FLOSS Weekly Episode 747 Transcript

Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.

0:00:00 - Doc Searls
This is FLOSS Weekly. I'm Doc Searls, and this week I'm joined by two co-guests they're normally co-hosts which are Jonathan Bennett and Dan Lynch, and we talk about pretty close to everything. But the theme of the show is new, hot, big and doomed, and you have to listen in to find out what that means. That's coming up next.

This is FLOSS Weekly Episode 747, recorded Wednesday, August 30th 2023. New, hot, big and doomed. This episode of FLOSS Weekly is brought to you by Kolide. That's Kolide with a K. Kolide is a device trust solution for companies with Okta, and they ensure that if a device isn't trusted and secure, it can't log into your cloud apps. Visit to book an on-demand demo today.

0:01:06 - Speaker 2
Listeners of this program get an ad-free version if they're members of Club Twit. $7 a month gives you ad-free versions of all of our shows, plus membership in the Club Twit Discord, a great clubhouse for Twit listeners. And finally the Twit Plus feed with shows like Stacey's Book Club, the Untitled Linux Show, the Giz Fizz and more. Go to twittv slash club twit. And thanks for your support.

0:01:33 - Doc Searls
Hello again everybody everywhere. I am Doc Searls. This is FLOSS Weekly and this week I am joined by ourselves, two of ourselves Jonathan Bennett and Dan Lynch. Jonathan and I are holding down the middle of the US, while Dan is holding down the UK Making sure it doesn't there. He is putting two hands down at the desk to make sure it doesn't move. Dan is ahead of us at times. How is it doing for you, dan?

0:02:03 - Dan Lynch
I'm speaking to you from the future. Yeah, it's okay.

0:02:08 - Doc Searls
So far Five hours into the future. Things are okay. You're prospecting for us out there.

0:02:14 - Dan Lynch
Yeah, that's true, there's some kind of Philip K Dick novel in this somewhere, I'm sure.

0:02:21 - Doc Searls
Maybe we're all living in one, as it happens. So this is a roundtable, although it's kind of triangular, because there are three of us on this one and we've queued up a whole bunch of topics and we're talking about a couple of me before we came on. But I'll let Dan lead off. What is in front of you, that's in front of the world at the moment, that should be the open source and free software, the philosophy world that we should be concerned about.

0:02:52 - Dan Lynch
Sure, yeah. Well, so there was a story I came across earlier today. It's actually a couple of weeks old now but it's still quite relevant. We weren't about time to talk about it on the show.

Obviously, this year, a couple of months ago now, maybe even three months ago, there was the big fallout from the Red Hat situation when they changed their source code, distribution rules and so on. So basically only paid customers now can get the source code and, as some people do, enterprise they're enterprise red enterprise Linux, yeah, and as some people quickly pointed out, even those customers are not able to redistribute that code because of the license, because of the agreement they've got with Red Hat as a customer. So they can see the code but they can't redistribute it or anything. So obviously this has been arguably aimed at a lot of the kind of derivative distributions that are out there. Obviously, Oracle massive enterprise company, they make unbreakable Linux, they have them for a long time, or, as the Red Hat people once called it, unfakable Linux, with those t-shirts they used to wear where they took and repackaged Red Hat Enterprise Linux. So anyway, I'll stop burying the lead and actually tell you the story. So the story now is that, in response to that, to this current situation.

Oracle SUSE and quite a few other people have got together and created something called the OpenELA, which is the Open Enterprise Linux Association. It's been formed by Oracle SUSE. I don't know how you say this. It looks like sick, but I don't know if I should say that it doesn't sound right. It's C-I-Q. It's the name of the company. They sponsor Rocky Linux, among other things. Maybe it's psych, yeah, maybe it's psych, I don't know.

Although the kids. I believe I sound really old, but I believe the kids say sick again now, as a kind of a positive thing.

0:04:44 - Doc Searls
That's a good thing. It's like that's sick, the Dolphin sick. Are both good now yeah.

0:04:51 - Dan Lynch
Anyway. So yeah, they've announced interestingly, they've announced that they've created this, what's essentially like a trade body to help them to distribute and work together on making sure that they can continue to create Enterprise Linux compatible distributions, which is interesting. But their tagline is really interesting. It's kind of almost a direct shot at Red Hat. Their tagline is no subscriptions, no passwords, no barriers, free loaders welcome. The language is almost directly pointed at Red Hat, who announced that they didn't want free loaders and other things, which is quite interesting. But the thing I found really interesting about this is Oracle. I mean, I'm not as long in this business as you, doug, but I mean I've never really thought of Oracle as a great friend of open source software. I don't know how you feel about it.

0:05:50 - Doc Searls
Just briefly, oracle has always had, has generously supported lots of I shouldn't say lots, but a number of alpha maintainers of the kernel. True, so at that level they've been involved, but they're not known as a friendly company to lots of things. So you know, I mean that one of my favorite book titles ever is a very long one that says what is the difference between Larry Ellison and God? God doesn't think he's Larry Ellison. So that's approximately the title. That's kind of the whole book right there. But yeah, I mean, what's not clear to me is I mean, if you or I wanted to work on that code, would we be able to thanks to this organization? I have no idea, would we? So I think so.

0:06:52 - Dan Lynch
I think well, so interestingly, they're saying they're inviting everyone. It says absolutely everyone is welcome to join, from enterprise Linux downstream derivatives, to organizations that depend on enterprise Linux, to vendors and individuals who just want to be part of something amazing, you are invited.

0:07:09 - Doc Searls
So it's basically we're sitting in this stuff free and we really hope some of the downstream stuff that comes out is going to be whatever Red Hat's doing and screw them for locking this thing down in the first place, Kind of.

0:07:20 - Dan Lynch
Yeah, it's so far. They're promising to and this is in their words establish and make accessible sources, tooling and assets to all members, collaborators and the open source enterprise Linux distribution developers to create and maintain one for one downstream derivatives of what they're calling EL, which is just enterprise Linux, and this seems to be the new brand that they've that these other people are calling it. They're not calling it Red Hat Enterprise Next, they're just calling it enterprise Linux. Well, you can't, you can't call it.

