From 9c1bfa3198ca99c848415dbf8ff7cc1fced77211 Mon Sep 17 00:00:00 2001 From: Harald Welte Date: Fri, 27 May 2016 15:55:13 +0900 Subject: add slides from Blackduck Korea Open Source Conference --- 2016/blackduck_kr_2016/compliance.adoc | 200 ++ 2016/blackduck_kr_2016/compliance.html | 4464 ++++++++++++++++++++++++++++++++ 2 files changed, 4664 insertions(+) create mode 100644 2016/blackduck_kr_2016/compliance.adoc create mode 100644 2016/blackduck_kr_2016/compliance.html (limited to '2016') diff --git a/2016/blackduck_kr_2016/compliance.adoc b/2016/blackduck_kr_2016/compliance.adoc new file mode 100644 index 0000000..d470eab --- /dev/null +++ b/2016/blackduck_kr_2016/compliance.adoc @@ -0,0 +1,200 @@ +Linux, Community, License Compliance +==================================== +:author: Harald Welte +:copyright: Harald Welte (License: CC-BY-SA) +:backend: slidy +:max-width: 45em +//:data-uri: +//:icons: + + +== Who am I and why am I here? + +[role="incremental"] +* Former Linux kernel developer (mostly netfilter/iptables) +* as technical as it can get. Not a lawyer. +* have had many, many other lives, including: +** helping an (ARM) SoC maker to understand mainline development process +** security research + ethical hacking @ German CCC +** Open Hardware + FOSS firmware/software RFID reader +** electronics + software development for the first _100% FOSS_ smartphone Openmoko +** 2008 onwards: OpenBSC, Osmocom: FOSS implementation of telecom protocol stacks for GSM/GPRS/EDGE/UMTS infrastructure +** 2011 onwards: running a small company in Berlin doing FOSS based cellular infrastructure +* but also: Legal enforcement of the GNU GPL on the Linux kernel +* I'm here to share my personal perspective on License compliance + + +== My personal journey into _the communities_ + +The culture in which we grow up defines our values. For me: + +* BBS communities (FIDO, Z-Netz, ...) and UseNet @ age 12 +* programming DOS shareware in TurboPascal @ age 13 +** Didn't know about Free Software yet. My apologies! +* switched to GNU/Linux before Windows 95, never looked back +** learning about Free Software, GNU, copyleft, the GPL +* from 1994 on, helped building a non-for-profit ISP +** started to write + contribute patches against software we used there +* from 1999 onwards: netfilter/iptables, the Linux 2.3/2.4 packet filter + +[role="incremental"] +=> all of the above were communities of enthusiasts + +[role="incremental"] +* open to anyone +* information and code was shared freely, to mutual benefit + + +== Linux and license compliance + +* Until around 2000, Linux was still the niche of the nerds +** the Long-bearded gurus used a *real* UNIX instead +** the rest of the world was trapped in Microsoft-land + +[role="incremental"] +* GPL violations on the Linux kernel were not known to me until about 2002 +* First news about GPL violations made me very upset +** the industry ignored our culture, rules and norms +** they took what we had created and did not give back +** as companies didn't react to friendly reminders, I started legal action +** gpl-violations.org was started, first legal case in 2003 +** enforcement in hundreds of cases, most of them out of court +** prevailed in several German court cases, 100% success rate + + +== Technical GPL enforcement + +In the active phase of gpl-violations.org, we would + +[role="incremental"] +* browse new product announcements, vendor web sites for suspicious-looking products +* go into electronics stores and make test purchases +* disassemble the hardware +* reverse-engineer serial console, JTAG +* dump flash via JTAG or hot-air-rework and offline flash dumping +* manually unpack the (often proprietary) firmware image formats +* search for strings/symbols of Linux kernel code that I hold copyright on +* As this is the technical part, it can actually be quite enjoyable. +* Buying new gadgets and probing test-points for UART/JTAG definitely + more enjoyable and rewarding than Sudoku for me ;) + + +== Legal GPL enforcement + +After technical analysis is complete, the legal battle starts + +[role="incremental"] +* explaining technical evidence to your lawyer +* reviewing legal briefs of both parties +* spending lots of time trying to teach corporate legal departments + what you have learned as a teenager growing up with FOSS +* makes you **even more frustrated/upset**, as this costs time +** not only do they insult the community and its culture +** they now also keep me from writing more code by being hostile or ignorant +** and they force me to take legal risks + +[role="incremental"] +Starts all over again with each new vendor, department within +the vendor, or at least in every new market Linux