From 7b1742695631770b7feb68bf93b55c3055d73f29 Mon Sep 17 00:00:00 2001 From: Harald Welte Date: Tue, 8 Mar 2016 04:13:54 +0700 Subject: first draft of asciidoc slides for Linaro Connect Bangkok 2015 --- 2016/linaroconnect/compliance.adoc | 201 +++++++++++++++++++++++++++++++++++++ 1 file changed, 201 insertions(+) create mode 100644 2016/linaroconnect/compliance.adoc (limited to '2016/linaroconnect') diff --git a/2016/linaroconnect/compliance.adoc b/2016/linaroconnect/compliance.adoc new file mode 100644 index 0000000..ff8cf4a --- /dev/null +++ b/2016/linaroconnect/compliance.adoc @@ -0,0 +1,201 @@ +Linux, Community and License Compliance +======================================= +:author: Harald Welte +//:copyright: sysmocom - s.f.m.c. GmbH (License: CC-BY-SA) +:backend: slidy +:max-width: 45em +//:data-uri: +//:icons: + + +== Who am i and why am I here? + +[role="incremental"] +* Former Linux kernel developer (mostly netfilter/iptables) +* Lover of network and communications protocols, particularly _obscure_ ones +* have had many, many other lives, including: +** helping an (ARM) SoC maker to understand mainline development process +** security research + ethical hacking @ German CCC +** Open Hardware + FOSS firmware/software RFID reader (OpenPCD) +** developing electronics + software for the first _100% FOSS_ Linux based Smartphone (OpenMoko, before Android...) +** 2008 onwards: OpenBSC, Osmocom: FOSS implementation of telecom protocol stacks for GSM/GPRS/EDGE/UMTS infrastructure +** 2011 onwards: running a small company in Berlin doing FOSS based cellular infrastructure +* but also: Legal enforcement of the GNU GPL on the Linux kernel +* I'm here to share my personal perspective on License compliance + + +== My personal journey into _the communities_ + +Every hacker is socialized differently, but in my case it was like +this: + +* BBS communities (FIDO, Z-Netz, ...) and UseNet @ age 12 +* programming DOS shareware in TurboPascal @ age 13 +** I was young and didn't know about Free Software yet. My apologies +* switched to GNU/Linux before Windows 95, never looked back +** learning about Free Software, GNU, copyleft, the GPL +* from 1994 on, helped building a non-for-profit ISP +** started to write + contribute patches against software we used there +* from 1999 onwards: netfilter/iptables, the Linux 2.3/2.4 packet filter + +[role="incremental"] +=> all of the above were communities of enthusiasts + +[role="incremental"] +* open to anyone +* information and code was shared freely, to mutual benefit + + +== Linux and license compliance + +* Until around 2000, Linux was still quite a small niche, the niche of the nerds +** the Long-bearded gurus used a *real* UNIX +** the rest of the world was trapped in Microsoft-land + +[role="incremental"] +* GPL violations on the Linux kernel were not known to me until about 2002 +* First news about GPL violations made me very upset +** the industry ignored our culture, rules and norms +** they took what we had created and did not give back +** as companies didn't react to friendly reminders, I started legal action +** gpl-violations.org was started, first legal case in 2003 +** enforcement in hundreds of cases, most of them out of court +** prevailed in several German court cases, 100% success rate + + +== Technical GPL enforcement + +In the active phase of gpl-violations.org, we would + +[role="incremental"] +* browse new product announcements, vendor web sites for suspicious-looking products +* go into electronics stores and make test purchases +* disassemble the hardware +* reverse-engineer serial console, JTAG +* dump flash via JTAG or hot-air-rework and offline flash dumping +* manually unpack the (often proprietary) firmware image formats +* search for strings/symbols of Linux kernel code that I hold copyright on +* As this is the technical part, it can actually be quite enjoyable. +* Buying new gadgets and probing test-points for UART/JTAG definitely + more enjoyable and rewarding than Sudoku for me ;) + + +== Legal GPL enforcement + +After technical analysis is complete, the legal battle starts + +[role="incremental"] +* explaining technical evidence to your lawyer +* reviewing legal briefs of both parties +* spending lots of time trying to teach corporate legal departments + what you have learned as a teenager growing up with FOSS +* makes you **even more frustrated/upset**, as this costs time +** not only do they insult the community and its culture +** they now also keep me from writing more code by being hostile or ignorant +** and they