In reading the new draft of the AL, I'm struck by the potential of
section 4 (and by extension 5) to support ham-handed or malicious
replacement of the Standard Version. As I read it, a Modified Version
may replace the Standard Version on a system as long as the author of
the MV makes the changes available to the author of the SV, whether or
not the SV's author wants them. As a concrete example, one might
distribute a version of Perl that sends a copy of the process
environment (or /etc/passwd, or name-your-favorite-local-info) to the
distributor prior to executing the task it was invoked to perform. It
would be legitimate under 4(a) to replace the default Perl
installation on the system with this "modified" version, as long as
you sent Larry Wall a patch which would cause the standard Perl to
send you this info as well. I'm oversimplifying a bit -- there's the
matter of having to "clearly document" the difference, but I suspect
that's open to some creative interpretation -- but the potential for
(at least reputational) harm to the original author and the SV seems
substantial.

This isn't a new problem, and I'm not sure to what extent an
open-source license wants to drift into questions of what constitutes
a legitimate change, but I do wonder whether there's room for
requiring something like 4(b) if the SV's author objects to a
modification. Just a thought...

--
Regards,
Charles Bailey
Lists: bailey _dot_ charles _at_ gmail _dot_ com
Other: bailey _at_ newman _dot_ upenn _dot_ edu

P.S. One other <nit type="trivial">If you disclaim implied warranty,
why not expressed?</nit> I guess one can claim that "express
warranty" is now a term of art.


  • Allison Randal at Apr 28, 2006 at 3:20 pm

    On Apr 26, 2006, at 21:45, Charles Bailey wrote:

    > In reading the new draft of the AL, I'm struck by the potential of
    > section 4 (and by extension 5) to support ham-handed or malicious
    > replacement of the Standard Version. As I read it, a Modified Version
    > may replace the Standard Version on a system as long as the author of
    > the MV makes the changes available to the author of the SV, whether or
    > not the SV's author wants them. As a concrete example, one might
    > distribute a version of Perl that sends a copy of the process
    > environment (or /etc/passwd, or name-your-favorite-local-info) to the
    > distributor prior to executing the task it was invoked to perform. It
    > would be legitimate under 4(a) to replace the default Perl
    > installation on the system with this "modified" version, as long as
    > you sent Larry Wall a patch which would cause the standard Perl to
    > send you this info as well.

    Potentially, yes, though once they've given their complete source
    code to Larry/TPF under the Artistic License we can publicly reveal
    exactly what they've done. No one would choose to install such code
    once they're aware of what it's doing.

    If someone were maliciously installing hacked versions of Perl on
    people's machines against their will, that would fall into a
    completely different legal category, and isn't something for a
    license to address.

    > ... but the potential for
    > (at least reputational) harm to the original author and the SV seems
    > substantial.

    Other legal tools are helpful too, such as the Perl trademark to
    identify versions of Perl that are sufficiently Perl-ish. (This one
    definitely would not be.)

    > P.S. One other <nit type="trivial">If you disclaim implied warranty,
    > why not expressed?</nit> I guess one can claim that "express
    > warranty" is now a term of art.

    If you include every possible warranty disclaimer, it could run for
    several pages. You have to draw the line somewhere, and this one fell
    on the "unlikely to apply" side.

    Allison
  • Charles Bailey at Apr 28, 2006 at 11:46 pm

    On 4/28/06, Allison Randal wrote:
    > On Apr 26, 2006, at 21:45, Charles Bailey wrote:
    >
    >> In reading the new draft of the AL, I'm struck by the potential of
    >> section 4 (and by extension 5) to support ham-handed or malicious
    >> replacement of the Standard Version. As I read it, a Modified Version
    >> may replace the Standard Version on a system as long as the author of
    >> the MV makes the changes available to the author of the SV, whether or
    >> not the SV's author wants them. As a concrete example, one might
    >> distribute a version of Perl that sends a copy of the process
    >> environment (or /etc/passwd, or name-your-favorite-local-info) to the
    >> distributor prior to executing the task it was invoked to perform. It
    >> would be legitimate under 4(a) to replace the default Perl
    >> installation on the system with this "modified" version, as long as
    >> you sent Larry Wall a patch which would cause the standard Perl to
    >> send you this info as well.
    >
    > Potentially, yes, though once they've given their complete source
    > code to Larry/TPF under the Artistic License we can publicly reveal
    > exactly what they've done. No one would choose to install such code
    > once they're aware of what it's doing.

    For the subset of people paying attention, I agree. For the cases where
    it's buried in a larger installation, or the user's consent to the
    installation is questionable (e.g. adware), perhaps not. I was thinking
    that there's often enough weasel room in "user consent", "permitted access"
    and the like to give the Black Hats cover; it'd be nice to have a licensing
    hook to deny them use of your tool for evil purposes. Possibly too
    proactive, but para 13 got me to thinking about the possible role of a
    license in promoting the author's notion of good social behavior.

    > If someone were maliciously installing hacked versions of Perl on
    > people's machines against their will, that would fall into a
    > completely different legal category, and isn't something for a
    > license to address.

