Copyright © 2003 by Ian Lance Taylor
This document is licensed under a Creative Commons License [ http://creativecommons.org/licenses/by-nd/1.0/ ].
"For the love of money is the root of all evils; it is through this craving that some have wandered away from the faith and pierced their hearts with many pangs." |
|
1 Timothy 6:10 |
Last changed on $Date: 2003/08/30 05:13:07 $.
This essay first appeared on the Linux Journal web site [ http://www.linuxjournal.com/ ]. There was a discussion about it on Slashdot [ http://slashdot.org/article.pl?sid=03/06/20/1829248 ]. I have updated this essay since those appearances to reflect additional information.
This essay describes my visit to SCO on June 17, 2003, to discuss their claim that Linux infringes on their intellectual property rights. I visited their office in Lindon, Utah, for about one hour. I spoke with Chris Sontag, Senior Vice President, Operating Systems Divison, and with Blake Stowell, Director of Public Relations. In order to speak with them, I signed a non-disclosure agreement; I scanned in my copy after covering up the signatures: page 1, page 2, page 3.
The short version of this essay is that SCO's claims are not proven. The amount of information they were willing to show me was extremely limited, and does not appear to support their case. SCO claims to have additional proof which they did not show me, but it is odd that they did not select a more convincing example.
I won't give the full background here, as it is well covered elsewhere, such as Karsten Self's page [ http://twiki.iwethey.org/twiki/bin/view/Main/SCOvsIBM ].
The short version, as of June 17, 2003, is that SCO has sued IBM, alleging that IBM took work which was the intellectual property of SCO and incorporated it into Linux (when I say "Linux" in this essay, I mean specifically the Linux kernel, not a complete distribution). SCO is the current owner of Unix, which was originally developed by AT&T. SCO, which used to be named Caldera, purchased the rights to Unix from a different company named SCO, which has since changed their name to Tarantella. Along with Unix, SCO purchased a number of contractual agreements, including one with IBM. SCO is alleging that IBM has violated that contract.
SCO also sent a letter to some 1500 commercial users of Linux distributions, warning them that Linux may be an unauthorized derivative of code owned by SCO. That is, SCO alleges that Linux is actually to some extent owned by SCO, and may not be distributed under the GPL. The letter further claims that users of Linux may have legal liability because of this.
SCO said they would show the evidence that Linux is a derivative of Unix to independent analysts. With the help of Don Marti, the Editor in Chief of Linux Journal, I contacted SCO and offered to be one of those analysts. They agreed, subject to my signing the NDA and travelling to their headquarters in Lindon, Utah.
SCO's legal case is complicated by the fact that when SCO was named Caldera it was itself a Linux distributor, and it may have distributed, under the GPL, the code which it now claims to own. It also complicated by allegations that SCO has incorporated Linux code under the GPL into UnixWare. These issues may indeed cause SCO's legal case to founder, but not in the way I would prefer it to founder.
I took the trouble to do this because I care about what happens to free software in general and Linux in particular. The SCO claims have put a cloud over Linux. I have heard speculation from business acquaintances that the free versions of Linux will be shunned by corporate IT users, who will be unwilling to take the legal risk of using it. I don't think that would be good for Linux or for free software.
I remember the AT&T case against BSDI and the University of California, which arguably stalled BSD development for a few years, and, indeed, was arguably the root cause of Linux's popularity, since Linux was not stalled. SCO's case against IBM is in some ways a reprise of the AT&T case, and I fear that it has a similar potential to stall Linux development.
SCO was only willing to speak with people who signed a draconian non-disclosure agreement (NDA), one which essentially permitted SCO to declare any information which they provided to be confidential, regardless of whether the signer already knew it, and which gave no circumstances under which that information could be revealed. Most Linux developers were unable to sign such an NDA, as it could have easily prevented them from ever working on the kernel again. Similarly, employees of any company which worked with Linux could not sign such an NDA.
