Harald Welte's blog
   

Creative Commons License
Articles on this blog/journal are licensed under a Creative Commons Attribution-NoDerivs 2.5 License.



       
Mon, 30 Oct 2006
Some more thoughts on the results of GPL enforcement

Just a small personal note: Yes, this blog is currently seeing close to no updates. This is because I'm literally working every minute that I'm awake, with no time for anything else.

But to get to the main point of this entry: The results we see from GPL enforcement. I don't want to write about the legal results, since they have always been successful, in 100+ violations that I've been dealing with so far.

I'd rather want to talk about other results. They mainly fall into two categories:

Structural results, how I like to call them, show that the vendors / "the industry" now understand the GPL [better] and thus adopt policies and business practises that are more likely to be GPL compliant from now on. This is good, since it has the potential to prevent further GPL violations down the road, presuming license compliance is something that we value and strive for.

But how does Free Software actually benefit from GPL enforcement? I'm talking about the actual software, and not the movement, the community, the advocates, etc.

How many times have you seen some code coming out of a "GPL code release" from one of the many (mostly embedded) vendors that was actually useful to be contributed back to an existing Free Software project, or even that spawned a new Free Software project? I for my part am certain to say: Zero. The actual number might be close to zero, but very small anyways.

The next logical question is to ask ourselves, why it is like that. First of all, the code quality is usually extremely bad. Looking at kernel patches from the various vendors, I'd say the code quality is _by far_ off any scale that would ever even remotely be considered to be suitable for upstream inclusion. Not only do those vendors not care about any CodingStyle (which could be easily fixed), but they ignore any existing standard API's (why use them if we can reinvent our own?), don't ever spend a single second on portability issues such as SMP, DMA safe allocations, endian issues, 32/64bit, etc. This code is "throw-away software". Fire and forget. The complete opposite of the long-term maintainability goals of about any FOSS project I know.

I would be the most embarrassed man if I ever was involved with any such software. Having your name associated with such poor quality would be like a stigma. Any technical person would laugh. And yet, the managers of those respective companies proudly announce the availability of their so-called "GPL code releases". If they only understood how ridiculous they make themselves in the technical community. It's like if they were proudly presenting a drawing from a three-year-old kid as the new Picasso. They just don't notice because the number of people with a taste of art is apparently larger than the number of people with a taste of source code quality and aesthetics.

The next big problem is the perpetual preference of vendors, even in a market with only six month product life-cycles, to use ages old software to base their code on. Of what use is e.g. an obscure netfilter patch that was developed against kernel 2.4.18, something that is many years old and of no relevance to current stable kernels or even current development?

Now you might argue "What about projects like OpenWRT?". While they are no doubt very useful, it is quite simple. Those projects mainly benefit only the customers of the (probably formerly GPL infringing) embedded devices. Therefore, they benefit specific customers, and not Free Software Users in general. Even if OpenWRT or others invest huge amounts of work and manage to clean up / re-implement some of the awkward sources released by embedded manufacturer X, and push it into the upstream project (e.g. Linux kernel), it is something that most often only a very specific user base that benefits from it. All the really interesting bits, if there are any at all, are kept proprietary by the respective manufacturers, using legally extremely questionable practises such as binary-only kernel modules.

If one thinks a bit more, this whole sad process could have been envisioned before. It's a myth to believe that Linux and other FOSS is so popular in the embedded market because vendors think it is more reliable, or secure, or even because of the maintainability, audit-ability, or even the benefits that users and developers get from being able to run modified versions of the software. If they were, we would see clean code and regular security updates. In reality almost every product is one gaping security nightmare. None of those potential benefits are of any interest to embedded vendors.

The response to the 'why' question is quite simple: They use GNU/Linux because this way they can avoid per-unit royalties that are very popular with alternative (proprietary) embedded OS's. It's a cheap commodity. Thus, it's not surprising how they treat GPL compliance. Disgruntled, not understanding the issues behind, releasing only the most incomplete non-building source code snippets that make any reasonable developer vomit at first sight. And since they themselves lack the skilled developers internally (they're not cheap!), their management goes ahead and releases something that is embarrassing. If I wanted to evaluate the technical skill-set of a company before making large-scale business with them, I'd [have somebody] look at their source code releases. It can tell a lot about technical expertise and corporate style :)

Please don't get me wrong. I'm not complaining that there is any legal shortcoming in those "GPL Code Releases" (though there often is, but that is not the point of this article). But if somebody asks me, how much the actual Free Software source code benefits from the code that was released by the vendors, my honest reply would be simple and sad: None.

