General developer forum

"For UC patents (medicine and the sciences) are a good thing, in fact they help pay for the larger institution."

But do you consider software patents a good thing for UC?

Hi Curtis,

As with others here, IANAL, but the language doesn't sound to me at all like it's exposing all UC patents when you contribute.  Here's the relevant part of Section 11 (Patents), with emphasis added by me:

A “contributor” is a copyright holder who authorizes use under this License of the Program or a work on which the Program is based. The work thus licensed is called the contributor's “contributor version”.

A contributor's “essential patent claims” are all patent claims owned or controlled by the contributor, whether already acquired or hereafter acquired, that would be infringed by some manner, permitted by this License, of making, using, or selling its contributor version, but do not include claims that would be infringed only as a consequence of further modification of the contributor version. For purposes of this definition, “control” includes the right to grant patent sublicenses in a manner consistent with the requirements of this License.

Each contributor grants you a non-exclusive, worldwide, royalty-free patent license under the contributor's essential patent claims, to make, use, sell, offer for sale, import and otherwise run, modify and propagate the contents of its contributor version.

Given that "the contributor's essential patent claims" are defined as being those claims which would be infringed by some act (copying, using, distributing, etc) upon the project (Moodle) which is permitted by the GPL v3 license, I don't see any way that this could be construed as granting a license for a patent which has nothing to do with Moodle.

In fact, the wording suggests to me that you're not even granting license for entire patents, but rather licenses for specific claims - i.e. the absolute minimum license required to allow all actions permitted by the GPLv3 license to be performed on your contributor version (i.e. Moodle with your modifications).  This is definitely a Good Thing for Moodle (and other open source projects), and if my understanding is sufficiently accurate, it's a Good Thing for contributors too, since it allows them to contribute to the project without opening up any more of their IP than they want to (if you're contributing to an open source project, you're implicitly endorsing it - contributing to a project and then subsequently claiming infringement would be uncouth, and is one of the things Section 11 seems to be intended to prevent).

 

-Paul

I agree, to some extent, that the risk is fairly small, but it's real - UCLA's lawyers aren't being dumb to consider it.  Were I advising an institution, in most cases I'd say it was an acceptable risk, but for large institutions like UCLA or my own university defensive measures such as you mentioned wuld be very wise.

It's actually very much like a cross-site-scripting attack.  Permissions granted in one context can inappropriately extend to other contexts, either trough mistake or malfeasance. Call it a cross-site-patent attack. 

In 1998 we could only think of rather contrived examples of cross-site-scripting attacks, so some people concluding it was rather unlikely to ever be a problem.  Others saw the hole and warned that bad scenarios would end up happening unless the problem was addressed via the same-origin policy and other mitigations.  Today examples of cross-site patent attacks may be a little contrived, but they do demonstrate the potential exists.

 

Not only would some unscrupulous person have to submit code which infringes your (unrelated) patent, but Moodle HQ would have to integrate it into the official HQ repository. Unless HQ were in on it ... the contribution would simply be rejected as irrelevant

Consider for example the biometric authentication I mentioned.  It's plausible that someone could contribute an authentication module for Moodle and it could be committed without any need for HQ to be "in on it".  That may be a bit contrived, but it's no more contrived than the cross-site attack scenarios we predicted in 1990s and we know cross-site-scripting has caused billions of dollars of total damage in the last fifteen years.

 

GPLv3 specifically refers to the "contributor version" - so as long as you're careful about what you include in the version which you make available, you shouldn't be at risk of exposing any unrelated patents. 

"Contributor version" is NOT the "the version you make available".  If it were defined as such, that would certainly help. That's one of many problems with with that section actually says as opposed to what it should say. In the GPL3, "contributor version" has a far wider definition.  It is a) "the work" (Moodle) and any other work Moodle has code derived from (such as ADODB).  "The work" under GPL3 is Moodle and the contributor version as any version which includes code we've contributed.  The actual wording is it's a version in which we a contributor "authorizes use" of our code.  

So, somone conributes something which infringes a patent developed by some other part of the university, 600 miles away. A week a later I fix in typo in the default theme.  My contribution authorizes use for that version of Moodle, which also happens to contain infringing code in some other module.  

 

There are two types of overreach happening - the clause extends to all 1.1 million lines of Moodle, to modules I may have never seen before, much less contributed, and it extends to all patents owned OR CONTROLLED by my organization. So it overreaches in the code it requires me to bless all of Moodle, not just the modules I work on or even modules I've heard of, and it overreaches on the other side by going at all patents controlled by the organization, including patents I've never heard of.

 

Although the real world doesn't always work exactly as it ideally should, incorporating code into your build without knowing what it is or does isn't a good idea.

 

You read and understood all 1.1 million lines of Moodle before you contributed anything?  If you had, you still would know what all was in there because WHILE you were reading, more code was being contributed and code was being changed.  By the time you read and understood the SCORM module, it had already been changed while you were reading it. Therefore it's smply not possible for any one human to know every bit of Moodle. 

The whole situation also depends on one key point: ownership of the IP.  Is the legal entity which holds the IP that UCLA (in this case) is worried about the same legal entity which is contributing code to Moodle? 

One can, if you do it carefully.  Specifically, the legal entity who owns and therefore contributes the copyright to the code must not have right to license the patent. Going the opposite direction won't work, the GPL3 tries to prevent that defense.  Remember splitting ownership is not enough.  Under GPL3, you automatically license any patents which you can license, whether you own them or not.