gets introduced :( + +== Taking a step back + +[role="incremental"] +* companies start to work on/with Linux without following + collaborative development model. Their management is free to +** ignore the decades-old requests by the community +** ignore requests by their own engineers to contribute +* community upset, because management did *not* enable, allow or require +** FOSS development to be done in the regular, collaborative process +** their engineers to contribute +* gpl-violations.org uses the legal vehicle of copyright enforcement +** senior management cannot ignore legal threats, we got their attention! +* Result: they ask their lawyers what needs to be done to comply to + the absolute minimum _legally_ required to not get in trouble +** they do still not follow the collaborative development process + + +== The cultural impedance mis-match + +Surprise: FOSS is about collaborative development + +[role="incremental"] +* participation on mailing lists +* developing code in public repositories +* using fine grained commits +* to **jointly develop software** +* it is **not about procrastinating over legal issues** +* FOSS developers _really_ want **collaboration, not license compliance** +** GPL is just a legal hack to ensure the bare absolute minimum of adherence to the FOSS culture +** it suffers from impedance mismatch between what can be done under copyright law, and not what is _actually_ the goal in terms of a development model +** focusing _just_ on legal compliance with the license indicates a lack of understanding +* **GPL compliance should be driven by engineering, not legal!** + + +== Cultural Differences + +[role="incremental"] +* exist between every set of two cultures +* think of _Western_ vs. _Asian_ culture +* westerners (_farang/gaijin/laowei_) are considered rude, if they +[role="incremental"] +** stick chopsticks in a rice bowl anywhere in Asia +** have loud phone conversations on a Japanese train +** want to split a restaurant bill in China +** decline to accept Soju offered by their Korean host +** use a Buddha statues head as decoration in Thailand +* Being European and coming to Asia likely causes me to make mistakes +due to the _cultural differences_. +* those mistakes may cause people to be upset with me. _How could I +not know?_ Couldn't I at least inform myself before travelling? +* This is not so different from an electronics or proprietary software +company first engaging with FOSS + + +== License Compliance in 2016? + +[role="incremental"] +* those parts of the IT industry exposed to + (embedded) Linux for a longer time make more of an effort to comply + _with legal requirements only_ +** establishing the required release + business processes +** FOSS + proprietary tools for aiding license compliance +** Legal Network by FSFE with hundreds of legal experts +* license compliance is driven by fear of legal threats, not by + understanding + following collaborative development models :( +* Treated similar to compliance with environmental standards, regulatory requirements, etc. + +[role="incremental"] +=> Bringing back the Western vs. Asian cultural analogy: + +[role="incremental"] +* Our _farang/gaijin/laowei_ now complies with local laws by not + bringing restricted items (medication, too long pocket knives) into + Asia which might be legal at his home (legal compliance) +* He still often ignores the local culture and social norms, and is + perceived by some of the locals as disrespectful or rude at times + (doesn't cause legal risks) + + +== Summary + +[role="incremental"] +* legal-to-the-letter compliance has significantly improved over the + last 15 years +* awareness that license compliance is mandatory is widely present +* collaborative FOSS development model is becoming more frequent +* however, some industry players, particularly those doing FOSS for a shorter + time still think FOSS is a one-way road that enables them to profit + on the work of others while keeping their code private / out-of-tree +** Sure, you can have a marriage that caters exclusively to the needs of one of the people involved +*** But will it be a sustainable long-term relationship? +*** Or will it just be a short affair? +* we need to shift the focus from _legal-centric GPL compliance_ to + _engineering-centric collaborative development_ + + +== The End + +Thanks for your attention. + +* You have a license to raise questions now ! diff --git a/2016/blackduck_kr_2016/compliance.html b/2016/blackduck_kr_2016/compliance.html new file mode 100644 index 0000000..f337b38 --- /dev/null +++ b/2016/blackduck_kr_2016/compliance.html @@ -0,0 +1,4464 @@ + + + + +Linux, Community, License Compliance + + + + + + + + +
+

