Dear Mr. McBride,
Recently you wrote an "open letter to the open source community" published September 9, 2003 by LinuxWorld. This reply is from a group within the open source / free software community. Because you addressed your letter to our community-at-large, we thought we should answer you ourselves.
Our community isn't organized hierarchically like a corporation, so it has no CEO or overall leader in that sense, except that Linus Torvalds leads Linux kernel development and Richard Stallman leads the GNU Project and the Free Software Foundation (FSF). We have written this letter together on the website Groklaw, which is a research and news site currently dedicated to covering developments in the news about your company.
Quite a number in the group are software engineers, including contributors to the Linux kernel. Others are proprietors of Linux-based businesses or executives or employees of Linux-related businesses. A few of us are lawyers, one is a paralegal, one a stockbroker, at least one is a physicist, a couple are journalists, one is a retired policeman, another a retired truck driver, others are in or have been in the military, and some work or have worked in government. We also have experienced UNIX programmers among us who personally witnessed the history of UNIX since its inception, participated in its development, and know the software well. One of us is a non-technical grandmother who installed GNU/Linux herself recently and fell in love with the software. We are a large, international and varied group of people, which is appropriate because GNU/Linux is developed and used worldwide and the open source community to which you directed your letter is both global and diverse.
VIOLATIONS OF THE GPL AND COPYRIGHT LAW
Our first purpose in writing to you is to draw to your attention that there are consequences to violating the GNU General Public License, the GPL.
You have continued to distribute the Linux kernel, despite alleging that it contains infringing source code. Simultaneously, you are attempting to compel purchase of "Linux Intellectual Property" licenses for binary-only use, the terms of which are incompatible with freedoms granted under the GPL.
According to the GPL, any violation of its license terms automatically and immediately terminates your permission to modify or distribute the software or derivative works. Note the wording of the GPL:
"4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.
"5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it."
Releasing software under the GPL is not the same as releasing it into the public domain. Authors retain their copyrights to software licensed under the GPL. Even when authors assign their copyrights to someone else, such as to the Free Software Foundation, the copyrights remain valid, but with the new owner. Therefore, subsequent to termination of your permissions under the GPL, you are in the unhappy position of violating the copyrights of the software authors, if you continue to distribute their software. Under copyright law, you are not allowed to distribute at all without their permission -- and they have chosen to grant that permission only by means of the GPL.
YOUR INVOICES WILL PROVOKE LEGAL ACTIONS
With regard to the invoices you have said you will mail out by October 15, we caution you that we believe that any such action will expose you to civil lawsuits under both federal and state consumer protection laws, as well as to possible criminal prosecution and penalties should state and federal agencies, attorneys general, and district attorneys decide to get involved, which we fully intend to ask them to do upon receipt of any invoice from you.
For just one example of state consumer protection laws, we suggest that you read Article 22-A of New York's General Business Law, Sections 349 and 350. Similar laws are on the books in other states. The Linux kernel developers also have copyright law to rely upon to protect their rights. Linux-based businesses may also avail themselves of other commercial laws, such as trade libel law.
Should we receive invoices from you, we will initiate civil actions under the anti-fraud and consumer protection statutes wherever we live, according to our respective circumstances. We also intend to contact our state attorneys general to request that they seek criminal as well as civil penalties against you, in addition to injunctive relief. In addition, we will file complaints with the FTC and other federal and state agencies, as appropriate. Some individuals have already sent letters to legislators in their respective states and in Washington, DC.
We purchased GNU/Linux software in good faith, and we chose it precisely because it is released under the GPL. We will not accept your attempt to charge us a second time for a product that we have already bought and paid for, most of us from vendors other than yourself. Furthermore, we accept no license other than the GPL for GNU/Linux software. For one reason, it is the permission to modify our software that we treasure. Here is how the GPL FAQ explains the value of being able to modify software:
"A crucial aspect of free software is that users are free to cooperate. It is absolutely essential to permit users who wish to help each other to share their bug fixes and improvements with other users."
