DJB Releases All Source to Public Domain

A Sage Developer writes "During a recent conference, Sage Days 6, Dan Bernstein (who has recently come under attack for his licensing policy) was among the invited speakers. During a panel discussion on the future of open source mathematics software, Bernstein declared that all of his past and future code would be released to the public domain. This includes qmail, primegen, and a number of other projects. Given the headache that incompatibility between GPLv3 and GPLv2 is causing developers, will we see more of this?"

In a word...

[s4m7 (519684)]

Given the headache that incompatibility between GPLv3 and GPLv2 is causing developers, will we see more of this?

No.

Not in a manner disproportionate to what we've seen in the past anyway. Some people will keep gpl2 as their license, others will go gpl3, bsd, or one of any of the OSI licenses for the most part, because people like attribution, they like retaining (some) control of their work.

Re:In a word...

[BiggerIsBetter (682164)]

I agree. Public Domain licensing seems to be the worst of all worlds to me.

Re:

[civilizedINTENSITY (45686)]

I can't say that Public Domain is the worst way to release, but it is less than adequate for the purposes of Free Software. However, it would allow code to be quickly absorbed into projects and extended and released under the GPL. At that point, it would remain useful and also be safe (i.e., status: to remain free).

Re:In a word...

[by Anonymous Coward]

Well, Public Domain is a heck of a lot better than DJB's original license. For DJB's code, Public domain is a completely unqualified improvement.

(DJB's license forbade distribution of modified source - you can only distribute patches. You man not distribute binary files that result from any modification from the distribution source. I argue that it isn't open source at all.)

This might mean that qmail's glaring deficienies will get fixed. That's if qmail is still relevant. Plus, it might be secure on muliti-gigabyte ram 64 bit machines (which, frankly, are run of the mill linux boxes these days.)

Now, arguing a swap from GPL or BSD to/from Public Domain is another thing entirely IMHO.

Re:

[drsmithy (35869)]

(DJB's license forbade distribution of modified source - you can only distribute patches. You man not distribute binary files that result from any modification from the distribution source. I argue that it isn't open source at all.)

This is like arguing RHEL isn't open source because it isn't packaged up in ready to use ISOs.

Re:

[synthespian (563437)]

Shhh...Don't argue with religious people!
Fanatics of the Church of Stallman aren't capable of logic.
Besides, they think that "freedom" refers to objects and not to people.

Re:

[KevMar (471257)]

I like the sound of public domain. Its simple with out any complicated rules.

I saw Open Source as a free exchange of ideas and code that let you do what ever you wanted with it. Public Domain fits that better than a lot of others.

All the Gotchas and legal overhead built into some of them are just overhead that make the whole process fustrating.

At the same time, Open Source is becomming more of a buzz word than anything else. I hear even Microsoft does Open Source software now.

Re:In a word...

[civilizedINTENSITY (45686)]

Agreed that Public Domain is not incompatible with Open Source. In fact, it isn't incompatible, in terms of absorbing the code into a project, with the GPL. However, in terms of Free Software, Free doesn't mean "a free exchange of ideas and code that let you do what ever you wanted with it", but rather a limit on distribution rights for the purpose of ensuring that user rights always remain free. And it seems to work :-)

Re:

[Goaway (82658)]

And you know, some of us are far more interested in "a free exchange of ideas and code that let you do what ever you wanted with it" than in some convulted ideology where "freedom" is redefined as something restrictive.

Re:In a word...

[Hatta (162192)]

The only restriction the GPL imposes is that you can't restrict the freedoms of the user. It's like a double negative, restricting restrictions makes it more free.

You may call this a convoluted ideology, but the fact is if I receive a program with GPL code in it, I'm free to modify it as I see fit. If I receive a program with public domain code in it, I may not be able to modify it at all.

I'm interested in a free exchange of code that lets me do whatever I want with it. Public domain does not do that for me.

Re:

[iabervon (1971)]

If you receive a program with public domain code in it, you can do what you want with it. It's when you receive a binary derived from public domain code that you may be out of luck.

