My Visit to SCO

This essay describes my visit to SCO on
June 17, 2003, to discuss SCO's claim that Linux infringes on its
intellectual property rights. I visited the SCO office in Lindon,
Utah, for about one hour. I spoke with Chris Sontag, Senior Vice
President, Operating Systems Division, and with Blake Stowell,
Director of Public Relations. In order to speak with them, I signed
a non-disclosure agreement.The short version of this essay is SCO's claims are unproven,
as I expected would be the case before I went. The amount of
information SCO was willing to show me was extremely limited, and
it did not by itself prove that SCO's claims were true nor that its
claims were false.BackgroundI won't give the full background here, as it is well covered
elsewhere, such as on
Karsten
Self's page. The short version, as of June 17, 2003, is SCO
has sued IBM, alleging that IBM took work that was the intellectual
property of SCO and incorporated it into Linux (when I say "Linux"
in this essay, I mean specifically the Linux kernel, not a complete
distribution). SCO is the current owner of Unix, which originally
was developed by AT&T. SCO, which used to be named Caldera,
purchased the rights to Unix from a different company named SCO,
which has since changed its name to Tarantella. Along with Unix,
SCO purchased a number of contractual agreements, including one
with IBM. SCO is alleging that IBM has violated that
contract.SCO also sent a letter to some 1,500 commercial users of
Linux distributions, warning them that Linux may be an unauthorized
derivative of code owned by SCO. That is, SCO alleges that Linux
actually to some extent is owned by SCO and may not be distributed
under the GPL. The letter further claims that users of Linux may
have legal liability because of this.SCO said it would provide evidence that Linux is a derivative
of Unix to independent analysts. With the help of Don Marti, Editor
in Chief of Linux Journal, I contacted SCO and
offered to be one of those analysts. SCO agreed, subject to my
signing the NDA and traveling to its headquarters in Lindon,
Utah.SCO's legal case is complicated by the fact that when SCO was
named Caldera it was itself a Linux distributor, and it may have
distributed, under the GPL, the code which it now claims to own. It
also complicated by allegations that SCO has incorporated Linux
code under the GPL into UnixWare. These issues may indeed cause
SCO's legal case to founder, but not in the way I would prefer it
to founder.Why Did I Go?I took the trouble to visit SCO because I care about what
happens to free software in general and Linux in particular. The
SCO claims have put a cloud over Linux. I have heard speculation
from business acquaintances that the free versions of Linux will be
shunned by corporate IT users, who will be unwilling to take the
legal risk of using it. I don't think that would be good for Linux
or for free software.I remember the AT&T case against BSDI and the University
of California, which arguably stalled BSD development for a few
years. Indeed, it arguably was the root cause of Linux's
popularity, because Linux development was not stalled. SCO's case
against IBM is in some ways a reprisal of the AT&T case, and I
fear that it has a similar potential to stall Linux
development.SCO was willing to speak only with people who signed a
Draconian non-disclosure agreement (NDA), one which essentially
permitted SCO to declare any information it provided to be
confidential, regardless of whether the signer already knew it, and
which offered no circumstances under which that information could
be revealed. Most Linux developers are unable to sign such an NDA,
as it easily could prevent them from ever again working on the
kernel. Similarly, employees of any company that works with Linux
cannot sign such an NDA.I have never contributed to the Linux kernel myself. However,
I have worked with free software for over 10 years, including
acting as a maintainer for projects owned by the Free Software
Foundation. I have plenty of personal knowledge of how free
software development works. I currently am not employed by anybody,
but simply working as a contractor on work not related to
Linux.Thus, I felt going in that I was in a good position to sign
the NDA and to analyze the information that SCO presented to me.
While SCO easily could have made it impossible for me to contribute
to the Linux kernel, it had no reason to do so. In any case, I had
no particular plans to do any kernel work.Before going to meet SCO, I asked three times if it would be
willing to change the NDA. I suggested that SCO should change the
NDA to permit the disclosure of information when legally required
by a court and to permit the disclosure of information when SCO
specifically agrees to it. I also suggested the NDA should be
changed so that information I already knew before meeting could not
be treated confidential. The only response I received was SCO
forwarded my suggestions to its counsel.As it turned out, SCO actually showed me very little
confidential information.PreliminariesAs mentioned above, I met with Chris Sontag and Blake
Stowell. Chris Sontag did almost all the talking. In general, below
I say "SCO says" and so forth, but Chris Sontag was the one who
actually was talking.Chris Sontag showed me a series of PowerPoint (I assume)
slides and talked about them. I took notes on my laptop. He
listened to my questions and tried to answer them. He did not show
me anything beyond his planned presentation, despite my requests
for some additional information. This presentation was not the same
as the one described by
The
Inquirer. This one was divided into three main
topics: SCO owns Unix, SCO vs. IBM and Linux is tainted.SCO Owns UnixSCO argues it purchased full rights to Unix from the old SCO,
which purchased the rights from Novell. The Unix patents still are
owned by AT&T, but SCO has purchased the right to use them.
