
Legal

Java License Fallout Continues Impacting IBM i Shops

Filed under
Development
Legal

Oracle’s decision to restrict the previously free distribution of Java version 8 tools and runtimes is impacting the entire IT industry. In our little neck of the woods, the decision to charge businesses for using Oracle’s Java has forced IBM i shops to take a hard look at the technology platform, and in some cases look for alternative solutions.

Oracle ruffled feathers in the Java community in 2017, when it made substantial changes to its Java roadmap. The company announced that Java Standard Edition (SE) version 8, which is a legacy version of Java but is still in widespread use, “will not be available for business, commercial or production use without a commercial license” after January 2019. Licenses for Java SE 8 could be purchased for $30 per desktop per year or $300 per processor for server licenses.

Oracle’s stated plan for the move was to accelerate the development and release cycle for Java in a bid to keep up with today’s fast-paced DevOps environments (and perhaps part of its unstated plan, which was to squeeze Java users for revenue). The tech giant and the Java community hammered out Java SE versions 9 and 10 in quick fashion, in late 2017 and early 2018, respectively.


Graphics and Standards

Filed under
Graphics/Benchmarks
Web
Legal
  • SHADERed 1.2.3 Released With Support For 3D Textures & Audio Shaders

    SHADERed is the open-source, cross-platform project for creating and testing HLSL/GLSL shaders. While a version number of 1.2.3 may not seem like a big update, some notable additions can be found within this new SHADERed release.

  • Vulkan 1.1.125 Released With SPIR-V 1.4 Support

    Succeeding Vulkan 1.1.124 one week later is now Vulkan 1.1.125 with a lone new extension.

    Vulkan 1.1.125 has its usual clarifications and corrections to this graphics API specification. Meanwhile the new extension introduced in the overnight v1.1.125 release is VK_KHR_spirv_1_4.

  • Making Movies Accessible for Everyone

    For the first time, people who are deaf or hard of hearing will be able to enjoy the Nairobi leg of the Human Rights Watch Film Festival, opening on October 15.

Contributor License Agreement and Developer Certificate of Origin references

Filed under
OSS
Legal

In the last few years I have come across the CLA topic several times. It is and will be a popular topic in automotive the coming years, like in any industry that moves from being an Open Source Producer towards becoming an Open Source Contributor.

In my experience, many organizations take the CLA as a given by looking at the Googles, Microsofts or Intels of the world and replicate their model. But more and more organizations are learning about alternatives, even if they do not adopt them.

What I find interesting about discussing the alternatives is that it brings to the discussion the contributor perspective and not just the company one. This enriches the debate and, in some cases, leads to a more balanced framework between any organization behind a project and the contributor base, which benefits both.

Throughout these years I have read a lot about it but I have never written anything. It is one of those topics I do not feel comfortable enough to write about in public probably because I know lots of people more qualified than I am to do so. What I can do is to provide some articles and links that I like or that have been recommended to me in the past.


Invasion of The Ethical Licenses

Filed under
OSS
Legal

About 23 years ago, I created the Debian Free Software Guidelines to help the Debian developers decide what software was permissible to include in Debian, which aspired to be 100% Free Software, and what should be consigned to a “non-free” repository upon which Debian would never depend. Nine months later, those guidelines became the Open Source Definition, and I announced Open Source to the world.

                        
                        [...]
                        
                        Despite the seeming impossibility of its enforcement, the Vaccine License is the most professionally constructed of this pack, carefully targeting the approval process of the Open Source Initiative – and IMO missing it. But all three licenses appear to be unlikely to obtain the agreement of a court in enforcement, and scaling their requirements would be a sort of full-employment act for lawyers.

Let’s work through how these licenses would be enforced.

When these licenses are enforced, the copyright holder is the plaintiff, a fancy word for someone who makes a complaint. Their complaint is that the defendant, the licensee, committed a tort, a violation of civil law. The tort is copyright infringement.

The important point here is that the complaint isn’t that the license was violated, the complaint is that the defendant did not have a license at all, and is infringing copyright. The defendant then has to prove that they did have a license, and that they were obeying the license’s terms, or that the court should for some reason not honor those terms.

Licenses are also contracts, and thus the tort can be breach of contract. But contracts require the consent of both parties – the copyright holder, and the licensee. Real consent is indicated by signing the contract, but that doesn’t ever happen with this sort of license. Instead, there is a lesser indication of consent by the action of using, distributing, or modifying the software.


