Hi, I am Tom Callaway, in case you don't know me for some reason. I am the Fedora legal lead. The standard disclaimer when giving any sort of legal talk is required: I'm not a lawyer. I work with them, but I'm not one. Nothing in this presentation, written or spoken, should be considered legal advice, which means if you go out and do something stupid because Tom told you so, not only are you stupid, but I'm not liable.

I've worked for Red Hat for a very long time, and I am allowed occasionally to speak on behalf of Red Hat. You should not assume that anything I say or present in this material reflects Red Hat's opinions, stances or favorite dinosaurs.

Well, so that brings me to our next talk, which is all the legal changes that we've made as a result of the IBM acquisition. So, now that we're done with that: no, IBM has not informed me that anything has changed in regards to what I'm saying, and because Red Hat is acting as an independent entity, that slide is still accurate.

So I want to go over a brief overview of the legal policies that exist today in Fedora, so that we can have a baseline: when I'm talking about things, we understand where we're moving from and to and whatnot.

So the first one is that everything in Fedora needs to be free software. There's one exception to that, which is firmware that's needed to make free software work. Content can sometimes be an exception to this; there are carefully defined rules about when content is acceptable. The rough rule on content is we really like it to be free, but if it's at least distributable without restrictions then it is okay.

Software cannot have a hard dependency on non-free software. A hard dependency in RPM syntax is a Requires, so if you link against something that is non-free when you build, and you hopefully wanted to shove that into Fedora, then no, that's not okay.

It also needs to be safe for Red Hat to distribute. This is a little broader, and... yeah, go ahead.
I'm sorry, I don't have an answer for that one yet. There's been a lot of discussion about whether we could have things in Fedora that have Suggests and Enhances that point to non-free things that may exist in other repositories that we're aware of. If you had some sort of a plug-in model where, if it detected FFmpeg, it would dlopen it and off you went and had that functionality automatically, but it was not linked against it, that would obviously be something that would be nice to include. The question is whether we inherit any risk from explicitly calling that out, as if we are aware that these things exist in a broader context. So that's a deeper discussion that has to be had with the lawyers about mitigating risk in those cases. I think there's a reasonable argument to be made that it should be possible for us to do this, but I haven't cleared it yet. So we'll talk about that at Flock 2023.

Yeah. The lawyers love every time I come to them with these existential questions. They say things like "what's the business justification for that?" and "why would anyone ever want to do that?" But anyways.

So "it needs to be safe for Red Hat to distribute" is a little vague. It's important to remember that Red Hat is a US-based company. We are still a US-based company even after the acquisition, so we have to be compliant with US laws. We cannot infringe known US patents; that is worded very carefully. Everyone knows we should never ever infringe patents, but things we don't know about are less damaging than things we do. And there's also cases where, for things like the DMCA, which is the law in the United States that has specific restrictions on what software can and cannot do, we need to honor that as well. And that's a little bit difficult.
That usually involves me looking at something and saying "that very clearly violates the DMCA," or "I'm not sure, so we probably will let it go until someone tells us via a court case that it does." There's a very small list of things that meet that criteria currently, so for most packages it's not something that people need to worry about.

Also, respecting trademarks. Respecting trademarks is not something that we are legally obligated to do; however, it is something that we have as a policy of Fedora, as a good citizen to the ecosystems. So we don't carry things like... I believe there is a game called Super Mario with a Y that someone has made, which is a clear Mario clone and does not honor the trademarks, and there is no reason legally we could not distribute it, other than that Nintendo would immediately give us a cease and desist if we ever did.

Anyway, so those are the legal policies that we have at that level. We also have export restrictions because of US export laws. We cannot export Fedora to sanctioned countries or individuals. The list of individuals is long and difficult to parse, but for the most part the terrorist warlords that are on this list do not have any real interest in contributing to Fedora as of today, that we know of, and if so, they're not using their real names anyway, so we're not sure about that. Yes, also, and they never ever go through VPNs or proxies. So we can't send Fedora to Cuba, Iran, North Korea, Sudan, Syria or Crimea. Specifically it is the Crimea region of Ukraine, which is confusing if you believe Russia's stance on the universe, but anyways, that's the US stance on things. So we also cannot have Fedora contributors in these countries. Now, that phrasing is very specific. It's not nationality.
It is contributors in these countries, which begs the question of how we know where they are or why that matters, but it doesn't mean that we can't have Flock Cuba. So "we" means not just Red Hat, but it also means every Fedora community member and anyone who downloads Fedora as well. And we know this sucks, because there are good people in these countries who wish to make meaningful contributions to Fedora and broader open source, and there is nothing that we can actually do about it.

As far as licenses are concerned, we do have this lovely URL with this license list. We have more than 350 free licenses tracked and labeled. I'm proud to say that in 2019 to date we have only added two new licenses to the good list, which is the least we've done ever, which makes me all warm and fuzzy inside. As part of this we also added one bad license, but I don't generally add bad licenses, because most of the licenses I see that are bad, I don't ever want anyone to ever see them again, and so I don't add them unless they are commonly come across or they're making a lot of noise. Yeah, SSPL.