I have never contributed to the Linux kernel myself. However, I have worked with free software for over 10 years, including acting as a maintainer for projects owned by the Free Software Foundation, and I have plenty of personal knowledge of how free software development works. I am also currently not employed by anybody, but simply working as a contractor on work not related to Linux.
Thus, I felt going in that I was in a good position to sign the NDA and to analyze the information which SCO presented to me. While they could easily have made it impossible for me to contribute to the Linux kernel, they had no reason to do so, and in any case I had no particular plans to do any kernel work.
Before going to meet SCO, I asked three times if they would be willing to change the NDA. I suggested that they should change it to permit the disclosure of information when legally required by a court, that they should permit the disclosure of information when SCO specifically agrees to it, and that they should change it so that information which I already knew before meeting could not be treated as confidential. The only response I received was that they forwarded my suggestions to their counsel.
As it turned out, they actually showed me very little confidential information.
As mentioned above, I met with Chris Sontag and Blake Stowell. Chris Sontag did almost all the talking. In general, below, I just say "SCO says" and so forth, but Chris Sontag was the one who was actually talking.
Chris Sontag showed me a a series of PowerPoint (I assume) slides, and talked about them. I took notes on my laptop. He listened to my questions and tried to answer them. He did not show me anything beyond his planned presentation, despite my requests for some additional information.
The presentation was not the same as the one described by The Inquirer [ http://www.theinquirer.net/?article=10013 ]. It had similarities to the one discussed by Bruce Perens [ http://perens.com/SCO/SCOSlideShow.html ], though it was not identical.
SCO's presentation was divided into three main topics: SCO owns Unix, SCO vs. IBM, and Linux is tainted.
SCO argues that they purchased full rights to Unix from the old SCO, which purchased them from Novell. The Unix patents are still owned by AT&T, but SCO has purchased the right to use them. There was a dispute with Novell over copyright ownership, but SCO claims that this has been resolved, and that SCO does indeed own the copyrights.
In general, SCO claims to have purchased all rights to all versions of Unix System V and all prior versions of Unix which were developed by AT&T.
My concerns are with free software, not the actual ownership of Unix. I believed at the start of the lawsuit that SCO owned the rights to Unix, and I suppose I'm still willing to believe that. I think that any legal issues here are clearly a matter of the purchase contract between Novell and the original SCO, and it should be more or less straightforward for the new SCO and Novell to settle them.
The main issue here of interest to me is whether rights to early versions of Unix have been weakened by the wide spread distribution of source code, including the publication of the Lions book and the fact that, until recently, the new SCO was distributing Unix source code for free on their FTP site.
SCO is suing IBM for breach of contract, unfair competition, tortious interference, and misappropriation of trade secrets. SCO is now the owner of the contract which IBM originally signed with AT&T (I assume, but maybe some later owner) to develop AIX. That contract requires that derivative works remain part of AIX. It also requires that IBM maintain confidentiality of sources and derivative code. Derivative works are allowed "provided resulting materials are treated as part of the original software products." (I learned later that IBM disputes this, and claims that their contract with AT&T provides that IBM retains full ownership of independent work done as part of Unix.)
SCO has a list of about 20 IBM engineers who are, they claim, using AIX methods in Linux. SCO claims that some of these engineers are literally looking at AIX source code as they discuss Linux issues, and make recommendations based on the AIX code.
SCO claims this is inappropriate because everything built on top of AIX, or which uses methods developed in AIX, is really a derived work of Unix. As we talked, I realized that this is a key part of their argument. SCO claims that anything which was built on top of Unix is itself a derived work of Unix. I will discuss this further below.
SCO claimed that Sequent also developed code which is derived from Unix. IBM bought Sequent, and SCO claims that IBM then proceeded to contribute some of that code to Linux. (This code may not be subject to the IBM exception mentioned above.)
SCO claims that some of the derivative works which IBM contributed to Linux include NUMA, RCU, JFS, SMP, performance measurement and improvements, serviceability, scheduler improvements, LinuxPPC 32 and 64 bit support, logical partition support, and then he went on to the next slide before I typed the rest down.
