
OpenChain Webinar #11 - Open Source Issues Remediation + Community Bridge and SPDX Online Tools + CII Best Practices - Full Recording


McCoy Smith
 

Well, there is this: “A “User Product” is either (1) a “consumer product”, which means any tangible personal property which is normally used for personal, family, or household purposes, or (2) *anything designed or sold for incorporation into a dwelling.*”

I don’t think that’s what the author meant by the language you quote below about “consumer premises.” [I haven’t looked at the slides]

 

FWIW, the language above was adapted from the Magnuson-Moss warranty act from the USA: https://www.law.cornell.edu/uscode/text/15/2301

 

Andy Wilson and I did a preso, quite some time ago, about the Installation Information requirement and how one should think about compliance with it, which I have posted to my website for those who really want to delve into this little-remarked-upon provision. Bradley Kuhn also did a preso about it for the Linux Foundation more recently, directed to the automotive industry: https://events19.linuxfoundation.org/wp-content/uploads/2017/11/Safely-Copylefted-Cars-Reexamining-GPLv3-Installation-Information-Requirements-ALS-Bradley-Kuhn-Behan-Webster-1.pdf

 

https://www.lexpan.law/post/gplv3-s-installation-information-requirement

 

From: main@... <main@...> On Behalf Of Jeremiah C. Foster
Sent: Friday, September 11, 2020 10:11 AM
To: OpenChain Main <main@...>
Subject: Re: [openchain] OpenChain Webinar #11 – Open Source Issues Remediation + Community Bridge and SPDX Online Tools + CII Best Practices – Full Recording

 

Hi OpenChainers!

 

Thanks Shane and everyone for the webinar. After reading the slides from the "Open Source Issues Remediation" I have a small nit to pick.

 

On slide 10 the author writes "the goal of the [GPL] v3 license is to prevent Tivoization". While that is clearly the goal of Section 6 of the GPL v3, that is not the goal of the entire license. The goal of the license, at least from what I understand from those who were involved in its creation, was to be more GPL-like. That means it is meant to be modified by the copyright holder just as source code licensed under the GPL v2 is meant to be modified. This can create an extremely flexible license should the copyright holder need that. The GPLv3 also makes explicit some implicit elements of the previous versions of the GPL, like how to cure violations effectively and how software patents are treated. The overall goal was to make a better GPL license.

 

The author also writes "this [the GPLv3 anti-tivoization clause] is a problem, especially if the product is a consumer premises product." I would disagree with the idea that this is a "problem"; the anti-tivoization clause actually is a solution to a host of problems where companies comply with the letter of the GPLv2 but prevent modification of a user's device through deliberate use of encryption or obfuscation. I don't think this comports with the spirit of the GPL family of licenses, which is designed to give users control over the Free Software on their devices.

 

Lastly, there's no real notion of "premises" in the GPL though there certainly is a notion of a consumer product. A car might be an example of a consumer product that may contain GPLv3 source code but is not limited to "premises", thus the wording of the problem statement is somewhat misleading.

 

Regards,


Jeremiah

 

 

 


From: main@... <main@...> on behalf of Shane Coughlan <scoughlan@...>
Sent: Friday, September 11, 2020 6:11:41 AM
To: OpenChain Main
Subject: [openchain] OpenChain Webinar #11 – Open Source Issues Remediation + Community Bridge and SPDX Online Tools + CII Best Practices – Full Recording

 

*** THIS IS AN EXTERNAL EMAIL: Please do not reply, click on any links, or open any attachments unless you trust the sender and know that the content is safe. ***


In our biggest webinar to date, Jari Koivisto talked about Open Source Issues Remediation, Gary O’Neall talked about Community Bridge and SPDX Online Tools and David Wheeler talked about CII Best Practices (the project equivalent of the OpenChain standard). Check out the full recording and the slides below.
https://www.openchainproject.org/news/2020/09/11/openchain-webinar-11-open-source-issues-remediation-community-bridge-and-spdx-online-tools-cii-best-practices-full-recording

 



This e-mail and any attachment(s) are intended only for the recipient(s) named above and others who have been specifically authorized to receive them. They may contain confidential information. If you are not the intended recipient, please do not read this email or its attachment(s). Furthermore, you are hereby notified that any dissemination, distribution or copying of this e-mail and any attachment(s) is strictly prohibited. If you have received this e-mail in error, please immediately notify the sender by replying to this e-mail and then delete this e-mail and any attachment(s) or copies thereof from your system. Thank you.


Jeremiah C. Foster
 

Thanks McCoy.


I suppose I oughtn't have said "there's no real notion of "premises" in the GPL"; perhaps that was too broad a statement. I still think it is largely true, as the example you've included seems to be referring to attributes that indicate a "consumer product" even if it has commercial uses or is installed via a licensed professional. It's my assumption that this type of attribute is meant to demonstrate that a smart thermostat running GNU/Linux (for example) still has to comply with the GPL even if it is installed in an office by an electrician. From GPLv3: "A product is a consumer product regardless of whether the product has substantial commercial, industrial or non-consumer uses, unless such uses represent the only significant mode of use of the product."


At the risk of beating a dead horse, I think that "premises" is alluding to the bit of popular jargon "on-prem", which I take to mean an on-premises installation of a server or a SaaS product. If that's the case, it can potentially be confusing for those who don't have a clear picture of the GPL's notion of "distribution". If you've created a "derived work" with the GPL, it doesn't matter which premises it runs at; rather, it matters how you've distributed it. It's a rather small point, but it is mine and I made it. 😊


Regards,


Jeremiah 


From: main@... <main@...> on behalf of McCoy Smith <mccoy@...>
Sent: Friday, September 11, 2020 1:37:52 PM
To: main@...
Subject: Re: [openchain] OpenChain Webinar #11 - Open Source Issues Remediation + Community Bridge and SPDX Online Tools + CII Best Practices - Full Recording
 