Legal

Licensing in Mobile Devices (GPL Compliance)

  • Asus Zenfone Max M2 update brings EIS to the front camera, Max Pro M2 gets an update too

    So far, there have been mixed feelings about these two phones as the specs and price are impressive, but then the company ended up releasing the kernel source code for them that was encrypted. It’s required for an Android OEM to release the kernel source for their devices but releasing an encrypted file without proper means of decryption is pointless. This still ends up with ASUS violating the GPL and it’s not a good sign for the enthusiast community that was starting to swell around these two devices.

  • Nokia 7.1 and Nokia 6.1 Plus kernel source code now available for download

    HMD’s source code for Nokia Android smartphones is licensed under GPL or LGPL which allows source code distribution. And by distributing the source code the company also contributes to the open source community which in turn is beneficial to the end users. Visit Nokia’s official download page where you can find the source code for both the smartphones, Nokia 6.1 Plus and Nokia 7.1.

The Linux Foundation decides to ACT on compliance


Compliance is big… so big, in fact, that ‘they’ now have an Open Compliance Summit.

The last Open Compliance Summit was held in Yokohama in Japan at the tail end of last year — The Linux Foundation used it as a chance to load up on sushi and also announce a new project to help improve open source compliance tooling called Automated Compliance Tooling (ACT).

ACT is an umbrella brand that will host various open source projects related to compliance tooling — so the initial four projects to fall under ACT are: FOSSology (existing LF project); QMSTR (being contributed by Endocode); SPDX tools (existing LF project); Tern (being contributed by VMware).


FOSS Legal Matters

  • Top 10 FOSS legal developments in 2018

    The year 2018 was a year in which the FOSS business model demonstrated its success: IBM purchased Red Hat, Inc. for $34 billion. The FOSS ecosystem also celebrated its durability: OSI celebrated the 20th anniversary of the open source movement and Linux celebrated its 25th anniversary.

    Meanwhile, however, old legal problems returned. The year 2018 has also seen another significant increase in decisions in litigation involving FOSS issues, and several of these cases are very important. This increase in litigation is a reminder of the importance of an active compliance program for all corporations that use FOSS (which now means virtually all corporations). Continuing the tradition of looking back over the top ten legal developments in FOSS, my selection of the top ten issues for 2018 is as follows:

  • Legal Issues And Compliance Pertaining To Open Source Software

    An Open Source Software (OSS) is a kind of software with source code which can be modified, enhanced and inspected by ANYONE. In case of an OSS, a person may alter how the software works or improve it by adding features or fixing parts that do not work properly, by modifying the source code of the software program. This is different from a closed software, where only the person/organization that created the software has the capacity to alter it. OSS is preferable and is considered to be a better option for the users than the former, as it grants them more freedom in relation to a closed software. Some prime examples of OSS are the Apache HTTP Server, the e-commerce platform osCommerce, internet browsers like Mozilla Firefox and Chromium. Facebook, Google, and LinkedIn all release OSSs, so that developers may share knowledge, create solutions, and contribute towards the creation of stable and functional products. There are certain landmark judicial pronouncements in the field of OSS that hold paramount importance in deciding the future of OSS.

Licensing: 'Cloud' Trap, Substrate and Asus Kernel Code

  • Stormy weather: To stop cloud giants, some open-source software firms limit licenses

    A heated debate has erupted in the open-source software world that’s pitting startups against cloud computing giants.

    The furor concerns, of all things, new licensing terms, which software companies are adopting to thwart what they believe is unfair competition from cloud providers in general and Amazon Web Services Inc. in particular.

    It’s the latest development in the ongoing struggle by open-source developers to come up with sustainable business models built upon software that is essentially free. Open source has transformed the software industry, but only a few companies such as Red Hat Inc. — itself likely to be acquired by IBM Corp. in a recently announced deal — are consistently profitable.

