uRandom

31 Aug 2004: Charging for GPL'd Software

A recent post on Slashdot discusses a project (X-Chat) which apparently uses GPL'd libraries, and is available under the GPL - binaries and all. So far, so fine. Apparently the author has decided to make the Windows binaries into 30-day trials. The GPL says that it's fine to charge for GPL'd software. The GPL simply requires that you make the source code available - Section 2b:

You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License.

The terms of the license require that all source be available - section 3a:

Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange

So, if this author is making a crippled version of GPL'd software available, but makes the crippled source-code also available, he is in full compliance with the GPL.
The only condition the GPL requires, is that he does not issue his (crippled, in this case) binaries, without source which can be used to build that his (crippled) binary. If he's so inclined, he's free to obfuscate his code enough to outwit every other C programmer in the world - that's not likely to be possible, so he can publish his crippled binaries, along with crippled source, from which anyone is free to derive un-crippled source, and (from that), uncrippled binaries.
There is a caveat to this - the GPL states that "The source code for a work means the preferred form of the work for making modifications to it" - so it could be argued that deliberately obfuscated code is not the preferred form.
If the exact source - including his "30-day" hack - is not available to the users of the software, then the author is in violation of the GPL - in such a case, he has no right to the GPL'd libraries used by the software, and has no right to distribute any of the software, as only the GPL gives him the right to distribute the GPL'd software, and the GPL requires these conditions.
He is, of course, free to distribute his crippled software - including the hack - under the GPL.
But he has to offer the source code to everyone he distributes the binaries to - so any of them can remove that crippleware, and redistribute the un-crippled version.
It's not rocket science. http://www.gnu.org/philosophy/selling.html is well worth reading, if you need clarification.
The author's site is currently slashdotted, so it is not posible to get the original source. However, an open letter by "xeon4life" has the appearance of better research than is available currently, and implies that the GPL-required offer of equivalent source-code (even for the "evaluation" version) is not available. If this is true, the author is in violation of the GPL. Of course, Slashdot has eased the author's situation, in that he's not making anything available whilst his site is slashdotted!

30 Aug 2004: I Want My MP3s

The Slashdot generation seem to assume that free MP3's of their favourite music a a right.
That the Recording Industry Association of America (RIAA) - one of the most vocal record-company lobbies - has screwed up the whole internet concept, is not really open to debate. They had the chance to adapt their sales model from the relatively costly "record music, press CDs, ship them to stores, hope they sell, enjoy the cash" method, to "record music, put it up for sale on the internet, enjoy the cash". They blew it, and attempts like iTunes, buying Napster, are shutting the stable door after the horse has bolted.
But it remains true, that the music industry's knackered business model is not a justification for taking the music without paying for it.
All sorts of information is available on the internet - multimap.com, nytimes.com (via bugmennot.com), wikipedia.org - all for no cost, through altruism, sponsorship, advertisement. The music business has no such model, even though almost every other type of information is available over the internet, and the music business has ways of making money from the hundreds of music channels available on TV and radio.
A band I was a college with, now called Moeker, offer music for download from their website. Please download some, it's good stuff.
The difference between downloading Moeker's music, and downloading Busted's latest single, (apart from the fact you're more likely to enjoy Moeker), is that Moeker's strategy is to play regular gigs, and promote their music via the web. Busted's strategy is to promote an image, and make money from selling music and merchandise.
You may have your own opinion about the quality of these strategies, but even the most libertarian attitude must respect that Busted have the right to their business model, even if it means that in 5 years' time they'll be up there with Wham!, New Kids on the Block, 911, Let Loose, and Five.
Moeker are doing what they enjoy, and have been going for a decade now. They're probably not as rich as Busted, but they're likely to be around for a much longer time.
(PS. If you like Moeker, they used to be called Slide Pheromone, and some more music is still available for download tehre).