0:07:50 - Jonathan Bennett
Red Hat. It hits. It hits trademark off. If you do that, I think enterprise has always been kind of the code name for this, even when it was when it was sent OS. There's a lot of history here. I have thoughts too, but you were, you were getting ready to make it.

0:08:05 - Dan Lynch
To make another point and now, no, that's fine. Well, I was just interested in the fact that they I was reading about this earlier about the, the problems they're going to have in in and this is kind of old news in a way. But because of the way that the red hat distribution source distribution stuff has changed, they can still, apparently because you've got CentOS now which is called CentOS Stream. They changed that and it's kind of upstream of rel, so it's kind of like a rougher kind of version of what will eventually become Red Hat Enterprise Linux. At some point they do sync up. So at the first, at the point not release of every Red Hat Enterprise Linux, you can grab the last version of CentOS Stream, supposedly, supposedly, which is almost you know, which is the same as what they're about to release, and kind of syncing up. So they were discussing whether this was possible. But then you've still got the problem that it's going to diverge down the, you know, down the, as they do their point releases on. On that it's going to diverge as well. So it seems like quite a challenge to me. I'm interested to see how they do. But Oracle have got quite a large customer base apparently for unbreakable Linux and other things. And also how.

How will this affect a lot of the kind of academic or scientific? You know there used to be scientific Linux, but you know the kind of distributions that. So Alma Linux I was reading about, which is used by, is a Red Hat, a rel derivative, is used by Fermilabs and, and CERN and NASA have another version. It's not, it's not Alma Linux, but NASA have a version of this which is based off a similar thing You've got. They've licensed Rocky Linux, apparently NASA now to use that internally, which is also based on on on rel. So I don't know, not exactly a clear point on that, but yeah, just some thoughts. So tell us, tell us your thoughts on this, jonathan, if you're.

0:09:54 - Jonathan Bennett
So, first off, rocky Linux actually put out a news story oh when was this? Back in June, it's about a month ago, no, two months ago now. Two months ago now that they have two different ways that they can get the upstream rel sources to be able to distribute them, and it's kind of it's kind of sneaky and it's kind of fun. They say one option is the use of UBI container images based on rel, available from multiple online sources like Docker Hub, and using one of these images it's entirely possible to obtain Red Hat sources. And then the other method would be to leverage pay per use public cloud instances where anyone can spin up a rel image in the cloud and thus obtain the source code for all, for all packages and iraada.

The cat and mouse game between Red Hat and Rocky and Oracle really intrigues me and it humors me quite a bit. I have been, and remained convinced that what Red Hat is doing is a violation of the GPL. I understand that they think they have a sneaky law your way to do this without being a violation, but a clear reading of what the GPL says about not adding what's the exact terminology? The GPL essentially says that you cannot add any additional restrictions and through the use of their end user license agreement they've added additional restrictions. So all of that is kind of its own thing. Maybe the most interesting about this is to see the difference in approach between Rocky so this new group that we're talking about and what All Malenix is doing, because All Malenix has taken a different approach to this and they've said well, red Hat wants us to be a downstream from CentOS Stream instead of Red Hat. What advantages could that give us? And one of the advantages is that if All Malenix is no longer bug for bug compatible, then they get to fix bugs faster, which is kind of a novel idea. So AMD had a processor problem back about a month ago now, and it was I forget the name that they used for it but it essentially allowed certain string manipulations happening in the processor to leak the contents of those strings. It was a null pointer dereference in the processor itself not in the code, but actually in the microcode of the processor was accidentally doing null pointer dereferences, which was a lot of fun. But Red Hat looked at this and said no, we consider that to be a non-critical problem and we will roll that microcode out when we deem it appropriate, and the guys at All Malenix said no, no, this is a huge deal, we're going to go ahead and issue this patch. And so All Malenix had to from what I consider to be a really critical security issue. All Malenix rolled the patch out within a couple of days of it being announced, and I don't know if Red Hat still has it out or not.

So I kind of made the point way back when Red Hat first started doing the CentOS Stream thing and we got Rocky Linux and All Malenix out of it. I kind of made the point then that it might be an advantage to have these two different companies doing this, because we could see two different competing approaches to it. And that really has come to fruition. And it is really fascinating to see, because now you have this option between Rocky Linux is going to continue to be bug for bug compatible, and when I say Rocky, of course there's also there's SUSE's coming Red Hat compatible and Oracle's as well. But you have this team, and then you've also got Alma who is taking this slightly different approach, which for some of us is really interesting. So time will tell. It's fascinating.

0:13:47 - Dan Lynch
Hmm, and it's worth pointing out that Alma Linux is not part of this association at the moment, at the time, correct Recording, so they are doing their own thing, which is really interesting to see what they're going to come up with. I think the whole thing's really kind of yeah, it feels like it's still early days in a lot of this kind of situation, but yeah, it's very interesting. I was reading about some possible ways of getting the source, as you talked about, but there's lots of them that, legally, are quite kind of grey areas. So it's kind of like is your legal team bigger than ours and do you really want to get into that with Red, red Hat and now, of course, ibm behind them? So maybe not. They're kind of like the 500 pound gorilla in the room.

0:14:39 - Jonathan Bennett
Well, isn't that really the point of Open ELA, though? Is to be able to put together a 500 pound gorilla legal team to keep IBM at bay, because you know that IBM would gladly go up against SUSE and they would gladly go up against CIQ, but Oracle and Oracle Plus SUSE maybe not. That may be some mutually assured destruction.

0:15:06 - Dan Lynch
That's a good point. Yeah, I never thought that. Maybe that's what it is. Maybe it's kind of like a calling together of resources in a way to kind of fight this, and so it's relatively new. It came out. They only announced this on the 10th of August, so what? Two, three weeks ago. So it remains to be seen what they'll actually do at this point. But it seems as though they're not backing down. They're going to try and keep fighting and keeping this going, which is really interesting.

One of the points that did make this in this article, which was on the register, I should point out is that they were talking about these kind of problems that they've got in some of the academic stuff that's going on, which is interesting because they're not commercial and they're not going to be selling the software or anything. As far as I could tell. I don't think the likes of CERN, for example, are going to be selling the software that they're going to make it so legally could they still do stuff. I don't know if they could still take some of the code and reuse it, but they can't officially redistribute it, which is the problem, for any purpose as far as I know. So I think you're right about the GPL thing. Certainly the reading. I mean I'm no lawyer in any sense of the term, but certainly smarter people than me have told me that they think this is very much a GPL violation or incompatible situation with Redhub.

