

Leaked Samsung exFat driver relicensed as GPL - synchronise
http://lists.gpl-violations.org/pipermail/legal/2013-July/004100.html

======
fpgeek
The github issue is amazing reading: [https://github.com/rxrz/exfat-
nofuse/issues/5](https://github.com/rxrz/exfat-nofuse/issues/5)

Normally you expect the copyright issues to be going in the other direction at
gpl-violations, but kudos to them for noticing the problem and dealing with it
quickly.

~~~
maaaats
> Basically, I did microsoft's job, they even owe me money for the time I've
> spent fixing the code to work on modern kernels and "throwing the GPL tag on
> it".

Wow.

~~~
skore
Oh it gets better. I had to stop reading the thread on Phoronix out of fear
that my brain would pop out of my head and leave for Portugal.

> People with emotional insecurities are trying to make up something
> depressing and horrible, point a finger and make lots of noise.

> For me it was just sad to see people complaining more often than being
> grateful or happy about something.

> I hope they will patent and release a license on negative thinking.[0]

Actually, the entire Phoronix thread is an amazing display of incompetence.

> Were do you assume "this source code is not under GPLv2"? Source of this
> please? This implementation (code) was on github, that says something to
> you? [1]

My mind is boggled so hard right now. This better be a conspiracy to discredit
FOSS, otherwise I'm losing yet another piece of trust in human sanity.

[0] [http://phoronix.com/forums/showthread.php?81642-Native-
Linux...](http://phoronix.com/forums/showthread.php?81642-Native-Linux-Kernel-
Module-Is-Out-For-Microsoft-exFAT&p=339638#post339638) [1]
[http://phoronix.com/forums/showthread.php?81642-Native-
Linux...](http://phoronix.com/forums/showthread.php?81642-Native-Linux-Kernel-
Module-Is-Out-For-Microsoft-exFAT&p=339294#post339294)

~~~
maaaats
Wow, again. Also found:

> Now, putting it publicly on github qualifies as distribution, and therefore
> this code is also under the GPLv2 license implicitly. The act has already
> been done, and even if it does contain copyrighted bits by MS, the released
> version is now forever GPL.

so, yeah.. by this logic I can take my company's code, put it on GitHub under
a GPL license and now everyone is free to use it under GPL. Doesn't matter
that I don't have the right to license it..

~~~
wisty
I can _sort of_ see is logic. If a company has a private stash of GPL code
(say, Google is running a special fork of Linux), and it gets leaked, even
though the leak was illegal the code might still be distributable under GPL.

But ... this code was never (afaik) legitimately GPL. Maybe Samsung had based
it on GPL code (in which case, it's GPL), but we'd need some proof.

~~~
coldpie
Here's a couple of related answers at the FSF GPL FAQ:
[http://www.gnu.org/licenses/gpl-
faq.html#InternalDistributio...](http://www.gnu.org/licenses/gpl-
faq.html#InternalDistribution)

Unfortunately, the question isn't really directly answered.

The most relevant passage seems to be, "If the [unwittingly distributed]
version in question is unpublished and considered by a company to be its trade
secret, then publishing it may be a violation of trade secret law, depending
on other circumstances. The GPL does not change that."

So I think a court would rule that the original leak does not qualify as
"distribution," and thus the company is not required to distribute the source
and everyone distributing the leaked code is under copyright violation.

~~~
Dylan16807
I was confused for a minute, then I remembered that you don't actually have to
accept the GPL as a user, only as an intentional distributor. So while the
base version is GPL, the private version isn't - by default it's a hybrid of
GPL and proprietary code.

~~~
read_again
Actually, you have to accept the license as a user to be able to use it.
However, you don't give up your right to keep any change for yourself if you
don't distribute it in a different format (e.g. binary). Whatever you do in
your house is your business. That's probably what you meant (in spirit so to
speak), though law wise it is very different.

~~~
Dylan16807
>Activities other than copying, distribution and modification are not covered
by this License; they are outside its scope.

