There are many facets to the Sony BMG Rootkit situation that are worth pondering, but I have to admit that I’ve been intrigued by one particular facet of the recent fracas: Sony’s apparent use of open source application code in its digital rights management “worm”. As far as I can glean, part of the Sony Rootkit code comes from Mike Cheng’s Open Source project LAME, which is a “GPL’d” MP3 encoder. (GPL used to be “GNU Public License” but now means “General Public License”, as explained at Wikipedia)
Sony’s partner that built the rootkit is clearly in the wrong and violated the GPL license agreement under which LAME is released to the general public. That’s been implied in various articles (for example, Did Sony Rootkit Pluck from Open Source) but no-one that I’ve seen has come out and said that Sony was wrong, that it violated the license, and that Sony needs to make amends of some sort.
And so we come to another company, a smaller firm that also says that it misunderstood the General Public License to mean that the software was freely available to modify and alter as needed for a freeware product: Vbuzzer. If you pay attention to this weblog, you’ll have already read about my positive experiences with Vbuzzer, a VOIP solution for home and office (see VOIP for Small Business).
When Vbuzzer first made its free VOIP and instant messenger client available for download, part of the IM code apparently came from the Open Source Miranda IM project. You might think that it shouldn’t be a big deal to have a company distribute freeware based partially on an Open Source application, but you’d be wrong. The GPL license terms explicitly prohibit this use, as detailed in an exhaustive posting on the Miranda IM Developers Journal:
“You may copy and distribute verbatim copies of the Program’s source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program.”
As is documented in the Miranda article, Vbuzzer didn’t do any of this, and quite frankly did some pretty dumb things instead, including stripping out the Miranda copyright and replacing it with their own. Violating the terms of the GPL means that you cannot use the Open Source code in your product, as is also clearly stated in the GPL terms.
It’s worth pointing out that the GPL itself is quite long (I calculate it has just under 3000 words) and that companies violate the terms of the GPL all the time, sometimes through malice but mostly through misunderstandings. There are also a staggering number of different Open Source licenses, each with its own nuances.
Sidenote: Years ago, when I contributed some software to the Open Source community, I rejected the GPL because I felt it was too complex and I didn’t like the uses it proscribed, feeling them unrealistic and a barrier to innovation. My opinion remains the same, though that’s a slightly different topic.
Still, companies are responsible for understanding the license terms of any software they co-opt for their own products, so regardless of how easy or confusing the GPL may be, and regardless of the terms of use, the fact is that they are the terms under which programs like Miranda IM and LAME are released, so they are legally binding.
Which leads to my question: what does a company have to do to get back into the good graces of the Open Source community?
Consider Vbuzzer. The day after one of the Miranda IM Project team posted a note about Vbuzzer GPL violations, the team at Vbuzzer mailed the Miranda team the following message:
“As a first step, we have disabled the download link from vbuzzer website, so no new download will happen from now on. In the next few days we will remove Miranda from vbuzzer, then post the new version, then force every user to upgrade to the new version. We expect to finish all the steps in several days.”
The message from the Vbuzzer team continued with:
“Just to clarify the “new version” on my above text, it means the version without any Miranda codes. I’ve explained we had our own Internet Telephony client that can work independently, this is what I mean by “new version”. We understand that the we are voided the Miranda’s source and we will cease using it.”
I was impressed. The company, upon learning that it had violated the license terms of the Miranda IM software, turned on a dime, immediately stopping the distribution of the software in violation of the license terms and recoding the Vbuzzer program to sidestep the problem completely.
But Open Source people are unforgiving as a general rule, and rather than offer an olive branch to a company that so clearly was trying to correct its error and do the right thing, the response from the Miranda team was short and to the point:
“Hey, I’m sorry but that has voided your rights to Miranda’s source.”
It’s this intractability that I believe makes so much of the Open Source development problematic for the greater community of software developers and computer users.
This is all relatively old news, having happened a few months ago. At this point, I can only presume that the latest version of the Vbuzzer software is completely void of any Miranda IM code.
Just yesterday, however, the folk at Vbuzzer posted a note on the Miranda IM discussion boards explaining exactly what they’d done back in July of this year and ending with what seems like another attempt at establishing a healthy working relationship with the Miranda IM team:
“We are sorry for what has happened, we would contribute to Miranda’s further development in any ways we can. We have proposed to Miranda administrators a few possible to contribution, as well as [sent them] a draft file of the changes we’ve made to the software.”
Sony was out of line with its Rootkit DRM and its inclusion of some of the LAME code. Sony hasn’t demonstrated that it’s even aware of the problem and certainly there’s no indication I’ve seen that Sony realizes it committed a legal blunder or that it’s going to try and make the situation right.