But it's also worth noting that there are still 16 BSD variants and 34 MIT variants that we are tracking in Fedora. We call all of these BSD and MIT. (The Server Side Public License, I believe, is the full name of that license.) SPDX categorizes some of these as separate licenses. They don't have all of our variants in SPDX, because they copied our list, and our list is incomplete because I stopped naming them after a while. Well, I may, but I didn't want to at that point in time.

So the two new licenses that did get added were the BSD plus Patents license, that was written, I believe, by a lawyer at Intel, and then the... I'm not going to even pretend to pronounce that second one. I'm gonna let someone who speaks... there you go, thank you... speaks French as their native language.
That is a content license that was created recently, and something was shipping a large quantity of stuff under it. It's free. And then we just get my duplicate slide here.

Contributing to Fedora. We used to have a CLA once upon a time, in a long long ago. It was a pile of confusing legalese that lots of corporate entities were unwilling to agree to; lots of individuals were unwilling to agree to it. It looked like a copyright assignment, although that was never the intent. Although, determining the intent of something that was written for lawyers ages ago is always fun. We moved to the Fedora Project Contributor Agreement, which were simplified terms with the goal of being able to assign a default free license to contributions if the owner doesn't specify or attach a license to that contribution. Yes, again, it doesn't mean that they have to use a FOSS license, and it says in there that if you put a license on there that we don't want to use, we just won't use your contribution. So if you contribute something under a non-free license, we go "thank you for your contribution, we're not using it," and we drop it on the floor.

No, not to my knowledge. Please don't go out and find legal corner cases.
I appreciate that your joy comes from the small things in life, but mine no longer does.

So these are all of our basic legal policies that we have for Fedora, simplified out. Now, everything we do in Fedora in this space is very community powered, despite the fact that I am the Fedora legal team. By involving our community with these legal policies and concerns, we are able to identify potential risks earlier and on a distributed scale, and this benefits both upstreams and downstreams of Fedora. If we are trusted to be doing a reasonably good job at policing ourselves, then other people are more comfortable using us as a base, and upstreams are more comfortable taking the changes back that they see us making, because we are making them across the board. If we were to, for example, just say we only care about enforcing GPL, and nothing else in our distribution gets that level of attention, then everyone else would not be as trusting about what we're doing and the work that we have happening.

But we also want to make sure that I'm not the only person who has to do all legal reviews on every single package. Right now I'm only examining cases where the community doesn't feel confident that this is obviously the right thing. If something comes through that is marked as GPL and includes a copy of COPYING and there's nothing suspicious in it, the community should feel comfortable saying "that's GPL" and moving on with their lives, without blocking on me to go into a manual file-by-file audit on that package. And for the most part this is how things work today: the community says "I think this is okay, let's move on," and we don't even have to tell me about it, versus "I think this is probably not okay," or "I'm not sure, I need someone to check."

And so there's a couple ways you can report legal issues. One of them is to file a bug which is blocked against the FE-Legal tracker. The second is you can email the legal mailing list, which is public and archived. And the third is that you can email legal@fedoraproject.org, which is private. I guess the fourth would technically be, if you wanted to encrypt that for some reason, you could send it directly to me; my GPG key has been all over the internet for about 20 years now.

Now, one fun little thing to talk about is COPRs. They have the same licensing and legal policies as Fedora packages. Now, we do have relatively good community oversight on COPRs, but this is done by a very small number of people. I think there are maybe three people who have ever flagged something as questionably legal in COPRs, not counting me, and so it would be really nice if we had more people helping to look at obvious things that are not okay. We are regularly seeing COPRs created with FFmpeg inside of it. We are regularly seeing COPRs created with obviously non-free items: the NVIDIA driver, OpenCL, all sorts of other things, where sometimes there are packages available from the vendor that get shoved into a COPR because "I want to make it easy to install them all at once." Usually we see these where it's like somebody names the COPR after themselves, or "my favorite packages," and all of those things are sitting together, and I have to go through and delete that entire repo at once and then send them a nice email that says "due to all the things you did not read, I have to take your COPR out. I'm very very sorry."

There's probably significant room for tooling improvement here in the COPR infrastructure, because most offenders that I email, if they reply at all, they reply and say "I had no idea.
I wasn't allowed to do this." And it's true that the place where our licensing policy is, in the COPR docs, is buried inside of it in one paragraph in a non-standard section, as opposed to something where, when you access COPRs for the first time, there's some sort of pop-up that says "hey, by the way," or even when you instantiate a new COPR, reminding you that you shouldn't put anything non-free in it. So it doesn't have to be like a significant overhaul, but just something that minimizes the risk of "I had no idea I could do that" being a legitimate argument. I realize that it's not stopping "I didn't read this because it wasn't in a language I normally parse," but anything we can do to help people understand why their COPR might be at risk is helpful. Sometimes people get really agitated when they've shoved 400 source RPMs into one COPR and I go and delete that because one of them is non-free, because right now I have no way of just taking out the FFmpeg builds from their environment. Nor should I really be able to, because a lot of times they end up being link-time dependencies against other stuff in there, and there's no sane way for me to say "this and this and this and this..." even though they're fine, because they were built against that.

