Javier Sancho jsancho@identi.ca

URL: https://sfconservancy.org/blog/2016/feb/25/zfs-and-linux/

February 25, 2016 by Bradley M. Kuhn and Karen M. Sandler

GPL Violations Related to Combining ZFS and Linux

This post discusses an atypical GPL violation. Unlike most GPL violations Conservancy faces, in this case, a third-party entity holds a magic wand that can instantly resolve the situation. Oracle is the primary copyright holder of ZFS, and, despite nearly eight years (going back to the days of Sun's control of the code) of the anti-license-proliferation community's urging, Oracle continues to license their code under their own, GPL-incompatible license. While this violation has many facets, and Oracle did not themselves violate GPL in this specific case, they hold the keys to this particular kingdom and they forbid the Linux community to enter. While there are complexities that we must address, in this context, Oracle could make everyone's life easier by waving their magic relicensing wand. Nevertheless, until they do, since GPL-incompatible licenses are the root of all GPL violations, combinations of GPL'd code with Oracle's GPL-incompatible code yield GPL violations, such as the ongoing violation by Canonical, Ltd.

The Basic Facts

Sun released the Z File System (ZFS) code under the Common Development and Distribution License, version 1 (CDDLv1) as part of OpenSolaris. Sun was ultimately acquired by Oracle. Community members, mostly acting non-commercially, have improved ZFS and adapted it to function with Linux, but unfortunately, CDDLv1 is incompatible with GPLv2, so distribution of binaries is not permitted (see below for details). Many community members have been frustrated for years that Oracle didn't simply relicense the code under a GPLv2-compatible license.

The situation escalated last week because Canonical, Ltd. announced their plans to commercially distribute, in Ubuntu 16.04, a binary distribution of ZFS as a Linux kernel module, which adapts ZFS natively for Linux. Conservancy contacted Canonical to inform them of their GPL violation, and Canonical encouraged us to speak publicly. We're glad to do so to clarify the differing views on this issue. As you'll read below, Conservancy disagrees with Canonical's decision, and Conservancy hopes to continue dialogue with Canonical regarding their violation. We do not give up on friendly resolution of a GPL violation easily and are glad Canonical seeks to transparently discuss both sides of this issue in public.

Summary of our Conclusion

We are sympathetic to Canonical's frustration in this desire to easily support more features for their users. However, as set out below, we have concluded that their distribution of zfs.ko violates the GPL. We have written this statement to answer, from the point of view of many key Linux copyright holders, the community questions that we've seen on this matter.

Specifically, we provide our detailed analysis of the incompatibility between CDDLv1 and GPLv2 — and its potential impact on the trajectory of free software development — below. However, our conclusion is simple: Conservancy and the Linux copyright holders in the GPL Compliance Project for Linux Developers believe that distribution of ZFS binaries is a GPL violation and infringes Linux's copyright. We are also concerned that it may infringe Oracle's copyrights in ZFS. As such, we again ask Oracle to respect community norms against license proliferation and simply relicense its copyrights in ZFS under a GPLv2-compatible license.

GPL Incompatibility

The license of Linux, the GNU General Public License, version 2 (GPLv2), is conceptually known as a strong copyleft license. A strong copyleft license extends software freedom policies as far as copyright law allows. As such, GPLv2 requires that, when combinations and/or derivatives are made under copyright law with GPLv2'd works, the license of the resulting combination and/or derivative is also GPLv2.

The Free Software Foundation (FSF) has long discussed the question of licenses incompatible with the GPL, pointing out that:

In order to combine two programs (or substantial parts of them) into a larger work, you need to have permission to use both programs in this way. If the two programs' licenses permit this, they are compatible. If there is no way to satisfy both licenses at once, they are incompatible.

License compatibility is not merely a question for Free Software licenses. We can analyze any two copyright licenses and consider whether they are compatible.

In the proprietary software world, rarely are two licenses ever compatible. You can't, by default, license a copy of Oracle's database, and then make a combination with Apple's iOS. To do so, you would need to negotiate (and pay for) a special license from both Apple and Oracle to make that combination.

Furthermore, with proprietary software, there is a practical problem somewhat unrelated to the legal permission: you must procure (again, likely for a rather expensive fee) a copy of the source code for Apple's and Oracle's proprietary software to have the practical ability to make the combination.

