Castle Denies GPL Breach

Anonymous Coward writes "Castle Technology, who were accused of breaching the GPL in RISC OS 5, have made a press release denying the allegations. This story has been covered on The Iconbar RISC OS news and resource site." We've given Castle some loving here on slashdot recently. Looks like this one isn't going away quietly.

Will this be the first GPL test case?

[Anonymous Coward +1]

From what I understand, the GPL (and most software licenses it seems) has never been tested in court. Perhaps this will be that test. I only hope that the GPL holds up in court.

So it's, one, test the GPL in court, two, pray it holds up???, three, GPL software profits!

Imagine how happy Microsoft would be if the GPL is ruled invalid...

Where did the accusation come from..

[j_kenpo]

Its been a few days since I read the original article, but I don't seem to remember where the original allegation that they'd ripped off the Linux kernel came from, other than "the guy". Who is "the guy"? Is he an employee for Castle, possibly disgruntled, or is he just "the guy" sleeping on the couch? If there is a legitimate breach, than whoever holds the license should by all means fight. But I've always been under the impression that borrowing code from a GPL based package was acceptable, as long as credit is given where credit is due. If that's the case, and there was indeed a breach of the GPL, couldn't Castle just put the creators names in the credits, no harm, no foul? Any takes on this?

Seems reasonable

[Alan Cox]

They say its not used GPL code in some old editions, and they wont be doing so in future. Its not clear if there is some release they did. They don't say they havem't done it with current code. Since they are making a floppy of the relevant code available that is a good step and means someone can check nicely and settle the question for good.

Only 5.0, 5.01, 5.02 and beyond mentioned

[Big Toe]

When he could have easily of said that GPL code has never and will never be used in RISC OS. Clever choice of words.

So maybe they used to use GPL code, and then they "sufficiently" changed it to not be the GPL code. Like appending "// this is sufficiently changed to be our code now" to each line of offending code.

Re:If they want it over with...

[Skyshadow]

why not release the source online, rather than using snail mail and floppies?

Obviously, they're trying to create a high level of hassle to get the code. They assume people won't want to go through the PITA that mailing a floppy represents.

I propose we kick their ass at this game. Here's the procedure:

Everyone reading this, go grab a 3.5" floppy from your old disk box or the supply room or whatever. Mail it to the address below along with a note requesting a copy of their GPL'ed source code:

The Managing Director
Castle Technology Ltd
Ore Trading Estate
Woodbridge Road
Framlingham
Suffolk
IP13 9LL

Let's see how they like making 50,000 copies onto floppies...

Re:Will this be the first GPL test case?

[LMCBoy]

From what I understand, the GPL (and most software licenses it seems) has never been tested in court.

Your parenthetic clause is important here. I can't imagine a situation where the GPL could be ruled invalid without basically saying no software licenses are valid. I don't think Microsoft would be very happy about that. :)

GPL

[AlgUSF]

Why don't they just encrypt it, and print out the encrypted source in hex. Then anyone who wants it can send a SASE to get it. :-) Does the GPL have any provision against encrypting the source before distributing it?

Hypothetical Question!

[vandel405]

I know this is a complete what if, but here it goes.

What if i was the owner of a company like Castle. A small shop of 30 or so people writing a commercial OS. Now say it was the task of three of the programmers to write some part of some IOKit. Now say they were under deadline and feared being fired, and couldn't keep up and stole a couple of pages of source from a GPL OS of your choice. Now say no one realizes this for 18 months and then the door is suddenly blow open and the execs of the small company are totally against this violation, and fire the employees in question and remove the code in question from the OS. Should the rest of the OS have to be GPLed? I would hope not!

Jon Hess

Nothing will happen

[Anonymous Coward]

Look at what little happened over the Virgin Webplayer.

It used a Linux kernel, some libc parts and shipped with this clause in the EULA
Section 2.2 of the member agreements reads as follows:

2.2 Webplayer Software License. Subject to the
provisions of this Agreement, we grant to you a
limited, non-exclusive, personal, non-transferable license to use and display the Webplayer Software in object code form only, solely as part of and as necessary to use the Webplayer and the Virginconnect Services. Except for the license granted to you above, we (or our licensors) retain all right, title and
interest, including all intellectual property rights, in and to the Webplayer Software. You may not attempt (or authorize any attempt) to defeat, obstruct or
block any or all of the Webplayer Software functionality, or to decompile, reverse engineer or disassemble the Webplayer or the Webplayer Software.

Nothing happened to them, and unless the people who actually OWN the copyright grow a backbone and take it to court, nothing else will happen.

Re:Confusing release

[Eric Seppanen]

They're saying that their kernel does not include GPLed code, but another program of theirs (called the HAL), a separate piece of software, DOES include GPLed code and source will be available for this program. I'm not sure I believe them; hiding the function names after a complaint sure does seem like they know they're doing something wrong. But that's what they're saying. Remember, too, that just offering source isn't the only requirement of the GPL. You're also required to notify users that the code is GPLed and tell them source is available. If they haven't done this part then they're also in violation.

