Why don’t unprivileged user accounts violate the GPLv3?

Question

The GPLv3 says:

Some devices are designed to deny users access to install or run modified versions of the software inside them, although the manufacturer can do so. This is fundamentally incompatible with the aim of protecting users' freedom to change the software. The systematic pattern of such abuse occurs in the area of products for individuals to use, which is precisely where it is most unacceptable. Therefore, we have designed this version of the GPL to prohibit the practice for those products. If such problems arise substantially in other domains, we stand ready to extend this provision to those domains in future versions of the GPL, as needed to protect the freedom of users.

[…]

“Installation Information” for a User Product means any methods, procedures, authorization keys, or other information required to install and execute modified versions of a covered work in that User Product from a modified version of its Corresponding Source.

[…]

If you convey an object code work under this section in, or with, or specifically for use in, a User Product, and the conveying occurs as part of a transaction in which the right of possession and use of the User Product is transferred to the recipient in perpetuity or for a fixed term (regardless of how the transaction is characterized), the Corresponding Source conveyed under this section must be accompanied by the Installation Information.

The Free Software Foundation added these clauses because they did not like that companies like TiVo were able to use GPL'ed software on their devices.

The Open Source Definition has the following requirement:

6. No Discrimination Against Fields of Endeavor

The license must not restrict anyone from making use of the program in a specific field of endeavor. For example, it may not restrict the program from being used in a business, or from being used for genetic research.

The SSPL is not considered an open source license because it is deliberately almost impossible to comply with for hosting providers. Why, then, is the GPLv3 considered an open source license even though it is deliberately almost impossible to comply with for TiVo, Nintendo, Sony, etc.?

On top of that, it doesn't seem like most Linux distro's comply with it either. You can buy a laptop, install Linux on it, create a user account without access to sudo or equivalent, lock the UEFI/BIOS with a password, and give the laptop away to someone else while only telling them the password for the unprivileged account. It seems to me that the GPLv3 is being violated here, because the user cannot install other software on their laptop. Yet, almost every Linux distro supports unprivileged accounts (GNOME even has parental control settings)! Does this mean almost every Linux distro violates the GPLv3?

Linux distros aren't forcing you to only use unprivileged accounts. The GPL doesn't require distributors to prevent you from implementing Tivoization. If you distribute devices with Tivoization, you're the one violating the license, not the Linux distro. — eesiraed, Jul 09 '22 at 05:25
@eesiraed it seem to me that your comment is really an answer in disguise. If people start commenting here on it, rather than on the question, it might well get deleted. If you'd like to write it as an answer, particularly if you feel it adds things not already covered in the existing answers, please feel free to do so! — MadHatter, Jul 09 '22 at 07:59
A BIOS/UEFI password is not a good example, since anyone with a screwdriver can easily reset it. — Revolver_Ocelot, Jul 09 '22 at 17:55
... "give the laptop away to someone else while only telling them the password for the unprivileged account." -- Whether this instance is a GPL3 violation or not, would depend on whether you consider this a "User Product" or not. For example, if you give me a laptop but don't give me any admin account info, I would consider it more like you are just lending the computer to me, perhaps for an indefinite amount of time. GPLv3 defines User Product as "property" so if the laptop example is not really my property yet, then there is no violation. — Brandin, Jul 12 '22 at 11:28
If I understand your question correctly, your main question is: "Which fundamental difference between GPLv3 and SSPL makes GPLv3 a 'free' license and SSPL a 'non-free' one?" The link in your question says that Fedora thinks that the SSPL is "non-free". It does not say that the SSPL definitely is a "non-free" license. — Martin Rosenau, Jul 18 '22 at 06:03

MadHatter · Answer 1 · 2022-07-09T16:43:14.883

12

Firstly, the source you link to says that the principal problem with the SSPL is that it "is intentionally crafted to be aggressively discriminatory towards a specific class of users", not that it's almost impossible to comply with. It may well be that, too, but that's not the reason that Fedora says they have taken against it.

Secondly, the GPL is not almost impossible for a hardware vendor to comply with. It's easy to comply with it: the vendor needs to stop locking their devices down so their users can't modify the software running on them. If the vendor doesn't want to do that, fine, but they can't ship GPLv3 software on them.

You can buy a laptop, install Linux on it, create a user account without access to sudo or equivalent, lock the UEFI/BIOS with a password, and give the laptop away to someone else while only telling them the password for the unprivileged account. It seems to me that the GPLv3 is being violated here

I haven't thought too deeply about it, but you may be right (though note that although some of the software included in most Linux distros is GPLv3, the Linux kernel itself is not). If you are right, it means the person who did all those things to the laptop before conveying it was indeed violating GPLv3.

Yet, almost every Linux distro supports unprivileged accounts (GNOME even has parental control settings)! Does this mean almost every Linux distro violates the GPLv3?

