Overview of License Compliance in the Network Attached Storage Market

Bradley M. Kuhn

SNIA SDC 2018

Monday 24 September 2018

Interactive Online Version available.

FLOSS Is Now Everywhere

15 years ago, Free, Libre and Open Source Software (FLOSS) advocates would come to an event like this to convince you to adopt such software.

FLOSS Is Now Everywhere

FLOSS is probably already in most of your products (if you a product seller) or in your data center (if you build your own).

FLOSS Is Now Everywhere

On balance, it's a good thing that FLOSS is everywhere.

… but any fad has its downsides.

Downsides to FLOSS Popularity?

The secondary FLOSS service market, ostensibly available to help companies “manage” (inexplicably called “governance” by such service providers) FLOSS intake and output.

I've dubbed this industry the compliance industrial complex.

You Deserve Such Education both FaiP &FaiF

People who really are dedicated to FLOSS do want to get paid for their work…

… but none of us think you should have to buy an expensive third-party “code scan” just to figure out your own FLOSS usage.

What's the Real Goal?

Copyleft licenses, in particular (while sometimes admittedly abused by a few) are not intended nor designed to be “gotcha” licenses.

One-Slide Introduction to FLOSS Licensing

(roughly) 2 forms of FLOSS licensing: highly permissive & copyleft.

all forms are much more permissive than any proprietary license.

FLOSS licenses encourage code reuse…

copyleft licensors additionally have a policy goal of maximizing software freedom.

Ye Olde Fower Fredoms

• to use.

• to learn and modify for yourself.

• to copy and share.

• to modify and share modified versions.

A Constitution Isn't Principles

A Constitution, and the laws that operate under it, are detailed, enforceable implementation of Principles behind a society.

The GPL As a Constitution

Compare and contrast

Constitution and Law

So, I used to say: “copyleft is the Constitution of software development community”.

But, GPL (specifically) is a detailed legal statute and Constitution rolled into one.

Copyleft suffers from the same problems any legal statue (including but not limited to): how is it enforced, and who can enforce it?

How GPL Is Enforced?

As a copyright license, copyright holders are those with the right to enforce.

Modulo single-copyright-holder “gotcha” licensors (e.g., Oracle with MySQL), generally speaking, copyright holders work on their own or with a charity to seek compliance.

The Principles

Most follow the Principles of Community-Oriented GPL Enforcement, as published by Conservancy, to ensure the policy goals of copyleft are paramount to anything else.

How Does this Relate To NAS?

First, many (not all, obviously) NAS devices run Linux, which is licensed primarily under GPLv2-only.

Second, many NAS devices run Samba, which is widely used in the NAS community for SMB.

How Does this Relate To Conservancy?

Conservancy is the primary organization doing GPL enforcement for both Linux and Samba, through coalitions of copyright holders who have formally asked Conservancy to act on their behalf in enforcement actions.

The High-End Success Story

If you are a high-end NAS vendor, you probably have very little to worry about.

You likely employ (or want to employ) upstream developers.

They're going to tell you what you need to do to stay in compliance.

The High-End Success Story

It's not that high end vendors never violate GPL.

It's that it's a small community, where developers talk to each other.

High-end vendors are also sophisticated; as organizations, they learn fast (have to, to stay competitive), and are around for the long haul.

If I violate?

If you violate in the high end market, frankly, you'll likely just get a friendly call from Jeremy Allison, and he'll help you find someone to help you upstream your code.

Why Is It Easy There?

Both customer and vendor are highly sophisticated.

In particular, customers often have engineers on staff who will ask the right question during product evaluation.

A Very Different Situation

There are of course middle & low-end vendors who do the right thing.

My sad news to them: your competitors are undercutting you by getting away with massive GPL violations on a regular basis.

What I've Gleaned

Sitting at the bottom of the supply chain, receiving reports from the general public of GPL violations, I sometimes have to reverse-engineer what's happening, but here's what I've gleaned:

I've Gleaned:

The low-end vendors who would actually send someone to SNIA SDC probably have engineering teams and hold System-on-Chip (SoC) vendors accountable on firmwares (or have your own firmwares, just like the high-end market).

Your Competition Is Cheating

Shenzhen manufacturers (obviously) mass-produce these SoC, and because FLOSS is easy to integrate and incorporate …

… they're able to cut costs by ignoring compliance requirements entirely.

IMO, it's in the interest of folks who actually invest in NAS technologies to stop these people who are free-riding on the licenses that keep the communities going.

A Few Bits About Compliance

Just in case you're not in compliance, I'll spend a few minutes about copyleft compliance requirements.

My first piece of advice remains: ask your engineers first, not your lawyers!

A Legal Mechanism for Technical Details

While hearing it's a copyright license might indicate the lawyer is your first call…

…in fact, most of the most violated terms of copyleft are more technology-focused than legally-focused.

Indeed, the most important requirement is complete, corresponding source (CCS).

(Don't believe the compliance industrial complex hype!)

Copyleft at its Core

At its core, copyleft's primary goal is to give downstream users the means and capacity to generate and utilize binaries in the same manner that upstream did.

Testing CCS

Enforcement must often use a “know it when I see it” standard. (i.e., can we take your CCS build it, and install it?)

We’ve reached compliant CCS with hundreds of companies: but that didn’t mean the CCS was pretty.

Best Way to Test CCS?

Find an embedded engineer who didn't work on the product and ask that engineer to build from sources a new firmware and install it on the device.

Lessons Learned from Examining A Pristine Example

There's a full paper available online on building CCS:

compliance.guide/pristine-example

It’s part of a larger tutorial called Copyleft and the GNU General Public License: A Comprehensive Tutorial and Guide at copyleft.org.

The Guide contains over 150 pages of tutorials materials about how copyleft works & how copyleft works.