Who am I and why am I here?

+
+
    +
  • + +Former Linux kernel developer (mostly netfilter/iptables) + +
  • +
  • + +as technical as it can get. Not a lawyer. + +
  • +
  • + +have had many, many other lives, including: + +
      +
    • + +helping an (ARM) SoC maker to understand mainline development process + +
    • +
    • + +security research + ethical hacking @ German CCC + +
    • +
    • + +Open Hardware + FOSS firmware/software RFID reader + +
    • +
    • + +electronics + software development for the first 100% FOSS smartphone Openmoko + +
    • +
    • + +2008 onwards: OpenBSC, Osmocom: FOSS implementation of telecom protocol stacks for GSM/GPRS/EDGE/UMTS infrastructure + +
    • +
    • + +2011 onwards: running a small company in Berlin doing FOSS based cellular infrastructure + +
    • +
    +
  • +
  • + +but also: Legal enforcement of the GNU GPL on the Linux kernel + +
  • +
  • + +I’m here to share my personal perspective on License compliance + +
  • +
+
+
+
+

My personal journey into the communities

+
+

The culture in which we grow up defines our values. For me:

+
    +
  • + +BBS communities (FIDO, Z-Netz, …) and UseNet @ age 12 + +
  • +
  • + +programming DOS shareware in TurboPascal @ age 13 + +
      +
    • + +Didn’t know about Free Software yet. My apologies! + +
    • +
    +
  • +
  • + +switched to GNU/Linux before Windows 95, never looked back + +
      +
    • + +learning about Free Software, GNU, copyleft, the GPL + +
    • +
    +
  • +
  • + +from 1994 on, helped building a non-for-profit ISP + +
      +
    • + +started to write + contribute patches against software we used there + +
    • +
    +
  • +
  • + +from 1999 onwards: netfilter/iptables, the Linux 2.3/2.4 packet filter + +
  • +
+

⇒ all of the above were communities of enthusiasts

+
    +
  • + +open to anyone + +
  • +
  • + +information and code was shared freely, to mutual benefit + +
  • +
+
+
+
+

Linux and license compliance

+
+
    +
  • + +Until around 2000, Linux was still the niche of the nerds + +
      +
    • + +the Long-bearded gurus used a real UNIX instead + +
    • +
    • + +the rest of the world was trapped in Microsoft-land + +
    • +
    +
  • +
  • + +GPL violations on the Linux kernel were not known to me until about 2002 + +
  • +
  • + +First news about GPL violations made me very upset + +
      +
    • + +the industry ignored our culture, rules and norms + +
    • +
    • + +they took what we had created and did not give back + +
    • +
    • + +as companies didn’t react to friendly reminders, I started legal action + +
    • +
    • + +gpl-violations.org was started, first legal case in 2003 + +
    • +
    • + +enforcement in hundreds of cases, most of them out of court + +
    • +
    • + +prevailed in several German court cases, 100% success rate + +
    • +
    +
  • +
+
+
+
+

Technical GPL enforcement

+
+

In the active phase of gpl-violations.org, we would

+
    +
  • + +browse new product announcements, vendor web sites for suspicious-looking products + +
  • +
  • + +go into electronics stores and make test purchases + +
  • +
  • + +disassemble the hardware + +
  • +
  • + +reverse-engineer serial console, JTAG + +
  • +
  • + +dump flash via JTAG or hot-air-rework and offline flash dumping + +
  • +
  • + +manually unpack the (often proprietary) firmware image formats + +
  • +
  • + +search for strings/symbols of Linux kernel code that I hold copyright on + +
  • +
  • + +As this is the technical part, it can actually be quite enjoyable. + +
  • +
  • + +Buying new gadgets and probing test-points for UART/JTAG definitely + more enjoyable and rewarding than Sudoku for me ;) + +
  • +
+
+
+
+

Legal GPL enforcement

+
+

After technical analysis is complete, the legal battle starts

+
    +
  • + +explaining technical evidence to your lawyer + +
  • +
  • + +reviewing legal briefs of both parties + +
  • +
  • + +spending lots of time trying to teach corporate legal departments + what you have learned as a teenager growing up with FOSS + +
  • +
  • + +makes you even more frustrated/upset, as this costs time + +
      +
    • + +not only do they insult the community and its culture + +
    • +
    • + +they now also keep me from writing more code by being hostile or ignorant + +
    • +
    • + +and they force me to take legal risks + +
    • +
    +
  • +
+

Starts all over again with each new vendor, department within +the vendor, or at least in every new market Linux gets introduced :(