No, because a distro is not a device. It's just software. Sitting at rest, on its DVD, with source packages, it denies no rights to its users. Only if someone installs it on a user-hostile device which they distribute is the GPLv3 then violated, and the person violating it is the device distributor, not the distro author.

Edit: you ask in a comment below "Why is the button there to begin with?". The answer is: because that button has legitimate uses, too. As a parallel example, TPMs can be misused to lock down my hardware so it can't boot the OS I want; but they can also be used to increase the security of my crypto keys (full disclosure: I wrote that article). A good licence (like a good law; take note, Parliament and others) doesn't proscribe a technology merely because it can be used badly, but instead proscribes the bad uses of that technology.

edited Jul 09 '22 at 16:43

answered Jul 08 '22 at 15:07

MadHatter

48,547
4
122
166

The GPLv3 is purposefully written against the entertainment industry, just like the SSPL is purposefully written against the hosting industry. Not locking the device down is absolutely not an option for devices like game consoles.
So if a desktop environment has a button to create an unprivileged account, only the admin that clicks it is violating the license? Why is the button there to begin with?

jobukkit

Jul 08 '22 at 16:37

5

@jobukkit if you say GPLv3 is discriminatory towards, e.g., game consoles, then you might as well say GPLv2 is discriminatory against any other number of software competitors who cannot build a software product in their industry with source code disclosed. The GPL does not prevent you from building a game console, smart-home assistant, or thermostat using GPL'd code; market forces may or may not make it so you can turn a profit doing so. – apsillers Jul 08 '22 at 17:00

@apsillers What line is the SSPL crossing, then? Hosting providers can theoretically only allow open source software onto their servers, like the SSPL requires... – jobukkit Jul 08 '22 at 17:06

1

@jobukkit SSPL and the Open Source Definition – Philip Kendall Jul 08 '22 at 19:32

@jobukkit The GPL allows proprietary elements in a software stack. You can run GPL software on a proprietary OS, or proprietary software on a GPL OS. But SSPL reaches beyond the licensed work and its derivatives, and requires unrelated parts of the software stack to have a SSPL-compatible license. This isn't literally impossible – BSD exists, a lot of modern devops/sysadmin tools are Apache-2.0-licensed – but it's a tremendous overreach, clearly designed to prevent competitors to MongoDB Atlas. – amon Jul 08 '22 at 21:08

6

@jobukkit "So if a desktop environment has a button to create an unprivileged account, only the admin that clicks it is violating the license?" – Merely creating the account wouldn't violate the license. The admin would have to create an account and then perform "a transaction in which the right of possession and use of the User Product is transferred to the recipient in perpetuity or for a fixed term" in order to violate the clause. Merely letting a family member use the device probably wouldn't be a violation; renting it out probably would be, I think. – Tanner Swett Jul 09 '22 at 01:04

1

@jobukkit, the problem is that the SSPL mandates the use of open-source software. For example, if you offer MongoDB as a service, you can't use Veritas for backups, you can't use Microsoft IIS to run your management console, you can't virtualize your server using vSphere, and so on. Yes, it is possible to comply with the license, but it requires very careful selection of software to do so. – Mark Jul 09 '22 at 02:38

@TannerSwett “If you do all your chores, you may use your computer for the rest of the day!” is a transaction that transfers a fixed term of use to the recipient. One that GNOME explicitly falicitates with its parental controls. – jobukkit Jul 09 '22 at 09:16

1

@jobukkit It probably does not constitute ‘the right of possession […] of the User Product’, though, despite the possessive pronoun. – user3840170 Jul 09 '22 at 09:23

@user3840170 (Sorry, deleted the previous comment when I saw your edit, there’s still a spelling mistake in my comment as well ) It says “regardless of how the transaction is characterized” so I don’t think claiming that children don’t actually own computers holds up, especially if the child paid for the computer with their allowance. – jobukkit Jul 09 '22 at 09:52

4

I think this discussion's getting fairly off-topic. If anyone wants to start a new question such as "Does a parent giving a device to a child constitute a conveyance under GPLv3?", feel free, but I'd prefer this conversation not to continue in this comments field. – MadHatter Jul 09 '22 at 09:59

Comments are not for extended discussion; this conversation has been moved to chat. – MadHatter Jul 10 '22 at 09:24

user253751 · Answer 2 · 2022-07-10T10:30:08.720

6

even though it is deliberately almost impossible to comply with for TiVo, Nintendo, Sony

Why do you think it's impossible? They just have to give users more access to the device they bought. That is quite possible - in fact, the developers have such access by default and go out of their way to prevent users from having the same access.

The fact that Nintendo doesn't want its users to have access to their own purchased devices is nothing to do with whether the GPL is valid. It just means they can't use GPL software.

