2005-07-19

GnuPG and PKCS#11 and GNU extremism

Some time ago (November 2004, to be exact) I released a patch to GnuPG that makes it possible to use third-party smart cards, through their PKCS#11 drivers, with GnuPG.

Mr. Werner Koch (as I understand it, he is one of the main developers of GnuPG, if not the main one) didn't like it, saying there are licensing issues with run-time linking of proprietary PKCS#11 DLLs to GnuPG, which is, well, GNU copylefted. You can find the whole discussion thread here. Nevertheless I continued to work on it, and the state in which I abandoned development is documented here (as well as in the patch itself). The reasons for abandoning the project can be summarized in the following points:
  • Lack of a suitable, quality hardware or software PKCS#11 implementation under Linux. I tried to find a software PKCS#11 token offering relatively complete API support, but found only Mozilla's, which is far too complicated to install.
  • Nobody on the gnupg-users list seemed really interested in the project.
So because of Werner's opinion on licensing, the patch did not make it into the GnuPG mainstream (even though I had offered to polish it). IMHO, what he failed to take into account is that there might be a GNU PKCS#11 implementation which, when linked into GnuPG, wouldn't produce undefined licensing issues. In the meantime I have completely switched my areas of interest and don't even have the hardware available any more. So for the time being, development is frozen on my part.

What's funny is that in the last week (8 months later) I have been contacted twice by different people regarding the development status of the patch.

To one person from a certain company I offered help with patch integration (i.e. explaining my design decisions and how it works). After I pointed him to Werner's explanation of the licensing issues, he asked whether I knew if GnuPG is perhaps dual-licensed. After I replied 'to my knowledge, it's GNU-only', I did not hear from him again.

Another person has made modifications to my patch and actually got it working with a Schlumberger Cryptoflex 32k, both with OpenSC's and MUSCLE's PKCS#11 library. Great news! I don't know the precise details yet, such as whether he made it possible to use more than one key pair. With his modifications he solved some things more elegantly, but his changes conflict with my initial design decisions. And he also doesn't agree with Werner's interpretation of the licensing.

This story is just another example of GNU extremism hurting the end user. The latest example is Microsoft's libraries for parsing their new Office XML formats. As far as I understand, these libraries are essentially free (as in freedom and as in beer), except that Microsoft wants credit in programs that use its libraries. To the GNU people, this is not 'free' enough. Personally, I see nothing wrong in asking for credit if somebody is using your work, nor do I consider a work less 'free' because of such a requirement. Even if I were required to return all changes to the original author, it would still be free to me.

I guess the extreme point of view makes it much easier to construct a GPL-style license: lawyers need not bother thinking about reasonable exceptions and wording them in a manner that can sustain a court challenge. Sadly, the lawyers' laziness combined with GNU extremism hurts only the end user.

Currently I'm employed in academia, and I'll try to release my work under a BSD-like license. Academia lives on money coming from taxes paid by companies and citizens. It is fair to give back to society work unencumbered by the GNU license, so it can be freely used by industry. If industry is able to make money from the work of academia, it is good for everyone. And industry is reluctant to use GNU software with good reason: they would be required by the license to open up their complete source, which may contain trade secrets. The LGPL license is IMHO a step in the right direction, but it is too rarely used.

Speaking of freedom: GNU should not be called free, as in freedom. It requires[1] you to make available any source code changes to any GNU-licensed program, if you distribute that program. What's worse, if you use only a bit of GNU code in an otherwise original work of yours, your complete program is considered GNU.

[1] Since when is requiring someone to do anything called freedom? Oh yes, you have the freedom not to use the software in the first place. But then again, you have that freedom with any kind of software.

Don't get me wrong: the GNU project has produced some marvelous pieces of software. But people like Mr. Werner Koch are overdoing it. Of course, he should take care that GnuPG contains only GPL code. But what happens when it is executed and run-time linked to some proprietary PKCS#11 library should not be his concern. It should be the concern of the end user only.

3 comments:

Anonymous said...

Well... if Mr. Koch has some problems, why attack the whole (GNU project and GPL)? I personally think that the GPL is a better free software license than the BSDL, because it doesn't let commercial software makers misuse the code. But, of course, that's just me. And no, it really doesn't have any relation to my very positive opinion of Mr. Stallman; I consider that a totally separate issue.

Anonymous said...

I agree with the post. I believe that the GPL is so concerned with "freeing" the user at the expense of the developer that it forgets that in the open source world, every user is potentially a developer (of derivative work of the original software). So, while freeing the user to use the software as he sees fit, it doesn't allow the same user to modify it and use the derivative work freely.

The other issue here is commercial misuse: first, what is misuse? For example, if a company uses a few (say, 100) lines of GPLed code in a 10000+ line project, morally I don't see that as misuse, but the GPL (and its interpretation under most laws) clearly states that it is.

Secondly, to effectively use the GPL to protect its code, the developer must go to court, and most projects' authors don't have the time and money to do that, so the GPL provides no protection to them. It just limits their potential user base (in comparison to more liberal licenses such as BSD).

Anonymous said...

So, one has the moral right to use 100 lines of commercial code in a GPL product without paying for it?

I don't think so.