US Copyright law provides no protection against ideas, methods, or functionality. It only protects expression. If I have a copy of your copyrighted work, you would need to have an EULA to protect against any usage of its functionality.
Put more simply, you cannot protect functionality with copyright. An additional contract is required, and this is the entire point of an EULA.
The GPL and LGPL and BSD license and artistic license have no contracts. Each grants the user more rights than those intrinsic to copyright, but each takes away NO rights. There are no intrinsic rights in copyright protecting usage. See US Copyright Law 102b.
In no case does copyright protection for an original work of authorship extend to any idea, procedure, process, system, method of operation, concept, principle, or discovery, regardless of the form in which it is described, explained, illustrated, or embodied in such work.
Furthermore, the license of the GPL explicitly states if a program requires the GPL'd code to produce it's intended results then it is a derived work.
If dynamic linking does not make a program a derived work, then it matters for shiit what the GPL says. No license can apply to something that is not a derivative work of the licensed work.
Everyone needs to keep in mind that copyright does not protect functionality - it only protects expression. Copyright does not protect against reverse engineering. If I code against an API and make my binary, is my program a derivative work of the library providing the API ?? How about if there are multiple programs that could provide the API (such as Lesstif, Motif) ?? Is my program a derivative work of Lesstif when I link to its library, and a derivative work of Motif when I link to its library ?? How can that possibly be the case ?
How about if I use C function calls and change the LD_LIBRARY_PATH ? Does my program's licensing change ??
This is not even so difficult conceptually. APIs are NOT protected by copyright intrinsically - only the expression in the source code is. Inasmuch as library functionality can be legally reverse engineered, and the linking program doesn't need to know who wrote the dynamic link library in order to use it, these are independent in the copyright sense.
If you put a lot of work and time in your program, and all you want is that the program's source code remains available for everybody, and some company disrespect that wish and steals you code without releasing it, would you he happy about that?
This is not about placing GPL code in proprietary closed works.
This is about whether dynamic linking makes something a derived work.
Vidomi is providing source code to all programs that are GPL'd and is dynamically linking to them with their own code.
Does dynamic linking make something a derivative work in the copyright sense ?? I don't think it does.
Likewise, it's kind of obvious that this product pretty much relies on GPL code to be useful. Perhaps it offers some token functionality without the GPL code, but, that functionality is pretty irrelavent. A human can take a look at it, and make a value judgement on the situation.
They provide the source code to the GPL libraries. Anyone can take those for at most a copying fee. So the GPL programs do not form part of their intellectual property on which sales could be based.
This case is clear and simple, and it comes down to the question: If I make a program that dynamically links to another, is my program a derivative work of the linking program ?
Think in terms of component models and independence of components. If all linking programs are derivative works, then there is no intrinsic independence of copyright in computer systems at all. That is the statement upon which the defense will call upon human judgment to question the sanity of the FSF lawyers.
> whether dynamic linking to a library makes something a derivative work in the copyright sense.
I think it does since the libraries header files are used in the subsequent work. The courts will always take into account NON COURT precedent in the absence of previous similar findings and there they would run into the NeXT Object C compiler based on GCC (NeXT backed down, its GPL now!), the QT problem, the absence of linking to GPL libs on Linux/UNIX systems, the intent of the LGPL to specifically permit this (this alone should tell you the intent of the GPL is NOT to permit it)
Companies backing down do not set legal precedent. That is the entire point of backing down.
The QT problem has NEVER been addressed in court. They make the same assumptions RMS does - that dynamic linking makes something a derivative. In fact, I think RMS convinced them of it.
The interface between kernel and application is via an LGPL application and Linus specifically permits binary only drivers in Linux (basically making the header files required to use them effecticely LGPL)
When I create a binary and use system calls, I am dynamically linking to the kernel in exactly the same sense as I am linking to a dynamic library when I make a call to a function in that library. I have no necessity to use gcc to make the binary - there are other compilers available, and I can write the program in assembly and in theory create the same executable bit for bit. I don't NEED to include the header file - gcc may require it, but I can certainly code around it.
This has never made sense to me - that ANY dynamic link library makes ALL linking programs derivative works. It seems to me that the entire purpose of creating a dynamic link library is exporting a PUBLIC API and header file that allows someone to create reasonably separate programs that can access a function.
Functions, as even a cursory glance at copyright law will tell you, are not copyrightable. Only the source is. I have no need to use the source to use the API, with the exception of the header file.
If the FSF wins, it would be an almost unprecedented increase in copyright coverage.
This will be a test of the weakest portion of the GPL that is assumed to be defensible by the FSF - whether dynamic linking to a library makes something a derivative work in the copyright sense.
For EVERYONE's sake, let's hope that Vidomi is correct and that dynamic linking does NOT make something a derivative work. Consider that libraries are CREATED with the intent that someone else will use the API and header files.
I have never agreed with RMS (and Trolltech's) assumptions that dynamic linking makes something a derived work. It would certainly make ALL third party software vendors beholden to OS vendors, for example. Every program ever written under linux would be a derivative work of the kernel, which is GPL. Imagine if someday the kernel developers decided that all of a sudden ALL works ever developed under linux were actually GPL'd (not that this is a likely scenario, but it is a possible one if RMS is right).
Fortunately, RMS is wrong. GPL libraries do not make all dynamically linked programs derivative works, and I expect this lawsuit to uphold that point (and sanity in general).
The so-called viral aspect of the GPL is the one thing that Microsoft rarely regulates -- the ability to link (even dynamically) your application against their copyright protected library for free, whereas the GPL suggests that if you do this, your entire work must then be covered by the GPL. This is one aspect that has, in the past, been misunderstood by a number of developers and is important to recognise.
