To Baker: I could not find your e-mail address, so I'm posting this here instead.
Good Sir.
Here is the part I was thinking of, when asking for the source to the security module a couple of days ago:
2.
b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License.
GNU General Public License v2.0 - GNU Project - Free Software Foundation (FSF)
From the FAQ:
If I add a module to a GPL-covered program, do I have to use the GPL as the license for my module?
The GPL says that the whole combined program has to be released under the GPL. So your module has to be available for use under the GPL.
If a program released under the GPL uses plug-ins, what are the requirements for the licenses of a plug-in?
It depends on how the program invokes its plug-ins. If the program uses fork and exec to invoke plug-ins, then the plug-ins are separate programs, so the license for the main program makes no requirements for them.
If the program dynamically links plug-ins, and they make function calls to each other and share data structures, we believe they form a single program, which must be treated as an extension of both the main program and the plug-ins. This means the plug-ins must be released under the GPL or a GPL-compatible free software license, and that the terms of the GPL must be followed when those plug-ins are distributed.
If the program dynamically links plug-ins, but the communication between them is limited to invoking the ‘main’ function of the plug-in with some options and waiting for it to return, that is a borderline case.
Frequently Asked Questions about the GNU Licenses - GNU Project - Free Software Foundation (FSF)
Well, this is no borderline case. The security module is not a "fire and forget" fork/exec thing. It is dynamically linked and thus shares the same execution context as the GPL'd Quake engine (it becomes one with the engine), function calls are made, data is shared and communication is not limited to just invoking the main function and waiting for it to return. Furthermore, there are a lot of places in the ProQuake sources where the security module is present in one way or another. It even has its own security.c/security.h files along with the rest of the ProQuake source files. As far as the GPL is concerned, you can't just sneak around it like that. The full source code must be provided. In fact, there is only one special exception to this, and it concerns:
"... anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, ..."
... and the security module clearly does not fit that category.
If not distributing the source code for the security module does not violate the GPL, then one could add almost arbitrary modifications to a GPL'd program, in the form of modules or plug-ins, and even redirect function calls to them if they are loaded (RPCs and pipes also come to mind), without releasing any module/plug-in sources. The program would function just fine without the modules (and without the modifications). This would of course go against the very point of the GPL.
In my personal opinion, making a Quake server that has a mode in which it will only accept connections from certain clients, without giving the server administrator the chance of choosing 'which' clients and without giving developers adequate information about how to connect with their own clients, breaks the spirit of the GPL (at least GPL-3). It's a form of tivoization, in which software (instead of hardware) prevents users from running modified versions of GPL'd software.
Furthermore, there is the trust part. How can anyone trust a security module whose source code is not available for inspection? How can we be sure there aren't any backdoors or anything similar? Without the source code, we can't. Well, perhaps a company could be somewhat trustworthy. After all, a company could lose money if they tried anything like that. My point is: Security through obscurity... isn't.
I hope I have persuaded you to respect the GPL and do the right thing.
With Best Regards
// Cortex