From c1f10c3379e8d96977ef2ff7f9245d888c032624 2018-09-26 16:30:21 From: Bradley M. Kuhn Date: 2018-09-26 16:30:21 Subject: [PATCH] Larger presentation -> CCS report examples cp -pa presentations/2hr-GPL-compliance-focus/2hr-GPL.md presentations/ccs-report-examples/ccs-examples.md Plan to reduce this just to the CCS examples. --- diff --git a/presentations/ccs-report-examples/ccs-examples.md b/presentations/ccs-report-examples/ccs-examples.md new file mode 100644 index 0000000000000000000000000000000000000000..8a99469b1c5ae3af54c5d6aa42ed3412cbebcab4 --- /dev/null +++ b/presentations/ccs-report-examples/ccs-examples.md @@ -0,0 +1,766 @@ +% A Practical Guide to Compliance with the GNU GPL +% Bradley M. Kuhn and Karen M. Sandler +% Thursday 19 January 2016 + + +# Audience + ++ Our goal here is to move faster or slower based on audience knowledge. + ++ There are folks in this audience who have worked with this stuff for years, + and those who are completely new. + ++ We want these presentations to be valuable to all of you. + +# Audience + ++ Please, don't be embarrassed: + + Ever GPL expert in the world, including us, started as a student who + knew none of this. + ++ This is a course; raise your hand if you are confused or have a question. + ++ We are glad to go "off-slides" and get your questions answered. + +# The Tutorial's Textbook + ++ This tutorial actually has a 125-page textbook. + ++ You can download it (PDF or online HTML browse, or the source code!) from + [copyleft.org/guide](https://copyleft.org/guide) + ++ The text is in integration and culmination of every freely licensed + material on copyleft (and GPL in particular) we could find. + ++ We don't mind if you read the text while we talk and raise your hand with questions. + +# How this Tutorial Go? + ++ Materials presented will mix the simple & complex. + ++ We cannot possibly cover the entire GPL and compliance procedures in merely + two hours. + + a full course could take a whole day or more. + + but we'll give you the key highlights. + +# Outline + ++ Discuss: motivations, origins, then a few of GPL's sections. + ++ Turn to focus to how it relates to meeting the requirements of the license + (aka compliance). + ++ If you haven't asked enough questions at that point, we'll then still have + lots of time at the end to take questions and answer them. + +# Why Listen To Us? + ++ Conservancy operates and practices license compliance activities extremely transparently. + ++ So you have access to drafters, interpreters, enforcers. + ++ Someday, we may (or already have) sit across the table from you. + ++ Our transparency does make your job easier. + +# The Mindset of GPL + ++ GPL protects software freedom. + ++ Ultimate goal: make sure every user has the four freedoms. + + Freedom to run the software. + + Freedom to study and modify the software. + + Freedom to share the software. + + Freedom to distribute modified versions. + ++ Every clause in GPL was designed to uphold one of these freedoms. + + Or, it's a compromise of drafting in adoption vs. freedom debate. + +# Using Copyright + ++ GPL is primarily a copyright license. + + Software is copyrighted. + + License grants key freedoms. + + Requirement prohibit activities that take away freedoms. + ++ General concept: copyleft. + ++ Specific implementation: GPL. + +# Conditional Permissions + ++ A copyleft license grants copyright permissions, conditionally. + ++ Think of the phrase: “provided that” + ++ “provided that”: appears (in some form) only + + 4 times in GPLv2 + + 9 times in GPLv3. + +# Compare To Proprietary Licenses + ++ Yes, the GPL has its requirements. + ++ But *none* of these activities are ever permitted under proprietary + licenses. + ++ If you don't like what the GPL requires you to do, then just use + proprietary software instead. + ++ That way, you know the answer to every “Am I allowed to?” question is “no” + ++ rather than: “yes, but only as long as you …” + ++ Many business advantages to copyleft... + +# The Technical Gap + ++ Understanding GPL well requires a some software expertise & legal + expertise. + ++ You don't have to be a professional on either side to grok it. + + but you're best off if you're a professional in one & an amateur + in the other. + ++ Most important technical concepts you need: + + source code, binaries, methods of distribution. + +# Modification As a Center Provision + ++ GPL's primary copyright hook is copyright controls on the right to modify. + ++ GPL's central tenant: + ++ You can make a modified version of various types privately as much as you'd like. + ++ When you distribute that modified version, you have requirements to meet. + ++ Technological considerations dictate necessity of more complex rules for +certain types of modifications. + +# GPLv2 § 2(a-b) + + +