There is indeed much confusion over this one. I, for one, would argue that a library by definition defines an API, and that anything that uses that API is NOT a derivative work, since the entire purpose of a library is to define and export an API for other applications to use. RMS believes that something that dynamically links against a library IS a derivative work. This belief is absolutely critical to TrollTech's business plan. They provide QT under the GPL, or you can buy a more standard copyright arrangement if you wish to incorporate QT code with your proprietary apps.
But the GPL has a proviso that: If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. This proviso would seem to apply specifically to programs using an exported API. Others may argue that the linking program still must include the header files at compilation time, but again, it is the intent of a library to provide public headers and APIs.
And also consider, a program dynamically linking to a library is analogous to ANY program running under linux. All system calls dynamically link to the kernel, which is GPL licensed.
As far as I know, this aspect of the GPL has never been challenged legally, and it would seem to me that RMS is quite wrong in his assertion.
If you don't trust RedHat to make modifications then a) why are you using their distribution at all?, and b) what's to stop you fetching the "official" version from the author anyhow?
If all they do is add dependencies to their binary build, it is not worth so much. BIND has had a HORRIBLE security record in the past ten years. Sendmail was HORRIBLE in their security record from 1985-95.
Now, why would I want to use such a package instead of djb's packages ?? I wouldn't. I would take a secure package that provides me, the user, the source, over a GPL package that is a buggy piece of crap anyday.
The real question is, why would RedHat choose to distribute GPL packages with horrible security records, and suppress packages that provide source code that have not a single remote root compromise between them ??
The source to djb packages is open. Reverse engineering of cpoyrighted materials is totally legal. The fact that RedHat chooses to distribute buggy insecure server packages instead of DOING something about it says a lot.
And me, I will still use djbdns and qmail. I use them because I, as a user, have all the freedoms I desire. I use them because I don't have to worry about getting broken into. And that is the single biggest issue for admin'ing boxes. No one likes to reinstall and track down a cracker. And with djb programs, the likelihood that you will ever have to do so is reduced considerably.
You have no intrinsic rights to distribute derivative works of someone else's copyright. None. Nada. They do not exist.
The only circumstances under which you may make and distributge a derivative work is with the blessing of all authors of copyright.
The GPL provides this blessing as long as the works are licensed under the GPL. This means you have more rights than copyright law would allow, if you use GPL software.
The GPL also has the effect of making the distributed works the intellectual property of the community of free software users, in that they may be distributed only as free software. This thing that Microsoft claims is worth so much, the intellectual property, belongs to all free software users.
And that scares Microsoft to death, and leads them to a clever marketing campaign in which the GPL is called viral. It is not. The only perspective from which it may even SEEM viral is the perspective of a BSD license. And that could not be further from Microsoft's perspective.
The GPL license is not viral, and any sense in which you claim that it is becomes mere FUD and is just plain wrong. This is the height of Microsoft marketing trying to associate evil with the GPL.
Under copyright law you have no intrinsic rights to distribute anyone else's copyright. If you make a derivative work, you have no intrinsic right to distribute that derivative work. You may only distribute derivative works if all authors of copyright agree on terms.
Under the GPL, the situation is substantially improved. You can distribute someone else's copyright. You can make and distribute a derivative work, with the added proviso that all the work must be released under the same license.
Basically, Microsoft calls this viral because they would rather the author of a derivative work have ALL copyrights to the derivative and the original work. This is the BSD license. This is even more rights to the recipient of a copyrighted work.
But please remember that GPL programs still give you as a software user MORE rights than you have intrinsically. The GPL has some protection for the community that would prefer if everything were open source, because it restrains any open source (GPLd) program from becoming proprietary. It in effect assigns the intellectual property to the open source (or free software) community. This is what Microsoft is attacking.
The crown jewels for Microsoft are its intellectual property. It is fighting like mad because the GPL gives the free software community the same protection of its intellectual property that Microsoft has of its own. It is not a business model - it is a community software model.
Expect to hear the same announcement from Ximian in a few months. Any company that depends on ongoing funding to survive, is fundamentally broken.
I would think there is a serious future in packaging GNOME for Mandrake, RedHat, Sun, IBM, HP, and others. Most of them would be happy to have someone compile and test GNOME for their platform.
In the same light, RedHat will derive substantial income from packaging linux for Dell, Compaq, and others. It is not anything close to the revenue platform of Windows, but the game is changing. Packaging is support, and many companies would be happy to outsource such a task.
At the risk of appearing Troll-like, one has to ask -
Why don't they fix they damn holes before they kill another kid?!?
It can be summed up simply by my former Matrix Analysis professor on instructing us on how to use Matlab in the computer lab. At the end, he simply stated
"If you have problems getting the computers to work, do what I do. Look around the room for the youngest person, and ask them for help."
I like Linux a lot and use it at home and at work. (Mandrake at home and RedHat at work). In both cases I like Linux because it helps me get my work done, not because I like fucking around with it (which I do, but i can't let that get in the way of my work). So I rely on distributors to make my life easier. Anything that makes life harder for them makes life harder.
This shows a basic misunderstanding of the djb software.
Qmail build and configure: trivial.
Sendmail build: a reaosnable feat.
Sendmail configure: well - let's put it this way. Eric Allman invented his own language because the sendmail.conf syntax is so convoluted.
Djbdns build and configure: trivial
BIND build: pretty easy
BIND configure: Totally non-trivial. A royal pain.
The mean time between required sendmail or BIND upgrades for security issues in the last 20 years: I dunno, but I am guessing no more than a few months.
The mean time between security upgrades for qmail or djbdns: infinite. It has never happened.
I like free software as much as or more than the next guy. But I cannot tolerate monolithic buggy binaries that have the remote root compromise of the month. It is just plain silly. Djb's software provides more than enough basic freedoms for 99% of all users. As he states, netscape was not open source, and was shipped by nearly everyone. QT 1.0 has a more restrictive license than djbdns.
