Cipherfunk.org, the GPL, and Ubuntu Contributors


Why oh why do people jump to conclusions without properly investigating things? I haven’t ranted in a while because, well, there’s really nothing to rant about as of late. However, this morning, I read this news article on violation of the GPL by a site called Cipherfunk.org. If you take a look at the article, it goes on to explain that Cipherfunk was offering patches to various bug reports in Ubuntu because Ubuntu hadn’t fixed the bugs (bugs listed: #36596, #38802…possible fixes for: #16873, #38181, #47775) quick enough for the likes of Cipherfunk. Interestingly enough, this is the beauty of Open Source right? If you don’t like how something works, you have the right to get the source code and fix it yourself! In this case, that is just what Cipherfunk.org did. So what’s the big stink about? Source Code and $$$.

The problem is that two Ubuntu contributors asked for Cipherfunk.org to comply with the GPL by removing cost associated with distribution of source code. This is harmless in itself and applauded by many in the community. However, it’s not the why they did it that is wrong…it’s the HOW they did it. How they did it is by first informing the Cipherfunk.org that it was wrong to charge $$ for the source, and second by touting various sections of the GPL where they believed Cipherfunk was in violation. Why is this wrong? Let’s examine things a bit.

The big stink everyone brought up is not that Cipherfunk WASN’T distributing the source code…but that Cipherfunk WAS CHARGING for the source code which they believed was in violation. However, having seen this same case (where Warren Woodford and MEPIS distribute their sourced code for a cost) I know for a fact that the GPL allows one to do this. But let’s take a look at the GPL shall we?


Does the GPL allow me to charge a fee for downloading the program from my site?
Yes. You can charge any fee you wish for distributing a copy of the program. If you distribute binaries by download, you must provide equivalent access to download the source–therefore, the fee to download source may not be greater than the fee to download the binary.

We can see here that if you provide the program at a charge, you can’t charge more for the source and that you may also charge a fee to download if the fee is not greater than the cost of downloading the binary. So, what did Cipherfunk do that got people up in arms? They required a donation before downloading the source. From Cipherfunk.org:

Well, the GNU General Public Licence states — as part of Section 3) of the licence that I must provide source code on request for no more than the cost of physically performing the distribution.Given that the host this box is on actually costs me $110.95AUD every thirty (30) days to run, $9.90, as nice as that is — still will cost me over $100 AUD to distribute the code at all.

Now, I consider (in this technologically advanced day and age) that ‘the internet’ is an acceptable way of distributing software for public use, so effectively, my request to get people to help me pay for hosting — seemed quite rational to me, but apparently, some people don’t share my view — and I wouldn’t want to put anyone out.

I consider the whole thing a disappointment. I don’t like threats, but I am especially concerned at the number of people who grabbed the code, without even saying thankyou for my efforts.

It wasn’t as if i’d asked anyone to cure cancer, find me a job, or pay off my debts — what I did say was effectively “help me pay for hosting this for you or help me advertise my other website (in a rather cut-throat market), thanks. and, as i’m obligated to — you’ll get the sources, binaries and even some support from me, until Canonical can upstream these fixes.

So what actually happened? Was there a GPL violation? Not at all. Requiring a donation that is less than the cost of bandwidth to provide the source is allowed IAW the GPL. So the finger pointing…what did it accomplish? Other than making those who point the fingers look like idiots, not much. I guess it could have caused a rift in the Linux community as well…though effects like this are often hard to calculate.

What could have happened in this case? The contributors COULD have tried to get these patches integrated into the source tree at Ubuntu OR they could have taken the time to find out why the source code wasn’t being distributed for free by simply asking. Instead, the send robotic ‘you-are-wrong’ emails like this.

Hi,

I've noticed that you're providing kernel binaries at
http://64.71.152.24/dapper-binaries/ . As I'm sure you're aware, the
kernel is released under the terms of the GNU General Public License v2.
Under section (3) of the license, when distributing derivitives of this
code you are obliged to either

a) accompany it with the source code, or
b) provide a written offer to provide the source code on request for no
more than the cost of physically performing the distribution

Currently you are doing neither of these, and as a result are breaching
the license of the code. As one of the copyright holders of the code, I
would request that you conform to your obligations under the license.

This is not required for the X driver, as it is not released under the
GPL.

Thanks,
--
Matthew Garrett | mxxx9@sxxf.uxxm.org

What does this email tell us? First, it tells us that the person writing it believes they are immediatley correct. It assumes that the person being written to is completely wrong. It also offers no assistance to correct said issue, instead opting for a “fix these two things immediately” tone.

