A Tweak to the Patch Submission Process and a Word on AdTI

Sunday, May 23 2004 @ 05:23 PM EDT

Contributed by: PJ

Linus, always pragmatic, sees the need to protect against future SCO's by making a small tweak to the patch submission process. I see that he is putting in place a method that will be open and obvious even after we are all dead and gone, and it should calm down corporate types who think in old-fashioned, proprietary terms. Smart. It's a crying shame watching Linus having to learn the dark side's wicked ways so as to route around them, but to his credit, he is learning and applying his brains and skills to the task. He has begun a discussion of a proposal, which you can read on LWN. When corporations and proprietary dudes get involved, you need to plan for their low-down, icky tricks. Linus says this:

"People have been pretty good (understatement of the year) at debunking those claims [by SCO], but the fact is that part of that debunking involved searching kernel mailing list archives from 1992 etc. Not much fun."

Truthfully, Linus, I've found it a lot of fun, personally, not to mention an education. He proposes a tweak to make the archives info more accessible.

His modestly and honest openness is such a contrast to the AdTI folks. If you go to their site, and I hope you don't, you will see links to articles (here's one) that present their view, but you won't find a link to Andrew Tanenbaum's rebuttal. Smarmy, indeed. Note that Linus is quoted as stating firmly that he never read the Lions book, and here is the story on Minix, starting with the AdTI view:

"'It's clear to me, at least from quotes from Tanenbaum, that Linus started from Minix...He just sat down with Minix and wrote this product. By definition, that is not an invention,' Brown said. 'If you sit down with the Ford blueprints and build a Chrysler and don't give Ford any credit, that's not invention.'

"In an interview conducted for the study, Brown quoted Tanenbaum as saying that Minix 'was the base that Linus used to create Linux. He also took many ideas from Minix, including the file system, source tree and much more.'

"If Linux is a derivative work of Minix, that makes Linux vulnerable to charges of intellectual property infringement by Prentice Hall, which published books on Minix, as well as the Minix source code, but restricted its use until 2000, the study said. 'Arguably, Prentice Hall has lost out on tens of millions of dollars' because of lost book sales, the study said.

"But Torvalds argued that he and other Linux developers have given proper credit.

"'Linux never used Minix code...We never credited anybody else's code, because we never used anybody else's code,' Torvalds said. . . .Minix, he said, was simply a platform on top of which Torvalds did his programming work.

"The study suggested that Torvalds might have gradually replaced Minix code with Linux, but Torvalds says that did not happen.

"'I didn't "write the Minix code out of Linux," Torvalds said. 'I was using Minix when I wrote Linux, but that's in the same sense that you are using Windows when you write your columns. Do your articles contain Windows source code because you use Windows to write them?'"

So now they want us not to be able to use ideas we know about. What a wonderful world they have in mind, eh? And a publisher could get tens of millions of dollars from a programming book? Puh-lease. Anyway, they strike out again, because Linus never read that book.

I am not providing a link to AdTI in this article, unlike earlier ones, because they are telling journalists like Stephen Shankland that "outsiders" have crashed their site. They obviously were not set up for the kind of traffic sites like Groklaw and Slashdot can create, and probably they imagine a malicious motive for what was likely just large numbers of people interested in reading what they wrote.

Here's a bit of what Linus suggests:

"So what I'm suggesting is that we start 'signing off' on patches, to show the path it has come through, and to document that chain of trust. It also allows middle parties to edit the patch without somehow 'losing' their names - quite often the patch that reaches the final kernel is not exactly the same as the original one, as it has gone through a few layers of people.

'The plan is to make this very light-weight, and to fit in with how we already pass patches around - just add the sign-off to the end of the explanation part of the patch. That sign-off would be just a single line at the end (possibly after _other_ peoples sign-offs), saying:

Signed-off-by: Random J Developer

"To keep the rules as simple as possible, and yet making it clear what it means to sign off on the patch, I've been discussing a 'Developer's Certificate of Origin' with a random collection of other kernel developers (mainly subsystem maintainers). This would basically be what a developer (or a maintainer that passes through a patch) signs up for when he signs off, so that the downstream (upstream?) developers know that it's all ok:

Developer's Certificate of Origin 1.0

By making a contribution to this project, I certify that:

(a) The contribution was created in whole or in part by me and I have the right to submit it under the open source license indicated in the file; or

(b) The contribution is based upon previous work that, to the best of my knowledge, is covered under an appropriate open source license and I have the right under that license to submit that work with modifications, whether created in whole or in part by me, under the same open source license (unless I am permitted to submit under a different license), as indicated in the file; or

(c) The contribution was provided directly to me by some other person who certified (a), (b) or (c) and I have not modified it.