There was a dispute with Novell over copyright ownership, but SCO
claims this has been resolved and SCO does indeed own the
copyrights.In general, SCO claims to have purchased all rights to all
versions of Unix System V and all prior versions of Unix, which
were developed by AT&T.My concerns are with free software, not the actual ownership
of Unix. I believed at the start of the lawsuit that SCO owned the
rights to Unix, and I suppose I still am willing to believe that. I
think that any legal issues here clearly are a matter of the
purchase contract between Novell and the original SCO, and it
should be more or less straightforward for the new SCO and Novell
to settle them.The main issue of interest to me is whether rights to early
versions of Unix have been weakened by the wide spread distribution
of source code, including the publication of the Lions book and the
fact that, until recently, the new SCO was distributing Unix source
code for free on its FTP site.SCO vs. IBMSCO is suing IBM for breach of contract, unfair competition,
tortious interference and misappropriation of trade secrets. SCO is
now the owner of the contract that IBM originally signed with
AT&T (I assume, but maybe some later owner) to develop AIX.
That contract requires derivative works remain part of AIX. It also
requires IBM to maintain confidentiality of sources and derivative
code. Derivative works are allowed "provided resulting materials
are treated as part of the original software products."SCO has a list of about 20 IBM engineers who are, it claims,
using AIX methods in Linux. SCO claims that some of these engineers
literally are looking at AIX source code as they discuss Linux
issues and making recommendations based on the AIX code.SCO claims this is inappropriate because everything built on
top of AIX or using methods developed in AIX is really a derived
work of Unix. As we talked, I realized this is a key part of SCO's
argument. SCO claims that anything built on top of Unix is itself a
derived work of Unix. I will discuss this further below.SCO said that besides IBM, Sequent has contributed code to
Linux which is derived from Unix. Sequent is now a subsidiary of
IBM.SCO also claims that some of the derivative works IBM
contributed to Linux include NUMA, RCU, JFS, SMP, performance
measurement and improvements, serviceability, scheduler
improvements, LinuxPPC 32 and 64 bit support, logical partition
support. Sontag moved on to the next slide before I typed down the
rest of the list.I asked specifically about JFS, because I know that was
originally developed for OS/2. SCO claims that JFS was originally
developed for AIX, then ported to OS/2, then ported back to AIX;
the port back to AIX was the basis for the Linux port. Chris Sontag
said this was straight from the
JFS
web page. I just checked, and the JFS web page does not
entirely agree. There IBM says that while JFS was first developed
for AIX, the development for OS/2 was a new effort; the Linux port
was based on the OS/2 work, not the port back to AIX. Using SCO's
expansive definition of derivative work, arguably the development
on OS/2 was based on the original AIX development, as some of the
same people may have worked on it and used their experience with
the AIX code.Again, despite all this discussion, the whole issue of SCO
vs. IBM was not the reason I was there. If IBM did indeed breach
its contract, I suppose it should pay some appropriate penalty.
I've been around the computer world too long to think that IBM is
on the right side of every issue. However, SCO's presentation did
not show me any clear evidence that IBM did indeed breach its
contract. Obviously, IBM has contributed code to Linux, but it is
not at all clear to me that such code is a derivative of
Unix.Linux is TaintedHere, we come to the meat of the issue: has code clearly
derived from Unix been incorporated into Linux? Unfortunately, SCO
was willing to show me only one example. I was shown a source file
Sontag said was from SVR4, which was compared to a source file from
Linux. The identical portions of the code were highlighted. There
were indeed substantial similarities in the code: very similar
comment text, the same variable names, the same algorithm. There
also were some differences, but it seemed quite plausible that both
pieces of code came from the same source.SCO refused to show me the revision history of the Unix file.