But the thing I appreciate most about qmail and djbdns is not the license or the security. The programs just keep running. They have never needed checking, ever. They have never failed, never required a HUP, nothing. It is unbelievable to me that they work so well.
In particular the "DJB license" does not provide "freedom 3": "The freedom to improve the program, and release your improvements to the public, so that the whole community benefits", therefore DJB's license is not a free software license by the FSF's standards. For the same reason it doesn't conform to the OSI definition either.
You are quite free to distribute patches to the djb source, so long as they are distributed separately. The FSF freedoms do not include re-distributing under the same terms as those you received. That is part of OSI and DFSG. With DJB software, you have the source, you can use it, you can modify it, you can re-distribute the original as source or binary (provided the binary does not change the directory structure and works "as intended" from the original tarball). You can also distribute patches. This qualifies as improving the software and distributing your improvements. These are the FSF essential freedoms. It doesn't make a specific point about distributing modified binaries, except in the long text after stating the basic freedoms. Note that QT 1.0 came under a more restrictive license than this...
Now then, I do not feel as a user that I am so inclined to avoid software when I am given a copy that I own. A copy that I can hack, modify, and a copy that I can distribute, as I received it, to others.
If distributions as so concerned about holes that they will not distribute djb software because they cannot distribute a modified binary - then they ought to take a good long hard look in the mirror and repeat the words "sendmail, BIND, wu-ftp, oh my" over and over again until they get it.
Crappy remote root compromisable software that is GPL'd is not worth the bits used to ship it. That has included at times wu-ftp, sendmail, and BIND multiple times each. That RedHat is free to distribute a modified binary is little solace to me as I re-install a machine. Heck, they do not even do a security review, or if they do, they are not very good at it. The cost of a single remote root compromise is well over $1000 to the admin. The cost of using qmail and djbdns is free. The cost of sleeping better at night - priceless.
Near as I could tell from looking at Bernstein's web site you are not allowed to distribute modified binaries or source!
You are, of course, allowed to distribute modified sources as patches separate from the original source.
Even if it is true that there has never been a qmail or djbdns exploit, that does not prove there never will be one. Even OpenBSD has had exploits, and those guys are DAMN careful!
DJB redefines damn careful. Look. Is it better to have distributed sendmail and BIND for the last 20 years, or DJB's software ?? In one case you have remote root exploit after remote root exploit, and you can distribute modified binaries. In the other case, you have secure software that is open source, but does not allow distribution of modifications.
Which case do you think is easier to admin ???
It is impossible to guarentee that a non-trivial piece of software does not have vulnerabilities. Not allowing distributors, or hell just concerned sys-admins from distributing sources or binaries that with any kind of improvements is just plain fucking rediculous. IMHO Bernstein is just being a jackass. His "Free software" is about as free as Microsoft's "Shared Source" bullshit.
DJB's software provides all the GNU essential freedoms to the user. The only issue is that modifications can only be distributed as source patches.
As I recall, QT 1.0 was issued with more restrictions than that, and was WIDELY distributed by SuSE, Mandrake, et al. With QT there was the additional restriction that anything linking to the software had to be open source or buy a license from Trolltech. In fact, QT STILL has that restriction.
What is more free then - the GPL'd QT or DJB's programs ? On what high moral ground should someone stand to distribute crappy exploitable but GPL programs compared to DJB licensed programs ? Who is really doing a service to the Free Software community ?
djbdns and qmail are both under the DJB license, a license of their creator. You arent as free to do what you want with them as GNU applications.
You get the source. You can re-distribute it. You can modify it for your needs. You can distribute binaries if and only if the binary installation works and maintains the intended directory structure of the source build.
You can modify and distribute patches SEPARATELY from the original.
If you read the GNU free software page, all freedoms are assured to the user of the software. Just not to the distributors, since they cannot distribute a modified binary.
Of course, qmail and djbdns have no holes. Guaranteed. So there is no need to distribute a modified binary. Anyone who claims otherwise has not dealt with sendmail and BIND over the years. These djb programs are a blessing, and the user is assured of all essential GNU freedoms. That ought to be enough. Heck, on my redhat boxes I consider them the least buggy pieces of software on the machine, and I will gladly build them from source whenever I need a dns or mta.
You are a hypocrite. djbdns and qmail are Free Software in the GNU sense of the word. You say
Read the licenses of djbdns and qmail, and you'll see why we can't ship them: If a hole is discovered, we're not allowed to distribute a fixed version in binary form.
This belies the point that holes are NEVER discovered in Bernstein's software. Besides that, you can provide the source. You can modify it for personal use. You can freely re-distribute the source. You can distribute source patches SEPARATELY from the djb source.
GNU freedoms are
The freedom to run the program, for any purpose (freedom 0).
Clearly djb's programs meet this.
The freedom to study how the program works, and adapt it to your needs (freedom 1). Access to the source code is a precondition for this.
Clearly this one is met as well.
The freedom to redistribute copies so you can help your neighbor (freedom 2).
This one is true also.
The freedom to improve the program, and release your improvements to the public, so that the whole community benefits. (freedom 3). Access to the source code is a precondition for this.
Of course, you have to distribute patches separately, and cannot distribute modified binaries.
Look, you guys at RedHat have shipped more BIND installations that have resulted in remote root compromises than anyone else. I have personally had to re-install two machines for this reason. (and no, I didn't do the original install). Bernstein writes good free software. You can safely distribute a binary and NEVER worry about finding holes in it. Of course, any improvements in the source would have to be approved by Bernstein before being broadly distributed.
But some of us consider that a good thing.
Why don't you just come out and admit that marketing ploys are your only reasons for including or not including something in the dist.