Since the GPL, and all copyleft licenses, are fundamentally copyright licenses, the analysis is similar. However, GPL requires that all software distributions include complete corresponding source code to any binaries, so the practical problem never presents itself. Nevertheless, when you wish to combine GPL'd software with some other software and distribute the resulting combination, both the copyright holders of the GPL'd software and the copyright holders of the other software must provide a license that allows distribution of the combination.

Most prefer to discuss the issue of combining truly proprietary, no-source-available copyrighted material with GPL'd software, as it creates the most stark practical contrast, and is the most offensive fact pattern. Proprietary software gives the users no freedom to even examine, let alone modify, rebuild, and reinstall the software. The proprietary license doesn't allow nor even give the practical ability to redistribute source code, and the GPL mandates source distribution when binary distribution occurs. The incompatibility is intuitively obvious. Few consider the fact that proprietary software licensing is just one (rather egregious) example of a GPL-incompatible license.

In that context, we can imagine licenses that are GPL-incompatible, but do give some interesting permissions to users. An example is source-code-available systems that prohibit commercial distribution and forbid modification to the source code. The GPL has terms that permit modification and allow commercial distribution of GPL'd software, and as such, even though source code is available for non-commercial, non-modifiable software, the license is nonetheless GPL-incompatible.

Finally, we can consider the most subtle class of GPL-incompatibility, in which we find ZFS's license, the Common Development and Distribution License, version 1 (CDDLv1). The CDDLv1 is considered both a Free Software and an Open Source license, and is a weak copyleft license. Nevertheless, neither CDDLv1 nor GPLv2 permits combination of copyrighted material under the other license.

To understand this non-intuitive incompatibility, we can analyze in detail the requirements of both licenses. First, GPLv2 requires:

[§2](b) You must cause any work that you distribute … that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole … under the terms of this License.…

[§]3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also…

a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above…

[§]6. …You may not impose any further restrictions on the recipients' exercise of the rights granted herein.

According to these provisions of GPLv2, if you create a binary work that incorporates components from the GPLv2'd program, you must provide the complete corresponding source for that entire work with the binary, and the terms of the GPLv2 apply to that source. If the sources as a whole cannot be outbound-licensed under GPLv2, you have no permission under copyright law to distribute the binary work, since GPLv2 didn't grant you that permission.

GPLv2-compatible licenses do not contradict the requirements of GPLv2, which is what makes them compatible. For example, highly permissive licenses like the ISC license allow imposition of additional licensing requirements (even proprietary ones), and so combining ISC-licensed source and GPLv2'd source into a binary work is permitted; compliance with GPLv2 is possible when distributing binaries based on the combined sources.

CDDLv1, however, contains various provisions that are incompatible with that outcome. Specifically, CDDLv1 requires (emphasis ours):

[§]3.1 … Any Covered Software that You distribute or otherwise make available in Executable form must also be made available in Source Code form and that Source Code form must be distributed only under the terms of this License. …

[§] 3.4 … You may not offer or impose any terms on any Covered Software in Source Code form that alters or restricts the applicable version of this License

CDDLv1 is a weak copyleft license in that it allows you create a binary work with components under different terms (see CDDLv1§3.6). However, as seen in the text above, with regard to the specific copyrighted material already under CDDLv1, that material must remain only licensed under the terms of the CDDLv1. Furthermore, when redistributing the source code, you cannot alter the terms of the license on that copyrighted material.

GPLv2, as shown above, requires that you alter those terms for the source code — namely, as a strong copyleft, the terms of GPLv2 apply to the entire complete corresponding source for any binary work. Furthermore, downstream users must have to permission make GPLv2'd modifications to that source. This creates a contradiction; you cannot simultaneously satisfy that obligation of GPLv2 and also avoid alter[ing] the terms of CDDLv1-licensed source. Thus, the licenses are incompatible, and redistributing a binary work incorporating CDDLv1'd and GPLv2'd copyrighted portions constitutes copyright infringement in both directions. (In addition to this big incompatibility, there are also other smaller incompatibilities throughout CDDLv1.)

We believe Sun was aware when drafting CDDLv1 of the incompatibilities; in fact, our research into its history indicates the GPLv2-incompatibility was Sun's design choice. At the time, Sun's apparent goal was to draw developers away from GNU and Linux development into Solaris. Not only did Sun not want code from GNU and Linux in Solaris, more importantly, Sun did not want technological advantages from Solaris' kernel to appear in Linux.

