
Why I don't use the GPL - georgecmu
http://www.kaybee.org/~kirk/GPL.html
======
iuguy
While I respect the author's choice, I have to disagree over the point about
people contributing to the codebase.

I've spent the past two years reverse engineering products _built on Linux_
with no source code or build chain available. Last week I spent two days
breaking into an embedded Linux device that runs alongside entire families of
motherboards using an almost completely open stack with no attribution, no
contribution and no source code release. The authors (both the OEM and the
motherboard manufacturer) as far as I can tell do not contribute to any of the
projects I've identified on the board from their official email addresses or
in a professional capacity.

When you start looking at MiFi hotspots it's even worse. I did a talk last
year at BlackHat EU on one example[1] where I finally managed to get the
developers to fess up the source.

[1] - <http://media.blackhat.com/bh-eu-12/Lord/bh-eu-12-Lord-Hotspot-Slides.pdf>

~~~
jcr
For those interested in seeing the BlackHat video presentation by Steve Lord
(hn:iuguy):

<https://www.blackhat.com/html/bh-eu-12/bh-eu-12-archives.html#lord>

At the time the idea of "required sharing" was put forward by RMS (1985 or
so), it was a serious improvement over the status quo of proprietary software
protected by confusing licensing terms.

Trying to redefine the terms "free," "freedom," and "liberty" to mean
"restricted," "required," and "threat of legal harm" is dishonest rhetoric.
The GNU/FSF should be more honest and direct by clearly describing their
license as "sharing required."

The existence of commonly used "sharing required" licenses like the GPL, and
LGPL, and LLGPL, and ... has been beneficial in a lot of different ways. The
primary way it has been beneficial over the years has been in how it very
successfully nudges reluctant industry players towards releasing source code.
The _requirement_ of sharing has shown industry the advantages of sharing code
when they were previously fixated on the competitive advantages of not
releasing code.

In the early days, the older BSD/MIT/ISC/PublicDomain licenses (well, public
domain is not formally a license but you get the point), were insufficient to
convince industry players to give up the competitive advantages of proprietary
licenses and closed source software for the competitive advantages of
collaboration through open source.

Times have changed, but not much. Licenses on open source code are still
violated constantly by closed source vendors. It's not just a GPL problem;
there's tons of proprietary closed source programs out there that fail to live
up to either the "attribution" clause or the old "advertising" clause of the
BSD-ish licenses. It really doesn't matter if your license of choice has an
inherited "sharing required" clause, since it will still get lifted and
incorporated into closed source, proprietary programs. Unless you have tons of
time and money to waste in chasing the violators, your preferred license terms
really don't matter.

The most interesting thing about violations of open source licenses is the
reverse engineering perspective. When you're able to identify the misused open
source code within an executable binary, you can then use fingerprinting of
the open source to better understand the closed source binaries. If you're
curious about this kind of identification and program understanding in reverse
engineering, you should look into the FLIRT and FLARE features of the IDA Pro
disassembler.

~~~
iuguy
> The most interesting thing about violations of open source licenses is the
> reverse engineering perspective. When you're able to identify the misused
> open source code within an executable binary, you can then use
> fingerprinting of the open source to better understand the closed source
> binaries. If you're curious about this kind of identification and program
> understanding in reverse engineering, you should look into the FLIRT and
> FLARE features of the IDA Pro disassembler.

For Linux-based devices more often than not they use a uImage loader with one
of 3 filesystems (JFFS2, Squashfs, CramFS), so once you've got around whatever
encryption or encapsulation's in the image (I typically generate a picture
graphing bytes to spot entropy, a technique I shamelessly stole from Don A.
Bailey) you can normally run something like binwalk[1] to identify the
filesystems and dd them out using a small shell script. I typically mount each
resulting image and extract the contents then unmount. You can usually spot
the open source bits by looking at binary names, strings and the way they're
linked.

Most Linux-based devices use common distros based on SBCs with uClibc and are
either ARM or MIPS based. I'm slightly biased towards ARM because of the
hotspot work but there's a lot of Broadcom SBCs out there running *wrt
variants.

If anyone's interested, I'll be at #44Café[2] this Tuesday talking about
breaking into onboard BMCs used for IPMI-based management. Again, GPL
violations ahoy.

[1] - <https://code.google.com/p/binwalk/>

[2] - <http://44con.com/44cafe>
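
The entropy-then-signature workflow described in the comment above, as an added example that is not part of the original comment and is not binwalk's code. The function names, the `firmware.bin` filename and the sample image are assumptions made for illustration; the image is constructed inline so the block runs offline.

```python
import math

# Magic bytes for the loader and filesystems named above (JFFS2 is omitted:
# its two-byte magic needs node-header validation to avoid false hits).
SIGNATURES = {
    b"\x27\x05\x19\x56": "uimage",
    b"hsqs": "squashfs-le",
    b"sqsh": "squashfs-be",
    b"\x45\x3d\xcd\x28": "cramfs-le",
}

def block_entropy(data, block=1024):
    """Shannon entropy in bits/byte per block; values near 8.0 mean
    compressed or encrypted content, values near 0 mean padding."""
    result = []
    for off in range(0, len(data), block):
        chunk = data[off:off + block]
        counts = [0] * 256
        for byte in chunk:
            counts[byte] += 1
        h = -sum(c / len(chunk) * math.log2(c / len(chunk)) for c in counts if c)
        result.append((off, h))
    return result

def scan_signatures(data):
    """Return sorted (offset, name) for every magic-byte match."""
    hits = []
    for magic, name in SIGNATURES.items():
        pos = data.find(magic)
        while pos != -1:
            hits.append((pos, name))
            pos = data.find(magic, pos + 1)
    return sorted(hits)

def dd_commands(data, hits, image="firmware.bin"):
    """One dd line per hit; count runs to the next hit, an upper bound on size."""
    ends = [off for off, _ in hits[1:]] + [len(data)]
    return [f"dd if={image} of={off:#x}.{name} bs=1 skip={off} count={end - off}"
            for (off, name), end in zip(hits, ends)]

def build_sample():
    """Constructed image: header, filesystem stand-in, erased flash, second filesystem."""
    dense = bytes(range(256)) * 8            # stand-in for compressed data
    return (b"\x27\x05\x19\x56".ljust(1024, b"\x00")
            + b"hsqs" + dense[:2044]
            + b"\xff" * 1024
            + b"\x45\x3d\xcd\x28".ljust(1024, b"\x00"))

if __name__ == "__main__":
    img = build_sample()
    for off, h in block_entropy(img):
        print(f"{off:#07x} {h:4.2f} {'#' * round(h * 4)}")
    print(*dd_commands(img, scan_signatures(img)), sep="\n")
```

A whole image that sits near 8 bits/byte with no signature hits points to an encrypted or wrapped container; flat low-entropy runs between hits are usually erased flash or alignment padding.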

~~~
jcr
Thanks for the 44con invite. It looks like fun, but I'm nowhere near there.
Also, your BlackHat presentation was excellent, and surprisingly, I'm actually
planning on watching it again to lift the details.

I'm curious if you've touched any of the Verizon "MiFi" devices?

I've started mildly poking at a MiFi4620LE (4G LTE "jetpack") recently, but
not very seriously -- it's not mine personally and it's on a corporate account
so I've been promised (read: threatened) to not mess with it too much. ;-)

It's extremely fast but the double (p)NAT'ing is annoying, i.e. it provides
access to client devices via NAT to priv address space, but its upstream
interface is also NAT'ed by the carrier and in priv address space.

So far I've figured out how to talk to it over USB, but I want to get it into
"stupid" mode and talk directly to its internal modem. I want it to just be a
dumb modem with a public address(es). I'm fairly sure there's a way to do it,
but I just need to figure out how to do it. If I can get at the serial port,
then it's game over.

~~~
iuguy
The MiFi4620LE is actually from the Novatel 4620L family and looks similar
from what I can discern to the Novatel 3352 that I have.

Novatel are horrible to deal with. They close their platform, don't release
any firmware updates whatsoever and ship broken kit based almost entirely on
open source software while never releasing the source they're legally obliged
to provide. You need to avoid these guys if possible.

The double NATing might be the 4G network. It's not uncommon to go from
RFC1918 (you to device) to P2P device - mobile infrastructure to RFC1918 to
boundary and onto the Internet.

If you take the case apart you should find a set of 5 blobs or holes usually
in a row that might indicate a JTAG interface, and with a bit of kit you
should be able to get your serial port. I've not looked at my 3352 yet because
the case doesn't come apart easily and I've mainly been playing with a much
more hackable TP-Link device (the WR-703N).

If it's like the 3352 it'll run a custom 'MifiOS' that has a ton of useless
little api calls to feed javascript widgets on the web interface for things
like geolocation and other pointless things.

------
kostya-kow
In a sense, GPL is not free. It is free as in "freedom for society," but it is
not free in a selfish, individualistic way. It does _not_ give you freedom to
not respect other people's freedom.

By using GPL, you sacrifice some of your personal freedom for the good of
society.

But this is sometimes necessary for progress.

> A majority of companies have already decided that their product will be
> closed-source before they even started designing it.

Such a close-minded company does not deserve to benefit from FLOSS Software.
If more organizations release their code under GPL, it will give this group of
organizations an advantage over the ones who prefer closed source license.

You can also just dual-license it, and give the companies that want to use
your software in closed-source programs a chance to pay you money.

> If a closed-source company decides it could use some open-source code in its
> product, it will do one of two things (if the code is licensed under the GPL):
>
> 1\. Use the open-source code and not tell anybody
>
> 2\. Write their own code from scratch

If an essential library/framework this company wants to use is licensed under
GPL, they may reconsider their decision to release software under closed-
source license. And if they are so stubborn as to not even consider using
FLOSS Software, then they do not deserve to exist. Newer, more innovative
companies will take their place, leveraging the benefits of FLOSS.

I also think Linux's popularity over BSD kernels is a great example of why GPL
is far better than all the permissive OSS licenses.

~~~
jiggy2011
They might reconsider the licensing, OTOH it would be just as likely that this
would create a market for companies to sell proprietary friendly libraries for
the sorts of things that are typically available under MIT/BSD etc today.

The risk would be that such a market would tempt talent away from the open
source ecosystem.

------
icebraining
_I have, however, come to the conclusion that software licensed under the GPL
is far from "free software"._

Not to take on OP himself, but this kind of semantic argument gets tiring.

Free Software is a name for a concept that essentially means, "all software
that gives the user the four freedoms stated in its definition." The whole
discussion around what it means for software to really be Free is a pointless
red herring.

------
jeffdavis
I have thought for a while that the FSF made a miscalculation with the GPL.
The focus of the GPL is very much on the source code itself, as though having
it was everything. I think that was a reasonable assumption to make at the
time, but I don't think it reflects the current reality.

In reality, the code itself is somewhat of a liability -- a source of bugs and
a time sink when you try to make modifications. What you really want is the
end product and the flexibility to modify and improve it. To have the end
product you don't need the source at all, and to modify and improve it the
source is (nearly) necessary but not sufficient.

That has a few implications. One is that companies don't want to be burdened
with source code. They would prefer to share the burden with other users, as
long as they aren't giving away any competitive advantage they have. Win-win:
they keep the ability to improve and modify it as they need, but unload much
of the maintenance cost.

The GPL avoids a problem where people take an open source project and try to
drive it away with a closed-source product that is a little better. But that
doesn't really happen as far as I can see -- usually, releasing a closed-
source product based on an open source project is good for both.

------
ysapir
"The company is much more likely to work with the open-source developers"

This is an understatement. When you work with an open-source third-party
library/module in a commercial company, it is much easier for the company to
submit bugfix patches to the open source developers. The company probably has
access to a wider range of data (including proprietary client data that can't
be released) but which will highlight hard to find bugs. The code is open
source so it can debug the problem itself. But even if it is
MIT/BSD/Apache/etc, it makes more sense for the company to send back the
patches to be integrated. Otherwise, it has to maintain an unreleased patch-
list and re-apply it with every version update. If it does not apply cleanly,
it has to spend resources to update the patch to the changes in the new
version. It's developer time the company can use for better things.

Knowing this is one more reason I am also more likely to choose code released
under a permissive license than under GPL. I figure all things being equal, it
is probably better tested, better code.

~~~
kostya-kow
> The code is open source so it can debug the problem itself. But even if it is
> MIT/BSD/Apache/etc, it makes more sense for the company to send back the
> patches to be integrated. Otherwise, it has to maintain an unreleased patch-
> list and re-apply it with every version update. If it does not apply cleanly,
> it has to spend resources to update the patch to the changes in the new
> version. It's developer time the company can use for better things.

It would be much easier for those companies to contribute upstream, instead of
abusing loopholes in GPL.

------
fein
The reasons cited in the article are exactly why I release software under
wtfpl using a moniker.

Any of my code that I deem worthy of ridicule by the software community should
be as easy to use and modify as possible. The only way that I've found for the
purist in me to be satisfied is to allow complete freedom in the usage of code
that I produce.

------
mhogomchungu
As a copyright owner of source code, it's important to know there are two kinds
of users of your code, "end users" and "distributors".

Any person who gets the restrictions of the GPL is, by definition, "a
distributor" and GPL does not exist to protect and serve their interests and
that is why "distributors" complain about it.

If your primary customer is "end users", then GPL is the right license for
you; if your primary customer is "distributors", then BSD type of a license is a
proper license. There is a reason why both licenses exist, they serve different
purposes.

You changing from GPL to BSD type license could be an indication of you
changing who your primary audience is.

------
t_hozumi
What I don't like about GPL is that nobody can define "link" without
implementation detail.

I think there is no difference between linked modules and modules which are
connected by TCP/IP.

~~~
dalke
While you may think so, GPL is based on copyright, and it's what the copyright
law and courts say which count. Linked modules contain code covered under
copyright and hence is regulated by the GPL. A connection via TCP/IP does not.

It would be odd indeed to connect to Facebook's web site via TCP/IP, and claim
that the Facebook system and my TCP client code are all part of one system, so
Facebook has violated my copyright.

~~~
jcr
If you're curious about the legal side of linking in non-C languages, the
following legal analysis of the LLGPL (Lisp Lesser GNU Public License) is an
interesting read:

<http://www.ifosslr.org/ifosslr/article/view/75/146>

------
profquail
There was a good discussion on this topic earlier today, but somehow it
disappeared from the front page of HN:

<https://news.ycombinator.com/item?id=5580972>

------
mehrzad
I learned not much new from this. People have made this claim for years. The
author isn't some visionary for figuring this out, and I assume he doesn't
think he is. The point about financial benefit was interesting, however.

~~~
jkldotio
> People have made this claim for years.

Indeed, and this was published in the Linux Journal in 2002. It is an old
boring argument, it even includes the words "I'm not just trying to start a
holy war here", echoing the famous cut and paste Slashdot troll. Georgecmu,
who has over 6500 karma and who's been here quite a few years, knows exactly
what he's doing: trolling (and I have flagged this submission as it's so
obvious).

The Free Software Foundation is not half as dogmatic as people think either.
They have released software under MIT, and have a huge list of licences they
consider to be free. Pick the one that works for you.

~~~
icebraining
Stallman himself has advocated for non-copyleft free licenses when he
considered they would increase the total user freedom (particularly, by
helping Ogg take on MP3).

<https://lwn.net/2001/0301/a/rms-ov-license.php3>

------
PaulHoule
People have different viewpoints of what freedom means.

I am not against the GPL but I haven't used it on anything for 11 years and
would be less inclined to use a product if it is GPL and I'm thinking about
modifying it.

------
gillianseed
3\. Offer proprietary licences to companies who want to use it in a
proprietary product. The x264 devs make money on their GPL licenced code this
way for example.

