The Official FF Open Source Fight Thrad

[lisarea]

Quote:

Originally Posted by seebs

Quote:

I mean Open Source (TM). That is to say, the thing that the trademark refers to.

The term "open source" is not trademarked. Do you mean this?

Again, that's not what I was referring to, but nothing about that jumps out as problematic to me. What exactly makes it incompatible?

Quote:

Yes, I am saying that. I think it's pretty likely, not because it's sensical, but because we have so many examples of people being held liable for ridiculous things that it's hard for me to imagine the courts suddenly turning sane.

Consider all the court cases that have led to all sorts of elaborate safety mechanisms and mechanisms for preventing people from intentionally disabling safety mechanisms, etcetera. The courts have consistently found that rich companies that could have taken more steps to prevent people from hurting themselves are liable for not having prevented people from going wayyyy out of their way to hurt themselves.

Basically, if a jury of people who don't know much about technology can be convinced that it was negligent of you to make it possible for people to hurt themselves, you can be liable.

Can you be specific? What sort of precedents are there that would apply to a situation like that?

I'm sure it's not what you intend, but that argument sort of looks like one of those vague appeals to American litigiousness that are usually based on urban legends.

And what sort of measures are currently in place to prevent it? If you look at some of the articles, the proprietary software on a lot of these devices is currently vulnerable to attack. Pacemakers are reprogrammed by an unencrypted radio signal. And the implication in the article about the insulin pump is that that signal is unencrypted too. Which makes it likely that obscurity is pretty much the only security they have.

So if employees and regulators are carefully reviewing the code for implanted medical devices to find and resolve vulnerabilities, they suck at it, and I'm really not seeing how public review and oversight could make it any worse.

[seebs]

Quote:

Originally Posted by lisarea

The term "open source" is not trademarked. Do you mean this?

Again, that's not what I was referring to, but nothing about that jumps out as problematic to me. What exactly makes it incompatible?

Oh, I guess they failed the trademark registration, but...

It's not that it's incompatible. It's that it's a much stronger claim than merely "you have access to the source". There are many, many, things you can do which give the user access to the source but which are not Open Source.

Quote:

I'm sure it's not what you intend, but that argument sort of looks like one of those vague appeals to American litigiousness that are usually based on urban legends.

Could be. It's entirely possible that all the lawyers who have come to conclusions about the restrictions they need to impose, and the pages and pages of disclaimers we see, are all just superstition.

Quote:

So if employees and regulators are carefully reviewing the code for implanted medical devices to find and resolve vulnerabilities, they suck at it, and I'm really not seeing how public review and oversight could make it any worse.

We're talking about different issues.

I am talking only about the GPLv3 mandate that it must be possible for the user to replace the software with a modified version, which I think is an unreasonable requirement which creates a barrier to use, and this is why I think GPLv3 is fundamentally stupid.

I am all for people publishing the code to systems, as yes, I think that would result in more vulnerabilities being caught, etcetera.

But there are real cases where, whether or not the regulations are sensical, it is not legal for developers to ship a thing which allows the user to modify or replace parts of the code. So the GPLv3 mandate that users must be able to replace code prevents people from running it.

So it's stupid, and less good at providing genuine openness in source code than alternatives are.

[lisarea]

Quote:

Originally Posted by seebs

Could be. It's entirely possible that all the lawyers who have come to conclusions about the restrictions they need to impose, and the pages and pages of disclaimers we see, are all just superstition.

You're talking about manufacturer labels and disclaimers?

I've been in product packaging meetings at a couple of different companies, and there's not always even a lawyer in the room, especially at smaller companies. Those warnings and disclaimers are often decided on by rooms full of laypeople, speculating about the potential for litigation based on different urban legends they've heard, just like you see it done on the internet.

So the common belief that warning labels and such are all based on some clear precedent is specious.

And anyway, if every warning and disclaimer were based on solid legal reasoning, that would seem to indicate that those warnings and disclaimers actually serve to protect the company from liability in those cases.

If there were a significant trend of successful lawsuits from people who have been injured because they intentionally modified products, there would be direct evidence of that. I'm just asking that you show me directly what type of cases you're talking about because I'm interested in seeing it.

[ChuckF]

Quote:

Originally Posted by seebs

Basically, if a jury of people who don't know much about technology can be convinced that it was negligent of you to make it possible for people to hurt themselves, you can be liable.

Yeah it is pretty easy to imagine a bunch of people who aren't very well-informed about a specialized area of knowledge reaching some pretty silly conclusions on the basis of misunderstanding, innuendo, and urban myth.