    IANAL, but I don't think this is necessarily true. If you click 'OK' when
    the Sony DRM installer asks, the fact that it sneaks in a buggy rootkit
    doesn't put it into a different legal category than if it installed a
    well-designed userspace agent. (Well, there's the negligence issue, but I'm
    not sure to what standard the author is held, especially with the typical
    disclaimers of warranty.)

    These things said, I really don't want to make a big issue of this. I'd
    wondered whether there was some utility to building into the license some
    notion that the Package's author had some say over what other works could
    represent themselves as the Package. The current effect of the AL is that
    the author has no say. That's a defensible point, and maybe even a basic
    tenet of "free" software. Just musing . . .

    >> ... but the potential for
    >> (at least reputational) harm to the original author and the SV seems
    >> substantial.
    >
    > Other legal tools are helpful too, such as the Perl trademark to
    > identify versions of Perl that are sufficiently Perl-ish. (This one
    > definitely would not be.)

    Er, I got sort of lost here. Since the AL explicitly grants anyone the
    right to distribute the Package, as long as they say they're doing it, and
    implicitly (by making 4(b) one of several options) grants the right to
    represent whatever you distribute as the Package, I'm not sure how trademark
    helps you. At one level, can you grant someone the right to distribute the
    Package named Perl but deny them the right to refer to it as Perl? (Yes,
    this depends on how they refer to it: information is different from
    advertising, for instance.) At another level, I doubt trademark use impacts
    much on what happens when you type C<perl> on the command line.

    >> P.S. One other <nit type="trivial">If you disclaim implied warranty,
    >> why not expressed?</nit> I guess one can claim that "express
    >> warranty" is now a term of art.
    >
    > If you include every possible warranty disclaimer, it could run for
    > several pages. You have to draw the line somewhere, and this one fell
    > on the "unlikely to apply" side.

    I got lost here too. My only point was that the warranty the AL presumably
    meant to disclaim was an "expressed" warranty (i.e. one stated), rather than
    an "express" warranty (i.e. a quick one). The error is so common, though,
    that I expect "express warranty" is now considered as a term of art
    identical in meaning to "expressed warranty". Again, a trivium.

    To the extent that this is useful discussion, thanks for replying. To the
    extent that it's soaking up time revisiting settled issues, feel free to
    devnull it.

    --
    Regards,
    Charles Bailey
    Lists: bailey _dot_ charles _at_ gmail _dot_ com
    Other: bailey _at_ newman _dot_ upenn _dot_ edu
  • Allison Randal at Apr 29, 2006 at 7:58 pm

    On Apr 28, 2006, at 16:45, Charles Bailey wrote:
    > On 4/28/06, Allison Randal wrote:
    >> On Apr 26, 2006, at 21:45, Charles Bailey wrote:
    >>
    >> If someone were maliciously installing hacked versions of Perl on
    >> people's machines against their will, that would fall into a
    >> completely different legal category, and isn't something for a
    >> license to address.
    >
    > IANAL, but I don't think this is necessarily true. If you click
    > 'OK' when the Sony DRM installer asks, the fact that it sneaks in a
    > buggy rootkit doesn't put it into a different legal category than
    > if it installed a well-designed userspace agent.

    I meant different in the sense that malicious hacking is criminal
    behavior even ignoring any question of license, and it's more
    appropriate to deal with the problem there. (The Sony DRM installer
    is yet another different case.)

    Another good place to deal with the problem is through trust
    relationships. Sites like SourceForge are useful because they collect
    a bunch of software together, but they're also useful because you can
    see other users' comments on the software, and because SF has a
    policy of removing malicious software.

    > Since the AL explicitly grants anyone the right to distribute the
    > Package, as long as they say they're doing it, and implicitly (by
    > making 4(b) one of several options) grants the right to represent
    > whatever you distribute as the Package, I'm not sure how trademark
    > helps you.

    Think of it like the Apple logo on the back of an iPod. It's a sign
    of a reliable source. If someone shipped something that looks like an
    iPod without the logo, you'd know it wasn't really an iPod, and you
    wouldn't trust it as much. If someone put the logo on cheap knock-offs
    without Apple's permission (pretending to be the real thing),
    Apple can make them stop. Apple doesn't have the right to prevent
    people from making small, rectangular, white MP3 players, but the
    trademark gives them a tool to help keep their users from getting
    tricked by fakes.

    > My only point was that the warranty the AL presumably meant to
    > disclaim was an "expressed" warranty (i.e. one stated), rather than
    > an "express" warranty (i.e. a quick one). The error is so common,
    > though, that I expect "express warranty" is now considered as a
    > term of art identical in meaning to "expressed warranty". Again, a
    > trivium.

    Ah, right, then I misunderstood the comment. Actually, "express" as
    an adjective means "stated" too. As in "express wish" or "express
    purpose". Not common in modern colloquial usage, but legal language
    tends to hang on to older meanings longer. (The etymology of
    "express" is fascinating, and hinges around people thinking "express
    train" meant it was fast, when it really meant the train was
    dedicated to a special purpose. Eventually "fast" became the primary
    meaning.)

