[lsb-discuss] LSB conf call notes for 2008-07-30

Theodore Tso tytso at mit.edu
Fri Aug 8 18:06:44 PDT 2008


Russ,

I will have the Linux Foundation lawyers take a quick look over it,
but I don't see anything highly objectionable in it.  Yes, there's an
NDA; once you download the TCK, you can't share it with anyone else.
We've always known the TCK was "free as in beer", but not Free Software.

As far as the indemnification clause, it merely says that you are
responsible for any damages caused by your OS.  That is, if you
distribute an OS, people should be suing *you*, not Sun.  If they try
to sue Sun, you promise to defend Sun.  To take a concrete example,
let's take a hypothetical situation where a Canonical engineer who is
distributing a Java implementation maliciously inserts a security back
door; obviously the Canonical engineer (and perhaps Canonical the
company for failing to adequately supervise said Debian maintainer) is
liable for the damages caused by this security back door.  If this
deliberately-compromised Java implementation is used by a bank, the
Canonical engineer and Canonical could potentially be liable for
millions and millions of dollars.  Yes, there is a disclaimer of
liability in the GPL, but it's not clear the courts will consider it
applicable if a deliberate and malicious insertion of a backdoor was
added.  In any case, if the bank decides that since Sun has deep
pockets, Sun might be 1% liable under some strange bogus argument
that the TCK should have detected the security back door, then in that
case, if Canonical had signed the TCK, Canonical would be liable to
defend Sun against this claim --- which arose out of one of
Canonical's products.  Most would say this is an utterly fair thing to
request.

I will note that Sun is actually still taking on a risk, since if in
the above scenario, you replace Canonical with Debian, you get a
situation where the Debian maintainer and the Debian organization
might not have a lot of money, so they wouldn't have a lot of money to
defend themselves (or Sun) --- and so the bank might go after Sun due
to the malfeasance of a Debian maintainer --- so in fact Sun is
actually exposing themselves to a certain amount of liability just by
making the TCK available.  Of course, that's just the facts of life in
our extremely litigious society; you expose yourself to liability
whenever you do anything at all, it seems --- including serving hot
coffee.  :-)

It should further be noted that the FSF's own copyright assignment has a
similar indemnification clause.  When you donate code to the FSF, you
indemnify the FSF against any lawsuits regarding the copyright status
of the code which you contributed to the FSF.  So if someone
tries to donate code to an FSF project, and that code turns out to be
proprietary code that belongs to Microsoft, and Microsoft sues the
FSF, because of the copyright assignment contract, the FSF can turn
around and demand that the person who originally donated the disputed
code to the FSF defend the FSF against claims made against the code
that individual had originally donated.

So if you are claiming that Sun's indemnification clause requesting
that you take responsibility for your own code is somehow evil, then
you must also be claiming that the FSF's very similar request in their
copyright assignment form is also evil.  Both are contractual
indemnification clauses, and both are there for very similar reasons.

							- Ted
