Linux Kernel Source

[Chris Hills]

[snips]

In fact ALL the commercial software I supply RTOS, stacks, file systems
etc comes in source code form.

Fortunately they don't have the highly restrictive GPL license.

A license which allows you to do virtually anything you want,

Except keep your code private. Something that is usually essential for
commercial code.

with
essentially the sole exception of keeping the relevant sources from the
users, is "highly restrictive"?

The users don't need the source code. They use the equipment not mess
around inside it. It does keep the source away from competitors and
terrorists

BTW I have discovered that a LOT of FOSS users take the code use it and
modify it but do not make it available again. They launch products
using it but you won't ever see the source for it. SO you can have your
cake and eat it.

Industry is pragmatic and just ignores the GPL when it feels like it.
After al who is going to sue them?

 

[Michal Nazarewicz]

[snips]

In fact ALL the commercial software I supply RTOS, stacks, file systems
etc comes in source code form.

Fortunately they don't have the highly restrictive GPL license.

A license which allows you to do virtually anything you want,

Except keep your code private. Something that is usually essential
for commercial code.

If company bought a closed source application it would have no access to
source code and no possibility to modify it anyway.

The users don't need the source code. They use the equipment not mess
around inside it. It does keep the source away from competitors and
terrorists

Yes they do. It reminds me of few times I needed a feature in some
application and quick patch was sufficient. With closed source software
I would never see that feature.

BTW I have discovered that a LOT of FOSS users take the code use it
and modify it but do not make it available again.

Yes, because they can do so (if they don't distribute binary of course).

They launch
products using it but you won't ever see the source for it. SO you
can have your cake and eat it.

One company producing hardware firewalls did that in German -- they lost
in court and now distribute source code with their firewalls.

Industry is pragmatic and just ignores the GPL when it feels like
it. After al who is going to sue them?

Don't worry -- some one will. Eventually.

 

[Chris Hills]

[snips]

On Thu, 24 Jan 2008 10:43:19 +0000, Chris Hills wrote:

In fact ALL the commercial software I supply RTOS, stacks, file systems
etc comes in source code form.

Fortunately they don't have the highly restrictive GPL license.

A license which allows you to do virtually anything you want,

Except keep your code private. Something that is usually essential
for commercial code.

If company bought a closed source application it would have no access to
source code and no possibility to modify it anyway.

BTW there are many commercial applications where the source code IS
available and can be modified. You just cant release the source. The
majority of the users of this software (normally OEM's) would not want
to release the source or their system anyway.

You want the source code for industrial security and fire systems or
avionics systems to be let loose?

Yes they do. It reminds me of few times I needed a feature in some
application and quick patch was sufficient. With closed source software
I would never see that feature.

CRAP. Quite often the feature is added by the supplier. Why should you
be able to alter an application?

You keep saying "closed source" and as I KEPP TELLING YOU Just because
it isn't FOSS doesn't mean you don't get the source.

I know some compilers where you get the complete source code of the
libraries. Though not the compiler as it contains their IP they don't
want to release and why should they? .

Yes, because they can do so (if they don't distribute binary of course).

The point is they DO distribute the binary in the system and no one
cares. Actually in some market sectors it is quite common. Open source
is a one way street.

One company producing hardware firewalls did that in German -- they
lost
in court and now distribute source code with their firewalls.

But many, and the number is increasing, get away with it.

Don't worry -- some one will. Eventually.

The odds are good that it will never happen.

 

[Syren Baran]

Industry is pragmatic and just ignores the GPL when it feels like it.
After al who is going to sue them?

Among others www.gpl-violations.org and the netfilter team.

 

[Chris Hills]

Among others www.gpl-violations.org and the netfilter team.

A lot of people seem to be doing (ignoring GPL) it though.

The question is that if the GPL-violations team get good at this will it
kill the use of GPL software in the commercial space?

Most companies don't want to release their software to competitors. And
in some cases releasing it will open the system to serious security
problems.

 

[Ben Pfaff]

The question is that if the GPL-violations team get good at this will
it kill the use of GPL software in the commercial space?

Most companies don't want to release their software to
competitors. And in some cases releasing it will open the system to
serious security problems.

Those companies can choose not to distribute the binaries, then.
Distributing the source of a program under the GPL is only
required if you distribute the binaries.