[GPLv2§]2. You may modify your copy or copies of the Program or any +portion of it, thus forming a work based on the Program, and copy and +distribute such modifications or work under the terms of Section 1 above, +provided that you also meet all of these conditions: +
+
+a) You must cause the modified files to carry prominent notices stating +that you changed the files and the date of any change. +
+
+b) You must cause any work that you distribute or publish, that in +whole or in part contains or is derived from the Program or any +part thereof, to be licensed as a whole at no charge to all third +parties under the terms of this License. +

+ + +# GPLv3§5(a-c) + + +

+You may convey a work based on the Program, or the modifications to +produce it from the Program, in the form of source code under the +terms of section 4, provided that you also meet all of these conditions: +
+
+a) The work must carry prominent notices stating that you modified it, and +giving a relevant date. +
+
+b) The work must carry prominent notices stating that it is released under +this License and any conditions added under section 7. This requirement +modifies the requirement in section 4 to "keep intact all notices". +
+
+c) You must license the entire work, as a whole, under this License to anyone +who comes into possession of a copy. This License will therefore apply, +along with any applicable section 7 additional terms, to the whole of the +work, and all its parts, regardless of how they are packaged. This License +gives no permission to license the work in any other way, but it does not +invalidate such permission if you have separately received it. +

+ + +# GPLv2§2¶ penultimates + + +

+These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Program, +and can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based +on the Program, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the +entire whole, and thus to each and every part regardless of who wrote it. +
+
+Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Program. +

+ + + +# GPLv3 §0 ¶1-5 + +

+ "Copyright" also means copyright-like laws that apply to other kinds of +works, such as semiconductor masks. +
+
+ "The Program" refers to any copyrightable work licensed under this +License. Each licensee is addressed as "you". "Licensees" and +"recipients" may be individuals or organizations. +
+
+To "modify" a work means to copy from or adapt all or part of the work +in a fashion requiring copyright permission, other than the making of an +exact copy. The resulting work is called a "modified version" of the +earlier work or a work "based on" the earlier work. +
+
+ A "covered work" means either the unmodified Program or a work based +on the Program. +

+ +# Binaries (Object Code) are Modifications + ++ Software that the computer understands is different than software humans + read. + ++ There is often a process required to modify (and/or translate) the software + from human-readable + + This process can be done ahead of time. + ++ Separation of source and binary was the first way proprietary software + companies discovered to subjugate users. + + GPL uses the fact that binaries are modifications (which are often + distribution) to prevent that subjugation. + +# GPLv2 § 3(a-b) + + +

+

[GPLv2§]3. You may copy and distribute the Program (or a work based on it, +under Section 2) in object code or executable form under the terms of +Sections 1 and 2 above provided that you also do one of the following: +
+
+a) Accompany it with the complete corresponding machine-readable +source code, which must be distributed under the terms of Sections +1 and 2 above on a medium customarily used for software interchange; or, +
+
+b) Accompany it with a written offer, valid for at least three +years, to give any third party, for a charge no more than your +cost of physically performing source distribution, a complete +machine-readable copy of the corresponding source code, to be +distributed under the terms of Sections 1 and 2 above on a medium +customarily used for software interchange; +