Re:Calm down...

[stratjakt]

Thing is, if you consider that both implementations are done "correctly", the object form will be very close, if not identical.

Hence is the inherent flaw in software liscensing/patenting. Often in programming, there's one "right way" to do things.

Assume for the sake of argument, that both linux and riscos did this the same 'right way' in completely different voids unaware of each other. Or even say that the RisOS design team studies linux and implemented their own take on the routines in question (which is what I gather they are saying)

Computers know 1's and 0's, and HAL implementations are as low-level as it gets.

Just because company/group A manages to publish their implementation of the "right way" first, all subsequent efforts must do things the "wrong way"?

If this is true, it behooves everyone interested in programming as a profession to never, ever come within 100 miles of a piece of GPL'd code. Because if you learn something, everything you write from that point on could be corrupted.

Re:Will this be the first GPL test case?

[jpc]

and reading the press release forwarded to lkml I see that they have admitted using functions from Linux, and are prepared to give copies of the source to the authors. But they have ignored the derived works / linking parts og the license. This admission is rather bad for them, as they have admitted using copyright material in their product without permission, as if the GPL gives them this permission if they send developers copies of their own code on floppies...

It reads:

For the avoidance of doubt, the hardware abstraction layer (roughly
analogous to a PC's BIOS) has it's PCI allocation and bridge setup
based in part on the following functions from the Linux kernel sources:

pci_alloc_primary_bus
pbus_size_bridges
pbus_assign_resources_sorted
pci_setup_bridge
pci_bridge_check_ranges
pbus_size_mem
pbus_assign_resources
pci_assign_unassigned_resources
pci_scan_bus
pcibios_update_resource
pci_read_bases
pci_alloc_bus
pci_add_new_bus
pci_do_scan_bus
pci_scan_bridge
pci_setup_device
pci_scan_device
pci_scan_slot
pcibios_fixup_bus
pci_calc_resource_flags
pci_size
pdev_fixup_device_resources
pbus_assign_bus_resources
pci_do_scan_bus
pcibios_fixup_pbus_ranges
pci_assign_resource
pdev_sort_resources
pdev_enable_device
pbus_size_io

Any company or individual wishing to receive a copy of the source code
to this component should apply in writing to:
(blah)

Re:Will this be the first GPL test case?

[sbryant]

this case would be in the UK, where click through licenses are not valid anyway [...]

That's not quite the entire truth. The click-through licence is not invalid because it's a click-through licence. The problem is that the customer is able to buy the software (which closes the deal) without seeing or agreeing to any terms first.

I read today (albeit about German law, but it might well be the same in the UK) that even a notice on the outside of the box saying you must agree to an EULA is not enough to make the EULA legitimate.

Furthermore, there are legitimate questions as to whether clicking something may represent contractual agreement. What if someone under 18 (who can't legally be bound by many such contracts) clicked it? There's no proof who clicked something - a signature shows who the signer was; it could be forged but that's what witnesses are for. There's also the problem of pre-installed (ie: pre-clicked) software...

-- Steve

Re:Will this be the first GPL test case?

[Cyberdyne]

Legally, you have no automatic rights to use or redistribute anything. This is how copyright works.

Not entirely; in the UK at least, you do have an automatic right to use any software "lawfully obtained". So, if I walk into a shop in the UK and buy a retail copy of, say, Windows or Office, I am entitled to use that software - whatever the license says. (I also have a right to make backup copies, and limited reverse-engineering rights.) The "lawfully obtained" bit is what stops warez being legal, of course: if the warez site is distributing the software illegally, you still aren't allowed to use it.

Having said that, most of the items in an MS EULA are redundant anyway: stripping out the lawyer-speak, they basically say "you're allowed to use this software and make legal backups, and that's it. Oh, and don't sue us." All the rest just clarifies that they are not giving you any extra rights you don't get automatically.

It's possible to get a proper, signed contract governing software; I've had software under NDA before, for example, and once got a free copy of Visual Studio Enterprise on condition I used it for research only and didn't give or sell it to others. The usual EULA however is meaningless: it doesn't give or take away anything, under UK law at least! (Some of the recent licenses may differ; apparently FrontPage now has a prohibition on anti-MS sites? I don't think that would stand up in court, but IANAL - I just advise a group of lawyers on technical matters!)

Re:If they want it over with...

[ChrisJones]

Don't be a bozo, that's a spiteful and stupid thing to do. Why not do what you should be doing, shut the fuck up and leave this to the people who's Copyright is alleged to have been infringed. Spamming the crap out of some poor little company is pathetic.
If they have infringed, they can either fix it or hope the copyright owners don't sue them.

Comparison to bnetd / vivendi complaint?