While this whole post might sound bitter and resigned, and like I wanted to give up GPL enforcement since it's not worth it: This is not the message that I want to put out. GPL enforcement remains important. I never assumed that there would be a lot of actual mainline-mergeable source code coming out of it, so I'm not disappointed with the enforcement. I just have the constant feeling that many people are driven by misconceptions, and nobody outside the hacker community really knows what's going on on a technical level.

[ /linux/gpl-violations | permanent link ]

Thu, 19 Oct 2006
QNTAL concert in Berlin

One of my favourite bands for many years, QNTAL, have been playing tonight in Berlin. The concert was fantastic, and due to my recent high workload, I apparently actually missed their last album release. They did very well with that latest release.

However, apparently day 15 of the tour (one concert every night) has already left quite some traces on Syrah's otherwise brilliant voice. It was still extremely good, but you could notice she's [again] having some problems :( What kind of torture must it be, to be an excellent singer with classical training, with a crystal clear voice - but then having chronic problems with your throat..

To my big surprise, the support band Unto Ashes was actually extremely good. I'm not saying this because I thought Unto Ashes was bad, but rather because support bands generally suck quite a lot. Maybe it's just me being unlucky, but this was actually the first concert with a great support band that I've been to.

All in all definitely a memorable evening. If it didn't eat that much productive time...

[ /personal | permanent link ]

Thu, 12 Oct 2006
Linux World Expo in Utrecht, The Netherlands

Due to Armijn's (of gpl-violations.org) involvement in the programme committee of the linuxworldexpo.nl 2006, I have been invited to do a session called "Free Software Master Class" together with Georg Greve from the Free Software Foundation Europe. Georg presented on "the business value of Free Software", whereas I was talking about "how to be GPL compliant".

The presentation went quite fine, and there were good questions coming from the audience. However, you could clearly tell that the organizers didn't really have any experience with holding conference/seminars, but just trade shows.

First of all, the seminar area was not reasonably shielded from the background noise of the trade show. Therefore the volume of the PA had to be quite high to combat that background noise.

Secondly, the light situation was way too bright for the audience to be able to read the image projected by the LCD projector. I mean, there were dozens of neon lights (that couldn't be switched off) directly above the screen, that just cannot work.

My third point of criticism was the organization of speaker travel and accommodation. If it wasn't for me meeting with Armijn at the night of arrival, I wouldn't have known to which hotel to go to. Furthermore, the hotel was located in a different town (so you couldn't just go back to the hotel during the day, to drop some stuff, or change clothes, or whatever). Then that hotel was undergoing a complete reconstruction. I could only take the question "do you need a wake up call" by the receptionist as an ironic joke. At 7.45am the power drilling started - way after all the other noise that started about half an hour earlier.

Luckily I had arranged for my own travel. Georg has received his ticket information only on Monday afternoon (and was leaving on Tuesday!). This is not exactly how you professionally organize any kind of event.

I don't want to overly complain, but I just want to give motivation to improve that situation the next time.

[ /linux/conferences | permanent link ]

Fri, 06 Oct 2006
Dual-Opteron liquid cooling leaking

I'm not really having that much luck with the liquid cooling system of my main workstation. Today, one of the CPU coolers (dual socket 940 board) started leaking. Unfortunately it was the cooler of the CPU sitting above the AGP and PCI-X slots, spilling coolant on the Radeon 9200 and E1000 cards.

Coincidentally all that happened while I was having a bath, but that just as a side-note.