I pointed out this made it impossible to judge the order of
derivation; SCO agreed, and said it was a matter of discovery for
the court case. SCO said it is confident the code had not appeared
in BSD and was developed internally at AT&T and
successors.The NDA I signed prohibits me from saying anything that would
help identify the code in question or anything about how it got
into Linux (I discuss the issue of secrecy further below). SCO did
not permit me to type the code, but I was told the Linux file name,
and I have a good memory for such things in any case.Here is what I think I can say about the code I saw. The code
is fairly trivial--the kind of stuff I wrote in school. The similar
portions of the code were some 80 lines or so. Looking around the
Net, I found close variants of the code, with the same comments and
variable names, in sources other than Linux distributions. The code
is not in a central part of the Linux kernel. The code does not
appear to have been contributed to Linux by SCO or Caldera. The
code exists in current versions of the Linux kernel.Also, oddly, my recollection of the code SCO showed me is not
precisely the same as any version I found in any Linux
distribution. The differences were in parts of the code that were
different from the Unix code. The copyright statement at the top of
the file also appeared to be different, though probably not
consequentially. However, because I was not permitted actually to
type the code, my memory could be playing tricks on me here.If this is SCO's only example of Unix code appearing in
Linux, I very much doubt there is any real legal liability for
Linux users. If the code is indeed derived from Unix, which is
unproven, it is roughly equivalent to typing in some code from a
basic computer programming text without permission. While I
hesitate to predict the actions of the legal system, it is very
difficult for me to believe that any judge actually would award
damages on the basis of this code.Naturally, SCO says many other examples exist, and it has
found at least 10 to 20 specific examples of direct copying. SCO
said there was much more derivative code. It claims there are cases
in which copied code intentionally was obfuscated and rearranged to
hide its origin. I commented I felt such a scenario would be
difficult to prove, and indeed I sincerely doubt that anybody would
bother.SCO said that only in the last month or two has it really
started analyzing Linux kernels for cases of copying. SCO claims it
steadily is finding more cases and that all of this will come out
in court.It's difficult to know what to make of this type of argument.
SCO showed me something that appears suggestive but that also
apparently is inconsequential. SCO claims to have much more
evidence, which I was not shown. It's tempting to conclude this is
SCO's best case and it has no strong evidence. After all, if SCO
can make its case to somebody like me, then it is in a stronger
position for extracting revenue by licensing Linux to customers who
are scared of lawsuits. But SCO may have other plans.I admit that SCO's example unsettled me by what it implies.
Although in itself trivial, it does suggest that some Linux
contributors may have been careless about copyright infringement.
That is unfortunate.My QuestionsAfter the presentation was over, I asked a few questions. I
asked SCO when it expected to go to court. The answer was document
discovery and depositions have begun. No court dates are
set.I asked why SCO sent letters to commercial users of Linux
distributions, but I was not given a satisfactory answer. SCO said
the letter was to make Linux users aware that it believes Linux is
tainted and contains unauthorized intellectual property. The letter
was to tell the Linux users they may have some liability and should
seek advice from counsel. SCO said Linux users then could go
through the same process of discovery that SCO presently is going
through--but, of course, the users can't, because they don't have
the Unix sources. My guess is the letters were to set themselves up
for Linux licensing.I asked whether SCO has any plans to license the Unix code to
Linux users, to remove the liability. SCO said it has no current
program. It hopes to come up with something in which noncommercial
use and educational use would be free, but for commercial use it
wants some remuneration. SCO said it hadn't come up with a plan
because it still is trying to figure out the scale of the problem.
