Conservancy Blog

Displaying posts tagged conservancy

Conservancy and Bro Announce End to Bro's Member Project Status

by Conservancy + Bro LT on June 4, 2018

Software Freedom Conservancy, a charity that provides a home to free and open source software projects, and the Bro Leadership Team announce that the Bro Project, an open source network traffic analysis framework, will end its status as a Conservancy member project.

During its time with Conservancy the Bro project successfully raised funds and spent them effectively to support the community. For example, Conservancy helped Bro manage a substantial MOSS grant, which created an ecosystem for Bro community contributions through the new Bro package manager & repository. Conservancy also supported three conferences as well as smaller workshops, helped acquire trademarks for the project, and assisted in many other ways. In recognition of all of this work, the Bro Leadership Team is donating $10,000 to the Conservancy’s general fund to aid them in their ongoing efforts to promote and support software freedom and provide a home to other member projects.

The mutual decision for Bro to leave Conservancy is a result of the changing nature of Bro’s community of core contributors, and the diminished fit between the rapidly growing project and Conservancy’s charitable goals and corresponding services. Conservancy will assist Bro moving back to the International Computer Science Institute (ICSI)—the project’s previous home for more than a decade.

When the Bro project first joined Conservancy more than three years ago, the project was primarily a collaboration between two different academic institutions: ICSI and the National Center for Supercomputing Applications (NCSA). At that time, Bro’s development was funded mostly through substantial awards by the U.S. National Science Foundation (NSF), who set out to advance Bro into a powerful security tool for the nation’s education environments and scientific institutions.

Today, the Bro community looks different. With the NSF funding winding down, the team at the NCSA that heavily contributed to Bro for nearly a decade has significantly reduced their work on the project. Most of the core team of Bro is now affiliated with Corelight, placing the company at the center of Bro’s future development—which mismatches Conservancy’s charitable mission. While Bro’s strong footing in the academic community remains, the Bro user community overall has expanded from the public sector to the private sector. This shift has also been reflected in Bro conference attendance. These successes and rapid changes have led to an evolution of the project such that its trajectory is less of an apt match to Conservancy’s goals and services.

Going forward, ICSI will once again provide the Bro Leadership Team with asset and financial management as the project moves into a new phase of its life cycle. The Bro Leadership Team will continue to steer the project’s overall direction as an independent entity working in the best interest of Bro’s large and diverse open-source community, and Conservancy is fully committed to helping Bro transition smoothly to its new home.

Tags: conservancy, Member Projects

Update on Trademark Action (Fraud Claim Dismissed, New Filing)

by Bradley M. Kuhn on April 30, 2018

As per our commitment to transparency, here's a brief update on the trademark action we have discussed previously.

On Thursday, the Trademark Trial and Appeals Board (TTAB) dismissed SFLC's claim of fraud against Conservancy, as we predicted.

This sensible ruling is just the next step of many; the suit will proceed at the usual near-glacial pace of litigation. On Friday, we moved to the next procedural step, which is to ask the TTAB to allow us to update our answer as planned.

UPDATE: as of 2018-08-24, the Summary Judgement motion is refiled and pending before the TTAB.

We continue steadfast in our previous position: the entire matter remains a waste of resources for both organizations, and SFLC should do the honorable and right thing and simply withdraw their complaint.

Tags: conservancy

Conservancy at LibrePlanet 2018

by Molly deBlanc on March 22, 2018

On March 24-25, hundreds of free software activists, community managers, hackers, legal experts, and all-around fans will meet in Cambridge, MA for LibrePlanet 2018, the Free Software Foundation's annual conference and members meeting.

In addition to everything else happening there, Conservancy's own Bradley Kuhn, Brett Smith, Karen Sandler, and Denver Gingerich -- our part-time compliance engineer -- will all be speaking.

Topics covered include copyleft, the usability of the GPL, medical devices, and free software in business.

  • State of the copyleft union
    Bradley Kuhn, Distinguished Technologist

    The license-importance divide seems almost generational: the older generation cares about licenses, and the younger generation does not. Yet, the historical focus on licensing in FLOSS, while occasionally prone to pedantry to a degree only developers can love, stemmed from serious governance considerations regarding how community members interact.

    Copyleft was invented to solve the many problems of project governance, assuring the rights of users and creating equal footing for all contributors. The licensing infrastructure today also has increased in complexity, with proprietary relicensing business models, excessive use of CLAs, and tricky clauses on top of existing licenses.

    Given this climate, how do we understand if copyleft is succeeding? This talk explores historical motivations and modern reactions to these licensing matters, and digs into understanding how policies have impacted Free Software communities for both good and ill.

  • A usability study of the GPL
    Brett Smith, Director of Strategic Initiatives

    We want software creators to use the GPL and its cousin licenses. We also know that people make mistakes in the process, or don’t even try because they’ve heard it’s "too complicated." Just as we do when we develop software, we would do well to study these failures and use them as opportunities to improve the usability of the GPL. This talk aims to start that process by identifying some known problems and considering some possible solutions. (None of these solutions are a new version of the license!)

  • Copyleft, Diversity & Critical Infrastructure
    Karen Sandler, Executive Director

    GPL enforcement and Outreachy are the two most visible and controversial programs that Conservancy undertakes. In this talk, Karen will explore how the programs fit together in the context of software freedom generally. Karen will review her work around medical devices and critical infrastructure and show how seemingly disparate initiatives fit into a single advocacy narrative.