  • Parity Introduces Substrate, a Blockchain Building Tool Suite

    The beta version of Substrate is authorized under the GNU General Public License, but the safe storage of the system will be transferred to an Apache 2.0 license to provide utmost developer independence. Parity will also offer professional help to organizations in view of the development of apps with a substratum.

  • Asus to release encrypted kernel sources for their ZenFone Max Pro M1, Max Pro M2 and Max M2

    The Asus ZenFone Max Pro M1 has been one of the more interesting smartphones from the company, especially in the budget segment in the past few years. The phone ticked a lot of boxes in terms of offering probably the best performance in its segment at that time along with a cleaner look with the stock Android. The Asus ZenFone Max Pro M2 follows the path set down by their predecessor and goes on to compete against the Xiaomi Redmi Note 6 Pro overcoming its predecessor’s shortcomings.

Free Software Licensing and Legal Challenges

  • Parity Launches Beta Version of Tool Stack for Building Blockchains

    The beta version of Substrate is licensed under the GNU General Public License, but in order to provide maximum developer freedom, the tool’s repository will be moved to an Apache 2.0 license.

  • The Cyclical Theory of Open Source

    But in a world in which appetites for open source software commercially are under threat from – among other areas – proprietary cloud based offerings, it is certainly possible that industry appetites and support for open source could be slowed if public models give way to private alternatives.

    Many of those that have resorted to problematic licenses, however, feel as if they’ve been left with little choice. In their view, they foot the bill for the majority of development on an open source asset, only to see a cloud provider pick up that code and offer it as a competitive service – often without so much as an acknowledgement of the open source codebase it’s derived from.

    The question facing these providers, and the market as a whole, is not whether or not the typical commercial open source vs cloud provider dynamic is optimal – it is clear that, while improving, it is not. The question rather is whether or not a license is an appropriate remedy for the issue.

  • Automated Compliance Tooling project announced, Code California launches, Tor funding, and more news

    When you think of open source projects, the first thing that comes to mind is probably code. There's more to it than that. One vital aspect of open source that doesn't get a lot of attention is license compliance. That could change, thanks to the ACT project that the Linux Foundation is launching.

    Short for Automated Compliance Tooling, ACT brings together four compliance projects: FOSSology, QMSTR, SPDX Tools, and Tern. The goal of ACT, according to the Linux Foundation, is to "consolidate investment in, and increase interoperability and usability of, open source compliance tooling." In the end, this will help users and companies more easily "find up-to-date and current compliance documentation."

  • Startups are taking on Amazon's cloud with a controversial new plan, but experts warn it could undermine the foundations of open source

    In response, three smaller software companies behind some of the open-source software that Amazon and others rely on — Confluent, Redis Labs, and MongoDB — have gone on the defensive. In recent months, they've made changes to their licensing that prevent cloud platforms from profiting from the open-source code that they develop. Open source can't be "free and unsustainable" research and development for tech giants, Confluent CEO Jay Kreps said last week.

  • Radio Gets Ridiculous

    Of course, he’s leveraging the analog conversion in the microcontroller as well as the ability to generate signals in software. You might think that’s going to be an anemic receiver. Granted, it won’t be a high fidelity long-range receiver, but it does interface with GNU Radio!

Freeriders in FOSS

  • Confluent joins Redis and MongoDB in restricting its open source licensing for competitors
  • Confluent Creates New 'Open Source' License to Stop Cloud Poaching

    The problem is that such restrictions run afoul of the Open Source Definition used by the Open Source Initiative, the standards organization that decides which licenses qualify as open source. The restriction also means that any code covered by the license probably can't be used within any other open source project.

  • John Sullivan - "Who wants you to think nobody uses the AGPL and why" (FOSDEM, Brussels, Belgium)

    The GNU Affero General Public License (AGPL) is an important tool for protecting user freedom on the network. Detractors have criticized it for being both too weak and too strong/demanding. In 2018, it was in the news more than ever. Are the interests of corporations that are afraid of their free code being turned into network services run by competitors starting to align with users losing their freedom to such services?