0:16:38 - Jonathan Bennett
Yeah Well, that reminds me a lot of a point that Simon Fipps makes from time to time, and that is that licenses don't compile. It took me a bit to figure out exactly what he meant, but this sort of situation is what he's talking about. There's this disagreement about how exactly the GPL applies to this, and you're not going to get the kind of well like when you have source code and you run it through a compiler, you get an exact binary output. There's no way to do that. You don't get a binary output from looking at a license.

The closest we can do is litigate and put it before court and you ask the court to decide how does the GPL interact with this particular case. But you don't think anybody wants to do that right, like that's just a bad idea for everyone. Nobody wins. Nobody wins when you go to court like that, and so the point that Simon always makes is you can't just rely on the license to keep you out of the situation, which what is much better is to have a community around it where everybody's kind of in agreement and you work based on the community rather than just based on the idea that this license is going to keep everyone in mind.

0:17:41 - Doc Searls
I think there's a thread here with what happens when big companies that call themselves open source want to do things that big companies typically do that isn't, and what they can do with that and Red Hat isn't the only one. They've obviously started many balls rolling, most of which I'm sure they didn't intend to roll make happen in the first place. But there are other things going on like that and I want to visit those after we come back from this break. This episode of Floss Weekly is brought to you by Kolide, that's Kolide with a K. Kolide is a device trust solution for companies with Okta, and they ensure that if a device isn't trusted and secure, it can't log into your cloud apps. If you work in security or IT in your company as Okta, this message is for you.

Have you noticed that in the past few years, the majority of data breaches and hacks you read about have something in common? It's employees. Sometimes an employee's device gets hacked because of unpatched software. Sometimes an employee leaves sensitive data in an unsecured place, and it seems like every day a hacker breaks in using credentials they fished from an employee. The problem here isn't your end users. It's the solutions that are supposed to prevent these breaches. But it doesn't have to be this way. Imagine a world where only secure devices can access your cloud apps. In this world, phished credentials are useless to hackers and you can manage every OS, including Linux, all from a single dashboard. Best of all, you can get employees to fix their own device security issues without ever creating more work for your IT team. The good news is, you don't have to imagine this world. You can just start using Kolide Kolidecomslash Floss to book an on-demand demo today and see how it works for yourself. That's K-O-L-I-D-Ecomslash Floss. So, jonathan, we're seeing something like the same thing going on with Canonical. Is there anything wrong about that?

0:19:51 - Jonathan Bennett
No, so that is what a lot of us fear. The story, the setup here, is LXD is an open source container management extension for Linux containers. It was founded by Canonical and a lot of the work on it has been done by Canonical, but it's kind of existed apart from Canonical as its own project. This story starts back on July 4th. Canonical pulled LXD back in house. The source repository has gone from the LXC Git repository back to Canonical's GitHub account. The LXD website is now no longer on Linuxcontainersorg but is under Ubuntucom. Canonical is taking control of the LXD YouTube channel. They've sunsetted the forums and the LXD continuous integration infrastructure will now be moved under Canonical management. Then the update to that was on July 27th.

Another step in tightening up control was now that apparently and this is the one that has a lot of scratching our heads apparently LXD maintainership rights is limited to Canonical employees. What happened is a couple of the other maintainers I think one of them left Canonical and one of them was no longer at Canonical. But when the one left, he got his maintainership rights pulled by. Canonical no longer is a maintainer. It's kind of an odd thing because for most of the open source world, maintainership is not tied to employment. People come and go from companies, but they end up still working on the projects that they care about. This is definitely a thing like at the Linux kernel, for instance, Linux kernel developers tend to be kernel developers first and employees second. We talked to some of the guys at the kernel and that is the point that they've made too. There's this thing happening that really has some people worried. The latest news about this is that, in response to this takeover, LXD has been forked and the independent Incus project has arisen and that is now the official fork that is part of Linux Containers. This is essentially the community saying we are not okay with Canonical exerting this amount of control over something that's supposed to be a community driven project. Now there's one other piece to this, and that is over at Hacker News at ycombinatorcom.

Mark Shuttleworth actually jumped into the comments and made a couple of interesting points. One of them that I found the most interesting is he says that they've always tried to be at the forefront of new kernel capabilities, particularly security and container tech. It helps that Ubuntu generally has very modern kernels. On Ubuntu we can make releases of the kernel and LXD that line up nicely. Then he also makes the point that there are no plans to try to prevent other distros from using LXD. As far as that part of it goes, playing nice with everyone else, that's going to continue as usual. The point that he is making is essentially they want to be able to make these releases line up for better integration and that's why they pulled it in-house. I'm still not sure what I think about this. It seems a little heavy-handed the way that that went, but I'm holding out hope that they're not going full red hat with this.

0:23:36 - Dan Lynch
Yeah, it's an interesting situation. One of the things that you said there, which I really think is a really interesting point, is that the community came together and said no to this. I hope I'm saying that right. Incus Project that has been created is actually basically all the core developers and the original project leader of LXD. It's not just a few disgruntled people who might have been slightly associated, it's almost the core kind of people, which is amazing. They've basically been able to say look, you can't take this away from us, we're going to keep it going in another form.

0:24:18 - Jonathan Bennett
Yeah, they've essentially said we're not willing to put all of our eggs in that canonical branded basket. There are some potential resolutions out of this that are probably net positive. At this point, probably the best that we can hope for is that Incus becomes the upstream and Canonical continues to work on LXC as the downstream but pushes code to the Incus Project. That seems like that would be a reasonable solution that would make everybody happy. I guess one of the other alternatives is that the community sees it well. Ubuntu is handling this well and will refold, will re-merge the two forks. I don't know what will happen, but it's reassuring that the fork got spun up so quickly. Is that insurance that we're not losing control of this altogether? We're going to keep something out there that Canonical does not have control of.

0:25:17 - Doc Searls
A question for me in both the Red Hat and the Canonical case is given a chance to do it over again, would they do that? Would they do what they did? Would Red Hat have put the paywall up? Would Canonical have pulled LXD?