All right, so let's talk about a specific case, which is ECC. This comes up from time to time. ECC stands for elliptic curve cryptography. I've created a new wiki page on here, Legal ECC. This lists all of the curves that are permitted in Fedora. This is something that people have sort of had an idea about in a vague sense, but we're now at a point where there's no reason not to document what this is. So this page exists. Most, but not all, ECC curves are permitted and enabled in Fedora at this point. Clearing additional curves is difficult and time-consuming. The last time I had to do one it took nine months, and that was because I knew at the beginning of the process that I had a good chance of being able to clear it. Most of the curves that haven't been cleared, I know they won't, and that's why I haven't gone down a nine-month process to determine that they won't. So you're just gonna have to take my word for it. If you decide you want to be a pretend patent attorney and do the research yourself and come and bring me nine months' worth of research, I will happily consider that and then start the same nine-month process over inside Red Hat. But if you can convince me first, I'm willing to do the additional steps. That said, I do not recommend any of you ever look at patents, because that makes you patent tainted, and then it makes it very difficult for you to do unique software development. That is not advice, that is just my recommendation; you do what you do.

Questions on this? No, because it means that I'm aware that those curves may exist, and if they happen to slip into Fedora it makes me triply liable for patent infringement. Oh, that's cool. So no, I can't do that. Some other curves may exist, but I'm not listing them. Yes. Probably, yeah, it's not written down though, so I never said it.

Audio. So, the noteworthy things in audio. I'm not talking about MP3 anymore; if you haven't figured out that's patent clear, then welcome to the land of tomorrow. AAC: the licensing on AAC is not ideal. We did a lot of work with the specific license around that package and determined that in that very specific scenario in which we are using that license, it is indeed GPL compatible. Basically, there's a patent section in the license that, if it was in play, would make it GPL incompatible, but because we happen to have a high degree of confidence that that situation is not in play, we can treat it as a no-op and thus are acting in the case where it is GPL compatible. You should never use this license for anything else, ever. Please. And in fact, if someone happened to write a proper AAC implementation that met that specific revision of the spec that we're carrying, it would make a lot of people very very happy that we wouldn't have to use that license. We asked the upstream if they would consider not using that license or amending that license, because they have effectively abandoned that code base, and their answer after almost a year was no. But the good news is that AAC as implemented in Fedora today is more feature rich than initially implemented, because we argued about it so long that several more patents expired.

G.729 audio is something that I keep meaning to enable and forgetting. It's been ready for us to include without legal boundaries since 2017, but no one's mentioned it to me since 2017, so it hadn't gotten done. So if anybody wants to go and implement G.729 audio codecs in Fedora, you can go right ahead. You don't have to clear that through me; it's all fine. Otherwise, I'll get to it when I get to it, which will be sometime before the sun explodes.

Video. We can now ship MPEG-1 and MPEG-2 video completely. This took a lot longer than it should have due to internal review, but it is now done and it is now all in the clear. Fun fact: MPEG-2 is the documented standard for DVD video, which made things really complicated. H.264: we ship, or technically Cisco ships, OpenH264 as a library and a plug-in for various things, which enables us to have an open source H.264 implementation. We're not going to be able to get a native H.264 implementation for a very long time.
So I strongly recommend that you love this thing if you can.

So, some stuff that's forbidden for now. It's worth talking about because it keeps coming up. exFAT is still forbidden until 2024, so Flock 2024 will be an exciting one. We will finally be able to support the most common standard for large file interconnectivity, what most USB sticks are starting to move to and things like camera SD cards want to start to use. Yeah, our good friends at Microsoft, who love open source, apparently don't love it enough to permit a patent grant on exFAT. They really like the royalties they're getting from that, and their concern, rightfully so from their perspective, is that if they did grant that, then every single implementer of the exFAT standard would simply use the open source implementation and stop paying them patent royalties. So it sucks, but the department at Microsoft that collects patent revenue hates open source. Yep.

DVD playback, again: we still can't do this because of the DMCA in the US. This will probably be forbidden long, long after the last DVD media has rotted away. That is correct; however, almost no one legitimately sells unencrypted DVD media. There are some, but it's very few, so if you are watching Richard Stallman sing the free software song on a DVD then you have deeper problems. But I believe that media is sold unencrypted specifically. Yes, and so that playback is supported in Fedora today. Yeah.

Yeah, so we have a list of forbidden items. This is not maintained by me; this is maintained by the community, and I from time to time go through and correct it when someone adds something that's improper or incorrect.
There's been no real changes to that list for a while. It includes some lovely entries which date back to the beginning of Fedora, including discussing where we cannot ship RealPlayer, so if you're looking for a blast from the past you can go through and read that. If there's something that you think should be in there, go ahead and add it. I get notified every time somebody touches that wiki page, and I go through and correct it. So if you want to add something that you think is obvious, then go ahead.

