June 6, 2001

OpenBSD and ipfilter still fighting over license disagreement

Author: JT Smith

- by Tina Gasperson -
Maintaining the openness of OpenBSD got a little more complicated recently
when the project leader of what may be one of the most
popular modules in OpenBSD decided to re-word his home-grown license to
specifically disallow modifications to the source code without his permission.OpenBSD wants to stay true to its name. The project's published goal when it
comes to licensing is simply to strive "to maintain the spirit of the original
Berkeley Unix copyrights." The OpenBSD team works to maintain complete
openness of the source code, even allowing casual users to look at the source
tree and CVS changes via the Web. As a result, recent licensing changes to a
key firewall module integrated with OpenBSD have forced its removal from the
Unix-derived operating system.

The program in question is ipfilter, a firewall that is normally used as a
loadable kernel module in various Unixes. It ships as a part of FreeBSD and NetBSD, and up until May 30, as part of OpenBSD. But on that day, OpenBSD
head Theo de Raadt pulled ipfilter from the source tree, stating in part,
"Darren Reed has interpreted his license in a way that makes [ipfilter] not free according to the rules we established over 5 years ago, at www.openbsd.org/goals.html. Specifically, Darren says that modified versions
are not permitted. But software which OpenBSD uses and redistributes must be
free to all, for any purpose they wish to use it, including modification."

Ipfilter has had the same license for years, but without warning, Reed,
ipfilter creator and project leader, re-worded part of the license, taking it
out of the realm of the strict definition of Open Source software -- and
therefore making it technically ineligible for inclusion in any of the BSDs.

OpenBSD project leader worries about code

de Raadt considers it his responsibility to ensure the purity of the OpenBSD
code. "This is not a soft point," he told NewsForge. "The University of
California Berkeley CSRG spent years replacing AT&T code in the BSD Unix code
base, to try to release their free code. Then there was a lawsuit. It was all
[because of] this kind of stuff. It is our responsibility to keep our shoes

Here's what the ipfilter license originally stated:

 * The author accepts no responsibility for the use of this software and
 * provides it on an "as is" basis without express or implied warranty.
 * Redistribution and use in source and binary forms are permitted
 * provided that this notice is preserved and due credit is given
 * to the original author and the contributors.
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of

A couple of weeks ago, downloaders noticed this change:

* The author accepts no responsibility for the use of this software and
* provides it on an "as is" basis without express or implied warranty.
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* Yes, this means that derivative or modified works are not permitted 
* without the author's prior consent ...  

Reed, who did not respond to NewsForge's request for comments on the status of the license, was presumably
attempting to retain some control over the source code by implementing this
wording. But if that's what he was trying to do, even this re-wording may not
be enough, says Charles Fendell, an attorney who specializes in software
licensing issues and is an adjunct professor of law at Washington University
School of Law. "The word 'use' can be ambiguous. The right to use is not an
exclusive right owned by the owner of a copyright," he says. Not only that,
but there is more than one type of 'modification' in copyright law --
modifications which result in a derivative work, and slight modifications
which do not change the essential nature of the work.

Reed seems to waffle on license stance

However, in posts on the ipfilter mailing list and elsewhere, Reed has
maintained that his license has never granted anyone, including OpenBSD, the
right to make modifications to the source code. New York intellectual property
attorney Virginia Richard agrees with him. "The original license gives users a
non-exclusive right to use the software," says Richard. "No right to produce a
modification or derivation was granted. Such a right will not be implied in
the absence of an express grant." The second license is merely explicitly
stating what the first license "did not imply," if you will.

To confuse matters further, it appears that Reed may have dropped the most recent license, returning to the original. In a June 3 post to the ipfilter mailing list, he writes, "At this point I'm not that excited about making any changes to the license as that implies a deficiency in the old one, one way or the other with one way of reading it making a criminal out of too many people and who wants to do that? I expect further releases will continue to contain the same license notice."

And in another self-contradiction, Reed has also granted NetBSD and FreeBSD permission to modify the code in ipfilter, according to this excerpt from the same post: "The license is intended to mean that people can use (which includes modify or patch or tune, as seen fit) IPFilter as found within FreeBSD/NetBSD for whatever purpose they desire -- so long as the conditions (due credit and the notice) are met."

'Why are you picking on OpenBSD?'

As people on the ipfilter mailing list continue to ask Reed, "why OpenBSD?" it becomes clear that personal feelings have had some hand in all of the conflict. Some of Reed's statements in the past weeks concerning OpenBSD:

"You have Theo, the OpenBSD project leader, to thank for [ipfilter being removed from OpenBSD]. My advice: use FreeBSD or NetBSD -- similar projects with much more stable leadership."