Vbuzzer, on the other hand, is doing everything right. It made a mistake — a not-uncommon mistake — in how it interpreted the GPL license terms, and since then has made extraordinary efforts to remedy the situation, rewriting its code, changing the very nature of its software solution, and even offering to contribute to the further development of Miranda IM.
And yet I bet that the Miranda IM project team will spurn these offers and either completely ignore the Vbuzzer posting or reject their offer with a curt response.
I just don’t understand why.
It’s time for the Open Source community to recognize that the partnership with commercial software is what’s going to drive innovation and help us all reap the benefit of more sophisticated software and solutions.
One of the things you’re missing here is that you are dealing with a zealot, who by definition is an extremist in their chosen religion. They aren’t representative of the greater portion of the population, but rather represent an exaggerated view of one viewpoint. It’s pretty harsh to generalize all open source projects based on what’s happened with one team.
It’s too bad the Miranda team isn’t more forgiving, but as you point out in the article, as often as not, companies knowingly violate the GPL. So it’s not too surprising to find a development team that’s hypersensitive on the subject. I’m willing to bet that if you look you could find a number of GPL projects who are willing to let anyone use their code for anything. It just depends on the individual developer.
I just don’t think the case you’ve chosen to put under the microscope is a representative sample. That’d be like saying Sony is a representative of the entire recording industry. Yes, they are pretty similar to the huge labels, but there’s a lot more small labels out there that are nothing like Sony.
If I hadn’t heard for years from open source and FSF types about how inherently evil commercial software developers were and how the crass capitalist desire for money was at the root of all evils in the world, I might be willing to just agree with you, Martin, that the developers of Miranda IM were atypical, but in my experience they’re not. For every pragmatic realist in the open source movement there seems to be at least one more who believes that companies like Microsoft are inherently allied with Satan and even the strategy of selling applications built upon open source (think Red Hat) is darn dubious, if not subverting the underlying ethical foundation of the entire movement.
Maybe that’s a bit strong, but still, I don’t believe the situation I outlined is extraordinarily atypical. I really don’t.
If I may nitpick, the FSF refers to the license as the GNU GPL — see http://www.fsf.org/licensing/licenses/gpl.html — so I suppose that’s its official name. OTOH, the “official name” of the office suite is OpenOffice.org but many refer to it simply as OpenOffice or Open Office. My math professors used to call it “abuse of language” which, despite the apparent truculence isn’t necessarily a bad thing.
Why would you assume that just because it is Open Source, it should be “nice”? Free Software and Open Source exist because of the greediness of commercial software companies to begin with. When companies started restricting access to software that was before that distributed freely, someone, namely Richard Stallman, had to make sure some code will always remain free. I’m not sure how the world would have looked with closed source only, but I’m sure it would have been far less exciting and useful.
The company that develops Vbuzzer uses open source code. It saves them tons of money on R&D. The only “pay” required is to return the code back to the open source community. If you can’t, don’t use it.
Any private person violating commercial companies’ IP would have been dragged to court. So why the double standards?
p.s.
Doubt it if anyone in the industry today does not know what Open Source/GPL is, and it’s worrying to think how many cases like this go unnoticed.
First, I’d like to say that I probably would have almost the same reaction as the Miranda developers, for the reasons explained below. However, neither the Miranda developers nor myself are necessarily representative of the entire open source community. To imply otherwise is to commit a serious logical fallacy.
Also, do not think “open source” equates with GNU and the GPL. As a license, the GPL may have the lion’s share of visible open source projects, but it’s not by any stretch the only choice. There are hundreds or thousands of ways that you can license open source software and almost as many open source licenses exist to cover them. The BSD license, for example, is much less restrictive than the GPL license and any developer who uses it expressly allows commercial usage without redistribution of the modified source. (Though the copyright snafu is still verboten, more on that later.)
I don’t agree that the GPL is complicated or complex. I read and understood its entirety when I was in the 8th grade. The license may be long, but the idea is quite simple and is even summarized in the beginning in plain English. Something to the tune of, “This software and its source code are distributed freely, and you may modify and/or distribute them freely, but you are then required to give everyone else the same rights or you yourself forfeit all rights.”
Based on your own account, it doesn’t seem to me that the actions of Vbuzzer were a simple mistake. I can understand copying and modifying the source code. That’s what open source is all about. I can almost understand not releasing the source to your product or the modifications as it may have been due to a miscommunication or accidental negligence. (Not that either are any excuse.) But rebranding the copyright of the original code is really difficult to forgive. That’s plagiarism. Stealing. The Miranda folks were probably deeply offended by this more than anything else. I know I would be and I surely wouldn’t see any particular reason to trust Vbuzzer after an incident like that.
Interesting comments so far. I think that there are a couple of fallacies being presented here, however, that are worth addressing.
