
From: Denis 'GNUtoo' Carikli
Subject: Re: [GNU-linux-libre] Good practices for removing nonfree code found in source code.
Date: Tue, 5 Oct 2021 18:00:05 +0200

On Tue, 5 Oct 2021 11:05:58 +0300
Jean Louis <bugs@gnu.support> wrote:
> Let us say somebody provides Windows source under GPL on Internet,
> that does not make Windows source legally licensed under GPL, because
> author or copyright holders never licensed it so. It should be very
> clear to businessmen, but is not clear to programmers.
As I understand it, it all depends on who this somebody is. If this
somebody is Microsoft, it would look legit.

If not, it's crucial for most projects to stay as far away from leaked
source code as possible, because, as I understand it, just reading it
increases the legal risks too much when the person who has read it
contributes to projects that are too similar.

There are some exceptions though[1], but in general most software
projects that deal with reverse engineering or replacing nonfree
software stay away from leaks and would prefer the leaks not to have
happened in the first place, as it makes their work much more
complicated.

And there are practical consequences, for instance ReactOS lost years
of development[2] because of that.

> Though the DMCA repository of Github demonstrates that there are
> hundreds if not thousands of cases where people make such grave
> mistakes.
> 
> Distributions don't have legal divisions, not that I know, and none of
> the distributions truly verifies full legalities; they blindly believe
> the licenses offered online.
It's also up to the distributions to choose how they deal with legal
issues. For instance, different distributions dealt differently
with software patents.

Here, illegally leaking software and adding free software licenses to it
doesn't magically make that software free, and the FSDG insists on the
fact that distributions must distribute only free software, so we're
covered on that.

As with the DMCA, the issue is also how to verify the claims that are
inside. For instance, youtube-dl, which as far as I know is fully free
software, also got a DMCA takedown notice.

And with patents, in a lot of cases the companies that sued people
didn't even have the patent rights in the first place. And there is
even a well-known practice of copyfraud[3].

So everything is not always that clear in practice, and it's also up to
the contributors to try to understand all that and act as best they
can to deal with these issues.

> > On Sun, 3 Oct 2021 20:01:19 +0200 Denis wrote: 
> > > So in cases like that it would also be a good idea to archive that
> > > source release somewhere, ideally in projects like Archive.org or
> > > Software Heritage
> 
> That would not establish a chain of legalities. That would mean if you
> find software anywhere, you would just believe that it is licensed
> under free license Z, just because you found it.
Not really. If a manufacturer like Samsung releases source code on
opensource.samsung.com, I can reasonably believe that it was released
by Samsung. And archiving that will give even more assurance to people
that it's the case once Samsung removes the files[4].

> How do you ensure that the third party Archive.org did not tamper with
> the information?
If a legal court does use archive.org/web, I think it gives us a pretty
good standard, even if it's probably not perfect.

> > but only the copyright holder could publish proprietary code,
> 
> Anybody could tamper software packages and include proprietary code.
> 
> That is why authors digitally sign their software packages.
I didn't find any source code release from a hardware manufacturer that
was signed. And note that the whole software infrastructure depends on
such source releases, as Linux drivers are often made from source
releases like that.

And in a lot of cases you don't really know who wrote the code, as you
have copyright <year> <company> + a license, but you can still expect
that to be OK, as many big companies can only release source code if it
goes through the legal department.

So here we can either adapt to the reality (with help from lawyers if
necessary) or try to change it. If we change it, we also must
foresee as many consequences as possible, and for that we would
probably need to bring as many parties as possible to discuss it in
order to avoid bad side effects.

Especially because we might not be able to influence laws directly that
easily (it could take a lot of time), and in the meantime our
practices also have consequences, and not everybody agrees with
every law.

With patent laws, for instance, if the court can prove that you knew
that you were infringing a patent, in some jurisdictions it doubles the
fines.

So making sure that people don't violate patents by reading patents and
notifying them might be an extremely bad idea in some cases, for instance.

References:
-----------
[1] https://osmocom.org/projects/baseband/wiki/LegalAspects
[2] https://en.wikipedia.org/wiki/ReactOS#Internal_audit
[3] https://en.wikipedia.org/wiki/Copyfraud
[4] https://forge.softwareheritage.org/T2523

Denis.

Attachment: pgpHRijTe1TiZ.pgp
Description: OpenPGP digital signature