"This basically allows people to sign off on other peoples patches, as long as they see that the previous entry in the chain has been signed off on. And at the same time it makes the 'personal trust' explicit to people who don't necessarily understand how these things work. "The above also allows for companies that have 'release criteria' to have the company 'release person' sign off on a patch, so that a company can easily incorporate their own internal release procedures and see that all the patches have gone through the right channel. At the same time it is meant to _not_ cause anybody to have to change how they work (ie there is no 'extra paperwork' at any point). "Comments, improvements, ideas?"

Here is what AdTI has on their site today:

"Linus Torvalds and his peers, wrote Wired magazine last November, 'don't have the institutional resources to ensure that a programmer isn't guilty of plagiarism.' In a path-breaking study, AdTI's Kenneth Brown reviews the origins and development of Linux -- in light of repeated expressions of contempt for intellectual property rights by Torvalds and some (but by no means all) open source programmers."
Neat strategy. First get the media to print what you want said as a fact -- and we all know how hard *that* is -- and then quote it. The same article makes much of Linus' alleged absent-mindedness. Want to bet that handy paragraph comes up at trial in the form of some questions to Linus? And the article says Linus looks like a supply clerk. To whom? Not to me. And look at the photo they managed to include on page 2. Would they do that to Bill Gates or even Darl McBride?

About those alleged "expressions of contempt for intellectual property", while I haven't yet read the book, I have read Martin Pool's review, and he mentions three such expressions listed in the book:

"AdTI has a consistent pattern of asking people for comments on hypothetical scenarios and applying those comments out of context to Linux. It allows him to give the impression that Bloch, or Tanenbaum, or Richie is saying 'Linux is X', when they said no such thing.


'Sometimes a little theft is necessary'.

'There is theft everywhere and the open source community should not be singled out.'

'The samizdat exchange was outright theft but it was necessary.'

"Quotes supposed to be from open source programmers, but not attributed. Did they just make them up? Perhaps we should attribute thoughts to 'Factions within the AdTI' on whether wife-beating is 'sometimes OK', 'happens all the time', or 'is absolutely necessary'?

I thought you might be interested in the fact that when I went to Google and searched for the three phrases he "quotes" about theft, none of them resolve to anything. Nobody said them in a way that Google can find. From what we have seen, the AdTI style of research includes posting questions on public boards and maybe they found somebody somewhere who said that privately, but they don't tell you who or where, and for sure I can't find it. Something smells funny here.

A clue for you. We don't need "institutional resources", actually, you old-fashioned types. We have community resources. Our software is superior to yours in many ways, because those resources are superior. We just do things differently than you do. Let me suggest you do this: Ask Sun or Microsoft or any proprietary software company to "ensure that a programmer isn't guilty of plagiarism." See what happens. Actually, I have Sun's "Binary Code License Agreement" and "Supplemental License Terms for Sun Java Desktop System", dated December 2003, and here is what it says about that:


"5. LIMITATION OF LIABILITY. TO THE EXTENT NOT PROHIBITED BY LAW, IN NO EVENT WILL SUN OR ITS LICENSORS BE LIABLE FOR ANY LOST REVENUE, PROFIT OR DATA, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES, HOWEVER CAUSED REGARDLESS OF THE THEORY OF LIABILITY, ARISING OUT OF OR RELATED TO THE USE OF OR INABILITY TO USE SOFTWARE, EVEN IF SUN HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. In no event will Sun's liability to you, whether in contract, tort (including negligence), or otherwise, exceed the amount paid by you for Software under this Agreement. The foregoing limitations will apply even if the above stated warranty fails of its essential purpose."[Emphasis added]

Lots of protection and guarantees of no plagiarism there. Not.

No offense to anyone, but are all those outsourced coders in India or Eastern Europe or wherever proprietary companies can find cheap labor really more trustworthy than Linus and his contributors? No? Then stop singling Linux out as if that problem were unique. No one can guarantee 100% that no one plagiarized code, but the open process means any proprietary company can take a look at the code -- which is 100% open to the public -- and see if anyone stole their code and put it in Linux. As you have seen despite their bizarre allegations in the media, SCO has yet to successfully do that in court, and no other company that I know of has ever done so either. It's an issue in your imagination, not in the real world. But because it appears to be stuck in your imagination, like an old song, Linus is making a tweak to show you what he and his team already do know, that there is no unique problem with the code.

I'll have more to say about that word, samizdat. It's one more thing that AdTI got wrong.