Brilliant Photo!
Love it:)
Linux kernel developer Christoph Hellwig has sued VMware in Hamburg, Germany, over alleged violations of the GNU General Public License. Hellwig's suit, which is backed by New York-based advocacy group the Software Freedom Conservancy, alleges that VMware's proprietary ESXi hypervisor products use portions of the code that …
If you want to donate to help Conservancy:
http://sfconservancy.org/linux-compliance/vmware-lawsuit-appeal.html
There's a $50k challenge match at the moment, plus donations are tax deductible (in the USA at least). Full disclosure - I'm on the Board of Directors of the Conservancy.
For the sake of people who don't recognize the name, if you're actually Jeremy Allison then you're also one of the main developers of SAMBA, which is the widely used software which allows other operating systems to work with Microsoft's proprietary network file system. it is extensively used for both server and client applications.
"Not sure what your comment is trying to say though"
I'm just trying to say that you're a well known software developer who has played an important role with a major software project used by many people, and therefore somewhat of a celebrity in the IT industry. In other words, you've got a bit more credibility than the rest of us here when it comes to these sorts of issues. Congratulations on the good work you do.
No, that's tridge :-). Andrew Tridgell wrote both rsync and Samba. I just wrote Samba (we're co-authors on that).
It's an easy mistake to make, him being Australian and me being from Sheffield and all. Most people think we sound and look *exactly* alike (except for the old accent thing and the fact I'm probably 100lbs heavier :-).
Very good question. One way is to guess or work out the version of the Linux kernel allegedly used by Vmware in its vmkernel, compile that Linux kernel for x86 and compare common blocks of code between the two binaries – looking for shared function signatures.
It's happened in the past with Linux: people who spend hours looking at compiler output can spot similarities in other code. Obviously, there will be some small blocks that are the same (start and end of similar functions, for example), but chunks of copied code are easy to spot.
That's just one way. But essentially, you don't always need the source code. Binary analysis is possible.
C.
That's what the discovery phase of a trial is for, assuming it passes whatever test the judge would use to determine whether the case can go forward. VMware would be compelled to make its source code for vmkernel available to a third party expert under NDA, who would compare it with the Linux kernel. The expert would be paid for by the plaintiff.
Basically, the same thing SCO did when it tried to prove Linux stole its code.
As mentioned, the binary is enough. Such strong allegations usually don't happen unless they have already compared the binary and have found proof positive evidence. If you're thinking "S.C.O. did!", well no they didn't. They just flat out claimed shit belong to them, like saying "Jupiter? Yeh that's mine."
But I posted because there is also not so legal eagle ways too. i.e. Do you know someone that can get you the source?. People shun this and really don't talk about it these days, but it still happens. A notable incident 15 years ago was the Windows 98 source, which did anyone ever examine that for infringement?
The diff from Hell but yes, it's doable. I've had to intervene in binary a time or two without benefit of source. [And to make the big bucks in Double Jeopardy, do it without benefit of source or documentation.] There are tools, oft used in the security field, that help with the job immensely.
He is alleging copy of the SCSI subsystem. That is easy to prove without code by behaviour only. Linux SCSI subsystem as it is now was influenced by a multi-year pissing contest between Helwig himself + Linus on one side and Jörg Schilling on the other side. It does not behave in a way which is similar to any other SCSI system out there in existence. BSD, Solaris, Irix, AIX and Windows all behave differently and have distinct behaviour quirks which allow you to identify the underlying code by behaviour alone.
So if ESXi behaves in a manner which is identical to Linux that is sufficient ground for major suspicion. In addition to that there are various quirks, bugs which are not bugs but features, etc across the board. So, if ESXi replicates at least some of them that would be sufficient to ask the lawyers to prepare a subpoena.
All in all, it is an illustration of the old adage: "In how many places do you terminate a SCSI cable? In three - one end, the other end and terminate a black goat with a silver knife at new moon in the middle. Then it may work".
"""All in all, it is an illustration of the old adage: "In how many places do you terminate a SCSI cable? In three - one end, the other end and terminate a black goat with a silver knife at new moon in the middle. Then it may work"."""
