From 82d46f8782fbcc526d8a22fa8d8be3bc2960b851 Mon Sep 17 00:00:00 2001 From: "Bradley M. Kuhn" Date: Tue, 9 May 2017 07:27:37 -0500 Subject: [PATCH] Reduce slides to only those introducing violations --- .../20min-violation-intro/violation-intro.md | 643 +----------------- 1 file changed, 2 insertions(+), 641 deletions(-) diff --git a/presentations/20min-violation-intro/violation-intro.md b/presentations/20min-violation-intro/violation-intro.md index 8a99469..1cbc270 100644 --- a/presentations/20min-violation-intro/violation-intro.md +++ b/presentations/20min-violation-intro/violation-intro.md @@ -1,337 +1,7 @@ -% A Practical Guide to Compliance with the GNU GPL -% Bradley M. Kuhn and Karen M. Sandler +% The What and How of GPL Violations +% Bradley M. Kuhn % Thursday 19 January 2016 - -# Audience - -+ Our goal here is to move faster or slower based on audience knowledge. - -+ There are folks in this audience who have worked with this stuff for years, - and those who are completely new. - -+ We want these presentations to be valuable to all of you. - -# Audience - -+ Please, don't be embarrassed: - + Ever GPL expert in the world, including us, started as a student who - knew none of this. - -+ This is a course; raise your hand if you are confused or have a question. - -+ We are glad to go "off-slides" and get your questions answered. - -# The Tutorial's Textbook - -+ This tutorial actually has a 125-page textbook. - -+ You can download it (PDF or online HTML browse, or the source code!) from - [copyleft.org/guide](https://copyleft.org/guide) - -+ The text is in integration and culmination of every freely licensed - material on copyleft (and GPL in particular) we could find. - -+ We don't mind if you read the text while we talk and raise your hand with questions. - -# How this Tutorial Go? - -+ Materials presented will mix the simple & complex. - -+ We cannot possibly cover the entire GPL and compliance procedures in merely - two hours. - + a full course could take a whole day or more. - + but we'll give you the key highlights. - -# Outline - -+ Discuss: motivations, origins, then a few of GPL's sections. - -+ Turn to focus to how it relates to meeting the requirements of the license - (aka compliance). - -+ If you haven't asked enough questions at that point, we'll then still have - lots of time at the end to take questions and answer them. - -# Why Listen To Us? - -+ Conservancy operates and practices license compliance activities extremely transparently. - -+ So you have access to drafters, interpreters, enforcers. - -+ Someday, we may (or already have) sit across the table from you. - -+ Our transparency does make your job easier. - -# The Mindset of GPL - -+ GPL protects software freedom. - -+ Ultimate goal: make sure every user has the four freedoms. - + Freedom to run the software. - + Freedom to study and modify the software. - + Freedom to share the software. - + Freedom to distribute modified versions. - -+ Every clause in GPL was designed to uphold one of these freedoms. - + Or, it's a compromise of drafting in adoption vs. freedom debate. - -# Using Copyright - -+ GPL is primarily a copyright license. - + Software is copyrighted. - + License grants key freedoms. - + Requirement prohibit activities that take away freedoms. - -+ General concept: copyleft. - -+ Specific implementation: GPL. - -# Conditional Permissions - -+ A copyleft license grants copyright permissions, conditionally. - -+ Think of the phrase: “provided that” - -+ “provided that”: appears (in some form) only - + 4 times in GPLv2 - + 9 times in GPLv3. - -# Compare To Proprietary Licenses - -+ Yes, the GPL has its requirements. - -+ But *none* of these activities are ever permitted under proprietary - licenses. - -+ If you don't like what the GPL requires you to do, then just use - proprietary software instead. - -+ That way, you know the answer to every “Am I allowed to?” question is “no” - -+ rather than: “yes, but only as long as you …” - -+ Many business advantages to copyleft... - -# The Technical Gap - -+ Understanding GPL well requires a some software expertise & legal - expertise. - -+ You don't have to be a professional on either side to grok it. - + but you're best off if you're a professional in one & an amateur - in the other. - -+ Most important technical concepts you need: - + source code, binaries, methods of distribution. - -# Modification As a Center Provision - -+ GPL's primary copyright hook is copyright controls on the right to modify. - -+ GPL's central tenant: - -+ You can make a modified version of various types privately as much as you'd like. - -+ When you distribute that modified version, you have requirements to meet. - -+ Technological considerations dictate necessity of more complex rules for -certain types of modifications. - -# GPLv2 § 2(a-b) - - -