+ + +# GPLv3 § 6(a-b) + + +

+[GPLv3 § ] 6. Conveying Non-Source Forms. +
+
+You may convey a covered work in object code form under the terms +of sections 4 and 5, provided that you also convey the +machine-readable Corresponding Source under the terms of this License, +in one of these ways: +
+
+a) Convey the object code in, or embodied in, a physical product +(including a physical distribution medium), accompanied by the +Corresponding Source fixed on a durable physical medium +customarily used for software interchange. +
+
+b) Convey the object code in, or embodied in, a physical product +(including a physical distribution medium), accompanied by a +written offer, valid for at least three years and valid for as +long as you offer spare parts or customer support for that product +model, to give anyone who possesses the object code either (1) a +copy of the Corresponding Source for all the software in the +product that is covered by this License, on a durable physical +medium customarily used for software interchange, for a price no +more than your reasonable cost of physically performing this +conveying of source, or (2) access to copy the +Corresponding Source from a network server at no charge. +

+ + +# GPLv3 § 1 ¶ 1, 4-6 + + +

+The "source code" for a work means the preferred form of the work +for making modifications to it. "Object code" means any non-source +form of a work. +
+
+The "Corresponding Source" for a work in object code form means all the +source code needed to generate, install, and (for an executable work) run the +object code and to modify the work, including scripts to control those +activities. However, it does not include the work's System Libraries, or +general-purpose tools or generally available free programs which are used +unmodified in performing those activities but which are not part of the work. +For example, Corresponding Source includes interface definition files +associated with source files for the work, and the source code for shared +libraries and dynamically linked subprograms that the work is specifically +designed to require, such as by intimate data communication or control flow +between those subprograms and other parts of the work. +
+
+The Corresponding Source need not include anything that users +can regenerate automatically from other parts of the Corresponding +Source. +
+
+The Corresponding Source for a work in source code form is that +same work. +

+ + +# What's a GPL Violation? + ++ GPL (both v2 and v3) require: + + The whole work licensed under GPL. + + (which means all copyrighted material added must be under + GPL-compatible licenses.) + + Complete, Corresponding Source (CCS) of that work provided, under GPL. + ++ The licenses terminate upon violation … + + … thus failure to comply means lost distribution rights. + + … enforcement uses this rights termination as leverage to + restore compliance. + +# Enforcement is Technical + ++ Copyleft's policy goals related to technical acts. + + modifying, building, and installing software is a technical process. + ++ In embedded systems, this process is rarely straightforward. + + Yet GPL requires that such be possible. + ++ In enforcement, we talk about “the CCS adequately meeting GPL's requirements” + +# Compliance-Friendly Development + ++ Use revision control ... + - ... to pull in vendor branch. + - ... to tag releases. + ++ Avoid "Build Guru" ... + - ... by documenting build process. + - ... and versioning it, too. + +# GPL Binary Requirements + +(v2 § 3, v3 § 6) + ++ Four options: + - Source alongside binary (v2/v3). + - Offer for source (v2/v3). + - Internet side-by-side distribution (v3). + - Torrent distribution (v3). + +# Source Alongside Binary + ++ Simplest option + ++ **Obligations end at distribution time.