This weekend's witch-hunt
Rob Landley
rob at landley.net
Tue Sep 19 20:31:55 UTC 2006
On Tuesday 19 September 2006 12:51 am, Bruce Perens wrote:
> Rob Landley wrote:
> > Ultimatum, actually.
> >
> My right, darn it, an entirely reasonable request, and it would not have
> done you the slightest bit of harm. Com'on, Rob, you're being stubborn.
All the new code I'm adding to BusyBox for the next release will be GPLv2
only. This is both the code I'm adding, and the license I'm accepting
patches under.
Some of this code is already available under other licenses elsewhere. That's
always been the case, and I couldn't change that even if I wanted to (which I
don't). For example, we've accepted BSD code into the project on many
occasions, but you've never been able to build a BSD-licensed version of
BusyBox. In the case of older BusyBox code, anything that may be cleanly
sourced from the existing 1.2.1 and earlier releases is under "GPLv2 or
later" and remains so. Any code that _cannot_ be sourced from those is
dubious at best, and was most likely added under the new license, so the easy
and safe thing to do is grab 1.2.1 if you're looking for code to add to a
GPLv3 project. That is the course of action I recommended in that case, back
in my first reply to you.
In addition, all of my contributions to BusyBox (code I myself wrote) since I
made the announcement have been licensed GPLv2 only, and my future
contributions will all be licensed GPLv2 only. My compliation copyright on
the next release will be licensed GPLv2 only, so I'm _adding_ code GPLv2, and
the license I'm accepting contributions under is GPLv2. An announcement to
this effect goes on the website in the next few days, I'm prettymuch waiting
until I have time to get together 1.2.2. (Which will still be "GPLv2 or
later", by the way. That was _always_ the plan, and despite your tantrum I'm
still doing it because I'm not petty. You being out of the loop with BusyBox
development is not my problem.)
I also plan to merge existing GPLv2 only code from outside the project (such
as from kernel developers). This is not "mere aggregation", this is part of
the project, the whole of which must be under the same license. I could not
merge things like DietHotplug (which Erik ported to BusyBox, not me) and
still keep the license on the project "GPLv2 or later". You cannot merge
GPLv2 only code into a project and then distribute the result as GPLv3.
I also talked to Erik, who said:
> Re: Going GPLv2 only for BusyBox.
> From: Erik Andersen <andersen at codepoet.org>
> To: Rob Landley <rob at landley.net>
>
> Message was signed on 2006-09-13 11:11 pm with unknown key
> 0x5F9B643E30D39057. The validity of the signature cannot be verified.
> Status: No public key to verify the signature
>
> On Wed Sep 13, 2006 at 11:07:51PM -0400, Rob Landley wrote:
> > I'm planning to simplify the BusyBox license to GPLv2 only tomorrow, so
> > that BusyBox 1.3.0 will be GPLv2 only when it ships.
> >
> > Are you ok with that?
>
> Sure, works for me.
>
> I, Erik Andersen, being of sound mind and body, do hereby declare
> that all code I have contributed to BusyBox that may at present
> be licensed GPLv2 or later, is hereby licensed GPLv2 only.
>
> -Erik
I.E. he was being a bit silly, but I'd call that a "yes" on the question of
marking all of his code GPLv2 in the next release. (This was not legally
required, since GPLv2 only is a valid subset of GPLv2 or later. This was a
courtesy to a man I greatly respect.)
I've been policing and simplifying the license terms ever since I became
maintainer. I'm the one who went out and found the SFLC (ok, I asked PJ of
Groklaw, who recommended a really cool group of guys) to enforce the license.
This is because the previous license enforcement mechanisms (the Hall of
Shame and spare time from Erik's Dad's lawfirm) did'n't scale. The current
license simplification is a logical extension of previous moves
like "http://busybox.net/downloads/patches/svn-15073.patch", and we discussed
it on the list on and off for nine months before acting on it.