I asked specifically about JFS, since I know that was originally developed for OS/2. SCO claims that JFS was originally developed for AIX, then ported to OS/2, then ported back to AIX, and that the port back to AIX was the basis for the Linux port. Chris Sontag said this was straight from the JFS web page. I just checked, and the JFS web page [ http://www-124.ibm.com/developerworks/oss/jfs/project/pub/faq.txt ] does not entirely agree. There IBM says that while JFS was first developed for AIX, the development for OS/2 was a new effort, and that the Linux port was based on the OS/2 work, not the port back to AIX. Using SCO's expansive definition of derivative work, arguably the development on OS/2 was based on the original AIX development, since some of the same people may have worked on it and used their experience with the AIX code.
Again, despite all this discussion, the whole issue of SCO vs. IBM was not the reason that I was there. If IBM did indeed breach their contract, then I suppose they should pay some appropriate penalty. I've been around the computer world too long to think that IBM is on the right side of every issue. However, SCO's presentation did not show me any clear evidence that IBM did indeed breach their contract. Obviously, IBM has contributed code to Linux, but it is not at all clear to me that that code is a derivative of Unix.
Here we come to the meat of the issue: has code which is clearly derived from Unix been incorporated into Linux?
Unfortunately, SCO was only willing to show me one example. They showed me a source file they said was from SVR4, and compared it to a source file from Linux. They highlighted the identical portions of the code. There were indeed substantial similarities in the code: very similar comment text, the same variable names, the same algorithm. There were some differences also, but it seemed quite plausible that both pieces of code came from the same source.
SCO refused to show me the revision history of the Unix file. I pointed out that this made it impossible to judge the order of derivation; they agreed, and said it was a matter of discovery for the court case. They said they were confident that the code had not appeared in BSD, and that it was developed internally at AT&T and successors.
The NDA I signed prohibits me from saying anything that would help identify the code in question, or anything about how it got into Linux (I discuss the issue of secrecy further below). They did not permit me to type the code in, but they did tell me the Linux file name, and I have a good memory for such things in any case.
Here is what I think I can say about the code I saw. The code is fairly trivial--the kind of stuff I wrote in school. The similar portions of the code were some 80 lines or so. Looking around the net, I found close variants of the code, with the same comments and variable names, in sources other than Linux distributions. The code is not in a central part of the Linux kernel. The code does not appear to have been contributed to Linux by SCO or Caldera. The code exists in recent versions of the Linux kernel.
Interestingly, close variants of this code appear in Unix source code which was explicitly released under a Berkeley style open source license [ http://www.tribug.org/pub/tuhs/Caldera-license.pdf ] by SCO, back when it was called Caldera. This by itself does not make it completely OK for the code to appear in Linux, because SCO released the code under terms which require copyright attribution, and that attribution does not appear in the Linux sources. However, it does make a mockery of any claim that SCO has been damaged significantly by the fact that this code appears in the Linux sources.
Oddly, my recollection of the code they showed me is not precisely the same as any version I found in any Linux distribution. The differences were in parts of the code which were different from the Unix code. The copyright statement at the top of the file also appeared to be different, though probably not consequentially. However, since I was not permitted to actually type the code in, my memory could be playing tricks on me here.
If this is SCO's only example of Unix code appearing in Linux, I very much doubt there is any real legal liability for Linux users. If the code is indeed derived from Unix, which is unproven, it is roughly equivalent to typing in some code from a basic computer programming text without permission. While I hesitate to predict the actions of the legal system, it is very difficult for me to believe that any judge would actually award damages on the basis of this code.
Naturally, SCO says that there are many other examples. They said they had found at least 10 to 20 specific examples of direct copying. They said there was much more derivative code. They claimed that there were cases in which copied code was intentionally obfuscated and rearranged to hide its origin; I commented that I felt that would be very difficult to prove, and indeed I sincerely doubt that anybody would bother.
SCO said that only in the last month or two have they really started analyzing Linux kernels for cases of copying. They claim that they are steadily finding more cases. They say that this will all come out in court.