And so now we get to cupcakes. So this is one of the few pictures in the slide deck, so these are the only cupcakes that will appear in this presentation, unfortunately. So one of the things that has been a byproduct of all the work that I've done for Fedora is that I've been happy to work with upstreams and downstreams to assist them in a non-lawyer capacity to attempt to understand and address the legal concerns they may be dealing with. In theory there are organizations that have lawyers that should be providing this as a community service to entities, but for a variety of reasons which are not worth discussing on video or in presentation text, they are not serving that purpose effectively. So it falls on to well-meaning and well-intentioned and generally correct volunteers to fill the gap. So if you, people watching this video or people in this room, need to understand something or you see a problem that I could help with upstream or downstream, please feel free to reach out to me and I will do my best to help out as much as I can. Obviously if I say "this is not okay, you shouldn't ship this," and upstream says "f you, I'm doing it anyways," then there's that gap where we're not gonna agree, but most of the cases are things like "we had no idea this was inappropriate, how do we fix this?" and working with them to identify the fix. Example being:
I noticed, while auditing something completely unrelated to my normal legal work, that there was a section of Qt that was shipping under a license where the license required that you include a copy of the license in the work when you distributed it, and to the best of my knowledge Qt has been violating this since 2004. I opened a bug a year ago, which they closed on Tuesday. So they've now come into compliance, and again, it's a small thing, but the small things eventually add up when people copy code and it moves around.

So, you may have noticed that there has been some legal drama going on in the broader open-source community now. There is a thread with pictures here, but I'm going to talk through this, because I thought it was useful to sort of take this request that came in from someone who will not be named to try and make sense of all of this. So I sort of did this in an "explain like I'm five" sort of way, to sort of talk this through, and then I'm gonna talk about why it's relevant for Fedora that I'm talking about this here. So this is all analogies. So if these analogies don't make sense, just bear with it.
I will explain it at the end. I realize this is very English-centric, and sometimes these things may not apply in other languages. But basically, a company started making cupcakes and was giving away the recipe. Lots of other people ate them and thought they were tasty, so they made more cupcakes and gave them away for free. Now, the company who made the cupcakes first didn't like that they weren't making any money from the other people who were making those cupcakes and giving them away for free, so they paid a lawyer to try to stop it, because that is clearly the best way to deal with your community: to pay a lawyer to try to stop something.

Now, giving away the recipe for the cupcakes made it easy for other people to make the cupcakes, and the company couldn't pay all of those people. So the lawyer tried to be sneaky and clever, and this is usually a bad idea when the lawyers try to be sneaky and clever, even if they're well-intentioned, and made a new rule that said that you could keep giving away their cupcakes, but you also had to give away everything that you used to make the cupcakes, including the kitchen utensils, the kitchen, the house and anyone who ever looked at the house. But in reality they just wanted to scare people so that they would come and pay the money to be able to ignore that rule, eat cupcakes, and have this as a revenue stream.

They took this new cupcake license to the people who determine if a license is okay or not. We'll call these people the Justice League. The Justice League has a book that tells them if a cupcake license is okay or not okay, and they look at the book very closely to determine this. Their book is old and was written before cupcakes could be eaten on cloudy days or in containers. Now, the lawyer who did this thought they were very clever and had made the cupcake license do everything the book said it must, but it was clear to everybody reading the cupcake license and the book that it violated the spirit of what was intended with the book. So at this point everybody started to take sides in this community. Some people thought that a very strict reading of the book was all that mattered; other people felt that the intent of the book applied to modern times and needed to be considered; and so other people just basically started complaining that the Justice League was being too secretive in how they were deciding these things, or generally too slow. And then some of the Justice League members are just plain old jerks, and it makes it really hard for anybody to try and deal with the process, because somebody just keeps opening their mouth and yelling jerky noises and everyone hates it. Now, some people think that the book should be changed, but no one is able to agree on how it should be changed, or even what the process to change it should be, and it hasn't been changed in a long time as a result.

So in the middle of all of this, another clever lawyer comes along with a new cupcake license, and this lawyer is trying very hard to create a cupcake license that extends protections to modern situations but still honoring the letter and the spirit of the book. Now they say that eating a cupcake in a cloud is the same as a public performance, which is an obscure protection in the field of cupcake rules, aka copyright. No one has ever tried to apply this concept to cupcakes or any baked goods or anything before, and this is super controversial, because some people feel like this is stretching things too far to fit the book and should not be done. It's like saying "that's not a shoe, it's a banana." Some people argue that cupcake licenses are not the place to make these sorts of new changes, and we should wait for the law to catch up and the law to define what a public performance of software is. Or that maybe the Justice League is not the right place to consider them, again remembering that the Justice League is sometimes composed of jerks. Still other people feel that this change is unnecessary and the existing cupcake licenses in the book are just fine as they are.

But ultimately it all boils down to this one simple thing: change is scary. And it's really, really scary for lawyers, because change means uncertainty and risk, and 100% of what lawyers do day in, day out is mitigate uncertainty and risk, and so they really don't like it when you come to them and say "hey, everything has changed." So this is not helped in any way in our open-source communities by the lack of any sort of method of changing the book to reflect the modern realities of our universe. So, because cloud computing is not going away, we probably need new licenses that better apply the spirit of FOSS to it. It's not easy to do this; it's really, really tricky. People have very strong opinions about this. Lawyers enjoy nothing more than arguing with each other in their language that only they speak, and the majority of the fine points are super complicated. You find a lot of people... you look at the one example of a license in this space that is widely used, or at least widely accepted to be okay, which is the AGPL, and yeah, people make that face. So half the people are like "this is perfect and brilliant and solves all the problems," and the rest of the people are like "why in the world do I have to jump through all these flaming hoops just to make everybody happy?"