Why do you say you have to accept it?

~~~
anon1385
Because running software involves making copies of that software. This
requires you to have permission from the copyright holder. The GPL provides
you with that permission, without adding any further conditions if the copies
are just for the purpose of running the software.

[http://www.digital-law-
online.info/lpdi1.0/treatise20.html](http://www.digital-law-
online.info/lpdi1.0/treatise20.html)

 _It is now well-accepted that copyright protects computer programs and other
digital information, whether they are in readable source code form or are an
executable program that is intended to be understood only by a computer.
Copies are made whenever the program is transferred from floppy disk to hard
disk or is read into the computer’s memory for execution, and those copies
will infringe the copyright of the computer program if they are not permitted
by the copyright owner or by copyright law._

~~~
Dylan16807
1\. Even if that's the current legal theory it's bullshit, and I can run code
without having copies in ram if I need to.

2\. 'if they are permitted by copyright law' Fair Use is part of copyright
law, has that specific defense been challenged when it comes to software
execution and caches in RAM?

~~~
dllthomas
Regarding 1, I really don't believe you can run code without copies, or copies
of a derivitave work, being made in the process.

That said, I can't read a book without reflections in my eyes...

~~~
Dylan16807
I could run it directly out of a ramdisk, or maybe transfer it to an embedded
processor that can run it directly off the flash chip without even a processor
cache. There's a whole variety of ridiculous things I could do to avoid the
ridiculous restriction.

In practice I would trust fair use and try to use such as a defense if sued.

~~~
dllthomas
> I could run it directly out of a ramdisk

Hard to do when you were shipped a DVD.

------
rquirk
Isn't this is a general trend with Android/Cyanogenmod hackers? If you go on
something like xda-developers then there's a sticky saying "please don't post
GPL violations".

Early Cyanogen releases were fast and loose with redistribution of Google
proprietary apps, which got the author in a spot of trouble IIRC. Right now
the distribution of these ROMS is IMO pretty suspect - they include whole
swathes of binary blobs that they really shouldn't be redistributing willy
nilly. If you want the proprietary pieces that belong to the manufacturer of
your phone, you should have to pull them off yourself. The ROM creators
shouldn't be pulling these bits off of their phones and re-distributing them.

The fact that so many prebaked ROMs are distributed though megaupload-alikes
is a bit of a giveaway as to the general philosophy of that community.

~~~
bad_user
Cyanogenmod ROMs aren't distributed with Google's apps anymore. If you want
Google's Play store and Gmail, one needs to download and install a separate
archive (I just did that yesterday :))

Of course, the distribution of that archive is still suspect. The licensing of
those apps is the only leverage Google has for controlling the companies that
distribute Android, like Samsung. It is meant for the likes of Samsung and
HTC, not Cyanogenmod, which is why I think Google lets it be for now.

On the other hand if you want to use bare-bones Android, the biggest pain one
experiences is the lack of Google Play. I can live without Gmail, I can live
without Google Maps, but unfortunately most apps are only on Google Play,
which is awkward, given that as a publisher with Android it isn't a big effort
to publish apps on your own website, in addition to Google Play.

~~~
rst
Unfortunately, bare-bones Android may get barer and more awkward over time, if
they migrate more services from the core OS into "Google Play Services". As an
example, the new geofencing APIs that they announced at the last Google I/O
(intended to replace the buggy core "proximity alerts") are part of "Google
Play Services", not the core OS --- and therefore not available on devices
which aren't part of the Play borg.

(To be fair, their announced reason for this is that it gives them a way to
make these APIs available on devices that aren't getting regular manufacturer
updates. That said, I'm sure it hasn't escaped their attention that it also
adds a point of differentiation between Play-enabled devices and, say, the
Kindle Fire...)

cite:
[http://developer.android.com/training/location/geofencing.ht...](http://developer.android.com/training/location/geofencing.html)
(Note that step one in using this API is verifying that Play Services is
installed.)

~~~
taeric
Meh. Don't know how much this really sucks the usability out of things. On my
Android, I confess I'm already so bought in to the Amazon ecosystem that I
almost resent the room that Play and the likes are taking up. Is particularly
obnoxious when the phone complains that I need to make room, and the only crap
I can't move to an SD card is the Google stuff.

~~~
scott_karana
The real issue there is that Android partitions its internal storage into
System and "Internal SD" space.

So your 8GB phone will only have 2GB that can hold apps. It's awful.

(Apparently this depends on the phone and OS version to a degree. It's true on
GT-i9100s running Android 4.0 at least, and true on all 2.x OSes)

~~~
brokenparser
Nexus devices use one big data partition for everything, so you won't have
that problem.

