CopperheadOS Fights Unlicensed Installations On Nexus Phones (xda-developers.com)
An anonymous reader writes:
Earlier this week security-hardened Android build CopperheadOS temporarily blocked Nexus updates on its servers after finding out that other companies have been flashing the ROM onto Nexus phones and selling them commercially in violation of the CopperheadOS licensing terms. The incident highlights an inherent problem in getting open source to be used by the masses: the difficulty of organizations being able to build and monetize a successful, long-term open source business model...
"We've enabled over-the-air updates again," CopperheadOS tweeted Saturday, "to avoid impacting our remaining customers on Nexus devices and other legitimate users. However, downloads on the site will no longer be available and we'll be making changes to the update client for Nexus devices."
In an earlier series of tweets, they explained it's an ongoing issue. "It's not okay to disrespect our non-commercial licensing terms for those official builds by flashing and selling it on hundreds of phones... This is why we've been unable to sell access to Pixel images. There are people that are going to buy those and flash + sell devices in direct competition with us in violation of the licensing terms. Needing to deal with so many people acting in bad faith makes this difficult.
"It's not permitted for our official Nexus builds and yet that's what's happening. We do all of the development, testing, release engineering and we provide the infrastructure, and then competitors sell far more devices than us in violation of our licensing terms. Ridiculous."
Not sure they understand licensing (Score:5, Informative)
Re: (Score:2)
Isn't the GPL specifically designed to prevent this?
Re: Not sure they understand licensing (Score:2, Informative)
No. That's likely incorrect.
The Linux kernel is released under the GPLv2, but the rest of Android is released under the Apache License. The Apache License is permissive. It's not a copyleft license. Apache-licensed software can be relicensed.
The GPL only applies to the Linux kernel. The GPL requires that users who have received a copy of the software binaries must be allowed to receive a copy of the source code. GPL software can be sold and the license makes no restrictions on the price. The vendor is only
Re: (Score:3)
Only the copyright holder can relicense the software, even if it's under the Apache license. While others can put their license on a work, it is not valid for pieces that they do not own. They can't go to court and enforce rights on the software as if it was under their license and they owned it. They can only enforce their own license terms on the pieces that they actually own.
Re: (Score:2)
But a modified version CAN be re-licensed. They can add their modifications to the Apache licensed code and license the resulting code any way they want. Even if the modifications are minor.
Re: (Score:2)
But a modified version CAN be re-licensed. They can add their modifications to the Apache licensed code and license the resulting code any way they want. Even if the modifications are minor.
What? Who told you that? The lines of code they actually wrote can carry their license, but they can't relicense a whole file just because they made changes to it. Even if they did, they'd only be creating an unauthorized derivative work.
Re: (Score:2)
Re: (Score:2)
What? Who told you that? The lines of code they actually wrote can carry their license, but they can't relicense a whole file just because they made changes to it. Even if they did, they'd only be creating an unauthorized derivative work.
/facepalm
If there was an award for being the most outspoken idiot on slashdot, you would have gnawed on the plutonium medal after winning it several times now...
http://www.apache.org/foundati... [apache.org]
Even if you change every single line of the Apache code you're using, the result is still based on the Foundation's licensed code. You may distribute the result under a different license, but you need to acknowledge the use of the Foundation's software.
Re: (Score:3, Informative)
They may not understand licensing, but they (the people behind CopperheadOS) also don't understand hypocrisy.
CopperheadOS is based on Android (which they didn't create), which itself is based on the Linux kernel (which they also didn't create). They are perfectly happy to take the work of others and use it for their own benefit, but when someone else does that to THEM . . . . .ZOMG!!! IT'S TERRIBLE!! WE CANNOT ALLOW THIS!!!
STFU.
Re: (Score:2)
Never mind the fact that the cost is out of this world
Yes, the cost of producing a secure operating system is pretty high. Hence the price of the product.
Re: (Score:2)
They may not understand licensing, but they (the people behind CopperheadOS) also don't understand hypocrisy.
CopperheadOS is based on Android (which they didn't create), which itself is based on the Linux kernel (which they also didn't create). They are perfectly happy to take the work of others and use it for their own benefit, but when someone else does that to THEM . . . . .ZOMG!!! IT'S TERRIBLE!! WE CANNOT ALLOW THIS!!!
STFU.
There is no hypocrisy in this.
Linux and Android provide a common "floor" that everyone can build from, in the same way that there is a massive base of shared public knowledge in science and engineering that we all tap into when we start making physical products.
The makers of Apache understood that the software they were all contributing to would offer benefits to private companies as well as the universities they worked for, and they understood that they were contributing to creating a shared knowledge bas
Re: (Score:2)
Actually, they took the source code, modified it, then said you can have the source code and they're keeping control over the binaries which they built. You're allowed to build, modify, and distribute their work; you're not allowed to download the ready-to-go package, flash it, and sell phones.
They're not downloading Google's Android image, flashing it, and selling phones, either. They built their own--with modified code, even.
Re: (Score:2)
The Linux kernel is licensed under GPLv2, but the rest of Android is licensed under the Apache License.