As part of my license policing, I've already found instances where we merged
kernel code into BusyBox (for example, in libbb/loop.c), and instances of
entire applets written by kernel developers (like Linus Torvalds) where we
just assumed their license and our license was the same. Linus announced six
years ago (the Linux 2.4.0-pre8 announcement I linked to in a previous
message was from 2000) that they were not the same, that his code was (and
always had been) GPLv2 only. Where does that leave our Torvalds-written
applets? In legal limbo, possibly. GPL clause 9 vs the author's stated
intentions, 6 years after the fact... Tough call, ask a judge. Recently,
Erik stripped down diethotplug and submitted it to me for inclusion in
BusyBox without ever noticing that it was GPLv2 only (I'm the one who spotted
that, and only because I was looking). It's a very, very easy mistake to
make, because "GPLv2" vs "GPLv2 or later" is just too darn subtle a
distinction to notice unless you're explicitly looking for it. Did anything
else slip in on his watch? Did anything else slip in on my watch? I
honestly don't know.
In order to be sure that we haven't _already_ sucked in GPLv2 only code (and
remove it if we did), I would have to audit the codebase. You're complaining
about me auditing an old version of BusyBox with 87 files totalling 322,259
bytes (over half of which is in the two files "gzip.c" and "zcat.c", which I
could simply compare with the old external version they came from). The
current version of BusyBox has 889 files totalling 5,543,620 bytes. That's
an order of magnitude more work, and I ain't doin' it.
Working on BusyBox requires a strong drive to simplify and remove unnecessary
duplication. We spend more time cleaning up and optimizing existing code
than writing new code, and most of the new code we write is _rewrites_ to
replace stuff we've already got with smaller versions. After a while, this
naturally extends itself to things like the license. I realize that you
don't have this drive. You also haven't touched BusyBox in a decade. I
believe these to be related.
After you explicitly objected to "your code" being licensed GPLv2 only, I
started doing some checking. And I found two things:
The first thing I found is that the license statement in BusyBox 0.25 said
only (at the end of LICENSE):
> This program suite may be distributed under the GNU General Public License.
No version number. The GPL itself says this about permission grants with no
version number:
> 9. The Free Software Foundation may publish revised and/or new versions
> of the General Public License from time to time. Such new versions will
> be similar in spirit to the present version, but may differ in detail to
> address new problems or concerns.
>
> Each version is given a distinguishing version number. If the Program
> specifies a version number of this License which applies to it and "any
> later version", you have the option of following the terms and conditions
> either of that version or of any later version published by the Free
> Software Foundation. If the Program does not specify a version number of
> this License, you may choose any version ever published by the Free
> Software Foundation.
The last sentence is relevant here. I may choose the version. And I'm
choosing GPLv2. Now according to the _original_ permission grant (on a
project where you weren't the only copyright holder), we could technically
have choosen GPLv1. Erik dropped GPLv1 when he moved the project to an
explicit GPLv2 or later (http://busybox.net/downloads/svn-49.patch), and you
haven't expressed outrage over that yet. I am now performing the
corresponding action of dropping versions _after_ GPLv2 (which don't even
_exist_ yet), and sticking with the only version of the license that has ever
mattered for this project.
The second thing I found when I started checking is that there's very little
code left from 0.25. In the course of writing the email I didn't send on
friday, I did what are now phases 1 and 2 of the still incomplete forensic
analysis. (It took about 15 minutes, most of which was doing something else
while "svn annotate" ran on each file.)
The initial reason I did this was to find out exactly what we were arguing
about. If I _did_ put in a sheepdip.txt, what specific code would I list
as "once touched by Bruce"? When the answer came back "almost nothing", it
turned into a deeper investigation to see if I'd missed anything.
Initially, I started looking at the gzip and gunzip files (far and away the
biggest source of old code) since I've had a todo item to do a security audit
of that stuff for ages. The zlib code has had a dozen bugfix releases in the
past decade, some of which I thought might apply to BusyBox. In June of last
last year I asked Mark Adler to put up the old zlib versions so I could do
this comparison, and he was nice enough to do so (it's got a big "do not use
this old code, it has security problems" warning but it's
up "http://zlib.net/fossils/"), and I've been too busy to actually do the
comparison ever since. Seemed like a good opportunity, but imagine my
surprise when I find out we're not even _using_ the zlib code, but a fork off
a version of gzip released in _1993_. And that the only modifications in the
0.25 version was for the purpose of code removal. That was something I
needed to know anyway, as maintainer of the project, not just for license
compliance reasons but potentially for security auditing.