Much has changed in the seven and a half years since CDDLv1's publication and promulgation. OpenSolaris has been discontinued; CDDLv1 codebases never became an active area of Free Software development like GNU and Linux. Oracle could now easily indicate that combination of ZFS with Linux into binary works is permitted, (e.g., as the overwhelming majority copyright holder0, Oracle could make a decree like the one University of California did to fix a similar incompatibility). Until Oracle takes an action like that, it remains a license violation of both CDDLv1 and GPLv2 to distribute binary works that combine together and/or derive from both GPLv2 and CDDLv1 sources.

What Constitutes a Combined/Derivative Work?

Once license incompatibility is established, the remaining question is solely whether or not combining ZFS with Linux creates a combined and/or derivative work under copyright law (which then would, in turn, trigger the GPLv2 obligations on the ZFS code).

Conservancy has helped put similar questions (still pending) before a Court, in Hellwig's VMware case that Conservancy currently funds. In fact, the same questions come up with all sorts of GPL-incompatible Linux modules and reuses of Linux code.

Courts have not spoken specifically on this question; precedents that exist are not perfectly on-topic. Citing an opinion of a lawyer is often not helpful in this context, because lawyers advise clients, and argue zealously for their clients' views. When Courts are unclear on a matter, it generates disputes, and only Courts (or possibly new legislation) can ultimately resolve those disputes.

Nevertheless, our lawyers have analyzed these situations with the assistance of our license compliance and software forensics staff for many years, and we have yet to encounter a Linux module that — when distributed in binary form — did not, in our view, yield combined work with Linux. The FSF, stewards of the GPL, have stated many times over the past decades that they believe there is no legal distinction between dynamic and static linking of a C program and we agree. Accordingly, the analysis is quite obvious to us1: if ZFS were statically linked with Linux and shipped as a single work, few would argue it was not a “work based on the Program” under GPLv2. And, if we believe there is no legal difference when we change that linking from static to dynamic, we conclude easily that binary distribution of ZFS plus Linux — even with ZFS in a .ko file — constitutes distribution of a combined work, which we name Linux+ZFS.

Canonical has found some lawyers who disagree — a minority position, from our understanding of community norms. But Canonical's public position on the matter contributes to license uncertainty, and opponents of Free Software may use this as an opportunity to marginalize copyleft enforcement generally. Canonical can resolve the situation by ceasing the infringing distribution, but Oracle can also unilaterally resolve this trivially with a simple relicense of ZFS to a GPL-compatible license.

Thus, all parties currently stand at an impasse. Conservancy (as a Linux copyright holder ourselves), along with the members of our coalition in the GPL Compliance Project for Linux Developers, all agree that Canonical and others infringe Linux copyrights when they distribute zfs.ko. Canonical's lawyers disagree. Oracle refuses to relicense their ZFS copyrights under a GPL-compatible license.

Ultimately, various Courts in the world will have to rule on the more general question of Linux combinations. Conservancy is committed to working towards achieving clarity on these questions in the long term. That work began in earnest last year with the VMware lawsuit, and our work in this area will continue indefinitely, as resources permit. We must do so, because, too often, companies are complacent about compliance. While we and other community-driven organizations have historically avoided lawsuits at any cost in the past, the absence of litigation on these questions caused many companies to treat the GPL as a weaker copyleft than it actually is.

Why Conservancy Does Not Use Litigation Immediately

As discussed in our principles, Conservancy, while willing to litigate, uses litigation only as a last resort. Compliance actions are primarily education and assistance processes to aid those who are not following the license. We completely exhaust every other diplomatic option for compliance before seeking resolution from the Courts.

“Almost There” is More Painful Than Proprietary

Conservancy and our GPL Compliance Project for Linux Developers are quite sympathetic to the feeling of “almost there” that exists with ZFS for Linux. CDDL is a Free Software license, but sadly a GPL-incompatible one. Like a partial fix for a problematic bug, a GPL-incompatible Free Software license feels like a solution that's “oh-so-close”. Everyone wants to try to tweak that incomplete solution into a full one. We hope this explanation helps bring clarity that the seemingly “almost there” of combining CDDL'd and GPL'd code is a mirage. The community must seek together a better solution.