Instead, accusations flew and the Linux for Human Beings can now be seen as Linux for Slapping Human Beings that help fix its problems in the face. That’s right, 5 bugs could have been squashed in one swoop yet instead of approaching this in a manner of one developer/contributor to another (i.e. “hey, I see you’ve developed a patch for this problem…can I see how you did this by looking at your source code? Oh, you’re having problems distributing your source code due to bandwidth and are charging for it? Ok, let me see if I can find any help for you or possibly get a mirror”) they approached the situation as a superior approaches a subordinate. To me, this is silly. This guy at Cipherfunk was helping, not hindering. What should have happened was to help him distribute the code by providing mirrors, more bandwidth, etc. Instead, they’ve distanced themselves from an obviously talented person and left a bitter taste in his mouth.

What can we learn from this? We can learn patience instead of immediate accusation and finger pointing. We can learn that swatting at hands that help you is something you might not want to do. We can learn that a little bit of research can go a long way. And we can learn what not to do in a Linux community by trying to stay away from the mob mentality that developed in the Ubuntu and Linux community around Cipherfunks’ patch release and subsequent news posting.

Sometimes, I’m embarrassed of my fellow Linux users/devs/contributors. I sure hope Paul Drain, aka Cipherfunk.org’s webmaster, doesn’t stop contributing to Ubuntu. A little investigation and understanding can go a long way. I hope Ubuntu patches this fiasco up quickly and those two contributors who wrongly pointed fingers apologize for being ignorant so we can get back to the way things were.

This content is published under the Attribution-Noncommercial-Share Alike 3.0 Unported license.

About

devnet has been a project manager for a Fortune 500 company, a Unix administrator, a Technical Writer, and a System Analyst during his 10 years working with Technology.

  • helios

    While there are some extremely good and helpful people in that community, I’m afraid there are some over there suffering from the BMFIC syndrome…

    Let’s just hope those in the PCLinuxOS crowd do not assume the same traits when they unseat Ubuntu at DistroWatch.

    meteoric climb is is the term I believe best describes the PClinuxOS phenomenon.

    h

  • http://mjg59.livejournal.com Matthew Garrett

    No, you’re wrong. The GPL allows you to charge the cost required for physical distribution of the source. In the case of a download, the only amount you can charge is the actual cost of the bandwidth. You can’t charge for the cost of the server or the monthly hosting bills.

    As a comparison, if you ask me to provide a copy of GPLed source code on CD, I don’t get to charge you all of

    a) The price of a computer
    b) The price of a CD burner
    and
    c) The price of a blank CD

    , I only get to charge you (c). Paul made it quite clear that the money was supposed to cover some of the time and effort he’d put into developing the fix (which is actually mostly from upstream already, but still), and not just the cost of distribution. You can do that for binaries, but he was giving the binaries away. You can’t do that with source code.

    Let me make that clearer. You quote:

    “the fee to download source may not be greater than the fee to download the binary.”

    and I retort:

    “the binaries were downloadable for free. The source was not”

    Now that you’ve wrongly pointed fingers, perhaps you’d like to apologise for being ignorant?

  • http://linux-blog.org devnet

    [quote]
    Let me make that clearer. You quote:

    “the fee to download source may not be greater than the fee to download the binary.”

    and I retort:

    “the binaries were downloadable for free. The source was not”
    [/quote]
    Ah yes…but it doesn’t say Vice Versa and this text is quoted in the GPL FAQ and not the GPL…and the FAQ is only that…a FAQ.
    If you look at the license itself..there are three mentionings of a ‘fee’. Here’s what we’re interested in:
    [quote]
    You may charge a fee for the physical act of transferring a copy, and
    you may at your option offer warranty protection in exchange for a fee.[/quote]
    So, when we get down to it…I’m still right. You may charge ‘a fee’. Notice the GPL doesn’t say how much. If you’re still touting the FAQ, remember that equivalent access means they have to be available (source and binary) at the same place…which cipherfunk complied with. Now how about you apologize for calling me ignorant?

  • http://www.fooishbar.org daniels

    Are you seriously claiming that, when the GPL FAQ says, ‘therefore, the fee to download source may not be greater than the fee to download the binary’, that it’s somehow wrong? I don’t think they’d go to the effort of writing statements that were flat-out incorrect. The binaries were free. The source was $au4.95. Therefore (source cost) > (binary cost). Which is a GPL violation. Ask the FSF if you must, but given that they have already stated — and I’ll reiterate this — ‘therefore, the fee to download source may not be greater than the fee to download the binary’ — I doubt they’ll say anything new and interesting.