 

[Chris Hills]

Those companies can choose not to distribute the binaries, then.
Distributing the source of a program under the GPL is only
required if you distribute the binaries.

They usually distribute the binaries as part of their equipment. Not as
a stand alone application eg a router or set top box.

 

[Syren Baran]

A lot of people seem to be doing (ignoring GPL) it though.

The question is that if the GPL-violations team get good at this will it
kill the use of GPL software in the commercial space?

Why should that be the case?
By distributing the source code a potential competitor would know no
more or less than by opening the "box" (router, phone, printer
whatsoever) and checking which chips are soldered on.
Such a "product vendor" would not even have to gpl new drivers (kernel
modules), so that would of course be encouraged.

Most companies don't want to release their software to competitors. And
in some cases releasing it will open the system to serious security
problems.

Most uses of linux nowadays are in embeded systems, not pc´s.
While that does empower users its not a big advantage for a competitor.

BTW, quite a few softwareprojects are dual-licensed,e.g. QT. Pay if you
wish to sell software, no need to otherwise.

 

[CBFalconer]

Except keep your code private. Something that is usually
essential for commercial code.


The users don't need the source code. They use the equipment not
mess around inside it. It does keep the source away from
competitors and terrorists

BTW I have discovered that a LOT of FOSS users take the code use
it and modify it but do not make it available again. They launch
products using it but you won't ever see the source for it. SO
you can have your cake and eat it.

I think I already pointed out that you should expose such thieves,
and asked whether or not the UK had laws insisting on exposing
thievery.

 

[CBFalconer]

The odds are good that it will never happen.

If you continue your (apparent) practice of concealing thievery it
will increase the chance of not getting caught.

 

[CBFalconer]

A lot of people seem to be doing (ignoring GPL) it though.

The question is that if the GPL-violations team get good at this
will it kill the use of GPL software in the commercial space?

Most companies don't want to release their software to
competitors. And in some cases releasing it will open the
system to serious security problems.

The solution is extremely simple. Don't try to steal and sell
other peoples property.

 

[Kelsey Bjarnason]

[snips]

In fact ALL the commercial software I supply RTOS, stacks, file
systems etc comes in source code form.

Fortunately they don't have the highly restrictive GPL license.

A license which allows you to do virtually anything you want,

Except keep your code private.

Really? Imagine, someone letting you use their code for free, but
expecting you to actually follow that sense of sharing. How horrible of
them. Sorry, where was the restrictive licensing? I missed it. I saw
something about you wanting someone to hand you stuff on a silver platter
*and* give you the rights to ignore the very reason they'd give it to you
in the first place, but that's your failing, not the license's. So,
again, where's this restrictive license?

The users don't need the source code.

Sorry, Chuckles, but a lot of us *do* want the sources. If you want to
be Microsoft, go work for them. I've absolutely no interest in closed
source apps and becoming beholden to yet another company who can hold me
hostage to their whims.

They use the equipment not mess
around inside it. It does keep the source away from competitors and
terrorists

Terrorists? Oh, good goat, you're not actually serious.

BTW I have discovered that a LOT of FOSS users take the code use it and
modify it but do not make it available again.

So report them - if they're violating the terms of the license. Not all
OSS licenses require this.

Industry is pragmatic and just ignores the GPL when it feels like it.
After al who is going to sue them?

I take it you're blissfully unaware of the cases where exactly that has
happened. Just FYI, there's this nifty new technology for following news
relevant to the IT sector (among others): it's called the "internet".
You should look into it sometime.

 

[Kelsey Bjarnason]

[snips]

BTW there are many commercial applications where the source code IS
available and can be modified. You just cant release the source. The
majority of the users of this software (normally OEM's) would not want
to release the source or their system anyway.

You want the source code for industrial security and fire systems or
avionics systems to be let loose?

Absolutely.

I repeat: absolutely.

I'm quite certain you cannot come up with a good argument *not* to do
so. The usual bullcrap, such as "then the black hats can see it, exploit
it" is readily shown to be a steaming load of hooey by the fact that
Windows and Windows apps are regularly exploited *without source* so
keeping it closed is *not* an actual protection - whereas opening it
exposes it to wider scrutiny, a wider group of bug fixers and security
hole spotters.

CRAP. Quite often the feature is added by the supplier. Why should you
be able to alter an application?