"de Raadt entered the fray and decided that I should do as he says or he'll take it to the press. Why he even thought that'd make any difference, I don't know ... To those who say that de Raadt should have used more diplomacy, you're damn straight he should. At least then discussion might have been possible."

"If OpenBSD had a more reasonable leadership as do FreeBSD/NetBSD, then maybe this would never have happened. This is not a vendetta thing, it is just how I'm dealing with Theo being obnoxious."

de Raadt says that he doesn't know what prompted Reed to make these statements. "Considering he changed his license and went hardline before I even talked to him, this is a lie," he says of the last comment above. But some of the animosity may be related to a brief email exchange between Reed and de Raadt that happened after news of the license change broke. "I don't believe in your license changes (or your interpretation)," de Raadt wrote to Reed on May 21. "As a result of this and other actions, it appears pretty clear that we are going to be splitting our ipf off. We're tired of you not buying back changes that we mail in, and thus requiring us to ship bugs."

Reed's response via email to de Raadt and copied to several other developers: "One of the very first changes that was
made is the use of interface names in otherwise unsupported positions in
ipnat.conf. That change is an example of one which I didn't feel was
warranted in IPFilter so never merged it back. Any other changes for OpenBSD, I've had to take time, myself, to get patches off the web or other means and integrate them myself. So as for the 'not buying back' part, there has been very little effort from the OpenBSD people to do any work on this or even enter into a discussion about whether this change or that change is appropriate. Somewhat like how their illustrious leader works."

Final decision on license remains a secret

The license text file in the latest release of ipfilter, downloaded June 5, contains the old version of the license. Reed did not respond to our emails asking about his plans for this and future releases of ipfilter -- but judging by a page recently added to his Web site, it sounds like he's a little overwhelmed by the furor surrounding his homegrown license, and perhaps regretful that things "happened too fast" and have been "blown way out of proportion."

In Reed's one direct communication with NewsForge about this issue, he says, "The wording of the license found in any release has been the same since day 0, except for copyright date changes and a recent fix for a spelling error." This statement may be referring to a sub-thread on the ipfilter mailing list which inferred that the license change was only intended for beta releases of the program.

Regardless of whether or not Reed accomplished what he set out to do with the license, he has created a new awareness on the part of the OpenBSD team, sparking a thorough license audit. de Raadt says he's contacted many authors of other code with licensing issues.

OpenBSD begins rigorous license audit

In fact, he posted a list of project leaders he's been in touch with, including University of California Berkeley, Wietse Venema, Sun, and others. Ipfilter isn't the only module he's removed; a test subdirectory of yacc (yet another compiler-compiler) that de Raadt says was littled-used is also gone now because of modification restrictions. Most other projects have been flexible in changing their terms to accommodate OpenBSDs requirements. "I have contacted many other authors of code with licensing issues," says de Raadt. "Of particular interest is the ppp daemons that the *bsd's use, tcpdump, and the family of multicast tools originally written by Stanford."

Wietse Venema, the owner of the tcpwrappers project, changed the wording of
the project's license after a single request from de Raadt. The original license was almost identical to the original ipfilter
license. The new tcpwrappers license, with the addition of the phrase "with or
without modification," makes it clear that changing the code is completely
legal. "The license has been the same for ten years," says Venema, "but it can be changed."

Both the ipfilter and the tcpwrappers licenses have language that is very close to the BSD copyright license. When asked how he came up with the license for tcpwrappers, Wietse says, "Like everyone does, by cutting and pasting text from someone else."

Many software developers borrow an already established, if not proven, license, like the Berkeley-style license or the GPL -- and that's probably the best course to take, unless coders have extra money laying around to hire a lawyer and draft a custom agreement. A look at the BSD license makes it appear that Reed, in creating his ipfilter license, pulled several phrases out and patched them together without the help of a professional. Attorney Fendell says that the best way to avoid license misinterpretations is to draft an appropriate agreement in the first place.

From the other side, anyone who plans to use programs that someone else has written would do well to be vigilant about clarifying license terms before adopting and adapting the code.

Finding something to fill the gap

OpenBSD is also now in the process of locating a replacement for ipfilter. de Raadt says, "There are about 3 choices right now which we can start from, and in a few days there might be a 4th. Or we could start from scratch. The ipfw packet filter, for instance, is only 2300 lines of kernel code. There seems to be an assumption that a kernel packet filter is rocket science. It's not. It is just a little bit of work. All told, what we removed accounts for less than 1% of our source tree -- all the rest of which was free -- except for the few other licenses I am now clarifying."


  • Unix
Click Here!