Microsoft is losing money. Well, not really. Really Gates has so much money he wipes his butt with $100s. However, the company profit margins are not what they were 3-4 years ago. The primary reason is that people are not buying new computers. Windows ME and 2000 are not meeting sales expectations.
In general, people are reasonably happy with Windows 98, Word, and IE. And a reasonably happy consumer is not going to give you more money.
So enter reason one for subscriptipn service. A revenue stream. The Microsoft OS has matured, and regular upgrades are unnecessary. So Microsoft will force them on you, but making subscription services much less expensive than stand-alone software.
Reason number two is that they will get to have an install disk or program on your computer every few years. This install program will comb your computer, find your default settings, and change all computers to using IE as the browser, and Windows Media Player as the Media Player, and make life very difficult if you want to use anything but MSN for an ISP. The more often Microsoft can override default settings, the more network traffic they will control.
Re:Why i'm still not switching...
on
Mozilla 0.9 Out
·
· Score: 2
So get off your soap box, I value freedom more than the security garuntee of 1 man who can write decent applications, but has no sense of freedom. And I've used that word alot, More than I like to, but price is not the issue, Thats not what the GPL is all about. If DJB would put his stuff under the GPL, I might just use it. But whatever you do, regardless, Dont get on the soapbox saying sendmail and bind are bad, and we should take away our current freedoms to use it. Theres a reason sendmail handles an estimated 80% of all email traffic. Its good, Its popular, And its free (as in speech)
Sendmail is responsible for the majority of remote root exploits in the 80s. Some of us didn't forget all the pleasant re-installs.
Sendmail is a bloated slow pig of a piece of software. It is so difficult to configure that Allman wrote another program just to write sendmail.conf files - creating the m4 format.
Qmail is small, fast, and easy to configure.
But let us consider whether djb produces free software. Quoting from the Debian Free Software Guidelines.
1) Free distribution - djb passes
2) Provide source - djb passes
3) Derived works - djb passes - he allows anyone to distribute patches - the same as QT 1.0.
4) Allowing distribution of modified source or patches. djb fails. Patches should be distributed separately,
5-9) Discrimination, contamination... djb passes.
So when you say it is not Free Software, and if we consider the Debian sense of free software, the argument is really about allowing patches to be distributed with the source.
And if you go to GNU, and make the same arguments, you find it has ALL of the freedoms associated with free software. GNU lists those freedoms as
1) The freedom to run the program, for any purpose
2) The freedom to study how the program works, and adapt it to your needs. Access to the source code is a precondition for this.
3) The freedom to redistribute copies so you can help your neighbor
4) The freedom to improve the program, and release your improvements to the public, so that the whole community benefits.
Again, the only potential stopping point is that you may not distribute patches with the source - they must be distributed separately. And if you are going to get on some moral soapbox about distribution of patches separately for someone whose principal concern is preserving directory structure of his software across distributions, maybe you should take a long hard look in the mirror and see who is concerned about freedom. I am MUCH more concerned about licensing issues surrounding QT, where they require you to pay if you incorporate QT in commercial software. DJB software is ALWAYS free as in free beer, and the only way in which it is not Free Software is that patches must be distributely separately.
Besides, you gotta love a programmer who offers his own money for anyone finding a security bug in his program. If Allman offered $500 for each security bug in Sendmail, he would have declared bankruptcy in 1985.
Re:Why i'm still not switching...
on
Mozilla 0.9 Out
·
· Score: 2
1. You will never see qmail included as the default MTA in any free OS. Whoever is doing the packaging/migration into the distribution is going to want to make patches at some point or perhaps change the directory layout. Not to mention that it interferes with certain goals of some projects to provide completely free as in speech software.
DJB absolutely does not want any changes made to the directory structure. That is the principal reason he gives for being so anal about distribution. The packagers WANT to change the directory layout - it provides additional support for them. Having a package install in exactly the same place everywhere makes it easy to admin everywhere.
2. I can't use his libraries for my own projects. One point that he raises on his web page is that he's got a much more efficient dns resolver than the one that ships in BIND. Great, he gets to use that in qmail and his programs, but if I want to use it, I have to ensure the user has a copy of djbdns installed just so that I can make use of a small part of the program. Is linking against his libraries even allowed under his license?
Sure it is. You can link against any software on your machine. He states quite explicitly "So I promise I won't sue you for copyright violation for downloading documents from my server. " You should also read his statements that you own the copy of the software you download, and read
http://cr.yp.to/softwarelaw.html
The other thing that really peaves me is that he ships what I consider incomplete versions. djbdns does not include installation instructions or man pages in the tarball (the latest from his webpage). Instead, he expects you to read them off his website.
The rationale is that there are frequency upgrades to documentation, and the website will always be up to date.
OK. Bernstein is a little quirky. It often comes with being an academic. However, he has done a lot for free software even in just considering his cryptography court battle. And he has written a lot of software as free as QT 1.0 if not free-er
http://cr.yp.to/software.html
In a perfect world, it would be nice if his license loosened up a little. But he who writes the software gets to choose the license, and DJB makes things as free as his own sense of what is right in software allows. If he were to GPL his programs, then all the distributors would alter directory structures. And he thinks that is bad. So he allows unrestricted binary distribution with the exception that the distribution has to occur EXACTLY as the tarball build would make it.
Heck, I run a box at home, and I sleep a little better knowing I am running djbdns and qmail instead of sendmail and BIND. And I find his licensing free enough and rational enough for me.
Slashdot Mirror
US Copyright law provides no protection against ideas, methods, or functionality. It only protects expression. If I have a copy of your copyrighted work, you would need to have an EULA to protect against any usage of its functionality.
Put more simply, you cannot protect functionality with copyright. An additional contract is required, and this is the entire point of an EULA.