It's difficult to know what to make of this type of argument. SCO showed me something which appears suggestive but is also apparently inconsequential. SCO claims to have much more evidence, which they would not show me. It's tempting to conclude that this is their best case, and that they have no strong evidence. After all, if SCO can make their case to somebody like me, then they are in a stronger position for extracting revenue by licensing Linux to customers who are scared of lawsuits. But they may have other plans.
I will admit that their example initially unsettled me, by what it implies. Although in itself trivial, it does suggest that some Linux contributors may have been careless about copyright infringement. That is unfortunate. However, as I learned more about the history of the code they showed me, I have become more confident if there was an error in inserting the code into Linux, it was a minor one.
After the presentation was over, I asked a few questions.
I asked them when they expected to go to court. They said that they are starting document discovery and depositions. No court dates are set. I have since learned that the case is expected to go to court some time in 2005.
I asked why they sent the letters to commercial users of Linux distributions. They didn't give me a satisfactory answer. They said the letter was to make Linux users aware that SCO believes that Linux is tainted and contains unauthorized intellectual property. The letter was to tell the Linux users that they may have some liability, and that they should seek advice from counsel. SCO said the Linux users could then go through the same process of discovery which SCO is going through--but, of course, they can't, because they don't have the Unix sources. My guess was that the letters were to set themselves up for Linux licensing, a guess which has proved to be correct.
I asked whether they had any plans to license the Unix code to Linux users, to remove the liability. They said they had no current program. They hope to come up with something in which noncommercial use and educational use would be free, but for commercial use they want some remuneration. They said they hadn't come up with a plan because they are still trying to figure out the scale of the problem. They hoped to have some sort of solution by as early as July. They have since announced such a program.
SCO commented that Linux has no mechanism that ensures ownership of the IP which goes into it. They said most Linux developers are honorable, but that some commercial entities are bending the rules for their own benefit.
I asked about the lawsuit between AT&T and BSDI. That lawsuit was not ended by a judgement, it was settled between the parties, and the settlement was in large part confidential. SCO, which I presume is the legal inheritor of the AT&T side of the settlement, claims that there are some aspects of the settlement which have not been enforced, but would not describe it further. SCO has not yet looked into whether, in their opinion, the free BSDs are legally derivative of the Unix sources. I assume that if they can get a handle on the Linux situation, they'll go after the free BSDs next.
I paused for a while, trying to think of my next question, and Chris Sontag said he had another meeting to go to, and left.
Blake Stowell asked me what I would do if I owned some proprietary code, and it was being used by other people without permission. I said that Unix had been widely distributed for many years, had been published in books, and was not, after all, actually written by anybody at SCO. I said I didn't think that was easily compared to more conventional situations. Incidentally, Blake Stowell worked at Lineo, and joined Caldera in 2001. He agreed that the company had radically changed since that time.
That was the end of the meeting. The rest of this essay discusses a few relevant topics in more detail.
The key to SCO's case against IBM appears to be an expansive notion of derivative works. SCO is basically arguing that any code which was developed on top of Unix is a derivative work of Unix. They are arguing that the contract with IBM, which they now own, makes clear that any work which is derivative of Unix must remain confidential.
They are using a very extensive notion of derivative work. When I made that objection, SCO said it was for the court to decide. It is true that, so far as I know, no court has ever ruled on whether one piece of software is derivative of another. The question is whether a court would rule that even software entirely developed by IBM, such as JFS, is a derivative work of Unix because it was developed as a component of a Unix system. I think we can all agree that Unix with JFS is a derivative work of Unix; the question is whether JFS by itself is a derivative work.
In general the issue is where the boundary lies between derivative works and independent works. All programs run on Unix use a Unix API; do they therefore become derivative works? Presumably not. However, when writing a program which runs on Unix, I might look at Unix source code if I have access to it; does that make my program a derivative work? It seems, from SCO's comments, that they might claim that it would.
I am not a lawyer. However, I hope that the court will not accept SCO's broad definition of derivative work. I think it would be dangerous for free software, and for software development in general. Software thrives by extending work done by others. If adding a component to an existing piece of software means that the component is owned by the owner of the existing software, then few people will add components. That would not be good for anybody.
