2005-09-06

GPL once more - part 1

This text is divided into two parts. This (the first part) discusses the issue, and in the second part I will describe a method that will (possibly) make it possible to get rid of GPL problems related to dynamic linking - once and for all :)

On the GnuPG -devel and -users mailing lists there is again a vigorous discussion on Werner's decision not to support PKCS#11 in GnuPG. One of the major arguments is again the licensing issue.

It seems that the problem is linking of the (proprietary) PKCS#11 shared library in the same address space with the GnuPG binary. E.g. executing a GPL'd binary that uses Win32 API does not violate GPL when calling kernel because:
  1. They are not linked together in the same address space but communicate by well-defined messages.
  2. There is also an exception in the GPL for the software delivered as a "part of the operating system".
Some participants distinguish between a protocol and an API (the library for which eventually gets dynamically, or even statically, linked into your application).

I maintain that, in many cases, these two things are the same. Consider two possible implementations of PKCS#11:
  1. As a shared library, and
  2. as a daemon listening on a local ("UNIX") socket.
In both cases the amount of data sharing between the applications is exactly the same. The only difference is in the mechanism of sharing.

But for some strange reason, using the first implementation of PKCS#11 would make the whole program, under GPL interpretation, a "derivative work". User is (legally) not allowed even to dynamically link a proprietary PKCS#11 DLL with a GPL incompatible license.

However, the second case is perfectly OK use-case: GPL application communicates with proprietary daemon using a pre-established "protocol" and everything is fine. Legally, what happens if UNIX sockets are implemented by shared memory? What does GPL say in that case?

I maintain that in both cases, the amount of sharing and coupling between the application and PKCS#11 module is in both cases the same. The only difference is in mechanism used to accomplish this sharing. In both cases the application shares only data with the service provider (PKCS#11 - in either form).

In my opinion, data sharing does not and cannot (in any common-sense interpretation) constitute a "derivative work". Furthermore, GPL is only about code sharing. Then again, I'm not a lawyer - comments are welcome.

Then again, you can register callback functions with PKCS#11 driver, creating an even more interesting situation. These functions can be translated into asynchronous messages from some daemon back to the application. So in my view, even in this case there is no code sharing. There is as much code sharing as with registering a ubiquitous WindowProc callback with Win32 API.

Paradoxically, it seems that GnuPG would be allowed to use closed-source MS CAPI because it is delivered as a "part of the operating system". The way CAPI works is:

your application -> CAPI -> back-end driver

So your application interacts with CAPI (delivered as a part of the operating system - an exception permitted by the GPL), and CAPI interacts with the back-end driver for the particular hardware device.

More interested readers can look into the gnupg-users and gnupg-devel archives for the thread named "OpenPGP card". (For the future record: around 6th Sep, 2005.)

Based on these things (also read my previous posts on GPG and Bitlbee), I personally find the GPL license flawed in many respects. A good open-source license should not allow for "paradoxes" (like the above example) and it also should not prohibit mixing the code (in any way - source form, static or dynamic linking) with another, essentialy "free" or standards-conforming code, like OpenSSL[1] or PKCS#11[2] drivers.

[1] free as in both open-source and no charge
[2] free as in no charge

During these discussions on the list I had a most interesting idea. Read about it soon in the next blog entry.

1 comment:

Anonymous said...

You are confusing GPL issues with copyright law issues. The GPL does not and cannot determine what constitutes derivative work; that is determined by the copyright law and the court system that upholds it. So when you ask "what does the GPL say about that," your implied criticism is misdirected. The interpretation that linking against shared libraries constitutes derivative work comes from the FSF as the owner of a lot of the software in question, not from the GPL itself, and has yet to be tested in a court of law. Therefore your finding that the GPL is "flawed" really applies to the copyright law's definition of "derivative work" or alternately to the FSF's interpretation thereof, not to the GPL itself.

Also note that the GPL does allow linking with other free licences, and it's routinely done -- a bunch of BSD code is used in GPL projects all the time, and FSF's web site lists a large number of "GPL-compatible" free software licenses. The GPL is incompatible with OpenSSL specifically due to the infamous "advertising clause". See http://www.gnu.org/philosophy/bsd.html for a writeup on why the FSF (and not just the FSF) considers the advertising clause to be a hindrance.