You weren't one of those guys who confused the physical end of the bus with the last device by number in the chain were you?
Unremarked idiosyncracies can be a very powerful tool for proving ownership. Mapmakers have used this technique for at least 100 years, probably more. They will purposely insert 'mistakes', or extremely minor variations (possibly as small as a subtle shift in a pattern for swamps, or a street that ends 1/2 block short or has an extra bend in it), in several places around the map. Then if another map ever shows up with those glitches, it's proof that map was copied.
A software library could do that as well, without violating accuracy, numeric rigor, etc.
Discovery That is USA.
Not in other countries (Germany included) if memory serves me right - there the court usually appoints a mutually aggreable 3rd party to perform expert analysis.
Also, even in USA you are supposed to put on the table reasonable grounds for suspicion to trigger the discovery phase. It will be interesting to see what will be given in court for that part.
There is no problem. People are under the belief that a software license is a piece of the legal law, well it's not. I could write a license on underwear and it would be just as legal as one that is created by a private billion dollar company. BTW, I keep my perfectly valid software license written on my middle finger, want to read it?
VMWare flat out claiming that this allegation is "without merit" sounds suspiciously like stalling from the truth. Sadly, after reading VMWare's statement it looks like the fact is that VMWare is guilty and is running out of "Don't Be Evil" mantra. If you have a GNU kernel developer with strong accusations AND is willing to take you to court, that developer is more than likely to be correct.
What will be interesting to see is if that kernel developer is proven correct, then not only does the GNU show resilience, but it will also show that Linux kernel developers don't fuck around. That will help the entire GNU community grow stronger.
P.S. Don't wax the trolls, leave them streaky!
It's been tested in court and proven valid in the past. Just ask Cisco. They ended up paying when they realised the license isn't freebsd. You can't just take the code and do what you want with it.
You can also bet they won't be going the "a license isn't a legal document" route, as it would kind of kill the entire business if they did. A license is a private contract you agree to. It's not law, but a contract is enforceable. They do not respect the terms of the contract, you are allowed to sue. That's exactly what is going on here.
Just because you don't have to pay cash for the code, doesn't mean it doesn't come with obligations.
The thing with Cisco, IIRC, is that they were providing a version of GCC on their website as a binary. They themselves had received it from the chip vendor - who had not provided them with the source code. The developers can't sue the chip vendor (After all, they give no offer of the binary to developers) and Cisco isn't going to sue the chip vendor - they still want their chips.
Thus Cisco wanders off and decides not to donate engineering time to Linux.
I'm not saying the Cisco is whiter than white - but it's all shades of grey. I'm sure there are also companies who comply with the letter of the law on GPL that you wouldn't want developing for it.
(You are right, though - the licence does have obligations, (Just like the BSD licence - which most GPL developers seem to forget) just like any licence with Windriver or Microsoft or anybody else would)
"If you have a GNU kernel developer with strong accusations AND is willing to take you to court, that developer is more than likely to be correct."
Whilst not, wanting to appear pedantic Hellwig is a Linux dev. not a GNU one.
Apart from that I agree, Hellwig has better things to do than engage in litigation:
1) He's a senior Linux maintainer.
2) He isn't a lawyer.
3) Involving lawyers costs money, I know he is being funded but it still costs someone a lot to do this stuff.
This is an important case and I hope that sanity will prevail and that VMWare get what's coming to them. i.e. a kick in the arse and a bloody great bill for trying to taking the piss out of the GPL.
He's trolling. If he had something real to say, he would say it instead of just making vague,meaningless allusions
GPL is a source code license, VMWare (by the entire case's main objective) isn't redistributing source, they're distributing binaries - things like copyright come into play in those cases - not source code licenses. As somebody who regularly licenses stuff under BSD and GPLv2 from my perspective it's fairly nonsense. If VMWare can prove some sort of linkage to the original (kernel) source the entire case goes out the window - which is precisely why they're pan-handling rather than trying to get fast injunctive relief.
