Enforcing the General Public License (GPL) to bring real software freedom to people can be very challenging in practice, but many of the steps in the process are straight-forward. As the only organization enforcing the GPL for Linux, Software Freedom Conservancy (SFC) receives a huge quantity of GPL violation reports, and needs to triage each one as the beginning of our process. The next step is called the "CCS check" (complete corresponding source check), a crucial but barely known activity that determines whether some candidate source code actually corresponds to the device/binaries that the candidate was provided for. We will discuss the CCS check in detail, providing examples and tips for doing your own checks.
Lastly, we'll cover the offer check, something everyone can do to help in SFC's efforts to bring real software right-to-repair to every device running Linux. Whether you want to check offers for source code, review a CCS candidate, or go even further with additional GPL enforcement work of your own, this talk will set you up for success.
The 7 Things I Know About Cyber Security After 25 Years | April 2024
SFSCON23 - Denver Gingerich - How do you really do GPL enforcement
1. How do you really do GPL enforcement?
How do you really do GPL enforcement?
aka Bringing software right-to-repair to the masses
aka Bringing software right-to-repair to the masses
Denver Gingerich
SFSCON 2023
Friday 10 November 2023
https://ossguy.com/talks/20231110_sfscon/
4. Why are we here?
Why are we here?
freedom!
to repair, modify, update our device (software)
5. Why are we here?
Why are we here?
freedom!
to repair, modify, update our device (software)
"our source request was not made because we wanted
[company] to go to the website of each project it uses
and give us the tarball found on that website. If that's
all the GPL required, it would be quite a silly make-
work license. That's not what the GPL is; it requires..."
6. "the scripts used to control compilation
"the scripts used to control compilation
and installation of the executable"
and installation of the executable"
8. Enforcement, from violation report to compliance
Enforcement, from violation report to compliance
report received (at )
compliance@sfconservancy.org
9. Enforcement, from violation report to compliance
Enforcement, from violation report to compliance
report received (at )
triaging of report - GPL binaries given, no source/offer?
compliance@sfconservancy.org
10. Enforcement, from violation report to compliance
Enforcement, from violation report to compliance
report received (at )
triaging of report - GPL binaries given, no source/offer?
offer check, contact the company
compliance@sfconservancy.org
11. Enforcement, from violation report to compliance
Enforcement, from violation report to compliance
report received (at )
triaging of report - GPL binaries given, no source/offer?
offer check, contact the company
complete corresponding source (CCS) check
compliance@sfconservancy.org
12. Enforcement, from violation report to compliance
Enforcement, from violation report to compliance
report received (at )
triaging of report - GPL binaries given, no source/offer?
offer check, contact the company
complete corresponding source (CCS) check
back to contacting? how many times?
compliance@sfconservancy.org
13. Enforcement, from violation report to compliance
Enforcement, from violation report to compliance
report received (at )
triaging of report - GPL binaries given, no source/offer?
offer check, contact the company
complete corresponding source (CCS) check
back to contacting? how many times?
it works! get it to users! or...
compliance@sfconservancy.org
14. Enforcement, from violation report to compliance
Enforcement, from violation report to compliance
report received (at )
triaging of report - GPL binaries given, no source/offer?
offer check, contact the company
complete corresponding source (CCS) check
back to contacting? how many times?
it works! get it to users! or...
file a lawsuit :(
compliance@sfconservancy.org
16. Show me the source!
Show me the source!
talk is cheap, let's see some code
17. Show me the source!
Show me the source!
talk is cheap, let's see some code
sure, we've got source code candidates for you
18. Show me the source!
Show me the source!
talk is cheap, let's see some code
sure, we've got source code candidates for you
https://sfconservancy.org/usethesource/
19. Show me the source!
Show me the source!
talk is cheap, let's see some code
sure, we've got source code candidates for you
go ahead, try them out
https://sfconservancy.org/usethesource/
20. Show me the source!
Show me the source!
talk is cheap, let's see some code
sure, we've got source code candidates for you
go ahead, try them out
or keep listening if you like
https://sfconservancy.org/usethesource/
21. Show me the source!
Show me the source!
talk is cheap, let's see some code
sure, we've got source code candidates for you
go ahead, try them out
or keep listening if you like
let's break it down...
https://sfconservancy.org/usethesource/
23. The CCS check
The CCS check
"the scripts used to control compilation and
installation of the executable"
24. The CCS check
The CCS check
"the scripts used to control compilation and
installation of the executable"
therefore...
25. The CCS check
The CCS check
"the scripts used to control compilation and
installation of the executable"
therefore...
does it compile?
26. The CCS check
The CCS check
"the scripts used to control compilation and
installation of the executable"
therefore...
does it compile?
does it install?
27. The CCS check
The CCS check
"the scripts used to control compilation and
installation of the executable"
therefore...
does it compile?
does it install?
oh, wait: is it "the complete corresponding ... source"?
31. Does it compile?
Does it compile?
where is the README?
great! or let's try make...
need a certain OS? sure, use that...
32. Does it compile?
Does it compile?
where is the README?
great! or let's try make...
need a certain OS? sure, use that...
ok, now I'm compiling!
33. Does it compile?
Does it compile?
where is the README?
great! or let's try make...
need a certain OS? sure, use that...
ok, now I'm compiling!
uhoh, an error
34. Does it compile?
Does it compile?
where is the README?
great! or let's try make...
need a certain OS? sure, use that...
ok, now I'm compiling!
uhoh, an error
is it my fault? if you followed the steps, no
35. Does it compile?
Does it compile?
where is the README?
great! or let's try make...
need a certain OS? sure, use that...
ok, now I'm compiling!
uhoh, an error
is it my fault? if you followed the steps, no
or ... I got a firmware image!
38. Does it install?
Does it install?
let's find that README again...
one option: put it into that update UI
39. Does it install?
Does it install?
let's find that README again...
one option: put it into that update UI
install, works?!
40. Does it install?
Does it install?
let's find that README again...
one option: put it into that update UI
install, works?!
let's change something just to be sure
41. Does it install?
Does it install?
let's find that README again...
one option: put it into that update UI
install, works?!
let's change something just to be sure
still works! or ...
42. Does it install?
Does it install?
let's find that README again...
one option: put it into that update UI
install, works?!
let's change something just to be sure
still works! or ...
uhoh, bricked my device :(
43. Is it "the complete corresponding ... source"?
Is it "the complete corresponding ... source"?
44. Is it "the complete corresponding ... source"?
Is it "the complete corresponding ... source"?
proprietary kernel modules? * sigh *
45. Is it "the complete corresponding ... source"?
Is it "the complete corresponding ... source"?
proprietary kernel modules? * sigh *
any other non-source-code stuff?
46. Is it "the complete corresponding ... source"?
Is it "the complete corresponding ... source"?
proprietary kernel modules? * sigh *
any other non-source-code stuff?
generated stuff similar to stock image?
47. Is it "the complete corresponding ... source"?
Is it "the complete corresponding ... source"?
proprietary kernel modules? * sigh *
any other non-source-code stuff?
generated stuff similar to stock image?
no problems - huzzah!!