[seebs]

Quote:

Originally Posted by ChuckF

Quote:

Yeah it is pretty easy to imagine a bunch of people who aren't very well-informed about a specialized area of knowledge reaching some pretty silly conclusions on the basis of misunderstanding, innuendo, and urban myth.

True enough!

So if someone can point to actual court cases either way, I'd be fascinated to hear them. I have just assumed that the occasional silly results one hears about have some kind of basis, however tenuous, in reality. This may be an unreasonable assumption.

[ChuckF]

Quote:

Originally Posted by seebs

Quote:

True enough!

So if someone can point to actual court cases either way, I'd be fascinated to hear them. I have just assumed that the occasional silly results one hears about have some kind of basis, however tenuous, in reality. This may be an unreasonable assumption.

Oh, I kind of assumed you had some cases in mind because of how you said:

Quote:

Originally Posted by seebs

Consider all the court cases that have led to all sorts of elaborate safety mechanisms and mechanisms for preventing people from intentionally disabling safety mechanisms, etcetera. The courts have consistently found that rich companies that could have taken more steps to prevent people from hurting themselves are liable for not having prevented people from going wayyyy out of their way to hurt themselves.

This may be an unreasonable assumption.

[seebs]

Okay, background #1:

Product Safety

Random blogger observes that in some cases, product liability can apply even when users ignored warnings or instructions, though I see no citations:

User Error and Product Liability | Amicus Curiae: A Seattle legal blog - seattlepi.com

More detailed discussion with some history (PDF):
http://www.productliabilitypreventio...009_KRoss_.pdf

So, long story short: Intentional user modification can be a defense, but isn't a slam-dunk defense. The question of what is counted as "forseeable" appears to be something on which juries may disagree.

[seebs]

Which is to say: I had in mind a vague awareness that there had been cases which most people regarded as "silly" involving product misuse, although it appears that "modification" and "misuse" are distinct.

But!

Can anyone here point me to a completely unambiguous court ruling that loading new software on a physical device constitutes "modification" rather than "misuse"?

[ChuckF]

Quote:

Originally Posted by seebs

Okay, background #1:

Product Safety

Random blogger observes that in some cases, product liability can apply even when users ignored warnings or instructions, though I see no citations:

In many cases, in fact. Many US jurisdictions have adopted strict liability for products liability cases. This rejects the negligence model that preceded it. If the product was defective, then the manufacturer is liable.

Quote:

User Error and Product Liability | Amicus Curiae: A Seattle legal blog - seattlepi.com

More detailed discussion with some history (PDF):
http://www.productliabilitypreventio...009_KRoss_.pdf

The first page of that paper cites Greenman, which is in many ways the genesis of strict liability for defective products. It lays out the rationale underlying a strict liability for products liability. Basically, defective products should be kept off the market, and manufacturers are in the best position to keep them off the market.

Quote:

So, long story short: Intentional user modification can be a defense, but isn't a slam-dunk defense. The question of what is counted as "forseeable" appears to be something on which juries may disagree.

There is very rarely such a thing as a "slam-dunk defense." Even in strict liability jurisdictions, defendants may show that plaintiff's conduct contributed to or even caused injury. Tort law is a fuzzy thing, as it should be. It is of little consequence that juries, as finders of fact, may disagree on what is and is not foreseeable in a specific case.

And while juries may occasionally award enormous punitive verdicts for products liability case, where they are permitted to do so, the nominal value of those awards rarely translates into an actual dollar settlement. They are reduced on appeal or settled for much less than the nominal value. The jury award usually gets a media story. The settlement usually does not.

Quote:

Originally Posted by seebs

Can anyone here point me to a completely unambiguous court ruling that loading new software on a physical device constitutes "modification" rather than "misuse"?

lol, that is barely even a thing. Sometimes, when throwing Orly Taitz out of court, we see a completely unambiguous ruling. Otherwise, it's a pretty rare bird.

Your question looks like a contracts or intellectual property question rather than a torts question. It would really depend on the terms of the license agreement. More information is needed. And the law is different across various jurisdictions, so what may be true in California may not be true in Texas, and the same set of facts may yield different outcomes in the 9th Circuit and the 4th Circuit.

[ChuckF]

Quote:

Originally Posted by seebs

Which is to say: I had in mind a vague awareness that there had been cases which most people regarded as "silly" involving product misuse, although it appears that "modification" and "misuse" are distinct.

But!

Can anyone here point me to a completely unambiguous court ruling that loading new software on a physical device constitutes "modification" rather than "misuse"?

Just to make clear what you're looking for, give me a hypothetical example of a fact pattern:

ChuckF loads new software on to a physical device and then _________.