Digital Restrictions (DRM) Watch

Filed under
Security
Web
Legal
  • One Weird Law That Interferes With Security Research, Remix Culture, and Even Car Repair

    How can a single, ill-conceived law wreak havoc in so many ways? It prevents you from making remix videos. It blocks computer security research. It keeps those with print disabilities from reading ebooks. It makes it illegal to repair people's cars. It makes it harder to compete with tech companies by designing interoperable products. It's even been used in an attempt to block third-party ink cartridges for printers.

    It's hard to believe, but these are just some of the consequences of Section 1201 of the Digital Millennium Copyright Act, which gives legal teeth to "access controls" (like DRM). Courts have mostly interpreted the law as abandoning the traditional limitations on copyright's scope, such as fair use, in favor of a strict regime that penalizes any bypassing of access controls (such as DRM) on a copyrighted work regardless of your noninfringing purpose, regardless of the fact that you own that copy of the work.  

  • Spotify is Defective by Design

    I never used Spotify, since it contains DRM. Instead I still buy DRM-free CDs. Most of my audio collection is stored in free formats such as FLAC and Ogg Vorbis, or Red Book in the case of CDs; everything can be played by free players such as VLC or mpd.

    Spotify, which uses a central server, also spies on the listener. Every time you listen to a song, Spotify knows which song you have listened to and when and where. By contrast, free embedded operating systems such as Rockbox do not phone home. CDs can be bought anonymously and ripped using free software; there is no need for an internet connection.

Trademark Law Against Amazon's (Mis)Use of Elasticsearch

Filed under
OSS
Legal
  • AWS faces Elasticsearch lawsuit for trademark infringement

    Elasticsearch has sued AWS for trademark infringement and false advertising in connection with the cloud giant's recently released version of the widely used Elasticsearch distributed analytics and search engine.

    Elasticsearch Inc., or Elastic, is based on the open-source Lucene project and Elastic serves as originator and primary maintainer. Tensions flared in March when AWS, along with Expedia and Netflix, launched Open Distro for Elasticsearch. The release is fully open source compared with Elastic's version and was actually prompted by Elastic's weaving too much proprietary code into the main line over time, according to AWS.

  • Open Source Search Firm Accuses Amazon of Trademark Infringement

    O'Melveny & Myers is representing search engine Elasticsearch in a complaint that alleges Amazon is willfully infringing its mark by promoting competing search and analytics products.

Oracle demands $12K from network biz that doesn't use its software

Filed under
GNU
Linux
Software
Legal

Merula Limited, a UK-based network service provider, recently received a bill from Oracle for $12,200 for using the company's proprietary VirtualBox Extension Pack, which provides extra capabilities for the free GPL-licensed VirtualBox hypervisor.

For Richard Palmer, director of the company, this was a perplexing demand. As he explained to The Register, "Merula does not operate or manage any computer using VirtualBox or any Oracle software."

Oracle provided the company with a range of IP addresses, more than 100, that it claimed had been using its proprietary VirtualBox Extension Pack in conjunction with VirtualBox installations.

It's claimed that Oracle's software phones home to report where it's being used, though the company may be repurposing VirtualBox telemetry for its audits. Or it may simply be checking the IP addresses associated with downloads of the software and contacting address registrants to seek payment.


GNU: GIMP, FSF Licensing and Compliance Lab, Xiaomi Compliance

Filed under
GNU
Legal
  • Photoshop too expensive? Use these free alternatives instead

    GIMP (GNU Image Manipulation Program) is a downloadable, professional-grade photo editor with an extensive Photoshop-like collection of essential editing tools. In addition, GIMP boasts advanced filters and layer masks. Whether you want to add text, erase background or add texture to a photo, this no-cost editing software will meet your needs.

  • FSF Continuing Legal Education Seminar on GPL Enforcement and Legal Ethics

    The FSF Licensing and Compliance Lab will work with experienced lawyers and professionals to provide a full day continuing legal education (CLE) seminar on GPL Enforcement and Legal Ethics for legal professionals, law students, free software developers, and anyone interested in licensing issues.

  • Xiaomi Releases Android Pie Kernel Sources for Redmi Note 8, Note 8 Pro

    Xiaomi has often been criticized by FOSS proponents and developers for its failure to abide by the GNU General Public License v2 license, which governs open source software such as Android. The company has often either completely failed to release kernel sources for its smartphones and tablets, or released them long after the launch of the device, both of which are an outright violation of the GNU GPL license.

Introducing Craig Topham, FSF copyright and licensing associate

Filed under
GNU
Legal

My name is Craig Topham, and I’m the latest to have the honor of being a copyright and licensing associate for the Free Software Foundation (FSF). I started work in November, and the delay in assembling my introductory blog post is a testament to how busy I have been. Although my post feels late, it gives me a chance to share my experience here at the FSF, along with sharing a little bit more about myself.