I said good luck the case doesn't pass the laugh test based both on reality and that I'm going to assume VMWare's lawyers are smarter than all of us.
It's been tested in court and proven valid in the past. Just ask Cisco.
In a US court - and they were sued over API copyright. The EU and the ECJ have been repeatedly clear that API copyrights block innovation and are not enforceable, even though it doesn't apply in this case.
GPL is a source code license, VMWare (by the entire case's main objective) isn't redistributing source, they're distributing binaries - things like copyright come into play in those cases - not source code licenses.
The issue isn't the distribution of the source, it is whether the binaries that VMware are distributing were created, at least in part, from source code which they acquired from somewhere else.
If they wrote the code themselves, they're in the clear. If they took source code from elsewhere and modified it then they are constrained by the terms of the license under which they obtained that source code.
Whether that code was open or closed source, and whether the license was BSD, GPLvx, CDDL or pretty much anything else apart from WTFPL, is irrelevant. If the code was supplied subject to a license, they must respect the terms of the license when they use it.
"GPL is a source code license, VMWare (by the entire case's main objective) isn't redistributing source, they're distributing binaries - things like copyright come into play in those cases - not source code licenses."
Ok, I'm curious. What do you think a "source code licence" is in this context?
As somebody who regularly licenses stuff under BSD and GPLv2 from my perspective it's fairly nonsense.
Hey Streaky, you might want to re-read the GPL, or you could well be the next one in court.
To sum up, if you include GPL source code in your work then your entire codebase becomes subject to the GPL, which means you have to make the source code available. So if they did copy something, no source from vmWare = GPL violation.
There can't be an IT company on the planet that isn't aware of this by now, we're always being asked to warrant we're GPL-clean to our customers.
> ... if you include GPL source code in your work then your entire codebase becomes subject to the GPL, which means you have to make the source code available.
Err no, that's one of the lies the anti-GPL brigade trot out.
You only need to provide the code to the part of your system that uses the GPL code.
Example, you have a big system but include a few utilities. One of those utilities (a separate executable binary) uses GPL code. Only the code to that utility must be made available on demand. The other utilities (which don't use or depend on the GPL code), and the bigger system (ditto) can still remain closed and secret.
Such distinctions are important. There are so many lies and misdirections used to discredit the GPL, we need to be accurate ourselves in defending it so as not to provide further ammunistion.
"Err no, that's one of the lies the anti-GPL brigade trot out.
You only need to provide the code to the part of your system that uses the GPL code."
Riiiight, the anti-GPL brigade trot out. Are they the same folks that assert that the whole source code has to be published if you statically link your code with some library released under GPL terms? You're aware of the fact that in this case the GPL expects you to release your own source code under GPL terms too, right?
"You only need to provide the code to the part of your system that uses the GPL code."
I appreciate the need for semantic accuracy on this topic, but my use of "entire codebase" here was intended to mean "the entire codebase (of everything that is linked to the GPL code)". I'm aware of the subtleties, but they're better covered elsewhere in depth. My back-of-envelope description is accurate enough, and certainly more accurate than Streaky's take on it, which is what I was getting at.
I appreciate the need for semantic accuracy on this topic, but my use of "entire codebase" here was intended to mean "the entire codebase (of everything that is linked to the GPL code)"
Is that the sound of all GNU/Linux's corporate benefactors/sponsors/commiters running away screaming that I can hear? Yep, that's what that'll be.
You use some GPL code that *links* non-statically to some GPLv2 code thereby all that code must be also GPLv2, and not only that - you must share it. That one must have them rolling in the aisles at OSS-Lawyer Con.
if you include GPL source code in your work then your entire codebase becomes subject to the GPL
No, it really doesn't.
Loving the downvotes, you're all confusing Stallman's "spirit" of the document with legal reality. If you want to donate feel free to go nuts, if they win it'll change the legal status quo. The entire GPLv3 exists is because v2 doesn't do what you think it does, and the entire reason not many projects (including the Linux kernel) don't use v3 is because nobody who is for all OSS, all the time, likes it - because it makes it extremely difficult for business to use OSS code and that doesn't help anybody.