Oracle holds the better solution in their hands; like waving a magic wand, they can take any of a myriad of actions to communicate permission to relicense ZFS under GPL. Conservancy encourages Free Software enthusiasts and for-profit companies alike to lobby Oracle to relicense their ZFS copyrights. While this change by Oracle cannot resolve Canonical's violation, Oracle's relicensing would create a path for Canonical that might ultimately yield a compliant binary distribution of Linux+ZFS. As such, we've asked Canonical to commit to lobbying Oracle for this change.

Is The Analysis Different With Source-Only Distribution?

We cannot close discussion without considering one final unique aspect to this situation. CDDLv1 does allow for free redistribution of ZFS source code. We can also therefore consider the requirements when distributing Linux and ZFS in source code form only.

Pure distribution of source with no binaries is undeniably different. When distributing source code and no binaries, requirements in those sections of GPLv2 and CDDLv1 that cover modification and/or binary (or “Executable”, as CDDLv1 calls it) distribution do not activate. Therefore, the analysis is simpler, and we find no specific clause in either license that prohibits source-only redistribution of Linux and ZFS, even on the same distribution media.

Nevertheless, there may be arguments for contributory and/or indirect copyright infringement in many jurisdictions. We present no specific analysis ourselves on the efficacy of a contributory infringement claim regarding source-only distributions of ZFS and Linux. However, in our GPL litigation experience, we have noticed that judges are savvy at sniffing out attempts to circumvent legal requirements, and they are skeptical about attempts to exploit loopholes. Furthermore, we cannot predict Oracle's view — given its past willingness to enforce copyleft licenses, and Oracle's recent attempts to adjudicate the limits of copyright in Court. Downstream users should consider carefully before engaging in even source-only distribution.

We note that Debian's decision to place source-only ZFS in a relegated area of their archive called contrib, is an innovative solution. Debian fortunately had a long-standing policy that contrib was specifically designed for source code that, while licensed under an acceptable license for Debian's Free Software Guidelines, also has a default use that can cause licensing problems for downstream Debian users. Therefore, Debian communicates clearly to their users that this code is problematic by keeping it out of their main archive. Furthermore, Debian does not distribute any binary form of zfs.ko.

(Full disclosure: Conservancy has a services agreement with Debian in which Conservancy occasionally gives its opinions, in a non-legal capacity, to Debian on topics of Free Software licensing, and gave Debian advice on this matter under that agreement. Conservancy is not Debian's legal counsel.)

Do Not Rely On This Document As Legal Advice

You cannot and should not rely on this document as legal advice. Our lawyers, in conjunction with our GPL compliance and software forensics experts, have analyzed the Linux+ZFS that Canonical includes in their Ubuntu 16.04 prereleases. Conservancy has determined, with the advice of both inside and outside law firm legal counsel, that the binary distribution constitutes a derivative and/or combined work of ZFS and Linux together, and therefore violates the GPL, as explained above. We also know from Canonical's blog post that they have found other lawyers to give them contradictory advice. Such situations are common on groundbreaking legal issues, and, after all, copyleft is perhaps the most novel legal construction for copyright in its history. Lawyers and their clients who oppose copyleft will attempt to limit copyleft's scope (with litigation, FUD, and moxie), and those of us who use copyleft as a tool for software freedom will diametrically seek to uphold its scope to achieve the license drafter's and licensors' intended broad impact for software freedom.

Indeed, Conservancy believes this situation is one battle in a larger proxy war by those who seek to limit the scope of strong copyleft generally. Yet, the GPL not only benefits charitable community organizations like Conservancy, but also for-profit companies, since GPL ensures your competitors cannot circumvent the license and gain an unfair advantage. We therefore urge charities, trade associations and companies who care about Linux to stand with us in opposition of GPL violations like this one.

0 More work might be required to relicense all modern ZFS code, since others have contributed, but we expect that those contributors would gladly relicense in the same manner if Oracle does first.

1 More discussion on these issues can be found in this section of Copyleft and the GNU General Public License: A Comprehensive Tutorial and Guide, which is part of copyleft.org, a project co-sponsored by the FSF and Software Freedom Conservancy.

Posted by Bradley M. Kuhn and Karen M. Sandler on February 25, 2016. Please email any comments on this entry to info@sfconservancy.org.

My project 8sync, an asynchronous programming library for Guile, is now a GNU project officially!