0:25:34 - Jonathan Bennett
Probably In Red Hat's case. I think that was a decision that came down from above and we haven't seen a whole lot of repentance over that decision. If you will Remorse, I was going to say remorse. There you go With Canonical's case. It's such a new decision, it's still playing out. I feel like we need to give them a release or two and see how it works before we really get to two down on them.

0:26:06 - Doc Searls
Yeah, it seems to me there's a. I mean many years ago, when I was working in Silicon Valley, realized there were always these three levels of the species, of the corporate species growing there's new, then there's hot and then there's big, and they're administrated different ways. They have different imperatives and there's a certain thing that happens once things get big and they get bad in certain ways. Yeah, and it's often because they have people on top that have no recollection of what it was that got them there. They're just or just, because big can't move as well as small. But there's especially, let's say, with containers and other things like this, that we're it's not just moving up the stack, we're moving farther and farther away from the original imperatives behind the code base that everybody depends on and lose track of why it was so appealing in the first place.

And so it strikes me, in reading through the Reddit thread there just quickly that you were quoting from, I wasn't clear to me whether Shuttleworth was really being defensive or whether, but he seemed to be saying things that were kind of platitudinous. It seemed to me Like we were always trying to do it this way, always trying to do it that way, and he's still in charge. He's still the original guy, so that's not a case where he got replaced, but they're commercial. He did sort of tip his hat to commercial necessities and I think there's always going to be a tug of war between those commercial necessities and trying to keep things open for everybody, because commercial necessities tend to be selfish and exclusive and working for everybody is very different. And how do you keep that ant farm going at the base level that you utterly depend on while at the same time trying to make exclusive products at the top that you charge for and put paywalls up for?

0:28:04 - Jonathan Bennett
So I am pretty convinced that there is not an inherent incompatibility between capitalism and open source, but I do acknowledge that sometimes those two things are challenging to make work together.

0:28:24 - Doc Searls
Yeah, and open source has been very good for business, but it's been good in a very downstream kind of way.

0:28:32 - Jonathan Bennett
And in some cases business has been good for. Open source, like the Linux kernel, has hundreds of maintainers, many of which get to do it as their day job, and the Linux kernel sort of has this. I don't know if it's written anywhere, if it's an unwritten rule, but the rule being that your manager at your day job does not get to dictate what happens with the Linux kernel Maybe tells you what to work on, but there's no corporate manager anywhere that gets to decide what goes into the kernel. And that unwritten rule has served them very well to sort of keep these two opposing forces separated from each other.

0:29:12 - Dan Lynch
That's a really good point and, although I've had my issues with them at times over the years, people like the Linux Foundation they're in plain Linux Torvalds, they're in plain many other key developers and maintainers and stewards of the kernel and all that sort of stuff. So it's true, actually it's very easy. I'm often myself keen to kind of point out the evils of certain corporate masters, but they do have their uses in some cases and they have given stuff back. There's an old adage I don't even know who said it, I've just been trying to look it up but at a certain point, once a company reaches at some point I can't remember what it's called it's like when a company reaches a certain size, they'll become run by accountants, essentially.

0:29:57 - Jonathan Bennett
I was going to bring that up the way that that's put, that I normally quote is pernell's iron law of bureaucracy. This isn't any bureaucracy. The people devoted to the benefit of the bureaucracy itself get in control, and those dedicated to the goals that the bureaucracy is supposed to accomplish have less and less influence and sometimes are eliminated entirely. So Doc had those three stages of a company New Hot Big, I think. Maybe there's a fourth stage. Yeah, doomed.

0:30:25 - Doc Searls
Yes, exactly, new, hot, Big and doomed. There's a my old friend, craig Burton, who was sympathetic to open source, but he was one of the before open source got big, was one of the primary people at Novel I mean of L-60, but he said there are some companies, when they get so big they don't know they're dead. He said it's like the giant snake that circles the world and the tail doesn't know when the head's dead, and so I think that's when you get to the doomed stage, when you get to the iron law. It works like that. And I'd like to move to some stuff that got said about how licensing itself is kind of obsolete, you might say. But we'll go to that after this break. Okay. So, Jonathan, I think you were the one who brought this up in our own back channel here. There was something Matt Essay wrote he's working for MongoDB and said something Well.

0:31:34 - Jonathan Bennett
So there is multiple facets to this story, but we can start with the Essay article. So the context here to keep in mind is he is not only working for MongoDB. He is one of the guys at MongoDB that is leading the charge away from actual open source licenses. I think MongoDB is going to the business source license, which we'll talk about that more here in a second. He wrote an article and he says the open source licensing war is over and he is essentially making the point that we are in a post open source environment and the actual license itself doesn't matter so long as the project is open enough to be usable. And I am not convinced.

I kind of feel like this is cutting the floor out from under yourself in celebration of being able to stand on the floor. It would be a weird way to put that, but it's hollowing out the foundations of how we've been able to get to this point that everything is open enough to be usable and that is that we've got these clearly defined rules in our open source licenses. And some of those rules are really important. And the rule here that things like the business source license really violates is this idea that once something is open source, you don't have any control over how people use it and who uses it. You have control over what happens to the source code itself, Like there's rules about what happens. For example, with the GPL, you've got to make the source code available to the end users. That's overly simplified, but essentially that's what the GPL says, and things like the business source license is trying to add this requirement that no, you cannot use our open source code to sell a product that competes with us. That's essentially what the BSL is about, and I am very sympathetic to these small and medium companies that has this open source project that they're trying to make money with. And then someone like Amazon who I think is one of the big offenders here someone like Amazon will come along, add support to it, Add support for that project to their cloud infrastructure and then sell it, and so now you have software as a service from Amazon who is going to undercut the business that's actually doing all of the development work on this piece of software. So I'm sympathetic to that as a problem.

But the reason that the way that we have gotten to this point, where everything is open source and open source is essentially one, is because when the guys and girls put their heads together and came up with these are the things that we have to have for it to be open source. They got it right, and a couple of those rules that they came up with was everybody gets to use it and you don't get to put restrictions on how it gets used. You don't get to say, well, we consider this use case to be evil and therefore you can't use it for that. That doesn't work with open source. You don't get to say we consider this person to be so obnoxious and offensive they don't get to use our product. That's not how open source works.