@streaky - "GPL is a source code license, VMWare (by the entire case's main objective) isn't redistributing source, they're distributing binaries - things like copyright come into play in those cases - not source code licenses."
GPL is a copyright license for both source code and binaries. One of it's more well known features is that if you redistribute the binaries, you must also redistribute (or make available) the corresponding source code. What constitutes "redistribution" is well established under copyright law world wide.
@streaky - "In a US court"
There have been a number of successful lawsuits involving the GPL in German courts, probably more there than anywhere else in the world. Indeed the first lawsuit was in Germany. This record of success in Germany may have played a part in the SFC's decision to ask Hellwig to be their plaintiff so they could sue in a German court.
Lawsuits involving the GPL are relatively rare because when the company violating the copyright sits down with their lawyers, those lawyers read over the facts of the case and tell their clients they haven't a leg to stand on. On the other hand, the requirements for compliance with the terms of the license are generally pretty easy - just make the source code available. The people doing the suing generally aren't looking for a pound of flesh, they're just asking the court to make you comply with the terms of the licence or to stop redistributing the software.
For people who just want to use the software and not redistribute it, they don't even have to do that much. The terms of the license only kick in when you redistribute it to other parties. Using it yourself or within your company doesn't bring the redistribution clauses into play. El Reg for example can copy, mix, and match GPL source code and binaries with other software in the same way that VMWare did all they want so long as they don't redistribute it to users outside their own company.
Most use cases are much simpler. If you simply want to install copies of Debian Linux on 10 servers in your company's server rooms and use them to run web servers, SAMBA, or whatever, the GPL lets you do that without having to comply with the redistribution clauses. There's no need for your company to offer the source code to another party, even if you are using it to run a publicly accessible web site. However, your supplier of that software, Debian in this example, is required to offer the corresponding source code to you. However, they do that. Note that the GPL is a lot more lenient in this regards that most proprietary software licenses, since most proprietary licenses won't let you redistribute within your company (or even your household) without buying more licenses.
VMWare on the other hand is allegedly mixing Hellwig's software in with their own and redistributing that combination to their customers. This is where they are running into trouble.
This makes no sense whatsoever. Read your own statement and think about it.
Are you saying that one can legally loophole around the GPL by not distributing source code, while one of the key intents of the GPL is to force distribution, rather than dissimulation, of that very source code? Indeed if VMWare is actually re-using GPLed code, by distributing their source code then they would not be in breach.
Whether one likes the GPL or not, one can't fail to be unimpressed by what's sitting between your two ears.
>>".. Is patently (no pun intended) absurd. Open Source has real issues, legal and otherwise, be nice if ambulance chasers did something useful."
Sure, because you with your better knowledge of the law than the legal departments of all these corporations have spotted that the GPL has legal flaws that no-one else has been able to pin down.
"Linux kernel developer Christoph Hellwig has sued VMware in Hamburg, Germany, over alleged violations of the GNU General Public License."
It would be more technically correct to say that they are suing VMWare over violations of copyright laws on the grounds that VMWare having refused the terms of the GPL does not possess a valid software license for the code they are allegedly using.
You don't violate the license, you violate copyright law if you don't have a valid license. The GPL (any version) is just a straightforward software license with terms that are pretty easy to comply with.
I suspect that the details of this case will revolve around what constitutes a derived work and whether or not VMWare's product falls in that category.
This is similar to the situation which Microsoft faced over their Hyper-V para-virtualization drivers. These drivers were derived from Linux kernel code and thus violated the copyrights of those developers. In that case, Microsoft backed down once they realized they didn't have a leg to stand on in court and released the source code for the drivers. Rather interestingly, I read the source code after release and found that they seemed to also be derived from Xen, with the comments and variable names made extensive references to Xen.
According to the linked blog post, the issue kicked off over copyrights associated with Busybox, not with Linux. Busybox is a compact shell widely used in embedded systems. Hellwig was helping with this. While investigating this, they claim to have discovered that VMWare was allegedly violating some of Hellwig's own copyrights in Linux.
