International conference of developers
and users of free software

Licenses as a software

Andrew Savchenko, Moscow, Russian Federation

LVEE 2018

Free software licenses may be seen as software themselves: they are a set of rules and algorithms for how to use software. Like any software, licenses are not perfect and have vulnerabilities which are exploited to limit our freedom. This talk is about how that happens and what mitigations are available.

As software licenses become more and more complex, one can see them as software themselves, since they define a set of rules and algorithms for how to use software. Of course this statement applies to both commercial and FLOSS (free/libre/open source software) licenses; however, this work focuses on FLOSS ones only.

Like any software, licenses are not perfect: they have design flaws and vulnerabilities, because it is impossible to account for all non-trivial cases and tiny details during license development.

One good example of such a problem and its solution is the Tivoization issue [1]. GPLv2 has a vulnerability allowing manufacturers to block, at the hardware level, the user's freedom to update software while keeping that freedom for themselves, e.g. when the hardware allows only manufacturer-signed software to run, effectively denying the user the freedom to use modified software. Formally such behaviour does not violate GPLv2.

So GPLv3 was created to address this and some other issues. But what is the price paid? GPLv2 is 340 lines; GPLv3 is 676 lines. We have more code to handle corner cases properly, but it is harder for ordinary people to understand. Complexity is the price, and some users are repelled by it.

Some of the open issues we are facing now:

  • Obfuscated patches, e.g. Red Hat kernel patches shipped in already-applied form [2]. They contain hundreds of independent and interdependent changes; while formally in compliance with GPLv2, such distribution limits the user's freedom to reuse the modifications made.
  • ZFS issue [3]: forcing redistribution and use of incompatible binaries (CDDL and GPLv2). A corner case where corporations try to loosen copyleft restrictions, and many users support it because they want cool features and don't care much about licenses. The legal problem here is what "derivative/combined work" means. Because of the lack of a clear definition, unfair entities try to violate GPLv2 while staying in formal compliance with it.
  • Grsecurity patches [4]: while Grsecurity is strictly based on GPLv2-licensed kernel code and has no meaning without it, code and binary redistribution is limited by an additional subscription agreement. While this seems to be within legal boundaries in many jurisdictions, it violates the spirit of the GPL.

How to handle these issues? Likely there is no good solution, since more precise and strict licenses will be much longer and harder to understand. Another possible solution would be to develop a proper culture in society, but it looks like we are far away from this possibly Utopian scenario.

[1] https://www.gnu.org/licenses/gpl-faq.html#Tivoization

[2] https://lwn.net/Articles/430098/

[3] https://sfconservancy.org/blog/2016/feb/25/zfs-and-linux/

[4] https://perens.com/2017/06/28/warning-grsecurity-potential-contributory-infringement-risk-for-customers/

Abstract licensed under Creative Commons Attribution-ShareAlike 3.0 license