Downside is, no more offline backups or increasing the storage capacity by a
quick swap of the card.

~~~
scott_karana
Awesome. Thanks for clarifying that! :)

------
codgercoder
GPL, and probably other licenses, were constructed to work with copyright law.
Such cavalier dismissal (by rxrz) is disrespecting those who created the
licenses, the legal system, and the open source community, at large. We live
in the real world, not "The Matrix".

~~~
yareally
Sadly, this is a typical thing that goes on in the Android User development
community. Lots of casual attitudes by hobbyists that modify the Linux Kernel
and rattle off some sort of excuse for not posting their sources while
distributing binary copies.

Others end up "relicensing" similar to the guy on github, thinking that
because they changed a few lines of code, they can claim to own the license to
the software now. I'd say that is probably much more prevalent since there's a
general assumption by many that the license most Android based software uses,
Apache 2.0 means "do whatever you want".

Even worse is the fact that many users in the community are also quick to
defend them blindly because they know little of development and why following
licenses matter (even after all the facts are laid out and explained).

~~~
Svip
> _Others end up "relicensing" similar to the guy on github, [...]_

Hmmm...

[https://github.com/rxrz/exfat-
nofuse/issues/5#issuecomment-2...](https://github.com/rxrz/exfat-
nofuse/issues/5#issuecomment-21393678) :

> _And I don 't need any permissions from anybody, I'm a big girl._

Fun fact: Females also do stupid stuff.

~~~
vog
Among all aspects of that discussion, the author's gender is about the most
uninteresting detail. "Hackers should be judged by their hacking, not criteria
such as degrees, age, race, sex, or position."

~~~
yareally
Agreed. I didn't even take the time to find out what their gender was since
it's not any related issue. "Guy" was just used in a generic sense[1].

[1]
[http://www.quickanddirtytips.com/education/grammar/generic-s...](http://www.quickanddirtytips.com/education/grammar/generic-
singular-pronouns?page=all)

~~~
Svip
I apologise, I am not familiar enough with the usage of 'guy' to know it is
generic in singular (I know it is in plural).

~~~
yareally
No worries :). I just think of it as another way of saying "dude".

~~~
ars
Bad example because officially dude is also male. The female is dudine,
dudette, or dudess.

But like like guy, dude because gender neutral in common speech.

~~~
king_jester
Just to nitpick, guy and dude are not gender neutral, they just happened to be
heavily used by the community in general, mostly because people assume users
are men by default.

~~~
Dylan16807
Speak for yourself. A lot of people use it as a real gender neutral.

~~~
brewski
For a different point of view see
[http://www.cs.virginia.edu/~evans/cs655/readings/purity.html](http://www.cs.virginia.edu/~evans/cs655/readings/purity.html)

~~~
Dylan16807
There are two related but subtly different uses here. A word like 'he' is a
_default_ , which can lead to problematic implications. A word like 'guy', to
some people, is a true neutral, implying gender no more than the word
'somebody'.

Even if we were talking about 'he', your link would be out of place. Calling
out the use of a gendered default as bad is not in fact another point of view
on whether it _is_ the default.

~~~
brewski
I have never heard of a female being addressed as "guy". Phrases such as "hey
guy", "what's up guy" and so on have always been directed to a male.

~~~
yareally
Sometimes I will use it in a conversation when referring to a third party
unknown to the person I am talking to and the subject's gender has no bearing
(like in my first comment).

For example, "Oh, I know a guy that knows X," "I know a guy that is a fan of
X" or in a less positive manner "That guy just cut me off [on the freeway]!"
(since you rarely see who it might be and their gender doesn't matter)

I could say "dude" as well, but sometimes dude might be too informal. I could
reword it with a number of other pronouns, but it depends on context and whom
one is talking to.

------
ckozlowski
There's a severe fault in rxrz's logic here, if I'm following this correctly:

"This code was originally under a Samsung proprietary license" Wrong.

exfat_version.h:/* - 2012.04.02 : P1 : Change Module License to Samsung
Proprietary _/

this is version p2. I could've technically stripped those comments and changed
the version number to /_ \- 2012.02.10 : Release Version 1.1.0 */ But I
didn't. Originally, it was either public domain or GPL.