The SSPL is not considered an open source license because it is deliberately almost impossible to comply with for hosting providers. Why, then, is the GPLv3 considered an open source license

In my opinion, the discrimination argument is a bad one. The intent behind the SSPL appears to be to create an even stronger version of the AGPL, which is reasonable on the face of it. However, there are other arguments against the SSPL, namely that its main effect is to create uncertainty around legal requirements. It's not obvious whether using SSPL software requires a company to open-source every piece of software used by the company. That seems like a pretty good reason not to consider it a "proper" licence.

edited Jul 10 '22 at 10:30

answered Jul 09 '22 at 12:20

user253751

538
3
8

Their own approved Linux distro's not complying with the GPLv3, let alone the GPLv3 not being recognized as an open source license, would certainly be the FSF's problem. As for Nintendo, the Nintendo DS had no DRM, and that was a disaster. – jobukkit Jul 09 '22 at 16:59
@jobukkit The Nintendo DS had DRM - signed cartridges - but it was cracked. I myself enjoyed writing some DS homebrew software. – user253751 Jul 09 '22 at 17:16
I misspoke on the FSF thing. Of course the FSF would like all consoles to be open, but they can't force consoles to do so if the consoles have no connection to the FSF. – user253751 Jul 09 '22 at 17:17
@jobukkit The Linux kernel is GPL2, and a large amount of user software on typical distros now is GPL3. Both licenses GPL2 and GPL3 are OSI approved Open Source. – Brandin Jul 12 '22 at 12:08

apsillers · Answer 3 · 2022-07-11T14:20:43.353

Setting aside the question of when exactly a transfer of ownership of a laptop occurs and setting aside the fact that the Linux kernel is licensed under the GPLv2, not GPLv3:

Performing a transfer of ownership of a laptop whose GPLv3-licensed OS can only boot a unprivileged account will not violate the GPLv3's Tivoization requirements, unless you also separately lock down the hardware to prevent the installation of new operating systems (i.e., perform the act of making the hardware "Tivoized"). The GPLv3 requires only that the device's owner be able to install and execute a modified version of the GPLv3 software on the hardware:

"Installation Information" for a User Product means any methods, procedures, authorization keys, or other information required to install and execute modified versions of a covered work in that User Product from a modified version of its Corresponding Source

This seems primarily like a matter of what the laptop's BIOS allows, not how the OS is configured. The OS does not get a say in what OS replaces it or is a coresident OS. In general, I'd expect selling a laptop with a locked BIOS is sufficient to violate this condition even with admin access to the OS.

Admittedly most desktop Linux distros allow the OS to install modified versions of itself, so if you don't grant a recipient the ability to use that OS-upgrade functionality and you lock the hardware (e.g. BIOS) such that you can't install any new OS, then indeed that union of lockdowns together are sufficient to violate the GPLv3's Tivoization requirements. If the laptop contains a well-docunented approach to resetting a BIOS password via hardware switch, you may still yet avoid avoid a violation if a court views this information as a well-understood normal use of that laptop hardware. If the laptop doesn't include a well-documented reset mechanism, then you have indeed created a Tivoized device that doesn't let its owner install a new OS, so I'm unsurprised the Tivoization requirements would be violated in this case.

Another pressing concern is that transferring ownership of any GPL software on a laptop requires providing or offering the source code for each GPL-licensed binary whose ownership is transferred. However, this consideration doesn't pertain much to unprivileged accounts or to the GPLv3 in particular; that issue may arise equivalently for GPLv2 or v3 systems sold to a new owner with full admin access.

As for Fedora 's rejection of the SSPL on the grounds of discrimination, I can see the logic (it names a specific industry whereas other licenses do not), but I agree I don't find it particularly persuasive. I agree their reasoning seems much more steeped in the cultural difficulties that would arise from admitting the SSPL under the definitional umbrella of FOSS licenses. However, just as the Debian Free Software Guidelines build specific interpretation on top of the Free Software Definition (e.g., the desert island test, the dissident test), so too is Fedora free to provide their own interpretation of the OSD.

I'll also agree with another answer here and say that I object to the SSPL on the basis that its requirements are so far-reaching that they might be legally unenforceable.

Honestly, I find the OSD's point #9 more relevant to rejection of the SSPL as open source:

9. License Must Not Restrict Other Software

The license must not place restrictions on other software that is distributed along with the licensed software. For example, the license must not insist that all other programs distributed on the same medium must be open-source software.

The SSPL imposes requirements on "management software, user interfaces, application program interfaces, automation software, monitoring software, backup software, storage software and hosting software," which seems likely to be out of compliance with point #9. For example, if SSPL-covered software runs a service that produces some data, and a separate piece of software asynchronously backs that data up to a remote drive, the SSPL places requirements on the unrelated backup software.

Why don’t unprivileged user accounts violate the GPLv3?

3 Answers3