[Anonymous Coward]

Do you remember the bnetd / vivendi complaint? I'll recap here briefly:

Vivendi: You stole our code. There was a bug in one of our subroutines, and your implementation included the bug. Also, some of our subroutines look identical.

Bnetd: Of course! Since the bnetd project was basing its code on the unprotected network traffic between client and server, the code would contain the bug because it was observed in said traffic.

Furthermore, If the two programs do the same thing, it makes sense that some of the code will be the same, simply because its the easiest / best way to implement it.

Is it possible that something similar is occuring here?

Re:Where did the accusation come from..

[platypus]

Well, but R.King stated on the kernel mailing list he could show how to modify the linux kernel source to produce the same _binary_ code - I really doubt I misinterpreted that.

This would make the "just used the same ideas" explanation a little bit unlikely, methinks.

It will be interesting to see how it all pans out, but I agree that we don't know the real facts at this point.

Re:Will this be the first GPL test case?

[HiThere]

That's what the MS EULA used to say. It had gotten a lot worse than that before I refused to agree to it any more. Now my understanding is that many of their licenses give them the right to enter your place of business without further agreement on your part and, at their convenience, conduct an audit of your software at your expense for their benefit. The terms also give them the right to (remotely) add, copy, remove, or modify any files that they choose without even necessarily notifying you that this is happening. This is quite a bit more severe than your easy dismissal would indicate. Perhaps it depends on exactly which licenses you examine?

N.B.: This hasn't been tested in court, so it might not hold up. But if it were determined (somehow) that they had exercised the rights that they claimed, you would be in a position where the legal system would need to take positive action to redress your wrongs, and until this had happened, your data would still be "altered, copied, or deleted". This is a quite weak position to try to defend from. It would even be perfectly legal under their license (as I understand it) for them to alter the logs to indicate that someone or something else had performed the actions at some other time then when they actually occured. Just try to prove what has happened!

Now you appear to live in Britain, so perhaps your rules are different. And you may even get more decent EULAs. (Nobody ever claimed they were all the same.) But that's the way it appears to me, living in the US. (I have a very hard time understanding why any business is willing to agree to those terms, of even any individual.)

P.S.: This is all hearsay, as the current agreements appear to make it illegal to distribute what you need to agree to before you make the purchase. I.e., it's illegal to quote the license that comes with the product in public. (There's another article on this appearing on the front page right now.)

Re:3rd post!

[Ponty]

Judging from the performance I've seen from this Cybernetics Corporation device, I would never purchase any Ps1t generator that they sold. The technology just isn't mature enough yet. I'm sorry.

Re:Castle may not be in violation of the GPL

[Jimithing DMB]

I don't understand how you can make a cut and dried statement such as "if they link it's a violation, plain and simple." Could you please define linking? How is it different from calling routines in a BIOS?

I'll give you a hint. There is little to no technical difference. Either way you're going to be pushing some arguments on the stack or placing them in registers and calling a routine and possibly receiving a return value from that routine. There really is no technical difference between these activities.

So what makes running DOS on top of LinuxBIOS okay, but running RiscOS on top of a Linux-based HAL not okay? Unfortunately, I can't come up with an answer to this question. The only thing I can say with absolute certainty is that it will be a non-technical one.

Re:Wrong.

[aqua]

It's not safe to assume that at all. You can implement a HAL a number of ways, but one of the simpler, lighter-weight ones is just to use a layer of interface abstraction code in a kernel through which lowlevel driver code serves up the interface to a device through a common API -- for example, a common timer interface applied to a CPU's clock. There don't need to be any process space boundaries or linker divisions at all. There's at least one major OS using a HAL layer in this fashion -- it's a separate "component," but only to the same degree that the Linux kernel's IDE and block-layer subsystems are separate components.

Link-based licensing (compile-time or runtime) tends to get compilicated (or complicate things) in the embedded world, where many devices use single statically-linked system images. The conventional linking-based interpretation of the GPL's standalone-works stipulation (GPL section 2) is a bit awkward in that context. If you take a loose view of the link restrictions (e.g. accepting compile-time linkage), then the GPL contaminates the least part of the incorporating work that could "be reasonably considered independent and separate works" -- possibly a driver, a HAL, or the whole kernel.

The knotty question

[stevelinton]

Assuming that Castle aren't lying then this goes straight to the hard question of the GPL (and of Copyright law enforcement in general) -- what is a derived work?

They admit that they have a GPL component and offer source. Fine. Then the question: is the product as a whole, a derived work of this component, or are they separate works, distributed together? If the former then Castle are in breach and would need to offer their entire OS under the GPL, the latter they are fine.

This question comes up in other places. For instance is Linux kernel + binary only module a derived work, or are they separate works? This ha snever been tested, but Linus has expressed some opinions.

It seems agreed that Linux kernel + proprietary user mode software (eg a Linux PDA with some proprietary app on it) are separate works, but in the embedded software world, even this becomes murky.

There is a real question here which can only ever be finally resolved by precedent.