By the time I was done comparing gzip.c and zlib.c, I'd already worked through
about 2/5 of the old tree. Doing the rest seemed like the obvious move
(although it's still a to-do item rather than something I've actually
bothered to finish yet), and since I hadn't yet found any significant code
tracing back to Bruce a possible way to permanently end Bruce's nagging
suggested itself.
By the way, trying out comparator is something I've been meaning to do since
Eric (not Erik) wrote it, since he consulted me on its development (I was
hanging out in pennsylvania at the time; my father and brother live less than
an hour away from his house) but I'd never actually had an opportunity to try
out the finished product.
Yes, this isn't too far from the kind of thing I do for fun anyway. I believe
I mentioned the whole "computer historian" thing?
http://landley.net/history/mirror
Putting it all together, by the time I got to a good stopping point I had a
pretty good idea that your leverage over the code is purely a matter of
reputation, and that the number of lines of your old code that we're actually
still _using_ was at the very least small enough we wouldn't miss it, and
quite possibly nonexistent.
The approach I take to any code in the tree that has sufficient license
concerns is to rip it out and write a new one. If you'd been following the
list, you'd know this. This isn't anything _new_. Now that you've
explicitly said "However, it's free software, and Rob has the right to do
what he did." I consider that part of it resolved, although I may complete
the forensic analysis just because we have everything else in the svn
history, and it's good for future license enforcement efforts to know where
everything we're still using but which we _don't_ have in the SVN history
came from. (Again, part of the reason I was motivated to do it. You merely
annoyed me into doing it _now_, rather than putting it on the endless todo
list.)
> > However, I take objection to being treated like hired help.
> I do not think of you as hired help. But before you cast that stone,
> think of how you're treating other folks on this project.
I'm treating everybody equally. You're mad I'm not treating you specially.
> > How'd the presidency of Linux Capital Group work out for you?
> OK. If you insist. It's your mailing list.
I'm sorry, I shouldn't have gone there. I should have held my tongue, the way
I did on Friday.
This isn't about you or me, it's about BusyBox. We differ on what's best for
the project. The only reason our difference of opinion matters is that I'm
maintaining a version undergoing a lot of volunteer development and regular
releases. You are not. I have repeatedly and consistently encouraged you to
start your own fork (from any current release version, or any svn version up
through 16112) if you disagree with me that strongly. Instead, you want to
change what I'm doing with the new versions I'm releasing, despite having
failed to convince me through rational debate. You want to direct my work.
I will, however, warn you that maintaining BusyBox requires a huge amount of
work. Enough so that Erik didn't have time to keep up with it, and I spend
most evenings and weekends working on it even though I selected my current
job because they were cool enough to let me spend half my time working on
BusyBox. Half-time is not enough. I've been doing this "a lot" (not
necessarily full time but a very prominent hobby) for three years already,
and A) my to-do list for the project is longer than ever, and still growing,
B) I find myself regularly cleaning up my own past mistakes as I learn more
and figure out better ways to do stuff, C) I feel I could do a better job if
I had more time and energy.
> >> However, it's free software, and Rob has
> >> the right to do what he did.
> >>
> >
> > Then why the public melodrama, on a list you have never previously been a
> > member of?
> >
> It takes both fuel and oxidizer to make a flame.
You're the one who came here. I didn't go to you. You're also the one who
chose to do this on a public mailing list instead of in private email.
> Thanks
>
> Bruce
Thank you for expressing your opinion. I continue to disagree with you.
The next major version of BusyBox that I package and ship will be licensed
GPLv2 only, because I believe it to be in the best interests of the project's
future development and I'm the one maintaining it. The older versions remain
licensed under "GPLv2 or later", which are the licenses they were released
under. I plan to release one more bugfix release to the existing code
(1.2.2) which will also be licensed "GPLv2 or later", but that's probably it
under the old dual license.
Now that we've recapitulated phylogeny for this argument, I'm going to go do
something else now.
Rob
--
Never bet against the cheap plastic solution.
More information about the busybox
mailing list