The binary firmware blob is under the GPL, because the Apache 2 license is GPL-compatible, what happens is the entire BLOB file which is distributed is subject to the most restrictive license, and distributing a Blob containing GPL binary code with additional non-commercial use restrictions would be a GPL violation.
Re: (Score:2)
I'm not so sure. I think the binary blob is an aggregation of multiple works rather than a derivative work of the GPL kernel in its entirety. You can install it and extract the pieces separately.
You can enforce the GPL on the pieces within the blob that are under GPL, and the pieces that are combined to make a single program with the kernel. But not the whole of user-mode, etc.
Re:Not sure they understand licensing (Score:5, Interesting)
The Apache 2.0 License most of Android is under permits Sublicensing, but not complete License Replacement -- the new license needs to include the Apache terms.
ALSO, the License they have cited the CreativeCommons-NonCommercial-ShareAlike is NOT DESIGNED to be used for software source code and binaries, and it does not even qualify as an Open Source software license.
Re: Not sure they understand licensing (Score:1)
Are you certain of this?
The GPL doesn't require that a vendor release binaries to anyone. The vendor is free to charge a fee or to only distribute the binaries to non-commercial users. They're also required to provide the source code upon request to users who have received the binaries.
Those who receive the source code are free to modify and redistribute it under the GPL. It's clear to me that the GPL requires that source code can be redistributed. It's also clear that derivative works can be redistributed,
Re: (Score:2)
Can you point me to where in the GPLv2 it indicates that the original binaries must be able to be redistributed without restriction?
You mean GPL v3. Don't you?
In any case, you're asking the wrong question. CopperHeadOS is clearly implying that their new licensing applies to the entire source code, not just the binaries. And they're actually happy that this new license has had a chilling effect on their competitors capable of building their own binaries themselves.
Aleksa Sarai: @LordCyphar - 23hr [twitter.com] Wouldn't that be an argument that GPLv3 would still work, you just need to not provide binaries that people can hock off for their own products? Bad actors will always exist, so I don't see how GPLv3 is less helpful than CC-BY-NC-SA in this area?
CopperHeadOS: @CopperHeadOS - 23h [twitter.com] There are very few individuals and companies willing to build illegal businesses on our code. GPLv3 let them do it legally and we were unable to have even close to a sustainable business. CC-BY-NC-SA has substantially improved the situation.
And if you don't believe my interpretation of CopperHeadOS's response, just read the content of their new CC-BY-NC-SA license [github.com] for yourself and take a look at one of the many lo
Re: (Score:2)
Re: (Score:3)
Also, if you sublicense the Apache software, you still only get to enforce the license on the pieces that you own, not the Apache pieces.
It's Not Open Source (Score:3)
CopperheadOS uses the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International license as its compilation copyright and as the copyright on their new work. That isn't an Open Source license. It violates rule #6 of the Open Source Definition.
Re: (Score:2)
Open Source does not mean free! I am tired of seeing this misunderstanding. It means what it says, Open Source! the SOURCE is OPEN.
Re: (Score:2)
It means what it says, Open Source! the SOURCE is OPEN.
That sounds great in theory, but in practice it means that anyone can build their own binaries, so why should they pay you?
Plenty of people (including me) make money writing FOSS, but few of us do it by "selling the software", and those that do don't earn much.
Re: (Score:2)
Not if it is against the license - you could have access to the source code but have a license that prohibits redistribution. Or a license that prohibits use without paying for it.
Re: (Score:2)
Re: (Score:2)
Open Source means that you can download the source code for your own use [hyperlogos.org], it does not mean that it conforms to the OSI's vision of what Open Source should mean if they were allowed to trademark it — which they aren't, because it already had a meaning when the OSI became a thing, and it already had a meaning when Bruce &co claim to have invented it.
Can the offending phones be bricked? (Score:1)
Re: (Score:3)
They could do that if they want to go to jail..... ILLEGAL.
Re: (Score:2)
Re: (Score:3)
Re: (Score:3)
There are several legal issues here. You can't brick the phone preventing installation of a replacement for your software, and you can't prevent 911 calls. Other than that, you could indeed deny access to features by license violators or those who got their phones from license violators.
That said, it bothers me that they misrepresent their system as Open Source (wrong license to be Open Source) and it sounds like they have less than a full understanding of what pieces their license applies to (only the ones
Re: (Score:2)
When the GP writes "Poison Pill" update, one thinks of a software update which is developed to be deliberately destructive --
rendering the basic functions of phone inoperable, at least without manually re-installing the operating system...
knowingly deploying such an update in way users would be expected to automatically receive it, is essentially writing and propagating sabotage malware through a system users expect to receive bug patches ---- the reason Jail time could result is that willfully dev
Re: (Score:2)
Because some people give away their software, the Pandora's box has been opened. A very vocal
Re: (Score:2)
You can put your configuration under a compilation copyright. It can be argued, however, that most of what they do to enhance security is functional, and thus not subject to copyright under 17 USC 102(b). The copyrighted matter in your program is the artistic choices you make when you have more than one way of doing things. Not every line of your code. Not function definitions and returns, data structures, and anything required for compatibility with something else. Read up on CAI v. Altai to get more of an
Re: (Score:2)
then if you turn around and steal it, then you are a thief.