Of course, it doesn't matter to you whether some source code is public domain or GPL; if you only acquire GPL binaries (whether they're derived from public domain code or not), you can do what you want with them, while if you acquire non-GPL binaries (whether they're derived from public domain code or not), you may not be able to

Not quite so fast

[einhverfr (238914)]

I'm interested in a free exchange of code that lets me do whatever I want with it. Public domain does not do that for me.

What can't you do with public domain code?

My concern about the GPL is that, while it is very friendly towards businesses who want to release and then control the direction of their open source products (I did not say projects), it can have a stifling effect on community. Compare for example, the MySQL development model (one company *controls* what goes into the next release) with the PostgreSQL development model. In many ways Linux is an exception rather than a rule, and even GNU suffers from politics of internal control (for example RMS dismissing the head HURD architect, Thomas BUshnell, for arguing against considering the GFDL to be "Free" according to Debian's guidelines-- if this is the free speech to be associated with the FSF's free software, I want no part of the FSF).

The GPL is in many ways a sort of halfway house for companies who want to do open source but not community-centered development. If MySQL was under the BSD license, there is no way they could maintain the central control-- they would have to open up the commit access to many people in other companies, and could not sell proprietary licenses because there would be no market for them.

The GPL, while having legitimate uses, is more of a political statement than anything else. I say this as someone who contributes thousands of lines of code per week into GPL'd projects.

THe GPL v3 is confusing in number of ways. For example, there is some concern over whether a company cedes patent rights over their own patents by merely using GPLv3 software, this is because of missing one little definition buried not in the definitions section but elsewhere in the license (section 11. paragraph 6, as much as a quick reading might otherwise support the concern, only applies to distribution relying on *explicit* patent licenses hence one cannot inadvertently license patents by mere distribution of the software).

A larger issue with the GPL v3 is that section 7 can be read to be incompatible with licenses such as the BSD and MIT licenses, perhaps even with the public domain. The question is, whether paragraph 2 (removal of additional permissions) must apply to portions under other licenses as well. A plain reading of the license suggests that this is the case (and my conversations with Eben Moglen suggest he thinks that this is the case, and furthermore that he believes that licenses such as the BSD and MIT licenses allow for additional restrictions to be added to the license when merely copying the software. It is clear from public speeches that this is also the view of RMS).

However, as another member of the SFLC pointed out to me, this was not the intent of a large number of authors of the license, and that few if any lawyers are willing to give advice that changing the license on a verbatim copy of a permissively licensed work is allowed (see the SFLC's memo on ISCL/GPL collaboration). They argue that since compatibility with licenses like the BSD license was a goal, that it needs to be read as compatible. Hence they argue that the additional things you can do with BSD-licensed code fall outside of the definition in section 7 of additional terms and are not governed by the GPL v3 at all.

However, if and until we see a memo from the SFLC on that topic, we will not have a neutral document to point to and say "this is what the license means." Hence it seems to me that every project ought to contemplate these issues, seek legal advice, and include some clarifying statements in the project's documentation.

This is too much trouble for me to go to in my projects so there is no incentive to move. I *am* considering moving a fair bit of my company's projects from the GPL to some variant of the MIT or ISC license however.

Re:

[fbjon (692006)]

Public Domain is good for shorter snippets that one might throw away one a forum or the like, but something of a more project-y character is probably better off with a license of some sort. The exact boundary is, of course, up to personal preference.

Re:In a word...

[Zeinfeld (263942)]

Public Domain is good for shorter snippets that one might throw away one a forum or the like, but something of a more project-y character is probably better off with a license of some sort. The exact boundary is, of course, up to personal preference.

We deliberately put the source codes for the original Web browser and client library into the public domain in order to create the maximum chance of growth.

At the time there was no Apache license and the GPL poison pill simply did not meet our needs. At the time we were actively lobbying Microsoft and IBM to come on board with the Web.

The only regret I have about it is that if we had had a license it would not have been possible for NCSA to put out the early releases of Mosaic which consisted of 75% or more of CERN code without a single mention of CERN or even the Web in the documentation. I would probably recommend that people think about the attribution issue carefully, the behavior of NCSA is the main reason that the Web received very shabby treatment from CERN, in the early days NCSA was getting all the press attention and they simply were not mentioning the fact that the ideas had come from Tim.

I don't think this applies in Bernstein's case. Nor would I be too concerned about possibly insecure extensions. There are some open source projects that have successfully maintained a very strict security process over ten years or more.