This is one key to the justly renowned stability and security of GNU/Linux software, and we have no intention of reverting back to the Dark Ages of binary-only software permissions, having already made the conscious and informed decision to escape from and avoid such like the plague.
WE DO BELIEVE IN COPYRIGHT LAW
Despite the false impression you attempt to paint in your letter -- that we are a lawless community that doesn't respect copyright law -- we wish to inform you that we do believe in copyright law. It is the legal foundation upon which the GPL is built, and we rely upon it to protect our rights. If the Linux kernel developers didn't believe in copyright, they would have released their software into the public domain instead of choosing to license it under the GPL.
You are required by law to respect the Linux kernel authors' copyrights, as well as the license they chose to use, the GPL. It is hypocritical to complain of alleged violations of your copyrights and licenses while at the same time disregarding the equivalent legal rights of others.
YOU HAVE SHOWN US NO INFRINGING SOURCE CODE
You have refused to show us, much less prove, any infringing source code. If you showed source code that proved to be infringing, it would be immediately removed. Linus Torvalds, Richard Stallman, and the FSF's attorney, Eben Moglen, have each told you so repeatedly as men of honor. You refuse to let that happen. Why? It appears to us it is because you have no infringing source code to show.
Your most recently filed 10Q shows your UNIX business declining, even as Linux continues to grow in market acceptance. If you are refusing to show the source code to prevent its removal because you wish to charge a perpetual toll, in effect riding on the coattails of the more successful GNU/Linux software, that is a shameful tactic. You cannot compel Linux developers to retain your source code, even if any infringing code existed. An alleged infringement is curable by removing the infringing source code. If you can identify any infringing source code, please do so, prove it is infringing, and let us remove it, because we surely do not want it.
Even more shameful would be to try to destroy, co-opt, or make proprietary, the labor of thousands of good-hearted volunteers who did not volunteer to work for you, do not wish to be exploited by you for your monetary gain, and have already chosen to release their creative work under the GPL.
If your concern is that evidence will be removed before your claims against IBM and its counterclaims against you can be heard in court, that is a baseless concern, because the Linux source code is and always will be publicly available for review by any court. Secrecy is not an option under copyright law. If you make allegations of copyright infringement, you must offer proof.
We do not need or want your legacy UNIX source code. It would be a violation of the GPL to accept proprietary source code into the Linux kernel. If there is proprietary source code in the kernel, we want it removed just as badly as you do, perhaps more so, because we believe in the GPL. Just because people will not walk through your front door to buy your software, you have no right to compel them to pay you through the back door for what they did not voluntarily choose to buy. You must, therefore, try to find a viable business model without our compelled participation.
Any claims you may have against IBM are between you and IBM. It is a contractual dispute to which we are not parties. If you have any valid contractual claims, they will be settled in a court of law, but your remedies in that dispute lie with IBM and IBM alone, not with Linux users. Even if some misappropriation were to be established, you cannot collect twice for the same transgression. Further, we note that to date you have filed no copyright claims against either IBM or Red Hat.
SOURCE CODE CAN BE BOTH IDENTICAL AND LEGAL -- THE BSD CONNECTION
Since the beginning of this year, you have claimed that there is infringing source code taken from your version of UNIX and illegally donated to Linux. But when two examples were shown at SCOForum, neither supported your allegations. For six months, we have listened to analysts say that some source code appeared similar, if not identical. Yet what both they and you failed to investigate and determine is where that source code originated, how and by whom it was added to the software at issue, to whom it now belongs, and who is allowed to use it.
There is BSD source code in Linux which is legally there, and it will, of course, be identical to or similar to BSD source code in your software. The BSDi lawsuit revealed that the AT&T source codebase includes a great deal of BSD source code. Caldera itself also later released "Ancient UNIX" source code under a BSD-like license. Consequently SysV contains substantial amounts of source code that SCO and others have already licensed for use and that the open source / free software community may legally use.
WE POLICE SOURCE CODE EFFECTIVELY -- DO YOU?
