What Does Conservancy Do?

• Software Freedom Conservancy is a charity based in the USA.
  • That means we’re legally required to operate in the public good.
  • Contrast: a trade association, like LF, whose charge is to operate in a manner that advances common business interests of an industry.

• Conservancy provides essential non-software-development work that Open Source and Free Software projects need.

• This includes helping projects ensure their software licenses continue to benefit the public.
  • which, in concrete terms, means acting to verify projects’ FLOSS licenses meet goals their policy.

Background

• My first few slides’ points may be too remedial for some of you.
  • If so, take a 2 minute email break.

The Copyleft

• Linux and much Open Source and Free Software use copyleft licenses.
  • The GNU General Public License (GPL) is the most common one.
• Copyleft, simply, seeks to give downstream users the means and capacity to generate and utilize binaries in the same manner that upstream did.
  • Even after modifying sources.

Formal Definition of Copyleft

Copyleft is a strategy of utilizing copyright law to pursue the policy goal of fostering & encouraging the equal & inalienable right to copy, share, modify & improve creative works of authorship. Copyleft … describes any method that utilizes the copyright system to achieve the aforementioned goal. Copyleft as a concept is usually implemented in the details of a specific copyright license … Copyright holders of creative work can unilaterally implement these licenses for their own works to build communities that collaboratively share & improve those copylefted creative works.

What is GPL Enforcement?

• Broadly, GPL enforcement is the process of ensuring that redistributors grant the rights that copyleft assures.

• The primary goals are:
  • ensure that the users of a product containing copylefted works can participate upstream by testing, building, and enhancing the work on the actual device.
  • help distributor themselves join and contribute back to the upstream project.

• The Principles of Community-Oriented GPL Enforcement at sfconservancy.org/linux-compliance/principles.html.

But It’s Not Really About Upstream.

• Nevertheless, enforcement pursues that second goal only indirectly.

• GPL compliance is usually not about what to do upstream.

• GPL is a license made for the users, not the developers.
  • Who, of course, may be future developers.
• The main policy goal:
  • Ensure the user can exercise the freedom to modify the software …
  • … in a manner that’s real and concrete, not theoretical.

What’s a GPL Violation?

• GPL (both v2 and v3) require:
  • The whole work licensed under GPL.
  • (which means all copyrighted material added must be under GPL-compatible licenses.)
  • Complete, Corresponding Source (CCS) of that work provided, under GPL.
• The licenses terminate upon violation …
  • … thus failure to comply means lost distribution rights.
  • … enforcement uses this rights termination as leverage to restore compliance.

Enforcement is Technical

• Copyleft’s policy goals related to technical acts.
  • modifying, building, and installing software is a technical process.
• In embedded systems, this process is rarely straightforward.
  • Yet GPL requires that such be possible.
• In enforcement, we talk about “the CCS adequately meeting GPL’s requirements”

How GPLv3 says CCS.

The “Corresponding Source” for a work in object code form means all the source code needed to generate, install, and (for an executable work) run the object code and to modify the work, including scripts to control those activities.

— GPLv3§1

How GPLv2 says CCS.

You may copy and distribute the Program (or a work based on it, under § 2) in object code or executable form under the terms of § 1 & 2 above provided that you … [a]ccompany it with the complete corresponding machine-readable source code … The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable.

— GPLv2§3

The 11 Words That Consumed My Life

• GPLv2 enforcement, for embedded products, is all about the these eleven words.

• I could give an entire talk on any one of these 11 words.
  • Yes, I can even give 20-30 minute treatises on each use of “the”.

• Yet, when enforcement processes are at their best, they’re about the spirit behind these words, not the words themselves.

the scripts used to control compilation and installation of the executable.

— GPLv2§3

The 11 Words That Consumed My Life

• Basic reference rule:
  • Can a developer reasonably skilled in the art of embedded software build your sources, take the (copylefted) executables and install them?
• Enforcement spends its most attention on testing CSS “candidates” to verify that.

the scripts used to control compilation and installation of the executable.

— GPLv2§3

A Pristine Example

• Enforcement must often use a “know it when I see it” standard.
  • i.e., can we take your CCS build it, and install it?
• We’ve reached compliant CCS with hundreds of companies:
  • but that didn’t mean the CCS was pretty.
• Thanks to ThinkPenguin, we finally have an example of beautiful embedded product compliance.

Lessons Learned from Pristine Example

• The full paper for this talk is available online:
  • compliance.guide/pristine-example

• It’s part of a larger tutorial called Copyleft and the GNU General Public License: A Comprehensive Tutorial and Guide at copyleft.org.