** + ++ Physical media required. + +# Offer For Source + ++ Useful if not shipping CD already. + ++ Lasts three years. + ++ Mail fulfillment required (not in v3). + +# Side-By-Side Distribution + ++ Not in GPLv2, pedantically speaking. + ++ Always been considered compliant for v2. + ++ v3 clarifies this. + +# Peer-to-Peer Distribution + ++ v2 obviously couldn't consider this. + ++ v3 allows distribution of equally seeded source and binary. + +# Preparing Corresponding Source + +(v2 § 3, v3 § 1) + ++ Make sure all sources are present. + - revision system helps a lot here. + ++ Build scripts + - make sure someone skilled in art can build it. + +# Termination + +(v2 § 4, v3 § 8) + ++ v2 is automatic and permanent. + ++ v3 has auto-reinstatement. + - 60 day self-correction timeout. + - 30 day penalty-less after notice. + ++ Usually, you need copyright holder to reinstate. + +# Actual Enforcement + ++ [*The Principles of Community-Oriented GPL Enforcement* at sfconservancy.org/linux-compliance/principles.html](https://sfconservancy.org/linux-compliance/principles.html). + ++ Send a Letter, carefully finding right person. + ++ Communication is key. + ++ Ask for CCS candidates. + + +# The "Rounds" + ++ Ideally (it's only happened to me twice) the first source release is + perfect. + + but we don't live in an ideal world. + ++ The worst I've ever experienced is 22 rounds. + ++ We send detailed reports. + +# No Build Instructions + +
+ The primary issues we found were a dearth of build instructions as well + as a complete lack of installation instructions. There was no + information that mentioned how one might build each package so we had to + guess about which Makefile and/or build script to run for each package. + And in many cases it was not possible or straight-forward to build - this + must be resolved in the next source candidate. + +# Making General Recommendations + +
+ We generally recommend that the source release be a single file (ie. one + tarball containing all packages required for the build) that includes a + README or similar in the main directory explaining exactly how to build + and install all of the packages. See section 21.2 of + http://compliance.guide/pristine-example for an excellent example. + +# Suspicious, But Not Captious. + +
+ Also, we noticed that some packages mentioned in the "OPEN SOURCE + SOFTWARE NOTICE" included with the device (and also downloaded as part of + the source release; see + Open_Source_Software_Notice_and_Privacy_Policy.pdf ) could not be found + in the source release. For example, we found "Software: Samba 3.0.XX" in + the notice, but could not find any trace of Samba in the source release. + Please ensure that all the software included in the notice is included in + the source release as well. + +# Nesting Doll Packages + +
+ + Once extracted, the 3 .rar files above produce the following output + files: + * busybox-1.21.1.rar + * AB_A0101.123.tar.gz + * source.rar + * a small text file that gives two-word descriptions of the above files + + +# Actual(ly Trying to) Build + +
+ + This file included no instructions for how one might build it so we + tried to run "make" but received the following error: + + $ make + .../busybox-1.21.1/scripts/gcc-version.sh: line 11: + arm-none-linux-gnueabi-gcc: command not found + +# Toolchain? + ++ The toolchain is rarely considered mandatory as part of “the + scripts”. + ++ Admittedly, it doesn't *control* compilation, it *is* compilation. + ++ The script here is explaining precisely what type of toolchain is needed. + ++ Something like: “GCC vX built with the following ./configure + line” is usually adequate. + ++ But including the toolchain is a nice step to make it easy for your users. + +
+> the scripts used to **control compilation** and installation of the executable. + +