The post says "Hellwig is an extensive copyright holder in the portions of Linux that VMware misappropriated and used together in a single, new work without permission." In other words, it's software for which Hellwig holds the copyrights, and for which VMWare allegedly does not hold a valid license.
Hellwig is a contractor and consultant working in the storage business as well as doing storage related work on the Linux kernel. I rather imagine that if someone wants to use his expertise in a proprietary product, then he will expect to get paid for it. This is why a lot of software developers favour a GPL type license. If you want to either just use the software or jointly contribute to it, then they have no problem. If however you want to take someone's work for free and use it in a proprietary product, then it's no deal.
That doesn't meant however that Hellwig will settle for a pay-off from VMWare to settle the suit. Even if he were inclined to do so, there are likely so many other developers whose copyrights are also involved that it is unlikely that any agreement other than VMWare complying with the original license terms will satisfy them.
I should perhaps have picked a better title, since I really intended to add details, not disagree with you. The phrasing you used is a common short hand for these issues, and you do have to keep the pace up so our eyes don't glaze over.
I was mainly trying to inject some detail regarding the legal basis for these types of lawsuits, since some commentards (look up a few comments for an example) tend to get themselves twisted up in knots over what "violate the GPL" means and think that invalidating the license would be a successful defence strategy. Rather it's copyright law that VMWare are getting sued over, and claiming that the GPL is both a legally valid license and that they are fully in compliance with the terms of that license would be part of VMWare's defence (assuming any such code was indeed copied).
"the article doesn't mention Busybox"
The original blog post made me think that Hellwig originally got involved by helping them with the Busybox investigation, but upon re-reading it, I'm not so sure now. However, they do say in their FAQ that it was the during the Busybox investigation that SCF discovered the alleged copyright violations involving the Linux kernel.
"It's about Linux kernel source code (drivers, specifically)."
I'm not 100% sure that it's simply only "drivers". There's a good diagram on their FAQ page which shows the connection between VMWare's "vmkernel" and "vmklinux" which is derived from the Linux kernel. Hellwig has copyrights in the SCSI subsystem, SCSI drivers, and something called "radixtree", which is in another part of the kernel. It''s not just Hellwig's copyrights involved, but the SFC only needs one copyright holder to give legal standing, and bringing in too many people could cause problems with deciding jurisdiction.
http://sfconservancy.org/linux-compliance/linux-vs-vmkernel_en.png
The "vmklinux" is supposedly VMWare's "shim" layer between their own "vmkernel" and the parts of the Linux kernel which they copied. They may think that having a shim layer legally insulates their proprietary code from the Linux code they copied.The lawsuit, if it proceeds to court, will likely revolve around whether that is true or not.
VMWare's latest product by the way is bypassing the "vmklinux" shim to use their own native drivers directly. However, they have a big problem of lack of drivers, so they still use the "vmklinux" shim to use Linux drivers for hardware they don't support natively.
Don't take the above as me lecturing you. I've simply gone beyond what is needed for a simple reply to you to avoid splitting this up into two posts.
Thank you for your informative posts.
> The "vmklinux" is supposedly VMWare's "shim" layer between their own
> "vmkernel" and the parts of the Linux kernel which they copied. They
> may think that having a shim layer legally insulates their proprietary code
> from the Linux code they copied.The lawsuit, if it proceeds to court, will
> likely revolve around whether that is true or not.
This is where my speculation differs from yours. My understandig is that VMWare provides the source code for the yellow vmklinux part plus drivers. The lawsuit probably then hinges on the question whether the red vmkernel part makes "use" of the code in the yellow vmklinux.