    Historically, the AGPL has been the target of criticism from entities that want to extinguish it. Some companies have banned it from their premises, sowed fear about how it operates, and propagated a myth that nobody is using it.

    Others claim that the AGPL is being used primarily by companies seeking to strong-arm downstream users into purchasing a proprietary version of the covered software -- by catching those users being out of compliance with the AGPL, and telling them that they must buy the software under a proprietary license to avoid being taken to court for copyright infringement.

    A third group of companies is now claiming that the AGPL doesn't go far enough to protect their software against being turned into services that deny users freedom -- though freedom may not be their primary concern.

    In fact, the AGPL is being used today by a variety of interesting and important projects, including ones started by governments, nonprofits, and even businesses. I'll highlight some illustrative examples. I'll also do my best to separate understandable concerns that people have about using the AGPL from attacks on user freedom masquerading as concerns, and see if there is any synergy between the concerns of the third group above and those of individual users.

    While not a full solution to the problems raised when users replace software running on their own machines with software running on someone else's machine, the AGPL is a tool that is being embraced and should be embraced even more.

Openwashing and FUD


Confluent 'Closing Down' in the Face of 'Cloud' Exploitation

  • After Amazon’s cloud encroaches on its turf, a startup is taking a stand: Open source can’t be ‘free and unsustainable R&D’ for tech giants

    In late November, Amazon Web Services announced it would sell a new service on its market-leading cloud called Amazon Managed Streaming for Kafka — a service that provides software that Amazon didn't create itself.

    This new service is based on Apache Kafka, an open source software project for handling large amounts of streaming data. AWS took Kafka and repackaged it as a paid cloud service — something completely legal, as open source software is free for anyone to use as they wish.

    Originally created at LinkedIn, the engineers who started Kafka made their own company around the software, called Confluent. At the time the service was revealed, Confluent CEO Jay Kreps told Business Insider that it wasn't worried about Amazon's move, saying "I don't think this announcement will impact our business."

  • Concerned about cloud providers, Confluent becomes latest open-source company to set new restrictions on usage

    Another open-source enterprise technology company is walling off parts of its software from cloud infrastructure providers.

    Confluent announced Friday morning that it is changing the terms of the licenses around several of the real-time data streaming open-source projects it has developed. Several components will no longer be available under the widely used and very permissible Apache 2.0 license: instead, they will be offered under a new license called Confluent Community License that is very similar to the Apache 2.0 license except for a clear restriction on providing KSQL and several other components as cloud services.

FSF Licensing and Compliance Lab: 2018 and the future


I am the current licensing and compliance manager for the FSF, though I've had several roles in my time here. The Lab handles all the free software licensing work for the FSF. Copyleft is the best legal tool we have for protecting the rights of users, and the Lab makes sure that tool is at full power by providing fundamental licensing education. From publishing articles and resources on free software licensing, to doing license compliance work for the GNU Project, to handling our certification programs like Respects Your Freedom, if there is a license involved, the Lab is on the case.

When I started working at the FSF part-time in 2008, the GNU General Public License version 3 (GPLv3) was only a year old. Our Respects Your Freedom certification program didn't yet exist. The Free Software Directory wasn't yet a wiki that could be updated by the community at large. Things have changed a lot over the years, as has our ability to help users to understand and share freely licensed works. I'd like to take just a moment as 2018 draws to a close to look back on some of the great work we accomplished.


Linux Foundation on Compliance and Openwashing Examples

  • A new ACT for open source compliance from The Linux Foundation

    What’s new in the world of open source? The Linux Foundation announced that they are launching a new tooling project for improving open source compliance. This new project’s goal is to ensure that when using open source projects, users understand what they are complying with.