It took only a day or so for the source code shown at SCOForum to begin to be identified by members of the open source community. If we do not police source code effectively, as you claim, why were they able to so quickly identify the code? You, in contrast, had no idea where that source code came from, or to whom it belonged, or you surely would not have used it to attempt to prove "infringement" of "your" source code. The evidence indicates it is your due diligence system that is broken, not ours.
If the legal departments of corporations represent to Linus Torvalds that they have ownership rights to source code they donate, what more can reasonably be expected? Do you have methods in place to prevent GPL source code from being improperly inserted into your proprietary software? Would you be willing to allow us to check for such violations? We particularly wish to check your Linux Kernel Personality (LKP) source code. We suspect that there may be GPL source code taken from the Linux kernel and used in LKP without authorization, and we challenge you to prove this has not happened by showing us your LKP source code, throughout its complete development history to date.
Any proprietary software company can police its own source code in Linux by checking the Linux source code. The Linux kernel is open to the public. If you see any source code that you believe is yours, you have only to speak up, and it will be immediately removed, upon confirmation that it is infringing. That is what you should have done. It's a superior feature in the open source method that all you need to do is your own due diligence. Any interested party can verify that no copyright infringements are taking place, simply by looking at the published source code. This creates strong incentives for honesty and provides far greater protection for copyright holders than your proprietary system, where source code can be misappropriated and hidden and no one can check for it, short of a lawsuit. Perhaps that is why proprietary software companies are so often locked in legal battles, something you rarely see in the open source / free software community.
With regard to broken systems, how could it happen that while working with the Linux kernel source code for years -- and your company did -- you never noticed any infringing source code? And how do you explain that you released the allegedly infringing source code in your own distributions of Linux for years without noticing it was in there?
If Linux did contain infringing UNIX source code that you failed to notice for years, or noticed but did nothing to prevent, despite the fact that the Linux source code was freely available at any time for your review, it raises questions about your internal processes and procedures for protecting your copyrights rather than demonstrating any purported "breakdown" in the open source methodology.
INDEMNIFICATION IS A RED HERRING
Anyone considering surreptitiously inserting proprietary software source code into Linux knows they would be quickly discovered and identified by name. That is your indemnification and your protection. We believe our system for policing source code is far more exacting and successful than your own.
On the subject of indemnification, we note that the software license which you propose to sell does not offer indemnification from lawsuits brought by other companies. And we think we should inform you that warranties are permitted under the GPL:
"1. . . .You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee."
We do not feel we need it; the open source method protects us sufficiently, but it is certainly negotiable if we wish to pay for it.
Proprietary software companies regularly file lawsuits against each other for copyright infringement, patent and trademark violations. Microsoft has been found guilty recently in several cases, but despite the fact that the GNU Project was begun in 1984 and Linus Torvalds began the Linux kernel in 1991, there has never been a claim of copyright infringement that we know of in all those years, let alone a finding of guilt. The record shows which method has done a better job of policing source code, which reveals that your call for indemnification is, to put it bluntly, FUD.
WE RESPECT THE LAW
With regard to your talk of having experienced a DDoS attack and your request that we aggessively police the community, your request is like us asking you to police Microsoft to ensure it never again breaks antitrust law or never again violates anyone's patents, trademarks, or copyrights.
Just because you are both proprietary software companies, it doesn't follow that you can control what Microsoft does or should be criticized as if you condoned their actions just because you are in the same proprietary camp. Whether it is individuals or companies that break a law, it is wrong, but it reflects only on the individual perpetrator. We expect you to make that distinction for us, as we do for you.
There is a legal process for such matters. Not everyone accepts as established fact that there was an attack. The doubt is based on the fact that your employees were quoted as saying that reports of an attack were untrue and that you took your servers down for maintenance yourself and then had trouble getting them back up again. We observed that the "attack" kept business hours, Utah time, for much of that week. If the information your employees provided was false and there was in fact a network denial of service attack on your servers, we naturally abhor such behavior. Your implication that we would feel otherwise is deeply insulting and offensive.
We would think, however, that a capable information technology company that sells web services software would have the technical know-how to handle a DDoS attack, if that is really what happened. Most such companies do handle them without being brought to their knees for a week. We are glad that you say you have since learned technical steps you can take to protect yourself in the future.