Nobody would've ever found out by the code alone, which version this actually
is."

Let me pull out the key statement here:

"Originally, it was either public domain or GPL."

That's an assumption. Samsung placed a license on it, and rxrz assumes that
prior to that, it must have been GPL or public domain. However, the driver was
unknown and didn't exist prior to rxrz's release. It seems likely something
could be classified as public domain when it was kept under lock and key.

My guess is, this was given a license when the code was finished and bundled
for distribution. Assuming otherwise seems dangerous, in my opinion.

------
thomasjames
The title makes it sound as though this has been accepted into the Linux
kernel when in fact it has not been. It is designed to work with the Linux
kernel but it is in no way associated with Linux. FUD much?

~~~
gngeal
Did Samsung, in fact, distribute the code in Android devices? If the answer is
"yes", wouldn't that make it GPLd?

~~~
Nursie
Not necessarily, no. There is a long history of people releasing closed source
drivers, particularly on embedded platforms.

So far as I can tell the kernel devs think it's harmful and A Bad Thing (TM),
but not a violation.

Also as has been pointed out below, it wouldn't automatically make it GPL. It
would make it in violation of GPL and releasing under GPL would fix the
violation, but it wouldn't make it GPL.

~~~
regularfry
There's a 10-year-old post to LKML from Linus saying the GPL nature of kernel
modules is a huge grey area. I don't think it's been resolved since then.

~~~
susi22
Correct. Link:

[http://lkml.indiana.edu/hypermail/linux/kernel/0312.0/0670.h...](http://lkml.indiana.edu/hypermail/linux/kernel/0312.0/0670.html)

------
kristofferR
Samsung may not have intended it as such, but aren't all derivatives of GPL-
licenced code also GPL by definition?

~~~
effn
No. The authors of GPL-licensed code has no say in how other people license
their code they don't own the copyright on.

Derivatives of GPL-licensed code is either: 1\. GPL-licensed 2\. Illegal

If it's not explicitly 1 by the license on the derived work, it becomes 2. It
is not automatically "forced" into category 1.

~~~
andreasvc
By illegal you mean illegal to distribute. If Samsung used this code
internally and it was leaked accidentally, they are not in violation of the
GPL.

~~~
dmytrish
If Samsung ships binaries produced from this code to customers and this code
is derivative from GPL code, they _are_ in violation of the GPL.

------
ars
"Originally, it was either public domain or GPL."

He's claiming that this is actually GPL code that Samsung claimed as
proprietary (which they can't do). Is he wrong?

~~~
Nursie
It's hard to tell - there doesn't seem to be any proof of this and in the case
of leaked code I'd be wanting proof.

~~~
scotty79
I think judge should force Samsung to release all the information they have on
history of this code. After all Samsung is suspected of violating the license.
Shouldn't they be able to prove copyright before they can claim it?

~~~
Nursie
The only reference I've seen to suspected license violations is the assertion
in the git history that it was at one time under GPL or maybe public domain.
There's no provenance here.

I doubt this will ever get before a judge, more likely a combination of DMCA
takedowns and exclusion from the mainline kernel.

------
bjornsing
This is a quite interesting case from a legal standpoint. IANAL but my 5 cents
are:

* If it's true that Samsung distributed this driver as part of the Linux kernel source code tree then it is arguably a derivative work of the Linux kernel.

* If so then these two sections of the GPL seem relevant:

> 4\. You may not copy, modify, sublicense, or distribute the Program except
> as expressly provided under this License. Any attempt otherwise to copy,
> modify, sublicense or distribute the Program is void, and will automatically
> terminate your rights under this License. However, parties who have received
> copies, or rights, from you under this License will not have their licenses
> terminated so long as such parties remain in full compliance.

> 6\. Each time you redistribute the Program (or any work based on the
> Program), the recipient automatically receives a license from the original
> licensor to copy, distribute or modify the Program subject to these terms
> and conditions. You may not impose any further restrictions on the
> recipients' exercise of the rights granted herein. You are not responsible
> for enforcing compliance by third parties to this License.

