gnu-linux-libre

From: Jean Louis
Subject: Re: [GNU-linux-libre] Good practices for removing nonfree code found in source code.
Date: Wed, 6 Oct 2021 17:35:43 +0300
User-agent: Mutt/2.0.7+183 (3d24855) (2021-05-28)

* Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org> [2021-10-06 14:57]:
> > Imagine company ABC provides Windows source code under GPL.
> If the full source code of Windows was released, I would expect
> Microsoft to do it, and to have press releases about it and so on. So
> here I would stay away from the source code released by ABC unless it's
> some form of joke and that the GPL source code is legit source code that
> has nothing to do with Microsoft Windows.

Then instead of the popular company "Microsoft" use any other company; it
is a hypothetical example.

In business, which I am in, we have to verify each other company's
documents. That is number one: that is one legal person meeting
another legal person.

Let us say somebody is receiving 200,000 dollars into an account; the bank
will ask you about the agreement you have with the other company, as they
want to make sure of the legalities.

Or a company is making an agreement with another company to represent them or
provide some services; they have to ensure by verification that the other
company indeed exists, as if they don't, they become, in case
of legal problems, liable in a court of law.

Companies do those verifications every day, every minute, though not
as well.

Example: Company ABC is in Zambia and wishes to include the GNU Readline
library, which is published on the fraudulent company XYZ's server
with an MIT-like license and sold for 5,000 dollars. We know it is
GNU software, but they don't. Any occurrences of the GPL can be
removed. Company ABC now decides, because it purchased "all rights to the
software", to sell GNU Readline for 200 dollars per copy, and makes
it binary only, as allowed by the MIT-like license.

Then the FSF comes and fights company ABC in a court of
law. Hypothetically. The FSF will say "it is our software, GPL licensed,
it was not MIT licensed" and that their purchase was illegal, as it was
purchased from the copyright-infringing company XYZ.

The court will ask company ABC: did you meet anybody from company XYZ?
No. Did you see that company? No. Visited? No. Did you ask for papers
and documents? No. Is there any statement or history of their
experience as a software developer? Maybe no. Did you do an Internet search
for "GNU Readline"? No.

The court would not believe the good intentions of company ABC. It would
be simple to find out what "GNU" and "GNU Readline" are, who the
authors are, and where the software is mainly distributed.

If no due diligence at all was conducted by company ABC, which purchased
the software from the fraudulent distributor XYZ, then company ABC may pay
damages to the FSF and their software may also become free software.

If due diligence was conducted by company ABC, then this may release
company ABC from fraud allegations, as they themselves were
deceived.

> > Distributions don't conduct enough due diligence, and users or
> > downloaders even less.
> I guess it depends on the distributions. Do you have ideas to increase
> the quality of the checks in systemic ways?

My idea is that the software directory and similar projects should provide
a digital, parsable database of software with its authors and the original
servers of software distributions; then all distributions could access
such a centralized database and choose, by category and other tags and
facts, which software they wish to include in their
distribution. Information should be there which provides more
authenticity of the origin of the software. PGP keys are really not enough
there. Like you said, if software comes from Samsung and from the Samsung
website, that is pretty authentic, not absolute, but it becomes
reasonable.

All of the GNU software that I have seen directly from GNU servers,
apart from Guix and distributions, as distributed from GNU servers,
seems to have this chain, and GNU servers keep almost all historical
versions as well, like the license says, "for as long as needed". Great
work.

Information about "upstream" becomes important. Though sometimes
upstream is no longer the original servers and authors; in that
case more information shall be provided in the package descriptions to
describe the chain of relations.

This is not really a GPLv2/v3 requirement. But it would help
distributions and also end users to be more sure of the authenticity of
software.

We also know of GNU/Linux distribution cracks, intruders who placed
backdoors in distributions, and similar problems.

The Guix way of automated verification is not bad, but users will not
learn much about it. At least package managers shall be verifying the
upstream packages against the secondary web servers.

> > We are just lucky due to large number of free software being on one
> > heap, it is not intentional that we don't get too many problems with
> > it. Though such court cases are there.
> > 
> > > It's also up to the distributions to choose how they deal with legal
> > > issues. For instance different distributions dealt differently
> > > with software patents.   
> > 
> > And it is also up to the user to verify it.
> Or to trust or not trust distributions. It would also be a good idea to
> ask distributions how it's done.

The question is here again on the table, and I guess a few years ago I
raised the same question and it did not become transparent to
me.

I wish there were one person to enlighten me, and that I am
mistaken in my statements about GPLv2/v3 compliance in this thread.

> > But what in case of allegation, you cannot anymore prove where you got
> > it from?!
> That's precisely why I'm advocating for archiving source code released
> by hardware vendors. 

Good idea, and I also see some good software disappearing slowly,
sometimes only due to lack of small maintenance. The archive shall
have some chain and historical information on where it was obtained,
when, which authors, which checksum, etc. in its package
descriptions, and it should be parsable and re-usable by others. This
is more of an archiving issue.

> As for examples of known problematic software, the FreeCalypso[3]
> project was based on leaked source code that it rebranded as free
> software.

There you are, thanks for the real-world example.


-- 
Jean

Take action in Free Software Foundation campaigns:
https://www.fsf.org/campaigns

In support of Richard M. Stallman
https://stallmansupport.org/
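As an added illustration (not code from the thread or from any project named in it) of the parsable provenance record the message asks for, and of a package manager checking a copy from a secondary server against the upstream record: the record, the archive bytes and the hostnames are all constructed for this demo.

```python
import hashlib
import json
from urllib.parse import urlparse

# Constructed upstream archive standing in for a GNU Readline tarball; the
# digest in the record below is derived from it, so the record is consistent.
UPSTREAM_BYTES = b"readline source archive (constructed for this example)\n"

# Constructed provenance record: the kind of parsable directory entry the
# message asks for (origin server, authors, checksum, where/when a copy was
# obtained). Hostnames are placeholders chosen for the demo.
RECORD_JSON = json.dumps({
    "name": "readline",
    "upstream_url": "https://origin.example.org/gnu/readline/readline.tar.gz",
    "authors": ["GNU Project"],
    "license": "GPL-3.0-or-later",
    "sha256": hashlib.sha256(UPSTREAM_BYTES).hexdigest(),
    "obtained_from": "https://mirror.example.net/gnu/readline/readline.tar.gz",
    "obtained_on": "2021-10-06",
})

REQUIRED = ("name", "upstream_url", "authors", "license", "sha256",
            "obtained_from", "obtained_on")


def audit(record_json, mirrored_bytes):
    """Check a copy fetched from a secondary server against its record.

    An incomplete record or a digest mismatch is a problem; a copy that came
    from a host other than the origin is only noted (mirrors are legitimate,
    but the chain of custody should say so).
    """
    rec = json.loads(record_json)
    problems = ["missing field: %s" % k for k in REQUIRED if not rec.get(k)]
    notes = []
    if not problems:
        digest = hashlib.sha256(mirrored_bytes).hexdigest()
        if digest != rec["sha256"]:
            problems.append("digest mismatch: record %s..., copy %s..."
                            % (rec["sha256"][:12], digest[:12]))
        origin = urlparse(rec["upstream_url"]).hostname
        got = urlparse(rec["obtained_from"]).hostname
        if got != origin:
            notes.append("copy obtained from %s, origin is %s" % (got, origin))
    return {"ok": not problems, "problems": problems, "notes": notes}


if __name__ == "__main__":
    print(audit(RECORD_JSON, UPSTREAM_BYTES))            # ok, with a mirror note
    print(audit(RECORD_JSON, UPSTREAM_BYTES + b"xx"))   # digest mismatch
```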