First off, I believe that there are indeed lots of people in the software industry who believe that Open Source = Free Code. They’re wrong, but I think that’s the basis of a lot of situations where open source code ends up in commercial products without proper credit or without meeting the terms of the license. To simply say “everyone knows” is to be at least a bit ethnocentric: do you really think that programmers in China, for example, are just as plugged into the Open Source community as we are here in the United States? It’s our cultural value that programming ostensibly equates to sharing with the developer community, not something that’s inherently part of software development per se.
Secondly, I’m troubled – but unsurprised – by the implication that companies can’t make errors and recover. Perhaps it’s a bit of idealism on my part, but I thought we lived in a society where one of our basic tenets was the belief in redemption? I agree that what Vbuzzer did with its initial software was stupid, but I want to know how open source fans like yourself, C. Ulrich, believe companies can credibly say “Oops. We were wrong and we want to get back into the good graces of the open source developers”?
I mean the company immediately responded in what I see as a highly credible manner to notification that it had violated the Miranda license terms and has now come back with an offer to share its code modifications with the community AND an offer to contribute financially to the further development of the Miranda IM code base.
But you believe that’s not enough? What else could a company in this situation do to become realigned with the open source community?
If your answer is “nothing, their crime was too heinous”, then I believe you’re demonstrating exactly my point here, that the lack of pragmatism, the lack of working with commercial software developers as allies is indeed hindering the level of collective innovation that can occur in the software industry.
Perhaps the answer is not “nothing”, but “fire the criminal who edited out the copyright notice, or give us the information we need to charge THEM with the crime, not the company.”
Another reasonable answer is “wait a year, and see if they can keep out of trouble on parole that long.”
There’s a DIFFERENCE between a MISTAKE and a DELIBERATE, CONSCIOUS THEFT. Sure, you can say you “borrowed” your neighbor’s car, but not after you’ve stuck a phony VIN on it. Why SHOULD such behavior deserve instant forgiveness? Because it’s currently common? YOU try that one with a judge.
We may not know all the facts in the case as to why the creators are being “so harsh” with Vbuzzer, so more may be going on here than meets the eye.
I also find it hard to chalk off deletion and replacement of a legal statement in code with someone else’s legal statement as a simple mistake or oversight.
As to whether this situation shows a lack of “pragmatism:” in the real world of copyright litigation the word “pragmatic” sometimes translates into “I agree to pay you for my transgressions.” Maybe that has not happened here either because the legal underpinning of the licensing is in question or because the parties’ attorneys have not reached that point in negotiation yet.
One positive thing about this situation is that it points out very clearly that “there ain’t no such thing as ‘the open source community’” when it comes to the finer points of payment, licensing, copying, plagiarism, and theft. Which is another way of saying, “Welcome to the real world, Neo.”
I think the problem is inherent in the various Open Source licensing. If the main benefit of Open Source is so that a variety of very skilled people can continue to improve code without all of the “proprietaryness” causing legal problems, there are three main problems:
1) Open Source code can only progress so far. No recompense also equals no liability. So, if code doesn’t work, nobody really cares too much. The next guy will fix it.
There *is* pride involved. But, as we’ve all experienced, lack-of-time and a full-time job trumps pride every time.
2) Commercial software development entities (and the programmers they employ) will avoid the Open Source code base for anything that they want to sell (which, other than adware, would be all code).
3) Enterprise organizations won’t adopt Open Source software on a major scale because they can’t get support and they don’t (and shouldn’t) want to be dependent on one employee who understands how the code has been implemented.
I don’t think a lot of the Open Source community would go for it, but the only way I see everyone working off of the same page is through an Open Source Commercial Licensing Clearinghouse (other, non-commercial uses are handled as they are today).
That is, as code mods are made, the author makes it available as normal, but the clearinghouse manages commercial licensing. I don’t know exactly how it’d work, but I could see each author setting a rate for their work (X cents per user, or some similar rate).
The clearinghouse then charges the licensing fee plus some fee to cover their costs to any commercial or enterprise organization that wants to use the code. They then pay out the “micro-payments” to the authors.
This way, any organization can take advantage of advanced code without penalties, with appropriate payments to the several developers. There is also incentive for commercial organizations to participate in Open Source.
Maybe it’s a pipe dream, but it’s *my* pipe dream!
I teach an intro to Unix course through the University of Phoenix Online sporadically, and I’m in the midst of a course right now. On a discussion of Linux versus Unix, one of my students made a fascinating comment that I believe is quite germane to our discussion:
“Maybe the “confusion” of ownership is the actual “beauty” of the system. You’re not locked into using anything that you don’t want to, but I think you don’t “have” to buy UNIX, because the source code is free. What are they going to do, start selling air? Not a totally bad idea, but it lacks some obvious observations.”
It’s exactly what I’ve been saying: people equate “downloadable” with “free”. You can argue that they’re wrong, that they don’t get it, and that’s true, but there are still plenty of people who believe that open source, that anything with downloadable source code, is in fact completely free and in the public domain, available for them to do anything they’d like.