The GPL and LGPL and BSD license and artistic license have no contracts. Each grants the user more rights than those intrinsic to copyright, but each takes away NO rights. There are no intrinsic rights in copyright protecting usage. See US Copyright Law 102b.
In no case does copyright protection for an original work of authorship extend to any idea, procedure, process, system, method of operation, concept, principle, or discovery, regardless of the form in which it is described, explained, illustrated, or embodied in such work.
Furthermore, the license of the GPL explicitly states if a program requires the GPL'd code to produce it's intended results then it is a derived work.
If dynamic linking does not make a program a derived work, then it matters for shiit what the GPL says. No license can apply to something that is not a derivative work of the licensed work.
Everyone needs to keep in mind that copyright does not protect functionality - it only protects expression. Copyright does not protect against reverse engineering. If I code against an API and make my binary, is my program a derivative work of the library providing the API ?? How about if there are multiple programs that could provide the API (such as Lesstif, Motif) ?? Is my program a derivative work of Lesstif when I link to its library, and a derivative work of Motif when I link to its library ?? How can that possibly be the case ?
How about if I use C function calls and change the LD_LIBRARY_PATH ? Does my program's licensing change ??
This is not even so difficult conceptually. APIs are NOT protected by copyright intrinsically - only the expression in the source code is. Inasmuch as library functionality can be legally reverse engineered, and the linking program doesn't need to know who wrote the dynamic link library in order to use it, these are independent in the copyright sense.
If you put a lot of work and time in your program, and all you want is that the program's source code remains available for everybody, and some company disrespect that wish and steals you code without releasing it, would you he happy about that?
This is not about placing GPL code in proprietary closed works.
This is about whether dynamic linking makes something a derived work.
Vidomi is providing source code to all programs that are GPL'd and is dynamically linking to them with their own code.
Does dynamic linking make something a derivative work in the copyright sense ?? I don't think it does.
Likewise, it's kind of obvious that this product pretty much relies on GPL code to be useful. Perhaps it offers some token functionality without the GPL code, but, that functionality is pretty irrelavent. A human can take a look at it, and make a value judgement on the situation.
They provide the source code to the GPL libraries. Anyone can take those for at most a copying fee. So the GPL programs do not form part of their intellectual property on which sales could be based.
This case is clear and simple, and it comes down to the question: If I make a program that dynamically links to another, is my program a derivative work of the linking program ?
Think in terms of component models and independence of components. If all linking programs are derivative works, then there is no intrinsic independence of copyright in computer systems at all. That is the statement upon which the defense will call upon human judgment to question the sanity of the FSF lawyers.
Programs under GNU/Linux are not linked against the kernel.
...
System calls are not in libc, they are exported directly from the kernel. Things like select, open,
And if the FSF loses, it won't be that big a deal... GPL 3 would just have to include a clause saying "no dynamic linking with a non-GPL program"
Actually, that would not help at all.
If something is not a derivative work, then the license of some other program is irrelevant,.
> whether dynamic linking to a library makes something a derivative work in the copyright sense.
I think it does since the libraries header files are used in the subsequent work. The courts will always take into account NON COURT precedent in the absence of previous similar findings and there they would run into the NeXT Object C compiler based on GCC (NeXT backed down, its GPL now!), the QT problem, the absence of linking to GPL libs on Linux/UNIX systems, the intent of the LGPL to specifically permit this (this alone should tell you the intent of the GPL is NOT to permit it)
Companies backing down do not set legal precedent. That is the entire point of backing down.
The QT problem has NEVER been addressed in court. They make the same assumptions RMS does - that dynamic linking makes something a derivative. In fact, I think RMS convinced them of it.
The interface between kernel and application is via an LGPL application and Linus specifically permits binary only drivers in Linux (basically making the header files required to use them effecticely LGPL)
When I create a binary and use system calls, I am dynamically linking to the kernel in exactly the same sense as I am linking to a dynamic library when I make a call to a function in that library. I have no necessity to use gcc to make the binary - there are other compilers available, and I can write the program in assembly and in theory create the same executable bit for bit. I don't NEED to include the header file - gcc may require it, but I can certainly code around it.
This has never made sense to me - that ANY dynamic link library makes ALL linking programs derivative works. It seems to me that the entire purpose of creating a dynamic link library is exporting a PUBLIC API and header file that allows someone to create reasonably separate programs that can access a function.
Functions, as even a cursory glance at copyright law will tell you, are not copyrightable. Only the source is. I have no need to use the source to use the API, with the exception of the header file.
If the FSF wins, it would be an almost unprecedented increase in copyright coverage.
This will be a test of the weakest portion of the GPL that is assumed to be defensible by the FSF - whether dynamic linking to a library makes something a derivative work in the copyright sense.
For EVERYONE's sake, let's hope that Vidomi is correct and that dynamic linking does NOT make something a derivative work. Consider that libraries are CREATED with the intent that someone else will use the API and header files.
I have never agreed with RMS (and Trolltech's) assumptions that dynamic linking makes something a derived work. It would certainly make ALL third party software vendors beholden to OS vendors, for example. Every program ever written under linux would be a derivative work of the kernel, which is GPL. Imagine if someday the kernel developers decided that all of a sudden ALL works ever developed under linux were actually GPL'd (not that this is a likely scenario, but it is a possible one if RMS is right).
Fortunately, RMS is wrong. GPL libraries do not make all dynamically linked programs derivative works, and I expect this lawsuit to uphold that point (and sanity in general).
The so-called viral aspect of the GPL is the one thing that Microsoft rarely regulates -- the ability to link (even dynamically) your application against their copyright protected library for free, whereas the GPL suggests that if you do this, your entire work must then be covered by the GPL. This is one aspect that has, in the past, been misunderstood by a number of developers and is important to recognise.