* I'm not absolutely sure what that means for rxrz. Section 6 seems to imply that rxrz may have a license to the driver, and that that license is indeed the GPL. On the other hand section 4 seems to imply that the redistribution to rxrz was "void". Does that mean rxrz does not have the rights under section 6?

If I where rxrz I would at least toy with this idea: a) wait for the DMCA take
down notice, b) challenge it claiming to have a license under section 6 of the
GPL and c) hope that Samsung does not have the nerve to go to court and risk a
decision that would clarify that their license to the Linux kernel has been
irreversibly revoked. :)

But where does that leave us concerning legality? Is it clear that what rxrz
has done is illegal?

~~~
Nursie
>> If it's true that Samsung distributed this driver as part of the Linux
kernel source code tree then it is arguably a derivative work of the Linux
kernel.

Did Samsung really distribute the source if it was published by accident by
one employee?

Even if they did, it's under a proprietary license and it's not clear that
proprietary kernel modules are necessarily derivative works, they are
commonplace.

Even if they are derivative that may make Samsung in violation of the GPL but
not actually make their code covered (these are be separate issues).

And even if they are in violation, this usually has to be challenged by a
copyright holder, not simply by a recipient of the binaries. And that's if
rxrv even received any binaries...

Section 6 is interesting there - "Each time you redistribute the Program (or
any work based on the Program), the recipient automatically receives a license
from the original licensor to copy, distribute or modify the Program subject
to these terms and conditions."

I could see a lawyer arguing that the "Program" in clause 1 and 2 are the
same, but if you distribute a work based on the Program the recipient
automatically receives a license from the original licensor to copy,
distribute or modify the Program itself but _not_ the work based on the
Program, as that is not enumerated in clause 2.

And this is before we even get into the patent violations that any use of such
code involves.

~~~
bjornsing
> Even if they did, it's under a proprietary license and it's not clear that
> proprietary kernel modules are necessarily derivative works, they are
> commonplace.

True, proprietary kernel _modules_ are commonplace, and not necessarily
derivative works. But you very rarely see proprietary drivers "in-tree" (that
is where the source code file is placed into the Linux kernel source code tree
and built as part of the kernel build process). I remember reading an argument
by Torvalds that any driver built in that way is a derivative work of the
kernel (even if it is built into a module) but unfortunately I can't find it
now.

> Even if they are derivative that may make Samsung in violation of the GPL
> but not actually make their code covered (these are be separate issues).

Mmm... I'm not entirely sure... Normally I'm a "separate issues" kind of guy,
but here I'm hesitating...

To make this interesting let's say Samsung has distributed to rxrz in binary
form and that the driver is a derivative work. Then the driver is part of the
Program distributed to rxrz under the GPL and Samsung has granted rxrz this
right (as per section 1 of the GPLv2):

"You may copy and distribute verbatim copies of the Program's source code as
you receive it, in any medium, provided that you conspicuously and
appropriately publish on each copy an appropriate copyright notice and
disclaimer of warranty; keep intact all the notices that refer to this License
and to the absence of any warranty; and give any other recipients of the
Program a copy of this License along with the Program."

Isn't that exactly what rxrz has done? :) Why would rxrz not be allowed to
argue that in court? I agree that normally the issues are separate, but in my
mind the GPL ties them together in this case. I'm not saying that rxrz is
right, but it's not entirely clear-cut to me.

------
foxhill
you know, it'd be interesting to see what the open source community could
produce if we all took his approach to licences for a little while.

~~~
Nursie
A mess of lawsuits, withdrawn devices and shut down code repos most likely.

~~~
foxhill
i didn't necessarily mean for practical use, i just meant, what sort of
finished (hah) product could come out at the end!

~~~
Nursie
We might have better interop with proprietary software. Maybe. It's possible
that the BSDs would have more hardware support as they could just borrow it
from Linux.

Companies would probably keep an even tighter guard on their code. They may
stop contributing to FOSS completely without the protection of the GPL.

We'd probably find all sorts of weird binaries being thrown around the place,
as seems to happen in the android scene, where people just splice stuff
together without considering any of this stuff. Support and consistency would
be a nightmare. People would be less able to build on each others work as
there would be no necessity for anyone to publish anything if they didn't want
to or couldn't be bothered.

I don't think it would be any sort of utopia.

------
crististm
If it's a derivative work of the Linux kernel (links to internal kernel API)
it should be GPL. If Samsung distribute it to users then it should do that
under GPL.

Samsung should be the first to relicense it.