[GPLv2§]2. You may modify your copy or copies of the Program or any -portion of it, thus forming a work based on the Program, and copy and -distribute such modifications or work under the terms of Section 1 above, -provided that you also meet all of these conditions: -
-
-a) You must cause the modified files to carry prominent notices stating -that you changed the files and the date of any change. -
-
-b) You must cause any work that you distribute or publish, that in -whole or in part contains or is derived from the Program or any -part thereof, to be licensed as a whole at no charge to all third -parties under the terms of this License. -

-
- -# GPLv3§5(a-c) - - -

-You may convey a work based on the Program, or the modifications to -produce it from the Program, in the form of source code under the -terms of section 4, provided that you also meet all of these conditions: -
-
-a) The work must carry prominent notices stating that you modified it, and -giving a relevant date. -
-
-b) The work must carry prominent notices stating that it is released under -this License and any conditions added under section 7. This requirement -modifies the requirement in section 4 to "keep intact all notices". -
-
-c) You must license the entire work, as a whole, under this License to anyone -who comes into possession of a copy. This License will therefore apply, -along with any applicable section 7 additional terms, to the whole of the -work, and all its parts, regardless of how they are packaged. This License -gives no permission to license the work in any other way, but it does not -invalidate such permission if you have separately received it. -

-
- -# GPLv2§2¶ penultimates - - -

-These requirements apply to the modified work as a whole. If -identifiable sections of that work are not derived from the Program, -and can be reasonably considered independent and separate works in -themselves, then this License, and its terms, do not apply to those -sections when you distribute them as separate works. But when you -distribute the same sections as part of a whole which is a work based -on the Program, the distribution of the whole must be on the terms of -this License, whose permissions for other licensees extend to the -entire whole, and thus to each and every part regardless of who wrote it. -
-
-Thus, it is not the intent of this section to claim rights or contest -your rights to work written entirely by you; rather, the intent is to -exercise the right to control the distribution of derivative or -collective works based on the Program. -

- -
- -# GPLv3 §0 ¶1-5 - -

- "Copyright" also means copyright-like laws that apply to other kinds of -works, such as semiconductor masks. -
-
- "The Program" refers to any copyrightable work licensed under this -License. Each licensee is addressed as "you". "Licensees" and -"recipients" may be individuals or organizations. -
-
-To "modify" a work means to copy from or adapt all or part of the work -in a fashion requiring copyright permission, other than the making of an -exact copy. The resulting work is called a "modified version" of the -earlier work or a work "based on" the earlier work. -
-
- A "covered work" means either the unmodified Program or a work based -on the Program. -

- -# Binaries (Object Code) are Modifications - -+ Software that the computer understands is different than software humans - read. - -+ There is often a process required to modify (and/or translate) the software - from human-readable - + This process can be done ahead of time. - -+ Separation of source and binary was the first way proprietary software - companies discovered to subjugate users. - + GPL uses the fact that binaries are modifications (which are often - distribution) to prevent that subjugation. - -# GPLv2 § 3(a-b) - - -

-

[GPLv2§]3. You may copy and distribute the Program (or a work based on it, -under Section 2) in object code or executable form under the terms of -Sections 1 and 2 above provided that you also do one of the following: -
-
-a) Accompany it with the complete corresponding machine-readable -source code, which must be distributed under the terms of Sections -1 and 2 above on a medium customarily used for software interchange; or, -
-
-b) Accompany it with a written offer, valid for at least three -years, to give any third party, for a charge no more than your -cost of physically performing source distribution, a complete -machine-readable copy of the corresponding source code, to be -distributed under the terms of Sections 1 and 2 above on a medium -customarily used for software interchange; -

-
- -# GPLv3 § 6(a-b) - - -

-[GPLv3 § ] 6. Conveying Non-Source Forms. -
-
-You may convey a covered work in object code form under the terms -of sections 4 and 5, provided that you also convey the -machine-readable Corresponding Source under the terms of this License, -in one of these ways: -
-
-a) Convey the object code in, or embodied in, a physical product -(including a physical distribution medium), accompanied by the -Corresponding Source fixed on a durable physical medium -customarily used for software interchange. -
-
-b) Convey the object code in, or embodied in, a physical product -(including a physical distribution medium), accompanied by a -written offer, valid for at least three years and valid for as -long as you offer spare parts or customer support for that product -model, to give anyone who possesses the object code either (1) a -copy of the Corresponding Source for all the software in the -product that is covered by this License, on a durable physical -medium customarily used for software interchange, for a price no -more than your reasonable cost of physically performing this -conveying of source, or (2) access to copy the -Corresponding Source from a network server at no charge. -