 

Ray, are you willing to share your source for the bit about the kernel developers?  The "28 of 29 principal kernel developers said no to GPLv3" thing seems to be related to a survey conducted based on the then-current draft of GPLv3;

I don't believe the fial version "fixed" the problems with the patent clause in any significant way since this was written:

http://lwn.net/Articles/200422/

You can of course see the devel list for full discussion at each stage, including after the final draft was approved.  The ultimate final statement as to kernel's position on GPL3 is:

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=blob_plain;f=COPYING;hb=HEAD

 

They, the kernel developers, ultimately decided against GPL3.  Peruse the discussion list of you want to see how much of a landslide it was against GPL3.

The last few paragraphs of Linus' statement here also sum up nicely how many developers feel about it:

https://lkml.org/lkml/2006/9/25/161

 it may be that their concerns regarding the patent section have actually been addressed since then, but they're just too stubborn (and/or lazy)

Any position predicated on the kernel development team being lazy, stupid, or stubborn is rather tenuous. With about 25 - 30 commits per day, I can assure you they (we) are not lazy.  As a (tiny) contributor to the kernel, I am offended by that suggestion.

 

No, it has much more to do with the fact that they feel it is morally wrong to take someone else's code and their rights to it, which they contributed to an open source project for your enjoyment, and misappropriate it to fight content DRM, patents, secured systems and other issues entirely unrelated to the stated goals of the project they contribted to, Moodle.  

 

For example, YOU may feel that that all content should free and that after spending over a million dollars developing coursework a school should not use anti-circumvetion measures to protect their investment.  I might even agree with you.  However, other people who have contributed to Moodle may disagree.  They may well feed their families by producing such content.  To take their which they contributed code and use their contributions to prevent them from protecting their content is wrong and that' what GPLv3 does.  It prevents them from protecting their work using anti-circumvention measures.  I can decide to use MY code license in that way, but I have no moral standing to use SOMEONE ELSE'S contributions to club them or a third party over the head in regards the content the present via Moodle.  No, it's not laziness, it' that tey actually have a valid concern their.  You may disagree.  You may think that you have a right to take my code and use it to attack other people's patents.  They simply don't think that's right.

 

If you take that software, make changes and do not release those changes, you cannot claim them as copyrighted or patented in any way - it is only with public knowledge and actual release can you say they are your changes. This protects anyone who may make the same changes when those changes have not been placed in the public arena.

Not quite.  The GPL only requires you to grant rights to people to whom you distribute the software, so if you don't distribute the software to anyone, then you don't need to grant rights to anyone.

> However, why not offer the code to Moodle.org for inclusion, or lt least inform Moodle.org of what changes you have made and when. that's what this whole tread is about. Answer - because by doing so, under GPLv3, you could be risking ALL of your company's patents. > Would this not offer a form of insurance? Quite the opposite. The GPL says that if you contribute to an open source project, you GIVE UP any patents that could be in any way related to any part of that project. If you do NOT contribute, GPLv3 can do nothing to your patents. Only by contributing would you be agreeing to give up your patents under the GPLv3 terms. The bad part about contributing is that the way GPLv3 is written, it takes away your patent rights to patents which have nothing at all to do with your contribution. You lose patents that affect code in Moodle modules that you may have never even heard of. That said, you may notice we contribute code a few times per week. There are good reasons to contribute, and version 3 of the GPL creates two big reasons to NOT contribute. On balance, we decide to contribute anyway, but our developers have a meeting later to go over all the patents we have to watch for, because if we contribute any little typo fix to a project which and some other person contributes code which infringes a patent, we lose the patent.

Apologies. I got mixed up with the Moodle Trust.

Thanks Martin, I will pass this on

Just in case anyone else is still following this thread, we've finally resolved this and are able to contribute back to Moodle core again (2 1/2 years later...).

Basically we just did exactly what Martin Suggested, we signed over our Moodle copyrights of any code that we contribute back to Martin Dougiamas. It actually took longer than expected since the legal team here at UCLA actually wanted us to physically sign a contract assigning Martin the copyright (rather than us just adding the @copyright like he originally suggested.

Glad this is finally resolved.

You can take the source of a GPL program and sell it for whatever you can get them to pay and still be compliant with the licence. If that software is Moodle you might need to change the name to comply with it's use of Trademark law, but once you have done that you can put it up for sale. The GPL has never restricted a persons right to sell software created under it, it does however limit what restrictions you can place on anyone you sell the software to.

Well I would imagine they don't know they can get it for free in that case.

It just seems wrong to me that you can put a lot of work into developments and release them for people to use for free and then have someone come along and take your work, do nothing but repackage or rename it and make money off it from unsuspecting people. 

> the bit I don't understand is why someone would pay for something which is already available free. But that's the nature of how some people think/work I guess.

Other than the case where they simply don't know they can get it for free, the person selling it might package it such that it is more convenient or useful in some way. One example is FOSS software which is readily available for normal Linux, but hasn't been packaged as an Android app Android is a form of Linux).  Someone might pay 99 cents for a copy that's in the app sore rather than go download the source code, cross-compile it for Android, etc.

An example for Moodle specifically would be if someone chose a bunch of third-party plugins, a theme, and configuration settings to set up Moodle to work well for ____.  Maybe for higher-stakes assessments, or for a certain field or whatever.  They might then sell "Mdl for Medical" for $199, all setup and ready to go for institutions teaching in the medical field. Or they might sell it pre-packaged with all of the materials required to comply with US labor laws, like non-discrimination notices, etc., and setup for easy compliance reporting, showing tat all employees had viewed the notices.