Because I *use* the application to do *my* job, or meet *my*
requirements. Thus it needs to work the way *I* need it to. What,
you're going to drop everything and write up a new feature every time I
decide your app doesn't work quite the way I want it to? Not blinkin'
likely. Now, with the source, *I* can make it work the way I need. I
don't have to be held hostage to whatever *you* happen to think should be
worked on next - if at all.

You keep saying "closed source" and as I KEPP TELLING YOU Just because
it isn't FOSS doesn't mean you don't get the source.

You did, however, mention the inability to distribute, which makes such
source useless. Sure, I can modify it, but I can't publish the modified
version out to the others in the office who need the mods. Yeah, how
wonderfully useless.

The point is they DO distribute the binary in the system and no one
cares.

Actually, a lot of people care.

But many, and the number is increasing, get away with it.

And several, and the number is increasing, are getting nailed for it. No
human system is perfect, what's your point? It has to be absolute
perfection or it isn't worth using at all?

The odds are good that it will never happen.

The odds are it will happen, as it's happening now *and* is likely to
increase in frequency, as OSS is moving into ever larger segments of the
software world, meaning everything from more eyes peeking to more money
available for such pursuits.

 

[Chris Hills]

I think I already pointed out that you should expose such thieves,
and asked whether or not the UK had laws insisting on exposing
thievery.

I assume you have private income and don't need to work? As usual you
are over simplistic. I know the US invasion of Iraq is illegal and
civilians have been murdered but what should/can I do about it?

BTW who said it was anyone in the UK? The cases suggested to me were all
foreign.

I have no real evidence what would stand up in caught and the people
talked to me certainly would not stand up in court either. They want to
continue working and their views on the FOSS devotees is that they are
"turkeys voting for Christmas". There are a lot of programmers who
don't share the FOSS ideal

Also for some parts of the world (possibly where more violations occur)
you are more likely to be chucked out on a visa irregularity than
actually make it in to a courtroom for a case like this. Even if they
let you in the country in the first place. Winning your case is not an
option.

Apparently using FOSS and not releasing the source is getting common
place. The problem is the world is not into these utopian ideals the
second money gets involved. In an ideal world it would but it's not like
that. Most don't really care and those making the money certainly
don't.

I wondered if that by prosecuting the users of illegal use of FOSS if
the use of FOSS would drop. Very few in the commercial world want to
release the source. SO if the FOSS community start chasing GPL
violations the amount of FOSS will decline in the commercial world. That
would for the FOSS community be counter productive. Not prosecuting
would help FOSS.

For example MS with their FAT file system only prosecuted a couple of
people to set the precedent and then did not chase. Therefore the whole
world uses the FAT file system for most embedded systems (obviously UNIX
still uses it's own system) It was a way of gaining market dominance.

Once it is the only option and it is too much hassle to change I expect
they will flex their muscles again pointing back to the cases of
precedence they won. Then a very low charge to each user world wide
would be a large global revenue.

The other alternative is to change the GPL so that the source does not
have to be released. It thought that was where the GPLL came in for the
libraries. Also I thought that the new GPL 3 permitted licensed SW to be
integrated into Linux without the source being made public?

It is an interesting problem where idealism meets hard nosed
commercialism. Usually money wins. You will always have people who put
money over ideals. Hence the mess the world is in with global warming.
Several industrial nations would rather destroy the planet than change
their economies. You think they are going to change for the GPL?
Unlikely. Generally humans are not nice people as soon as money,
survival or comfort get involved.

 

[Kelsey Bjarnason]

[snips]

Yes.. But not everyone releases their modified versions. Nor do they
feed the fixes back to others.

"Not everybody" who, exactly?

You can take something like, oh, Xandros as an example. Portions of
their distro are strictly closed source, as I understand it - and there's
absolutely nothing wrong with that. Other parts are open source, due to
GPL, LGPL and other license restrictions.

But they do. That is the point

Then they're releasing the software to anyone who wants to buy it, or who
can convince someone to make them a copy. If you don't want the
competitors to get it, the only way is to not release it.

What closed source? You seem to think things are either FOSS or closed
source.

If the license doesn't let me modify the sources and redistribute - say
to the workstations or servers in my company, at least - then to all
intents and purposes it *is* CSS.

SO you are happy to release source code of your security system to the
enemy?

Of course. Security by obscurity is the mark of the rank incompetent.
If your software is so bad it can't keep a system secure even when the
bad guys have the source, then your software isn't worth having.