That's not part of the definition, and so I see it as a big problem when these different companies are going to things like the business source license and there's been other things out there, other ideas suggested, like there was the non-gratis license that someone suggested that is essentially just going to list one or two people. As these people are so obnoxious, they're not allowed to use the product, and it's like no, no, no. This is an important principle that you've got to make it open to everyone. You cannot exclude people or use cases because it's not really open. And the other problem with that is. Once you open the door to that, I think the people you least want making the decisions about who and what gets to you, who and what gets to use your software, are going to be the ones that inevitably start making those decisions. You kind of get into that ironclad law of bureaucracy again.

0:35:51 - Speaker 3
Mr Bennett, do you mind explaining again BSL and ant-pruit terms so I can better understand? Because it sounds like you said if it's open source, no one else can use that code to make money off of it. Everybody can use the code, but they can't make any money off of it. Is that correct, or am I confused here, which is probably.

0:36:15 - Jonathan Bennett
So sure. So one of the principles of open source is once you make the code open, anyone can use it for any purpose. Well, one of the things that's happened is business A is making money off of it. Business A writes the code, makes money off the code, but they've released it as open source. Business B comes along and sells that software as a service and makes money off of it, which is taking from the revenue of business A. They become competitors and the business source license is a suggested solution to that problem.

The BSL essentially says we own the copyright, we own the code, we're releasing it under the BSL and under the terms of the BSL you cannot offer a competing commercial product. Well, that does not jive with the definition of open source. So you have groups like OSI has looked at the BSL and says this is not an open source license, it's not open source compatible, it's not compliant with the definition of open source. So things like the BSL are not open source. And so you get terms now like it's a source available license, which is technically true but really is trying to squeeze the juice set of open source without actually meeting the definition of it. Yeah, so you've got the BSL. It's not open source, but the BSL is what would prevent offering a competing service?

0:37:53 - Dan Lynch
I think one of the best descriptions short description I've seen of kind of BSL-style licenses is the phrase look but don't touch. Essentially, you can look at the code, but we don't want you to. Actually you know. So, as Jonathan said, it violates the whole idea of free software and open source.

One interesting point though that I didn't realize until I was reading about this earlier, with the BSL license specifically, is that after four years so there is a non-compete clause in there, so you can't make a commercial product that competes with the provider of the software for four years, and then it reverts to a permissive license. And now I don't know how the mechanics of that work and it doesn't really. I'm not defending it in any way, but it is worth noting that after four years apparently there's a legal mechanism that means that it does revert to what we would call a true open source license. But it's still like violating this spirit of the thing. I thought quite interestingly reading the article that we referenced. I mean I can bring most things back to a big Lebowski-style reference, but reading it, all I could hear in my head was like go home, lebowski the hippie is lost and that was the kind of tone that I got from it.

I don't know, maybe that's just me, but I did think that, yeah, there's definitely something. We've pointed this out already, but it is worth pointing out that Matt A Say is very much a kind of proponent of this system, this licensing system, because that's what MongoDB does. They actually created the BSL thing originally, so they're going to be very much behind it, I think.

0:39:35 - Jonathan Bennett
Yeah, so going hand in hand with this. There is actually another story. Hashicorp has also adopted the BSL for their open source projects, which you may not be familiar with Hashicorp, but you probably will be familiar with either Terraform, vault or Vagrant. Vagrant is the one that I've had to rub shoulders with the most, and those projects have now gone BSL as well. And so now, when they keep in mind, when a company does this, you can still go back to the last release, the last.

There's going to be a clean copy of source code somewhere before they made the license change, and so you can just go back to that and essentially fork it and run on from there, which is, I'm sure, what people in the community are going to have to do. If Amazon wants to build a cell services based around Vagrant, that's what they're going to have to do. They're going to have to go back to that last truly open source copy of the code. But this idea is sort of gaining steam among companies that are doing open source things, and that does worry me a bit. I think too much of it when you say this thing.

0:40:47 - Doc Searls
you're talking about what Mongo did, or yes?

0:40:53 - Jonathan Bennett
Going to the BSL and things like it, moving away from actually being open source, trying to defend their project from getting essentially scalped by somebody else offering it as a service.

0:41:08 - Doc Searls
Dan, you're going to say something about that. I thought you were.

0:41:10 - Dan Lynch
Yes, sorry, I was reading earlier. You can tell. I've been reading the register today. It was another opinion piece on the register by Stephen J Vaughan Nichols. It is an opinion piece, but he was talking about this idea that I'll get the link.

He was talking about this move of companies away from open source licenses and he mentions the likes of MongoDB, redis Labs I think that's how you pronounce it Redis, or Redis Labs, elastic, who did it as well. Of course, it's in the light of this Hashicorp story that Jonathan was talking about that they've just done this. He makes the point that if you look at the actual I'm not going to get into exactly hard figures here but if you look at the financials of some of these companies, they're not struggling. They weren't struggling financially. It's a bit disingenuous for them to say we can't do this because we're struggling financially, because of competition, because of the way the licenses work.

What it actually is is a desire to have more money. His point was how much money is enough when you there's a few other people who've made this point, like Amanda Brock and people like that have commented on this. It's in the story there if people want to have a read of it, but I thought it was a really interesting point. It's like I said about the whole thing about accountants running companies. At a certain point, if you're making hundreds of millions but you'd like to make billions, is that justification for saying let's throw away any kind of principles that we had and go after that. I don't know, it's a larger philosophical question, possibly.

0:42:45 - Jonathan Bennett
I think there's even a more practical question than that, that is, by trying to go from making millions to making billions, are you in fact cooking your golden goose? Are you getting rid of the thing that actually made you successful in the first place? I believe that is the case. I think these companies that do this and move around, move away from actually being open source developers, are going to see that and be much less willing to use their products. It's companies moving into that fourth and final stage, where they are becoming doomed, rather than just big.

0:43:21 - Dan Lynch
Yeah, that's pretty true In the piece he mentions will developers become wary, as you say? Is it cooking golden goose? In a way, developers who might have donated their time or just helped out with projects feel like they don't want to because they feel like this is likely to happen down the road. If organizations have a history of doing this, are they shooting themselves in the foot and putting off potential developers and contributors in a way?