Now the box still boots up and is accessible from the network. Just no graphics output. Pretty bad for what I use as a dual-head compile and development workstation. So far it looks like at least that AGP card has died. I already bought a used one on eBay (you can't get any Radeon 9200 these days, and that's the really last 'free' graphics chip out there [apart from Intel on-board stuff]...). It could also be the AGP socket or something completely different. I don't have any spare AGP cards, just PCI... 5V PCI that don't fit in the 3.3V-only PCI-X slots, so I couldn't test it with a different card right now.

Now since this is the second time I'm having quite big trouble with that liquid cooling system, this is a good time to re-think whether it was that good an idea. I still think it was. I mean, for the better part of two years, this system has been running day and night, without any problems. In fact it is so quiet that I now regard my Quad G5 (unloaded, all fans at minimum) as extremely loud. And it is that quiescence which I love so much, and it is even worth at least those two times I've now had problems.

[ /misc | permanent link ]

Thu, 05 Oct 2006
Nedap voting machines in Europe

The regular reader of this weblog might have noticed that for more than a year I've had an interest in the use of voting machines in elections, specifically Germany.

While my many other interests and projects have not allowed me to look into this subject as much as I wanted, some of my friends of the Berlin CCC have collected a lot of information on voting machines (German) and also actually had a chance to do some hands-on security research together with our Dutch hacker friends.

Yesterday, their joint activities became public. First in a TV show that has been aired in the Netherlands. German media reports are catching up today. Expect some more coverage following-up the CCC press release, such as this one.

Now what was actually discovered? In short,

  • There are many possibilities for manipulations
  • That a proof-of-concept firmware for election manipulation on a Nedap machine has been developed
  • That the Nedap machine can be re-programmed just like any other computer, e.g. to turn it into a chess computer
  • That the Nedap machines actually have spurious emissions that can be used to detect which party / candidate is currently being voted from a range of at least a couple of meters distance by using a small radio receiver with earphones.
  • That any contemporary cell phone or Digital TV set-top-box has employed more security mechanisms than those voting machines. Cryptographically signed boot process? Signed applications? Trusted Computing? Such technologies are only employed for the protection of important data, such as commercial audio and video recordings. Unimportant matters such as democratic and free elections do not require any such secure technology, but use 1980's home computer technology.
  • That the legal requirements on the technology of voting machines in the Netherlands and in Germany do apparently not even come close to identifying (and preventing) the most basic IT security threats.

Therefore, the use of such voting machines must be halted immediately, at least until an independent board of renowned international IT security experts has been drawn to specify new technical requirements on their security, and until all old machines have been upgraded or replaced by such machines that follow those requirements.

Because any reasonable set of security requirements will inevitably lead to machines that are by far more expensive than those currently in use, it becomes even more questionable to build and use them in the first place. Why should a few hours quicker election results ever be worth even only the slightest increase in risk of election manipulations?

[ /politics | permanent link ]

Bollywood Musical in Berlin

Tonight I've been to Bollywood - The Show, a Bollywood musical that is touring through (I guess among other countries) Germany for the next couple of months.

It was truly amazing. First, there is the irony of playing a story that is remotely based on a true story - probably an idealized form of the story of the musicians and choreographer family behind this musical: The Merchant family. Secondly, the number of dancers is actually quite limited, so they need to dance and dance and dance for hours. What is usually done in many takes (with breaks) when shooting the song sequences of a Bollywood movie - those musical dancers have to do it all in one row. On some days even two shows on one day. What an amazing talent and stamina.

It's too sad to learn that such musicals can only exist in the west, since their cost of production is just too expensive for India, plus apparently the lack of a musical culture there.. quite strange, isn't it? I bet a lot of Indian Bollywood fans are definitely sad to lack the opportunity to see this (or another upcoming one, such as the Bharati).

[ /personal/bollywood | permanent link ]

Mon, 02 Oct 2006
Obnoxious RoHS/WEEE rules and their German implementation

You might have heard about RoHS (Reduction of Hazardous Substances) before. I always thought it is a well-meant and important contribution of the European Union to reduce the amount of hazardous substances in electronic waste. As a supporter of many environmental groups, and an occasional voter for the Green party, I definitely support such a goal.

If I was to manufacture electronic equipment, then certainly I would consider it as my moral duty to pay for the cost of processing ('recycling', how they call it, if that was ever possible) the resulting waste. No debate on that at all.