    The Linux Foundation continues to be a leading beacon in the FOSS world, with worldwide events and over one million professionals enrolled in their free training courses. Just some of the successful projects that the Linux Foundation hosts include Rook, Node.js, Kubernetes, and Linkerd (which just got a fancy new UI makeover). You don’t have to look far to see names and noteworthy tools that you’re familiar with!

  • The Linux Foundation forms new Automated Compliance Tooling project

    “There are numerous open source compliance tooling projects but the majority are unfunded and have limited scope to build out robust usability or advanced features,” said Kate Stewart, senior director of strategic programs at The Linux Foundation. “We have also heard from many organizations that the tools that do exist do not meet their current needs. Forming a neutral body under The Linux Foundation to work on these issues will allow us to increase funding and support for the compliance tooling development community.”

    As part of the announcement, ACT is also welcoming two new projects that will be hosted at the Linux Foundation: OpenChain, a project that identifies key recommended processes for open-source management; and the Open Compliance Project, which will educate and help developers and companies better understand license requirements.

  • A Closer Look At Tesla's Open-Source Patent Pledge
  • Why Amazon's customer obsession should make it more open source friendly [Ed: What "customer obsession"? Amazon is a surveillance company whose biggest AWS customer is the CIA (with which it shares tons of data from all around the world).]

More in Tux Machines

Android Leftovers

Kernel Articles at LWN (Paywall Just Expired)

  • Filesystem sandboxing with eBPF

    Bijlani is focused on a specific type of sandbox: a filesystem sandbox. The idea is to restrict access to sensitive data when running these untrusted programs. The rules would need to be dynamic as the restrictions might need to change based on the program being run. Some examples he gave were to restrict access to the ~/.ssh/id_rsa* files or to only allow access to files of a specific type (e.g. only *.pdf for a PDF reader). He went through some of the existing solutions to show why they did not solve his problem, comparing them on five attributes: allowing dynamic policies, usable by unprivileged users, providing fine-grained control, meeting the security needs for running untrusted code, and avoiding excessive performance overhead. Unix discretionary access control (DAC)—file permissions, essentially—is available to unprivileged users, but fails most of the other measures. Most importantly, it does not suffice to keep untrusted code from accessing files owned by the user running the code. SELinux mandatory access control (MAC) does check most of the boxes (as can be seen in the talk slides [PDF]), but is not available to unprivileged users. Namespaces (or chroot()) can be used to isolate filesystems and parts of filesystems, but cannot enforce security policies, he said. Using LD_PRELOAD to intercept calls to filesystem operations (e.g. open() or write()) is a way for unprivileged users to enforce dynamic policies, but it can be bypassed fairly easily. System calls can be invoked directly, rather than going through the library calls, or files can be mapped with mmap(), which will allow I/O to the files without making system calls. Similarly, ptrace() can be used, but it suffers from time-of-check-to-time-of-use (TOCTTOU) races, which would allow the security protections to be bypassed.

  • Generalizing address-space isolation

    Linux systems have traditionally run with a single address space that is shared by user and kernel space. That changed with the advent of the Meltdown vulnerability, which forced the merging of kernel page-table isolation (KPTI) at the end of 2017. But, Mike Rapoport said during his 2019 Open Source Summit Europe talk, that may not be the end of the story for address-space isolation. There is a good case to be made for increasing the separation of address spaces, but implementing that may require some fundamental changes in how kernel memory management works. Currently, Linux systems still use a single address space, at least when they are running in kernel mode. It is efficient and convenient to have everything visible, but there are security benefits to be had from splitting the address space apart. Memory that is not actually mapped is a lot harder for an attacker to get at. The first step in that direction was KPTI. It has performance costs, especially around transitions between user and kernel space, but there was no other option that would address the Meltdown problem. For many, that's all the address-space isolation they would like to see, but that hasn't stopped Rapoport from working to expand its use.