0:43:48 - Jonathan Bennett
Yeah Well, even more than just developers and contributors, are they putting off businesses that would have otherwise paid for their products? You've got to know that there are engineers at Fortune 500 companies that essentially make the decision what distro are we going to use when we prop up this next thing? Are we going to pay for a Red Hat license? Are we going to go to Ubuntu Server? Are we going to put Debian on this machine? Are we going to go to one of the OpenBSD systems? They read the news and they see what's happened with Red Hat and they probably used at some point in the past they probably used CentOS for their own personal projects. I question the wisdom of ticking off all of these network and software engineers by doing things like killing CentOS. I cannot think anything other than the next time these guys have to pick a paid distro, they're going to think twice about going with Red Hat. It's like Red Hat has burned me twice now through CentOS. Why would I trust them with this thing that we're building? Why would I put it on Red Hat?

0:44:50 - Dan Lynch
Yeah, I'm full of quotes today. It's the whole fool me once, shame on you. Fool me twice, shame on me kind of situation, isn't it I just noticed actually in this story. I should point out just for a correction, in case before somebody writes in to say I said before that MongoDB created BSL, but reading this, it's something called the server-side public license. The SSPL is what MongoDB created in 2008. Just to the interest of correction, I thought I'd better say that.

0:45:20 - Doc Searls
You might even say this is a form of a BSL. It kind of tries to do this similar thing. An interesting thing to me is that you brought up Stephen J Von Nichols pieces. He's been hammering away in the register about all this stuff. One of his points is that Red Hat's llama with its whatever they're calling it, is not really open source. Everybody's calling it open source. Well, somebody open source some of the large language models, but not really. This is another example of a really big company doing something that's kind of like they're what they depended on in the first place, but not really. I think we had to be on the edge of this problem for some time. Yeah.

0:46:11 - Dan Lynch
Well, that was kind of the point from the piece we talked about before, from Matt Esay's thing we talked about. So there's been a release, a story that I was looking at. It's a few weeks old now, I think, or certainly a couple of weeks old, but Metta the Facebook people, as I still call them they've released llama. Yeah, so they've got. Llama is their kind of large language model AI. They've released a version. Well, this is the argument. They're calling it open source, called llama code.

Now, what a lot of people are saying is it's not really open source because of some of the restrictions on the license and so on, you can't use it for, as Jonathan said, for commercial purpose basically, which is against the kind of freedoms to do whatever you want with the software and so on that you might talk about. But yeah, the whole llama thing is really interesting. It brings me on to something that I kind of wanted to talk about with you guys, which is the idea of how we're going to deal with code that's generated with things like Copilot and all these other pair programming systems, ai systems. They could be pulling code from GPL licensed software and suggesting it to you and so on. How does that affect licensing and things going forward for developers, because it's a big problem.

The AI may suggest things that are copyrighted in some way, or they might be in some other way, which is interesting. I think we've got a story as well about that, which I think Jonathan might have suggested, which was about Copilot specifically. They're actually going to. They announced let me fill when I find a link sorry they're actually launching a tool that will tell you that will reference when you. It suggests some code to you that is from another repository and from an open source repository or so on. That's what they're trying to promote. So I may be a bit out of touch on that one.

0:48:30 - Jonathan Bennett
So what? Yeah, I'll pick that thread up. So what GitHub Copilot is doing now with their referencing thing is when it suggests code. So what Copilot does is you're programming along and you come to a difficult problem and you can essentially say, hey, copilot, help me with this. And what Copilot does is it looks through all of the other source code on GitHub and it says essentially it says, oh, this problem is similar to these problems that these other open source or these other projects have fixed in this way, and so it essentially just borrows all of that code and then suggests based on all of this code that we've ingested, we think that this code is probably going to do what you want, and you know, sometimes that's useful.

I'm personally not sold on the idea of AI writing code at all, because I think AI is pretty much always hallucinating, but that's a separate issue. The question here is what about copyright? And so there's probably, and really there's going to have to be a court case, probably several court cases, to decide exactly how this works. But the fear is, if Copilot is taking large chunks of code directly from other projects, is it also then, legally speaking, inheriting the license from those projects? Is it enough that it's considered a derivative work. And then you have questions about well, what if Copilot is being trained on something that is closed source? Or what if Copilot trained on something that uses the GPL and we can't use the GPL in this project? Or what if it trained on something that's GPL and I'm working on a project that's closed source? And so then there's this question of how much Copilot usage and what Copilot usage can I use before it's a derivative work and we inherit, say, the GPL.

So what GitHub is introducing here with code referencing is it's essentially saying okay, we're going to look at the snippet that we suggested and we're going to search through all of the code that we've ingested and look for exact matches. And if we have an exact match, then we're going to warn the user about it, because there is this potential for legal liability for being considered a downstream, a derivative work. So when you look at things like AI in generating images, well, so far the court seemed to say that something, an image generated by AI, is not copyrightable, which okay, because copyright is for human expression and this is machine expression instead. That sort of makes sense, but it's not clear to me that that is going to be the decision that is made when it comes to source code. I don't know.

I would say this and I've warned several people this until we get those court cases, I would not be willing to use AI generated code in a project, just because of the potential for copyright to be sticky to those bits of code that AI suggests. And I can very much imagine a world in which people it'll probably be done in AI, where people put AI engines on, find me code that has been lifted from my source code and then see litigation around that, almost like what we see with patent litigation. Now you can start seeing the same thing with source code via AI.

0:52:15 - Dan Lynch
You can have an, if true, equals equals lawsuit, doesn't it? On the function? Actually, that's something that I did think of when I was looking at this. Similar to I don't know what the names of them, but the systems they use now in universities, colleges, to check automatically, scan your dissertations or whatever it is, to check that you haven't used AI or copied large amounts of something from somewhere else, might be a similar kind of system.

0:52:50 - Jonathan Bennett
Yeah, you've got to think that some of that technology is going to be the same. So universities are doing things like well, automated systems looking for plagiarism, but they're now starting to do automated systems looking for things generated by AI, and so you could imagine that exact same technology being used for source code. According to me, source code that's plagiarized from my project.