28 Aug 2004: Philips WebCam support removed from Linux 2.6

Let's see what happened here... PWC (Philips WebCam) was a GPL'd Linux kernel module which included a hook to call some closed-source code (PWCX - written by the same developer - an individual known as Nemosoft - under NDA from Philips). The closed-source code used some Philips codecs to compress images, and therefore get better quality images than the GPL module alone was capable of.
So the vanilla Linux kernel could use the webcam at limited capabilities, but with an added binary module, could use the full capabilites of the webcam. It is Linus Torvalds' stated opinion that kernel modules shouldn't have plug-ins for closed-source software, and that closed-source shouldn't use GPL'd hooks: "anything that was written with Linux in mind [snip] is clearly partially a derived work."
He clearly states that syscalls and the like are exempt - applications are clearly not derived from the kernel, they just happen to work on top of it.
The PWCX module is written with Linux in mind - by the developer who wrote the GPL'd PWC module. So it's not as clear-cut as a closed-source module from Philips trying to work with an existing Linux kernel - it's a combination of GPL'd driver added to the kernel adding with the ability to load a closed-source module written alongside it to offer improved functionality.
Nvidia offer closed-source drivers which plug-in to existing kernel interfaces - one one level, Nvidia didn't write those interfaces in the first place; on another level, Philips never wrote the PWCX, but NDA'd the spec to a developer who wrote both the GPL'd interfaces and the closed software. Recently, the linux-usb-dev mailing list had a disagreement - Greg Kroah-Hartmann, the Linux USB maintainer, realised that PWC had a hook for PWCX to link into the kernel, which contravenes this Linus statement of policy, so he removed the hook - which was only used by the closed-source PWCX module (thus breaking the driver). It is (theoretically) possible that a GPL'd module could also use this hook, although no such module currently exists. Since his driver was now broken, the author of the module requested that the entire driver be removed from the Linux kernel. Grek KH resisted, as the code had already been contributed under the GPL, but Linus intervened, saying that "Yes and no. From a legal standpoint you're right. However, we should also be polite. If he's the sole author, and he asks for it, I think it's reasonable to honor his wishes."
So anybody is free to take the abandoned (but still GPL'd) PWC code, and continue to maintain it - maybe even work with Philips to make their webcams work out-of-the-box on Linux; they clearly have a spark of interest. But it's been removed from mainstream Linux for now, as the developer has requested that his code is no longer included.

It seems to me, that Linus has been incredibly level-headed on this contentious issue, once again asserting his right to head Linux kernel development.
Is Linus the new Solomon?

Long-term, c'mon Philips, users need a GPL'd driver for the cameras they've paid you good money for. You've ridden on the back of a volunteer for 5 years, it's time to cough up the code, or you're going to get a lot of returns in the next few weeks.

26 Aug 2004: My Toenail

I told work I can't drive this week... because I stubbed by toenail. Pathetic, huh? I suspect (despite a Doctor's note saying that I can't work) that work will think the same thing, so I took a photo of it. Only slightly swollen, but the nail is split in two - the right-hand side of the nail is pushed over to the side of the toe. Not the worst thing a medical student has ever seen, but that's it after 3 days of care. Pretty mashed-up for a little toe. You never notice these things until they're on the blink... Not a patch on an ingrown toenail though. Ugh.
I added to my online calendar that I'm available for work (we tend to do a lot of documentation, which can be done from home), but that I can't drive this week (and that I'm not just making it up - I've got a sick-note); my manager removed that comment, because "we don't want to look unwilling". Last time I read a dictionary, unwilling was not the same as unable.
So now I've got a week of unbillable work to explain - I could have taken the week off sick, but I asked the Doctor not to take me off sick, just to add a note that I can't drive. For my efforts to make myself availble, what do I get? Criticism for being under-utilised.
It's Thursday night (did the damage on Sunday) and I've finally worn a shoe! How, exactly, can I be expected to visit a customer site (assuming I can get there) without wearing shoes?

22 Aug 2004: JohnKerryIsDdoucheBagButImGotingForHimAnyway.Com

Not sure of the content of the site, but an address like that appeals to me (as a brit).
Update 25 Aug: On reading a bit more of the site, it looks like a cynical election site, presented to appeal to bloggers. Shame.

20 Aug 2004: Tell Mum and Dad

WinXP cracked in 20 minutes... takes hours to patch... "do the math" as they say in America.
Of course, older versions of Windows take longer to patch, and still aren't as secure.

