Re: [GNU-linux-libre] Good practices for removing nonfree code found in source code.

[Jean Louis]

* bill-auger <bill-auger@peers.community> [2021-10-04 12:29]:
> how is that legit? - if the copyright holder does not provide
> the source code to _someone_ who is using the software under the
> supposed GPL, then it is impossible for _anyone_ to comply with
> the GPL - that surely invalidates the GPL
> 
> i think i get your point; but firmware is not a representative
> example - firmware is an edge case, where efficiency is
> paramount - the author could always claim that it was written by
> hand in machine code; so no CCS exists - the blob is already in
> the "preferred form for modification" - it is reasonable to
> extend the benefit of doubt, for something so specialized to
> drive a very specific piece of hardware - for most software
> though, that same claim would be very weak

In relation to that chat, let me say something programmers often
completely forget, don't know, or neglect it, but companies
don't. Companies are required to know about parties they are dealing
with, to conduct their due diligence and keep the "know your clients"
procedures. Every company or organization which means a group that is
more serious than single programmer or team of programmers, shall have
their own legal division of work. Legal division verifies legalities.

Legality is never adequately verified just because party A finds
software on website X, that provides free license Z by author B.

Companies and organizations are to verify all relations rather then
just to blindly believe "it is so how it is digitally written". That
does not work in courts. 

Let us say somebody provides Windows source under GPL on Internet,
that does not make Windows source legally licensed under GPL, because
author or copyright holders never licensed it so. It should be very
clear to businessmen, but is not clear to programmers.

There is requirement of due diligence to establish whole chain of
legality when taking over somebody's software.

I understand that we neglect the due diligence and we blindly believe
digital information. 

Though the DMCA repository of Github demonstrates that there are
hundreds if not thousands of cases where people make such gravid
mistakes. 

Distributions don't have legal divisions, not that I know, and none of
distributions truly verifies full legalities, they blindly believe the
licenses offered online.

> On Sun, 3 Oct 2021 20:01:19 +0200 Denis wrote: 
> > So in cases like that it would also be a good idea to archive that
> > source release somewhere, ideally in projects like Archive.org or
> > Software Heritage

That would not establish chain of legalities. That would mean if you
find software anywhere, you would just believe that it is licensed
under free license Z, just because you find it.

How do you ensure that third party Archive.org did not tamper
information? 

Right way is to verify software with author. If author is not
available then to find other ways of other authoritative parties who
did verify it.

I don't myself support copyright, I am only presenting it from legal
and business perspective. 

Myself, I will take any video or image from Internet, books, and will
not regard copyright. I would not mind if my own books are distributed
same way.

> but only the copyright holder could publish proprietary code,

Anybody could tamper software packages and include proprietary code.

That is why authors digitally sign their software packages.

For serious business, parties who wish to reuse or modify software are
advised to verify it is really from the author and really published
under specific license, the verification shall also include previous
works not to be proprietary as not to enter into infringements. 

> _anywhere_ - it seems to me that automated archivers such as
> Software Heritage have a huge liability there

Yes, I do think so.

Only for reasons of lack, and fact that it is free software and huge
complexities in verification there are almost none complaints. Again,
compare it to DMCA repository on Github, where people complain
probably daily (did not verify it recently). The reason why there are
many complaints on Github is that code can be easily located. Other
repositories don't have the search engine. I am just assuming there
would be equal number of complaints on those others like Heritage.

But Archive.org and online libraries receive all the time attacks from
copyright holders.

> if Software Heritage notices any proprietary code in their
> repos, presumably they would delete it - so, i dont think it
> could be used for the purpose as you describe, without consent
> of the copyright holder

I also think so, but I don't think that one organization is able to
verify all software to be proprietary or not.

Jean

Take action in Free Software Foundation campaigns:
https://www.fsf.org/campaigns

In support of Richard M. Stallman
https://stallmansupport.org/