Alex Hudson

Thoughts on Technology, Product, & Strategy

Month: November 2010

Potential Gna! issues

It looks like someone has been attacking Savane-derived hosting platforms. Recently Savannah has been down, and the page that has now gone up confirms that they had a security breach. Unfortunately, Gna! has a similar code-base, and their site now confirms that they are investigating an issue too.

This has a knock-on issue for Bongo, since we use Gna! hosting. Our download area appears to still be alive, and thankfully we have always signed the releases. You can check a release of Bongo quite simply:

  gpg --verify bongo-0.6.1.tar.bz2.sig bongo-0.6.1.tar.bz2

This should result in a confirmation that the file is correctly signed with the key 9B6913D7, which is available on public webservers – just search for that ID.

We will check the SVN repos and other parts of the project when Gna! comes back on line to ensure that these have not been attacked; but I can say with some confidence that we have no reason to expect that r1323, the current HEAD, has anything nefarious in it whatsoever. Certainly, if the security breach was as recent as Savannah’s appears to be, there is nothing to fear.

Copyright changes ahead for the UK? SAS v WPL goes to Europe

I don’t particularly like talking law on this blog; it’s boring and – for the most part – disinteresting. However, recent developments in SAS Institute Inc v World Programming Limited (as written up here – thanks to Cristian for bringing this up at FFII) deserve to be aired.

The basic story is that the Judge in this case is deeply unsure of the boundary of copyright. For those who don’t know, SAS is a statistical package which is both popular and influential, and to a large extent can be thought of as a programming development environment. WPL, the defendants, wrote software which could interpret SAS programs. There is no direct analogy in the free software world, but LibreOffice Calc interpreting Excel spreadsheets is close enough for the purposes of our discussion.

The Judge, unsure of the boundary, has sent a number of questions to the European Court of Justice (ECJ). The questions are hypothetical, but clearly designed to test the waters and figure out where this line falls. As an example of some of the questions in our Calc vs. Excel example, he’s asking:

  • Does accessing the file format of Excel constitute copyright infringement?
  • Does interpreting Excel-compatible formula constitute copyright infringement?
  • Is it copyright infringement to copy the behaviour (intended or otherwise) of Excel when processing spreadsheets?
  • Does it make a difference you copy functionality from Excel into Calc by reading Excel’s manual versus observing Excel’s behaviour?
  • Does it make a difference if you have a license to Excel?

(Just to be clear, we’re not talking about Calc and Excel, I’m just interpreting J. Arnold’s questions in this context to make them more readily understood)

Now, the armchair lawyers amongst my readership have probably already thrown their arms up at all these questions and exclaimed, “Copyright doesn’t extend that far!”. And to an extent, they would be correct: originality has always been a defence to copyright infringement, and if any of the questions above were to be answered in the affirmative, we would see the start of that changing.

What makes this different, I think, is that we’re really seeing the weakness of copyright law treating software as a literary work. This has always been bunk, really: software is no more literary than a shopping list, and although the case of verbatim copying (with or without transformation) is open-and-shut copyright infringement there have always been “grey areas”. As one example, the FSF’s position on dynamic linking and the GPL: as a derivative work it does seem to fall under the purview of copyright, but it’s obviously a world away from literary copyright.

The WPL case is also one where the copying was explicit, deliberate and planned: they definitely did copy things. They just didn’t literally copy the software code, or decompile the software: they re-created it from the ground-up. So we’re definitely talking about a case of copying here, which it would seem could also be the purview of copyright.

This is going to be a really interesting case, and is going to have a fundamental effect on free software if we get some interesting answers to these questions. On one hand, it casts an immediate dark shadow over a number of projects: Samba being an obvious case in point, which has previously reached legal agreement in Europe about how it can copy Microsoft while still avoiding the patents that Microsoft hold on certain functionality. But while desktop apps which copy Microsoft make the most obvious cases, you could equally see problems for 3D graphics drivers, people implementing compilers, all sorts of areas – particularly where free software is still catching up to proprietary software.

But of course on the other hand, this would also strengthen the copyright position of free software applications. Companies that currently dance around the (L)GPL-style licenses will find themselves on thin ice indeed, and those proprietary implementations of leading free software will start having to be extremely careful.

It’s very unlikely that many of the questions will be answered in such a way that the copyright system becomes like the patent system: for one, it would be such a massive change that it would require primary legislation at a European level to become legally sound. And there are few cases exactly like this one, where the copying is so obvious and blatant.

The precedents being set here will be extremely important, though. Our understanding of copyright will almost certainly change from the outcome in this case, and will necessarily become more nuanced. The idea of “clean-room reverse engineering” may become more nebulous, and the “I wrote it from scratch” defence could become weaker.

