OSCON day two: GPL compliance and good hacking


Author: Jay Lyman

Day two of the OSCON open source conference in Portland treated some 1,900 paying attendees — up from an original estimate of 1,500 — to sessions on how programmers can comply with intellectual property law and the GPL, as well as talks on how programmers sometimes break the law with hacking attacks and countermeasures to prevent them.

David Turner, GPL compliance engineer with the Free Software Foundation, told a group of about 30 programmers to beware of violating the GPL, which reportedly happens a lot and can force companies to re-write code, scrap entire projects or die. Turner, who indicated U.S. courts have yet to offer any real guidance on public display and performance protections regarding software, did indicate the FSF gladly works with companies or groups that have lost GPL rights to get in compliance and get those rights back.

Turner explained that much of the teeth of the GPL is set in copyright law, which is part of the U.S. Constitution. Turner said the basis in copyright law works well internationally because of the existing framework. He also said the GPL both grants rights and places some restrictions on those who use the software license to distribute or protect their products.

“You can’t put restrictions on software other than what’s already in the GPL,” Turner said. “Any license that doesn’t have restrictions beyond the restrictions in the GPL is GPL compliant.”

Turner advised coders seeking to do right by the GPL to think about licensing — something the FSF representative said programmers do not usually do — and to create a solid foundation for products by planning source code offers carefully and using real build processes.

“You will save time and money with a real build process that’s out to users,” Turner said.

The GPL expert, who did cover the less cumbersome LGPL intended for libraries, also complained that there are a number of other open source licenses that are not compatible with the GPL, not necessary, or both.

“There are too many free software licenses and it’s a shame,” Turner said, referring to licensing efforts from Intel and IBM. “Unfortunately, most of these licenses are incompatible with the GPL and often with each other.”

Turner also referenced the next version of the GPL, which was last updated completely in the early ’90s, but may soon deal with issues of license compatibility in version 3. Although there is no release date for GPL3, Turner said he hopes to lose a bet with a FSF cohort that the new GPL is not out within three years.

“Version three is going to cover issues for a new millennium,” Turner said with a grin to a room full of chuckles. “We think people are going to want to upgrade because it’s so good,” he added seriously.

Frossie Economou of the Joint Astronomy Centre in Hawaii, said she had come to OSCON for learning, but also for fun.

“This is the most fun conference anyone knows about,” she said, adding that the vast number of programmers at OSCON represent progressive solutions to her organization’s problems.

“The chance of someone anticipating a need before you need it is really high,” Economou said.

In terms of the GPL, Economou said it was a very complex subject, but she expressed gratitude that organizations such as the FSF provide guidance on it.

Seth Raphael, who represents the Vermont-based educational nonprofit National Institute for Technology and Liberal Education (NITLE), said his organization works with GPL software and while it has not done so yet, the group is poised to start modifying GPL code.

“We just recently looked into it and we would redistribute it, so we want to make sure we don’t step on any toes,” Raphael said.

Stuart Yeates of UK-based OSS Watch, which encourages and advises on open source use, said one of the big problems with the GPL is fear.

“A lot of it is just general, ambient fear,” Yeates said upon exiting the GPL session. “The way to combat that is to turn the light on — and the lights came on in that room.”

The GPL was chief among arguments at the “SCO moot court” held at OSCON earlier in the week. While those in open source might consider SCO’s arguments moot already, the mock trial made for some pretty interesting fare, according to Syracuse University student James Howison, who said he did not pay “massive attention” to the fake court.

Howison said the would-be SCO attorney — a stand in, not a real representative of the Utah company — did a good job of balancing seriousness and sarcasm. The stand-in attorney reportedly offered several disclaimers before vigorously arguing SCO’s points, and obviously wanted to avoid being thrown into the Willamette River by open source community members in attendance.

“As soon as it finished, it turned into a discussion on how we can avoid these problems, which I think was very useful,” Howison said. “There was also a lot of ‘can’t give legal advice,’ so it’s going to be a lot of money for lawyers.”

The law, and breaking it, were also the focus of an afternoon session called “Hands-On Hacking: Attacks and Countermeasures” presented by CRCI President David Allen. Allen spent much of his presentation discussing hacker mentality and technique, then offering preventive solutions.

Beyond the usual social engineering avoidance — don’t give out the password to somebody who says he is the admin, the specialist or Linus Torvalds — Allen advised security minded attendees to do what hackers do and find out what they can about their companies, thereby finding the holes that exist in simple Web search results and other data that may be better kept under the cuff.

More technical sessions at OSCON’s second day included: a presentation of XML schema languages by Dyomedea CEO Eric van der Vlist; discussions of Perl, PHP, and Java programming; Apache sessions including lifecycle programming and content management with Apache Lenya.

Also highlighted: MySQL tools and Web development; a Jabber “bootcamp”; and getting started with Postfix, among others.


  • Open Source