Re:

[Russ Nelson (33911)]

Open Source is becomming more of a buzz word than anything else. I hear even Microsoft does Open Source software now.

Yes; just like everybody else who's publishing Open Source Software, they're doing it using an OSI Approved Open Source License.

Re:

[DaleGlass (1068434)]

You're wrong. You'll only be able to use any improvement if your competitor distributes the changes to you . Only the recipient of the modified GPL software is entitled to the changed source.

This is correct

Here's an example: You write GPL software that is used by LargeCompany, and sell the support to them. BigCorp takes your software, makes some great enhancements, and sells it to the same LargeCompany saying, "Hey, this software does everything that guy's does and more!" Do you think, because of the GPL,

Re:

[nuzak (959558)]

Yeah, look at how sqlite has languished by being public domain. No sooner was it released than it was snapped up and closed off and now no one can download the free version anymore.

Re:

[orasio (188021)]

Yeah, look at how sqlite has languished by being public domain. No sooner was it released than it was snapped up and closed off and now no one can download the free version anymore.

I am talking about all instances of the software. Of course we can still get sqlite, but most of sqlite users don't know they are using it, and they don't know they can get the actual code to fix an issue. The idea of the GPL is protecting those users. Public domain doesn't help end users, because they don't even need to know what they are using.

Re:

[TheRaven64 (641858)]

Very little code in CentOS comes from Red Hat, it comes from a large number of sources, including the GNU project, and was originally packaged by Red Hat. The GPL and BSDL both have attribution requirements. You are not allowed to claim that you wrote any of the code in CentOS. The reason CentOS does not use the Red Hat name is to do with trademarks, not copyright. Red Hat do not allow them to use their trademark, and so they have removed anything with Red Hat branding on it. Any code contributed by Re

OK so when exactly?

[MichaelSmith (789609)]

The reason I ask is that I read some releasing a new version of netqmail with smtp auth patches in it, and this is really waiting on DJB to do something about this issue. My servers are currently taking a big hit from spam and a clean way to block it in smtpd would make life a lot easier for me.

Re:

[ravenspear (756059)]

My servers are currently taking a big hit from spam and a clean way to block it in smtpd would make life a lot easier for me.

You could switch to postfix.

Re:OK so when exactly?

[lukas84 (912874)]

Exchange!

Re:OK so when exactly?

[N7DR (536428)]

Already.

From http://cr.yp.to/qmail/dist.html [cr.yp.to]:

I hereby place the qmail package (in particular, qmail-1.03.tar.gz, with MD5 checksum 622f65f982e380dbe86e6574f3abcb7c) into the public domain. You are free to modify the package, distribute modified versions, etc.

Still a dick!

[by Anonymous Coward]

Just wanted to get that in there.

That may be good.

[www.sorehands.com (142825)]

I like qmail. This is both good and bad.

The good is that allows people to fix, and distribute the fixes as part of the package instead of as a bunch of patches.

The bad is the security of the result. One of the hallmarks of the DJB software is that it is secure and he backs it up with a $500 (it may be $1000 now) bounty for security holes in the software. Many people referred to him as arrogant because of his refusal, but when you are good, you sometimes develop an attitude that people mistake for arrogance. Even so, it is HIS code, so he gets to do what he wants with it.
 

Re:

[JoshJ (1009085)]

If it's public domain, it's not really "HIS" code anymore.

Re:That may be good.

[arivanov (12034)]

Actually, if you like qmail you need to have your brain checked.

The biggest advantage of Unix is the "We stood on the shoulders of Giants" philosophy. The library functions are continually improved and nowdays there is a library function for nearly everything. Qmail goes completely against this philosophy by rewriting nearly every higher level function in libc it needs. Granted, when qmail came out some of these rewrites were more secure and technically superior implementations. First of all, not contributing them towards the libc's is sociopathic behaviour (I want only my app to benefit, everyone else go suck bricks sidewise through a thin straw). Second, their technical superiority even from a security perspective is no longer there. Libc has moved on and even the worst of them (HPUX and Irix) are now at the same level of the DJB replacements (or better).