+— GPLv2§3 +

+ + +# We Guess at Compiler Anyway + +
+ So we searched for an arm-none-linux-gnueabi- cross-compiler in the + other files but could not find one. We then tried to use our own (be + editing the PATH appropriately), which did get us past this error. Note + that this is not acceptable in a source release - the cross-compiler + that a user must use needs to be clearly indicated (name, version, etc.) + and/or included with the source release. + +# Feedback on Small Problems + +
+ + Once we had the custom cross-compiler configured, we then ran into these + errors: + + $ make + .../busybox-1.21.1/scripts/gen_build_files.sh: Permission denied + make: *** [gen_build_files] Error 127 + + $ make + .../busybox-1.21.1/scripts/mkconfigs: Permission denied + make: *** [include/config/MARKER] Error 126 + + $ make + /bin/sh: applets/usage_compressed: Permission denied + make[1]: *** [include/usage_compressed.h] Error 126 + make: *** [applets_dir] Error 2 + + $ make + .../busybox-1.21.1/scripts/trylink: Permission denied + make: *** [busybox_unstripped] Error 126 + + In each case, we found the mentioned file and then added executable + permissions to it (ie. "chmod u+x scripts/gen_build_files.sh"). This + must be fixed in the next source release - please set the executable + bits on the above files appropriately in the archive file you + distribute. + +# Install Instructions missing + +
+ After fixing the above, a "busybox" binary was generated. However, + there were no instructions to indicate how one might install this binary + on the device. Such instructions are required by GPLv2, under which + BusyBox is licensed. Please include the instructions in your next + source release. + +# Build "Only Seems" To build + +
+ For the AAB_A0101.123.tar.gz package, we ran "./build.sh", the build + took about 140 seconds, which is less than one would expect for building + all of the programs listed in the "OPEN SOURCE SOFTWARE NOTICE". The + only files we could immediately find that were clearly the result of + this "./build.sh" invocation were some kernel image binaries, found in + path/path/path/path/path/KERNEL_OBJ . This path was not mentioned at + all and we had to guess at where they might be. + +# Maybe Proprietary Kernel Modules? + +
+ Furthermore, there were no .ko files generated, which is abnormal for a + build of the kernel, Linux. Please ensure that all .ko files which are + used on the system are generated with "./build.sh" or a similar script. + +# Weird versioning + +
+ + * The following libraries have different versions in the firmware than + is built from the candidate CCS. Specifically, your candidate CCS + contains version "1800", and the firmware has version "2400". Since + most of these libraries are licensed under the LGPL, you are required + to have the complete, corresponding source present for the correct + version as distributed in the firmware. You also must include the + "scripts to control compilation and installation of the executable". + + * lib/libgio-2.0.so.0.2400.2 + * lib/libglib-2.0.so.0.2400.2 + * lib/libgmodule-2.0.so.0.2400.2 + * lib/libgobject-2.0.so.0.2400.2 + * lib/libgthread-2.0.so.0.2400.2 + * lib/libz.so.1.2.5 (version 1.2.2 is provided in the sources) + +# Weird Build Issues Over Many Candidates + +
+ You mentioned in your Round 6 commentary that you have corrected the + thatlib issues. However, we are unable to see what you mean. There are + now two copies of thatlib, one in 2624.7_524/uclinux-rootfs/lib/thatlib/, + as well as the one in yourlibs. We aren't sure which one you intend to + be built to generate the binaries on the firmware. When we try to build + the yourlibs one from scratch, by cleaning the whole area, we get the + following build issues. Here's what we did: + +# Getting Really build-technical + +
+ + We ran: + + make -C libsrc/thatlib install + + which did not work because of a missing Makefile error. We read the + build source and discovered that the Makefile, etc, for that directory + is generated by running: + + cd libsrc/thatlib/thatlib-0.9.22_mipsel-uclibc; sh configure_thatlib_mipsel-uclibc + + Once we did that + + make -C libsrc/thatlib install + + worked correctly. The only remaining binaries were in build source and + discovered that the Makefile, etc, for that directory is generated by + running: + + cd libsrc/thatlib/thatlib-0.9.22_mipsel-uclibc; sh configure_thatlib_mipsel-uclibc + +# Getting Really build-technical + +
+ + Once we did that + + make -C libsrc/thatlib install + + worked correctly. The only remaining binaries were in + ./libsrc/thatlib/\{YOURLIB_ROOT_DIR\}/ which looks like a build with a + misconfigured environment somehow, so we simply removed that + directory. + + Then, after running make clean, thatlib failed with the following + errors. Random .o/.so files laying around in the thatlib source + directory, and then it failing to build correctly after they are + removed. If there some set of .so files you claim are not required + as part of the C&CS since thatlib is LGPL'd, we understand that, but + the rest of the sources must build and install those other .so's. + Here's the build error we get in the bdvdlibs version: + +# Getting Really build-technical + +