0:53:14 - Doc Searls
I've been friends. I'm at a university, but a friend at another university said that his is at the denial stage. No, past the denial stage and now they're at the bargaining stage of grief about the presence of AI in their midst. And it has to do with things like this. I mean, it's going to be impossible to tell a lot of this stuff. You do the AI of marking on another AI, marking another AI while a student is cheating, or maybe not cheating. Well, at the same time, what you're trying to do is learn. It seems to be, jonathan, that what's the poison in here? Because you go back to do you poison something by having the AI code in it that may have inherit license problems from somewhere else. Is that a good enough way of putting it?

0:54:07 - Jonathan Bennett
Yes, yes, you inherit copyright from another project and that copyright might not be compatible. Not all open source licenses are compatible with each other, so there could be a big headache there.

0:54:20 - Doc Searls
Well, we're down to being fairly short on time, and so after this break we'll come back to the topics. We have too many listed, but one of them might be right to repair. One of them might be something else and we'll go into that after this. Hey, so there's one more thing One loose end. One loose end from the last thread, Do we?

0:54:40 - Jonathan Bennett
want to go back and do a break and do that right.

0:54:44 - Doc Searls
Okay, yeah, we'll break it, but let Doc take it up and hand it off to me. Okay, I'll do it. Okay. So, jonathan, you had one last thread to close from the last conversation.

0:54:58 - Jonathan Bennett
Yes, so we've been talking about all these things that are problems, and not necessarily doom and gloom, but different things to tackle, and there's actually some good news out there. And so I've got a pair of stories about right to repair, which is slowly making progress both in Europe and in the United States, and one of these is a hackaday story about Europe's proposed right to repair law, and this is essentially a law that says that if you're going to sell consumer electronics, you've got to also make them open enough to where people can work on them themselves. And so you've got things like companies are starting to put replaceable batteries in their phones. I believe Apple is going to finally be forced into using the USBC port for charging the new iPhones, things like that and while I am of two minds of the idea of the government forcing companies to do things, I do see that it's a huge consumer win to be able to replace your battery and to use one charging cable for everything. So I think that's probably a net positive. But the other one that's really interesting is it's an Arsenteca article, and essentially hell has frozen over because Apple has come out and supported a right to repair bill and this is a California bill SB244. And Apple is making some stipulations but is coming out in support of the bill, and it's very much a flip flop from what Apple has done in the past, and I have to think that this is Apple seeing the writing on the wall Enough. Consumers want right to repair, it's going to happen, and so if Apple jumps on the bandwagon now, they may be able to, from their perspective, limit the damage.

I think there was a really humorous quote in here Back in 2017, nebraska was apparently working on one of these right to repair bills. The then Nebraska State Senator, lydia Branch, was quoted as saying that an Apple representative told her that if Nebraska passed its right to repair bill, it would be the only state to do such a thing and it would become a mecca for hackers. And I read that it was sort of confused because that sounds amazing. But state doesn't want to be a mecca for hackers. That's like you would become the next Silicon Valley. Really struck me as being a net positive thing for a state. But then I realized, no, no, that word hacker actually has a negative connotation for most people, doesn't it? But it looks like right to repair is coming and I'm pretty excited about that I have been very annoyed by the inability to replace cell phone batteries for a long time. So a net when there, I think.

0:57:43 - Dan Lynch
Yeah, I think you're definitely right. I agree with you about and I've never been a big fan of Apple, to be honest, that's just my personal opinion. But I do think that you know they can see that they're not winning this battle now and I think it's better for them to. For PRs, you know, from the PR perspective they can kind of try and look like the good guys a little bit to some degree now by getting behind this and people who maybe haven't followed the story or, don't you know, have a great interest in it, will just see a headline that says Apple supports right to repair, and that would be the only thing they know and they'd be like, oh, apple is so good for repairing stuff and and so on.

It is interesting the whole thing with the USB C port that was actually passed. There was so years ago years ago now, I forget exactly what year and the EU told Apple that they had to use a USB C port, or a common port, on all of their devices, on their iPhones and stuff, and they just ignored it because they could afford to pay the fines. So they were just like, how much is the fine? Yeah, we'll just pay the fine. So they just paid the fine for years because they were like, we're not doing that, we're going to keep paying the fine. So now they finally changed changed possession on it, which is interesting.

0:58:58 - Jonathan Bennett
Yeah, yeah, it's interesting. So there's there's, there's one other wrinkle list. We have time to talk about ice cream.

0:59:06 - Doc Searls
Always? You do, but I. There's a question I have about USB C, which is is it not true that I mean there are some USB C itself is not entirely a unified thing within, and given the many uses of it, such as having an 85 watt laptop charger, frying some earbuds or something like that, do you have a short answer to that? I just wonder about it.

0:59:30 - Jonathan Bennett
It's terrible. It shouldn't break anything, but there is no guarantee that when you plug a given cable in between two given devices, that it's going to do what you think it's going to do. There's about seven different.

0:59:41 - Doc Searls
You should have a smoke rising yeah.

0:59:44 - Jonathan Bennett
But no, no, you shouldn't get smoke. If you get smoke, something is really wrong. But there's no guarantee that a cable is going to have all the pins attached in the way that you think it does, and so it just. A given cable may not transfer power, or a given cable may not transfer video signal. A given port on your laptop may not support high power charging, it may not support input power, it may not support pushing video over that cable. So USB C is great, except for the parts where it isn't.

1:00:17 - Doc Searls
So let's, let's go to ice cream, because you're heading in that direction.

1:00:23 - Jonathan Bennett
So this is this is related, I promise. In the United States there is the McDonald's ice or the McDonald's franchise. It's fast food and McDonald's has ice cream machines for soft serve ice cream. And there is this meme that's been around for years and years that the ice cream machine at McDonald's is always broken. And there's a reason that that meme exists, because it's quite common to go into a McDonald's and find that the ice cream machine is broken. Well, there's a couple of reasons for that. One, the ice cream machine at McDonald's is way over engineered because it does self cleaning cycles and it to be able to constantly have cold ice cream but to have it in a way that's safe is a hard problem to solve. So the ice cream machines are way over engineered. But the bigger problem there is McDonald's has an agreement with a particular company. Oh, what's the name of the company? I can't, I don't remember the name of the company off the top of my head. They have, they have agreement with the company that makes the Taylor, I think.