    Your readong of the licence is unlikely to somehow prove the FSF wrong.

    Think about it, if this provision wasn’t in place, what’s to stop someone making small improvements to Linux, and selling the source for $US1m while giving the binaries away for free (or perhaps charging a nominal cost), because they’re very popular, and their hosting bills are through the roof? That’s absurd, yes, but differs from this situation _only_ in magnitude.

  • http://mjg59.livejournal.com Matthew Garrett

    “You may charge a fee for the physical act of transferring a copy” is a quote from section 1 of the GPL, and refers to transferring copies of the source on its own. If you’re providing binaries, then section 3 applies, and you instead get:

    Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code

    The important part here is “no more than your cost of physically performing source distribution”. That’s the per-instance cost, not the overall cost – as I said in my example above, you’re allowed to charge for bandwidth but not your standard hosting fees, in much the same way as you’re allowed to charge for blank media but not the CD writer to write it. Ask the FSF.

    Section 3(b) is the important part here. 3(c) doesn’t apply since the binaries have been modified, and 3(a) doesn’t apply because the binaries weren’t accompanied by the source.

    For someone complaining about people who don’t understand the GPL properly, it looks awfully like you don’t understand the GPL properly.

  • http://linux-blog.org devnet

    No I’m claiming it doesn’t say vice versa. With no clarity on this statement (where one way is true but the opposite, binary cost to source) is not covered, I’d have yeilded to the FSF instead of pointing fingers at the person in supposed violation of this article.
    That’s the point of this article…not that cipherfunk is the all knowing all seeing perfect example of things and can do no wrong…just that the person bringing things up to cipherfunk should have approached it differently or went through the FSF and not approached it at all.

  • http://linux-blog.org devnet

    We don’t know what his bandwidth cost is…so why assume? Let the FSF sort it out for him or approach him in a different manner than what was done. Instead of blasting him out of the water when he has 5 patches right? A little tact can go a long way.

    I’m not out to prove the FSF is wrong. I’m not out to prove that cipherfunk is wrong. I’m out to prove that you approached cipherfunk in a wrong way. That is easily provable. As I said, a little tact can go a long way. And your counterpart who also raised the BS flag on Cipherfunk did worse than you did…it was bad enough (from what I gather) that Cipherfunk didn’t even post it.
    Can’t we all just get along? Can’t we let the GPL violation police aka FSF take care of these alleged violations instead of going round in circles? Can’t contributors approach other contributors with dignity and respect right off the bat instead of animosity and bitterness?
    I’d like to hope the Open Source Movement still had that same sentiment with it it had in the early nineties when I first started with it.

  • http://mjg59.livejournal.com Matthew Garrett

    You’re out to prove that I approached things in the wrong way by claiming that I’m wrong and ignorant about things that I’m not wrong and ignorant about? I admire the way you’re approaching the situation.

    I don’t need to make assumptions about his bandwidth cost. http://64.71.152.24/original.html makes it entirely clear – the money was intended to make some small contribution to the time that he had spent on working on the patches. That’s a violation of the license that I released my code under, and as a result he was breaching my copyright. But yes, you’re right, I could have been a little more tactful. Or, alternatively, Paul could have done something other than lie about me (I didn’t request that he remove the code or shut his site down), imply that I should have cut him slack because of his disability (entirely irrelevant in this case) and *still* not conform to the license (3(b) requires that the source be provided for 3 years). My reaction may not have been ideal. His was grossly disproportionate. I’m certainly not going to accept responsibility for it.

    (Note that it’s not the FSF’s job to enforce the GPL in general, only in cases where they hold the copyright. A quick scan of the Linux source tree suggests that I probably hold the copyright to more of Linux than the FSF does)

  • X-LinuxUser

    This is EXACTLY why I left the linux community and over to the *BSDs.

    Frankly, there are much more intelligent and rational people there and a bonus that the OS is much better.

  • none

    You are quoting one way to satisfy the requirements. Nothing would of stopped him from charging $3 for the binary and $3 for the source as long as he was not offering the binary for no cost also. He did offer the binary for no cost so therefore he did need to offer the source at no cost OR stop offering the binary at no cost.

    You keep mentioning the written offer but that according to RMS as well as Novalis was never meant to apply to a download. How would he be offering a written offer anyway? 3a COULD apply simply by cipherfunk pulling the free binary and offering equivalent access to both only for a fee.

    I personally think the approach was fine, simply informing someone they are doing something incorrectly. Yes, it could of been a little nicer but then again the nicest thing would of been for cipherfunk to understand the license in the first place.

