My Visit to SCO
Here, we come to the meat of the issue: has code clearly derived from Unix been incorporated into Linux? Unfortunately, SCO was willing to show me only one example. I was shown a source file Sontag said was from SVR4, which was compared to a source file from Linux. The identical portions of the code were highlighted. There were indeed substantial similarities in the code: very similar comment text, the same variable names, the same algorithm. There also were some differences, but it seemed quite plausible that both pieces of code came from the same source.
SCO refused to show me the revision history of the Unix file. I pointed out this made it impossible to judge the order of derivation; SCO agreed, and said it was a matter of discovery for the court case. SCO said it is confident the code had not appeared in BSD and was developed internally at AT&T and successors.
The NDA I signed prohibits me from saying anything that would help identify the code in question or anything about how it got into Linux (I discuss the issue of secrecy further below). SCO did not permit me to type the code, but I was told the Linux file name, and I have a good memory for such things in any case.
Here is what I think I can say about the code I saw. The code is fairly trivial--the kind of stuff I wrote in school. The similar portions of the code were some 80 lines or so. Looking around the Net, I found close variants of the code, with the same comments and variable names, in sources other than Linux distributions. The code is not in a central part of the Linux kernel. The code does not appear to have been contributed to Linux by SCO or Caldera. The code exists in current versions of the Linux kernel.
Also, oddly, my recollection of the code SCO showed me is not precisely the same as any version I found in any Linux distribution. The differences were in parts of the code that were different from the Unix code. The copyright statement at the top of the file also appeared to be different, though probably not consequentially. However, because I was not permitted actually to type the code, my memory could be playing tricks on me here.
If this is SCO's only example of Unix code appearing in Linux, I very much doubt there is any real legal liability for Linux users. If the code is indeed derived from Unix, which is unproven, it is roughly equivalent to typing in some code from a basic computer programming text without permission. While I hesitate to predict the actions of the legal system, it is very difficult for me to believe that any judge actually would award damages on the basis of this code.
Naturally, SCO says many other examples exist, and it has found at least 10 to 20 specific examples of direct copying. SCO said there was much more derivative code. It claims there are cases in which copied code intentionally was obfuscated and rearranged to hide its origin. I commented I felt such a scenario would be difficult to prove, and indeed I sincerely doubt that anybody would bother.
SCO said that only in the last month or two has it really started analyzing Linux kernels for cases of copying. SCO claims it steadily is finding more cases and that all of this will come out in court.
It's difficult to know what to make of this type of argument. SCO showed me something that appears suggestive but that also apparently is inconsequential. SCO claims to have much more evidence, which I was not shown. It's tempting to conclude this is SCO's best case and it has no strong evidence. After all, if SCO can make its case to somebody like me, then it is in a stronger position for extracting revenue by licensing Linux to customers who are scared of lawsuits. But SCO may have other plans.
I admit that SCO's example unsettled me by what it implies. Although in itself trivial, it does suggest that some Linux contributors may have been careless about copyright infringement. That is unfortunate.
After the presentation was over, I asked a few questions. I asked SCO when it expected to go to court. The answer was document discovery and depositions have begun. No court dates are set.
I asked why SCO sent letters to commercial users of Linux distributions, but I was not given a satisfactory answer. SCO said the letter was to make Linux users aware that it believes Linux is tainted and contains unauthorized intellectual property. The letter was to tell the Linux users they may have some liability and should seek advice from counsel. SCO said Linux users then could go through the same process of discovery that SCO presently is going through--but, of course, the users can't, because they don't have the Unix sources. My guess is the letters were to set themselves up for Linux licensing.
I asked whether SCO has any plans to license the Unix code to Linux users, to remove the liability. SCO said it has no current program. It hopes to come up with something in which noncommercial use and educational use would be free, but for commercial use it wants some remuneration. SCO said it hadn't come up with a plan because it still is trying to figure out the scale of the problem. SCO hopes to have some sort of solution by as early as July.
SCO commented that Linux has no mechanism that ensures ownership of the IP which goes into it. It said most Linux developers are honorable, but some commercial entities are bending the rules for their own benefit.
I asked about the lawsuit between AT&T and BSDI. That lawsuit was not ended by a judgment, it was settled between the parties, and the settlement was in large part confidential. SCO, which I presume is the legal inheritor of the AT&T side of the settlement, claims some aspects of the settlement have not been enforced but would not describe it further. SCO has not yet looked into whether, in its opinion, the free BSDs legally are derivative of the Unix sources. I assume if SCO can get a handle on the Linux situation, it'll go after the free BSDs next.
I paused for a while, trying to think of my next question, and Chris Sontag said he had another meeting to attend and left.
Blake Stowell asked me what I would do if I owned some proprietary code, and it was being used by other people without permission. I said that Unix had been widely distributed for many years, had been published in books and was not, after all, actually written by anybody at SCO. I said I didn't think that was easily compared to more conventional situations. Incidentally, Blake Stowell worked at Lineo and joined Caldera in 2001. He agreed that the company had radically changed since that time.
That was the end of the meeting. The rest of this essay discusses a few relevant topics in more detail.