    Allison
  • Charles Bailey at Apr 30, 2006 at 2:46 pm

    On 4/29/06, Allison Randal wrote:
    > On Apr 28, 2006, at 16:45, Charles Bailey wrote:
    >> On 4/28/06, Allison Randal wrote:
    >>> On Apr 26, 2006, at 21:45, Charles Bailey wrote:
    >>>
    >>> If someone were maliciously installing hacked versions of Perl on
    >>> people's machines against their will, that would fall into a
    >>> completely different legal category, and isn't something for a
    >>> license to address.
    >>
    >> IANAL, but I don't think this is necessarily true. If you click
    >> 'OK' when the Sony DRM installer asks, the fact that it sneaks in a
    >> buggy rootkit doesn't put it into a different legal category than
    >> if it installed a well-designed userspace agent.
    >
    > I meant different in the sense that malicious hacking is criminal
    > behavior even ignoring any question of license, and it's more
    > appropriate to deal with the problem there. (The Sony DRM installer
    > is yet another different case.)
    >
    > Another good place to deal with the problem is through trust
    > relationships. Sites like SourceForge are useful because they collect
    > a bunch of software together, but they're also useful because you can
    > see other users' comments on the software, and because SF has a
    > policy of removing malicious software.
    >
    >> Since the AL explicitly grants anyone the right to distribute the
    >> Package, as long as they say they're doing it, and implicitly (by
    >> making 4(b) one of several options) grants the right to represent
    >> whatever you distribute as the Package, I'm not sure how trademark
    >> helps you.
    >
    > Think of it like the Apple logo on the back of an iPod. It's a sign
    > of a reliable source. If someone shipped something that looks like an
    > iPod without the logo, you'd know it wasn't really an iPod, and you
    > wouldn't trust it as much. If someone put the logo on cheap knock-offs
    > without Apple's permission (pretending to be the real thing),
    > Apple can make them stop. Apple doesn't have the right to prevent
    > people from making small, rectangular, white MP3 players, but the
    > trademark gives them a tool to help keep their users from getting
    > tricked by fakes.

    What you say makes complete sense. I think we're just working through
    slightly different scenarios. I expect that the "informed consumer"
    will use cues like this, and potentially more direct links like a GPG
    signature on the distribution by a TPF source, to obtain a "trusted"
    distribution.

    I'm more concerned about the less knowledgeable or less-well-versed
    consumer who decides to install a modified package (say, "HyperPerl"
    or "Perl++" or "SuperTrafficAnalyzer with Perl!") without realizing
    its adverse effects, or even fuzzier situations such as "You clicked
    on the attachment to my email advertisement; that constituted
    permission for me to replace your Perl with my modified version" or
    the botherder's "Of course the owners of all my machines
    consented." This is undoubtedly a fuzzy question, and I'm not sure
    what role an open source license has in trying to make dubious (but
    not necessarily per se illegal) tactics like this more difficult. It
    does seem to me that the potential reputational damage to Perl in
    these hypothetical scenarios is appreciable ("Perl-driven worm
    propagates rapidly", "Adware distributor claims he's only making
    legitimate use of licensed software"). Whether the package author
    would want to have an enforceable way to interfere with use of the
    package in such schemes (and possibly put up with "Artistic License
    not free" criticisms along the way) isn't entirely clear, though. It
    would probably have little impact among savvy readers, who are likely
    to know already that the package author doesn't condone the use in
    question. I'm not sure how much practical impact it'd have, or how
    much it'd convince a less well informed or less invested audience, who
    may focus only on results.

    >> My only point was that the warranty the AL presumably meant to
    >> disclaim was an "expressed" warranty (i.e. one stated), rather than
    >> an "express" warranty (i.e. a quick one). The error is so common,
    >> though, that I expect "express warranty" is now considered as a
    >> term of art identical in meaning to "expressed warranty". Again, a
    >> trivium.
    >
    > Ah, right, then I misunderstood the comment. Actually, "express" as
    > an adjective means "stated" too. As in "express wish" or "express
    > purpose". Not common in modern colloquial usage, but legal language
    > tends to hang on to older meanings longer. (The etymology of
    > "express" is fascinating, and hinges around people thinking "express
    > train" meant it was fast, when it really meant the train was
    > dedicated to a special purpose. Eventually "fast" became the primary
    > meaning.)

    Interesting. I hadn't thought of that as a current usage, but I see
    citations in the OED into the 19th century at least, and that doesn't
    include legal usage. I type corrected. Serves me right for letting
    my prescriptivist streak sneak out in public. That leaves just the
    matter of euphony, on which I should be content that the Elizabethans
    didn't leave us with something like "expresse and implie" as the
    common usage (probably not much risk, since the ppt. of "imply" hung
    on enough to give us "implicated" and friends, and "implicat[e]"
    doesn't roll off the tongue like "expresse").

    --
    Regards,
    Charles Bailey
    Lists: bailey _dot_ charles _at_ gmail _dot_ com
    Other: bailey _at_ newman _dot_ upenn _dot_ edu

Discussion Overview
group: artistic2 @
categories: perl
posted: Apr 27, '06 at 4:45a
active: Apr 30, '06 at 2:46p
posts: 5
users: 3
website: perl.org