SCO hopes to have some sort of solution by as early as July.SCO commented that Linux has no mechanism that ensures
ownership of the IP which goes into it. It said most Linux
developers are honorable, but some commercial entities are bending
the rules for their own benefit.I asked about the lawsuit between AT&T and BSDI. That
lawsuit was not ended by a judgment, it was settled between the
parties, and the settlement was in large part confidential. SCO,
which I presume is the legal inheritor of the AT&T side of the
settlement, claims some aspects of the settlement have not been
enforced but would not describe it further. SCO has not yet looked
into whether, in its opinion, the free BSDs legally are derivative
of the Unix sources. I assume if SCO can get a handle on the Linux
situation, it'll go after the free BSDs next.I paused for a while, trying to think of my next question,
and Chris Sontag said he had another meeting to attend and
left.Blake Stowell asked me what I would do if I owned some
proprietary code, and it was being used by other people without
permission. I said that Unix had been widely distributed for many
years, had been published in books and was not, after all, actually
written by anybody at SCO. I said I didn't think that was easily
compared to more conventional situations. Incidentally, Blake
Stowell worked at Lineo and joined Caldera in 2001. He agreed that
the company had radically changed since that time.That was the end of the meeting. The rest of this essay
discusses a few relevant topics in more detail.Derivative WorksThe key to SCO's case against IBM appears to be an expansive
notion of derivative works. SCO basically is arguing that any code
developed on top of Unix is a derivative work of Unix. It is
arguing that the contract with IBM, which SCO now owns, makes clear
that any work derivative of Unix must remain confidential.SCO is using a very extensive notion of derivative work. When
I made that objection, SCO said it was for the court to decide. It
is true that, so far as I know, no court has ever ruled on whether
one piece of software is derivative of another. The question is
whether a court would rule that even software entirely developed by
IBM, such as JFS, is a derivative work of Unix because it was
developed as a component of a Unix system. I think we can all agree
that Unix with JFS is a derivative work of Unix; the question is
whether JFS by itself is a derivative work.In general, the issue is where the boundary lies between
derivative works and independent works. All programs run on Unix
use a Unix API; do they therefore become derivative works?
Presumably not. However, when writing a program that runs on Unix,
I might look at Unix source code if I have access to it; does that
make my program a derivative work? It seems, from SCO's comments,
that it might claim this is so.I am not a lawyer. However, I hope the courts will not accept
SCO's broad definition of derivative work. I think it would be
dangerous for free software and for software development in
general. Software thrives by extending work done by others. If
adding a component to an existing piece of software means the
component is owned by the owner of the existing software, then few
people will add components. That would not be good for
anybody.It's worth noting that if a court does accept such a broad
notion of derivative work, it will weaken SCO's defense against the
allegations that Linux code was copied into UnixWare. That would
seem to put SCO on the horns of a dilemma; I don't know how it
plans to resolve it.SecrecyI asked a couple of times why SCO was being so secretive
about everything. The answers were not particularly convincing. SCO
said it was keeping its evidence secret because it is part of a
legal action. The evidence will be presented in court. SCO doesn't
want it to be tried in public before it is tried in court.SCO said the Unix code always has been provided under
confidentiality agreements, despite its wide distribution. It said
that until the parties go to court, it doesn't want the Linux
community to remove the code in question. SCO thinks it's more than
changing a few lines of code. As noted above, it feels large chunks
are derivative. It argued that even a full replacement would be in
part based on the prior effort, and thus would itself be
derivative, at least under the terms of the IBM contract.My guess is SCO would prefer not to have to reveal any of its
evidence. My guess is it would prefer to settle with IBM and to use
the spectre of liability to get licensing revenue from Linux users.
After all, in court SCO might lose. The current situation, in which
it makes people feel nervous, is better for SCO. I don't know if
I'm right, and if I am right I don't know how it will play
out.Chris Sontag appeared confident when he spoke to me. However,
my sense is SCO knows it has a weak hand, one it is playing as
strongly as it knows how. I expect SCO to keep upping the pressure
in the press, to announce a Linux licensing scheme and to hope to
start getting more revenue.IBM and PatentsIBM is a past master of the IP extortion strategy. For
example, see
this
Forbes article about IBM's shakedown
of Sun in Sun's early days. For SCO to attack IBM using IP is
somewhat like trying to eat a live tiger.If IBM starts to feel nervous about this suit, it will
unleash its patent portfolio. SCO is certain to be violating a
number of IBM patents. Unless some preexisting patent agreement
exists between SCO and IBM, SCO surely will lose against IBM's
countersuit.However, for IBM to unleash its patent portfolio against Unix
would not be a good thing for free software. After all, Linux
probably violates a number of those patents as well. Once the beast
is awakened, who knows when, or if, it will go back to sleep. The
best hope in such a case is that IBM will recognize the danger of
killing the goose with the golden eggs and lay off on its own
accord.It's worth noting that the people running SCO and their
