.

    So why bother?

  20. Re:Why shouldn't certification be free? on Free SSL Certificate Project · · Score: 1

    You send www.site2.com before you negotiate a secure connection so it'd be possible for a man-in-the-middle to read it and discover which site you're connecting to.

    And to shore up my original scheme for the obvious man-in-the-middle attack: as part of negotiating the first connection, the client would have to verify that www.site1.com and www.site2.com resolve to the same IP. Otherwise a man-in-the-middle with a valid cert for www.site1.com could intercept everyone's SSL traffic and learn which site they're connecting to before forwarding the connections on.

  21. Re:Why shouldn't certification be free? on Free SSL Certificate Project · · Score: 1

    Client: connect SSL www.site2.com
    Server: hi, I'm www.site2.com
    Client: OK

    why bother with the default?


    Because that way you're leaking information. You send www.site2.com before you negotiate a secure connection so it'd be possible for a man-in-the-middle to read it and discover which site you're connecting to.

    OK, that's no different to the current mechanism - one site per port, they can see which port you're connecting to - but I couldn't bring myself to leave the leak in anyway :-)

  22. Re:how does the average user validate the source? on UK Government Launches Virus Alert Service · · Score: 2, Informative

    any spammer can forge these messages to catch the unwary.

    OK, this is FAQqed but it's a bit harsh to mod the guy down. This is a fair point, and the mechanisms on the site (pre-agreed token sent in plain, verify against non-SSL HTTP) aren't properly secure. Connecting to the site over SSL (https://www.itsafe.gov.uk/) doesn't work.

    They should sign their messages (and use this as an opportunity to explain signing to non-techies?) and host bulletins over SSL.

  23. Re:Why shouldn't certification be free? on Free SSL Certificate Project · · Score: 2, Insightful

    This is the case if you want to use the default HTTPS port (443) since the hostname is encrypted.

    More to the point, the certificate exchange identifying the server happens before you ever get to send the HTTP headers. You can only serve one SSL certificate on each port.

    The protocol could be extended to support this, e.g.:

    Client: connect SSL
    Server: hi, I'm www.site1.com
    Client: OK, that cert checks out, but I wanted www.site2.com
    Server: OK, here's the www.site2.com cert
    Client: OK

    but it doesn't currently.

  24. Re:In theory maybe on Free SSL Certificate Project · · Score: 1

    Generating a certificate/key-pair is trivial. You can do it yourself for free or have a 3rd party do it free or at mild to great expense.

    Uh, just to clear this one up: you *must* generate the key-pair yourself. You want the CA's signature on your public key so you only need send them that. You shouldn't give the private key to anyone else or let them generate one for you.

  25. Re:Separate on Free SSL Certificate Project · · Score: 1

    This is not to say that the signing authority can't be free.

    Why? The CA needs to verify your identity before issuing a cert else it's useless. Carrying out the verification takes time, so they need to pass on the cost of that time - and take a profit.

    Granted once they've verified you once they don't really need to charge you for second and subsequent certs.