My assumption is that VMWare is going to argue that
a) the red vmkernel part does not "use" the yellow vmklinux. "Use" under German copyright law is essentially copying, redistribution and modification of a piece of software. "Copying" is understood broadly and usually comprises the execution of code in a processor. Since vmkernel apparently loads vmklinux, Mr. Hellwig might claim copying.
b) that copying vmklinux was permissible under the GPL-2 because VMWare apparently provides the source code of this part of software. Mr. Hellwig might argue that clause 3 of the GPL-2 (requiring avaliablity of the source code) extends to derivative works under clause 2 of the GPL-2 and thus also to vmkernel. He would then need to show that vmkernel is a derivative work under clause 2 and as defined in the GPL-2.
c) if Mr. Hellwig succeeds under b), VMWare might be able to claim the exception in section 24 of the German copyright code: A work that stands on its own while relying on another work may be independently copied and distributed by the creator of the new work. VMWare would still need to comply with the GPL-2 with regard to distributing vmklinux but would be free to distribute vmkernel under its own terms. Whether vmkernel stands on its according to the exception would mainly depend on how original vmkernel is and is a question of law (as opposed to a question of fact). Questions of law are determined by the court, not by an expert but the court may chose to hear facts from an expert regarding software technology.
My speculation is that if Mr. Hellwig succeeds with a) through c), the court most likely will award him a claim to require VMWare to cease and desist from copying and distribution. I can not quite see that an award for damages in the form of publication of vmkernel might be awarded (and I have no idea whether it was even claimed).
Please note: This is - of course - pure speculation.
@Radbruch1929 - "He would then need to show that vmkernel is a derivative work under clause 2 and as defined in the GPL-2"
As a minor point, what constitutes a "derivative work" is actually defined by copyright law. What clause 2 is doing is saying that you are allowed to make derivative works, and then clarifies the terms that derivative works must comply with under the terms of the license. Generally, it's that the distribution terms of derivative works must be compatible with the original license (GPL). Most proprietary licenses simply state that no derivative works are allowed, period, which is why this question doesn't come up in those cases.
VMWare's case will however indeed hinge upon whether "vmkernel" is a derivative work. Their problem will be that vmkernel is not, so far as I am away, a pre-existing work, but rather one which originally always used parts of Linux.
Nvidia's proprietary binary graphics driver also uses a shim layer. However, in their case they took their existing Windows driver and used the shim layer to adapt it to the Linux kernel. Furthermore, the main use of that driver is for use with Windows, not Linux. These two reasons taken together are why most people believe it isn't a derivative of the Linux kernel (although a few people disagree with that).
VMWare has recently added the ability to use their own drivers, but that won't change history and thus won't suffice to turn their existing software into "non derivative" status (if it was a derivative). Furthermore, there is the question of past copyright violations which aren't cured by simply stopping now.
@thames:
Thank you for your answer. We violently agree: The license can not extend the copyright of the original copyright holder to other works. It can limit the reach though and this is what IMHO section 2 of the GPL might have done. It may be possible to read section 2 in a way that it restricts the copyright claims for the original work to a derivative work that resulted from a modification of the original software. This might exclude derivative works that consists of code only calling the original code in an obvious and trivial manner.
Everyone knows the best way to subvert the GPL is with DBus in kernel space (kdbus). At least if they have been paying attention to RedHat for the last few years they do. Why link in GPL code when you can call it nearly as fast (or at least fast enough for most purposes) with DBus and not have to share your code.
Of course in this case the accusation is that VMWare are doing a lot more than just linking in GPL code but wanted to point out a perfectly legally if morally bankrupt way to subvert the GPL which people will be waking up to very soon which the lawyers won't be able to fix.
This post has been deleted by its author
This post has been deleted by its author
and publish that bloody source code! Heck, it's nothing but some SCSI module. They made huge amounts of money piggy-backing on Linux and all the community is asking them now is to pay minimal respect to that copyright like anybody else is doing. Even Microsoft did it and they're still well and alive.
Will VMWare get away with simply saying "oops sorry" and rushing out a patch that uses the scsi routines from FreeBSD or simply publish the code to that small module.
So sending a message to every other corporation that you can rip off GPL and even if you are caught, and even if the other side do sue, and even if you don't manage to simply drag on the case until the developer's legal bills bankrupt him - there is no real penalty.
Or will they be fined the $20,000 / copy that a teenager would get for downloading MP3s