There is indeed much confusion over this one. I, for one, would argue that a library by definition defines an API, and that anything that uses that API is NOT a derivative work, since the entire purpose of a library is to define and export an API for other applications to use. RMS believes that something that dynamically links against a library IS a derivative work. This belief is absolutely critical to TrollTech's business plan. They provide QT under the GPL, or you can buy a more standard copyright arrangement if you wish to incorporate QT code with your proprietary apps.
But the GPL has a proviso that: If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. This proviso would seem to apply specifically to programs using an exported API. Others may argue that the linking program still must include the header files at compilation time, but again, it is the intent of a library to provide public headers and APIs.
And also consider, a program dynamically linking to a library is analogous to ANY program running under linux. All system calls dynamically link to the kernel, which is GPL licensed.
As far as I know, this aspect of the GPL has never been challenged legally, and it would seem to me that RMS is quite wrong in his assertion.
If you don't trust RedHat to make modifications then a) why are you using their distribution at all?, and b) what's to stop you fetching the "official" version from the author anyhow?
If all they do is add dependencies to their binary build, it is not worth so much. BIND has had a HORRIBLE security record in the past ten years. Sendmail was HORRIBLE in their security record from 1985-95.
Now, why would I want to use such a package instead of djb's packages ?? I wouldn't. I would take a secure package that provides me, the user, the source, over a GPL package that is a buggy piece of crap anyday.
The real question is, why would RedHat choose to distribute GPL packages with horrible security records, and suppress packages that provide source code that have not a single remote root compromise between them ??
The source to djb packages is open. Reverse engineering of cpoyrighted materials is totally legal. The fact that RedHat chooses to distribute buggy insecure server packages instead of DOING something about it says a lot.
And me, I will still use djbdns and qmail. I use them because I, as a user, have all the freedoms I desire. I use them because I don't have to worry about getting broken into. And that is the single biggest issue for admin'ing boxes. No one likes to reinstall and track down a cracker. And with djb programs, the likelihood that you will ever have to do so is reduced considerably.
And that is worth A LOT.
You have no intrinsic rights to distribute derivative works of someone else's copyright. None. Nada. They do not exist.
The only circumstances under which you may make and distributge a derivative work is with the blessing of all authors of copyright.
The GPL provides this blessing as long as the works are licensed under the GPL. This means you have more rights than copyright law would allow, if you use GPL software.
The GPL also has the effect of making the distributed works the intellectual property of the community of free software users, in that they may be distributed only as free software. This thing that Microsoft claims is worth so much, the intellectual property, belongs to all free software users.
And that scares Microsoft to death, and leads them to a clever marketing campaign in which the GPL is called viral. It is not. The only perspective from which it may even SEEM viral is the perspective of a BSD license. And that could not be further from Microsoft's perspective.
The GPL license is not viral, and any sense in which you claim that it is becomes mere FUD and is just plain wrong. This is the height of Microsoft marketing trying to associate evil with the GPL.
Under copyright law you have no intrinsic rights to distribute anyone else's copyright. If you make a derivative work, you have no intrinsic right to distribute that derivative work. You may only distribute derivative works if all authors of copyright agree on terms.
Under the GPL, the situation is substantially improved. You can distribute someone else's copyright. You can make and distribute a derivative work, with the added proviso that all the work must be released under the same license.
Basically, Microsoft calls this viral because they would rather the author of a derivative work have ALL copyrights to the derivative and the original work. This is the BSD license. This is even more rights to the recipient of a copyrighted work.
But please remember that GPL programs still give you as a software user MORE rights than you have intrinsically. The GPL has some protection for the community that would prefer if everything were open source, because it restrains any open source (GPLd) program from becoming proprietary. It in effect assigns the intellectual property to the open source (or free software) community. This is what Microsoft is attacking.
The crown jewels for Microsoft are its intellectual property. It is fighting like mad because the GPL gives the free software community the same protection of its intellectual property that Microsoft has of its own. It is not a business model - it is a community software model.
I wouldn't trust this would secure my system. The only way to do it is to go through the security bulletins, patch, patch, patch and conf like mad.
Obviously. If you KNEW you were compromised, you would reinstall if you had half a brain.
However, if you did not KNOW you were compromised, it might be nice to have the "white" virus remove the holes before more malice comes to your box.
I think that is the entire point.
Expect to hear the same announcement from Ximian in a few months. Any company that depends on ongoing funding to survive, is fundamentally broken.
I would think there is a serious future in packaging GNOME for Mandrake, RedHat, Sun, IBM, HP, and others. Most of them would be happy to have someone compile and test GNOME for their platform.
In the same light, RedHat will derive substantial income from packaging linux for Dell, Compaq, and others. It is not anything close to the revenue platform of Windows, but the game is changing. Packaging is support, and many companies would be happy to outsource such a task.
At the risk of appearing Troll-like, one has to ask -
Why don't they fix they damn holes before they kill another kid?!?
It can be summed up simply by my former Matrix Analysis professor on instructing us on how to use Matlab in the computer lab. At the end, he simply stated
"If you have problems getting the computers to work, do what I do. Look around the room for the youngest person, and ask them for help."
He was right.
I like Linux a lot and use it at home and at work. (Mandrake at home and RedHat at work). In both cases I like Linux because it helps me get my work done, not because I like fucking around with it (which I do, but i can't let that get in the way of my work). So I rely on distributors to make my life easier. Anything that makes life harder for them makes life harder.
This shows a basic misunderstanding of the djb software.
Qmail build and configure: trivial.
Sendmail build: a reaosnable feat.
Sendmail configure: well - let's put it this way. Eric Allman invented his own language because the sendmail.conf syntax is so convoluted.
Djbdns build and configure: trivial
BIND build: pretty easy
BIND configure: Totally non-trivial. A royal pain.
The mean time between required sendmail or BIND upgrades for security issues in the last 20 years: I dunno, but I am guessing no more than a few months.