force me to take legal risks + +[role="incremental"] +Starts all over again with each new vendor, department within +the vendor, or at least in every new market Linux gets introduced :( + +== Taking a step back + +[role="incremental"] +* companies start to work on/with Linux without following + collaborative development model. Their management is free to +** ignore the decades-old requests by the community +** ignore requests by their own engineers to contribute +* community upset, because management did *not* enable, allow or require +** FOSS development to be done in the regular, collaborative process +** their engineers to contribute +* gpl-violations.org uses the legal vehicle of copyright enforcement +** senior management cannot ignore legal threats, we got their attention! +* Result: they ask their lawyers what needs to be done to comply to + the absolute minimum _legally_ required to not get in trouble +** they do still not follow the collaborative development process + + +== The cultural impedance mis-match + +Surprise: FOSS is about collaborative development + +[role="incremental"] +* participation on mailing lists +* developing code in public repositories +* using fine grained commits +* to **jointly develop software** +* it is **not about procrastinating over legal issues** +* FOSS developers _really_ want **collaboration, not license compliance** +** GPL is just a legal hack to ensure the bare absolute minimum of adherence to the FOSS culture +** it suffers from impedance mismatch between what can be done under copyright law, and not what is _actually_ the goal in terms of a development model +** focusing _just_ on legal compliance with the license indicates a lack of understanding +* **GPL compliance should be driven by engineering, not legal!** + + +== Cultural Differences + +[role="incremental"] +* exist between every set of two cultures +* think of _Western_ vs. _Asian_ culture +* westerners (_farang/gaijin/laowei_) are considered rude, if they +[role="incremental"] +** stick chopsticks in a rice bowl anywhere in Asia +** have loud phone conversations on a Japanese train +** want to split a restaurant bill in China +** decline to accept Soju offered by their Korean host +** use a Buddha statues head as decoration in Thailand +* Being European and coming to Asia likely causes me to make mistakes +due to the _cultural differences_. +* those mistakes may cause people to be upset with me. _How could I +not know?_ Couldn't I at least inform myself before travelling? +* This is not so different from an electronics or proprietary software +company first engaging with FOSS + + +== License Compliance in 2016? + +[role="incremental"] +* those parts of the IT industry exposed to + (embedded) Linux for a longer time make more of an effort to comply + _with legal requirements only_ +** establishing the required release + business processes +** FOSS + proprietary tools for aiding license compliance +** world-wide Legal Network by FSFE with hundreds of legal experts +* license compliance is driven by fear of legal threats, not by + understanding + following collaborative development models :( +* Treated similar to compliance with environmental standards, regulatory requirements, etc. + +[role="incremental"] +=> Bringing back the Western vs. Asian cultural analogy: + +[role="incremental"] +* Our _farang/gaijin/laowei_ now complies with local laws by not + bringing illegal drugs into Asia that might be legal at his home + (legal compliance) +* He still often ignores the local culture and social norms, and is + perceived by some of the locals as disrespectful or rude at times + (doesn't cause legal risks) + + +== Summary + +[role="incremental"] +* legal-to-the-letter compliance has significantly improved over the + last 15 years +* awareness that license compliance is mandatory is widely present +* collaborative FOSS development model is becoming more frequent +* however, some industry players, particularly those doing FOSS for a shorter + time still think FOSS is a one-way road that enables them to profit + on the work of others while keeping their code private / out-of-tree +** Sure, you can have a marriage that caters exclusively to the needs of one of the people involved +*** But will it be sustainable _till death do us part_? +*** Or will it just be a short affair? +* we need to shift the focus from _legal-centric GPL compliance_ to + _engineering-centric collaborative development_ + + +== The End + +Thanks for your attention. + +* You have a license to raise questions now ! -- cgit v1.2.3