So why do we care in Fedora about all of this exploding around us?
One of these things is that there are a lot of companies that are using licensing in place of a valid business model, and this is resulting in an increase of generation of new licenses. And there's a lot of people, even who aren't companies, who are trying to write new licenses as a result of all of this noise. And that means that in theory a lot of things that might be coming into Fedora in the near future are going to be coming in with these new, weird, or just unacceptable licenses, and it's helpful for us to be aware that this is happening and to understand the motivations behind these licenses, because Fedora is a flag carrier for best practices in FOSS in a lot of ways. This is one of the reasons why we spoke out as a community against the SSPL, which was the license that MongoDB wrote, specifically in my analogies about cupcakes, to try to prevent people from being able to reasonably honor it. They said "this is open source, because if you do all of these awful and obscure and difficult and complicated things then you're still in compliance and everything is fine, and what's the problem with that?" And in practice they made it impossible for anyone to reasonably comply with the license, but that's okay, because you can just pay them and all those problems go away and you can get a different license. We thought that was obviously a really bad idea. It's nice and helpful for the FOSS communities to be able to have a very clear understanding of what is open and what isn't, and helping everyone to understand that we stand up and say "this is not free. This is not open.
This is not open source." Also, Fedora is innovating on the cutting edge of cloud and containers, and if we're going to be in these spaces then we need to be aware of the legal issues that are happening in those spaces, so that we can participate meaningfully in them when the time is right. And that's pretty much it. You know, this is just the overview of where we are in legal land without going super deep into any one topic. Now, normally I leave lots of time here at the end, because people want to go super deep into one topic, but I have some bonus topics if you want to bring up specific topics. I know these things likely come up, so I went ahead and made a slide with them, but if you don't want to ask a question about one of these things, that is also fine. We can talk about whatever is interesting to talk about. Do you want me to move the slide?

One of the things that I've encountered as I've done more complex package reviews is understanding like how to look for them, and that has become harder, largely because people have now come around full circle and now vendor in the code again, and that has made it considerably more difficult for figuring that kind of stuff out. So the question, summarized, is: how do I determine the effective license of a work when I'm doing this sort of thing, so that other people can attempt to copy that methodology? It really is sort of a case-by-case basis, understanding how things interdepend upon each other. Obviously things are going to be different in a linked environment versus an interpreted environment. So that's the first case. So I try to understand: this code that I'm looking at the license for, how does it interoperate with the rest of the code inside of the immediate boundary that I've defined? Usually I'm working on the boundary of a specific package, so it is taking this package, looking at its source code in isolation, not looking at it in a broader context, not saying "well, how does this interact with glibc, because I know it links against that," but looking at it inside that box of itself only. And then helping to understand... the first thing you want to do when you're doing that sort of review is making sure that you have a good understanding of what the license is on all of the files that are contained within it, with the exception of files that do not matter. Things that do not matter are things like makefiles, build files, unless they are doing something incredibly unique and innovative, and that happens so rarely that you can safely assume they are not. Autotools may be giant and painful to look at, but nothing in there is innovative. Makefiles, also the same thing. Now, if you run make and it starts playing Tetris, then maybe we should have a conversation. Well, yes, but... and then, I mean, once you've gotten that understanding, some things I do: there are some open tools that are out there that do some basic license scraping. If you're not comfortable using one of those tools that are out there, using grep is a really good way to start. grep -iR copyright is a really good way to start looking for licenses in a source space. But also looking at the READMEs. Usually, not always, but usually the READMEs are correct with regards to licensing; they may be missing things. But if it says "all of the files in this work are under this license," and I come across files that aren't licensed but clearly were generated by the same author or same community, then you can safely assume they are under that license even though they may not be. That is the way that almost everyone operates on these things. It would be great if every file was always accompanied by its assigned license, but... and again, if there's evidence to the contrary, like if I look at a file and it was very clearly copied from DEC VMS, then I don't believe that it's likely to be under the same license, because the copyright holder is not the same. If the styling of the file is completely different from the rest of the works inside the package, like if it's the one Perl file in a giant package that's all Python, then it probably wasn't written by the same people and is not necessarily under the same license. Sometimes what I'll do in those cases is I will actually take chunks of that code which appear to be unique and original and search them, either through Google or GitHub or both, and see if I can find other examples of this to determine where it came from. Sometimes I will look in the revision control history for those sorts of files where I can't determine who did it, and look at the commit and figure out how it ended up in there. If we can do that, then we can trace hierarchy, and then we can usually figure out what the license is supposed to be on those works. Sure.

