Free Software Foundation Files Suit Against Cisco For GPL Violations

John Gilmore gnu at toad.com
Fri Dec 12 19:53:29 EST 2008 

> Some of us are new to one or another part of this issue, and need a bit more background.

> o Can you list the offending binaries and explain their faults?

Sure.  For example, "ls" is part of the Coreutils.  In 8.2.0, it's
licensed under GPLv3+ (try "ls --version"); in earlier releases, it's
licensed under GPLv2+.  In both cases, OLPC is shipping binary copies
of "ls" on the flash media of laptops.  This means that it must ensure
that every recipient has either the actual source code of "ls", or has
both a written offer of such source code and ready access to redeem that
offer for the actual code.

One of the original ideas at OLPC was that all the source code would be
put on the school servers and every school would have a server and so
the kids would all have access to the sources.  See
http://dev.laptop.org/ticket/4286#comment:8 .  That didn't work in
practice, because many laptops go to places that have no school
servers.  It didn't work for G1G1 either.  See also
http://dev.laptop.org/ticket/4417 .

There are also some packages for which OLPC doesn't seem to have
SRPM's that match its RPM's:  http://dev.laptop.org/ticket/4835 .

In addition, there's a bigger problem with the packages that are
licensed under GPLv3 (24 packages in 8.2.0, and growing).  GPLv3 bans
"TiVoization" which is the way that the TiVo company figured out how
to cheat the GPLv2.  They used a ton of GPL software to build a
product, flashed the binaries into a physical product, and provide all
the matching source code -- but the firmware in the physical product
will never let you reflash the binaries.  This means you are "free" to
modify the source code and recompile it, but you can never actually
modify it IN THE PRODUCT.

GPLv3 bans this, for products designed for household or consumer use.
If the vendor themselves has the power to reflash the binaries, then the
consumer must be provided the keys and instructions required to do so.

OLPC follows exactly the TiVo model.  It comes with DRM that prevents
the kids from reflashing their own laptops, even though OLPC can
reflash them with new versions.  The DRM directly affects modified
versions of the kernel and initrd, which do not contain software
licensed under GPLv3.  Coreutils ("ls") is GPLv3 though.  Normally, to
modify "ls" you wouldn't need to reflash; you could just log in as
root and install the new version on top of the old version (with "rpm"
or "yum" or "cp").  But some of the countries who distribute OLPC
laptops want even more control -- they have disabled root access
completely for the kids.  This means the kids can't just login as
root; they'd need to reflash to install a modified version of "ls",
and they can't.  This violates GPLv3.

In addition, one of the key deliverables for the 9.1 release is
limited-time "leases" that would make the laptop refuse to boot, if
some third party who has OLPC connections doesn't issue it a new lease
periodically.  Part of the implementation strategy was/is to avoid
cheating by denying every laptop user the ability to reset the
laptop's clock.  This can only be enforced if root access is removed.
Thus Uruguay's mistake is scheduled to be spread into every country as
of the 9.1 release.  This violates GPLv3.

OLPC has a complicated process for getting the keys that would enable
you to reflash your laptop, get past the lease crap, (or merely to
boot software, such as the Fedora 10 release, that isn't signed by
OLPC's secret keys).  This is the "developer key" process, which
requires Internet access, a 24-hour arbitrary delay imposed by OLPC,
and a lot of hand-holding and instructions.  Many kids in the
mountains of Peru and Uruguay do not have Internet access.  There's
supposedly a way to send a postcard to OLPC, but I think it has never
been tried (it neglects to tell the kids to include their serial
number and UUID, which are required; and it would require that the
kids correctly type in a long string of random letters and digits.
The Support Gang has had lots of trouble with *adults* with email and
telephones being unable to do such things.)

It may also be that the rootless Uruguayan laptops have also removed
the instructions on how to get a developer key (I haven't seen their
distro; is there a copy of it anywhere publicly accessible?).  Even in
OLPC's mainstream software releases, it is never clearly explained
what restrictions are built into the product, what a developer key is,
why OLPC is required to offer you one, why you might want it, why your
laptop won't boot a Fedora SD card or an Ubuntu release, etc.  That
info is scattered around the wiki.

The last suggestion I heard from OLPC along these lines was that the
kids aren't actually the owners of the XO laptops, so it doesn't
matter what we do to the kids.  The *schools* own the laptops and we
can give *them* the keys to the DRM.  This kind of legal sophistry,
besides being exactly opposite the OLPC party line ("the kids own the
laptops, they take them home every night, they teach them to their
family, etc"), just left me disgusted.  I'm sure OLPC can carefully
structure its operations and its paperwork and its customers to deny
freedom to as many kids as it wants -- but why does it want to?  Every
white-box PC in existence, every other laptop in existence, comes with
freedom.  Freedom to run any Linux distro on it, or Windows, or
anything -- without permission from the manufacturer.  The OLPC comes
with DRM, like the TiVo, the iPhone, and the Google G1 phone.  While I
think it's important to teach our kids just how to jailbreak the
restricted gadgets that greedy corporations throw at them, I don't
think OLPC should be one of those vendors throwing DRM at kids.  GPLv3
agrees with that sentiment.

	John

More information about the Devel mailing list