From 2005 to 2017, I worked as a PC/Network Technician for the City of Eugene, Oregon. The role had the inherent reward of allowing me to be a part of something much larger than myself. I was helping local government function. From the mayor and city council all the way to the summer staff that worked the front desk at the recreation department's swimming pools, I was one of many making it all work. It was even a part of my job to support some free software the city used! Sadly, a vast majority of the software that we used was proprietary, but despite the painful duty of supporting nonfree software, the overall experience felt pretty great. As I close that chapter of my life with all the wonderful memories and marks made, I am beset with a wild sense of relief. Like finding a rock in my shoe after twelve years, the alleviation is palatable: I never have to labor to master proprietary software again!

For unknown reasons (which I contemplate often), I did not learn about the free software movement until 2004, despite a lifetime of using computers. Like so many before me, my initial education on the movement came via Free Software, Free Society: Selected Essays of Richard M. Stallman. What so instantaneously drew me to free software was the simplicity of the four freedoms: run, edit, share, contribute. These freedoms, coupled with the ethical nature of the movement, made it a natural fit for me. It did not take me long to realize that this is what I needed to soothe my “How can I make the world a better place?” angst. Inevitably, I became an FSF associate member on October 28, 2007 because it was (and still is) the easiest way to help out. If you are reading this and you are not a member, I encourage you to change that and help make the world a better place.


After Red Hat, Homebrew removes MongoDB from core formulas due to its Server Side Public License adoption

Filed under
OSS
Legal

In October last year, MongoDB announced that it’s switching to the Server Side Public License (SSPL). Since then, Red Hat dropped support for MongoDB in January from its Red Hat Enterprise Linux and Fedora. Now, Homebrew, a popular package manager for macOS, has removed MongoDB from the Homebrew core formulas since MongoDB was migrated to a non-open-source license.

[...]

In January this year, MongoDB received its first major blow when Red Hat dropped MongoDB over concerns related to its SSPL. Tom Callaway, the University outreach Team lead at Red Hat had said that SSPL is “intentionally crafted to be aggressively discriminatory towards a specific class of users. To consider the SSPL to be “Free” or “Open Source” causes that shadow to be cast across all other licenses in the FOSS ecosystem, even though none of them carry that risk.”

Subsequently, in February, Red Hat Satellite also decided to drop MongoDB and support PostgreSQL backend only. The Red Hat development team stated that PostgreSQL is a better solution in terms of the types of data and usage that Satellite requires.

In March, following all these changes, MongoDB withdrew the SSPL from the Open Source Initiative’s approval process. It was finally decided that SSPL will only require commercial users to open source their modified code, which means that any other user can still modify and use MongoDB code for free.



More in Tux Machines

Android Leftovers

Kernel Articles at LWN (Paywall Just Expired)

  • Filesystem sandboxing with eBPF

    Bijlani is focused on a specific type of sandbox: a filesystem sandbox. The idea is to restrict access to sensitive data when running these untrusted programs. The rules would need to be dynamic as the restrictions might need to change based on the program being run. Some examples he gave were to restrict access to the ~/.ssh/id_rsa* files or to only allow access to files of a specific type (e.g. only *.pdf for a PDF reader). He went through some of the existing solutions to show why they did not solve his problem, comparing them on five attributes: allowing dynamic policies, usable by unprivileged users, providing fine-grained control, meeting the security needs for running untrusted code, and avoiding excessive performance overhead. Unix discretionary access control (DAC)—file permissions, essentially—is available to unprivileged users, but fails most of the other measures. Most importantly, it does not suffice to keep untrusted code from accessing files owned by the user running the code. SELinux mandatory access control (MAC) does check most of the boxes (as can be seen in the talk slides [PDF]), but is not available to unprivileged users. Namespaces (or chroot()) can be used to isolate filesystems and parts of filesystems, but cannot enforce security policies, he said. Using LD_PRELOAD to intercept calls to filesystem operations (e.g. open() or write()) is a way for unprivileged users to enforce dynamic policies, but it can be bypassed fairly easily. System calls can be invoked directly, rather than going through the library calls, or files can be mapped with mmap(), which will allow I/O to the files without making system calls. Similarly, ptrace() can be used, but it suffers from time-of-check-to-time-of-use (TOCTTOU) races, which would allow the security protections to be bypassed.