lawyers may not appreciate the power of software patents. In my
experience, few people outside the profession understand the degree
to which every program of any scope violates patents. The software
industry today survives only through an unstated agreement not to
stir things up too much. We must hope this lawsuit isn't the big
stirring spoon.SCO Says They Are Not Against LinuxOne of the last things Chris Sontag said before he left is
SCO is not against Linux. SCO likes Linux. SCO wants to get to the
point where Linux can move forward.This may be a deep misunderstanding of the free software
process. If Linux becomes encumbered to the point where commercial
users must pay a fee, I expect that many independent developers
will stop working on it. Linux development will slow down and may
eventually stagnate. The people in charge at SCO may not understand
that.On the other hand, Chris Sontag's statement may simply have
been cynical and manipulative--the sort of thing that people say to
make malicious statements appear fair and open minded, as in "Joe
is a bloodthirsty cannibal, but I like him as a person".Red Hat and SCOI can't help thinking that as of this writing SCO has a
market cap of around $130 million and Red Hat has nearly $300
million in cash and investments. Even at an inflated price, Red Hat
could afford to buy SCO and free up Unix once and for all. Live the
dream.Linux CopyrightsI am not a Linux maintainer. But I would like to suggest that
this case make the Linux maintainers take the issues of copyright
paperwork seriously.First, I think all Linux contributors should consider their
own contributions. Is there any chance that they have contributed
code that is copied directly from Unix or any other non-free
source? Here I'm not talking about SCO's expanded sense of derived
work; I'm talking about direct copying, such as may (or may not)
have occurred in the one example SCO showed me. Any such directly
copied code should be rewritten in a different fashion, perhaps by
somebody else.Similarly, I think all Linux maintainers should consider the
code for which they are responsible and convince themselves that
the contributors did not do any direct copying. I personally doubt
that anybody is intentionally copying non-free code into Linux. But
mistakes can happen.Removal of any copied code, if there is any, won't affect the
lawsuit against IBM, but it may affect legal liability concerns for
Linux users.My next suggestion is that Linus and the Linux maintainers
form a foundation to hold copyright declarations for Linux. Linus
has made clear in the past that he does not want all the Linux
copyrights held in the same place. While that means there is no
single party who can be sued about a GPL violation, my impression
is Linus thinks that is an advantage.However, perhaps it would be okay to require all significant
Linux contributors to sign papers stating they own the code they
contribute and to require their employers to also sign papers. This
would be along the lines of the paperwork used by the Free Software
Foundation, but it wouldn't actually be a copyright
assignment.Such paperwork would not eliminate the possibility of a
mistake, nor the possibility of malicious code insertion. But I
think it would make such occurrences considerably less likely. It
would force people to think about the issue. It also might permit
moving any legal liability for copying from Linux users to Linux
contributors, which would be good for users. The increased risk for
contributors might make them more careful, though hopefully not too
careful.It would be necessary for somebody to monitor accepted
contributions and make sure that copyright declarations are signed
by all new contributors before each release. It would be
unreasonable to expect Linus or the other central maintainers to do
this work.I would be willing to help set up such a foundation, although
I don't think my help is required. The FSF started requiring
copyright assignments in the wake of the threats from Unipress over
the Gosling Emacs code. Perhaps the SCO lawsuit means Linux needs
to start tightening up its IP processes. In an ideal world this
would not be necessary, but unfortunately we must all live in this
world.Notes on the TripMy plane from San Francisco left 90 minutes late. I arrived
in Salt Lake City well after midnight and got lost driving to the
hotel. The next morning, I locked my keys in the car. Fortunately,
Avis repair service showed up in 25 minutes with a new key, but I
was then 20 minutes late getting to SCO. Rather than look like a
total idiot right off the bat, I told Blake Stowell that I "had
trouble with my rental car." He was very nice about it.My plane leaving Salt Lake City that afternoon hit a seagull
shortly after take off. We returned to the airport. After landing,
the pilot told us the windshield now had a small crack, and the
plane wasn't going anywhere. After disembarking, we were able to
look back at the plane--a rather gory sight. I have enough travel
experience that I immediately used my cell phone and booked a seat
on the next flight out. When that plane left, two hours later,
there was still a long line of people trying to get to San
Francisco that day.All told, on the trip I spent about $350, plus 25,000
frequent flier miles, plus 24 hours away from my family. Free
software has given me a lot over the years, and I can afford it. If
you want to contribute in support of my trip, please make a
donation to the
Free
Software Foundation,
the Electronic Frontier
Foundation or
Amnesty
International.ThanksOdd though it may seem, I would like to thank SCO for taking
the time to talk to me. The people I spoke with had to know when I
came in that I would not be on their side. But they played fair,
were polite and took me seriously. I'm sure both Chris Sontag and
Blake Stowell had better things to do than humor some random free
software developer.This essay received helpful comments from David
Henkel-Wallace and Karsten Self.

email: ian@airs.com