If nothing else, this highlights that no law is truly ever settled, and possibly portents to more movement in this area in the future: I’ve described before how the UK Government is making noises about revisiting intellectual property laws, and in our current weak economic state it is extremely tempting for politicians to beef up some of these laws in order to “create wealth”. Cameron, our Prime Minister, is particularly in thrall to Google, as if they set any good example for our businesses. It’s sometimes very easy to just think about patents and lose sight of the bigger picture.

SparkleShare updates

It’s been a little while since I talked about SparkleShare; since then it has moved project hosting (here’s my fork) and there have been various changes – thankfully, updating the packages for the new version and to get it on Fedora 14 didn’t take too long. There are likely to be problems here and there with the packages – invitations don’t seem to work right now, but I haven’t tracked down that bug yet – but they should be mostly working. Please let me know if you’ve tried them and found any problems.

The situation with repos hasn’t really improved very much. At the moment I use mock to build packages; even SparkleShare (which is quite simple) takes about nine minutes to build in mock. It’s also quite a manual process, and if mock encounters errors then obviously the whole thing becomes very time consuming.

I really don’t understand why there isn’t a better solution than this yet. By using something like Koji, you can achieve much more automation – but Koji is hardly straightforward. And Koji uses mock, so is therefore not going to provide anything in the way of a speed increase.

Now, I understand why it’s involved, I get the whole clean root thing. But there needs to be something better, because the tools are a pain, and I only build for x86_64 and i386. If you’re building something in Fedora, you have access to the main koji and things aren’t too bad. Outside of that, you’re pretty much on your own and things get complicated, slow and/or manual quickly. If anyone has any better ideas than mock and koji, please please let me know…

A late review of Fedora 14

It seems like everyone has had their word on the latest release, but like a fashionably-late party-goer, I’m going to waltz in at the 11th hour and offer my 2p 🙂

I think it’s well-known at this point that 14 has shaped up to be a very good release, but I’d like to draw attention to one point in particular: the version of Nouveau in this release is another big, big step forward. I have a relatively bog-standard Dell D830, and 14 is the first time that:

  1. suspend/resume has worked out of the box – this is huge for me
  2. the Mesa 3D drivers, although marked experimental, work well enough to run Compiz easily

Is nouveau’s performance great? No, to be honest, it actually feels slightly slower here than on 13 (although almost certainly because I’m now in Compiz, not metacity) – but for me, this doesn’t matter, being able to suspend is massive. I could even envisage the 3D stuff being turned on by default in the next release or two.

If there’s part of the system which sticks out as still being sub-optimal, though, it’s the application install experience. I know I’m not saying anything new here, or probably anything anyone disagrees with. A great example is attempting to install OpenOffice.org on a clean Live install (OOo no longer comes by default on the CD), because you have to negotiate a couple of problems:

  1. you have to figure out where the openoffice packages are (searching on “openoffice” isn’t enough sadly; it pulls through large amounts of non-openoffice packages);
  2. once you’ve found the packages, you have to figure out which ones you need – amongst a sea of langpacks, extensions and other stuff, are the bits you actually need. Calc is relatively easy to find; Impress less so, Writer comes right at the bottom (alphabetical, see) – not easy. Plus then there are the bits you do actually want – extra graphics filters, extended PDF support, etc.
  3. then, when you’ve figured out which bits to install, you set it going and the “success” dialog looks an awful lot like “fail”:
    PackageKit dialog coming up with no actual content.They are lovely icons, though 🙂

I’ve previously said that I don’t really understand why all of these types of installation tasks are grouped together in the same application: for example, my belief is that font installation is much better served by a Google Fonts-alike web service which can be used to browse and try fonts live: you’d then hit an “Install” button or something which would then trigger the excellent PackageKit. However, many people remain unconvinced even in the face of the actual numbers and things.

It’s the same with this. We need some kind of application store. I personally don’t see why this should be conflated with the package mechanism: packages are the how, the app store is the what. It makes no sense, to me, that all packages be treated identically: for example, if an application can talk to the PackageKit interface for its plugins/extensions, there’s no reason to have that stuff in the app store at all. Similarly, just because something isn’t a GUI application doesn’t mean it should be excluded: why can’t we have a “Python Developers’ Corner” in the store to browse libraries and things? That’s what I want as a user (yes, developers are users too).

This isn’t going to get fixed quickly, and sadly I think efforts like Ubuntu’s Application Store don’t solve many of the problems: if your application store is just a majorly cut-down view of the package database, I think you’re doing it wrong (for one thing, it doesn’t scale as you add back in all the packages you cut out).

At some point over Christmas I might have a go at attacking this problem; a lot of the pieces needed are already in place: PackageKit is more than capable enough of installing things from the web, and I really think that having an actual prototype that people could use would do so much to illustrate the idea that even if it wasn’t used, it would help push things in a better direction.