  • me

    I see nothing wrong with how the matter was handled. I find it strange that cipherfunk only provided the part of the correspondence that he wanted to provide which casts it is a demanding sort of way.

    I would rather someone approach me than call the “gpl cops” on me. Obviously the guy didn’t comprehend what is required by the GPL so nothing wrong with informing him and then he would reply that he flubbed up and would correct the situation. I do think ALL options open to him should of been mentioned or no options mentioned instead of one method only.

    I just find it childish that instead of correcting the situation cipherfunk closed the doors.

  • sanjuro

    After reading quite a few forum discussions about this issue (and your responses in almost all of them) I am still a bit confused. Just when did Paul all these (see quote below) ? He does not even mention you or your mail (unless Philipp Kern is an alias of yours or vice versa :) )

    ——————————
    Paul could have done something other than lie about me (I didn’t request that he remove the code or shut his site down), imply that I should have cut him slack because of his disability (entirely irrelevant in this case)
    ——————————

  • rjames

    This is EXACTLY why I left the linux community and over to the *BSDs.
    Frankly, there are much more intelligent and rational people there and
    a bonus that the OS is much better.
    >
    >
    You mean the BSD crowd can’t do anything to stop parasites like you from ripping off their work and reselling it as your own, don’t you? Good ridance, since “people” like you aren’t wanted in the Linux base to begin with.

  • http://linux-blog.org devnet

    Another thing we haven’t thought about here is whether or not he offered a warranty after donation? That could be included in the cost right?
    I find it unlikely but hey, if we’re going to point fingers, we need to make sure the person we’re pointing at is guilty. There are too many unknowns in this situation and the points I was trying to make were that A) The GPL doesn’t implicate that binary to source charge should be considered same as source to binary in sections 1 and 3. and B) the approach used by the contributors to Cipherfunk could have been much more tactful and this whole situation could have been avoided.

  • http://mjg59.livejournal.com Matthew Garrett

    The entire point of the GPL is that, should you obtain the binaries (and it’s perfectly acceptable to charge for that) then you must be able to obtain the source for no more than the amount of money it costs to provide you with that individual copy of the source. You’re allowed to charge extra money for a warranty, but you must also be willing to provide the source for no more than the amount of money it costs to provide you with that individual copy of the source.

    That’s the only point I’ve been trying to make, but you seem happy to label me ignorant anyway.

  • http://linux-blog.org devnet

    [quote]That’s the only point I’ve been trying to make, but you seem happy to label me ignorant anyway.[/quote]
    I’d like you to read back through my comments. I _never_ called you ignorant. I make it a point to be tactful to people who comment on my blog. I feel it is the right thing to do. I asked if you’d like to apologize to me for calling me ignorant…never once did I point fingers at you and “label” you as such.

  • http://mjg59.livejournal.com Matthew Garrett

    “I hope Ubuntu patches this fiasco up quickly and those two contributors who wrongly pointed fingers apologize for being ignorant so we can get back to the way things were.”

    So, uh, yes you did.

  • http://linux-blog.org devnet

    Well slap me silly and call me sally…so I did.

    Or call me ignorant to the fact that I used ignorant in the article :P
    I apologize for what its worth…you weren’t ignorant to what happened, but you were less knowledgeable on how to properly approach a fellow developer/contributor with tact.

  • http://mjg59.livejournal.com Matthew Garrett

    Apology quite happily accepted :)

  • Bob

    “The entire point of the GPL is that, should you obtain the binaries (and it’s perfectly acceptable to charge for that) then you must be able to obtain the source for no more than the amount of money it costs to provide you with that individual copy of the source. ”

    This is not the only method of satisfying the requirements of the GPL though. There are other things he could do. I do agree he got it wrong but nothing is wrong with charging the same for the binary and for the source.

    His original website is a clear indicator that he charged nothing for the binary and yet did charge for access to the source which is a clear violation. But he could of easily removed the free binary and charge a equal fee for both source and binary and been fine.

    I would like to hear someone state exactly how they would of handled it in a different matter. While it could of been taken to the FSF, nothing is wrong with a copyright holder from contacting someone about a violation.

  • Archie Arevalo

    Why don’t we all site down amicably instead of tearing at each other’s throat? The Microsoft camp is laughing at us.

    GPL or not, I think Cipherfunk is actually doing Ubuntu a big favor in exchange for what? Mere droppings from a well-stacked coffer? C’mon the guy did the fix, and no one would help him with 9.90? That’s less than the cost of ShipIt.

    Work together; don’t undermine talent; give a little leeway … an bit of elbow room … a little allowance. Ubuntu does not want enemies in the Linux camp. Get your act straight.