Now I actually am involved with producing small quantities of electronic equipment, and suddenly those issues come up again. The product obviously only uses RoHS compliant components, no question on that. We do want to reduce the environmental impact, after all.

Now enter EU and German bureaucracy, combined with lobbying of large industrial electronics manufacturers, and you end up with the German implementation called "ElektroG" (Gesetz ueber das Inverkehrbringen, die Ruecknahme und die umweltfreundliche Entsorgung von Elektro- und Elektronikgeraeten [Law about distribution, withdrawal and eco-friendly disposal of electrical and electronic devices]). That law basically regulates and delegates the administration of the RoHS/WEEE guidelines to an authority called EAR (Stiftung Elektro-Altgeraete Register [Foundation for Registry of Electrical Devices]).

The way how this system works is:

  • All manufacturers and importers have to register themselves with EAR
  • They also have to register the quantity (weight) of produced/imported goods every month
  • They furthermore have to produce proof of having made a deposit on the amount of money required to "recycle" the resulting electronic waste, even in the case of bankruptcy of the producer/importer

This all sounds very reasonable and well-thought. Given the facts stated until here, I would still be an avid supporter of such a system.

Now enter the disaster: The minimum quantity that this system can deal with is the metric ton. This is very suitable for large manufacturers, but what about a small company that produces 100 units of 180grams of weight every year? It will take more than 55 years to fill up that metric ton. Now, if they actually allowed you to pay for one ton every 55 years, then that would be great. Obviously, they don't. Rather they employ an undisclosed lottery algorithm, which elects one registered producer/importer who has to take care of recycling one specific container that was filled last at the electronics waste collection station. Yes, every time one container is filled, they elect another lucky lottery winner. And in order to make sure that every possible "winner" could actually afford the disposal of that container, EAR has the "proof of bankruptcy-safe deposit".

You might think: Well, quite a fancy system, but assuming that algorithm was tuned right, there still is no problem, even for small producers, since the probability of them being chosen by the lottery is very low. And in fact it is. An EAR person has publicly stated in an interview that only producers having produced more than 3.5 metric tons of electronics are eligible to win that lottery. Great, since in our example that would be in 194 years. So nothing to worry about, right?

Wrong. The administrative fees of EAR.

  • 155 EUR one-time fee for registration is still quite acceptable.
  • 85 EUR per product that is put on the market is fine, too.
  • 100 EUR for each notice of change in production quantity is a bit steep, given the inevitable flux of that figure.
  • 455 EUR for the validation of the proof of having made the deposit
  • 215 EUR annually for the re-validation of the proof of having made the deposit

Now what kind of bull**it is this? This means that during those 55 years we would fill one metric ton, we'd have to pay 12066 EUR only in administrative fees for validation and re-validation of the bankruptcy-safe deposit? All that for the disposal of one ton of electronic waste, which costs [now] between 200 and 400 EUR?

I would be very surprised if such fees would not violate anti competition rules of the EU somewhere at some point. This is the creation of a serious market entrance barrier for small manufacturers of electronic equipment and nothing else.

[ /electronics | permanent link ]

Bavaria's best gothic/dark wave/industrial/ebm club "Top Act" about to close

I'm sad to hear that the best club "close" (50km) from my old home city is about to close at the end of the year. This is extremely sad, and I suppose it will have quite an impact on the subculture there.

I can only hope that I'll find some spare time for a goodbye visit in November or December this year. A night at Goettertanz or La Nuit Obscure has always been a deeply touching, emotional and aesthetic event. No other club anywhere else has ever managed to make me feel anywhere close to how I felt at Top Act back then. Excellent DJ's, great choice of music, the right kind of people, 18+ limit for admittance, and a gothic dress code(!). Call that elite, if you want - I'll tell you: The result was spectacular. People would travel 150+ km every weekend to get there.

Good bye Top Act. Thanks to Thomas Manegold and his crew, thanks for hosting that many memorable events. Thanks to Kodachi (didn't forget you!) for first recommending that location to me.

[ /personal | permanent link ]