20 Aug 2004: IBM Threatens SCO with GPL Hearing

Sounds like a clever move by IBM - neither side would really benefit from this going all the way, but it could shut up SCO quite quickly.
Smart thinking, without getting the GPL tested in court (so no change there).
As ever, groklaw has it covered in detail.
From Greene's writeup on The Register, though, it seems that, whilst SCO claimed that the GPL was invalid for its "take it so long as you comply by the terms of the GPL" stance, SCO have still been distributing IBM's contributed Linux code until 4th August 2004 (they started this case in March 2003).
So IBM are simply pointing out that SCO are distributing IBM-written code under a license (GPL) which SCO themselves claim is invalid - so SCO, by their own claims, have no right to the IBM code.

11 Aug 2004: Solaris 10

I wish I was allowed to talk more about Solaris 10 here... Linux compatability is public; ZFS is a bit public, though I'm not sure all the cool stuff has really come across. Dtrace is public. There's zoning, FireEngine, and tons of other stuff, which I think is pretty much public, too. S10 is not a maintenance update.
I've been a Linux user since RedHat 5.1 got me off Windows 3.1; Solaris fan since 1997 (well, 1995 really, via DRS/NX). Linux has been my main desktop, firewall, webserver, etc since 1998. For serious (datacentre) work, I have to say that Solaris beats Linux feature-wise - partly because Solaris implies Sun's excellent (though not cheap) hardware - but Solaris makes the best of that kit - the E25K wouldn't exist without Solaris, and Solaris wouldn't need its high-end features without hardware like this to work on.
Solaris 10 looks like it's going to make a move on Linux's "cheap-x86" space - not just the hype around 64-bit and Opteron, but cheap Dells and even white boxes.
Frankly, Solaris (or anything Unixy, including Linux) on x86 is interesting from a "sysadmins / developers can have a desktop which is the same OS as the production platform" level, but a developer can't have an E25K on their desk.
Solaris 9 was the first release of Solaris to really offer the same (or nearly - as the hardware allows) on the x86 platform as on SPARC; that's a good thing for sysadmins and developers, but it doesn't answer the question we all have:
In 5 years time, will we all really be doing everything on cheap, unreliable x86 boxes? It's cheaper, but I suspect I'd prefer to have two powerful and stable machines in a tightly-coupled 2-node cluster, than 128 unstable but cheap machines in a loosely-coupled 128-node cluster.
Just MHO.

11 Aug 2004: Mozilla Security Issue

For the sake of balance, since all we hear about is constant security issues in Internet Explorer, I just want to make sure that everyone is aware of a recently-published (and, for the record, quickly-fixed) security problem in Mozilla.
It's an interesting one, in a way - Mozilla includes an XUL (eXtended User-interface Language) which allows third parties to easily write plugins, which enhance the browser, typically by adding buttons, menu items, etc - a "Googlebar", ad-blocker, Amazon-search in the sidebar, bypassing web registration sites (like the New York Times), and hundreds of other features.
It is very easy for someone to set up a website, say, "http://bad-guys.example.com/", which looks just like "http://your-bank.example.com/", which would prompt you for your login information. But hopefully people are smart enough, these days, not to fall for that - you check the Location bar, and realise that you've gone to "bad-guys.example.com", and it would not be a good idea to tell them your bank details.
This technique is known as "phishing", and is typically done by spamming the bad-guys.example.com link to as many email accounts as possible.
A not-so-recent Internet Explorer bug, meant that a link formatted as "http://your-bank.example.com/%00@http://bad-guys.example.com/" would look like "your-bank.example.com" but actually take you to "bad-guys.example.com". Microsoft, fairly, received a lot of abuse for this flaw, because users could not know what site they were visiting, unless they entered every URL by hand (i.e., never click on a link - which is the entire point of the Web!)
Because most Mozilla plugins alter the browser's user interface, and Mozilla allows this as a feature, it was pointed out that the real "Location" bar could be hidden, and a false one inserted. This is worse than the IE bug, because the IE bug was simply that - an incorrect working, which could be fixed. This attack was based on a deliberate feature - that people can redesign the look of the browser itself. A fix has been published, in FireFox 0.9.3, but it's worth being aware that all software has flaws, not only bloated spaghetti-code like Internet Explorer.