-
- -# GPLv3 § 1 ¶ 1, 4-6 - - -

-The "source code" for a work means the preferred form of the work -for making modifications to it. "Object code" means any non-source -form of a work. -
-
-The "Corresponding Source" for a work in object code form means all the -source code needed to generate, install, and (for an executable work) run the -object code and to modify the work, including scripts to control those -activities. However, it does not include the work's System Libraries, or -general-purpose tools or generally available free programs which are used -unmodified in performing those activities but which are not part of the work. -For example, Corresponding Source includes interface definition files -associated with source files for the work, and the source code for shared -libraries and dynamically linked subprograms that the work is specifically -designed to require, such as by intimate data communication or control flow -between those subprograms and other parts of the work. -
-
-The Corresponding Source need not include anything that users -can regenerate automatically from other parts of the Corresponding -Source. -
-
-The Corresponding Source for a work in source code form is that -same work. -

-
- # What's a GPL Violation? + GPL (both v2 and v3) require: @@ -447,319 +117,10 @@ same work. + The worst I've ever experienced is 22 rounds. + We send detailed reports. - -# No Build Instructions - -
- The primary issues we found were a dearth of build instructions as well - as a complete lack of installation instructions. There was no - information that mentioned how one might build each package so we had to - guess about which Makefile and/or build script to run for each package. - And in many cases it was not possible or straight-forward to build - this - must be resolved in the next source candidate. - -# Making General Recommendations - -
- We generally recommend that the source release be a single file (ie. one - tarball containing all packages required for the build) that includes a - README or similar in the main directory explaining exactly how to build - and install all of the packages. See section 21.2 of - http://compliance.guide/pristine-example for an excellent example. - -# Suspicious, But Not Captious. - -
- Also, we noticed that some packages mentioned in the "OPEN SOURCE - SOFTWARE NOTICE" included with the device (and also downloaded as part of - the source release; see - Open_Source_Software_Notice_and_Privacy_Policy.pdf ) could not be found - in the source release. For example, we found "Software: Samba 3.0.XX" in - the notice, but could not find any trace of Samba in the source release. - Please ensure that all the software included in the notice is included in - the source release as well. - -# Nesting Doll Packages - -
- - Once extracted, the 3 .rar files above produce the following output - files: - * busybox-1.21.1.rar - * AB_A0101.123.tar.gz - * source.rar - * a small text file that gives two-word descriptions of the above files - - -# Actual(ly Trying to) Build - -
- - This file included no instructions for how one might build it so we - tried to run "make" but received the following error: - - $ make - .../busybox-1.21.1/scripts/gcc-version.sh: line 11: - arm-none-linux-gnueabi-gcc: command not found - -# Toolchain? - -+ The toolchain is rarely considered mandatory as part of “the - scripts”. - -+ Admittedly, it doesn't *control* compilation, it *is* compilation. - -+ The script here is explaining precisely what type of toolchain is needed. - -+ Something like: “GCC vX built with the following ./configure - line” is usually adequate. - -+ But including the toolchain is a nice step to make it easy for your users. - -
-> the scripts used to **control compilation** and installation of the executable. - -