You know, I maintain that, so he's allowed to go there. So, well, as the person who did the TeX Live audit in order to make sure that it would come properly into Fedora: it was a lengthy process. It took an extremely long time to track down all the licenses. TeX Live does a... on a score from one, where you don't do any legal work whatsoever, to ten, where you do everything perfectly, they come in around a seven. After the audit and me giving them a laundry list of all the things that were wrong with their distribution and their licensing model, they fixed most of them. They do continue to add non-free items to their release and then refer to their release as completely free and open source, which is annoying, but I haven't figured out how to solve that problem yet, because me screaming at them doesn't seem to solve it, and they have no bug tracker.
So there's no way for me to file bugs against their stuff. Sort of; it sort of does, but it's a mailing list and it's not really a bug tracker, and they don't answer things I send to the mailing list anymore, when their mailing list is working, which is rare.

Mm-hmm. It used to. I'd guessed that it was massively broken. Yes, well, TeX Live contains more than 10,000 individual components, all of which are individually licensed. They effectively would be unique packages in a different universe, but we don't do that.

And yes, that is correct, and TeX tells people "just install the vendor collection package," which is a meta package, basically, which pulls in everything else. So, because that's how they recommend people install TeX, we kind of have to package everything to meet all the meta packages that could possibly exist. And so a lot of these packages are extremely old and haven't been updated in forever, but they are still dependencies in the TeX universe, and so it was important to understand the licensing on all of those components, so that if we have any particular branch of dependencies where something is rotten at the core at that specific point, we are also able to not have broken dependencies down the line.

TeX has extensive dependencies, but there's no way to auto-generate them. And so I either have to look at the metadata file which is shipped with every component, where sometimes, if I'm lucky, the upstream maintainer will say in the text of the description "this package depends on X and Y and Z," not in a machine-parsable way, but in a text way where I can read it and I can manually say, okay, let me add these Requires that map up to that. Or... because there are fields in the metadata to do that, but no TeX package has ever used them. So, understanding dependencies, the only way I do it is when someone says, "hey, I installed this TeX package and it didn't work, but it suddenly worked when I installed this other thing." I was like, cool, let me go add that Requires, and now it works for more people.

Yes, if I had a way to do that, yeah, I would. They are still using Subversion for their version control for everything, and as far as I know... no, they've been using Subversion for a long time. I think they were one of the big ones that adopted Subversion first, which in theory is great, but in practice, I don't believe any... their ACLs are very odd, and so only certain people have access to commit to core TeX, and it's a very limited list, and there's no clear way. Usually I end up emailing the person who does the releases and saying, "hi, it's me again, here are all my dumps, and you haven't told me to go away, and so please consider applying some of these." Yeah, it's good times.

On average, when I do a major TeX update, I pull out about 10 new packages because they were non-free, every time we do a massive update. And this one that I'm working on right now, for 2019, is looking to be significantly worse than anything we've had in the last three years. Essentially, they don't publish these in any sort of the same way. They don't do a changelog that says "these are the new packages and these are the ones that are going away." I have to figure it out from context. So I have to pull the metadata list which lists all the Requires (the metadata packages are actually really good about listing their explicit Requires, because that's all they do) and then go through each one of them, comparing them to what we had in the last major release, determining the new ones. My notebook here: this is where I'm currently at in the list. These are all new packages that have to be created for the TeX Live package and then reviewed and audited for license, and this is more of them that I haven't finished.
I'm about halfway through the meta packages. Norm, last time it was... I had to do about 75 packages to go to 2018, and this time it looks like it's going to be significantly worse than that.

It never worked, the automation that was written. You wrote good code that maybe worked once, and it never worked again, and then he disappeared, and then there was no way to ask him, "how did this ever work?" And when I reverse engineered as much of it as I could to figure out how to make it go again, it was this thing where there was a mix of C and Python, and you had to run them in the right order and then rerun them against the generated spec, and then you had to keep... you were shuffling so often that you were actually hurting yourself by trying to use these tools, as opposed to... Despite the fact that it usually takes me an extensive period of time, it's still better to do it manually, because the auto-generated results were so poor.

How is it in Debian? So one of the fun things that I've discovered in working as Fedora legal is that debian-legal does a piss poor job, most of the time, of catching stuff like this. No, and I'm on the record as having said it repeatedly. It's well-intentioned, but stuff that existed before debian-legal existed has never been audited. And so a lot of times what happens is there is one specific individual, I do not know his real name because he does not use it in any of our correspondence or bugs or anything, who goes through debian-legal's bugs and assigns them all to Fedora if they're relevant. He checks to see if we have the package, and he opens a Fedora bug. And he does the inverse when he discovers that I've changed something and fixed something. He watches all of my commits, which must be miserable, because a lot of my commits have nothing to do with legal. He watches all of my commits, and when he sees something that is a legal-related commit, he goes out to every other distribution on the planet and he opens a bug against it. And so debian-legal hates me, because every time I fix something they get all these bugs opened up, and I'm not doing it, this other individual is doing it. I've never suggested that he should be doing these, but he is, and so Debian plays catch-up on a lot of the things that we do.