The mean time between security upgrades for qmail or djbdns: infinite. It has never happened.
I like free software as much as or more than the next guy. But I cannot tolerate monolithic buggy binaries that have the remote root compromise of the month. It is just plain silly. Djb's software provides more than enough basic freedoms for 99% of all users. As he states, netscape was not open source, and was shipped by nearly everyone. QT 1.0 has a more restrictive license than djbdns.
But the thing I appreciate most about qmail and djbdns is not the license or the security. The programs just keep running. They have never needed checking, ever. They have never failed, never required a HUP, nothing. It is unbelievable to me that they work so well.
In particular the "DJB license" does not provide "freedom 3": "The freedom to improve the program, and release your improvements to the public, so that the whole community benefits", therefore DJB's license is not a free software license by the FSF's standards. For the same reason it doesn't conform to the OSI definition either.
You are quite free to distribute patches to the djb source, so long as they are distributed separately. The FSF freedoms do not include re-distributing under the same terms as those you received. That is part of OSI and DFSG. With DJB software, you have the source, you can use it, you can modify it, you can re-distribute the original as source or binary (provided the binary does not change the directory structure and works "as intended" from the original tarball). You can also distribute patches. This qualifies as improving the software and distributing your improvements. These are the FSF essential freedoms. It doesn't make a specific point about distributing modified binaries, except in the long text after stating the basic freedoms. Note that QT 1.0 came under a more restrictive license than this...
Now then, I do not feel as a user that I am so inclined to avoid software when I am given a copy that I own. A copy that I can hack, modify, and a copy that I can distribute, as I received it, to others.
If distributions as so concerned about holes that they will not distribute djb software because they cannot distribute a modified binary - then they ought to take a good long hard look in the mirror and repeat the words "sendmail, BIND, wu-ftp, oh my" over and over again until they get it.
Crappy remote root compromisable software that is GPL'd is not worth the bits used to ship it. That has included at times wu-ftp, sendmail, and BIND multiple times each. That RedHat is free to distribute a modified binary is little solace to me as I re-install a machine. Heck, they do not even do a security review, or if they do, they are not very good at it. The cost of a single remote root compromise is well over $1000 to the admin. The cost of using qmail and djbdns is free. The cost of sleeping better at night - priceless.
Of course, qmail and djbdns have no holes. Guaranteed.
:)
You realize that good security practice dictates that we can now never accept anything you ever say on the subject of security again, right?
My security advice will forever be limited to being no better than the security of djb's software.
Now that is a real limitation
Near as I could tell from looking at Bernstein's web site you are not allowed to distribute modified binaries or source!
You are, of course, allowed to distribute modified sources as patches separate from the original source.
Even if it is true that there has never been a qmail or djbdns exploit, that does not prove there never will be one. Even OpenBSD has had exploits, and those guys are DAMN careful!
DJB redefines damn careful. Look. Is it better to have distributed sendmail and BIND for the last 20 years, or DJB's software ?? In one case you have remote root exploit after remote root exploit, and you can distribute modified binaries. In the other case, you have secure software that is open source, but does not allow distribution of modifications.
Which case do you think is easier to admin ???
It is impossible to guarentee that a non-trivial piece of software does not have vulnerabilities. Not allowing distributors, or hell just concerned sys-admins from distributing sources or binaries that with any kind of improvements is just plain fucking rediculous. IMHO Bernstein is just being a jackass. His "Free software" is about as free as Microsoft's "Shared Source" bullshit.
DJB's software provides all the GNU essential freedoms to the user. The only issue is that modifications can only be distributed as source patches.
As I recall, QT 1.0 was issued with more restrictions than that, and was WIDELY distributed by SuSE, Mandrake, et al. With QT there was the additional restriction that anything linking to the software had to be open source or buy a license from Trolltech. In fact, QT STILL has that restriction.
What is more free then - the GPL'd QT or DJB's programs ? On what high moral ground should someone stand to distribute crappy exploitable but GPL programs compared to DJB licensed programs ? Who is really doing a service to the Free Software community ?
djbdns and qmail are both under the DJB license, a license of their creator. You arent as free to do what you want with them as GNU applications.
You get the source. You can re-distribute it. You can modify it for your needs. You can distribute binaries if and only if the binary installation works and maintains the intended directory structure of the source build.
You can modify and distribute patches SEPARATELY from the original.
If you read the GNU free software page, all freedoms are assured to the user of the software. Just not to the distributors, since they cannot distribute a modified binary.
Of course, qmail and djbdns have no holes. Guaranteed. So there is no need to distribute a modified binary. Anyone who claims otherwise has not dealt with sendmail and BIND over the years. These djb programs are a blessing, and the user is assured of all essential GNU freedoms. That ought to be enough. Heck, on my redhat boxes I consider them the least buggy pieces of software on the machine, and I will gladly build them from source whenever I need a dns or mta.
You are a hypocrite. djbdns and qmail are Free Software in the GNU sense of the word. You say
Read the licenses of djbdns and qmail, and you'll see why we can't ship them: If a hole is discovered, we're not allowed to distribute a fixed version in binary form.
This belies the point that holes are NEVER discovered in Bernstein's software. Besides that, you can provide the source. You can modify it for personal use. You can freely re-distribute the source. You can distribute source patches SEPARATELY from the djb source.
GNU freedoms are
The freedom to run the program, for any purpose (freedom 0).
Clearly djb's programs meet this.
The freedom to study how the program works, and adapt it to your needs (freedom 1). Access to the source code is a precondition for this.
Clearly this one is met as well.
The freedom to redistribute copies so you can help your neighbor (freedom 2).
This one is true also.
The freedom to improve the program, and release your improvements to the public, so that the whole community benefits. (freedom 3). Access to the source code is a precondition for this.