Re:

[civilizedINTENSITY (45686)]

I suppose then that now there is nothing to stop developers from implementing a fork of qmail that will use libc (and indeed, to absorb into libc anything worthy from qmail). So the race is on! Will gqmail or kqmail be the first to distribute said fork?

Re:That may be good.

[arivanov (12034)]

No point. The MTAs have moved forward as well. The libraries have moved forward as well. It would have been interesting 10 years ago (I used it and advocated its use at that time).

Now it is pointless.

Postfix, Exim and even sendmail have made a giant leap forward in terms of code quality, performance and security. So have the underlying libraries.

There simply no point to use qmail or any of its code base now. Too little, too late.

Re:That may be good.

[Just Some Guy (3352)]

my qmail gateways have never been exploited through qmail.

That's because qmail's known exploits [guninski.com] mainly affect new hardware. Cool, huh? Buy a new server and watch it automatically get less secure.

Re:

[Asmodai (13932)]

I cannot for the life of me imagine why anyone would want to use qmail.

From a system administrator's point of view qmail does NOT keep adequate logging to track the flow of a message through X MTAs. With Postfix or Sendmail (and I reckon Exim too), I can see the entire flow in the logs. If you ever worked for a company such as an ISP or where someone complained about email gone missing, stuff like this is lifesaving.

From a programmer point of view DJB's software is just the antithesis of everything decent p

Re:That may be good.

[FishWithAHammer (957772)]

First of all, not contributing them towards the libc's is sociopathic behaviour (I want only my app to benefit, everyone else go suck bricks sidewise through a thin straw).

This is ludicrous. He wrote them because the ones out there weren't good enough. Others can write their own. There is nothing sociopathic about closed source software, no matter how much you may wish it to be.

(It is probably in the realm of sociopathy, as we're using the term, to go after people who reverse engineer your compiled binaries, but that's entirely different from not giving them your code. If they can extract what they need from what you have chosen given them, good for them. It is always wise to remember that while the GPL and the Free Software movement are in favor of unlimited user rights, a developer choosing to exert his own rights is not wrong.)

Re:

[vidarh (309115)]

Qmail stems from a time when serious UNIXen were commercial and closed. Getting the libc source cost big money; fixes were not solicited.

When Qmail was release, glibc was more than a decade old. So though glibc might not have been as widely used as those of commercial Unix versions there were certainly plenty of opportunity to release it.

That said, most of the stuff he reimplemented is not stuff that belongs in libc, and quite a bit of it is pointless paranoia and just contributes to make the Qmail source hard to read.

Re:

[TheRaven64 (641858)]

This is why OpenSSH has an OpenBSD and a portable branch. Every feature they find lacking a C library gets merged into OpenBSD's libc (and quickly makes it to other BSD libcs) and gets stuck in the portability library which implements these functions in a portable manner. Other libc maintainers can take the code from the portable library, since it's BSD licensed, and everyone benefits. Failing that, people can compile OpenSSH with the in-tree copies of the functions.

Re:

[Russ Nelson (33911)]

Also, I'm not familiar with the qmail source; what are some of the wheels that djb reinvented?

For example, str_chr(). The standard strchr returns EITHER a pointer to the found character, or NULL. djb's str_chr always returns a usable pointer; either to the character or to the null terminating the string. Compare this idiom:

strcpy(secondhalf, strchr(wholething, ';'));

to djb's

str_cpy(secondhalf, str_chr(wholething, ';'));

This code works even if ';'

dnscache as an common daemon

[Tuqui (96668)]

I really like DJB approach in many programs but his daemon as services makes his good programs difficult to use.
I would like to use dnscache as a normal daemon, one below the /etc/init.d , that will be cool.

Re:dnscache as an common daemon

[SanityInAnarchy (655584)]

DJB's approach to standards is to write his own incompatible version.

Right, since there isn't a standard right now...

As for user friendly, he can't even put the man pages where they can be found.

That's why I called it "trying".

Other than not watching for dead processes, what exactly is the problem with /etc/init.d?

Well, init.d is complete in the sense that brainfuck is Turing-complete.

Which is to say, it's actually awkward for quite a lot of things. For instance: networking.

On Gentoo, the way multiple network interfaces are dealt with is by assigning each of them an init script, all symlinked to the same one. Gentoo init scripts have dependencies, so I can have something depend on some or all of the network interfaces being up.

