Software Freedom Conservancy 2015

Software Freedom Conservancy is running its second annual individual supporter campaign (here is last year's). We need 750 supporters (at US$120 each) to keep the lights on, that is, to continue serving as a non-profit charitable home for free/open source software projects (assuming we manage to stay alive, some exciting new member projects will be joining in 2016), and 2500 to take on new GPL enforcement work. See the Conservancy news item and blog post announcing the campaign last month.

Conservancy supporter Sumana Harihareswara made a great video explaining why you should support Conservancy too. [Added 20151228: blog post with transcript]

The news item above includes a list of 2015 accomplishments. My second favorite is Outreachy (which “helps people from groups underrepresented in free and open source software get involved”) joining as the first member project that isn’t strictly a software development project. My favorite is one link away from the main list. The list notes that Conservancy joined a one-page comment urging the FCC not to restrict wireless devices to manufacturer-provided software. That’s good, but the blog post about the comment notes that Conservancy leaders Karen Sandler and Bradley Kuhn also signed a much more interesting and extensive comment proposing an alternative regulatory regime: approved devices would have to run fully auditable software and receive ongoing security updates, which comes close to mandating supported free software (but not quite, since the comment doesn’t call for mandating free copyright licensing). This is by far the most important document on software freedom produced this year, and I urge everyone to read it. I’ve copied most of the alternative proposal below (it starts on page 12 and is followed by many pages of endorsers):

In place of these regulations, we suggest that the Commission adopt rules to foster innovation and improve security and usage of the Wi-Fi spectrum for everybody.

Specifically, we advocate that rather than denying users the ability to make any changes to the router whatsoever, router vendors be required to open access to their code (especially code that controls RF parameters) to describe and document the safe operating bounds for the software defined radios within the Wi-Fi router.

In this alternative approach, the FCC could mandate that:

  1. Any vendor of SDR, wireless, or Wi-Fi radio must make public the full and maintained source code for the device driver and radio firmware in order to maintain FCC compliance. The source code should be in a buildable, change controlled source code repository on the Internet, available for review and improvement by all.
  2. The vendor must assure that secure update of firmware be working at shipment, and that update streams be under ultimate control of the owner of the equipment. Problems with compliance can then be fixed going forward by the person legally responsible for the router being in compliance.
  3. The vendor must supply a continuous stream of source and binary updates that must respond to regulatory transgressions and Common Vulnerability and Exposure reports (CVEs) within 45 days of disclosure, for the warranted lifetime of the product, the business lifetime of the vendor, or until five years after the last customer shipment, whichever is longer.
  4. Failure to comply with these regulations should result in FCC decertification of the existing product and, in severe cases, bar new products from that vendor from being considered for certification.
  5. Additionally, we ask the FCC to review and rescind any rules for anything that conflict with open source best practices, produce unmaintainable hardware, or cause vendors to believe they must only ship undocumented “binary blobs” of compiled code or use lockdown mechanisms that forbid user patching. This is an ongoing problem for the Internet community committed to best practice change control and error correction on safety-critical systems.

This path has the following advantages:

  • Inspectability – Skilled developers can verify the correctness of software drivers that are now hidden in binary “blobs”.
  • Opportunity for innovation – Many experiments can be performed to make the network “work better” without affecting compliance.
  • Improved spectrum utilization – A number of techniques to improve the use of Wi-Fi bands remain theoretical possibilities. Field trials with these proposed algorithms could prove (or disprove) their utility, and advance the science of networking.
  • Fulfillment of legal (GPL) obligations – Allowing router vendors to publish their RF-controlling source code in compliance with the license under which they obtained it will free them from the legal risk of being forced to cease shipping code for which they no longer have a license.

Requiring all manufacturers of Wi-Fi devices to make their source code publicly available and regularly maintained levels the playing field as no one can behave badly. The recent Volkswagen scandal with uninspected computer code that cheated emissions testing demonstrates that this is a real concern.
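The second point of the proposal, “secure update of firmware … under ultimate control of the owner of the equipment”, is a property rather than a mechanism, and the comment does not say how it should be built. As an added illustration (my own example, not code from the comment, from Conservancy, or from any router vendor), the following Go program sketches the minimum such a mechanism needs: an image is only installed if it matches a signed manifest, the manifest is signed by a key in an on-device trust store, the version counter only moves forward (no rollback to a vulnerable release), and the owner can enroll their own key and revoke the vendor’s. The manifest layout, the key names, and the “firmware” byte strings are all constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is the signed statement shipped alongside a firmware image.
// The field layout is an assumption for this example, not any vendor's format.
type Manifest struct {
	Version uint32   // monotonically increasing release counter
	Digest  [32]byte // SHA-256 of the image bytes
	Sig     []byte   // Ed25519 signature over Version || Digest
}

// TrustStore is the on-device root of trust. The point of owner control is
// that the owner, not only the vendor, decides which keys live in here.
type TrustStore struct {
	Keys           map[string]ed25519.PublicKey
	CurrentVersion uint32 // highest version already installed (anti-rollback)
}

var (
	ErrUntrustedSigner = errors.New("manifest not signed by any key in the owner's trust store")
	ErrDigestMismatch  = errors.New("image digest does not match manifest")
	ErrRollback        = errors.New("manifest version is not newer than installed firmware")
)

// signedBytes is the exact byte string the signature covers.
func (m *Manifest) signedBytes() []byte {
	buf := make([]byte, 4, 4+32)
	binary.BigEndian.PutUint32(buf, m.Version)
	return append(buf, m.Digest[:]...)
}

// SignManifest is what a vendor (or an owner building from the published
// source) runs to produce a manifest for an image.
func SignManifest(priv ed25519.PrivateKey, version uint32, image []byte) Manifest {
	m := Manifest{Version: version, Digest: sha256.Sum256(image)}
	m.Sig = ed25519.Sign(priv, m.signedBytes())
	return m
}

// Verify accepts an update only if the image matches the manifest, the version
// moves forward, and some currently trusted key signed the manifest. It
// returns the name of the key that signed.
func (ts *TrustStore) Verify(m Manifest, image []byte) (string, error) {
	if sha256.Sum256(image) != m.Digest {
		return "", ErrDigestMismatch
	}
	if m.Version <= ts.CurrentVersion {
		return "", ErrRollback
	}
	msg := m.signedBytes()
	for name, pub := range ts.Keys {
		if ed25519.Verify(pub, msg, m.Sig) {
			return name, nil
		}
	}
	return "", ErrUntrustedSigner
}

// Install runs Verify and, on success, advances the anti-rollback counter.
func (ts *TrustStore) Install(m Manifest, image []byte) (string, error) {
	signer, err := ts.Verify(m, image)
	if err != nil {
		return "", err
	}
	ts.CurrentVersion = m.Version
	return signer, nil
}

// Enroll adds a key the owner chooses to trust; Revoke removes one.
func (ts *TrustStore) Enroll(name string, pub ed25519.PublicKey) { ts.Keys[name] = pub }
func (ts *TrustStore) Revoke(name string)                        { delete(ts.Keys, name) }

// NewKey generates a fresh Ed25519 key pair (used here for both parties).
func NewKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func main() {
	vendorPub, vendorPriv := NewKey()
	ownerPub, ownerPriv := NewKey()
	ts := &TrustStore{Keys: map[string]ed25519.PublicKey{"vendor": vendorPub}, CurrentVersion: 1}

	v2 := []byte("constructed firmware image v2")
	signer, err := ts.Install(SignManifest(vendorPriv, 2, v2), v2)
	fmt.Println("vendor update:", signer, err)

	// Owner takes over the update stream: enroll own key, drop the vendor's.
	ts.Enroll("owner", ownerPub)
	ts.Revoke("vendor")
	v3 := []byte("constructed firmware image v3")
	_, err = ts.Verify(SignManifest(vendorPriv, 3, v3), v3)
	fmt.Println("vendor after revocation:", err)
	signer, err = ts.Install(SignManifest(ownerPriv, 3, v3), v3)
	fmt.Println("owner update:", signer, err)
}
```

Two details carry the security argument. The anti-rollback check is what keeps a “secure update” secure once a CVE has been fixed: without it, anyone who can feed the device an older, validly signed image can reintroduce the vulnerability. And because the trust store is data the owner edits rather than a key burned into the bootloader, the owner can keep patching after the vendor’s 45-day window, business lifetime, or five years have run out, which is the situation the proposal’s third point is written for.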

Why is this so important?

  • It isn’t purely a rear-guard action aiming to stop a bad regulation.
  • It proposes a commons-favoring regulatory regime.
  • It does so in an extremely powerful public regulatory context.
  • It makes a coherent argument for the advantages of its approach; it tries to win a policy argument.
  • The advantages are compelling.

Yes, the last three points are in contrast with relying on an extremely weak and resource-poor private regulatory hack (the GPL) which substitutes developer caprice for a public policy argument. But not entirely: the last advantage listed mentions this hack. I doubt we’ll reach the 2500 supporters required to pursue new enforcement of that hack (the GPL), but please prove me wrong. Whether you love, hate, or exploit the GPL, enforcement works for you.

Please join Sumana Harihareswara, me, and a who’s who of free/open source software in supporting Conservancy’s work. The next $50,000 in donations are being matched by Private Internet Access.