More on 8sync and how it could be useful to you soon!

There's a new Guile beta out! This is a speed-focused release! A lot of cool compiler stuff in there!

Does working on Guile's compiler sound interesting to you? Andy Wingo has a new blogpost on getting involved in Guile compiler tasks!

If you ever wanted to dig in to compiler work, now's a great time to stretch your wings!

This is huge: the opening keynote for LibrePlanet 2016: Fork the System is a conversation with National Security Agency (NSA) whistleblower Edward Snowden and American Civil Liberties Union (ACLU) Technologist Daniel Kahn Gillmor.

https://www.fsf.org/blogs/community/edward-snowden-will-kick-off-libreplanet-2016-will-you-be-there

In the Stripe office for their Open Source Retreat, day 1.

The office is super posh. I'm not used to this much luxury. For-profit tech companies are weird!

Sitting at my desk. They're mostly like: here's your desk, use whatever stuff you want, make cool stuff happen.

Time to make cool things happen! The next few months are targeting towards MediaGoblin 1.0.

Google/Alphabet planning on a total surveillance approach to replacing your password.

Yikes!

I am concerned. In the past years, it has become clear that real privacy has become harder to come by. Our society is quickly heading into a situation where an unknown number of entities and people can follow my every single step, and it’s not possible to keep to myself what I don’t want others to know. With every step into that direction, there’s less and less things about my life of which I don’t control who knows about it.

Replicant at FOSDEM 2016 

Extremely thoughtful writeup by @Thadeu Lima de Souza Cascardo, partly following recent conversations.

NUEVO artículo en mi blog:

Tan importante como la necesidad de poder disponer de software libre es disponer de hardware libre que respete la libertad y privacidad del usuario.

https://victorhckinthefreeworld.wordpress.com/2016/01/08/la-free-software-foundation-certifica-hardware-que-respeta-tu-libertad/ 

>> trinux:

Replicant se basa en CyanogenMod. Al no meter blobs, su suporte es muy limitado. Y como dices, meter blobs a Replicant y usar CyanogenMod apenas hay diferencia a efectos de libertad como usuario de móviles.”

Para mí, como usuario de Replicant (con blobs), la diferencia entre Replicant y CM está en que Replicant tiene como propósito el hacer un verdadero sistema operativo libre. Mientras no lo logran, uso bajo mi responsabilidad blobs privativos para wifi, gps y bluetooth.

Congrats to the Guix team for getting out the 0.9.0 release of Guix! This is a big release, including 543 new packages, container suppport, a new service composition system (important for future deployability work!), and much more.

Guix is a functional package manager built on top of GNU Guile, and GuixSD is a purely free software GNU/Linux distribution built on top of Guix.

Great work, Guix folks!

GNU Guile has a new site design by @sirgazil and it's absolutely glorious!

Outreach and presentation are really important! I hope we see more and more of this.

Btw, @sirgazil also did the amazing Guix website design too!

Well, much of http://wingolog.org/ is on the future of Guile's VM, but this post especially! If terms like "AOT optimization", "adaptive optimization" and "Just In Time compilation" are your jam, this post is for you.

Also, we can't leave without this quote:

The usual strategy for this kind of implementation is to write it all in C++. The latency requirements are too strict to do otherwise. Once you start down this road, you never stop: your life as an implementor is that of a powerful, bitter C++ wizard.

Busy morning! Guile 2.1.1 has been released!

Lots of improvements, including lots of rewrites to the VM bringing performance improvements, improvements on the Emacs Lisp layer, GOOPS reimplemented in Scheme, and more!

This is fresh on the heels of our new site design landing (which we announced here just earlier this morning), so when we say it's been a busy morning, we really aren't kidding! :)

Why would you use OpenStreetMap if there is Google Maps ?

http://geoawesomeness.com/why-would-you-use-openstreetmap-if-there-is-google-maps/

via https://diasp.eu/posts/3657764 

http://ring.cx/ looks cool as hell. P2P videochat with a nice interface? Time to package for Guix.

1. Linus and other kernel developers do it.
2. You have self-diagnosed as having Asperger's.
3. You value code quality over other people's feelings.
4. You get angry a lot.
5. You think other people are just wrong about everything.
6. You thought of a funny insult.
7. You're uneasy having people in the project who're unlike you.