I point out that Linux is fairly widely used in a security context,
providing everything from firewalls to large-scale financial transactions
and more - and is open source. The reason this works is simple enough:
the code is, on the whole, well written and continues to keep things safe
*whether the bad guys have the code or not*.

The same principle applies to cryptography software: if it's not secure
when the attacker has the code, it's not secure, period. It's junk,
scrap it, get something written by a developer with a clue.

Anyone who thinks "closed source" has any serious impact on improving
security should not be allowed to work in a security field; they're
demonstrably incompetent to do so, as they don't even understand the
issues involved.

 

[Kelsey Bjarnason]

[snips]

No. Why would they want to?

Anyone who wants modifications that you can't, or won't provide, or won't
provide in a timely manner, might want to. So, does handing out the
sources, or portions thereof, to development houses for competitive bids
qualify as "redistribution"? How about handing it to them for the
development phase?

What I have discovered over the last few months is a LOT of places get
FOSS, use it, improve it and don't release any source either the
application it is used in or the Open Source they started with.

So report 'em.

 

[Kelsey Bjarnason]

[snips]

Many people are paid to work on Linux and some love working on it
because then they get an operating system they like free of charge.

I've never understood this "you get better results if you pay 'em"
nonsense.

Commercial software, generally, is done to some sort of schedule, and in
far too many cases, the schedule, not the quality of the code, determines
when it gets released.

One could point to the most obvious example out recently: Vista. Despite
a massive development budget and some 6-7 years' development time, what
was released was big, bloated and buggy - enough so that many users who
get it actually switch back to XP.

Given this, we must conclude that the Vista developers were *not* paid
for their work. Or we must conclude that Vista somehow incorporates these
"better results", which explains the people madly migrating away from it,
or simply not buying in the first place.

 

[Kelsey Bjarnason]

[snips]

Er, most closed source software has mechanisms through which you can
complain about problems. If everthing else fails, you can always
actively stop buying, or using, the product in question.

Not necessarily.

There's a local company who is still using an old DOS app. They hate it,
but they use it. Why?

The company who made it either closed up shop or dropped the product,
don't recall which. In either case, no new versions, no support - and no
sources. Also no file format descriptions.

They're stuck using it because they have, literally, tens of thousands of
documents stored in its opaque file format, which they cannot convert to
another app's format except manually - a process they expect will cost at
_least_ five million, probably closer to ten.

Thanks to their use of closed source, they are *screwed*. They can't use
newer OSen with the app. If/when DOS becomes non-viable on newer
machines (as new hardware designs move to the point DOS can't cope with),
they won't be able to replace the machines it runs on as they wear out.
They can't get bug fixes. They can't get new features.

The app is sufficiently large and complex that reverse engineering it is
likely not a viable option, even to determining file structures from the
process: while a DOS app, it is a very extensive DOS app. Think a cross
between AutoCAD and a mapping application.

They only have one option in the end: use a different app and pay the
costs of migrating the data. Will the new app also leave them stranded?
If it's another typical CSS app, quite possibly.

Nor is this a unique situation by any means. Any piece of software which
uses both undocumented formats and closed source runs this sort of risk
for the user.

Nor is this the only threat. Sure, that's a case where the software is
no longer viable, but what if the software *is* still viable - but the
developer won't make the mods you need *and* won't offer a means to
migrate away from their app?

After all, it's not exactly in the vendor's best interests to help you go
use someone else's app. If they keep the formats closed, the sources
closed, the methods for extracting the data opaque, they are effectively
holding the user hostage: keep paying us, or all your data is rendered
useless, unless you want to face a painful and expensive migration cost.

It's cheaper, generally, to just keep paying for the app, but that
doesn't mean you're doing so by choice; you're doing so because the
vendor effectively controls your data. You simply can't afford to switch.

As another aspect, consider one of the apps I'm using. I'm probably
legally prevented from naming it, specifically, but it's a commonly used
tool in many areas - including being bundled into several major
applications, at least two of which our business relies upon.

We bought a developer edition of the software, only to find that the
documentation is broken beyond repair. Worse, they freely admit the
documentation _assumes_ you already know how to use the product, meaning
if you're new to using it, as I am, you *cannot* use the documentation to
learn how to use the software; there's insufficient information included
to figure out how to do even basic things.