+ + mkdir .libs/libthatlibwm_default.a.tmp + (cd .libs/libthatlibwm_default.a.tmp && ar x ../../.libs/libthatlibwm_default.a) + mkdir .libs/libthatlibwm_default.a.tmp + (cd .libs/libthatlibwm_default.a.tmp && ar x ../../.libs/libthatlibwm_default.a) + /opt/toolchains/crosstools_sf-linux-2.6.18.0_gcc-4.2-9ts_uclibc-nptl-0.9.29-20070423_20080702/bin//mipsel-uclibc- + ld -o libthatlibwm_default.o -r .libs/libthatlibwm_default.a.tmp/*.o + /opt/toolchains/crosstools_sf-linux-2.6.18.0_gcc-4.2-9ts_uclibc-nptl-0.9.29-20070423_20080702/bin//mipsel-uclibc- + ld: .libs/libthatlibwm_default.a.tmp/default.o: Relocations in generic ELF (EM: 3) + /opt/toolchains/crosstools_sf-linux-2.6.18.0_gcc-4.2-9ts_uclibc-nptl-0.9.29-20070423_20080702/bin//mipsel-uclibc- + ld: .libs/libthatlibwm_default.a.tmp/default.o: Relocations in generic ELF (EM: 3) + /opt/toolchains/crosstools_sf-linux-2.6.18.0_gcc-4.2-9ts_uclibc-nptl-0.9.29-20070423_20080702/bin//mipsel-uclibc- + ld: .libs/libthatlibwm_default.a.tmp/default.o: Relocations in generic ELF (EM: 3) + /opt/toolchains/crosstools_sf-linux-2.6.18.0_gcc-4.2-9ts_uclibc-nptl-0.9.29-20070423_20080702/bin//mipsel-uclibc- + ld: .libs/libthatlibwm_default.a.tmp/default.o: Relocations in generic ELF (EM: 3) + .libs/libthatlibwm_default.a.tmp/default.o: could not read symbols: File in wrong format + make[4]: *** [libthatlibwm_default.o] Error 1 + +# Proprietary Linux Modules Are Everywhere + +
+ We did find one .ko file that was already included in the package, but + wasn't built when we ran "./build.sh". This is + path/path/android_X.X/device/device-type/mydevice.ko , which notes that + its license is "GPL v2" in the modinfo, but for which we could find no + source code in the source release. Please ensure that the source code + for mydevice.ko is included in the next source candidate. + +# Proprietary Linux Modules Are Everywhere + +
+ + * The following files are derivative of the kernel named Linux and + therefore covered by the GPL. However, no source code, scripts to + control compilation nor installation are included in your CCS + candidate: + lib/modules/myfilesystem.ko + lib/modules/mydevicecontroller.ko + lib/modules/myblockdevice.ko + lib/modules/mypcicard.ko + +# Non-Technical GPL Compliance Issues + +
+ Regarding over the air updates: we'd like to see a screenshot or other + details documenting what has now been implemented by BestBuy to make + sure the offer for source appears to users appropriately after + upgrade. There was a consensus reached on the last conference call + how this would be done, so we only need follow up and implementation + on that. + + +# Binary Comparison. + +
+ + Note that we did not receive a firmware image to compare this with + (though we do have the device). Company's website did not appear to + have any firmware images available for download. It would be helpful to + have such an image for the next CCS check. + + The above source candidate was downloaded from + http:///sourcez.company.com/en/search/index.htm?keywords=X1234Y, which + was alluded to in Company's 2017-01-18 email to us that said: + + "You can check this website + http://sourcez.company.com/en/search/index.htm " + + The email did not mention how to use that website, but we found that by + entering "X1234Y" into the top right search box that we could find the + source file list. + + Note that the offer for source included in the web UI of the device said + to email NAME@COMPANY.com , which is how the above instructions for + downloading the source were received. + + + + +# More Info / Talk License + + + ++ URLs / Social Networking / Email: + - Pls. support Conservancy: [sfconservancy.org/supporter/](https://sfconservancy.org/supporter/) + - If you hold copyrights in Linux, Debian, Samba, or BusyBox, you can + join our enforcement coalition. [Contact us!](https://sfconservancy.org/linux-compliance/about.html) + - [*The Guide*](https://copyleft.org/guide) is available & [welcomes contributions at copyleft.org](https://copyleft.org). + - Conservancy: [sfconservancy.org](https://sfconservancy.org/) & [@conservancy](https://twitter.com/conservancy/). + - Me: [faif.us](http://faif.us) & [ebb.org/bkuhn](http://ebb.org/bkuhn) + - Slides: [ebb.org/bkuhn/talks](http://ebb.org/bkuhn/talks/ELC-2015/pristine-example.html). + + +

Presentation and slides are: Copyright © Bradley M. Kuhn (2008–2011, 2015, 2017), Karen M. Sandler (2017), and are licensed under the Creative Commons Attribution-Share Alike 4.0 International License.

+