It's worth noting that if a court does accept such a broad notion of derivative work, it will weaken SCO's defense against the allegations that Linux code was copied into UnixWare. That would seem to put SCO on the horns of a dilemma; I don't know how they plan to resolve it.
It's also worth noting that even if SCO manages to convince the court that IBM illegaly donated code to Linux, it is a much bigger stretch to convince the court that SCO therefore has any ownership of Linux. After all, SCO did not write any of the code which IBM contributed, nor does any of that code appear in the versions of Unix which SCO owns. If IBM is liable for damages for the code they contributed to Linux, then SCO is presumed to be paid in full for the damages they have received, and nobody else is liable for damages. This is a problem for SCO, because SCO's Linux licensing program relies on SCO's claims that Linux infringes on Unix. That is why SCO is showing code examples like the one they showed me: in order to demonstrate that code was copied from Unix to Linux independent of IBM.
I asked a couple of times why SCO was being so secretive about everything. Their answers were not particularly convincing.
SCO said they were keeping their evidence secret because it is part of a legal action. The evidence will be presented in court. They don't want it to be tried in public before it is tried in court.
They said that in any case the Unix code has always been provided under confidentiality agreements, despite its wide distribution. I have since learned that this is not true, since as noted above SCO itself released old versions of Unix under an open source license.
They said that until they go to court, they don't want the Linux community to remove the code in question. They think it's beyond just changing a few lines of code. As noted above, they feel there are large chunks which are derivative. They argued that even a full replacement would be in part based on the prior effort, and thus would itself be derivative, at least under the terms of the IBM contract.
My guess is that SCO would prefer not to have to reveal any of their evidence. My guess is that they would prefer to settle with IBM, and to use the spectre of liability to get licensing revenue from Linux users. After all, in court they might lose. The current situation, in which they make people feel nervous, is better for them. I don't know whether I'm right, and if I am right I don't know how it will play out.
Chris Sontag appeared confident when he spoke to me. However, my sense is that SCO knows they have a weak hand, and they are playing it as strongly as they know how. I expect them to keep upping the pressure in the press, and to announce a Linux licensing scheme, and to hope to start getting more revenue.
IBM is a past master of the IP extortion strategy. For example, see this Forbes article [ http://www.forbes.com/asap/2002/0624/044_print.html ] about their shakedown of Sun in Sun's early days. For SCO to attack IBM using IP is somewhat like trying to eat a live tiger.
If IBM starts to feel nervous about this suit, they will unleash their patent portfolio. SCO is certain to be violating a number of IBM patents. Unless there is some preexisting patent agreement between SCO and IBM, SCO will surely lose against IBM's countersuit. In fact, since I originally wrote this, IBM has sued SCO for violating four of IBM's patents; this will just be the start.
However, for IBM to unleash their patent portfolio against Unix may not be a good thing for free software. After all, Linux probably violates a number of those patents as well. Once the beast is awoken, who knows when, or if, it will go back to sleep. The best hope in such a case is that IBM will recognize the danger of killing the goose with the golden eggs, and lay off on their own accord.
It's worth noting that the people running SCO, and their lawyers, may not appreciate the power of software patents. In my experience few people outside the profession understand the degree to which every program of any scope violates patents. The software industry today survives only through a unstated agreement to not stir things up too much. We must hope that this lawsuit isn't the big stirring spoon.
One of the last things Chris Sontag before he left is that SCO is not against Linux. SCO likes Linux. They want to get to the point where Linux can move forward.
This may be a deep misunderstanding of the free software process. If Linux becomes encumbered to the point where commercial users must pay a fee, I expect that many independent developers will stop working on it. Linux development will slow down, and may eventually stagnate. The people in charge at SCO may not understand that.
On the other hand, Chris Sontag's statement may simply have been cynical and manipulative--the sort of thing which people say to make malicious statements appear fair and open minded, as in "Joe is a bloodthirsty cannibal, but I like him as a person."