[seebs]

...and then uses it precisely as it would have been used without that new software.

So, say you have a dialysis machine. You hear that the firmware is open source and some guys on the Internet say they have software that will make it more effective, and you can upload new firmware to it. You upload new firmware to it, and continue using it exactly the way you previously did.

The new firmware doesn't work, or makes the machine malfunction in exciting ways. You die.

Is the manufacturer at fault? I don't think so, but it seems to me that this runs into a weird boundary. We have at least some cases showing that the company can use "but you modified the device" as a defense successfully. We have at least some showing that "but you used it wrong" may not be a successful defense.

But is "loaded new software onto it" a kind of modification, or is it an easily-forseen misuse that the company could trivially have prevented by not making it possible to load new software onto it?

While I think the result is Obviously Bad, it seems to me that the existing history of lawsuits involving product liability could certainly lead to a conclusion that this was a device that could easily malfunction if misused, and that loading new firmware onto it is such a misuse, and that the company should have taken steps to prevent the loading of new firmware.

[ChuckF]

Quote:

Originally Posted by seebs

...and then uses it precisely as it would have been used without that new software.

So, say you have a dialysis machine. You hear that the firmware is open source and some guys on the Internet say they have software that will make it more effective, and you can upload new firmware to it. You upload new firmware to it, and continue using it exactly the way you previously did.

If you put new firmware on it, you're not using it exactly the way you previously did.

Quote:

The new firmware doesn't work, or makes the machine malfunction in exciting ways. You die.

Is the manufacturer at fault?

Maybe. Maybe not. That may not even be the relevant inquiry, because the law of products liability is not always a fault-based negligence regime. In some places at some times it is, and in some places and at some times it isn't.

Quote:

I don't think so, but it seems to me that this runs into a weird boundary. We have at least some cases showing that the company can use "but you modified the device" as a defense successfully. We have at least some showing that "but you used it wrong" may not be a successful defense.

But is "loaded new software onto it" a kind of modification, or is it an easily-forseen misuse that the company could trivially have prevented by not making it possible to load new software onto it?

Different facts lead to different outcomes. This sounds like a design defect type of product liability, and the burden in such cases is typically to demonstrate that the product is defective and unsafe when used in the intended, reasonably foreseeable manner, as an ordinary consumer would see it. Were I defending the manufacturer, I would present evidence of the technical sophistication required to write new firmware for this specific device. I would call experts to to testify about the complexity of firmware. I would show that loading new firmware on to the device is neither the intended use, nor reasonably foreseeable. I would call the software engineer who wrote the firmware and have him explain how complex it is. Were I representing the plaintiff, I would call experts to testify about how easy it is to install new firmware. I would show that the manufacturers designed firmware for the machine and loaded it, and it was therefore reasonably foreseeable that some other party could do so in the absence of a mechanism to prevent it. I would cross-examine the software engineer who wrote the firmware and make him explain why he thought that nobody else could do what he did, and why he didn't take steps to prevent them.

Quote:

While I think the result is Obviously Bad, it seems to me that the existing history of lawsuits involving product liability could certainly lead to a conclusion that this was a device that could easily malfunction if misused, and that loading new firmware onto it is such a misuse, and that the company should have taken steps to prevent the loading of new firmware.

It could. It depends on the law of the jurisdiction. In a strict liability jurisdiction, there could be some liability, but it depends on a lot of things. Relevant factors may include the relative cost of implementing a mechanism to prevent users loading new firmware; countervailing benefits arising from the design that outweigh risks; the sophistication and specialized required to alter the firmware; a thousand other considerations. For example, could a user easily alter the existing firmware in such a way that the machine would not function correctly? Could a user wipe the firmware? Could he do it by simply connecting the machine to his laptop with a USB cable? Or is some very advanced and specialized technique required? Do competitors in the industry permit users to load their own firmware?

Products liability tends to be a fuzzy area of the law that is not easily reducible to tests. It may incorporate the reasonable person standard and foreseeability from negligence, and tort law's models of causation. The softness of these concepts permits the finder of fact to apply the law to hugely diverse factual scenarios and render justice. When we hear about perverse or absurd jury awards in products liability cases, we rarely get more than a tiny, tiny fraction of the story. Just enough to make it sound silly in the paper. If you look at the actual record, a lot of evidence goes in to product liability cases. They are expensive and very difficult to try, and very difficult to win. When juries do render huge and apparently unreasonable awards - which they sometimes to - the law can deal with that too. There's an entire appellate system just for that.