On Debian, this is dealt with by having one "networking" init script that then ties into its own init-like system for individual interfaces -- ifup/ifdown. I can force certain scripts to run after an interface comes up or goes down.

On Ubuntu desktops, this is dealt with by having a NetworkManager daemon (started by init.d) that handles everything itself, by communicating with a GUI. I'm fairly sure it uses ifup/ifdown in some way, as it seems to respect some of my static scripts.

Gentoo is the closest to the "right way", in that there's a unified way to start/stop something. That is, on Gentoo, I know I can stop a network device by doing /etc/init.d/net.eth1 stop. But Ubuntu's the most user-friendly way, because I can do it from a GUI, and, for instance, easily migrate between wireless networks.

Now, go read about upstart [ubuntu.com], for a completely different approach. In particular, the ability to receive "events" from, say, udev or HAL, means that the equivalent of "/etc/init.d/net.eth1 start" will be run when I plug a cable into eth1, without removing that functionality, or forcing it into a completely different system (ifup/down).

At least, that's how I think it would work. In practice, while Upstart is used in Ubuntu, it's mostly used just to launch all the old sysv rc scripts, which then launch things like NetworkManager.

Re:

[SanityInAnarchy (655584)]

By the way, I don't see /etc/rc*.d to be going away anytime soon. If you think there is any important features missing from it, the best way to go is probably to file a wishlist bug in the bug tracking systems of the distributors.

It's being worked on. [ubuntu.com]

The software is good.

[jd (1658)]

The crypto software and FFT software especially so, but maintenance isn't always as hot. That's hardly DJB's fault - they are public domain and nobody has run with them. On the other hand, it is not acceptable that his software is not being properly distributed, promoted or documented. Nor is it acceptable that he allows his personality quirks to interfere with the primary purpose of getting code into active circulation.

DJBDNS

[caudron (466327)]

Good. DBJDNS is, overall, a solid piece of software that kicks the crap outta Bind and leaves it bleeding in a ditch. I'll be glad to see it under a more open license that allows it to prosper and get some of its problems addressed.

Tom Caudron
http://tom.digitalelite.com/ [digitalelite.com]

Re:Don't be an "indian giver"

[McDutchie (151611)]

The GPL pushes that one step further by making sharing a requirement. Now receiving obliges you to give in return (if copyright wasn't the basis for the GPL, would Stallman have required distribution too?).

Sigh. No, it doesn't. The GPL sets forth rules you need to follow if you choose to share (i.e. distribute) the software. But nothing in the GPL obliges you to share anything.

Re:Don't be an "indian giver"

[SanityInAnarchy (655584)]

It all got so confusing

How is it confusing?

and now with GPL3 putting further restrictions on sharers

The restrictions are essentially closing loopholes whereby people could either avoid sharing or share something useless.

Under GPLv2, you could create a derivative work and run a website based on it, but not share the changes since you weren't technically distributing the software. Or you could create a signed binary, and hardware that won't run it unless that binary is exactly the same. Or you could patent some procedure used, so that people can see the source code, but if they do anything with it, they violate your patent.

All GPLv3 does is enforce the spirit of GPLv2. Specifically: Everyone has to be able to get the source code, make any change they want, recompile, and run the modified binary.

greater restrictions are a smack in the face to the original reason anyone wanted to get involved in the first place, i.e. to share.

If you're getting hit with these restrictions, chances are, you, yourself, are an "indian giver" -- you want to pretend to share, except, not really.

Public domain remains the last safe haven for shareable code.

Or GPLv2... or BSD... or Apache... or MIT...

You're suggesting that GPLv3 somehow "infected" GPLv2, or every other license out there. That's simply not true. While public domain is perhaps the only way to ensure your code can be included in any kind of project, I see nothing wrong with share alike, and I see no reason why closing the loopholes is "going too far".

Re:

[Cecil (37810)]

While public domain is perhaps the only way to ensure your code can be included in any kind of project...