Yes, the people who wrote CopperheadOS are thieves. The security layer of Android is at the Linux level.
The people who wrote CopperheadOS are free to charge whatever they want for their modifications, but they are not allowed to retroactively change the open source license of Linux by dictating that their code can only be used non-commercially.
So they distribute open source software (Score:4, Insightful)
written by others, adapted by themselves, and now they are whining that someone else does the same with their variant? Another company that does not understand that there is no right to have paying customers.
After these tricks and their announcement I would not trust their software anymore. Who knows what malware they are going to distribute to anyone they might think uses their software from other channels?
Re: (Score:2)
Not exactly. They are complaining about people using their compiled and packaged binary without paying the licensing fee.
Note that this is not in violation of even the GPL as distribution costs can be charged.
The problem is not with open-source software (Score:5, Insightful)
This is FUD. If CopperheadOS prohibits selling it commercially, then they are not using an open-source license. By definition, open-source licenses cannot prevent others from selling the software commercially or otherwise prohibit redistribution or discriminate against fields of endeavor (including business use).
And, indeed, most sources (e.g. https://en.wikipedia.org/wiki/... [wikipedia.org]) call the Copperhead license "source available" rather than "open source" because of these non-open-source restrictions.
See https://opensource.org/osd [opensource.org]
1. Free Redistribution
The license shall not restrict any party from selling or giving away the software as a component of an aggregate software distribution containing programs from several different sources. The license shall not require a royalty or other fee for such sale.
6. No Discrimination Against Fields of Endeavor
The license must not restrict anyone from making use of the program in a specific field of endeavor. For example, it may not restrict the program from being used in a business, or from being used for genetic research.
And flashing it onto a ROM would constitute a derived work covered under section 3 of the OSD.
Re: (Score:3)
You are correct that it's not an Open Source license. I do not, however, believe that a binary blob for an android install is a derivative work of the kernel in its entirety. It's an aggregation, like a Linux distribution CD. You can take it back apart. The GPL can be enforced on the GPL components in it and anything that is directly combined with the GPL program. But not just anything on the filesystem.
Re: The problem is not with open-source software (Score:1)
Agreed - developers conflating Open Source (OSI compliant) and proprietary licenses, including "non-commercial", causes wide-ranging problems. Not suggesting CopperheadOS do this, only a number of previous commenters
Source seems to be still available. (Score:1)
Re: (Score:2)
It is exactly Sveasoft.
CopperheadOS Is Not Open Source (Score:5, Interesting)
Re: (Score:2)
Not this again. If you can download the sources, then it's Open Source [hyperlogos.org]. Stop saying "Open Source" when what you mean is "OSI Approved".
Re: (Score:2)
Hi Martin,
I hope you're doing well and that this recent spate of nasty fires didn't harm you. My 17-year-old FIRE/EMS student fought the fire in Napa. Lots of smoke at my home.
It's ironic that you want to credit SCO for a cut-down definition of Open Source at the same time you criticize the legitimacy of the Open Source I announced to the world. That's what Caldera became, of course, and we are clear that they bore ill will for our community and are now a bankrupt failure. More interestingly, their attorney
Re: (Score:2)
It's ironic that you want to credit SCO for a cut-down definition of Open Source at the same time you criticize the legitimacy of the Open Source I announced to the world.
I don't actually. That's just the earliest reference for which I could find a citation. People in nerd communities like that in scruz (nominally centered around ucsc) were already calling it "open source" before SCO even had a product called "open desktop". That both I and SCO come from the same place is of course merely a coincidence, although I have been acquainted with many fine technical SCO employees including the lead developer of Xenix.
Despite some infrequent use of the two words together before my announcement, "Open Source" is the proper name for a campaign that I first announced to the world and started with the same ESR who is under discussion in this article.
It really is not. It really is the name for the practice of provi
Re: (Score:2)
I am promoting Free Software. Just not to the community to whom the words Free Software are resonant. And any use of Open Source to deprecate Free Software was not done with my countenance and is no longer relevant in any case.
You'll notice that even Bradley Kuhn of the Software Freedom Conservancy, a FSF-aligned organization, uses "FLOSS" [sfconservancy.org], which I find grating. But the reasons for not simply using "Free Software" in English are well known.
Re: (Score:2)
But until you come up with better terms and get everyone to use them, they're what we have now and trying to pretend they mean something neither the FSF or OSI have said they mean is really a gigantic waste of fucking time.
There is already a better term for what the OSI does, and it is "OSI Approved". "Open Source" already meant something when the OSI was created, and that the people who founded the OSI don't know that doesn't make them authoritative, it makes them ignorant.
Re: (Score:2)
Sorry, if Copperhead is an OS based on Linux, then Copperhead must be GPL
No that's not correct. Android is an OS based on Linux and it is not GPL. The kernel is GPL but the rest of the OS is under various other licenses including Apache. The Linux kernel COPYING [github.com] file explicitly states that programs that use the kernel via normal system calls do not constitute derived works under the GPL.
i see this crap all the time (Score:2)