  • Freedom, devices, and health
    Mad Price Ball, Rachel Kalmar, Dana Lewis, Karen Sandler

    When it comes to health, freedom is literally visceral. How do the principles of freedom apply to the devices used for medicine, health, and wellness? Moderated by Mad Price Ball, a Shuttleworth Foundation Fellow, this panel introduces leaders that bridge industry, community, and individual experiences. Rachel Kalmar (Berkman Klein Center), uses her experience with sensors and wearables to confront how devices and their data interact with a larger ecosystem. Dana Lewis (OpenAPS) connects us to health communities, and her work with the Nightscout project and patient-led efforts in type 1 diabetes. Karen Sandler (Software Freedom Conservancy) shares her experience as an individual with a device close to her heart: a defibrillator she uses, as a matter of life or death -- and she cannot get the source code to it. Join us to learn about how freedom matters for devices in health.

  • In business: Keeping free software sustainable
    Denver Gingerich, Compliance Engineer

    Starting a business is a big decision, and choosing to share its results with the world is perhaps bigger still. Denver started JMP early last year, and faced this very choice, deciding to release all of JMP's code as free software and to charge money to use the instance he runs. In this session, Denver will describe why he chose to build a free software business, and will discuss the details of the business model he arrived at, alongside other business models for free software companies.

    Few contributors are paid to work on free software today, and far fewer are paid by non-profit organizations (or even by small businesses). It is imperative for us to explore how we can sell free software, especially through non-profits and small businesses, so we can bring freedom to more people and, just as importantly, build sustainable futures for our contributors.

More information is available on the LibrePlanet 2018 website.

Organized by the FSF, LibrePlanet is focused entirely on user freedom. We hope to see you there, in our talks or at the Conservancy booth in the exhibit hall.

Tags: conservancy, conferences

Copyleft compliance misconception #1: Companies check their source builds before publishing

by Denver Gingerich on February 15, 2018

We often hear from people that are confused about why companies fail to meet their copyleft compliance obligations - it seems fairly straight-forward to do, so why don't they all do it? In its many years of experience attempting to help companies comply with the GPL and other copyleft licenses, Conservancy has seen first-hand how many of the expectations software users have about how a company would release source tend to not be met the majority of the time. This post is Conservancy's first in a series on these common misconceptions about copyleft compliance, which will hopefully provide some insight for people wondering why these expectations are seemingly seldom met.

Misconception #1: Companies check their source builds before publishing

If you use or develop free and open source software, you probably find it natural for software projects to make building and installing their software as easy as possible (or at least to provide contact points in case it is not). This is because getting people to use or contribute to such projects depends on these projects being straight-forward to build and install, otherwise people would just use something else (since normally they would have little invested in a project they can't build or install).

As a result, when companies publish source code as a result of their obligation to comply with the copyleft licenses in the software they distribute (usually this is their primary motivation - in rare cases (so far as we see it) companies are motivated primarily by engaging with the free software community, which we naturally try to encourage as much as possible), they do not have the same incentives as you would normally expect of a project distributing free and open source software. Consequently, companies tend to spend most of their time ensuring that whatever product they're selling to you (be it a router, Blu-ray player, smartphone, etc.) performs the functions it's intended to perform and meeting their bare obligations when it's shipped. They don't spend very much time working on the build and installation experience for those who would like to modify the software running on it after they receive it.

Furthermore, determining which parts of the device's overall build and installation process a company considers to be confidential is often not done, or is done under pressure so close to release time that the company does not wish to try untangling the portions they consider confidential from the portions that they are required to release in order to fulfill their obligations under the copyleft licenses for the software they chose to use.

What we normally see as the outcome of this (in the hundreds of source releases we've evaluated) is that the source code companies provide is nowhere close to meeting the requirements of GPLv2 (which is the copyleft license we most often see being violated), which state that companies must provide "the complete corresponding machine-readable source code" for all the GPLv2-licensed software on the devices they distribute and that "The source code for a work means the preferred form of the work for making modifications to it [which includes] the scripts used to control compilation and installation of the executable."

There are a variety of reasons that a company's source release might fail to meet the above requirements. In many cases we find that the versions of the source packages they provide are nowhere close to the versions of the binaries they distribute. Or their source release is missing entire source packages - i.e. they distribute a binary for Copylefted Project A, but do not provide any source code for Copylefted Project A, even though they might include source for Copylefted Project B.

Even if the above issues are not present, most often we find that there are no scripts at all for installing the software on the device (either in machine- or human-readable form), and any scripts we might find for controlling compilation of the executable are little more than what the original maintainers of the source package provided (which normally means people outside the company shipping the device). As a result, the compilation does not succeed because any changes the company made to the original source package are not considered in the build instructions (the company likely got it to build at least once, in order to ship it on the device, but decided not to document or share that process in their source release). This is particularly frustrating to the people who report the violations to us, as they often want access to the source code to do something particular with the devices they own.

After seeing this pattern in dozens of different source releases from dozens of different companies, it is clear to us that companies do not normally check to see if the source they release can actually be built and installed. Rather than being motivated primarily by meeting the perceived legal requirements of copyleft licenses and thus releasing markedly incomplete source code, our hope is that more companies will start to see the primary motivation for source releases as a way of engaging with the free software community, from which correct build and installation instructions (and indeed fully compliant source releases!) will naturally follow. We've already seen community development projects like SamyGo and OpenWRT form around Samsung TVs and Linksys routers and we hope other companies will see the benefits and help build such communities right from the start.

Tags: conservancy, GPL