Yes Taylor makes these freezers, these ice cream machines, and only Taylor is allowed to service these ice cream machines, and Taylor likes to charge a lot of money to come and do it and they're not exactly the snappiest. So a company started making these little diagnostic devices. I fix it is one of the companies that's doing it. Both knowledge is the other, and they're they're making these little diagnostic devices sort of like a car OBDC reader where you can plug it into the port. You can see what the problem actually is, and if it's something trivial, there's a button on there to say make me ice cream anyways.

Well, taylor has hit them with a DMCA violation, a digital millennium copyright act violation for essentially the essentially telling section 1201, telling them that you know you're not, you're not violating copyright, but you're, you're violating the digital rights management, you're violating the security protections, and so I fix it. And these two companies are now launching a lawsuit against McDonald's and Taylor saying this is ridiculous to use the DMCA to try to prevent us from fixing people's ice cream machines. And they're they're looking for a. They're they're looking for an exception to the DMCA for ice cream machines, and it's. It's very much a right to repair issue, but just the whole thing is humorous, it's. It's hilarious that the DMCA is keeping ice cream out of the hands of poor, hungry children.

1:03:02 - Doc Searls
I'm trying, I'm quickly searching to see if this is true or not. Does McDonald's call their ice cream ice cream and a Dairy Queen does not A number of other sauce serve? Ice cream vendors don't, because technically they don't qualify by the federal definition of what ice cream is and how much. You like, jonathan, but I just but I'm trying to find out whether I McDonald's actually is ice cream in any way. That's what they all say. Software serve yeah, that's right.

1:03:32 - Jonathan Bennett
Yeah. So there, there is a hilarious website, by the way. I've got to mention this. Mcbrokencom is a. It may be worldwide. Yeah, it's a worldwide map of. I say worldwide, it's not worldwide, it's, it's the US, it's the UK and Germany, so, but anyway, it's all of the locations where there are McDonald's and it is a map of right now Is their ice cream machine working or is it broken? And I tell you what, when you zoom out on this, there's a whole lot of red on that map. It kind of looks like there's a lot of broken ice cream machines right now. So in Los Angeles.

1:04:13 - Doc Searls
I'm astonished at how many ice cream, how many McDonald's there are. To begin with, oh goodness, it's like, oh my God, it's almost as many as subway, but there's a stop in Los Angeles.

1:04:24 - Jonathan Bennett
right now, 17.14% of all of the ice cream machines in the McDonald's franchises are broken. It's hilarious to me, wow.

1:04:35 - Doc Searls
Well, this is great. So so, guys, before we go, you always ask this John, is anything really weird that's going on or that has happened that you'd want to report on? I'm blindsided you with that, but I'm not.

1:04:45 - Jonathan Bennett
I think, I think McBroken, I think McBroken. I think it's weird and unusual thing.

1:04:49 - Doc Searls
My qualifier is this yes, yeah, so this is where I need to look at next week, which I always did. This week is not what we planned last week. We won't go into what that was, but I have it. Actually, it's Nathan Freitas of Proof Mode Personal Security, anonymity and Privacy Using Phones. So he's with the Guardian Project, so that is coming up next week. So I want to make sure I have that and now, so you guys need to. Well, how was this for both of you guys? At this point, we managed to cover most of the things that we'd share with each other, I think before the show.

1:05:35 - Jonathan Bennett
Yeah, we got through pretty much all of it.

1:05:37 - Dan Lynch
Yeah, I think we did pretty well. Not always the exact path that we thought we were going to go, but we got there in the end. I was just thinking that it's a very wondering path where we started.

1:05:47 - Jonathan Bennett
With which one did we start with? Was it the business source license? No, it was something else. We started with the AI and we ended up with ice cream. Right, it's a very interesting path that we've taken to get there.

1:05:59 - Doc Searls
Yeah, and now finally, I haven't looked at the back channel yet, but we'll do that eventually in the meantime. So you guys want to do your plugs and then I'll get to the close, and then we can yak at each other privately, almost.

1:06:21 - Dan Lynch
Yeah, thank you very much. Yeah, I don't have a massive amount to plug in On the whole right to repair and so on. We have a repair cafe at the local hackerspace that I'm part of in Liverpool. We have a I say this as if I'm behind this in some way. I don't really do any of the good work, but some of the guys there, some of the people involved they every month run a repair cafe. So if you've got something that's broken, you can bring it along. If you go to my website, which is downlinchorg, you can find links on there to various things. But there's actually a repair cafe movement in, certainly in Europe. I don't know, maybe there is in the US, I'm not really sure, but you can go and look for your nearest repair cafe which will help you hopefully repair your items. So, yeah, that's the only thing I have to plug. Really, my website's woefully out of date. I need to get on there and update it more. So I apologize for that, but you can find all the relevant things on there, All right.

1:07:25 - Doc Searls
So Jonathan.

1:07:27 - Jonathan Bennett
Yep, I've got. I guess I have three things I want to plug this time. So first off, I'll mention hackadaycom. We've got the security article. It goes live every Friday morning there. And then there's the untitled Linux show which is a club twit exclusive. And if you're not on club twit, you should be and make sure to check out the untitled Linux show while you're there. And then one last thing I've just recently set up is I'm now on Buy Me a Coffee. So if you want to get access to the tip jar,, no pressure, but check it out if you want to.

1:07:58 - Doc Searls
That's fantastic, I'd note about. Buy Me a Coffee, yet I'm drinking less. Now, damn it, I'm not allowed. I'm not allowed Anyway. So that's Jonathan then.

1:08:13 - Jonathan Bennett
Back to you, Jonathan, now.

1:08:14 - Doc Searls
I get a free tree. Oh yeah, okay, guys, this has been great. It's been a great show. Again next week, nathan Freitas of proofmoorg. It'll be a good show. I'm Doc Searls, we will see you then.

1:08:30 - Rod Pyle
Hey, I'm Rod Pyle, editor in chief of Adaster Magazine, and each week I joined with my co-host to bring you, this week in space, the latest and greatest news from the final frontier. We talked to NASA, chief space scientists, engineers, educators and artists, and sometimes we just shoot the breeze over what's hot and what's not in space books and TV. And we do it all for you, our fellow true believers. So, whether you're an armchair adventurer or waiting for your turn to grab a slot in Elon's Mars rocket, join us on this week in space and be part of the greatest adventure of all time.

All Transcripts posts