~~~
regularfry
Morally you might be right. Legally it's a grey area, and practically it's
almost certainly a no-go.

~~~
scotty79
So basically company can take your gpld code, extend it, slap their license on
the whole thing it and redistiribute binaries without the source code and
nobody can slap the gpl back on where it should be because it's a gray area?

~~~
siddboots
You can't, in general, do that.

The kernel developers and the FSF have always claimed that loadable modules
(like the exFat driver) are "derived works", which has a specific meaning in
copyright law. In particular, the GPL very clearly says that derived works
must be re-licensed under GPL.

The vendors claim that "derived works" doesn't include linked code, or plug-in
patterns. They say that they aren't really releasing their own kernel, just
releasing the stock kernel with a bunch of proprietary applications on top,
along with their proprietary kernel module.

Like that guy said, it's a gray area.

~~~
bjornsing
> The kernel developers and the FSF have always claimed that loadable modules
> (like the exFat driver) are "derived works"...

Not true [1].

1\. See e.g. [http://linuxmafia.com/faq/Kernel/proprietary-kernel-
modules....](http://linuxmafia.com/faq/Kernel/proprietary-kernel-
modules.html).

~~~
siddboots
Ah, sorry. I should not have been so blanket.

------
kawsper
When the code is out there, is it possible that a third-party will modify the
existing exFAT projects based on this "leak", and get them to work properly
and out of userspace?

~~~
drrotmos
It would be very bad if they do, since that would open the existing exFAT
projects up to legal action.

Anyone who has read the Samsung code is "tainted" with the knowledge of
Samsung's proprietary techniques which may be copyrighted, so those people may
well introduce copyright violations into the code.

In clean-room reverse engineering projects, the people who are examining the
system to be reverse engineered are never the same people that actually write
the new clean code, thus avoiding the taint of proprietary knowledge.

~~~
ordinary
Not just copyrighted. Microsoft claims a whole bunch of _patents_ related to
exFAT. This means you can't legally implement exFAT without a license to those
patents, even if you've never even seen the Samsung code. This is the reason
why exfat-fuse is not part of any large Linux distributions.

~~~
thwarted
It's also most likely one of the reasons exfat even exists: so Microsoft can
exercise some control and have licensing income from a filesystem format being
in common use, which they don't have/lost with FAT.

------
giis
latest commit says "Change Module License to Samsung Proprietary"

[https://github.com/rxrz/exfat-
nofuse/commit/dbf695748ab5e90a...](https://github.com/rxrz/exfat-
nofuse/commit/dbf695748ab5e90a48cf9987d84c3d8a3177491f)

------
mtgx
Why not just use this?

[http://linux.slashdot.org/story/13/01/23/2142213/open-
source...](http://linux.slashdot.org/story/13/01/23/2142213/open-source-exfat-
file-system-reaches-10-status)

~~~
exDM69
Apparently the Fuse-based driver hasn't got very good performance and is not
quite production quality yet (according to the Phoronix article).

In addition, the person who put the leaked driver on GitHub seems to have a
negative opinion on Fuse (in some of the forum threads where he's ranting),
which does not seem to be based on facts.

------
kbar13
the ways of the tin foil is strong with the repo's maintainer.

~~~
jezfromfuture
Do you really think its worth saying this considering how much of the tinfoil
conspiracy shit has become reality.....

------
bxc89
I agree with the actions of the repo maintainer.

Why should we play along with unjust copyright laws? GPL sheep are just part
of the problem, creating their own nest of licensing woes everytime you touch
their code.

~~~
icebraining
Even if you don't want to play along with copyright laws - and I can perfectly
understand why one wouldn't - that's not a reason to deceive people by
claiming the code to be GPL licensed and make them liable if they redistribute
it.

If one wants to say "fuck copyright", putting a copyright license in the code
is not the really the most appropriate way.

~~~
scotty79
I think deception is a valid tool for creating chaos and chaos is a valid tool
for bringing down systems.

