On Tue, 5 Oct 2021 23:05:19 +0300 Jean Louis <bugs@gnu.support> wrote:
> * Denis 'GNUtoo' Carikli <gnu...@cyberdimension.org> [2021-10-05 18:59]:
> > On Tue, 5 Oct 2021 11:05:58 +0300
> > Jean Louis <bugs@gnu.support> wrote:
> > > Let us say somebody provides Windows source under GPL on Internet,
> > > that does not make Windows source legally licensed under GPL,
> > > because author or copyright holders never licensed it so. It
> > > should be very clear to businessmen, but is not clear to
> > > programmers.
> > As I understand it it all depends on who is this somebody. If this
> > somebody is Microsoft, it would look legit.
> >
> > If not, it's crucial for most project to stay as away from leaked
> > source code as much as possible, because as I understand, just
> > reading it increases the legal risks too much when the person
> > having read it contribute to project that are too similar.
>
> Maybe the example was not good enough.
>
> Imagine company ABC provides Windows source code under GPL.

If the full source code of Windows was released, I would expect
Microsoft to do it, and to have press releases about it and so on.

So here I would stay away from the source code released by ABC unless
it's some form of joke and that the GPL source code is legit source
code that has nothing to do with Microsoft Windows.

> Distributions don't conduct enough due diligence, and users or
> downloaders even less.

I guess it depends on the distributions. Do you have ideas to increase
the quality of the checks in systemic ways?

> We are just lucky due to large number of free software being on one
> heap, it is not intentional that we don't get too many problems with
> it. Though such court cases are there.
>
> > It's also up to the distributions to choose how they deal with legal
> > issues. For instance different distributions dealt differently
> > with software patents.
>
> And it is also up to the user to verify it.

Or to trust or not trust distributions.

It would also be a good idea to ask distributions how it's done.
> > As with the DMCA, the issue is also how to verify the claims that
> > are inside. For instance youtube-dl that as far as I know is fully
> > free software also got a DMCA takedown notice.
>
> Personally I am unable to verify if software is free. Time does not
> allow it. There is no mechanism to ensure it. It is all based on
> trust to people that I by large don't even know. It is same type of
> trust just as users of non-free software.

It's mostly trust in systems. And in both cases the systems are
different.

And that's how huge societies can and do function. You have to
interact with many people that you don't know so you end up trusting
systems instead.

And here I'm not saying that it's necessarily a good thing in general
as it also has a lot of extremely catastrophic consequences for big
human societies but it would probably be way out of topic to discuss
that here. The book Liars and Outliers[1] explores that in more detail.

In any case even if it's far from perfect I think that it works mostly
fine for free software, and that for nonfree software it is mostly
catastrophic (many builtin malware, spyware, backdoors, etc).

> But what in case of allegation, you cannot anymore prove where you got
> it from?!

That's precisely why I'm advocating for archiving source code released
by hardware vendors. Unfortunately in the case of Samsung, it's
probably almost impossible to back up that code without writing
code[2], so I hope that one day a volunteer would show up for doing
that. Though all the source code that we rely on in Replicant is
probably already gone from opensource.samsung.com.

As for examples of known problematic software, the FreeCalypso[3]
project was based on leaked source code that it rebranded as free
software.
So here I try to stay away as much as possible from that project and
instead try to push people to work on porting osmocomBB[4] to some
microcontroller OS instead, and port the layer 2 and 3 on the modem so
that we would get a really free software equivalent.

As they also manufactured hardware, FreeCalypso probably still has
written code themselves that is in no way based on the leaked Calypso
source code, and they might also have written from scratch some
unrelated software (like tools for instance), so if I needed to
package software like that I'd still try to verify that it has been
written from scratch and/or by reusing known free software.

The neat thing is also that the free software community usually has a
different coding style than the people working on nonfree software
like Microsoft Windows. You see that code style a lot in legit free
software source code releases from some hardware manufacturers (like
the dhd driver from Broadcom for instance), from ReactOS, probably
from Microsoft too, from TianoCore (a free software UEFI
implementation), etc.

So reading the source code (of the FreeCalypso tools for instance)
will also give you some clues, and enable you to ask questions if
there is some suspicious code.

Knowing the background also helps. For instance in Replicant I also
ask how the source code was written, for contributions bigger than
patches to existing code, and sometimes it enables us to track the
origin to some other free software source code. And when it's written
from scratch, it's also very useful as we can learn how to find the
documentation needed to write similar source code in the future.

And in cases like that even if we never meet the people physically, we
tend to know them on IRC.

And Linux also has a developer certificate of origin[5] that we also
use in Replicant, not necessarily to track the origin of code, but
rather to be compatible with upstream projects' requirements.
References:
-----------
[1] https://en.wikipedia.org/wiki/Liars_and_Outliers
[2] https://forge.softwareheritage.org/T2523
[3] https://www.freecalypso.org/
[4] https://osmocom.org/projects/baseband/wiki
[5] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/process/submitting-patches.rst#n363

Denis.