• http://www.mozilla.org/projects/security/known-vulnerabilities.html
• http://www.mozilla.org/security/
• http://www.mozilla.org/security/shell.html
• http://bugzilla.mozilla.org/show_bug.cgi?id=22183

11 Aug 2004: What is a Blog?

I mentioned the word "Blog" to my manager the other day, and he asked me, "what is a 'blog'"?. It's a question I've struggled with for a long time - when you hear all the hype about them over the past few years, you want to know what they are - the New New-Media, or a bunch of self-indulgent morons? Some people love them - even Microsoft and Sun have started posting blogs by their employees, as a way of communicating with customers on a less formal level than press releases. Others hate them for filling the internet with incoherent ramblings, and making searches for useful information on the net more difficult.
One "friend" (i.e., person I know via the internet, but will never meet in real life), for example, has a blog, but this post links to her friend's blog, which is an outright ramble. She, in turn, links to another blog, which is simply abysmal.
On the other hand, Seth Finkelstein and Bruce Schneier produce excellent regular computer security updates in blog format.
Slashdot is probably the best-known single blog, and it's large enough to employ a few staff and make a profit. It takes its content from its readers, avoiding the awkward "actually write some content" part of publishing.
So, what is a blog? Etymologically, "Blog" is short for "Web Log". It's the logging of "something,", and it's specifically done on web pages.
I think the simple definition, is that it's:

• Regularly updated (at least a few times per week)
• Updated on a page with the most recent entry at the top - scroll down for older entries
• Anything from an individual's online Diary/Journal, to their personal attempt at Journalism. (Note the repitition of "Journal" here)
• Not professional journalism (so The Register, and (possibly) The Guardian are not Blogs)

This item is deliberately written in a "Bloggy" style - lots of links, half of them to Google, half of them to random bloggers of whom you've never heard, whose credibility you know nothing about, and who you'll never hear of again, and a mention of somebody I know but who you don't know. Still, it's a way of finding possibly-interesting sites when you're bored with only an internet connection for company.

10 Aug 2004: Fussball

533 my 31337 5k11z @ ... err ... table football.
Imaginiatively, I'm "Parker's Rangers". Neil (Kwic Kic Utd) clearly has a more badly misspent youth than myself, so I'm sure he'll win, but I'm optimistic about getting second place.
Update 11 Aug 2004: I pointed out to "neilo" that a script in his webspace could give out some info we didn't really want on the net, and he wisely hid the footy page, too, so it's password protected now. Neil's now won 6 of 6 games; I'm still second with 2 wins from 3 games. Must get into the office soon, and (somehow) crush Neil's 100% record.

10 Aug 2004: Katie.COM: Individual beats BigCorp

And the BigCorp backs down, without the victim having to spend a fortune on taking them to court.
If you haven't been following the story, here's a brief summary:

• In 1996, Katie Jones gets katie.com, and has used it ever since.
• In 2000, Penguin Books publish a book called "katie.com", and have publicised it widely and regularly ever since.
  This caused a deluge of email into her inbox, and web hits on her web server.
• In 2004, Penguin rename their book "A Girl's Life Online" - why didn't they do this before they first published?

An individual, whose only crime was to own a good domain name, has had 5 years of grief because of this decision made by a BigCorp.
It appears that the reason for this is the increased coverage by sites like The Register, Slashdot, and various Blogs.
Power To The People ... or ... er ... something.

09 Aug 2004: Internet Explorer Blog

Blog of an IE developer. It's really nice to get some glimpse of how these guys think:

Frankly, I tend to agree with a lot of the criticism that has accumulated over the past several years and is being voiced on this blog. The opportunity to make this better is exactly why I love (or is it lust?) to work on the IE team.

It's also nice that he's able to be (a little bit) open about the process.
Of course, the bravery to use the phrase "Internet Explorer Security" begs a response of "oxymoron."
ObPLUG: Sun have blogs, too