Re: On the definition of source [Was: Re: generated source files, GPL and DFSG]

On 7/21/05, Don Armstrong <don@debian.org> wrote:
[snip stuff where I agree with Don 100%]
> ITYM Freedom 1 (the second) or possibly Freedom 3 (the last). In
> either case, in this situation, you've got everything that the
> original author has to be able to modify the work. You're not being
> restrained by information that the author could theoretically convey,
> but hasn't. [If you are, then I submit that you haven't been given the
> preferred form for modification.]
> To me, the FOSS movement is about giving everyone the same information
> that the author has; in this way everyone has the same ability to
> modify the work. When that is the case, the preferred form of
> modification has really been distributed.

"Giving everyone the same information that the author has" is a lovely
ideal, but applying it too strictly can lead to Pyrrhic victories.  If
you read the primary literature in any scientific field, you will find
that people do not write a textbook every time they publish a result,
and that very frequently reproducing an author's result would require
a degree of ingenuity and an amount of labor comparable to the

Since I've got legal lingo on the brain lately, let me suggest a
"rebuttable presumption" that the author has tried to provide enough
of a public record for later authors to work with.  I can think of
several pieces of software, nominally released as open source, for
which that presumption wouldn't be hard to rebut; but GFingerPoken
certainly isn't one of them.  In any case, I think the ftpmasters, in
consultation with the security team, are perfectly capable of
rejecting uploads because they are in their opinion unmaintainable for
lack of adequate disclosure of how the damn thing works.

> So you're saying that commented assembly output, which is modifiable
> in a smaller number of ways than the actual C source would also be
> source?
> Or that the ogg file that is the output of a Lilypond file run through
> timidity would also be source?
> I'm frankly at a loss to reconcile these examples with your statements
> above about modifiability. Since modification is so important, why
> should we accept as source forms that capriciously limit the
> modifications we can perform, merely because we are not the original
> author?

I think it's important to make a distinction between an intent to
obfuscate and an intent to enable recipients to make a large class of
changes without needing fiddly-to-configure or hard-to-obtain tools. 
If the truth of the matter is that a given fragment of C code, only
needed on a couple of processor families, broke the GCC optimizer in
every other point release, then why shouldn't it be OK for the author
to supply assembly output from a "known good" compiler snapshot and
call it source pending a stabler compiler?  If the ogg file is
supplied as input data for a music recognition regression test, how
much do we care whether it can be regenerated from Lilypond input?

If you're going to accept programs for inclusion in main that are
written and maintained by people with an agenda -- which includes but
is not limited to corporate backers who profit from the sale of tied
products and services -- you have to recognize that not everything
about their design goals and inner workings is fully disclosed.  The
classic example is DES; the S-boxes were designed to be resistant to
differential cryptanalysis, which was unknown in the public literature
at the time (see
http://en.wikipedia.org/wiki/Differential_cryptanalysis ).  Commercial
users just had to take the NSA's (i. e., MITRE's) word for it that
S-box tweaking was motivated by a desire to strengthen DES rather than
to Trojan it.

We trust people all the time not to offer us excessively Faustian
bargains.  Will the folks at Xiph.org spring a submarine patent
covering Ogg Vorbis on the free software world someday?  I think
that's extraordinarily unlikely, unless they are forced to the
conclusion that there is no way to defend against other patent holders
without having some proprietary rights of their own to countersue on;
and if it came to that, they would doubtless offer no-fee licenses to
open source decoder implementations.  I am confident in these
statements, not for any legalistic reason, but because their public
conduct inspires my trust and because I have some sense of the
foreseeable consequences to them of doing otherwise.

Should we accept just anybody's word about whether we are getting the
means of maintaining a program along with its nominal "source code"? 
Of course not!  Nor should we take their uncorroborated word for its
authorship or patent-free-ness.  In short:  Trust, but verify.  (Often
attributed to Ronald Reagan, but AFAICTWALHFG translated from a
Russian proverb "Doveryay, no proveryay" of unknown provenance that
was a favorite of both Lenin's and Gorbachev's.  I will credit Reagan
for popularizing it in the US.  :-)

- Michael