That's the main thing that bugs me when I see the whole OMG THE INSANE COURTS line of bullshit. The law is a huge and dynamic institution with uncountable moving parts. If you think that some given outcome is unreasonable, there are smarter people than you working on it, even as you speak.

[seebs]

What I mean by "using it the same way" is that, with a dialysis machine, there's a regular daily routine with hookups and power cycles and button presses, and following that exact same routine on a machine with different firmware could cause a problem.

For a real-world example: There existed dialysis machines which had a special self-cleaning cycle which was triggered by entering the far-future date of 9/9/99. Obviously, following the normal procedure for using the machine would become unsafe in September of 1999...

I guess what concerns me is that it strikes me as extremely forseeable that, if you ship a machine known to contain a computer, with a provided mechanism for replacing the code on it with other code, it seems pretty damn likely that people will do exactly that, and there are well-understood mechanisms for restricting what firmware can be loaded on machines.

Honestly, I would actually sort of expect a vendor of such a machine to take some kind of precaution against stupidity there. I seem to recall car manufacturers are expected to do this because people tried to reprogram engine computers to get "better performance".

APR 93 Octane ECU Chip Modification Review | The Truth About Cars

Software like this exists, and I have heard (but can't find a source at the moment) that in some cases it has caused problems, such as failure to meet emissions standards, and that as a result some vendors now make an effort to prevent users from doing this.

I am not sure where the reasonable line is. I do, however, think it makes sense for a company to choose to impose some technical barriers to replacing the code driving a medical device. At which point, they are limited in which kinds of open source licenses they could use for any of the code in it...

[Corona688]

Quote:

Originally Posted by seebs

Honestly, I would actually sort of expect a vendor of such a machine to take some kind of precaution against stupidity there. I seem to recall car manufacturers are expected to do this because people tried to reprogram engine computers to get "better performance".

I don't see why it'd be anything but the users' responsibility. A computer is a universal machine, after all. Putting a different set of code in to it can cause as radically different behavior as replacing the entire board, and certainly if they'd replaced the guts of the machine it'd be no question the user was at fault.

If it's well and truly not supposed to be reprogrammable, if it's a special-purpose lifesaving device with limited function, don't make it reprogrammable. Medical equipment for example could use EPROMs instead of flash. EPROMs might be more stable anyway, it wouldn't even be able to erase itself by accident. Worst comes to worst, if they find a big glitch, they can burn a new batch of chips and mail them to people; for medical equipment they'd only be talking about thousands of units, not millions.

[JoeP]

Quote:

Originally Posted by ChuckF

That's the main thing that bugs me when I see the whole OMG THE INSANE COURTS line of bullshit. The law is a huge and dynamic institution with uncountable moving parts. If you think that some given outcome is unreasonable, there are smarter people than you working on it, even as you speak.

I misread that last sentence. But I think my misreading is also true:

If you trust that some given outcome is reasonable, there are smarter people than you working on it, even as you speak.

[seebs]

Quote:

Originally Posted by Corona688

If it's well and truly not supposed to be reprogrammable, if it's a special-purpose lifesaving device with limited function, don't make it reprogrammable.

Right -- and that's where a license that says that you MUST provide for user replacement of code under this license becomes a problem.

[Corona688]

Yes, now I see. Even the LGPL would be bothersome to deal with in that scheme.

[lisarea]

I think this is the relevant portion of GPLv3, my bolding:

Quote:

"Installation Information" for a User Product means any methods,
procedures, authorization keys, or other information required to install
and execute modified versions of a covered work in that User Product from
a modified version of its Corresponding Source. The information must
suffice to ensure that the continued functioning of the modified object
code is in no case prevented or interfered with solely because
modification has been made.

If you convey an object code work under this section in, or with, or
specifically for use in, a User Product, and the conveying occurs as
part of a transaction in which the right of possession and use of the
User Product is transferred to the recipient in perpetuity or for a
fixed term (regardless of how the transaction is characterized), the
Corresponding Source conveyed under this section must be accompanied
by the Installation Information. But this requirement does not apply
if neither you nor any third party retains the ability to install
modified object code on the User Product (for example, the work has
been installed in ROM).

If I'm not mistaken, it doesn't require everything you deliver to be reprogrammable, it just means that as long as something is reprogrammable by someone, the information about how to do that must be provided.

[ceptimus]

Oops, I posted before reading properly.

[seebs]

Hmm, interesting. The famous example, of course, is TiVo. They used checksums and suchlike to prevent people from installing modified boot images.

Say you have a fairly non-trivial piece of medical hardware which you really want to be able to software-upgrade for some reason; say it's installed inside a person, for instance, so it's impractical to physically swap ROM.

