Hello!
It has come to my attention that a patch has been committed to the
kernel with the explicit purpose of tainting ndiswrapper - the kernel
module allowing Windows NDIS drivers for Ethernet and Wireless cards to
be used by the kernel.

That's the commit in question:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commi...

It is not the first time it has happened. The same was done in October
2006. A heated discussion ensued, and the patch was reverted as
erroneous. For those wishing to refresh their memories, this LWN story
would be a great starting point:
http://lwn.net/Articles/205644/

I'd like to see this mistake fixed without lengthy arguments this
time around.

Just to reiterate some points from the old discussion:
- ndiswrapper is licensed under GPL
- ndiswrapper needs GPL-only symbols
- tainting ndiswrapper denies its access to GPL-only symbols
- denying ndiswrapper access to GPL-only symbols is unfair and not based
  on any copyright law
- denying ndiswrapper access to GPL-only symbols makes it impossible for
  ndiswrapper to function
- no copyright violation is involved, as Windows drivers are not derived
  from Linux sources
- Windows drivers don't call GPL-only symbols directly; ndiswrapper
  stands in the middle and sanitizes the access
- it's a fair game to taint the kernel in some way if ndiswrapper has
  been loaded at some point, since tainting per se is just an indicator
  that the kernel has been used in an unsupportable way
- if this change stands, ndiswrapper will be renamed, which would only
  create more confusion and would thus defeat the purpose of tainting
- ndiswrapper is used by kernel developers to create native drivers
- ndiswrapper is a stepping stone towards a completely free OS; take it
  away and see less users, less testers and less reverse engineering
  efforts

--
Regards,
Pavel Roskin
--
Yup. There was (what I thought was) a bug in the existing logic (an
explicit match on "ndiswrapper", and a setting of the global kernel
taint flags) and I corrected it to do what I thought it was actually
intending to do, but hadn't been. Was I mistaken? What's the point of

Yes it is. But I thought the existing code was intending to taint the
kernel (that's what it does), so it would really help to identify why it
tainted the kernel, by calling add_taint_module instead of add_taint. I

Another fix would be for ndiswrapper to explicitly set the taint when it
loads a tainted driver? Or do we just want to go back to globally
"tainting" the kernel without assigning the blame to any module?

Jon.
--
So, it's the same thing as in year 2006. Good intentions, unexpected

It taints the kernel, but not the module. I could add tainting the
module to the ndiswrapper code, but it would rely on the internals of
the "struct module". And I think we really don't want modules tainting
and untainting themselves by changing THIS_MODULE->taints. It's a
Pandora's box that's better kept closed.

--
Regards,
Pavel Roskin
--
I wouldn't quite say that. I wasn't going to comment, but...personally,
I actually disagree with the assertions that ndiswrapper isn't causing
proprietary code to link against GPL functions in the kernel (how is
an NDIS implementation any different than a shim layer provided to
load a graphics driver?), but I wasn't trying to make that point.

Rusty - shall we just move the taint to post symbol resolution?

Jon.
--
By that logic, the kernel should always be tainted since it could
potentially always be linked to non-GPL code.

The ndiswrapper code is just like the kernel. It is GPL, but it could be
linked to non-free code. Any reason why ndiswrapper should be tainted would
equally well argue that any kernel with module-loading capability should be
tainted. Somebody might load a non-free module.

DS
--
Well, as long as *any* part of the kernel ever links to proprietary
code, then GPL functions link to it in exactly the same way ndiswrapper
enables. It's only a matter of how many steps of separation.

A perfectly GPL USB network driver linked to GPL-only functions feeds
data into the kernel where it swirls about and emerges from a
proprietary network filesystem driver, for example.
--
A proprietary network filesystem driver _on a different system_, you
mean? In this case the proprietary code has no direct access to your
kernel data, except through the communication protocol. No tainting is
involved, as all corruption in your kernel is caused by kernel bugs in
visible code that can be debugged.

Gr{oetje,eeting}s,
Geert
--
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@linux-m68k.org

In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
-- Linus Torvalds
--
Perhaps module.c needs more comments explaining why the ndis line
is there, and why it's correct and no one should touch it.
--
ftr, as a by-stander, I perceived the past discussions as a lack of
trust from other kernel developers that Ndiswrapper will always set
the taint flags correctly. (ndiswrapper code does not go through lkml

I think the global taint flag is always needed because you never know
what the proprietary module actually did to our memory. Unloading
the driver and ndiswrapper should retain some sort of taintedness
should it oops much later.
--
It will. The module taint variant also sets the global taint. But it
helps to know why you set that if you oops now and get a list of
modules. Yeah, we know about ndiswrapper, I just mean in general.

Man, that'll teach me to send one-liners without checking the entire
history of LWN stories beforehand. I'm going to the gym to escape :)

Jon.
--
Then we can move add_taint_module() for ndiswrapper closer to the end of
load_module(), so that it's not prevented from using GPL-only symbols.

I'm actually so relieved that it has been a mistake, just like it was the
last time. Good luck!

--
Regards,
Pavel Roskin
--
It is interesting that someone posting with an @gnu.org address claims
that dynamic linking of not GPLv2 compatible code into GPLv2 code was
not a copyright violation.

Is it an official statement of the FSF that such linking is considered
legal?

cu
Adrian

--
"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed
--
There is no copyright violation: ndiswrapper is licensed under GPLv2. And the
Windows driver is not linked to kernel code - only ndiswrapper functions are
linked to kernel.

In case that is not clear, ndiswrapper is an implementation of NDIS and some
Windows kernel API functions in Linux kernel. The Windows driver is linked to
these functions so the driver works as if it is working under Windows.

Giri
--
IANAL, but I have serious doubts whether putting some glue layer between
the GPL'ed code and the code with a not GPL compatible licence is really

cu
Adrian
--
Just to refresh my memory, I re-read the GPLv2, and specifically the
licence (COPYING file) that comes with Linux 2.6.23, and I see nothing
in it that suggests shims, wrappers or other glue-layers are forbidden.
I see exactly the opposite. This idea that some symbols may only be
dynamically bound to GPL code is fallacy. In the preamble to GPLv2 are
words which make the position clear:

"the GNU General Public License is intended to guarantee your freedom
to share and change free software"

Childish games, for example blacklisting ndiswrapper, can be defeated,
using patches, by authors of affected programs or anyone else. That's
the freedom guaranteed by GPL.
--
As I understand it, the point of EXPORT_SYMBOL_GPL is not so much the
technical restriction (as you say, the module can lie or the user can
patch the kernel) but to indicate that the kernel developers consider
such interfaces to be internal to the kernel such that anything using it
would be highly likely to be a "derived work" of the kernel.

It's a hint to other developers rather than a prevention measure.

Chris
--
It may depend on the details of the "code with a not GPL compatible
licence".

It's pretty hard to argue that a binary driver written for another OS is
a derivative work of the linux kernel.

Chris
--
Read the paragraph starting with "These requirements apply to the
modified work as a whole." of the GPLv2.

IANAL, and I would therefore ask a lawyer whether, and if yes under
which circumstances, shipping a binary driver written for another OS

cu
Adrian
--
Please stop throwing around words like "criminal". If this is in fact
illegal it would be a civil matter.

Lee
--
On Wed, 30 Jan 2008 14:36:19 -0500
Actually in large parts of europe multiple repeated infractions of
copyright law are criminal matters.

Alan
--
"multiple repeated infractions" might not be required.
I remember one case in Germany where offering 272 songs in a P2P network
once resulted in a fine based on criminal law. [1]

Convictions under civil law seem to be easier and result in higher costs
for the copyright violators, so the music industry tends to use the
reportings of offences in Germany only for getting the names of the
people from the IP addresses they have (happened in a five digit number
of cases), don't care about whether the criminal law cases proceed, and
focus on the civil law cases.

But if you are doing more than just filesharing, or even make a profit

cu
Adrian

[1] http://www.jurpc.de/rechtspr/20040236.pdf
--
You are living in a country where copyright violations can't bring
cu
Adrian
--
AFAICS you are misunderstanding the words "criminal" and "civil matter".
AFAIK in German law the difference between the two is that "criminal"
offences are prosecuted by the government out of their own accord while
"civil matters" require someone else to sue.

Murder and robbery are criminal offences.
Assuming the above is correct then copyright violations definitely are
"civil matters" in Germany regardless whether you could go into jail or not.

Best,
Michael
--
Michael Gerdau email: mgerdau@tiscali.de
GPG-keys available on request or at public keyserver
--
Please read a book or ask someone who knows what he is talking about to
cu
Adrian
--
No, I'm representing myself only. I don't think you represent all
kernel developers when posting from the kernel.org address.

I'm actually surprised that you are raising this issue. If the
motivation to ban ndiswrapper is based on the copyright law, doesn't it
mean that we have DRM in the kernel now? Is Linux going to enforce

I, for one, would welcome an informed position of the FSF. It may have
interesting implications for Wine, ReactOS, mplayer, qemu, Java and many
other programs loading non-free compiled code at the run time.

--
Regards,
Pavel Roskin
--
I'm not using my @kernel.org address except for kernel issues and I'm
not using a company address in linux-kernel discussions.

Mailing lists of a project or a company are something completely
different from using a project or company address outside of the

Wine is licenced under the terms of the LGPL.

ReactOS is licenced under the terms of the GPL with a licence
exception for runtime linking of non-free modules.

QEMU is licenced under the terms of the GPL with a licence exception for
runtime linking with libqemu.a.

GNU classpath (and libgcj) are licenced under the terms of the GPL with
a licence exception for runtime linking with it.

As you can see, all of the above explicitly address this issue.

cu
Adrian
--
Thanks for the detailed analysis!
Anyway, as far as I know, copyright covers copying of works, and dynamic
linking never creates anything suitable for copying. The "derived work"
stays in memory, just like it does when a proprietary program runs on
top of the Linux kernel. Memory dumps might be illegal to distribute
though.

I'm not a lawyer and the above is not a legal advice. I don't represent
Free Software Foundation.

--
Regards,
Pavel Roskin
--
The GPL might only talk about distribution.
But copyright law is not restricted to copying of work.
IANAL, and I don't know about the laws in other countries, but at least
in Germany modifications of a copyrighted work require the permission of
the copyright holder.

It's e.g. a not so uncommon problem that someone wants to modify a 30 or
80 years old building, and since the original contract with the
architect did not grant the owner of the building the rights to modify
it he needs to ask the architect (or the architect's heirs) who has the
(nontransferable) copyright on the building for the permission to modify

cu
Adrian

[1] The building must be above the threshold of originality for giving
the architect a copyright and there are other laws that might
force the copyright holder to allow some modifications.
--
Germany does seem to be an odd case that really makes it very difficult
to do perfectly reasonable, desirable and sane things. I am not even
sure the GPL necessarily makes sense under German copyright law. I am
not German so I haven't had to deal with it.

--
Len Sorensen
--
http://www.jbb.de/judgment_dc_munich_gpl.pdf
cu
Adrian
--
Good point. They seem to be the place that actually has enforced the
GPL.

--
Len Sorensen
--
An alternate reading is that it's the only place that has a legal system
so whacked that a case actually went to trial rather than the offending
party just going "Oh foo.. yeah, that *is* what it says, we better comply
in one way or another"...

It all depends what sort of legal system you have/want - I saw a statistic
for our local police department that said that 98% of all their cases last
year ended in plea agreements before going to trial (although to be fair,
that includes traffic violations where the driver just paid the fine before
the trial date came up and similar minor cases). If things actually go to
trial all the time, things get even more bogged down than they already are...
--
If you go to http://www.gpl-violations.org you'll see that Harald has
also successfully enforced his rights under the terms of the GPL as one
of the copyright holders of the Linux kernel in many more cases without
having to go to (German) courts.

There were people who were claiming the GPL was not enforcible at court,
and there are many grey areas of the GPL left where people claim this
and that - and only court decisions will bring clarifications.

cu
Adrian
--
I think you'd be impressed at how little I care about this, and how little I
value my fellow hacker's legal opinions except for humor value.

Let ndiswrapper do the taint itself, let's revert the patch and add a damn
comment: Jon was right to clean up such unexplained crap.

Rusty.
--
Probably in the same way that gmail represents official google policy ;)
Alan
--
How about you see this as syscall linkage or pipe linkage^2 instead?
Linux and GNU, respectively, allow these.

^2 gplprogram <input.txt | proprietaryprogram >output.txt
--
Not a productive approach. It will only harm support for everyone.
--
There are two taint flags. Let's see:
if (strcmp(mod->name, "ndiswrapper") == 0)
- add_taint(TAINT_PROPRIETARY_MODULE);
+ add_taint_module(mod, TAINT_PROPRIETARY_MODULE);And that's add_taint_module():
static inline void add_taint_module(struct module *mod, unsigned flag)
{
	add_taint(flag);
	mod->taints |= flag;
}

The module taint is set before the symbols are resolved. Therefore, the

I know. But ndiswrapper is a maintained program, which is regularly
updated to work with the latest kernels. If the author fails to make
the necessary updates for the next kernel for whatever reason, somebody
will fork it and make such updates.

--
Regards,
Pavel Roskin
--
I think using a separate taint flag that does not disable GPL symbols
for the ndiswrapper case would be a fair solution. After all the main
motivation for tainting ndiswrapper is to make it visible in oopses, but not
prevent it from loading in the first place.

How about you submit an incremental patch to do that?

-Andi
--
I'll happily submit a patch to do whatever is wanted, and add comments
(I'm also debugging several module issues right now, so I have a
good opportunity to look over some of the code).

But do we want to:

*). Add a new taint?
*). Move it later?

It's all trivial, but a policy should be established for the future.

Jon.
--
I'd prefer a new taint. It's less likely to break. It provides more
information in the stack dumps. It makes clear the difference between
ndiswrapper and driverloader.

Here's the patch:
---
Introduce a new taint flag for ndiswrapper

Although ndiswrapper loads proprietary code, it's under GPL itself.
Introduce a different taint flag for this case, so that ndiswrapper
retains access to GPL-only symbols.

Add comments to show the difference between driverloader and
ndiswrapper.

Signed-off-by: Pavel Roskin <proski@gnu.org>
---include/linux/kernel.h | 1 +
kernel/module.c | 5 ++++-
kernel/panic.c | 2 ++
3 files changed, 7 insertions(+), 1 deletions(-)diff --git a/include/linux/kernel.h b/include/linux/kernel.h
index a7283c9..861a6ae 100644
--- a/include/linux/kernel.h
+++ b/include/linux/kernel.h
@@ -240,6 +240,7 @@ extern enum system_states {
#define TAINT_BAD_PAGE (1<<5)
#define TAINT_USER (1<<6)
#define TAINT_DIE (1<<7)
+#define TAINT_BLOB_WRAPPER (1<<8)extern void dump_stack(void) __cold;
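Review bot: `TAINT_BLOB_WRAPPER` is added at the end of the taint list in include/linux/kernel.h with nothing beside it saying how it differs from `TAINT_PROPRIETARY_MODULE`. The new bit exists to mark a GPL module that loads proprietary code without costing that module its GPL-only symbols, so a one-line comment next to the define would keep a later cleanup from folding the two flags together again.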
diff --git a/kernel/module.c b/kernel/module.c
index f6a4e72..a64380c 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -1925,8 +1925,11 @@ static struct module *load_module(void __user *umod,
/* Set up license info based on the info section */
set_license(mod, get_modinfo(sechdrs, infoindex, "license"));+ /* GPL, but may load proprietary code */
if (strcmp(mod->name, "ndiswrapper") == 0)
- add_taint_module(mod, TAINT_PROPRIETARY_MODULE);
+ add_taint_module(mod, TAINT_BLOB_WRAPPER);
+
+ /* Wrongly claims to be under GPL */
if (strcmp(mod->name, "driverloader") == 0)
add_taint_module(mod, TAINT_PROPRIETARY_MODULE);diff --git a/kernel/panic.c b/kernel/panic.c
index da4d6ba..b040812 100644
--- a/kernel/panic.c
+++ b/kernel/panic.c
@@ -152,6 +152,7 @@ EXPORT_SYMBOL(panic);
* 'M' - System experienced a machine check exception.
* 'B' - System has hit bad_page.
...
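Review bot: in the kernel/module.c hunk, `add_taint_module(mod, TAINT_BLOB_WRAPPER)` still fires on the module name alone, so the kernel is marked as soon as something called "ndiswrapper" is loaded, whether or not a Windows driver ever follows, and a renamed build is not marked at all. If name matching stays, the new comment `/* GPL, but may load proprietary code */` should also say that the flag is deliberately not `TAINT_PROPRIETARY_MODULE`, so the next reader does not "correct" it back.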
--
Are you sure you don't need to add a new '%c' to the format string too?
I think gcc should have warned.
--
You are right! Thanks.
--
Regards,
Pavel Roskin
--
At some point, a compromise position of "Have ndiswrapper do the tainting
if it loads something with contentious licensing" was suggested - whatever
happened to that?

(If for no other reason than if you load ndiswrapper for testing, and then
do *not* actually load something, your kernel should remain untainted...)
--
We should distinguish kernel tainting and module tainting. Kernel
tainting affects the stack dumps. Module tainting affects access to
GPL-only symbols.

Kernel tainting for "ndiswrapper" is in the code already. The patch I'm
complaining about is replacing kernel tainting with both kinds of
tainting.

Of course, ndiswrapper could taint itself as a module, but it would be a
purely symbolic act, since the module would be loaded already, and the
GPL-only symbols resolved.

--
Regards,
Pavel Roskin
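
The kernel-taint versus module-taint distinction in this thread, as an added userspace model (not kernel code and not part of any message here). It runs the four options the thread raises: global taint only, module taint before symbol resolution, module taint after resolution, and a separate flag. The export table, `gpl_only_helper`, `enum policy` and `load_module_model()` are hypothetical, and the check in `resolve_symbol()` encodes the thread's statement that a module carrying `TAINT_PROPRIETARY_MODULE` is refused GPL-only symbols.

```c
#include <stdio.h>
#include <string.h>

/* Userspace model only; flag names follow the thread, the rest is hypothetical. */
#define TAINT_PROPRIETARY_MODULE (1u << 0)
#define TAINT_BLOB_WRAPPER       (1u << 8)   /* value from the patch in the thread */

struct module { const char *name; unsigned taints; };
struct ksym   { const char *name; int gpl_only; };
struct result { int gpl_symbol_resolved; unsigned module_taints, kernel_taints; };

enum policy { GLOBAL_ONLY, MODULE_EARLY, MODULE_LATE, BLOB_WRAPPER };

static unsigned tainted;   /* global kernel taint mask */

/* Constructed export table: one ordinary symbol, one GPL-only symbol. */
static const struct ksym exports[] = { { "printk", 0 }, { "gpl_only_helper", 1 } };

static void add_taint(unsigned flag) { tainted |= flag; }

static void add_taint_module(struct module *mod, unsigned flag)
{
    add_taint(flag);          /* global taint: shows up in oops reports */
    mod->taints |= flag;      /* per-module taint: consulted by the resolver */
}

/* Assumption from the thread: a module marked proprietary gets no GPL-only symbols. */
static int resolve_symbol(const struct module *mod, const char *name)
{
    int gplok = !(mod->taints & TAINT_PROPRIETARY_MODULE);
    for (size_t i = 0; i < sizeof exports / sizeof exports[0]; i++)
        if (strcmp(exports[i].name, name) == 0)
            return !exports[i].gpl_only || gplok;
    return 0;                 /* unknown symbol */
}

/* Load "ndiswrapper" under one of the four tainting policies raised in the thread. */
static struct result load_module_model(enum policy p)
{
    struct module mod = { "ndiswrapper", 0 };
    struct result r;

    tainted = 0;
    if (p == GLOBAL_ONLY)  add_taint(TAINT_PROPRIETARY_MODULE);              /* old code */
    if (p == MODULE_EARLY) add_taint_module(&mod, TAINT_PROPRIETARY_MODULE); /* disputed commit */
    if (p == BLOB_WRAPPER) add_taint_module(&mod, TAINT_BLOB_WRAPPER);       /* separate flag */

    r.gpl_symbol_resolved = resolve_symbol(&mod, "gpl_only_helper");

    if (p == MODULE_LATE)  add_taint_module(&mod, TAINT_PROPRIETARY_MODULE); /* taint after resolution */

    r.module_taints = mod.taints;
    r.kernel_taints = tainted;
    return r;
}

int main(void)
{
    static const char *names[] = { "global only", "module, early", "module, late", "blob wrapper" };
    for (int p = GLOBAL_ONLY; p <= BLOB_WRAPPER; p++) {
        struct result r = load_module_model((enum policy)p);
        printf("%-14s gpl-only symbol: %-7s module=0x%03x kernel=0x%03x\n", names[p],
               r.gpl_symbol_resolved ? "ok" : "refused", r.module_taints, r.kernel_taints);
    }
    return 0;
}
```

Only the early module taint refuses the GPL-only symbol; the other three leave resolution intact and differ in whether the oops output can attribute the taint to a module.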
--
I think that might be an acceptable alternative to the current explicit
matching on "ndiswrapper" in the kernel. Something should say "hey, the
kernel is tainted, and I'm the reason why", not just set a global taint.

Note: personal opinion aside, I actually wasn't trying to start a huge
copyright debate here. I just thought the taint flag logic was wrong (if
we're going to match on specific modules, we should mark them) - an
alternative would be a new type of taint flag?

Jon.
--
ndiswrapper does taint the kernel when a Windows driver is loaded.
Giri