  • Identifying buggy patches with machine learning

    The stable kernel releases are meant to contain as many important fixes as possible; to that end, the stable maintainers have been making use of a machine-learning system to identify patches that should be considered for a stable update. This exercise has had some success but, at the 2019 Open Source Summit Europe, Sasha Levin asked whether this process could be improved further. Might it be possible for a machine-learning system to identify patches that create bugs and intercept them, so that the fixes never become necessary? Any kernel patch that fixes a bug, Levin began, should include a tag marking it for the stable updates. Relying on that tag turns out to miss a lot of important fixes, though. About 3-4% of the mainline patch stream was being marked, but the number of patches that should be put into the stable releases is closer to 20% of the total. Rather than try to get developers to mark more patches, he developed his machine-learning system to identify fixes in the mainline patch stream automatically and queue them for manual review. This system uses a number of heuristics, he said. If the changelog contains language like "fixes" or "causes a panic", it's likely to be an important fix. Shorter patches tend to be candidates.

  • Next steps for kernel workflow improvement

    The kernel project's email-based development process is well established and has some strong defenders, but it is also showing its age. At the 2019 Kernel Maintainers Summit, it became clear that the kernel's processes are much in need of updating, and that the maintainers are beginning to understand that. It is one thing, though, to establish goals for an improved process; it is another to actually implement that process and convince developers to use it. At the 2019 Open Source Summit Europe, a group of 20 or so maintainers and developers met in the corner of a noisy exhibition hall to try to work out what some of the first steps in that direction might be. The meeting was organized and led by Konstantin Ryabitsev, who is in charge of kernel.org (among other responsibilities) at the Linux Foundation (LF). Developing the kernel by emailing patches is suboptimal, he said, especially when it comes to dovetailing with continuous-integration (CI) processes, but it still works well for many kernel developers. Any new processes will have to coexist with the old, or they will not be adopted. There are, it seems, some resources at the LF that can be directed toward improving the kernel's development processes, especially if it is clear that this work is something that the community wants.

Server Leftovers

  • Knative at 1: New Changes, New Opportunities

    This summer marked the one-year anniversary of Knative, an open-source project that provides the fundamental building blocks for serverless workloads in Kubernetes. In its relatively short life (so far), Knative is already delivering on its promise to boost organizations’ ability to leverage serverless and FaaS (functions as a service). Knative isn’t the only serverless offering for Kubernetes, but it has become a de-facto standard because it arguably has a richer set of features and can be integrated more smoothly than the competition. And the Knative project continues to evolve to address businesses’ changing needs. In the last year alone, the platform has seen many improvements, giving organizations looking to expand their use of Kubernetes through serverless new choices, new considerations and new opportunities.

  • Redis Labs Leverages Kubernetes to Automate Database Recovery

    Redis Labs today announced it has enhanced the Operator software for deploying its database on Kubernetes clusters to include an automatic cluster recovery that enables customers to manage a stateful service as if it were stateless. Announced at Redis Day, the latest version of Kubernetes Operator for Redis Enterprise makes it possible to spin up a new instance of a Redis database in minutes. Howard Ting, chief marketing officer for Redis Labs, says as Kubernetes has continued to gain traction, it became apparent that IT organizations need tools to provision Redis Enterprise for Kubernetes clusters. That requirement led Redis Labs to embrace Operator software for Kubernetes developed by CoreOS, which has since been acquired by Red Hat. IT teams can either opt to recover databases manually using Kubernetes Operator or configure the tool to recover databases automatically anytime a database goes offline. In either case, he says, all datasets are loaded and balanced across the cluster without any need for manual workflows.

  • Dare to Transform IT with SUSE Global Services

Audiocasts/Shows: FLOSS Weekly and Linux Headlines

  • FLOSS Weekly 555: Emissions API

    Emissions API is easy to access satellite-based emission data for everyone. The project strives to create an application interface that lowers the barrier to use the data for visualization and/or analysis.

  • 2019-11-13 | Linux Headlines

    It’s time to update your kernel again as yet more Intel security issues come to light, good news for container management and self-hosted collaboration, and Brave is finally ready for production.