If you build a way to reload firmware, and there's any GPLv3 code, you appear to be in principle required to make it possible for end-users to load code of their own, and you can't impose some kind of signing or checksum thing to prevent "unauthorized" code.

So far as I can tell, the pretty much universal reaction from embedded vendors has been "okay, no GPLv3 code on targets, then."

[lisarea]

Quote:

Originally Posted by seebs

If you build a way to reload firmware, and there's any GPLv3 code, you appear to be in principle required to make it possible for end-users to load code of their own, and you can't impose some kind of signing or checksum thing to prevent "unauthorized" code.

Right. And as long as the procedure is secure and there are sufficient safeguards in place to ensure that it's not done trivially or accidentally, I don't see a problem with making the person in whom the device is implanted the ultimate arbiter of how that device functions. Especially considering what the alternatives are.

Quote:

So far as I can tell, the pretty much universal reaction from embedded vendors has been "okay, no GPLv3 code on targets, then."

Well, first, we really have no idea what's running on those devices because the source code isn't publicly available. People have discovered unauthorized uses of others' code in proprietary software enough times that I wouldn't eat my hat if a review of the code of embedded medical devices revealed some stolen stuff in there.

And I don't have a problem with developers choosing to write their own code under their own terms if that's what they choose, as long as that code is made available for review. People who license their code under GPLv3 have every right to impose those limitations, and anyone who doesn't want to abide by the terms doesn't have to use it.

But if you're writing software that people are literally entrusting with their lives, those people should be able to see exactly what that software does, so they can make an informed decision.

[seebs]

I'm coming to this from the perspective of someone whose day job is selling Linux to embedded developers. They are fine with GPLv2. They are fine with making code available. But they frequently have compelling reasons for which they must not (in the strong sense of the RFCs) permit user modification of some aspect of a system. As in "we could not legally sell our product if we did". So a big part of what we provide is a set of tools and resources known not to create GPLv3 contamination, and clean-room engineering of an occasional bug fix or patch that's in a GPLv3 upstream version.

But yes, I think the world would in general be a better place if people were much more strongly encouraged to publish source.

[Corona688]

Quote:

Originally Posted by lisarea

I think this is the relevant portion of GPLv3, my bolding:

Quote:

Sharp eyes, Lisa. It sounds like there's provisions built right into the license for it.

With so many chips being actually erasable these days, that still places constraints on which chips they use, but it's still there. There may be some with code-protection features preventing erase even being possible to the manufacturer after, in which case they could just socket the whole microprocessor...

[ImGod]

All this wordprocessing and medical device talk is interesting, but it doesn't address the fact that Mark Zuckerberg probably installed an untraceable rootkit with a keylogger on any internet capable device you own so he can view anyone he wants via webcams, look at what they are doing on their PC,smartphone,tablet, and track their every movement, purchase, update, photo posting, and website visit so he can sell data to vendors, governments, and data peddlers.

It's likely you agreed to it on page 1015 of the EULA for the priviledge of accessing The Facebook, and if not, he's doing it anyway because he's a fucker like that and you have know way of knowing.

What you don't know won't hurt you and if you don't have anything to hide you shouldn't have to worry anyway. AMIRITE.

When Rick Perry gets elected someday, Jerry Falwell can give him a list of unacceptable websites to quietly remove from the world after their morning prayer and the US's computing system will quietly comply.

[lisarea]

[Inelegant segue, defense of tenuous link to open source.]

Doctorow talked some about this in that talk you all listened to before because I told you to, but to qualify for Windows 8 compliance, Microsoft is going to require implementation of the secure boot feature of UEFI, which is a feature that will effectively lock devices from booting to an unsigned operating system, which, depending on how manufacturers implement it, will prevent people from installing or even running a live distribution of an alternate operating system such as Linux on their computers. (In fact, according to the most awkward sentence ever, " Later it was reported that Microsoft apparently prohibited implementation of disabling of Secure Boot on ARM systems," manufacturers will be required to completely lock users in on ARM devices.)

This is some straight up bullshit, of course, for not only the obvious reasons that you as a user will be locked out of using the features of the hardware you purchased, but it could also lead down the road to even more abuses:

Microsoft's Take on UEFI May Impede Linux (and that's being polite) | Linux Journal

I find this particularly scary right now, as there's been a steady increase in adoption of single-use, locked in devices that people use instead of computers; but this goes well beyond that, in that actual computers are being locked in and effectively turned into single use, disposable devices as well. (I wouldn't even call something with a mandatory secure boot a 'computer' in the narrow sense. It's more like an appliance or a gadget or something.)

And that has the potential to result in a lot of terribleness.