I can't help thinking that as of this writing SCO has a market cap of around $130 million, and that Red Hat has nearly $300 million in cash and investments. Even at an inflated price, Red Hat could afford to buy SCO, and free up Unix once and for all. Live the dream.
I am not a Linux maintainer. But I would like to suggest that this case make the Linux maintainers take the issues of copyright paperwork seriously.
First, I think that all Linux contributors should consider their own contributions. Is there any chance that they have contributed code which is directly copied from Unix or any other non-free source? Here I'm not talking about SCO's expanded sense of derived work, I'm talking about direct copying, such as may (or may not) have occurred in the one example which they showed me. Any such directly copied code should be rewritten in a different fashion, perhaps by somebody else.
Similarly, I think that all Linux maintainers should consider the code for which they are responsible, and convince themselves that the contributors did not do any direct copying. I personally doubt that anybody is intentionally copying non-free code into Linux. But mistakes can happen.
Removal of any copied code, if there is any, won't affect the lawsuit against IBM, but it may affect legal liability concerns for Linux users.
My next suggestion is that Linus and the Linux maintainers form a foundation to hold copyright declarations for Linux. Linus has made clear in the past that he does not want all the Linux copyrights held in the same place. While that means that there is no single party who can sue about a GPL violation, my impression is that Linus thinks that that is an advantage.
However, perhaps it would be OK to require all significant Linux contributors to sign papers stating that they own the code they contribute, and require their employers to also sign papers. This would be along the lines of the paperwork used by the Free Software Foundation, but it wouldn't actually be a copyright assignment.
Such paperwork would not eliminate the possibility of a mistake, nor the possibility of malicious code insertion. But I think it would make it considerably less likely. It would force people to think about the issue. It might also permit moving any legal liability for copying from Linux users to Linux contributors, which would be good for users; the increased risk for contributors might make them more careful, though hopefully not too careful.
It would be necessary for somebody to monitor accepted contributions, and make sure that copyright declarations were signed by all new contributors before each release. It would be unreasonable to expect Linus or the other central maintainers to do this work.
I would be willing to help set up such a foundation, although I don't think my help is required.
The FSF started requiring copyright assignments in the wake of the threats from Unipress over the Gosling emacs code. Perhaps the SCO lawsuit means that Linux needs to start tightening up their IP processes. In an ideal world this would not be necessary, but unfortunately we must all live in this one.
My plane from San Francisco left 90 minutes late. I arrived in Salt Lake City well after midnight, and got lost driving to the hotel.
In the morning, I locked my keys in the car. Fortunately Avis repair service showed up in 25 minutes with a new key, but I was then 20 minutes late getting to SCO. Rather than look like a total idiot right off the bat, I told Blake Stowell that I "had trouble with my rental car." He was very nice about it.
My plane leaving Salt Lake City that afternoon hit a seagull shortly after take off. We returned to the airport. After landing, the pilot told us the windshield now had a small crack, and the plane wasn't going anywhere. After disembarking, we were able to look back at the plane--a rather gory sight. I have enough travel experience that I immediately used my cell phone and booked a seat on the next flight out. When that plane left, two hours later, there was still a long line of people trying to get to San Francisco that day.
All told, on the trip I spent about $350, plus 25,000 frequent flier miles, plus 24 hours away from my family. Although I wasn't expecting it, Linux Journal sent me a check for $150 for carrying my article on their web page. Free software has given me a lot over the years, and I can afford the difference. If you want to contribute in support of my trip, please make a donation to the Free Software Foundation [ https://agia.fsf.org/mp/order.py?make-donation=1 ], the Electronic Frontier Foundation [ https://secure.eff.org/ ], or Amnesty International [ http://web.amnesty.org/pages/donate_now ].
Odd though it may seem, I would like to thank SCO for taking the time to talk to me. They had to know when I came in that I would not be on their side. But they played fair, were very polite, and took me seriously. I'm sure both Chris Sontag and Blake Stowell had better things to do than humor some random free software developer.
This essay received helpful comments from David Henkel-Wallace and Karsten Self.