One of the fun things I did a few years ago, when I had a rather lengthy list of things I knew were non-free that we were trying to get out: someone suggested to me at a conference that I should simply use one of the Free Software Foundation's Respects Your Freedom certified distributions, because all these problems must be fixed there. And so I got bored and I pulled every one of them open and found all of our issues sitting in all of those distributions, and pointed out that exactly none of the Free Software Foundation's Respects Your Freedom distributions were actually 100% free, because none of them had been audited on that level, and the things I was aware of were in all of them. Well, that's not true; there was one that I couldn't find the source code for, because it had died, so in theory that one might have been fully correct. I just was...

Or... well, again, it was at that window of time. It was things like SGI FreeB, which everyone knew was in X and was non-free. There was no jurisdiction in which anyone thought it was, but everyone did not want to be running without it, and so everyone who was using X was running it. And so it was like, "Are you using X? Yes. Do you have FreeB? Yes?"
Okay, you're non-free, let's keep moving. And it was like check, check, check, check, check. And this was something that was just the dirty little secret. Now we've gotten that all re-licensed at this point, thanks to the rotting corpse of the remnants of SGI. But it's one of those situations where sometimes we know things are non-free and we are actively working with the license holders to try to resolve them. At the moment there's nothing in Fedora that I'm aware of that meets that criteria, but in the past that has been true, and it may be true again.

Go ahead. Not that I know of. That doesn't mean that we don't, because I don't hand-audit everything that comes in. It's possible that something has slipped through the cracks where no one's noticed it, because it's like a test file in a Perl package that no one ever looks at because it always passes, and it was taken from something else. I don't want to say with authority that there is never anything, but we do a really good job of trying to prevent it, and if you ever see anything that you're not sure about, you can immediately file a bug on it, and I'll investigate and we'll get it resolved one way or the other. We're not in a situation like we were with FreeB, where we didn't want to have to gut all of the GL support in order to make our distribution free.

Yes, I think that is true. So I think that part of the problem is that traditional software licensing triggers on distribution, and that is the way that most of our licenses are structured, and in cloud computing the concept of distribution becomes much more vague. Yes, or cloudy, if you wish. So being able to look at that and determine how and when licenses trigger: when is the act of distribution happening? Because you have the same sort of divide for people in that space that you have in the non-cloud computing space. There are folks who are on all edges of the spectrum, from extreme copyleft to extreme permissive, and right now we don't have a range of licenses that are designed to deal with cloud computing, that across the spectrum cover those sorts of cases and clearly indicate that when you are using this software in a cloud context, then these sorts of requirements apply to you. The only real one that is out there that is doing this is AGPL. And so what most cloud computing projects are doing is they're using existing software licenses in a context that may not be a hundred percent applicable to people. And so there's this ambiguity of: am I distributing when I'm running this or not? If my cloud computing package is mostly JavaScript, because it's running through a browser, am I distributing when the browser downloads those files and runs them? Does it count when they're minified? All of these sorts of factors come into play, and so there's a lot of people who are starting to think about these problems in more depth, because people are starting to make real money using these things. And when people start to make money using things, then the lawyers show up and say, "hey, here's how you can get some of that money," and then the new licenses come out of the woodwork. And so I fully expect that in five years we'll have a lot more licenses in this space to have to deal with, and we're already starting to see people trying to write these licenses on cocktail napkins and submit them upstream. Now, for the most part these aren't being written by lawyers, and the only exception to that is the lawyer who is writing licenses that are plainly malicious and attempting to get their clients more money.

So the only times I've ever seen licenses go end-of-license... end-of-life, are things where the only entities using that license dissolve or go away. A lot of Sun's terrible licenses
are dying because Sun is gone, for all intents and purposes. I mean, Oracle still continues to kick some of them forward, but licenses don't ever go away as long as the internet remembers them, so it's entirely plausible that someone will come and pick up a bad license and start using it again.

So the question is: is there ever a scenario in which the Justice League, which to be clear is the OSI, determines that a license is no longer permissible for people to use, and they say "this is no longer open source; using this license was open source for the long time that it was, and now it isn't"? They've argued about this at length to try to figure it out, because they did approve some licenses that they probably shouldn't have and called them open source, and they can't come to consensus on this at this point. They may at some point in the future come to some consensus. I think one of the big dilemmas there is: if something was open source yesterday, and I make the license go away, and you still want to use that source code, is it not open source tomorrow? Did that magically change? And then dealing with all the grandfathered cases: do you then document all the cases where you were aware that something is being used? And then how do you deal with all the private island concerns, where someone's using this in private and assuming that it is open source as a result of their use, and not disclosing it to anyone because they're not required to? Are they now all of a sudden not open source, because they don't know it's not open source, because they believed it was open source when they moved on to the island? So yeah, it becomes really complicated really quickly, and they are incredibly disinterested in being an auditor of all software ever. Even GitHub isn't thrilled about that idea. So it's a hard problem.

But there are definitely cases where what they have done is they have listed licenses as retired, where they strongly encourage no one to pick these licenses up, but they don't change the open source status of those licenses. They've done this with some really archaic licenses where the company used it once, got OSI approval, released once and then died, and no one ever used their code as far as anyone could tell. So there are some corner cases buried in their dusty cabinets.

