Open Source and information security mailing list archives
Date:   Sat, 21 Oct 2017 22:16:12 +0300
From:   Pavel Nikulin <nikulinpi@...il.com>
To:     Alan Cox <gnomes@...rguk.ukuu.org.uk>
Cc:     gregkh@...uxfoundation.org, linux-kernel@...r.kernel.org
Subject: Re: [GIT PULL] Documentation: Add a file explaining the requested
 Linux kernel license enforcement policy

If you say that your lawyers have comprehensively researched that,
I can't say they did a good job. Almost every line sounds close to
being a contractual agreement. If you say that this is only a personal
promise, you have to state that. Like writing "this is not an addendum
to license terms and only a personal promise from people in the list
below"

In the language that is written there, that is not at all clear up until
you reach the statement at the very end:

>Except where noted below, we speak only for ourselves, and not for
>any company we might work for today, have in the past, or will in the
>future.

And even this last phrase does not state explicitly the nature of the
document as non-legally binding.

Moreover, you put "additional permissions under our license" wording
there, if there were no "our" there, it would've opened a huge can of
worms. And even this way, that "our" there can be a problem.

As of now, the statement reads as if the party making the statement
is the undefined "we", "our", and "our development community" until you
reach the very end of the document. You need to write that "we," "our,"
and the community are you and people in the list below at the start of
the statement.

I support the idea to denounce vexatious profit-seeking enforcement.
I don't like the prospect of violators being able to stall the enforcement
even further. Whatever new legal language will be put into the kernel,
it can't do anything with people doing vexatious enforcement today, but
it may weaken legitimate GPL enforcers.


The lengthy explanation for the last phrase, I'm sorry for bringing this to
lkml.


In not so few cases when GPL was successfully enforced, violators
were able to greatly delay the enforcement and stall for time at close
to no cost, all because they knew that they lose little even in the
worst case scenario.

If we go forward and open a can of worms on topic of how the
community should decide to run enforcement action, we should also
bring up the principle that if contributors start with it, they should not settle
until they reach full compliance or do something that will weaken the
case for further enforcement by anybody else.

Companies release uncompilable modified kernel sources, simply
wrong sources, or kernels that can't run because a vital piece of code
needed for runtime functioning is a "secret blob" with data and/or
functions. In all such cases, proving that such evasive maneuvers do
not constitute compliance is hard. They began to think that this is an
effective tactic against enforcement, especially if any of co-authors
accept any of above as a settlement.

If violators knew how high the stakes are, they would not do that. I want
it to become accepted that "a death sentence for a tech company" -
permanent license revocation for the Linux kernel should be the end
result of vexatious defense tactics even if the company shows a
phony change of heart and finally becomes compliant at the end of
a very long and costly legal battle.

We should also not throw out the idea of using expedited injunctions
in countries allowing them (besides Germany, I believe that includes
some US states) if doing so is needed to harm companies hiding
behind proxy entities, "clouds," ones persistent in using vexatious
defense tactics, or simply ones believing that they lose nothing
if they try to challenge every request for GPL compliance.

On 20 October 2017 at 21:25, Alan Cox <gnomes@...rguk.ukuu.org.uk> wrote:
> On Thu, 19 Oct 2017 18:28:12 +0300
> Pavel Nikulin <nikulinpi@...il.com> wrote:
>
>> Hold!
>>
>> Greg, are you trying to put a new addendum to the terms of GPL v2?
>
> In many parts of the world if you make a promise about not enforcing a
> right to take some action (sometimes even an implied one) you cannot then
> take that action.
>
> So if you say "I won't sue you just because you've got a tiny GPL
> compliance issue", then in much of the world if you attempt to do so
> you'll find you can't.
>
> I do think it's poorly drafted because it doesn't contain any "unless you
> sue us" caveat so you won't find my name on it.
>
> Alan