If it were just me, I'd say scrap it, we'll use something else.
Unfortunately, it's not just me. It's me, the others in the company who
use packages which bundle and require the tool. I'm quite certain I
could come up with a replacement package, but I doubt I'm going to get
the vendors of the other apps we use to switch, either just for us or for
their entire customer base.

We are, in short, stuck using something I *really* don't want to use,
because the cost of migrating all the apps we use which include it, plus
the retraining costs involved, are prohibitive. We're again held hostage
to a piece of software, to a vendor and their policies.

As a business, we are moving steadily towards an OSS operating
environment. This isn't a matter of costs - sure, we save some using OSS
as a rule, but not enough to be a compelling case for switching - but
simply because with OSS, the control is in our hands, we are never
beholden to a piece of software or a vendor. We have the source, we can
modify it as we need, to suit our needs and - if necessary - we can
fairly easily migrate to a different application.

Putting your data in a situation where it is effectively under the
control of some third party just doesn't strike me as a good idea. Yeah,
maybe they'll expose the formats. Maybe they'll add the features you
need. Maybe they'll keep supporting the app forever. Maybe they'll
still be in business 20 years from now. And maybe they won't. Just how
much are *you* willing to pay if the assumption they'll always be there,
doing what you need, the way you need it and when you need it, turns out
to be false?

 

[Kelsey Bjarnason]

[snips]

[1] A good question is ... do Linux Kernel developers in specific, or
open source developers in general, follow a documented software
development process? Or is it all ad hoc?

They follow an incompletely documented development process. Which isn't
the same thing ad-hoc. False dichotomy.

Frankly, the *development process* strikes me as something of a red
herring.

You say you work on kernel code. You presumably use whatever methods and
processes work for you. Suppose I started working on another part of the
kernel; I might choose to use a completely different process.

Does this matter? No. What matters is the results. Does the stuff I
produce work? Does the stuff you produce work? Does it work in the
general case - i.e. is it suitable for inclusion into kernel.2.x.next?

If so, the only part where there really needs to be any sort of process
is when new code is submitted for inclusion: it needs to be reviewed by
(ideally many) competent kernel developers, then included and tested or
rejected as the case may be.

How it's developed is irrelevant; how it's incorporated matters.

 

[Michal Nazarewicz]

[snips]

On Thu, 24 Jan 2008 10:43:19 +0000, Chris Hills wrote:

In fact ALL the commercial software I supply RTOS, stacks, file systems
etc comes in source code form.

Fortunately they don't have the highly restrictive GPL license.

A license which allows you to do virtually anything you want,

Except keep your code private. Something that is usually essential
for commercial code.

If company bought a closed source application it would have no access to
source code and no possibility to modify it anyway.

BTW there are many commercial applications where the source code IS
available and can be modified. You just cant release the source. The
majority of the users of this software (normally OEM's) would not want
to release the source or their system anyway.

Guess what. You can do that with Open Source software. You can use
application in your company and modify it's source code providing that
you don't redistribute the modified version.

You want the source code for industrial security and fire systems or
avionics systems to be let loose?

Yes. Lack of source code is not source of security.

CRAP. Quite often the feature is added by the supplier. Why should
you be able to alter an application?

Because quite often supplier do not care about each individual user
especially user such as I am and even if she/he considered my feature
request it would have a low priority and I'd have to wait for ages for
one tiny feature which requires 50 lines of code I could write by myself
if I had the source code.

You keep saying "closed source" and as I KEPP TELLING YOU Just because
it isn't FOSS doesn't mean you don't get the source.

I consider everything that is not "open source" to be "closed source"
the same way that doors that are not "open" are "closed".

I know some compilers where you get the complete source code of the
libraries. Though not the compiler as it contains their IP they
don't want to release and why should they? .

If they don't want to they don't have to. Fortunately, there's a choice
nowadays (at least as far as compilers are considered).

The point is they DO distribute the binary in the system and no one
cares. Actually in some market sectors it is quite common. Open
source is a one way street.


But many, and the number is increasing, get away with it.

Even if that's true (I wonder where you get that information from), then
what does it prove? That such companies are not to be trusted because
they steal something that they get for free?

It also reminds me of a some IM communicator which was based on
Miranda. They didn't get sued but discontinued after they fact they
stole Miranda's source code was discovered (and it didn't take long).

The odds are good that it will never happen.

They odds are good that I won't get caught when I steal a candy from
a store. Again what does it prove?