I think it's plausible that such cases exist; I can't name one. The closest analogy I can name is that when we did the license review for sendmail, the legal determination was that it was free as long as it was for sendmail, and it was done for the author of sendmail, and that if anyone else used that license it would probably be considered non-free unless we went and talked to them and got explicit clarification, because the only way we were able to consider sendmail free was through direct and private correspondence with the upstream copyright holder. Yes. And so if you go and you look in the licensing list for the sendmail license, it says "free as long as it's sendmail." That is a different sort of case, where there are no-ops in all of the licenses that date back to a specific era, but yes. We document it in our lengthy licensing FAQ, if you are so inclined to go really, really deep into the rabbit hole.

I have not. Yeah, no, I would love to be able to figure out something where we could be intelligent and hard-link all the copies of the license files that we ship in everything, to minimize on-disk space just a little bit. It probably won't make a significant impact, but if you were in a cloud or in a container situation where every single bit on the disk counts, then being able to do that sort of a cleanup could be beneficial.
The difficulty is that for some licenses you can look at sums and compare. GPL was almost never edited to amend for copyright holder or date or anything like that; people are usually just picking up a copy of COPYING, or COPYING.LESSER, or COPYING.LIB, depending on your era. And so it's the address, the street address or the URL. Yeah. So it literally boils down to which of the six or seven variants of the GPL family licenses do you have, and then comparing them against that.

Some of the distributions I've seen, what they do is they create a master license package that includes all the possible licenses that could ever exist in any of their packages, and then make any build compose depend on it. I'm aware. But that's how they ensure that they're always shipping the licenses for everything they possibly could, and don't worry about it on a per-package basis, because they have a licenses package that always will have your licenses; they're always there for you to look at. They do this practice as well: they have this common licenses package which must be installed on the computer, and their copyright files refer to it for the ones that are templated licenses, like Apache and GPL.

There's nothing that's preventing us from doing a common licenses package in Fedora other than that we've never done it, and for the most part people seem reasonably comfortable with it now that RPM allows us to tag license files as license files. And so they are specially tagged doc files that, if you do no-docs installs, still make it through. There are enough variants in licenses that I would be really worried about trusting that a common licenses package is everything, but if it helped enough people to simplify their packaging life in some way, I wouldn't be opposed to it. I'm not sure that it simplifies anything, because it's really pretty straightforward to include the licensing in Fedora packaging right now, so you'd really have to come to me with a really compelling case, or at least a mildly compelling case, as to why we should.

Yeah, that's the only one where I was thinking this might be useful, but then I don't know. There are a family of licenses, and this is listed in the Fedora license FAQ, that require that a copy of the corresponding license be distributed along with it. BSD is the most notable one of this family. And so lots of times when upstreams say "BSD" and don't include a copy of the license, they are out of compliance. However, it is not possible for a copyright holder to be out of compliance with themselves, so they can do it all day long, and we have to add it. But we also have to be sure that we are adding the BSD variant they intend. So what we usually do in those cases is I end up filing a bug with the upstream and saying, "hey, which of these BSDs did you mean when you said BSD?" And if they don't respond, then I don't care, right? Because they clearly don't, and the likelihood of them coming and saying "you are infringing my copyright" is simply responded to with me saying, "my bad, what's your license exactly?"
And then they provide me the license and we get what we wanted to get from the beginning. So it's not something that we lose a lot of sleep about. We do make a good faith effort to try to determine what the license is, in case they come back and say, "when I said BSD, what I actually meant was Bare Standard, you know, License," or something crazy like that, which is worthless. And again, usually in most of these cases the correct response is going to be to open that upstream ticket and say, "I'm attempting to confirm the actual text of your license. Can you add that, or tell me what it is and I will add it?"

Sometimes I've had success with upstreams where they're on GitHub, where I'll do a straight pull request and say, "you seem to be MIT; this is the standard OSI license text for MIT. Will you merge this or not?" And nine times out of ten they merge it, and I'm like, great, you just confirmed what your license is by having me write it for you. But I don't care, because we got the problem solved and I'm happy with that license text. Again, if they merge it, then they are de facto, as the copyright holder, saying that this is correct. Yeah, I'm just saving them ten steps, and so if that's what makes it happen, then that's what makes it happen. Again, sometimes, and it doesn't work all the time, sometimes upstream is like, "why would you write my license for me? I would want to do that," and then they go do the exact same thing, and I'm like, you know what? I don't care, knock yourself out.

This is all fine. The last thing I would say, to the room and to the video, is: if you believe that there is a patent situation involving your code, please be vague when you report this publicly. If you wish to be specific, consider reporting it privately to me, maybe even encrypted. There are reasons for that that I cannot go into, but it would make my life a lot simpler if you would stop filing bugs that say things like, "hey, I believe this violates patent number..." Please don't do that. Obviously, in those situations where that happens, Red Hat and Fedora do the responsible thing and deal with this appropriately. Obviously and clearly.

All right. Well, if there are no more questions on this, I will be around for the rest of Flock. You can come to me quietly and be like, "okay, so I have got this legal problem," which inevitably... the price of such questions is usually an alcoholic drink. Sometimes, after learning about the problem, it may require additional alcoholic drinks. But thank you for coming, and thank you for respecting legal.