WHO MAKES UP THE OPEN SOURCE COMMUNITY TODAY?
Kindly bring up-to-date your concept of the people and organizations that make up the open source community. Your letter attempted to portray us as a counter-cultural fringe element. On the contrary, the truth is that our community is very much in the mainstream already and includes many of the largest and most successful businesses today, including IBM, Red Hat, Merrill Lynch, Lucent Technologies, Unilever, Verisign, Dell, Amazon, Google, Dreamworks, Los Alamos National Laboratory, Oak Ridge National Laboratory, the US Department of Defense, the US military, and many other federal, state, and local governments and governmental agencies, including, by the way, the town of St. George, Utah.
You can read a list of companies and governmental agencies that use GNU/Linux at Linux International's "Linux Success Stories" webpage. The Linux Documentation Project also has such a webpage, called "Powered by Linux!", as does the Linux in Business website. The Linux Counter calculates there are currently 18 million users of GNU/Linux software.
With so many businesses, educational institutions, governmental organizations, and individual users switching to our software, we must be doing something right.
LINUX ALREADY HAS A BUSINESS MODEL
Your inability to make your Linux business a success, while unfortunate for you, parallels your company's failure to make your UNIX business a success. Perhaps the problem isn't Linux, the GPL, or the open source business model.
Economist Amy Wohl is of the opinion that "The Open Source Community Has a Business Model" and one that is successful. Ms. Wohl is an analyst who has been covering IT for nearly 30 years and who currently comments on the commercialization of new and emerging technology. Here are her comments, which we include with her kind permission:
"As an economist, let me assure you that Open Source has a business model. It simply isn't one that a traditional company like SCO, which expects to be paid for source code, can figure out. There are still lots of companies that can charge for source code, but only when the source code they are offering is valued by customers because it is unique or convenient or offers other recognized value. Other companies (IBM is a good example) charge for their Linux-compatible middleware source code, but honor the Open Source community by supporting it with technical and financial assistance and by strongly supporting the open standards that permit customers to choose to use Open Source code when they prefer it and purchased source code when they find it, for whatever reason, more valuable. Then, as many posters have noted, IBM extends its business model into the future by providing services to help customers plan, design, implement, and customize whatever combinations of hardware, open source, and proprietary code the customer prefers.
"That is the new business model and it seems to be a very successful one."
DUAL LICENSING IS AN OPTION
We suggest that you ask your attorneys to explain the Lesser General Public License (LGPL) to you. If they are not familiar with the LGPL, contact the Free Software Foundation, and they can help you to resolve your misunderstanding and confusion about the GPL and how it works and can explain to you how the LGPL can help your business to thrive, should you insist on continuing with the old proprietary software business model. Companies such as MySQL distribute software simultaneously under both open source and proprietary licenses, a practice that is acceptable, if not ideal, under the GPL.
It is not a violation of the GPL to sell software released under that license. As the GPL FAQ points out, "The right to sell copies is part of the definition of free software." The "free" in free software refers to freedom, not that you can get it gratis. Many of us have paid for our free software, simply because it's more convenient than downloading it or as a way to thank the wonderful folks who developed and shared it with the world. If you're looking for a successful business model, you might consider the tried and true model of satisfied customers.
We have prepared a research document with links to evidence supporting our position and other resources that you may find helpful, including information about the GPL and the LGPL and how they work. The Inquirer is making our research document available online. We hope it will help you understand our position better and prove a useful resource to you and others interested in this controversy. We also believe it demonstrates that we have right on our side and that we will win.
Thank you for writing to us. We appreciate the opportunity to answer your letter. We trust you will give our response due consideration. Thank you for your time.
Members of The Open Source / Free Software Community at Groklaw
Groklaw is a technology legal news and research website currently dedicated to covering the SCO litigation and related news.
Copyright © Groklaw, 2003 Verbatim copying of this letter is permitted in any medium, provided this notice is preserved.
Sign up for INQbot – a weekly roundup of the best from the INQ