-— GPLv2§3 -

-
- -# We Guess at Compiler Anyway - -
- So we searched for an arm-none-linux-gnueabi- cross-compiler in the - other files but could not find one. We then tried to use our own (be - editing the PATH appropriately), which did get us past this error. Note - that this is not acceptable in a source release - the cross-compiler - that a user must use needs to be clearly indicated (name, version, etc.) - and/or included with the source release. - -# Feedback on Small Problems - -
- - Once we had the custom cross-compiler configured, we then ran into these - errors: - - $ make - .../busybox-1.21.1/scripts/gen_build_files.sh: Permission denied - make: *** [gen_build_files] Error 127 - - $ make - .../busybox-1.21.1/scripts/mkconfigs: Permission denied - make: *** [include/config/MARKER] Error 126 - - $ make - /bin/sh: applets/usage_compressed: Permission denied - make[1]: *** [include/usage_compressed.h] Error 126 - make: *** [applets_dir] Error 2 - - $ make - .../busybox-1.21.1/scripts/trylink: Permission denied - make: *** [busybox_unstripped] Error 126 - - In each case, we found the mentioned file and then added executable - permissions to it (ie. "chmod u+x scripts/gen_build_files.sh"). This - must be fixed in the next source release - please set the executable - bits on the above files appropriately in the archive file you - distribute. - -# Install Instructions missing - -
- After fixing the above, a "busybox" binary was generated. However, - there were no instructions to indicate how one might install this binary - on the device. Such instructions are required by GPLv2, under which - BusyBox is licensed. Please include the instructions in your next - source release. - -# Build "Only Seems" To build - -
- For the AAB_A0101.123.tar.gz package, we ran "./build.sh", the build - took about 140 seconds, which is less than one would expect for building - all of the programs listed in the "OPEN SOURCE SOFTWARE NOTICE". The - only files we could immediately find that were clearly the result of - this "./build.sh" invocation were some kernel image binaries, found in - path/path/path/path/path/KERNEL_OBJ . This path was not mentioned at - all and we had to guess at where they might be. - -# Maybe Proprietary Kernel Modules? - -
- Furthermore, there were no .ko files generated, which is abnormal for a - build of the kernel, Linux. Please ensure that all .ko files which are - used on the system are generated with "./build.sh" or a similar script. - -# Weird versioning - -
- - * The following libraries have different versions in the firmware than - is built from the candidate CCS. Specifically, your candidate CCS - contains version "1800", and the firmware has version "2400". Since - most of these libraries are licensed under the LGPL, you are required - to have the complete, corresponding source present for the correct - version as distributed in the firmware. You also must include the - "scripts to control compilation and installation of the executable". - - * lib/libgio-2.0.so.0.2400.2 - * lib/libglib-2.0.so.0.2400.2 - * lib/libgmodule-2.0.so.0.2400.2 - * lib/libgobject-2.0.so.0.2400.2 - * lib/libgthread-2.0.so.0.2400.2 - * lib/libz.so.1.2.5 (version 1.2.2 is provided in the sources) - -# Weird Build Issues Over Many Candidates - -
- You mentioned in your Round 6 commentary that you have corrected the - thatlib issues. However, we are unable to see what you mean. There are - now two copies of thatlib, one in 2624.7_524/uclinux-rootfs/lib/thatlib/, - as well as the one in yourlibs. We aren't sure which one you intend to - be built to generate the binaries on the firmware. When we try to build - the yourlibs one from scratch, by cleaning the whole area, we get the - following build issues. Here's what we did: - -# Getting Really build-technical - -
- - We ran: - - make -C libsrc/thatlib install - - which did not work because of a missing Makefile error. We read the - build source and discovered that the Makefile, etc, for that directory - is generated by running: - - cd libsrc/thatlib/thatlib-0.9.22_mipsel-uclibc; sh configure_thatlib_mipsel-uclibc - - Once we did that - - make -C libsrc/thatlib install - - worked correctly. The only remaining binaries were in build source and - discovered that the Makefile, etc, for that directory is generated by - running: - - cd libsrc/thatlib/thatlib-0.9.22_mipsel-uclibc; sh configure_thatlib_mipsel-uclibc - -# Getting Really build-technical - -
- - Once we did that - - make -C libsrc/thatlib install - - worked correctly. The only remaining binaries were in - ./libsrc/thatlib/\{YOURLIB_ROOT_DIR\}/ which looks like a build with a - misconfigured environment somehow, so we simply removed that - directory. - - Then, after running make clean, thatlib failed with the following - errors. Random .o/.so files laying around in the thatlib source - directory, and then it failing to build correctly after they are - removed. If there some set of .so files you claim are not required - as part of the C&CS since thatlib is LGPL'd, we understand that, but - the rest of the sources must build and install those other .so's. - Here's the build error we get in the bdvdlibs version: - -# Getting Really build-technical - -