  • Generalizing address-space isolation

    Linux systems have traditionally run with a single address space that is shared by user and kernel space. That changed with the advent of the Meltdown vulnerability, which forced the merging of kernel page-table isolation (KPTI) at the end of 2017. But, Mike Rapoport said during his 2019 Open Source Summit Europe talk, that may not be the end of the story for address-space isolation. There is a good case to be made for increasing the separation of address spaces, but implementing that may require some fundamental changes in how kernel memory management works. Currently, Linux systems still use a single address space, at least when they are running in kernel mode. It is efficient and convenient to have everything visible, but there are security benefits to be had from splitting the address space apart. Memory that is not actually mapped is a lot harder for an attacker to get at. The first step in that direction was KPTI. It has performance costs, especially around transitions between user and kernel space, but there was no other option that would address the Meltdown problem. For many, that's all the address-space isolation they would like to see, but that hasn't stopped Rapoport from working to expand its use.

  • Identifying buggy patches with machine learning

    The stable kernel releases are meant to contain as many important fixes as possible; to that end, the stable maintainers have been making use of a machine-learning system to identify patches that should be considered for a stable update. This exercise has had some success but, at the 2019 Open Source Summit Europe, Sasha Levin asked whether this process could be improved further. Might it be possible for a machine-learning system to identify patches that create bugs and intercept them, so that the fixes never become necessary? Any kernel patch that fixes a bug, Levin began, should include a tag marking it for the stable updates. Relying on that tag turns out to miss a lot of important fixes, though. About 3-4% of the mainline patch stream was being marked, but the number of patches that should be put into the stable releases is closer to 20% of the total. Rather than try to get developers to mark more patches, he developed his machine-learning system to identify fixes in the mainline patch stream automatically and queue them for manual review. This system uses a number of heuristics, he said. If the changelog contains language like "fixes" or "causes a panic", it's likely to be an important fix. Shorter patches tend to be candidates.

  • Next steps for kernel workflow improvement

    The kernel project's email-based development process is well established and has some strong defenders, but it is also showing its age. At the 2019 Kernel Maintainers Summit, it became clear that the kernel's processes are much in need of updating, and that the maintainers are beginning to understand that. It is one thing, though, to establish goals for an improved process; it is another to actually implement that process and convince developers to use it. At the 2019 Open Source Summit Europe, a group of 20 or so maintainers and developers met in the corner of a noisy exhibition hall to try to work out what some of the first steps in that direction might be. The meeting was organized and led by Konstantin Ryabitsev, who is in charge of kernel.org (among other responsibilities) at the Linux Foundation (LF). Developing the kernel by emailing patches is suboptimal, he said, especially when it comes to dovetailing with continuous-integration (CI) processes, but it still works well for many kernel developers. Any new processes will have to coexist with the old, or they will not be adopted. There are, it seems, some resources at the LF that can be directed toward improving the kernel's development processes, especially if it is clear that this work is something that the community wants.

Server Leftovers

  • Knative at 1: New Changes, New Opportunities

    This summer marked the one-year anniversary of Knative, an open-source project that provides the fundamental building blocks for serverless workloads in Kubernetes. In its relatively short life (so far), Knative is already delivering on its promise to boost organizations’ ability to leverage serverless and FaaS (functions as a service). Knative isn’t the only serverless offering for Kubernetes, but it has become a de-facto standard because it arguably has a richer set of features and can be integrated more smoothly than the competition. And the Knative project continues to evolve to address businesses’ changing needs. In the last year alone, the platform has seen many improvements, giving organizations looking to expand their use of Kubernetes through serverless new choices, new considerations and new opportunities.

  • Redis Labs Leverages Kubernetes to Automate Database Recovery

    Redis Labs today announced it has enhanced the Operator software for deploying its database on Kubernetes clusters to include an automatic cluster recovery that enables customers to manage a stateful service as if it were stateless. Announced at Redis Day, the latest version of Kubernetes Operator for Redis Enterprise makes it possible to spin up a new instance of a Redis database in minutes. Howard Ting, chief marketing officer for Redis Labs, says as Kubernetes has continued to gain traction, it became apparent that IT organizations need tools to provision Redis Enterprise for Kubernetes clusters. That requirement led Redis Labs to embrace Operator software for Kubernetes developed by CoreOS, which has since been acquired by Red Hat. IT teams can either opt to recover databases manually using Kubernetes Operator or configure the tool to recover databases automatically anytime a database goes offline. In either case, he says, all datasets are loaded and balanced across the cluster without any need for manual workflows.

  • Dare to Transform IT with SUSE Global Services

Audiocasts/Shows: FLOSS Weekly and Linux Headlines

  • FLOSS Weekly 555: Emissions API

    Emissions API is easy to access satellite-based emission data for everyone. The project strives to create an application interface that lowers the barrier to use the data for visualization and/or analysis.

  • 2019-11-13 | Linux Headlines

    It’s time to update your kernel again as yet more Intel security issues come to light, good news for container management and self-hosted collaboration, and Brave is finally ready for production.