+
+
+
+

Taking a step back

+
+
    +
  • + +companies start to work on/with Linux without following + collaborative development model. Their management is free to + +
      +
    • + +ignore the decades-old requests by the community + +
    • +
    • + +ignore requests by their own engineers to contribute + +
    • +
    +
  • +
  • + +community upset, because management did not enable, allow or require + +
      +
    • + +FOSS development to be done in the regular, collaborative process + +
    • +
    • + +their engineers to contribute + +
    • +
    +
  • +
  • + +gpl-violations.org uses the legal vehicle of copyright enforcement + +
      +
    • + +senior management cannot ignore legal threats, we got their attention! + +
    • +
    +
  • +
  • + +Result: they ask their lawyers what needs to be done to comply to + the absolute minimum legally required to not get in trouble + +
      +
    • + +they do still not follow the collaborative development process + +
    • +
    +
  • +
+
+
+
+

The cultural impedance mis-match

+
+

Surprise: FOSS is about collaborative development

+
    +
  • + +participation on mailing lists + +
  • +
  • + +developing code in public repositories + +
  • +
  • + +using fine grained commits + +
  • +
  • + +to jointly develop software + +
  • +
  • + +it is not about procrastinating over legal issues + +
  • +
  • + +FOSS developers really want collaboration, not license compliance + +
      +
    • + +GPL is just a legal hack to ensure the bare absolute minimum of adherence to the FOSS culture + +
    • +
    • + +it suffers from impedance mismatch between what can be done under copyright law, and not what is actually the goal in terms of a development model + +
    • +
    • + +focusing just on legal compliance with the license indicates a lack of understanding + +
    • +
    +
  • +
  • + +GPL compliance should be driven by engineering, not legal! + +
  • +
+
+
+
+

Cultural Differences

+
+
    +
  • + +exist between every set of two cultures + +
  • +
  • + +think of Western vs. Asian culture + +
  • +
  • + +westerners (farang/gaijin/laowei) are considered rude, if they + +
      +
    • + +stick chopsticks in a rice bowl anywhere in Asia + +
    • +
    • + +have loud phone conversations on a Japanese train + +
    • +
    • + +want to split a restaurant bill in China + +
    • +
    • + +decline to accept Soju offered by their Korean host + +
    • +
    • + +use a Buddha statues head as decoration in Thailand + +
    • +
    +
  • +
  • + +Being European and coming to Asia likely causes me to make mistakes +due to the cultural differences. + +
  • +
  • + +those mistakes may cause people to be upset with me. How could I +not know? Couldn’t I at least inform myself before travelling? + +
  • +
  • + +This is not so different from an electronics or proprietary software +company first engaging with FOSS + +
  • +
+
+
+
+

License Compliance in 2016?

+
+
    +
  • + +those parts of the IT industry exposed to + (embedded) Linux for a longer time make more of an effort to comply + with legal requirements only + +
      +
    • + +establishing the required release + business processes + +
    • +
    • + +FOSS + proprietary tools for aiding license compliance + +
    • +
    • + +Legal Network by FSFE with hundreds of legal experts + +
    • +
    +
  • +
  • + +license compliance is driven by fear of legal threats, not by + understanding + following collaborative development models :( + +
  • +
  • + +Treated similar to compliance with environmental standards, regulatory requirements, etc. + +
  • +
+

⇒ Bringing back the Western vs. Asian cultural analogy:

+
    +
  • + +Our farang/gaijin/laowei now complies with local laws by not + bringing restricted items (medication, too long pocket knives) into + Asia which might be legal at his home (legal compliance) + +
  • +
  • + +He still often ignores the local culture and social norms, and is + perceived by some of the locals as disrespectful or rude at times + (doesn’t cause legal risks) + +
  • +
+
+
+
+

Summary

+
+
    +
  • + +legal-to-the-letter compliance has significantly improved over the + last 15 years + +
  • +
  • + +awareness that license compliance is mandatory is widely present + +
  • +
  • + +collaborative FOSS development model is becoming more frequent + +
  • +
  • + +however, some industry players, particularly those doing FOSS for a shorter + time still think FOSS is a one-way road that enables them to profit + on the work of others while keeping their code private / out-of-tree + +
      +
    • + +Sure, you can have a marriage that caters exclusively to the needs of one of the people involved + +
        +
      • + +But will it be a sustainable long-term relationship? + +
      • +
      • + +Or will it just be a short affair? + +
      • +
      +
    • +
    +
  • +
  • + +we need to shift the focus from legal-centric GPL compliance to + engineering-centric collaborative development + +
  • +
+
+
+
+

The End

+
+

Thanks for your attention.

+
    +
  • + +You have a license to raise questions now ! + +
  • +
+
+
+ + -- cgit v1.2.3