- - mkdir .libs/libthatlibwm_default.a.tmp - (cd .libs/libthatlibwm_default.a.tmp && ar x ../../.libs/libthatlibwm_default.a) - mkdir .libs/libthatlibwm_default.a.tmp - (cd .libs/libthatlibwm_default.a.tmp && ar x ../../.libs/libthatlibwm_default.a) - /opt/toolchains/crosstools_sf-linux-2.6.18.0_gcc-4.2-9ts_uclibc-nptl-0.9.29-20070423_20080702/bin//mipsel-uclibc- - ld -o libthatlibwm_default.o -r .libs/libthatlibwm_default.a.tmp/*.o - /opt/toolchains/crosstools_sf-linux-2.6.18.0_gcc-4.2-9ts_uclibc-nptl-0.9.29-20070423_20080702/bin//mipsel-uclibc- - ld: .libs/libthatlibwm_default.a.tmp/default.o: Relocations in generic ELF (EM: 3) - /opt/toolchains/crosstools_sf-linux-2.6.18.0_gcc-4.2-9ts_uclibc-nptl-0.9.29-20070423_20080702/bin//mipsel-uclibc- - ld: .libs/libthatlibwm_default.a.tmp/default.o: Relocations in generic ELF (EM: 3) - /opt/toolchains/crosstools_sf-linux-2.6.18.0_gcc-4.2-9ts_uclibc-nptl-0.9.29-20070423_20080702/bin//mipsel-uclibc- - ld: .libs/libthatlibwm_default.a.tmp/default.o: Relocations in generic ELF (EM: 3) - /opt/toolchains/crosstools_sf-linux-2.6.18.0_gcc-4.2-9ts_uclibc-nptl-0.9.29-20070423_20080702/bin//mipsel-uclibc- - ld: .libs/libthatlibwm_default.a.tmp/default.o: Relocations in generic ELF (EM: 3) - .libs/libthatlibwm_default.a.tmp/default.o: could not read symbols: File in wrong format - make[4]: *** [libthatlibwm_default.o] Error 1 - -# Proprietary Linux Modules Are Everywhere - -
- We did find one .ko file that was already included in the package, but - wasn't built when we ran "./build.sh". This is - path/path/android_X.X/device/device-type/mydevice.ko , which notes that - its license is "GPL v2" in the modinfo, but for which we could find no - source code in the source release. Please ensure that the source code - for mydevice.ko is included in the next source candidate. - -# Proprietary Linux Modules Are Everywhere - -
- - * The following files are derivative of the kernel named Linux and - therefore covered by the GPL. However, no source code, scripts to - control compilation nor installation are included in your CCS - candidate: - lib/modules/myfilesystem.ko - lib/modules/mydevicecontroller.ko - lib/modules/myblockdevice.ko - lib/modules/mypcicard.ko - -# Non-Technical GPL Compliance Issues - -
- Regarding over the air updates: we'd like to see a screenshot or other - details documenting what has now been implemented by BestBuy to make - sure the offer for source appears to users appropriately after - upgrade. There was a consensus reached on the last conference call - how this would be done, so we only need follow up and implementation - on that. - - -# Binary Comparison. - -
- - Note that we did not receive a firmware image to compare this with - (though we do have the device). Company's website did not appear to - have any firmware images available for download. It would be helpful to - have such an image for the next CCS check. - - The above source candidate was downloaded from - http:///sourcez.company.com/en/search/index.htm?keywords=X1234Y, which - was alluded to in Company's 2017-01-18 email to us that said: - - "You can check this website - http://sourcez.company.com/en/search/index.htm " - - The email did not mention how to use that website, but we found that by - entering "X1234Y" into the top right search box that we could find the - source file list. - - Note that the offer for source included in the web UI of the device said - to email NAME@COMPANY.com , which is how the above instructions for - downloading the source were received. - - - - # More Info / Talk License -+ URLs / Social Networking / Email: - - Pls. support Conservancy: [sfconservancy.org/supporter/](https://sfconservancy.org/supporter/) - - If you hold copyrights in Linux, Debian, Samba, or BusyBox, you can - join our enforcement coalition. [Contact us!](https://sfconservancy.org/linux-compliance/about.html) - - [*The Guide*](https://copyleft.org/guide) is available & [welcomes contributions at copyleft.org](https://copyleft.org). - - Conservancy: [sfconservancy.org](https://sfconservancy.org/) & [@conservancy](https://twitter.com/conservancy/). - - Me: [faif.us](http://faif.us) & [ebb.org/bkuhn](http://ebb.org/bkuhn) - - Slides: [ebb.org/bkuhn/talks](http://ebb.org/bkuhn/talks/ELC-2015/pristine-example.html).

Presentation and slides are: Copyright © Bradley M. Kuhn (2008–2011, 2015, 2017), Karen M. Sandler (2017), and are licensed under the Creative Commons Attribution-Share Alike 4.0 International License.