As I understand it, the only project in which Modified-BSD code could not be included is a project where the author wanted to claim you recommend their project without your permission. So while it's technically true, I don't think it's fair to say that public domain is the only way to allow code to be used in any project, not realistically speaking anyway. Anyone who insists on falsely claiming I endorse

Re:

[rbanffy (584143)]

"Under GPLv2, you could create a derivative work and run a website based on it, but not share the changes since you weren't technically distributing the software. Or you could create a signed binary, and hardware that won't run it unless that binary is exactly the same. Or you could patent some procedure used, so that people can see the source code, but if they do anything with it, they violate your patent."

You still can run a web site on modified GPL3 software and not share the modifications you made. It's

Re:

[Just Some Guy (3352)]

You still can run a web site on modified GPL3 software and not share the modifications you made. It's the AGPL3 (http://www.fsf.org/agplv3-pr) that prohibits this.

Quite correct. Fortunately, it's almost trivially easy to beat the AGPL [honeypot.net].

The GPL v3 *is* confusing

[einhverfr (238914)]

Most of these points have come out of arguments with both developers and lawyers as to the restrictions in the GPL:

1: If you download a copy of the GCC under the GPL v3, are you licensing your patents which the GCC infringes on to all third parties?
After a lot of discussion on and off various lists, the answer is no, but you have to stop using the GCC prior to suing anyone or else other people could conceivably sue you. However, this is confusing because it is easy to miss the definition of patent license

A Linus supporter?

[SanityInAnarchy (655584)]

There are two vastly different interpretations of the GPLv2's intent.

Linus' interpretation is, so long as we get to see the code, it's fine, even if we can't do anything with it.

That is not the original intent. Say what you will about RMS, but he wrote the damned thing.

Do you know why RMS started this "free software crusade", founded GNU, and wrote any GPL at all? It starts with a printer. He'd messed with the old printer driver for the old printer -- it was prone to paper jams, so his hack was to at least detect a jam and alert the user, even if he couldn't fix it. Well, the new model of printer came in, and he was all set to port his fix, but he didn't have source code.

That's why GPLv2 is all about source code -- RMS wants to be able to tinker with any device he owns, and he saw lack of source code as the only thing stopping him. In the case of this printer driver, it was. But now we have tivoization. Tell me, if the lab computer was set to only accept signed binaries, what good would any amount of source code be? He could change it to do his paper-jam-fixing-hack, and even compile it -- he could do anything but run it -- which makes it completely useless.

Linus has a point, and so do you -- there is some academic value in seeing how people did what they did.

But Linus and you miss the crucial point -- it's not about restricting the developers, it's about empowering the users. The GPLv3 guarantees that any piece of software you get that's GPLv3-licensed, you can modify it, recompile it, and run it in the same way as the original. What's restrictive about that?

Re:A Linus supporter?

[FreeUser (11483)]

Why don't you do a modicum of research and find out? The story has been presented far and wide by RMS himself, and is easy enough to find. What you insinuate is that the trouble fixing the printer was somehow RMSes fault, which history shows to be untrue. The printer manufacturer wouldn't acknowledge the problem, and refused to let RMS see the source code so he could "fix" a bug they wouldn't acknowledge. This irrespective of how often said bug bit their customers. RMS spotted a severe social/technical problem and wrote the GPL to solve it (which it does, very successfully). Unscrupulous people have sought out loopholes to subvert the GPL, hence GPL v2, and now, with the advent of MS's "trusted computing initiative" and tivoization, GPL v3 to protect those freedoms in the face of some very powerful entities manipulating very powerful copyright and patent laws with the intent of subverting, even destroying, those same freedoms.

The GPL v2 and v3 are, whatever else one may say, the most successful attempt so far at creating a "constitution" that protects users rights in perpetuity, within the current framework of law designed to do just the opposite. It may not be perfect, but it's a damn sight better than most options out there.

Re:

[Abcd1234 (188840)]

Its method of storing its database as raw inodes is... mildly frightening, to say the least.

Huh? Why? I mean, I'm no qmail zealot, but if you're afraid of storing data in your filesystem, you have far *far* bigger problems.

Re:

[Cecil (37810)]

It makes restoring from backup difficult, for one thing, unless you use an exact image of the disk with a partition the exact same size. I don't, I use file-level backups. Or maybe I want to move qmail to a different disk or volume. I mean, on one hand, it's freaking email queue, who gives a damn. But it's the principle of the thing.