Of course, you have to distribute patches separately, and cannot distribute modified binaries.
Look, you guys at RedHat have shipped more BIND installations that have resulted in remote root compromises than anyone else. I have personally had to re-install two machines for this reason. (and no, I didn't do the original install). Bernstein writes good free software. You can safely distribute a binary and NEVER worry about finding holes in it. Of course, any improvements in the source would have to be approved by Bernstein before being broadly distributed.
But some of us consider that a good thing.
Why don't you just come out and admit that marketing ploys are your only reasons for including or not including something in the dist.
Microsoft is losing money. Well, not really. Really Gates has so much money he wipes his butt with $100s. However, the company profit margins are not what they were 3-4 years ago. The primary reason is that people are not buying new computers. Windows ME and 2000 are not meeting sales expectations.
In general, people are reasonably happy with Windows 98, Word, and IE. And a reasonably happy consumer is not going to give you more money.
So enter reason one for subscriptipn service. A revenue stream. The Microsoft OS has matured, and regular upgrades are unnecessary. So Microsoft will force them on you, but making subscription services much less expensive than stand-alone software.
Reason number two is that they will get to have an install disk or program on your computer every few years. This install program will comb your computer, find your default settings, and change all computers to using IE as the browser, and Windows Media Player as the Media Player, and make life very difficult if you want to use anything but MSN for an ISP. The more often Microsoft can override default settings, the more network traffic they will control.
So get off your soap box, I value freedom more than the security garuntee of 1 man who can write decent applications, but has no sense of freedom. And I've used that word alot, More than I like to, but price is not the issue, Thats not what the GPL is all about. If DJB would put his stuff under the GPL, I might just use it. But whatever you do, regardless, Dont get on the soapbox saying sendmail and bind are bad, and we should take away our current freedoms to use it. Theres a reason sendmail handles an estimated 80% of all email traffic. Its good, Its popular, And its free (as in speech)
Sendmail is responsible for the majority of remote root exploits in the 80s. Some of us didn't forget all the pleasant re-installs.
Sendmail is a bloated slow pig of a piece of software. It is so difficult to configure that Allman wrote another program just to write sendmail.conf files - creating the m4 format.
Qmail is small, fast, and easy to configure.
But let us consider whether djb produces free software. Quoting from the Debian Free Software Guidelines.
1) Free distribution - djb passes
2) Provide source - djb passes
3) Derived works - djb passes - he allows anyone to distribute patches - the same as QT 1.0.
4) Allowing distribution of modified source or patches. djb fails. Patches should be distributed separately,
5-9) Discrimination, contamination... djb passes.
So when you say it is not Free Software, and if we consider the Debian sense of free software, the argument is really about allowing patches to be distributed with the source.
And if you go to GNU, and make the same arguments, you find it has ALL of the freedoms associated with free software. GNU lists those freedoms as
1) The freedom to run the program, for any purpose
2) The freedom to study how the program works, and adapt it to your needs. Access to the source code is a precondition for this.
3) The freedom to redistribute copies so you can help your neighbor
4) The freedom to improve the program, and release your improvements to the public, so that the whole community benefits.
Again, the only potential stopping point is that you may not distribute patches with the source - they must be distributed separately. And if you are going to get on some moral soapbox about distribution of patches separately for someone whose principal concern is preserving directory structure of his software across distributions, maybe you should take a long hard look in the mirror and see who is concerned about freedom. I am MUCH more concerned about licensing issues surrounding QT, where they require you to pay if you incorporate QT in commercial software. DJB software is ALWAYS free as in free beer, and the only way in which it is not Free Software is that patches must be distributely separately.
Besides, you gotta love a programmer who offers his own money for anyone finding a security bug in his program. If Allman offered $500 for each security bug in Sendmail, he would have declared bankruptcy in 1985.
1. You will never see qmail included as the default MTA in any free OS. Whoever is doing the packaging/migration into the distribution is going to want to make patches at some point or perhaps change the directory layout. Not to mention that it interferes with certain goals of some projects to provide completely free as in speech software.
DJB absolutely does not want any changes made to the directory structure. That is the principal reason he gives for being so anal about distribution. The packagers WANT to change the directory layout - it provides additional support for them. Having a package install in exactly the same place everywhere makes it easy to admin everywhere.
2. I can't use his libraries for my own projects. One point that he raises on his web page is that he's got a much more efficient dns resolver than the one that ships in BIND. Great, he gets to use that in qmail and his programs, but if I want to use it, I have to ensure the user has a copy of djbdns installed just so that I can make use of a small part of the program. Is linking against his libraries even allowed under his license?
Sure it is. You can link against any software on your machine. He states quite explicitly "So I promise I won't sue you for copyright violation for downloading documents from my server. " You should also read his statements that you own the copy of the software you download, and read
http://cr.yp.to/softwarelaw.html
The other thing that really peaves me is that he ships what I consider incomplete versions. djbdns does not include installation instructions or man pages in the tarball (the latest from his webpage). Instead, he expects you to read them off his website.
The rationale is that there are frequency upgrades to documentation, and the website will always be up to date.
OK. Bernstein is a little quirky. It often comes with being an academic. However, he has done a lot for free software even in just considering his cryptography court battle. And he has written a lot of software as free as QT 1.0 if not free-er
http://cr.yp.to/software.html
In a perfect world, it would be nice if his license loosened up a little. But he who writes the software gets to choose the license, and DJB makes things as free as his own sense of what is right in software allows. If he were to GPL his programs, then all the distributors would alter directory structures. And he thinks that is bad. So he allows unrestricted binary distribution with the exception that the distribution has to occur EXACTLY as the tarball build would make it.
Heck, I run a box at home, and I sleep a little better knowing I am running djbdns and qmail instead of sendmail and BIND. And I find his licensing free enough and rational enough for me.