• The Guide, as we call it, contains over 150 pages of tutorials materials about how copyleft works and why copyleft licenses are written the way they are.

• For the remainder of this talk, I’ll give you the highlights of good compliance lessons the pristine example shows.

Avoid the offer for source.

• Lawyers love the offer for source.
  • I don’t think they are good lawyers if they do.
• The offer creates ongoing obligations.

Accompany [executable form] with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code … on a medium customarily used for software interchange

— GPLv2§3

Avoid the offer for source.

• Often, an offer for sources telegraphs that compliance wasn’t done.

• If you must use the offer, assume it’ll be requested on product launch day.

Accompany [executable form] with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code … on a medium customarily used for software interchange

— GPLv2§3

Give a roadmap in a README

• Scripts doesn’t only mean shell scripts and Makefiles.

• Think of the script of a play or movie.

• If your build process includes human intervention …

• … then the script are a written explanation of what the human must do.

the scripts used to control compilation and installation of the executable.

— GPLv2§3

ThinkPengiun’s README

A file called “README” at the top-level directory said:

In order to build firmware images for your router, the following needs to be installed:

gcc, binutils, bzip2, flex, python, perl, make, find, grep, diff, unzip,
gawk, getopt, libz-dev and libc headers.

Please use “make menuconfig” to configure your appreciated configuration
for the toolchain and firmware. Please note that the default configuration
is what was used to build the firmware image for your router. It is advised
that you use this configuration.

Simply running “make” will build your firmware. The build system will
download all sources, build the cross-compile toolchain, the kernel and all
chosen applications.

 To build your own firmware you need to have access to a GNU/Linux system
 (case-sensitive filesystem required).

Make Sure It Builds

• Can your CCS pass this test?
  • Give you source release to another developer from another department.
  • Ask them to follow the instructions you wrote.
  • They should get the equivalent binaries you get in building.

• Very few organizations bother to do this.

• It’s probably the most useful step to verify compliance, yet no compliance process recommendations I’ve ever seen include this.

the scripts used to control compilation and installation of the executable.

— GPLv2§3

Toolchain?

• The toolchain is rarely considered mandatory as part of “the scripts”.

• Admittedly, it doesn’t control compilation, it is compilation.

• The script here is explaining precisely what type of toolchain is needed.

• Something like: “GCC vX built with the following ./configure line” is usually adequate.

• But including toolchain is nice for users’ easy.

the scripts used to control compilation and installation of the executable.

— GPLv2§3

It’s not “make install”

• Server system software can offer a “make install” that reasonable works to meet installation requirements.

• Embedded products are admittedly difficult to install.

• To comply here, you’ll usually just have write out the instructions.

• It is required; don’t skip this part.

the scripts used to control compilation and installation of the executable.

— GPLv2§3

Missing hardware components

• Inclusion of specialized installation hardware is not a “script”.

• In our ThinkPenguin example, we had to go buy a USB serial adapter to install the modified firmware.

• Just tell the user what they have to go buy for the install to work.

Summary

• The GPL requires that the users can replace the copylefted binaries in your embedded product with binaries they build.

• The host system matters; just tell everyone what host system you use. (& don’t be ashamed at how old it is.)

• Explain details of the toolchain used. Including it would be nice, but ensure its compliance too.

• Have a colleague not working on the project test the build and installation.

Future Work

• The Reproducible Builds project is the first initiative in history to actually propose a clear path that can yield more and easier compliance.
  • That wasn’t their intent …
  • but ultimately good CCS is a reproducible build problem.
• Please come to Karen’s keynote tomorrow morning to hear more about what Conservancy does and thinks about software freedom generally.

More Info / Talk License

• URLs / Social Networking / Email:
  • Pls. support Conservancy: sfconservancy.org/supporter/
  • If you hold copyrights in Linux, Debian, Samba, or BusyBox, you can join our enforcement coalition. Contact us!
  • The Guide is available & welcomes contributions at copyleft.org.
  • Conservancy: sfconservancy.org & @conservancy.
  • Me: faif.us & ebb.org/bkuhn
  • Slides: ebb.org/bkuhn/talks.

Device Lock Down (Since you asked)

• The only core difference between GPLv2 and GPLv3 with regard to Installation Information is cryptographic lock-down.

• If you didn’t use cryptography to required signed binaries on installation, then the user has a right under GPLv2 to install updated binaries.

• If you did use cryptographic lock-down, then you need to provide all installation information except the signing key.