On at 2024-12-02 00:08 -0500, Jerome Shidel via Freedos-devel wrote:
Hi All,
I figure I will through in my 2 cents worth of interpretation for their
License, Restrictions and my Conclusions in regards to UPX.
UPX and UCL are copyrighted software distributed under the terms of
the GNU General Public License (hereinafter the "GPL").
Good, the program and compression library are distributed under the GPL
(version 2 or later).
UPX-UCL yes, UPX-NRV no. (Because the NRV library is used, none of the
remaining part of the build binary can be assumed to be under the GPL in
this case. Although the other parts may be identical to what the free
sources would compile to given the missing NRV sources.)
The stub which is imbedded in each UPX compressed program is part of
UPX and UCL, and contains code that is under our copyright.
Okay, the stub that gets embedded into the program being compressed is
under the GPL.
Yes, but as I mentioned I don't care much about the stub linking question.
The terms of the GNU General Public License still apply as
compressing a program is a special form of linking with our stub.
Hmmm, whatever. They are just making up a definition for the interaction
between the stub and the program that is
being compressed. A little weird but that is fine. They can define
things however they want as long as they are clear
about it. I could define the process used in my programs to perform
buffered file I/O as pizza dough kneading. That
would be fine as long as I am consistent. But it would not actually make
it any sort of dough kneading. Only what I
would be calling it in a license and documentation. So, they can call it
a “special form of linking”. However, it does not
make it any form of linking as understood by the rest of the world.
I don't think it's wrong to consider the stub insertion a form of
linking. Hell, I my self have argued that loading .SYS or .EXE device
drivers from FDCONFIG.SYS could be counted as linking. (I mean device
drivers, loaded using DEVICE=, not INSTALL=. DOS allows to load MZ
executables as device drivers.) It is well known that "compiler" type
applications which insert part of themselves into their output can
affect the usage conditions of the resulting "data" / output. And that's
exactly what UPX does.
As a special exception we grant the free usage of UPX for all
executables, including commercial programs.
See below for details and restrictions.
Yippie. You can use UPX with any program regardless of the license for
that program. But, they are some
exceptions and restrictions.
The stub which is imbedded in each UPX compressed program is part of
UPX and UCL, and contains code that is under our copyright. The
terms of the GNU General Public License still apply as compressing a
program is a special form of linking with our stub. Hereby Markus
F.X.J. Oberhumer and Laszlo Molnar grant you special permission to
freely use and distribute all UPX compressed programs (including
commercial ones), subject to the following restrictions:
Okay, I think this “special form of linking” is to establish the fact
that it is not “traditional linking” and your program
and the stub used for decompression are two separate programs with two
different licenses. You program can have
whatever license you want. But, the little stub that is embed into your
program is a separate entity and has its own
license that is not changed by the license used by the program compressed.
1. You must compress your program with a completely unmodified UPX
version; either with our precompiled version, or (at your option)
with a self compiled version of the unmodified UPX sources as
distributed by us.
So, if you are using UPX to compress a program that is not open source,
you cannot use a modified version of UPX.
This implies that if your program is open source, you can change UPX
however you want.
Correct.
(The FreeDOS original kernel compression does, I think, in fact modify
the UPX stub. Or at least it used to? Not sure after the exeflat updates
I contributed a while ago. In my fddepack contribution [1] I noted that
we "technically do not [modify their depacker stub], just prepend our
stub stub". So I guess it could be argued either way.)
2. This also implies that the UPX stub must be completely unmodfied,
i.e. the stub imbedded in your compressed program must be
byte-identical to the stub that is produced by the official
unmodified UPX version.
Hmmm, this implies that programs which are not open source must use a
version of the UPX stub that is identical to
the officially released version. Therefore, any changes or compile time
options which may result in changes to the
binary code of the stub cannot be used with programs that are not open
source.
Not quite. I think compile time options would be fine as we'd still be
using "a self compiled version of the unmodified UPX sources as
distributed by [them]". Besides, as for the UPX-UCL vs UPX-NRV problem,
consider that the depack stubs are likely not changed between the two.
UPX-NRV simply uses a better compression library, but it produces
compatible output that the UPX-UCL library can depack as well.
3. The decompressor and any other code from the stub must
exclusively get used by the unmodified UPX stub for decompressing
your program at program startup. No portion of the stub may get
read, copied, called or otherwise get used or accessed by your program.
Alright, if your program is not open source, you can use the UPX stub.
But, that’s it.
Fine, nobody does anything with the stub directly anyway. Although this
clause would
technically exclude any commercial operating system from executing a
program that
had been compressed with UPX, that is not what is meant. There is what
is known as
“the letter of the law" and "the intent of the law.” Anyone reasonable
would conclude, since
they provide versions of UPX for Windows, they do not intend it not to
be usable on a
commercial operating system. Furthermore, they would not be
excluding “normal use” of
any program compressed with UPX.
The License is dated 2/25/2000 making it almost a 1/4 of a century since
it was last modified.
Now looking at the README.SRC file, we find some additional information…
The precompiled UPX versions are linked against the NRV compression
library instead of the UCL library. Using the same compression
algorithms, NRV achieves a better compression ratio. NRV is not
publicly available, though, and probably never will be. While you
may be disappointed that you don't have access to the latest
state-of-the-art compression technology this is actually a safe
guard for all of us. The UPX source code release makes it very easy
for any evil-minded person to do all sort of bad things. By not
providing the very best compression ratio it is much more difficult
to create fake or otherwise disguised UPX versions (or similar
trojans), as any end user will notice when the compression has
gotten worse with a new "version" or "product". Finally please be
aware that you now have your hands on the source code of the most
sophisticated executable packer ever. Let's join our forces to make
it even better :-)
Hmmm. So, the official UPX binaries are not linked to the UCL library
which is GPL. The reason
for using a different library is “security through obscurity” which does
not work. However, this also
means that the official build of UPX is not open source. It is freeware.
However, this freeware
version can be used to compress any program, regardless of the license
for that program.
Yes, exactly. And that's my problem, I want our toolchain to be free,
not make use of proprietary parts. (This is in fact what I am doing to
core parts of the 2024 April free software release of MS-DOS v4 now,
porting them to build with NASM (2-clause BSD license) and WarpLink and
x2b2 (both public domain).)
This also means that it is possible that the open source version of UPX
using the UCL may not be
used to compress any program that is not open source. Because, the stub
might not be byte identical
to the stub created by the NRV library. If so, it would be
in violation of the License agreement.
As mentioned I think UPX-UCL still counts as a build of the original if
you don't modify the shipped sources, so the exception could still apply.
Obviously, I am not a lawyer. But, what I gather from all of this
nonsense is the following…
For the FreeDOS distribution, it really does not matter if we use the
official build of UPX with NRV
or the strictly GPL version with UCL compression. Any of the programs we
might compress will be
open source and can use either version.
For the end users of our release, it could matter. If those users decide
to provide freeware or commercial
software compressed with UPX they must use the byte identical stub that
is provided with the official
build of UPX. If the stub that is stapled into their executables is
different with the UCL version, they
would be in violation of the UPX License.
This is something to consider when determining which version of UPX is
provided with the FreeDOS
distribution.
:-)
Jerome
Regards,
ecm
[1]: https://github.com/FDOS/kernel/issues/75
_______________________________________________
Freedos-devel mailing list
Freedos-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/freedos-devel
